commit b563d4a9cbf4d71654c264d777dd25fb52f0bc77
Author: Tony Du
Date: Thu Jan 30 16:21:09 2025 -0800
infra
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2217a41
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.env
+venv
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..819ee59
--- /dev/null
+++ b/README.md
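Review bot: The new ignore list covers `.env` and `venv` but not the secret-bearing files the README in this same commit tells the operator to create inside the repo: `proxmox/tf/credentials.auto.tfvars` holds the Proxmox API token, and running `opentofu apply` there will leave local OpenTofu state alongside it unless a remote backend is configured (none is mentioned), which typically records provider credentials and resource attributes in plaintext. The `kubeconfig` dropped into `proxmox/ansible` is meant to be moved out, but it sits in the tree until that `mv` happens. Since the swarm bootstraps a Gitea that this repo is presumably pushed to, one `git add .` would publish the token. I would add `credentials.auto.tfvars`, `*.tfstate*` and `kubeconfig`, keeping `vars.auto.tfvars` trackable since the README treats it as ordinary configuration.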
@@ -0,0 +1,134 @@
+# My Homelab Setup
+
+## Getting started
+
+### Dependencies
+
+Install dependencies (Arch):
+
+```sh
+pacman -Sy opentofu kubectl helm helmfile python
+```
+
+### Promxox
+
+We first need to configure a Proxmox user for terraform to act on behalf of and
+a token for the user.
+
+```sh
+# Create the user
+pveum user add terraform@pve
+
+# Create a role for the user above
+pveum role add Terraform -privs "Datastore.Allocate Datastore.AllocateSpace Datastore.AllocateTemplate Datastore.Audit Pool.Allocate Sys.Audit Sys.Console Sys.Modify SDN.Use VM.Allocate VM.Audit VM.Clone VM.Config.CDROM VM.Config.Cloudinit VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Migrate VM.Monitor VM.PowerMgmt User.Modify Pool.Audit"
+
+# Assign the terraform user to the above role
+pveum aclmod / -user terraform@pve -role Terraform
+
+# Create the token and save it for later
+pveum user token add terraform@pve provider --privsep=0
+
+### Provisioning with OpenTofu/Terraform
+
+Create a file `proxmox/tf/credentials.auto.tfvars` with the following content,
+making sure to replace as necessary:
+
+```
+proxmox_api_endpoint = "https://"
+proxmox_api_token = "terraform@pve!provider="
+```
+
+Customize the other variables in `proxmox/tf/vars.auto.tfvars` and double check
+the configuration.
+
+When ready, run `opentofu apply`. The command might fail the first time if
+provisioning from scratch, but it seems to be fine when running it a second
+time.
+
+### Creating a Docker swarm
+
+The Docker swarm acts as a launchpad for the rest of the infrastructure. It
+bootstraps a Portainer, Traefik, and Gitea deployment so that remaining
+configuration can be done through Portainer and Git.
+
+```sh
+# Add SSH keys to known_hosts
+ansible-inventory -i inventory/dolo --list |\
+ jq -r '._meta.hostvars | keys[]' |\
+ grep 'stingray' |\
+ while read -r line; do
+ ssh-keygen -R "$line"
+ ssh-keyscan -H "$line" >> ~/.ssh/known_hosts
+ done
+
+# Initialize swarm
+ansible-playbook -i inventory/stingray swarm.yml
+```
+
+Traefik will be listening on hosts:
+- git.mnke.org
+- git.stingray.mnke.org
+- portainer.stingray.mnke.org
+
+Set DNS records or edit your hosts file to point those domains to a swarm node.
+
+### Creating a k3s cluster
+
+Set up Ansible:
+
+```sh
+# Tested on Python 3.13.1
+python3 -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+ansible-galaxy collection install -r proxmox/ansible/collections/requirements.yml
+```
+
+Set up the k3s cluster:
+
+```sh
+# Necessary because the hosts.yml file contains a relative path to the terraform
+# project directory
+cd proxmox/ansible
+# Remove/scan keys
+ansible-inventory -i inventory/dolo --list |\
+ jq -r '._meta.hostvars | keys[]' |\
+ while read -r line; do
+ ssh-keygen -R "$line"
+ ssh-keyscan -H "$line" >> ~/.ssh/known_hosts
+ done
+ansible-playbook lvm.yml site.yml -i inventory/dolo
+# You should be left with a kubeconfig. Move it to ~/.kube/config. If you
+# already have a ~/.kube/config file, make sure to back it up first.
+mv kubeconfig ~/.kube/config
+# Verify that you can connect to the cluster
+kubectl get nodes
+
+# Back to root repo directory
+cd -
+# Verify deployment and service
+kubectl apply -f proxmox/k8s/examples/001-example.yml
+# This should succeed, and an IP should have been allocated by metallb. Check
+# with the following command:
+kubectl describe nginx
+# Now try checking that the deployment works:
+curl http://[allocated-ip]
+```
+
+### Install Helm charts
+
+```sh
+kubectl create secret generic regcred \
+ --from-file=.dockerconfigjson=$HOME/.docker/config.json \
+ --type=kubernetes.io/dockerconfigjson
+# Assuming from the repo root
+cd proxmox/k8s/helmfile
+helmfile sync -f proxmox/k8s/helmfile.d
+```
+
+## Credits
+
+- Some inspiration and guidance was taken from [Andreas Marqvardsen's blog post](https://blog.andreasm.io/2024/01/15/proxmox-with-opentofu-kubespray-and-kubernetes)
+- An automated setup of a k3s cluster from [Techno Tim's Ansible roles](https://github.com/techno-tim/k3s-ansible)
+- Inspiration for a minimal docker swarm from [nmarus](https://github.com/nmarus/docker-swarm-ansible/tree/master)
diff --git a/clusters/dolo/flux-system/gotk-components.yaml b/clusters/dolo/flux-system/gotk-components.yaml
new file mode 100644
index 0000000..580e89e
--- /dev/null
+++ b/clusters/dolo/flux-system/gotk-components.yaml
@@ -0,0 +1,12507 @@ +--- +# This manifest was generated by flux. DO NOT EDIT. +# Flux Version: v2.4.0 +# Components: source-controller,kustomize-controller,helm-controller,notification-controller +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + name: flux-system +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: allow-egress + namespace: flux-system +spec: + egress: + - {} + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: allow-scraping + namespace: flux-system +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP + podSelector: {} + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: allow-webhooks + namespace: flux-system +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app: notification-controller + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: critical-pods-flux-system + namespace: flux-system +spec: + hard: + pods: "1000" + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical + - 
system-cluster-critical +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: crd-controller-flux-system +rules: +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - helm.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - notification.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - image.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - "" + resources: + - namespaces + - secrets + - configmaps + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- nonResourceURLs: + - /livez/ping + verbs: + - head +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: flux-edit-flux-system +rules: +- apiGroups: + - notification.toolkit.fluxcd.io + - source.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - create + - delete + - deletecollection + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + 
app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: flux-view-flux-system +rules: +- apiGroups: + - notification.toolkit.fluxcd.io + - source.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: cluster-reconciler-flux-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: kustomize-controller + namespace: flux-system +- kind: ServiceAccount + name: helm-controller + namespace: flux-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: crd-controller-flux-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crd-controller-flux-system +subjects: +- kind: ServiceAccount + name: kustomize-controller + namespace: flux-system +- kind: ServiceAccount + name: helm-controller + namespace: flux-system +- kind: ServiceAccount + name: source-controller + namespace: flux-system +- kind: ServiceAccount + name: notification-controller + namespace: flux-system +- kind: ServiceAccount + name: image-reflector-controller + namespace: flux-system +- kind: ServiceAccount + name: image-automation-controller + namespace: flux-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + 
controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: buckets.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: Bucket + listKind: BucketList + plural: buckets + singular: bucket + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + BucketSpec specifies the required configuration to produce an Artifact for + an object storage bucket. + properties: + bucketName: + description: BucketName is the name of the object storage bucket. 
+ type: string + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + bucket. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `generic` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: Endpoint is the object storage address the BucketName + is located at. + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP Endpoint. + type: boolean + interval: + description: |- + Interval at which the Bucket Endpoint is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + prefix: + description: Prefix to use for server-side filtering of files in the + Bucket. + type: string + provider: + default: generic + description: |- + Provider of the object storage bucket. + Defaults to 'generic', which expects an S3 (API) compatible object + storage. + enum: + - generic + - aws + - gcp + - azure + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the Bucket server. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + region: + description: Region of the Endpoint where the BucketName is located + in. + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + sts: + description: |- + STS specifies the required configuration to use a Security Token + Service for fetching temporary credentials to authenticate in a + Bucket provider. + + This field is only supported for the `aws` and `generic` providers. + properties: + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + STS endpoint. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `ldap` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: |- + Endpoint is the HTTP/S endpoint of the Security Token Service from + where temporary credentials will be fetched. + pattern: ^(http|https)://$ + type: string + provider: + description: Provider of the Security Token Service. + enum: + - aws + - ldap + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the STS endpoint. This Secret must contain the fields `username` + and `password` and is supported only for the `ldap` provider. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - endpoint + - provider + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + Bucket. + type: boolean + timeout: + default: 60s + description: Timeout for fetch operations, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + required: + - bucketName + - endpoint + - interval + type: object + x-kubernetes-validations: + - message: STS configuration is only supported for the 'aws' and 'generic' + Bucket providers + rule: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts) + - message: '''aws'' is the only supported STS provider for the ''aws'' + Bucket provider' + rule: self.provider != 'aws' || !has(self.sts) || self.sts.provider + == 'aws' + - message: '''ldap'' is the only supported STS provider for the ''generic'' + Bucket provider' + rule: self.provider != 'generic' || !has(self.sts) || self.sts.provider + == 'ldap' + - message: spec.sts.secretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.secretRef)' + - message: spec.sts.certSecretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.certSecretRef)' + status: + default: + observedGeneration: -1 + description: BucketStatus records the observed state of a Bucket. + properties: + artifact: + description: Artifact represents the last successful Bucket reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. 
+ format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Bucket object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 Bucket is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: BucketSpec defines the desired state of an S3 compatible + bucket + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. 
+ properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: The bucket name. + type: string + endpoint: + description: The bucket endpoint address. + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. + type: boolean + interval: + description: The interval at which to check for bucket updates. + type: string + provider: + default: generic + description: The S3 compatible storage provider name, default ('generic'). + enum: + - generic + - aws + - gcp + type: string + region: + description: The bucket region. + type: string + secretRef: + description: |- + The name of the secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for download operations, defaults to 60s. + type: string + required: + - bucketName + - endpoint + - interval + type: object + status: + default: + observedGeneration: -1 + description: BucketStatus defines the observed state of a bucket + properties: + artifact: + description: Artifact represents the output of the last successful + Bucket sync. 
+ properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the artifact output of the + last Bucket sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Bucket is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + BucketSpec specifies the required configuration to produce an Artifact for + an object storage bucket. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: BucketName is the name of the object storage bucket. 
+ type: string + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + bucket. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `generic` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: Endpoint is the object storage address the BucketName + is located at. + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP Endpoint. + type: boolean + interval: + description: |- + Interval at which the Bucket Endpoint is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + prefix: + description: Prefix to use for server-side filtering of files in the + Bucket. + type: string + provider: + default: generic + description: |- + Provider of the object storage bucket. + Defaults to 'generic', which expects an S3 (API) compatible object + storage. + enum: + - generic + - aws + - gcp + - azure + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the Bucket server. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + region: + description: Region of the Endpoint where the BucketName is located + in. + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + sts: + description: |- + STS specifies the required configuration to use a Security Token + Service for fetching temporary credentials to authenticate in a + Bucket provider. + + This field is only supported for the `aws` and `generic` providers. + properties: + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + STS endpoint. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + This field is only supported for the `ldap` provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + endpoint: + description: |- + Endpoint is the HTTP/S endpoint of the Security Token Service from + where temporary credentials will be fetched. + pattern: ^(http|https)://$ + type: string + provider: + description: Provider of the Security Token Service. + enum: + - aws + - ldap + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the STS endpoint. This Secret must contain the fields `username` + and `password` and is supported only for the `ldap` provider. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - endpoint + - provider + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + Bucket. + type: boolean + timeout: + default: 60s + description: Timeout for fetch operations, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + required: + - bucketName + - endpoint + - interval + type: object + x-kubernetes-validations: + - message: STS configuration is only supported for the 'aws' and 'generic' + Bucket providers + rule: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts) + - message: '''aws'' is the only supported STS provider for the ''aws'' + Bucket provider' + rule: self.provider != 'aws' || !has(self.sts) || self.sts.provider + == 'aws' + - message: '''ldap'' is the only supported STS provider for the ''generic'' + Bucket provider' + rule: self.provider != 'generic' || !has(self.sts) || self.sts.provider + == 'ldap' + - message: spec.sts.secretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.secretRef)' + - message: spec.sts.certSecretRef is not required for the 'aws' STS provider + rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.certSecretRef)' + status: + default: + observedGeneration: -1 + description: BucketStatus records the observed state of a Bucket. + properties: + artifact: + description: Artifact represents the last successful Bucket reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. 
+ format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Bucket object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. 
+ type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: gitrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: GitRepository + listKind: GitRepositoryList + plural: gitrepositories + shortNames: + - gitrepo + singular: gitrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + GitRepositorySpec specifies the required configuration to produce an + Artifact for a Git repository. 
+ properties: + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + include: + description: |- + Include specifies a list of GitRepository resources which Artifacts + should be included in the Artifact produced for this GitRepository. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: |- + Interval at which the GitRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + provider: + description: |- + Provider used for authentication, can be 'azure', 'generic'. + When not specified, defaults to 'generic'. + enum: + - generic + - azure + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the Git server. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + recurseSubmodules: + description: |- + RecurseSubmodules enables the initialization of all submodules within + the GitRepository as cloned from the URL, using their default settings. + type: boolean + ref: + description: |- + Reference specifies the Git reference to resolve and monitor for + changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: |- + Commit SHA to check out, takes precedence over all reference fields. + + This can be combined with Branch to shallow clone the branch, in which + the commit is expected to exist. + type: string + name: + description: |- + Name of the reference to check out; takes precedence over Branch, Tag and SemVer. + + It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description + Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials for + the GitRepository. + For HTTPS repositories the Secret must contain 'username' and 'password' + fields for basic auth or 'bearerToken' field for token auth. + For SSH repositories the Secret must contain 'identity' + and 'known_hosts' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + GitRepository. + type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://$ + type: string + verify: + description: |- + Verification specifies the configuration to verify the Git commit + signature(s). + properties: + mode: + default: HEAD + description: |- + Mode specifies which Git object(s) should be verified. + + The variants "head" and "HEAD" both imply the same thing, i.e. verify + the commit that the HEAD of the Git repository points to. The variant + "head" solely exists to ensure backwards compatibility. + enum: + - head + - HEAD + - Tag + - TagAndHEAD + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the public keys of trusted Git + authors. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. 
+ type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: |- + IncludedArtifacts contains a list of the last successfully included + Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. 
+ format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the GitRepository + object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + observedInclude: + description: |- + ObservedInclude is the observed list of GitRepository resources used to + produce the current Artifact. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: |- + ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. 
+ type: boolean + sourceVerificationMode: + description: |- + SourceVerificationMode is the last used verification mode indicating + which Git object(s) have been verified. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GitRepositorySpec defines the desired state of a Git repository. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. 
+ items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: |- + Determines which git client library to use. + Defaults to go-git, valid values are ('go-git', 'libgit2'). + enum: + - go-git + - libgit2 + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. + type: string + include: + description: Extra git repositories to map into the repository + items: + description: GitRepositoryInclude defines a source with a from and + to path. + properties: + fromPath: + description: The path to copy contents from, defaults to the + root directory. + type: string + repository: + description: Reference to a GitRepository to include. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: The path to copy contents to, defaults to the name + of the source ref. + type: string + required: + - repository + type: object + type: array + interval: + description: The interval at which to check for repository updates. + type: string + recurseSubmodules: + description: |- + When enabled, after the clone is created, initializes all submodules within, + using their default settings. 
+ This option is available only when using the 'go-git' GitImplementation. + type: boolean + ref: + description: |- + The Git reference to checkout and monitor for changes, defaults to + master branch. + properties: + branch: + description: The Git branch to checkout, defaults to master. + type: string + commit: + description: The Git commit SHA to checkout, if specified Tag + filters will be ignored. + type: string + semver: + description: The Git tag semver expression, takes precedence over + Tag. + type: string + tag: + description: The Git tag to checkout, takes precedence over Branch. + type: string + type: object + secretRef: + description: |- + The secret name containing the Git credentials. + For HTTPS repositories the secret must contain username and password + fields. + For SSH repositories the secret must contain identity and known_hosts + fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for remote Git operations like cloning, defaults + to 60s. + type: string + url: + description: The repository URL, can be a HTTP/S or SSH address. + pattern: ^(http|https|ssh)://$ + type: string + verify: + description: Verify OpenPGP signature for the Git commit HEAD points + to. + properties: + mode: + description: Mode describes what git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: The secret name containing the public keys of all + trusted Git authors. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - mode + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus defines the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: IncludedArtifacts represents the included artifacts from + the last successful repository sync. + items: + description: Artifact represents the output of a source synchronisation. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. 
+ type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: |- + URL is the download link for the artifact output of the last repository + sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + GitRepositorySpec specifies the required configuration to produce an + Artifact for a Git repository. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: |- + GitImplementation specifies which Git client library implementation to + use. Defaults to 'go-git', valid values are ('go-git', 'libgit2'). + Deprecated: gitImplementation is deprecated now that 'go-git' is the + only supported implementation. + enum: + - go-git + - libgit2 + type: string + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. 
+ type: string + include: + description: |- + Include specifies a list of GitRepository resources which Artifacts + should be included in the Artifact produced for this GitRepository. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: Interval at which to check the GitRepository for updates. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + recurseSubmodules: + description: |- + RecurseSubmodules enables the initialization of all submodules within + the GitRepository as cloned from the URL, using their default settings. + type: boolean + ref: + description: |- + Reference specifies the Git reference to resolve and monitor for + changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: |- + Commit SHA to check out, takes precedence over all reference fields. + + This can be combined with Branch to shallow clone the branch, in which + the commit is expected to exist. + type: string + name: + description: |- + Name of the reference to check out; takes precedence over Branch, Tag and SemVer. 
+ + It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description + Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials for + the GitRepository. + For HTTPS repositories the Secret must contain 'username' and 'password' + fields for basic auth or 'bearerToken' field for token auth. + For SSH repositories the Secret must contain 'identity' + and 'known_hosts' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + GitRepository. + type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://$ + type: string + verify: + description: |- + Verification specifies the configuration to verify the Git commit + signature(s). + properties: + mode: + description: Mode specifies what Git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the public keys of trusted Git + authors. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - mode + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentConfigChecksum: + description: |- + ContentConfigChecksum is a checksum of all the configurations related to + the content of the source artifact: + - .spec.ignore + - .spec.recurseSubmodules + - .spec.included and the checksum of the included artifacts + observed in .status.observedGeneration version of the object. This can + be used to determine if the content of the included repository has + changed. + It has the format of `:`, for example: `sha256:`. + + Deprecated: Replaced with explicit fields for observed artifact content + config in the status. + type: string + includedArtifacts: + description: |- + IncludedArtifacts contains a list of the last successfully included + Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. 
+ type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the GitRepository + object. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. + type: string + observedInclude: + description: |- + ObservedInclude is the observed list of GitRepository resources used to + to produce the current Artifact. + items: + description: |- + GitRepositoryInclude specifies a local reference to a GitRepository which + Artifact (sub-)contents must be included, and where they should be placed. + properties: + fromPath: + description: |- + FromPath specifies the path to copy contents from, defaults to the root + of the Artifact. + type: string + repository: + description: |- + GitRepositoryRef specifies the GitRepository which Artifact contents + must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: |- + ToPath specifies the path to copy contents to, defaults to the name of + the GitRepositoryRef. 
+ type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: |- + ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. + type: boolean + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + GitRepositoryStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: helmcharts.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: HelmChart + listKind: HelmChartList + plural: helmcharts + shortNames: + - hc + singular: helmchart + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmChartSpec specifies the desired state of a Helm chart. + properties: + chart: + description: |- + Chart is the name or path the Helm chart is available at in the + SourceRef. + type: string + ignoreMissingValuesFiles: + description: |- + IgnoreMissingValuesFiles controls whether to silently ignore missing values + files rather than failing. + type: boolean + interval: + description: |- + Interval at which the HelmChart SourceRef is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + ReconcileStrategy determines what enables the creation of a new artifact. + Valid values are ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: SourceRef is the reference to the Source the chart is + available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: |- + Kind of the referent, valid values are ('HelmRepository', 'GitRepository', + 'Bucket'). + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. 
+ type: string + required: + - kind + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + source. + type: boolean + valuesFiles: + description: |- + ValuesFiles is an alternative list of values files to use as the chart + values (values.yaml is not included by default), expected to be a + relative path in the SourceRef. + Values files are merged in the order of this list with the last file + overriding the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported when using HelmRepository source with spec.type 'oci'. + Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified. + properties: + matchOIDCIdentity: + description: |- + MatchOIDCIdentity specifies the identity matching criteria to use + while verifying an OCI artifact which was signed using Cosign keyless + signing. The artifact's identity is deemed to be verified if any of the + specified matchers match against the identity. + items: + description: |- + OIDCIdentityMatch specifies options for verifying the certificate identity, + i.e. the issuer and the subject of the certificate. + properties: + issuer: + description: |- + Issuer specifies the regex pattern to match against to verify + the OIDC issuer in the Fulcio certificate. The pattern must be a + valid Go regular expression. + type: string + subject: + description: |- + Subject specifies the regex pattern to match against to verify + the identity subject in the Fulcio certificate. The pattern must + be a valid Go regular expression. 
+ type: string + required: + - issuer + - subject + type: object + type: array + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version is the chart version semver expression, ignored for charts from + GitRepository and Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus records the observed state of the HelmChart. + properties: + artifact: + description: Artifact represents the output of the last successful + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. 
+ format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedChartName: + description: |- + ObservedChartName is the last observed chart name as specified by the + resolved chart reference. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmChart + object. + format: int64 + type: integer + observedSourceArtifactRevision: + description: |- + ObservedSourceArtifactRevision is the last observed Artifact.Revision + of the HelmChartSpec.SourceRef. + type: string + observedValuesFiles: + description: |- + ObservedValuesFiles are the observed value files of the last successful + reconciliation. + It matches the chart in the last successfully reconciled artifact. + items: + type: string + type: array + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 HelmChart is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmChartSpec defines the desired state of a Helm chart. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. 
+ items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + chart: + description: The name or path the Helm chart is available at in the + SourceRef. + type: string + interval: + description: The interval at which to check the Source for updates. + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The reference to the Source the chart is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: |- + Kind of the referent, valid values are ('HelmRepository', 'GitRepository', + 'Bucket'). + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + required: + - kind + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + valuesFile: + description: |- + Alternative values file to use as the default chart values, expected to + be a relative path in the SourceRef. 
Deprecated in favor of ValuesFiles, + for backwards compatibility the file defined here is merged before the + ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. + items: + type: string + type: array + version: + default: '*' + description: |- + The chart version semver expression, ignored for charts from GitRepository + and Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus defines the observed state of the HelmChart. + properties: + artifact: + description: Artifact represents the output of the last successful + chart sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the last chart pulled. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 HelmChart is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmChartSpec specifies the desired state of a Helm chart. 
+ properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + chart: + description: |- + Chart is the name or path the Helm chart is available at in the + SourceRef. + type: string + ignoreMissingValuesFiles: + description: |- + IgnoreMissingValuesFiles controls whether to silently ignore missing values + files rather than failing. + type: boolean + interval: + description: |- + Interval at which the HelmChart SourceRef is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + ReconcileStrategy determines what enables the creation of a new artifact. + Valid values are ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. 
+ enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: SourceRef is the reference to the Source the chart is + available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: |- + Kind of the referent, valid values are ('HelmRepository', 'GitRepository', + 'Bucket'). + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + required: + - kind + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + source. + type: boolean + valuesFile: + description: |- + ValuesFile is an alternative values file to use as the default chart + values, expected to be a relative path in the SourceRef. Deprecated in + favor of ValuesFiles, for backwards compatibility the file specified here + is merged before the ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + ValuesFiles is an alternative list of values files to use as the chart + values (values.yaml is not included by default), expected to be a + relative path in the SourceRef. + Values files are merged in the order of this list with the last file + overriding the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported when using HelmRepository source with spec.type 'oci'. + Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified. + properties: + matchOIDCIdentity: + description: |- + MatchOIDCIdentity specifies the identity matching criteria to use + while verifying an OCI artifact which was signed using Cosign keyless + signing. 
The artifact's identity is deemed to be verified if any of the + specified matchers match against the identity. + items: + description: |- + OIDCIdentityMatch specifies options for verifying the certificate identity, + i.e. the issuer and the subject of the certificate. + properties: + issuer: + description: |- + Issuer specifies the regex pattern to match against to verify + the OIDC issuer in the Fulcio certificate. The pattern must be a + valid Go regular expression. + type: string + subject: + description: |- + Subject specifies the regex pattern to match against to verify + the identity subject in the Fulcio certificate. The pattern must + be a valid Go regular expression. + type: string + required: + - issuer + - subject + type: object + type: array + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version is the chart version semver expression, ignored for charts from + GitRepository and Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus records the observed state of the HelmChart. + properties: + artifact: + description: Artifact represents the output of the last successful + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. 
+ format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedChartName: + description: |- + ObservedChartName is the last observed chart name as specified by the + resolved chart reference. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmChart + object. + format: int64 + type: integer + observedSourceArtifactRevision: + description: |- + ObservedSourceArtifactRevision is the last observed Artifact.Revision + of the HelmChartSpec.SourceRef. + type: string + observedValuesFiles: + description: |- + ObservedValuesFiles are the observed value files of the last successful + reconciliation. 
+ It matches the chart in the last successfully reconciled artifact. + items: + type: string + type: array + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + BucketStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: helmrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: HelmRepository + listKind: HelmRepositoryList + plural: helmrepositories + shortNames: + - helmrepo + singular: helmrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. 
+ In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + HelmRepositorySpec specifies the required configuration to produce an + Artifact for a Helm repository index YAML. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + It takes precedence over the values specified in the Secret referred + to by `.spec.secretRef`. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + insecure: + description: |- + Insecure allows connecting to a non-TLS HTTP container registry. + This field is only taken into account if the .spec.type field is set to 'oci'. + type: boolean + interval: + description: |- + Interval at which the HelmRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + passCredentials: + description: |- + PassCredentials allows the credentials from the SecretRef to be passed + on to a host that does not match the host as defined in URL. + This may be required if the host of the advertised chart URLs in the + index differ from the defined URL. + Enabling this should be done with caution, as it can potentially result + in credentials getting stolen in a MITM-attack. + type: boolean + provider: + default: generic + description: |- + Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. + This field is optional, and only taken into account if the .spec.type field is set to 'oci'. + When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the HelmRepository. + For HTTP/S basic auth the secret must contain 'username' and 'password' + fields. + Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile' + keys is deprecated. Please use `.spec.certSecretRef` instead. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + HelmRepository. 
+ type: boolean + timeout: + description: |- + Timeout is used for the index fetch operation for an HTTPS helm repository, + and for remote OCI Repository operations like pulling for an OCI helm + chart by the associated HelmChart. + Its default value is 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: |- + Type of the HelmRepository. + When this field is set to "oci", the URL field value must be prefixed with "oci://". + enum: + - default + - oci + type: string + url: + description: |- + URL of the Helm repository, a valid URL contains at least a protocol and + host. + pattern: ^(http|https|oci)://$ + type: string + required: + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus records the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the last successful HelmRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. 
+ format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmRepository + object. + format: int64 + type: integer + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + HelmRepositoryStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 HelmRepository is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmRepositorySpec defines the reference to a Helm repository. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + interval: + description: The interval at which to check the upstream for updates. + type: string + passCredentials: + description: |- + PassCredentials allows the credentials from the SecretRef to be passed on to + a host that does not match the host as defined in URL. + This may be required if the host of the advertised chart URLs in the index + differ from the defined URL. 
+ Enabling this should be done with caution, as it can potentially result in + credentials getting stolen in a MITM-attack. + type: boolean + secretRef: + description: |- + The name of the secret containing authentication credentials for the Helm + repository. + For HTTP/S basic auth the secret must contain username and + password fields. + For TLS the secret must contain a certFile and keyFile, and/or + caFile fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout of index downloading, defaults to 60s. + type: string + url: + description: The Helm repository URL, a valid URL contains at least + a protocol and host. + type: string + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus defines the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of this + artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: |- + Revision is a human readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm + chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - lastUpdateTime + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. 
+ items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the last index fetched. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 HelmRepository is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + HelmRepositorySpec specifies the required configuration to produce an + Artifact for a Helm repository index YAML. + properties: + accessFrom: + description: |- + AccessFrom specifies an Access Control List for allowing cross-namespace + references to this object. + NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092 + properties: + namespaceSelectors: + description: |- + NamespaceSelectors is the list of namespace selectors to which this ACL applies. + Items in this list are evaluated using a logical OR operation. + items: + description: |- + NamespaceSelector selects the namespaces to which this ACL applies. + An empty map of MatchLabels matches all namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + It takes precedence over the values specified in the Secret referred + to by `.spec.secretRef`. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + insecure: + description: |- + Insecure allows connecting to a non-TLS HTTP container registry. + This field is only taken into account if the .spec.type field is set to 'oci'. + type: boolean + interval: + description: |- + Interval at which the HelmRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + passCredentials: + description: |- + PassCredentials allows the credentials from the SecretRef to be passed + on to a host that does not match the host as defined in URL. + This may be required if the host of the advertised chart URLs in the + index differ from the defined URL. + Enabling this should be done with caution, as it can potentially result + in credentials getting stolen in a MITM-attack. + type: boolean + provider: + default: generic + description: |- + Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. + This field is optional, and only taken into account if the .spec.type field is set to 'oci'. + When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing authentication credentials + for the HelmRepository. + For HTTP/S basic auth the secret must contain 'username' and 'password' + fields. + Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile' + keys is deprecated. Please use `.spec.certSecretRef` instead. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend the reconciliation of this + HelmRepository. 
+ type: boolean + timeout: + description: |- + Timeout is used for the index fetch operation for an HTTPS helm repository, + and for remote OCI Repository operations like pulling for an OCI helm + chart by the associated HelmChart. + Its default value is 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: |- + Type of the HelmRepository. + When this field is set to "oci", the URL field value must be prefixed with "oci://". + enum: + - default + - oci + type: string + url: + description: |- + URL of the Helm repository, a valid URL contains at least a protocol and + host. + pattern: ^(http|https|oci)://$ + type: string + required: + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus records the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the last successful HelmRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. 
+ format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: |- + ObservedGeneration is the last observed generation of the HelmRepository + object. + format: int64 + type: integer + url: + description: |- + URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise + HelmRepositoryStatus.Artifact data is recommended. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: ocirepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: OCIRepository + listKind: OCIRepositoryList + plural: ocirepositories + shortNames: + - ocirepo + singular: ocirepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + 
schema: + openAPIV3Schema: + description: OCIRepository is the Schema for the ocirepositories API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OCIRepositorySpec defines the desired state of OCIRepository + properties: + certSecretRef: + description: |- + CertSecretRef can be given the name of a Secret containing + either or both of + + - a PEM-encoded client certificate (`tls.crt`) and private + key (`tls.key`); + - a PEM-encoded CA certificate (`ca.crt`) + + and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are + authenticating with a certificate; the CA cert is useful if + you are using a self-signed server certificate. The Secret must + be of type `Opaque` or `kubernetes.io/tls`. + + Note: Support for the `caFile`, `certFile` and `keyFile` keys have + been deprecated. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + ignore: + description: |- + Ignore overrides the set of excluded patterns in the .sourceignore format + (which is the same as .gitignore). If not provided, a default will be used, + consult the documentation for your version to find out what those are. 
+ type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP container + registry. + type: boolean + interval: + description: |- + Interval at which the OCIRepository URL is checked for updates. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + layerSelector: + description: |- + LayerSelector specifies which layer should be extracted from the OCI artifact. + When not specified, the first layer found in the artifact is selected. + properties: + mediaType: + description: |- + MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The + first layer matching this type is selected. + type: string + operation: + description: |- + Operation specifies how the selected layer should be processed. + By default, the layer compressed content is extracted to storage. + When the operation is set to 'copy', the layer compressed content + is persisted to storage as it is. + enum: + - extract + - copy + type: string + type: object + provider: + default: generic + description: |- + The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'. + When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + proxySecretRef: + description: |- + ProxySecretRef specifies the Secret containing the proxy configuration + to use while communicating with the container registry. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + ref: + description: |- + The OCI reference to pull and monitor for changes, + defaults to the latest tag. + properties: + digest: + description: |- + Digest is the image digest to pull, takes precedence over SemVer. + The value should be in the format 'sha256:'. 
+ type: string + semver: + description: |- + SemVer is the range of tags to pull selecting the latest within + the range, takes precedence over Tag. + type: string + semverFilter: + description: SemverFilter is a regex pattern to filter the tags + within the SemVer range. + type: string + tag: + description: Tag is the image tag to pull, defaults to latest. + type: string + type: object + secretRef: + description: |- + SecretRef contains the secret name containing the registry login + credentials to resolve image metadata. + The secret must be of type kubernetes.io/dockerconfigjson. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate + the image pull if the service account has attached pull secrets. For more information: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account + type: string + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for remote OCI Repository operations like + pulling, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: |- + URL is a reference to an OCI artifact repository hosted + on a remote container registry. + pattern: ^oci://$ + type: string + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + properties: + matchOIDCIdentity: + description: |- + MatchOIDCIdentity specifies the identity matching criteria to use + while verifying an OCI artifact which was signed using Cosign keyless + signing. 
The artifact's identity is deemed to be verified if any of the + specified matchers match against the identity. + items: + description: |- + OIDCIdentityMatch specifies options for verifying the certificate identity, + i.e. the issuer and the subject of the certificate. + properties: + issuer: + description: |- + Issuer specifies the regex pattern to match against to verify + the OIDC issuer in the Fulcio certificate. The pattern must be a + valid Go regular expression. + type: string + subject: + description: |- + Subject specifies the regex pattern to match against to verify + the identity subject in the Fulcio certificate. The pattern must + be a valid Go regular expression. + type: string + required: + - issuer + - subject + type: object + type: array + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: OCIRepositoryStatus defines the observed state of OCIRepository + properties: + artifact: + description: Artifact represents the output of the last successful + OCI Repository sync. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: |- + LastUpdateTime is the timestamp corresponding to the last update of the + Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. 
+ type: object + path: + description: |- + Path is the relative file path of the Artifact. It can be used to locate + the file in the root of the Artifact storage on the local file system of + the controller managing the Source. + type: string + revision: + description: |- + Revision is a human-readable identifier traceable in the origin source + system. It can be a Git commit SHA, Git tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: |- + URL is the HTTP address of the Artifact as exposed by the controller + managing the Source. It can be used to retrieve the Artifact for + consumption, e.g. by another controller applying the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the OCIRepository. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentConfigChecksum: + description: |- + ContentConfigChecksum is a checksum of all the configurations related to + the content of the source artifact: + - .spec.ignore + - .spec.layerSelector + observed in .status.observedGeneration version of the object. This can + be used to determine if the content configuration has changed and the + artifact needs to be rebuilt. + It has the format of `:`, for example: `sha256:`. + + Deprecated: Replaced with explicit fields for observed artifact content + config in the status. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedIgnore: + description: |- + ObservedIgnore is the observed exclusion patterns used for constructing + the source artifact. 
+ type: string + observedLayerSelector: + description: |- + ObservedLayerSelector is the observed layer selector used for constructing + the source artifact. + properties: + mediaType: + description: |- + MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The + first layer matching this type is selected. + type: string + operation: + description: |- + Operation specifies how the selected layer should be processed. + By default, the layer compressed content is extracted to storage. + When the operation is set to 'copy', the layer compressed content + is persisted to storage as it is. + enum: + - extract + - copy + type: string + type: object + url: + description: URL is the download link for the artifact output of the + last OCI Repository sync. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: source-controller + namespace: flux-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + control-plane: controller + name: source-controller + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: source-controller + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + control-plane: controller + name: source-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: source-controller + 
strategy: + type: Recreate + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: source-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + - --storage-path=/data + - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local. + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TUF_ROOT + value: /tmp/.sigstore + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/source-controller:v1.4.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 9090 + name: http + protocol: TCP + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 50m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /data + name: data + - mountPath: /tmp + name: tmp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: source-controller + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: data + - emptyDir: {} + name: tmp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + 
app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: kustomizations.kustomize.toolkit.fluxcd.io +spec: + group: kustomize.toolkit.fluxcd.io + names: + kind: Kustomization + listKind: KustomizationList + plural: kustomizations + shortNames: + - ks + singular: kustomization + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + KustomizationSpec defines the configuration to calculate the desired state + from a Source using Kustomize. + properties: + commonMetadata: + description: |- + CommonMetadata specifies the common labels and annotations that are + applied to all resources. Any existing label or annotation will be + overridden if its key matches a common one. 
+ properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + components: + description: Components specifies relative paths to specifications + of other Components. + items: + type: string + type: array + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice + with references to Kustomization resources that must be ready before this + Kustomization can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: |- + Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: |- + NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object + in any namespace. 
+ properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: |- + The interval at which to reconcile the Kustomization. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + The KubeConfig for reconciling the Kustomization on a remote cluster. + When used in combination with KustomizationSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when KustomizationSpec.ServiceAccountName + is empty. 
+ properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + namePrefix: + description: NamePrefix will prefix the names of all managed resources. + maxLength: 200 + minLength: 1 + type: string + nameSuffix: + description: NameSuffix will suffix the names of all managed resources. + maxLength: 200 + minLength: 1 + type: string + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. 
+ Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + path: + description: |- + Path to the directory containing the kustomization.yaml file, or the + set of plain YAMLs a kustomization.yaml should be generated for. + Defaults to 'None', which translates to the root path of the SourceRef. + type: string + postBuild: + description: |- + PostBuild describes which actions to perform on the YAML manifest + generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: |- + Substitute holds a map of key/value pairs. + The variables defined in your YAML manifests that match any of the keys + defined in the map will be substituted with the set value. 
+ Includes support for bash string replacement functions + e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: |- + SubstituteFrom holds references to ConfigMaps and Secrets containing + the variables and their values to be substituted in the YAML manifests. + The ConfigMap and the Secret data keys represent the var names, and they + must match the vars declared in the manifests for the substitution to + happen. + items: + description: |- + SubstituteReference contains a reference to a resource containing + the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + default: false + description: |- + Optional indicates whether the referenced resource must exist, or whether to + tolerate its absence. If true and the referenced resource is absent, proceed + as if the resource was present but empty, without any variables defined. + type: boolean + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: |- + The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. + type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent. 
+ type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + type: string + required: + - kind + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent kustomize executions, + it does not apply to already started executions. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. + maxLength: 63 + minLength: 1 + type: string + timeout: + description: |- + Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + wait: + description: |- + Wait instructs the controller to check the health of all the reconciled + resources. When enabled, the HealthChecks are ignored. Defaults to false. + type: boolean + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: |- + Inventory contains the list of Kubernetes resource object references that + have been successfully applied. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. 
+ type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: |- + The last successfully applied revision. + Equals the Revision of the applied Artifact from the referenced Source. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 Kustomization is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: KustomizationSpec defines the desired state of a kustomization. + properties: + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice + with references to Kustomization resources that must be ready before this + Kustomization can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: |- + Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: |- + NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object + in any namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. 
+ type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: The interval at which to reconcile the Kustomization. + type: string + kubeConfig: + description: |- + The KubeConfig for reconciling the Kustomization on a remote cluster. + When specified, KubeConfig takes precedence over ServiceAccountName. + properties: + secretRef: + description: |- + SecretRef holds the name to a secret that contains a 'value' key with + the kubeconfig file as the value. It must be in the same namespace as + the Kustomization. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + the Kustomization. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - secretRef + type: object + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. 
+ type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: JSON 6902 patches, defined as inline YAML objects. + items: + description: JSON6902Patch contains a JSON6902 patch and the target + the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document with + an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. 
+ x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: Strategic merge patches, defined as inline YAML objects. 
+ items: + x-kubernetes-preserve-unknown-fields: true + type: array + path: + description: |- + Path to the directory containing the kustomization.yaml file, or the + set of plain YAMLs a kustomization.yaml should be generated for. + Defaults to 'None', which translates to the root path of the SourceRef. + type: string + postBuild: + description: |- + PostBuild describes which actions to perform on the YAML manifest + generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: |- + Substitute holds a map of key/value pairs. + The variables defined in your YAML manifests + that match any of the keys defined in the map + will be substituted with the set value. + Includes support for bash string replacement functions + e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: |- + SubstituteFrom holds references to ConfigMaps and Secrets containing + the variables and their values to be substituted in the YAML manifests. + The ConfigMap and the Secret data keys represent the var names and they + must match the vars declared in the manifests for the substitution to happen. + items: + description: |- + SubstituteReference contains a reference to a resource containing + the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: |- + The interval at which to retry a previously failed reconciliation. 
+ When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + type: string + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. + type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - GitRepository + - Bucket + type: string + name: + description: Name of the referent + type: string + namespace: + description: Namespace of the referent, defaults to the Kustomization + namespace + type: string + required: + - kind + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent kustomize executions, + it does not apply to already started executions. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. + maxLength: 63 + minLength: 1 + type: string + timeout: + description: |- + Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + type: string + validation: + description: |- + Validate the Kubernetes objects before applying them on the cluster. + The validation strategy can be 'client' (local dry-run), 'server' + (APIServer dry-run) or 'none'. + When 'Force' is 'true', validation will fallback to 'client' if set to + 'server' because server-side validation is not supported in this scenario. + enum: + - none + - client + - server + type: string + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastAppliedRevision: + description: |- + The last successfully applied revision. + The revision format for Git sources is /. 
+ type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + snapshot: + description: The last successfully applied revision metadata. + properties: + checksum: + description: The manifests sha1 checksum. + type: string + entries: + description: A list of Kubernetes kinds grouped by namespace. + items: + description: |- + Snapshot holds the metadata of namespaced + Kubernetes objects + properties: + kinds: + additionalProperties: + type: string + description: The list of Kubernetes kinds. + type: object + namespace: + description: The namespace of this entry. + type: string + required: + - kinds + type: object + type: array + required: + - checksum + - entries + type: object + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Kustomization is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: KustomizationSpec defines the configuration to calculate + the desired state from a Source using Kustomize. + properties: + commonMetadata: + description: |- + CommonMetadata specifies the common labels and annotations that are applied to all resources. + Any existing label or annotation will be overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + components: + description: Components specifies relative paths to specifications + of other Components. + items: + type: string + type: array + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice + with references to Kustomization resources that must be ready before this + Kustomization can be reconciled. 
+ items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: |- + Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: |- + NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object + in any namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. 
+ type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: The interval at which to reconcile the Kustomization. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + The KubeConfig for reconciling the Kustomization on a remote cluster. + When used in combination with KustomizationSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when KustomizationSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. 
+ type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: |- + JSON 6902 patches, defined as inline YAML objects. + Deprecated: Use Patches instead. 
+ items: + description: JSON6902Patch contains a JSON6902 patch and the target + the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document with + an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: |- + Strategic merge patches, defined as inline YAML objects. + Deprecated: Use Patches instead. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + path: + description: |- + Path to the directory containing the kustomization.yaml file, or the + set of plain YAMLs a kustomization.yaml should be generated for. + Defaults to 'None', which translates to the root path of the SourceRef. + type: string + postBuild: + description: |- + PostBuild describes which actions to perform on the YAML manifest + generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: |- + Substitute holds a map of key/value pairs. 
+ The variables defined in your YAML manifests + that match any of the keys defined in the map + will be substituted with the set value. + Includes support for bash string replacement functions + e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: |- + SubstituteFrom holds references to ConfigMaps and Secrets containing + the variables and their values to be substituted in the YAML manifests. + The ConfigMap and the Secret data keys represent the var names and they + must match the vars declared in the manifests for the substitution to happen. + items: + description: |- + SubstituteReference contains a reference to a resource containing + the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + default: false + description: |- + Optional indicates whether the referenced resource must exist, or whether to + tolerate its absence. If true and the referenced resource is absent, proceed + as if the resource was present but empty, without any variables defined. + type: boolean + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: |- + The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. 
+ type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, defaults to the namespace + of the Kubernetes resource object that contains the reference. + type: string + required: + - kind + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent kustomize executions, + it does not apply to already started executions. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. + maxLength: 63 + minLength: 1 + type: string + timeout: + description: |- + Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + validation: + description: 'Deprecated: Not used in v1beta2.' + enum: + - none + - client + - server + type: string + wait: + description: |- + Wait instructs the controller to check the health of all the reconciled resources. + When enabled, the HealthChecks are ignored. Defaults to false. + type: boolean + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: Inventory contains the list of Kubernetes resource object + references that have been successfully applied. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. 
+ properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. + type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: |- + The last successfully applied revision. + Equals the Revision of the applied Artifact from the referenced Source. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: kustomize-controller + namespace: flux-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + control-plane: controller + name: kustomize-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: kustomize-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: kustomize-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - 
--watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/kustomize-controller:v1.4.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: kustomize-controller + terminationGracePeriodSeconds: 60 + volumes: + - emptyDir: {} + name: temp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: helmreleases.helm.toolkit.fluxcd.io +spec: + group: helm.toolkit.fluxcd.io + names: + kind: HelmRelease + listKind: HelmReleaseList + plural: helmreleases + shortNames: + - hr + singular: helmrelease + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: 
.status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v2 + schema: + openAPIV3Schema: + description: HelmRelease is the Schema for the helmreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmReleaseSpec defines the desired state of a Helm release. + properties: + chart: + description: |- + Chart defines the template of the v1.HelmChart that should be created + for this HelmRelease. + properties: + metadata: + description: ObjectMeta holds the template for metadata like labels + and annotations. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + type: object + spec: + description: Spec holds the template for the v1.HelmChartSpec + for this HelmRelease. + properties: + chart: + description: The name or path the Helm chart is available + at in the SourceRef. + maxLength: 2048 + minLength: 1 + type: string + ignoreMissingValuesFiles: + description: IgnoreMissingValuesFiles controls whether to + silently ignore missing values files rather than failing. + type: boolean + interval: + description: |- + Interval at which to check the v1.Source for updates. Defaults to + 'HelmReleaseSpec.Interval'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The name and namespace of the v1.Source the chart + is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. 
+ items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported for OCI sources. + Chart dependencies, which are not bundled in the umbrella chart artifact, + are not verified. + properties: + provider: + default: cosign + description: Provider specifies the technology used to + sign the OCI Helm chart. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version semver expression, ignored for charts from v1.GitRepository and + v1beta2.Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - sourceRef + type: object + required: + - spec + type: object + chartRef: + description: |- + ChartRef holds a reference to a source controller resource containing the + Helm chart artifact. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - HelmChart + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice with + references to HelmRelease resources that must be ready before this HelmRelease + can be reconciled. 
+ items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + driftDetection: + description: |- + DriftDetection holds the configuration for detecting and handling + differences between the manifest in the Helm storage and the resources + currently existing in the cluster. + properties: + ignore: + description: |- + Ignore contains a list of rules for specifying which changes to ignore + during diffing. + items: + description: |- + IgnoreRule defines a rule to selectively disregard specific changes during + the drift detection process. + properties: + paths: + description: |- + Paths is a list of JSON Pointer (RFC 6901) paths to be excluded from + consideration in a Kubernetes object. + items: + type: string + type: array + target: + description: |- + Target is a selector for specifying Kubernetes objects to which this + rule applies. + If Target is not set, the Paths will be ignored for all Kubernetes + objects within the manifest of the Helm release. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. 
+ Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - paths + type: object + type: array + mode: + description: |- + Mode defines how differences should be handled between the Helm manifest + and the manifest currently applied to the cluster. + If not explicitly set, it defaults to DiffModeDisabled. + enum: + - enabled + - warn + - disabled + type: string + type: object + install: + description: Install holds the configuration for Helm install actions + for this HelmRelease. + properties: + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Create` and if omitted + CRDs are installed but not updated. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are applied (installed) during Helm install action. 
+ With this option users can opt in to CRD replace existing CRDs on Helm + install actions, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + createNamespace: + description: |- + CreateNamespace tells the Helm install action to create the + HelmReleaseSpec.TargetNamespace if it does not exist yet. + On uninstall, the namespace will not be garbage collected. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm install action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm install action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableSchemaValidation: + description: |- + DisableSchemaValidation prevents the Helm install action from validating + the values against the JSON Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + install has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + install has been performed. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm install + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an install action but fail. Defaults to + 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false'. 
+ type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using an uninstall, is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + type: object + replace: + description: |- + Replace tells the Helm install action to re-use the 'ReleaseName', but only + if that name is a deleted release which remains in the history. + type: boolean + skipCRDs: + description: |- + SkipCRDs tells the Helm install action to not install any CRDs. By default, + CRDs are installed if not already present. + + Deprecated use CRD policy (`crds`) attribute with value `Skip` instead. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm install action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + interval: + description: Interval at which to reconcile the Helm release. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + KubeConfig for reconciling the HelmRelease on a remote cluster. + When used in combination with HelmReleaseSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when HelmReleaseSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. 
+ Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + maxHistory: + description: |- + MaxHistory is the number of revisions saved by Helm for this HelmRelease. + Use '0' for an unlimited number of revisions; defaults to '5'. + type: integer + persistentClient: + description: |- + PersistentClient tells the controller to use a persistent Kubernetes + client for this release. When enabled, the client will be reused for the + duration of the reconciliation, instead of being created and destroyed + for each (step of a) Helm action. + + This can improve performance, but may cause issues with some Helm charts + that for example do create Custom Resource Definitions during installation + outside Helm's CRD lifecycle hooks, which are then not observed to be + available by e.g. post-install hooks. + + If not set, it defaults to true. + type: boolean + postRenderers: + description: |- + PostRenderers holds an array of Helm PostRenderers, which will be applied in order + of their definition. + items: + description: PostRenderer contains a Helm PostRenderer specification. + properties: + kustomize: + description: Kustomization to apply as PostRenderer. + properties: + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, + a new tag or digest, which will replace the original + name and tag. 
+ properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace + the original name. + type: string + newTag: + description: NewTag is the value used to replace the + original tag. + type: string + required: + - name + type: object + type: array + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + type: object + type: object + type: array + releaseName: + description: |- + ReleaseName used for the Helm release. Defaults to a composition of + '[TargetNamespace-]Name'. + maxLength: 53 + minLength: 1 + type: string + rollback: + description: Rollback holds the configuration for Helm rollback actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + rollback action when it fails. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + rollback has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + rollback has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. 
+ type: boolean + recreate: + description: Recreate performs pod restarts for the resource if + applicable. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm rollback action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this HelmRelease. + maxLength: 253 + minLength: 1 + type: string + storageNamespace: + description: |- + StorageNamespace used for the Helm storage. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + suspend: + description: |- + Suspend tells the controller to suspend reconciliation for this HelmRelease, + it does not apply to already started reconciliations. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace to target when performing operations for the HelmRelease. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + test: + description: Test holds the configuration for Helm test actions for + this HelmRelease. + properties: + enable: + description: |- + Enable enables Helm test actions for this HelmRelease after an Helm install + or upgrade action has been performed. + type: boolean + filters: + description: Filters is a list of tests to run or exclude from + running. + items: + description: Filter holds the configuration for individual Helm + test filters. + properties: + exclude: + description: Exclude specifies whether the named test should + be excluded. + type: boolean + name: + description: Name is the name of the test. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - name + type: object + type: array + ignoreFailures: + description: |- + IgnoreFailures tells the controller to skip remediation when the Helm tests + are run but fail. Can be overwritten for tests run after install or upgrade + actions in 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation during + the performance of a Helm test action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like Jobs + for hooks) during the performance of a Helm action. Defaults to '5m0s'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + uninstall: + description: Uninstall holds the configuration for Helm uninstall + actions for this HelmRelease. + properties: + deletionPropagation: + default: background + description: |- + DeletionPropagation specifies the deletion propagation policy when + a Helm uninstall is performed. + enum: + - background + - foreground + - orphan + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables waiting for all the resources to be deleted after + a Helm uninstall is performed. + type: boolean + keepHistory: + description: |- + KeepHistory tells Helm to remove all associated resources and mark the + release as deleted, but retain the release history. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm uninstall action. Defaults + to 'HelmReleaseSpec.Timeout'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + upgrade: + description: Upgrade holds the configuration for Helm upgrade actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + upgrade action when it fails. + type: boolean + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Skip` and if omitted + CRDs are neither installed nor upgraded. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are not applied during Helm upgrade action. With this + option users can opt-in to CRD upgrade, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm upgrade action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm upgrade action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableSchemaValidation: + description: |- + DisableSchemaValidation prevents the Helm upgrade action from validating + the values against the JSON Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + upgrade has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + upgrade has been performed. 
+ type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + preserveValues: + description: |- + PreserveValues will make Helm reuse the last release's values and merge in + overrides from 'Values'. Setting this flag makes the HelmRelease + non-declarative. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm upgrade + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an upgrade action but fail. + Defaults to 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false' unless 'Retries' is greater than 0. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using 'Strategy', is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + strategy: + description: Strategy to use for failure remediation. Defaults + to 'rollback'. + enum: + - rollback + - uninstall + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm upgrade action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + values: + description: Values holds the values for this Helm release. + x-kubernetes-preserve-unknown-fields: true + valuesFrom: + description: |- + ValuesFrom holds references to resources containing Helm values for this HelmRelease, + and information about how they should be merged. 
+ items: + description: |- + ValuesReference contains a reference to a resource containing Helm values, + and optionally the key they can be found at. + properties: + kind: + description: Kind of the values referent, valid values are ('Secret', + 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + description: |- + Optional marks this ValuesReference as optional. When set, a not found error + for the values reference is ignored, but any ValuesKey, TargetPath or + transient error will still result in a reconciliation failure. + type: boolean + targetPath: + description: |- + TargetPath is the YAML dot notation path the value should be merged at. When + set, the ValuesKey is expected to be a single flat value. Defaults to 'None', + which results in the values getting merged at the root. + maxLength: 250 + pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ + type: string + valuesKey: + description: |- + ValuesKey is the data key where the values.yaml or a specific value can be + found at. Defaults to 'values.yaml'. + maxLength: 253 + pattern: ^[\-._a-zA-Z0-9]+$ + type: string + required: + - kind + - name + type: object + type: array + required: + - interval + type: object + x-kubernetes-validations: + - message: either chart or chartRef must be set + rule: (has(self.chart) && !has(self.chartRef)) || (!has(self.chart) + && has(self.chartRef)) + status: + default: + observedGeneration: -1 + description: HelmReleaseStatus defines the observed state of a HelmRelease. + properties: + conditions: + description: Conditions holds the conditions for the HelmRelease. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failures: + description: |- + Failures is the reconciliation failure count against the latest desired + state. It is reset after a successful reconciliation. 
+ format: int64 + type: integer + helmChart: + description: |- + HelmChart is the namespaced name of the HelmChart resource created by + the controller for the HelmRelease. + type: string + history: + description: |- + History holds the history of Helm releases performed for this HelmRelease + up to the last successfully completed release. + items: + description: |- + Snapshot captures a point-in-time copy of the status information for a Helm release, + as managed by the controller. + properties: + apiVersion: + description: |- + APIVersion is the API version of the Snapshot. + Provisional: when the calculation method of the Digest field is changed, + this field will be used to distinguish between the old and new methods. + type: string + appVersion: + description: AppVersion is the chart app version of the release + object in storage. + type: string + chartName: + description: ChartName is the chart name of the release object + in storage. + type: string + chartVersion: + description: |- + ChartVersion is the chart version of the release object in + storage. + type: string + configDigest: + description: |- + ConfigDigest is the checksum of the config (better known as + "values") of the release object in storage. + It has the format of `:`. + type: string + deleted: + description: Deleted is when the release was deleted. + format: date-time + type: string + digest: + description: |- + Digest is the checksum of the release object in storage. + It has the format of `:`. + type: string + firstDeployed: + description: FirstDeployed is when the release was first deployed. + format: date-time + type: string + lastDeployed: + description: LastDeployed is when the release was last deployed. + format: date-time + type: string + name: + description: Name is the name of the release. + type: string + namespace: + description: Namespace is the namespace the release is deployed + to. 
+ type: string + ociDigest: + description: OCIDigest is the digest of the OCI artifact associated + with the release. + type: string + status: + description: Status is the current state of the release. + type: string + testHooks: + additionalProperties: + description: |- + TestHookStatus holds the status information for a test hook as observed + to be run by the controller. + properties: + lastCompleted: + description: LastCompleted is the time the test hook last + completed. + format: date-time + type: string + lastStarted: + description: LastStarted is the time the test hook was + last started. + format: date-time + type: string + phase: + description: Phase the test hook was observed to be in. + type: string + type: object + description: |- + TestHooks is the list of test hooks for the release as observed to be + run by the controller. + type: object + version: + description: Version is the version of the release object in + storage. + type: integer + required: + - chartName + - chartVersion + - configDigest + - digest + - firstDeployed + - lastDeployed + - name + - namespace + - status + - version + type: object + type: array + installFailures: + description: |- + InstallFailures is the install failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + lastAttemptedConfigDigest: + description: |- + LastAttemptedConfigDigest is the digest for the config (better known as + "values") of the last reconciliation attempt. + type: string + lastAttemptedGeneration: + description: |- + LastAttemptedGeneration is the last generation the controller attempted + to reconcile. + format: int64 + type: integer + lastAttemptedReleaseAction: + description: |- + LastAttemptedReleaseAction is the last release action performed for this + HelmRelease. It is used to determine the active remediation strategy. 
+ enum: + - install + - upgrade + type: string + lastAttemptedRevision: + description: |- + LastAttemptedRevision is the Source revision of the last reconciliation + attempt. For OCIRepository sources, the 12 first characters of the digest are + appended to the chart version e.g. "1.2.3+1234567890ab". + type: string + lastAttemptedRevisionDigest: + description: |- + LastAttemptedRevisionDigest is the digest of the last reconciliation attempt. + This is only set for OCIRepository sources. + type: string + lastAttemptedValuesChecksum: + description: |- + LastAttemptedValuesChecksum is the SHA1 checksum for the values of the last + reconciliation attempt. + Deprecated: Use LastAttemptedConfigDigest instead. + type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent force request + value, so a change of the annotation value can be detected. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + lastHandledResetAt: + description: |- + LastHandledResetAt holds the value of the most recent reset request + value, so a change of the annotation value can be detected. + type: string + lastReleaseRevision: + description: |- + LastReleaseRevision is the revision of the last successful Helm release. + Deprecated: Use History instead. + type: integer + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedPostRenderersDigest: + description: |- + ObservedPostRenderersDigest is the digest for the post-renderers of + the last successful reconciliation attempt. + type: string + storageNamespace: + description: |- + StorageNamespace is the namespace of the Helm release storage for the + current release. 
+ maxLength: 63 + minLength: 1 + type: string + upgradeFailures: + description: |- + UpgradeFailures is the upgrade failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v2beta1 HelmRelease is deprecated, upgrade to v2 + name: v2beta1 + schema: + openAPIV3Schema: + description: HelmRelease is the Schema for the helmreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmReleaseSpec defines the desired state of a Helm release. + properties: + chart: + description: |- + Chart defines the template of the v1beta2.HelmChart that should be created + for this HelmRelease. + properties: + metadata: + description: ObjectMeta holds the template for metadata like labels + and annotations. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + type: object + spec: + description: Spec holds the template for the v1beta2.HelmChartSpec + for this HelmRelease. + properties: + chart: + description: The name or path the Helm chart is available + at in the SourceRef. + type: string + interval: + description: |- + Interval at which to check the v1beta2.Source for updates. Defaults to + 'HelmReleaseSpec.Interval'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The name and namespace of the v1beta2.Source + the chart is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent. 
+ maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + valuesFile: + description: |- + Alternative values file to use as the default chart values, expected to + be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, + for backwards compatibility the file defined here is merged before the + ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported for OCI sources. + Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified. + properties: + provider: + default: cosign + description: Provider specifies the technology used to + sign the OCI Helm chart. + enum: + - cosign + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version semver expression, ignored for charts from v1beta2.GitRepository and + v1beta2.Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - sourceRef + type: object + required: + - spec + type: object + chartRef: + description: |- + ChartRef holds a reference to a source controller resource containing the + Helm chart artifact. 
+ + Note: this field is provisional to the v2 API, and not actively used + by v2beta1 HelmReleases. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - HelmChart + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice with + references to HelmRelease resources that must be ready before this HelmRelease + can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + driftDetection: + description: |- + DriftDetection holds the configuration for detecting and handling + differences between the manifest in the Helm storage and the resources + currently existing in the cluster. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + properties: + ignore: + description: |- + Ignore contains a list of rules for specifying which changes to ignore + during diffing. + items: + description: |- + IgnoreRule defines a rule to selectively disregard specific changes during + the drift detection process. + properties: + paths: + description: |- + Paths is a list of JSON Pointer (RFC 6901) paths to be excluded from + consideration in a Kubernetes object. 
+ items: + type: string + type: array + target: + description: |- + Target is a selector for specifying Kubernetes objects to which this + rule applies. + If Target is not set, the Paths will be ignored for all Kubernetes + objects within the manifest of the Helm release. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - paths + type: object + type: array + mode: + description: |- + Mode defines how differences should be handled between the Helm manifest + and the manifest currently applied to the cluster. + If not explicitly set, it defaults to DiffModeDisabled. + enum: + - enabled + - warn + - disabled + type: string + type: object + install: + description: Install holds the configuration for Helm install actions + for this HelmRelease. + properties: + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Create` and if omitted + CRDs are installed but not updated. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are applied (installed) during Helm install action. + With this option users can opt-in to CRD replace existing CRDs on Helm + install actions, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + createNamespace: + description: |- + CreateNamespace tells the Helm install action to create the + HelmReleaseSpec.TargetNamespace if it does not exist yet. + On uninstall, the namespace will not be garbage collected. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm install action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm install action from validating + rendered templates against the Kubernetes OpenAPI Schema. 
+ type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + install has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + install has been performed. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm install + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an install action but fail. Defaults to + 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false'. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using an uninstall, is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + type: object + replace: + description: |- + Replace tells the Helm install action to re-use the 'ReleaseName', but only + if that name is a deleted release which remains in the history. + type: boolean + skipCRDs: + description: |- + SkipCRDs tells the Helm install action to not install any CRDs. By default, + CRDs are installed if not already present. + + Deprecated use CRD policy (`crds`) attribute with value `Skip` instead. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm install action. Defaults to + 'HelmReleaseSpec.Timeout'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + interval: + description: |- + Interval at which to reconcile the Helm release. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + KubeConfig for reconciling the HelmRelease on a remote cluster. + When used in combination with HelmReleaseSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when HelmReleaseSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + maxHistory: + description: |- + MaxHistory is the number of revisions saved by Helm for this HelmRelease. + Use '0' for an unlimited number of revisions; defaults to '10'. + type: integer + persistentClient: + description: |- + PersistentClient tells the controller to use a persistent Kubernetes + client for this release. 
When enabled, the client will be reused for the + duration of the reconciliation, instead of being created and destroyed + for each (step of a) Helm action. + + This can improve performance, but may cause issues with some Helm charts + that for example do create Custom Resource Definitions during installation + outside Helm's CRD lifecycle hooks, which are then not observed to be + available by e.g. post-install hooks. + + If not set, it defaults to true. + type: boolean + postRenderers: + description: |- + PostRenderers holds an array of Helm PostRenderers, which will be applied in order + of their definition. + items: + description: PostRenderer contains a Helm PostRenderer specification. + properties: + kustomize: + description: Kustomization to apply as PostRenderer. + properties: + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, + a new tag or digest, which will replace the original + name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace + the original name. + type: string + newTag: + description: NewTag is the value used to replace the + original tag. + type: string + required: + - name + type: object + type: array + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. 
+ properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: JSON 6902 patches, defined as inline YAML objects. + items: + description: JSON6902Patch contains a JSON6902 patch and + the target the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document + with an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the + patch document should be applied to. 
+ properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: Strategic merge patches, defined as inline + YAML objects. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: object + type: array + releaseName: + description: |- + ReleaseName used for the Helm release. 
Defaults to a composition of + '[TargetNamespace-]Name'. + maxLength: 53 + minLength: 1 + type: string + rollback: + description: Rollback holds the configuration for Helm rollback actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + rollback action when it fails. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + rollback has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + rollback has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + recreate: + description: Recreate performs pod restarts for the resource if + applicable. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm rollback action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this HelmRelease. + type: string + storageNamespace: + description: |- + StorageNamespace used for the Helm storage. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + suspend: + description: |- + Suspend tells the controller to suspend reconciliation for this HelmRelease, + it does not apply to already started reconciliations. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace to target when performing operations for the HelmRelease. 
+ Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + test: + description: Test holds the configuration for Helm test actions for + this HelmRelease. + properties: + enable: + description: |- + Enable enables Helm test actions for this HelmRelease after an Helm install + or upgrade action has been performed. + type: boolean + ignoreFailures: + description: |- + IgnoreFailures tells the controller to skip remediation when the Helm tests + are run but fail. Can be overwritten for tests run after install or upgrade + actions in 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation during + the performance of a Helm test action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like Jobs + for hooks) during the performance of a Helm action. Defaults to '5m0s'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + uninstall: + description: Uninstall holds the configuration for Helm uninstall + actions for this HelmRelease. + properties: + deletionPropagation: + default: background + description: |- + DeletionPropagation specifies the deletion propagation policy when + a Helm uninstall is performed. + enum: + - background + - foreground + - orphan + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables waiting for all the resources to be deleted after + a Helm uninstall is performed. + type: boolean + keepHistory: + description: |- + KeepHistory tells Helm to remove all associated resources and mark the + release as deleted, but retain the release history. 
+ type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm uninstall action. Defaults + to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + upgrade: + description: Upgrade holds the configuration for Helm upgrade actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + upgrade action when it fails. + type: boolean + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Skip` and if omitted + CRDs are neither installed nor upgraded. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are not applied during Helm upgrade action. With this + option users can opt-in to CRD upgrade, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm upgrade action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm upgrade action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + upgrade has been performed. 
+ type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + upgrade has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + preserveValues: + description: |- + PreserveValues will make Helm reuse the last release's values and merge in + overrides from 'Values'. Setting this flag makes the HelmRelease + non-declarative. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm upgrade + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an upgrade action but fail. + Defaults to 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false' unless 'Retries' is greater than 0. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using 'Strategy', is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + strategy: + description: Strategy to use for failure remediation. Defaults + to 'rollback'. + enum: + - rollback + - uninstall + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm upgrade action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + values: + description: Values holds the values for this Helm release. 
+ x-kubernetes-preserve-unknown-fields: true + valuesFrom: + description: |- + ValuesFrom holds references to resources containing Helm values for this HelmRelease, + and information about how they should be merged. + items: + description: |- + ValuesReference contains a reference to a resource containing Helm values, + and optionally the key they can be found at. + properties: + kind: + description: Kind of the values referent, valid values are ('Secret', + 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + description: |- + Optional marks this ValuesReference as optional. When set, a not found error + for the values reference is ignored, but any ValuesKey, TargetPath or + transient error will still result in a reconciliation failure. + type: boolean + targetPath: + description: |- + TargetPath is the YAML dot notation path the value should be merged at. When + set, the ValuesKey is expected to be a single flat value. Defaults to 'None', + which results in the values getting merged at the root. + maxLength: 250 + pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ + type: string + valuesKey: + description: |- + ValuesKey is the data key where the values.yaml or a specific value can be + found at. Defaults to 'values.yaml'. + When set, must be a valid Data Key, consisting of alphanumeric characters, + '-', '_' or '.'. + maxLength: 253 + pattern: ^[\-._a-zA-Z0-9]+$ + type: string + required: + - kind + - name + type: object + type: array + required: + - chart + - interval + type: object + status: + default: + observedGeneration: -1 + description: HelmReleaseStatus defines the observed state of a HelmRelease. + properties: + conditions: + description: Conditions holds the conditions for the HelmRelease. 
+ items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failures: + description: |- + Failures is the reconciliation failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + helmChart: + description: |- + HelmChart is the namespaced name of the HelmChart resource created by + the controller for the HelmRelease. + type: string + history: + description: |- + History holds the history of Helm releases performed for this HelmRelease + up to the last successfully completed release. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + items: + description: |- + Snapshot captures a point-in-time copy of the status information for a Helm release, + as managed by the controller. + properties: + apiVersion: + description: |- + APIVersion is the API version of the Snapshot. + Provisional: when the calculation method of the Digest field is changed, + this field will be used to distinguish between the old and new methods. + type: string + appVersion: + description: AppVersion is the chart app version of the release + object in storage. + type: string + chartName: + description: ChartName is the chart name of the release object + in storage. + type: string + chartVersion: + description: |- + ChartVersion is the chart version of the release object in + storage. + type: string + configDigest: + description: |- + ConfigDigest is the checksum of the config (better known as + "values") of the release object in storage. + It has the format of `:`. + type: string + deleted: + description: Deleted is when the release was deleted. + format: date-time + type: string + digest: + description: |- + Digest is the checksum of the release object in storage. 
+ It has the format of `:`. + type: string + firstDeployed: + description: FirstDeployed is when the release was first deployed. + format: date-time + type: string + lastDeployed: + description: LastDeployed is when the release was last deployed. + format: date-time + type: string + name: + description: Name is the name of the release. + type: string + namespace: + description: Namespace is the namespace the release is deployed + to. + type: string + ociDigest: + description: OCIDigest is the digest of the OCI artifact associated + with the release. + type: string + status: + description: Status is the current state of the release. + type: string + testHooks: + additionalProperties: + description: |- + TestHookStatus holds the status information for a test hook as observed + to be run by the controller. + properties: + lastCompleted: + description: LastCompleted is the time the test hook last + completed. + format: date-time + type: string + lastStarted: + description: LastStarted is the time the test hook was + last started. + format: date-time + type: string + phase: + description: Phase the test hook was observed to be in. + type: string + type: object + description: |- + TestHooks is the list of test hooks for the release as observed to be + run by the controller. + type: object + version: + description: Version is the version of the release object in + storage. + type: integer + required: + - chartName + - chartVersion + - configDigest + - digest + - firstDeployed + - lastDeployed + - name + - namespace + - status + - version + type: object + type: array + installFailures: + description: |- + InstallFailures is the install failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + lastAppliedRevision: + description: LastAppliedRevision is the revision of the last successfully + applied source. 
+ type: string + lastAttemptedConfigDigest: + description: |- + LastAttemptedConfigDigest is the digest for the config (better known as + "values") of the last reconciliation attempt. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + lastAttemptedGeneration: + description: |- + LastAttemptedGeneration is the last generation the controller attempted + to reconcile. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + format: int64 + type: integer + lastAttemptedReleaseAction: + description: |- + LastAttemptedReleaseAction is the last release action performed for this + HelmRelease. It is used to determine the active remediation strategy. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastAttemptedValuesChecksum: + description: |- + LastAttemptedValuesChecksum is the SHA1 checksum of the values of the last + reconciliation attempt. + type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent force request + value, so a change of the annotation value can be detected. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + lastHandledResetAt: + description: |- + LastHandledResetAt holds the value of the most recent reset request + value, so a change of the annotation value can be detected. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. 
+ type: string + lastReleaseRevision: + description: LastReleaseRevision is the revision of the last successful + Helm release. + type: integer + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedPostRenderersDigest: + description: |- + ObservedPostRenderersDigest is the digest for the post-renderers of + the last successful reconciliation attempt. + type: string + storageNamespace: + description: |- + StorageNamespace is the namespace of the Helm release storage for the + current release. + + Note: this field is provisional to the v2beta2 API, and not actively used + by v2beta1 HelmReleases. + type: string + upgradeFailures: + description: |- + UpgradeFailures is the upgrade failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v2beta2 HelmRelease is deprecated, upgrade to v2 + name: v2beta2 + schema: + openAPIV3Schema: + description: HelmRelease is the Schema for the helmreleases API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmReleaseSpec defines the desired state of a Helm release. + properties: + chart: + description: |- + Chart defines the template of the v1beta2.HelmChart that should be created + for this HelmRelease. + properties: + metadata: + description: ObjectMeta holds the template for metadata like labels + and annotations. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + labels: + additionalProperties: + type: string + description: |- + Map of string keys and values that can be used to organize and categorize + (scope and select) objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + type: object + spec: + description: Spec holds the template for the v1beta2.HelmChartSpec + for this HelmRelease. + properties: + chart: + description: The name or path the Helm chart is available + at in the SourceRef. + maxLength: 2048 + minLength: 1 + type: string + ignoreMissingValuesFiles: + description: IgnoreMissingValuesFiles controls whether to + silently ignore missing values files rather than failing. + type: boolean + interval: + description: |- + Interval at which to check the v1.Source for updates. Defaults to + 'HelmReleaseSpec.Interval'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: |- + Determines what enables the creation of a new artifact. Valid values are + ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their behavior. + Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The name and namespace of the v1.Source the chart + is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + valuesFile: + description: |- + Alternative values file to use as the default chart values, expected to + be a relative path in the SourceRef. Deprecated in favor of ValuesFiles, + for backwards compatibility the file defined here is merged before the + ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: |- + Alternative list of values files to use as the chart values (values.yaml + is not included by default), expected to be a relative path in the SourceRef. + Values files are merged in the order of this list with the last file overriding + the first. Ignored when omitted. + items: + type: string + type: array + verify: + description: |- + Verify contains the secret name containing the trusted public keys + used to verify the signature and specifies which provider to use to check + whether OCI image is authentic. + This field is only supported for OCI sources. + Chart dependencies, which are not bundled in the umbrella chart artifact, + are not verified. 
+ properties: + provider: + default: cosign + description: Provider specifies the technology used to + sign the OCI Helm chart. + enum: + - cosign + - notation + type: string + secretRef: + description: |- + SecretRef specifies the Kubernetes Secret containing the + trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: |- + Version semver expression, ignored for charts from v1beta2.GitRepository and + v1beta2.Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - sourceRef + type: object + required: + - spec + type: object + chartRef: + description: |- + ChartRef holds a reference to a source controller resource containing the + Helm chart artifact. + + Note: this field is provisional to the v2 API, and not actively used + by v2beta2 HelmReleases. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - HelmChart + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referent, defaults to the namespace of the Kubernetes + resource object that contains the reference. + maxLength: 63 + minLength: 1 + type: string + required: + - kind + - name + type: object + dependsOn: + description: |- + DependsOn may contain a meta.NamespacedObjectReference slice with + references to HelmRelease resources that must be ready before this HelmRelease + can be reconciled. + items: + description: |- + NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any + namespace. + properties: + name: + description: Name of the referent. 
+ type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + driftDetection: + description: |- + DriftDetection holds the configuration for detecting and handling + differences between the manifest in the Helm storage and the resources + currently existing in the cluster. + properties: + ignore: + description: |- + Ignore contains a list of rules for specifying which changes to ignore + during diffing. + items: + description: |- + IgnoreRule defines a rule to selectively disregard specific changes during + the drift detection process. + properties: + paths: + description: |- + Paths is a list of JSON Pointer (RFC 6901) paths to be excluded from + consideration in a Kubernetes object. + items: + type: string + type: array + target: + description: |- + Target is a selector for specifying Kubernetes objects to which this + rule applies. + If Target is not set, the Paths will be ignored for all Kubernetes + objects within the manifest of the Helm release. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - paths + type: object + type: array + mode: + description: |- + Mode defines how differences should be handled between the Helm manifest + and the manifest currently applied to the cluster. + If not explicitly set, it defaults to DiffModeDisabled. + enum: + - enabled + - warn + - disabled + type: string + type: object + install: + description: Install holds the configuration for Helm install actions + for this HelmRelease. + properties: + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Create` and if omitted + CRDs are installed but not updated. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. + + By default, CRDs are applied (installed) during Helm install action. 
+ With this option users can opt in to CRD replace existing CRDs on Helm + install actions, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + createNamespace: + description: |- + CreateNamespace tells the Helm install action to create the + HelmReleaseSpec.TargetNamespace if it does not exist yet. + On uninstall, the namespace will not be garbage collected. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm install action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm install action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + install has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + install has been performed. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm install + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an install action but fail. Defaults to + 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false'. + type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using an uninstall, is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. 
+ type: integer + type: object + replace: + description: |- + Replace tells the Helm install action to re-use the 'ReleaseName', but only + if that name is a deleted release which remains in the history. + type: boolean + skipCRDs: + description: |- + SkipCRDs tells the Helm install action to not install any CRDs. By default, + CRDs are installed if not already present. + + Deprecated use CRD policy (`crds`) attribute with value `Skip` instead. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm install action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + interval: + description: Interval at which to reconcile the Helm release. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: |- + KubeConfig for reconciling the HelmRelease on a remote cluster. + When used in combination with HelmReleaseSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at the + target cluster. + If the --default-service-account flag is set, its value will be used as + a controller level fallback for when HelmReleaseSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: |- + SecretRef holds the name of a secret that contains a key with + the kubeconfig file as the value. If no key is set, the key will default + to 'value'. + It is recommended that the kubeconfig is self-contained, and the secret + is regularly updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without adding + binaries and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. 
+ type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + maxHistory: + description: |- + MaxHistory is the number of revisions saved by Helm for this HelmRelease. + Use '0' for an unlimited number of revisions; defaults to '5'. + type: integer + persistentClient: + description: |- + PersistentClient tells the controller to use a persistent Kubernetes + client for this release. When enabled, the client will be reused for the + duration of the reconciliation, instead of being created and destroyed + for each (step of a) Helm action. + + This can improve performance, but may cause issues with some Helm charts + that for example do create Custom Resource Definitions during installation + outside Helm's CRD lifecycle hooks, which are then not observed to be + available by e.g. post-install hooks. + + If not set, it defaults to true. + type: boolean + postRenderers: + description: |- + PostRenderers holds an array of Helm PostRenderers, which will be applied in order + of their definition. + items: + description: PostRenderer contains a Helm PostRenderer specification. + properties: + kustomize: + description: Kustomization to apply as PostRenderer. + properties: + images: + description: |- + Images is a list of (image name, new name, new tag or digest) + for changing image names, tags or digests. This can also be achieved with a + patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, + a new tag or digest, which will replace the original + name and tag. + properties: + digest: + description: |- + Digest is the value used to replace the original image tag. + If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace + the original name. 
+ type: string + newTag: + description: NewTag is the value used to replace the + original tag. + type: string + required: + - name + type: object + type: array + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. 
+ type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: |- + JSON 6902 patches, defined as inline YAML objects. + Deprecated: use Patches instead. + items: + description: JSON6902Patch contains a JSON6902 patch and + the target the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document + with an array of operation objects. + items: + description: |- + JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: |- + From contains a JSON-pointer value that references a location within the target document where the operation is + performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations. + type: string + op: + description: |- + Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or + "test". + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: |- + Path contains the JSON-pointer value that references a location within the target document where the operation + is performed. The meaning of the value depends on the value of Op. + type: string + value: + description: |- + Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into + account by all operations. 
+ x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: |- + Strategic merge patches, defined as inline YAML objects. 
+ Deprecated: use Patches instead. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: object + type: array + releaseName: + description: |- + ReleaseName used for the Helm release. Defaults to a composition of + '[TargetNamespace-]Name'. + maxLength: 53 + minLength: 1 + type: string + rollback: + description: Rollback holds the configuration for Helm rollback actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + rollback action when it fails. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + rollback has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + rollback has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + recreate: + description: Recreate performs pod restarts for the resource if + applicable. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm rollback action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + serviceAccountName: + description: |- + The name of the Kubernetes service account to impersonate + when reconciling this HelmRelease. + maxLength: 253 + minLength: 1 + type: string + storageNamespace: + description: |- + StorageNamespace used for the Helm storage. + Defaults to the namespace of the HelmRelease. 
+ maxLength: 63 + minLength: 1 + type: string + suspend: + description: |- + Suspend tells the controller to suspend reconciliation for this HelmRelease, + it does not apply to already started reconciliations. Defaults to false. + type: boolean + targetNamespace: + description: |- + TargetNamespace to target when performing operations for the HelmRelease. + Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + test: + description: Test holds the configuration for Helm test actions for + this HelmRelease. + properties: + enable: + description: |- + Enable enables Helm test actions for this HelmRelease after an Helm install + or upgrade action has been performed. + type: boolean + filters: + description: Filters is a list of tests to run or exclude from + running. + items: + description: Filter holds the configuration for individual Helm + test filters. + properties: + exclude: + description: Exclude specifies whether the named test should + be excluded. + type: boolean + name: + description: Name is the name of the test. + maxLength: 253 + minLength: 1 + type: string + required: + - name + type: object + type: array + ignoreFailures: + description: |- + IgnoreFailures tells the controller to skip remediation when the Helm tests + are run but fail. Can be overwritten for tests run after install or upgrade + actions in 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation during + the performance of a Helm test action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like Jobs + for hooks) during the performance of a Helm action. Defaults to '5m0s'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + uninstall: + description: Uninstall holds the configuration for Helm uninstall + actions for this HelmRelease. + properties: + deletionPropagation: + default: background + description: |- + DeletionPropagation specifies the deletion propagation policy when + a Helm uninstall is performed. + enum: + - background + - foreground + - orphan + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: |- + DisableWait disables waiting for all the resources to be deleted after + a Helm uninstall is performed. + type: boolean + keepHistory: + description: |- + KeepHistory tells Helm to remove all associated resources and mark the + release as deleted, but retain the release history. + type: boolean + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm uninstall action. Defaults + to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + upgrade: + description: Upgrade holds the configuration for Helm upgrade actions + for this HelmRelease. + properties: + cleanupOnFail: + description: |- + CleanupOnFail allows deletion of new resources created during the Helm + upgrade action when it fails. + type: boolean + crds: + description: |- + CRDs upgrade CRDs from the Helm Chart's crds directory according + to the CRD upgrade policy provided here. Valid values are `Skip`, + `Create` or `CreateReplace`. Default is `Skip` and if omitted + CRDs are neither installed nor upgraded. + + Skip: do neither install nor replace (update) any CRDs. + + Create: new CRDs are created, existing CRDs are neither updated nor deleted. + + CreateReplace: new CRDs are created, existing CRDs are updated (replaced) + but not deleted. 
+ + By default, CRDs are not applied during Helm upgrade action. With this + option users can opt-in to CRD upgrade, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions. + enum: + - Skip + - Create + - CreateReplace + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm upgrade action. + type: boolean + disableOpenAPIValidation: + description: |- + DisableOpenAPIValidation prevents the Helm upgrade action from validating + rendered templates against the Kubernetes OpenAPI Schema. + type: boolean + disableWait: + description: |- + DisableWait disables the waiting for resources to be ready after a Helm + upgrade has been performed. + type: boolean + disableWaitForJobs: + description: |- + DisableWaitForJobs disables waiting for jobs to complete after a Helm + upgrade has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + preserveValues: + description: |- + PreserveValues will make Helm reuse the last release's values and merge in + overrides from 'Values'. Setting this flag makes the HelmRelease + non-declarative. + type: boolean + remediation: + description: |- + Remediation holds the remediation configuration for when the Helm upgrade + action for the HelmRelease fails. The default is to not perform any action. + properties: + ignoreTestFailures: + description: |- + IgnoreTestFailures tells the controller to skip remediation when the Helm + tests are run after an upgrade action but fail. + Defaults to 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: |- + RemediateLastFailure tells the controller to remediate the last failure, when + no retries remain. Defaults to 'false' unless 'Retries' is greater than 0. 
+ type: boolean + retries: + description: |- + Retries is the number of retries that should be attempted on failures before + bailing. Remediation, using 'Strategy', is performed between each attempt. + Defaults to '0', a negative integer equals to unlimited retries. + type: integer + strategy: + description: Strategy to use for failure remediation. Defaults + to 'rollback'. + enum: + - rollback + - uninstall + type: string + type: object + timeout: + description: |- + Timeout is the time to wait for any individual Kubernetes operation (like + Jobs for hooks) during the performance of a Helm upgrade action. Defaults to + 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + values: + description: Values holds the values for this Helm release. + x-kubernetes-preserve-unknown-fields: true + valuesFrom: + description: |- + ValuesFrom holds references to resources containing Helm values for this HelmRelease, + and information about how they should be merged. + items: + description: |- + ValuesReference contains a reference to a resource containing Helm values, + and optionally the key they can be found at. + properties: + kind: + description: Kind of the values referent, valid values are ('Secret', + 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: |- + Name of the values referent. Should reside in the same namespace as the + referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + description: |- + Optional marks this ValuesReference as optional. When set, a not found error + for the values reference is ignored, but any ValuesKey, TargetPath or + transient error will still result in a reconciliation failure. + type: boolean + targetPath: + description: |- + TargetPath is the YAML dot notation path the value should be merged at. When + set, the ValuesKey is expected to be a single flat value. 
Defaults to 'None', + which results in the values getting merged at the root. + maxLength: 250 + pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ + type: string + valuesKey: + description: |- + ValuesKey is the data key where the values.yaml or a specific value can be + found at. Defaults to 'values.yaml'. + maxLength: 253 + pattern: ^[\-._a-zA-Z0-9]+$ + type: string + required: + - kind + - name + type: object + type: array + required: + - interval + type: object + x-kubernetes-validations: + - message: either chart or chartRef must be set + rule: (has(self.chart) && !has(self.chartRef)) || (!has(self.chart) + && has(self.chartRef)) + status: + default: + observedGeneration: -1 + description: HelmReleaseStatus defines the observed state of a HelmRelease. + properties: + conditions: + description: Conditions holds the conditions for the HelmRelease. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failures: + description: |- + Failures is the reconciliation failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + helmChart: + description: |- + HelmChart is the namespaced name of the HelmChart resource created by + the controller for the HelmRelease. + type: string + history: + description: |- + History holds the history of Helm releases performed for this HelmRelease + up to the last successfully completed release. + items: + description: |- + Snapshot captures a point-in-time copy of the status information for a Helm release, + as managed by the controller. + properties: + apiVersion: + description: |- + APIVersion is the API version of the Snapshot. + Provisional: when the calculation method of the Digest field is changed, + this field will be used to distinguish between the old and new methods. + type: string + appVersion: + description: AppVersion is the chart app version of the release + object in storage. + type: string + chartName: + description: ChartName is the chart name of the release object + in storage. 
+ type: string + chartVersion: + description: |- + ChartVersion is the chart version of the release object in + storage. + type: string + configDigest: + description: |- + ConfigDigest is the checksum of the config (better known as + "values") of the release object in storage. + It has the format of `:`. + type: string + deleted: + description: Deleted is when the release was deleted. + format: date-time + type: string + digest: + description: |- + Digest is the checksum of the release object in storage. + It has the format of `:`. + type: string + firstDeployed: + description: FirstDeployed is when the release was first deployed. + format: date-time + type: string + lastDeployed: + description: LastDeployed is when the release was last deployed. + format: date-time + type: string + name: + description: Name is the name of the release. + type: string + namespace: + description: Namespace is the namespace the release is deployed + to. + type: string + ociDigest: + description: OCIDigest is the digest of the OCI artifact associated + with the release. + type: string + status: + description: Status is the current state of the release. + type: string + testHooks: + additionalProperties: + description: |- + TestHookStatus holds the status information for a test hook as observed + to be run by the controller. + properties: + lastCompleted: + description: LastCompleted is the time the test hook last + completed. + format: date-time + type: string + lastStarted: + description: LastStarted is the time the test hook was + last started. + format: date-time + type: string + phase: + description: Phase the test hook was observed to be in. + type: string + type: object + description: |- + TestHooks is the list of test hooks for the release as observed to be + run by the controller. + type: object + version: + description: Version is the version of the release object in + storage. 
+ type: integer + required: + - chartName + - chartVersion + - configDigest + - digest + - firstDeployed + - lastDeployed + - name + - namespace + - status + - version + type: object + type: array + installFailures: + description: |- + InstallFailures is the install failure count against the latest desired + state. It is reset after a successful reconciliation. + format: int64 + type: integer + lastAppliedRevision: + description: |- + LastAppliedRevision is the revision of the last successfully applied + source. + Deprecated: the revision can now be found in the History. + type: string + lastAttemptedConfigDigest: + description: |- + LastAttemptedConfigDigest is the digest for the config (better known as + "values") of the last reconciliation attempt. + type: string + lastAttemptedGeneration: + description: |- + LastAttemptedGeneration is the last generation the controller attempted + to reconcile. + format: int64 + type: integer + lastAttemptedReleaseAction: + description: |- + LastAttemptedReleaseAction is the last release action performed for this + HelmRelease. It is used to determine the active remediation strategy. + enum: + - install + - upgrade + type: string + lastAttemptedRevision: + description: |- + LastAttemptedRevision is the Source revision of the last reconciliation + attempt. For OCIRepository sources, the 12 first characters of the digest are + appended to the chart version e.g. "1.2.3+1234567890ab". + type: string + lastAttemptedRevisionDigest: + description: |- + LastAttemptedRevisionDigest is the digest of the last reconciliation attempt. + This is only set for OCIRepository sources. + type: string + lastAttemptedValuesChecksum: + description: |- + LastAttemptedValuesChecksum is the SHA1 checksum for the values of the last + reconciliation attempt. + Deprecated: Use LastAttemptedConfigDigest instead. 
+ type: string + lastHandledForceAt: + description: |- + LastHandledForceAt holds the value of the most recent force request + value, so a change of the annotation value can be detected. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + lastHandledResetAt: + description: |- + LastHandledResetAt holds the value of the most recent reset request + value, so a change of the annotation value can be detected. + type: string + lastReleaseRevision: + description: |- + LastReleaseRevision is the revision of the last successful Helm release. + Deprecated: Use History instead. + type: integer + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedPostRenderersDigest: + description: |- + ObservedPostRenderersDigest is the digest for the post-renderers of + the last successful reconciliation attempt. + type: string + storageNamespace: + description: |- + StorageNamespace is the namespace of the Helm release storage for the + current release. + maxLength: 63 + minLength: 1 + type: string + upgradeFailures: + description: |- + UpgradeFailures is the upgrade failure count against the latest desired + state. It is reset after a successful reconciliation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: helm-controller + namespace: flux-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + control-plane: controller + name: helm-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: helm-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: helm-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/helm-controller:v1.1.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + 
seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: helm-controller + terminationGracePeriodSeconds: 600 + volumes: + - emptyDir: {} + name: temp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: alerts.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Alert + listKind: AlertList + plural: alerts + singular: alert + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta1 Alert is deprecated, upgrade to v1beta3 + name: v1beta1 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects + properties: + eventSeverity: + default: info + description: |- + Filter events based on severity, defaults to ('info'). + If set to 'info' no events will be filtered. + enum: + - info + - error + type: string + eventSources: + description: Filter events based on the involved objects. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + name: + description: Name of the referent + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + exclusionList: + description: A list of Golang regular expressions to be used for excluding + messages. + items: + type: string + type: array + providerRef: + description: Send events using this provider. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + summary: + description: Short description of the impact and affected cluster. + type: string + suspend: + description: |- + This flag tells the controller to suspend subsequent events dispatching. + Defaults to false. + type: boolean + required: + - eventSources + - providerRef + type: object + status: + default: + observedGeneration: -1 + description: AlertStatus defines the observed state of Alert + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Alert is deprecated, upgrade to v1beta3 + name: v1beta2 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects. + properties: + eventMetadata: + additionalProperties: + type: string + description: |- + EventMetadata is an optional field for adding metadata to events dispatched by the + controller. This can be used for enhancing the context of the event. If a field + would override one already present on the original event as generated by the emitter, + then the override doesn't happen, i.e. the original value is preserved, and an info + log is printed. + type: object + eventSeverity: + default: info + description: |- + EventSeverity specifies how to filter events based on severity. + If set to 'info' no events will be filtered. + enum: + - info + - error + type: string + eventSources: + description: |- + EventSources specifies how to filter events based + on the involved object kind, name and namespace. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. 
+ type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + exclusionList: + description: |- + ExclusionList specifies a list of Golang regular expressions + to be used for excluding messages. + items: + type: string + type: array + inclusionList: + description: |- + InclusionList specifies a list of Golang regular expressions + to be used for including messages. + items: + type: string + type: array + providerRef: + description: ProviderRef specifies which Provider this Alert should + use. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + summary: + description: Summary holds a short description of the impact and affected + cluster. + maxLength: 255 + type: string + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Alert. + type: boolean + required: + - eventSources + - providerRef + type: object + status: + default: + observedGeneration: -1 + description: AlertStatus defines the observed state of the Alert. + properties: + conditions: + description: Conditions holds the conditions for the Alert. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects. + properties: + eventMetadata: + additionalProperties: + type: string + description: |- + EventMetadata is an optional field for adding metadata to events dispatched by the + controller. This can be used for enhancing the context of the event. If a field + would override one already present on the original event as generated by the emitter, + then the override doesn't happen, i.e. the original value is preserved, and an info + log is printed. + type: object + eventSeverity: + default: info + description: |- + EventSeverity specifies how to filter events based on severity. + If set to 'info' no events will be filtered. + enum: + - info + - error + type: string + eventSources: + description: |- + EventSources specifies how to filter events based + on the involved object kind, name and namespace. 
+ items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. + type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + exclusionList: + description: |- + ExclusionList specifies a list of Golang regular expressions + to be used for excluding messages. + items: + type: string + type: array + inclusionList: + description: |- + InclusionList specifies a list of Golang regular expressions + to be used for including messages. + items: + type: string + type: array + providerRef: + description: ProviderRef specifies which Provider this Alert should + use. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + summary: + description: Summary holds a short description of the impact and affected + cluster. + maxLength: 255 + type: string + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Alert. 
+ type: boolean + required: + - eventSources + - providerRef + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: providers.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta1 Provider is deprecated, upgrade to v1beta3 + name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of Provider + properties: + address: + description: HTTP/S webhook address of this provider + pattern: ^(http|https):// + type: string + certSecretRef: + description: |- + CertSecretRef can be given the name of a secret containing + a PEM-encoded CA certificate (`caFile`) + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + channel: + description: Alert channel for this provider + type: string + proxy: + description: HTTP/S address of the proxy + pattern: ^(http|https):// + type: string + secretRef: + description: |- + Secret reference containing the provider webhook URL + using "address" as data key + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent events handling. + Defaults to false. + type: boolean + timeout: + description: Timeout for sending alerts to the provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type of provider + enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - azuredevops + - googlechat + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + type: string + username: + description: Bot username for this provider + type: string + required: + - type + type: object + status: + default: + observedGeneration: -1 + description: ProviderStatus defines the observed state of Provider + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last reconciled generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Provider is deprecated, upgrade to v1beta3 + name: v1beta2 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of the Provider. + properties: + address: + description: |- + Address specifies the endpoint, in a generic sense, to where alerts are sent. + What kind of endpoint depends on the specific Provider type being used. + For the generic Provider, for example, this is an HTTP/S address. + For other Provider types this could be a project ID or a namespace. + maxLength: 2048 + type: string + certSecretRef: + description: |- + CertSecretRef specifies the Secret containing + a PEM-encoded CA certificate (in the `ca.crt` key). + + Note: Support for the `caFile` key has + been deprecated. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + channel: + description: Channel specifies the destination channel where events + should be posted. + maxLength: 2048 + type: string + interval: + description: Interval at which to reconcile the Provider with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + proxy: + description: Proxy the HTTP/S address of the proxy server. + maxLength: 2048 + pattern: ^(http|https)://$ + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the authentication + credentials for this Provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Provider. + type: boolean + timeout: + description: Timeout for sending alerts to the Provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type specifies which Provider implementation to use. + enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - gitea + - bitbucketserver + - bitbucket + - azuredevops + - googlechat + - googlepubsub + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + - pagerduty + - datadog + type: string + username: + description: Username specifies the name under which events are posted. + maxLength: 2048 + type: string + required: + - type + type: object + status: + default: + observedGeneration: -1 + description: ProviderStatus defines the observed state of the Provider. + properties: + conditions: + description: Conditions holds the conditions for the Provider. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of the Provider. + properties: + address: + description: |- + Address specifies the endpoint, in a generic sense, to where alerts are sent. + What kind of endpoint depends on the specific Provider type being used. + For the generic Provider, for example, this is an HTTP/S address. + For other Provider types this could be a project ID or a namespace. + maxLength: 2048 + type: string + certSecretRef: + description: |- + CertSecretRef specifies the Secret containing + a PEM-encoded CA certificate (in the `ca.crt` key). + + Note: Support for the `caFile` key has + been deprecated. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + channel: + description: Channel specifies the destination channel where events + should be posted. + maxLength: 2048 + type: string + interval: + description: |- + Interval at which to reconcile the Provider with its Secret references. + Deprecated and not used in v1beta3. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + proxy: + description: Proxy the HTTP/S address of the proxy server. + maxLength: 2048 + pattern: ^(http|https)://$ + type: string + secretRef: + description: |- + SecretRef specifies the Secret containing the authentication + credentials for this Provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this Provider. + type: boolean + timeout: + description: Timeout for sending alerts to the Provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type specifies which Provider implementation to use. + enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - gitea + - bitbucketserver + - bitbucket + - azuredevops + - googlechat + - googlepubsub + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + - pagerduty + - datadog + - nats + type: string + username: + description: Username specifies the name under which events are posted. 
+ maxLength: 2048 + type: string + required: + - type + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: receivers.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Receiver + listKind: ReceiverList + plural: receivers + singular: receiver + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of the Receiver. + properties: + events: + description: |- + Events specifies the list of event types to handle, + e.g. 
'push' for GitHub or 'Push Hook' for GitLab. + items: + type: string + type: array + interval: + default: 10m + description: Interval at which to reconcile the Receiver with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + resources: + description: A list of resources to be notified about changes. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. + type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: |- + SecretRef specifies the Secret containing the token used + to validate the payload authenticity. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this receiver. 
+ type: boolean + type: + description: |- + Type of webhook sender, used to determine + the validation procedure and payload deserialization. + enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + - cdevents + type: string + required: + - resources + - secretRef + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of the Receiver. + properties: + conditions: + description: Conditions holds the conditions for the Receiver. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Receiver object. + format: int64 + type: integer + webhookPath: + description: |- + WebhookPath is the generated incoming webhook address in the format + of '/hook/sha256sum(token+name+namespace)'. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta1 Receiver is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of Receiver + properties: + events: + description: |- + A list of events to handle, + e.g. 'push' for GitHub or 'Push Hook' for GitLab. + items: + type: string + type: array + resources: + description: A list of resources to be notified about changes. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + name: + description: Name of the referent + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: |- + Secret reference containing the token used + to validate the payload authenticity + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + This flag tells the controller to suspend subsequent events handling. + Defaults to false. + type: boolean + type: + description: |- + Type of webhook sender, used to determine + the validation procedure and payload deserialization. + enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + type: string + required: + - resources + - secretRef + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of Receiver + properties: + conditions: + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: |- + Generated webhook URL in the format + of '/hook/sha256sum(token+name+namespace)'. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Receiver is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of the Receiver. + properties: + events: + description: |- + Events specifies the list of event types to handle, + e.g. 'push' for GitHub or 'Push Hook' for GitLab. + items: + type: string + type: array + interval: + description: Interval at which to reconcile the Receiver with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + resources: + description: A list of resources to be notified about changes. + items: + description: |- + CrossNamespaceObjectReference contains enough information to let you locate the + typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: |- + MatchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + MatchLabels requires the name to be set to `*`. + type: object + name: + description: |- + Name of the referent + If multiple resources are targeted `*` may be set. + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: |- + SecretRef specifies the Secret containing the token used + to validate the payload authenticity. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: |- + Suspend tells the controller to suspend subsequent + events handling for this receiver. + type: boolean + type: + description: |- + Type of webhook sender, used to determine + the validation procedure and payload deserialization. + enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + type: string + required: + - resources + - secretRef + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of the Receiver. + properties: + conditions: + description: Conditions holds the conditions for the Receiver. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Receiver object. 
+ format: int64 + type: integer + url: + description: |- + URL is the generated incoming webhook address in the format + of '/hook/sha256sum(token+name+namespace)'. + Deprecated: Replaced by WebhookPath. + type: string + webhookPath: + description: |- + WebhookPath is the generated incoming webhook address in the format + of '/hook/sha256sum(token+name+namespace)'. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + name: notification-controller + namespace: flux-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + control-plane: controller + name: notification-controller + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: notification-controller + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + control-plane: controller + name: webhook-receiver + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http-webhook + selector: + app: notification-controller + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.4.0 + control-plane: controller + name: notification-controller + namespace: flux-system +spec: + replicas: 1 + 
selector: + matchLabels: + app: notification-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: notification-controller + spec: + containers: + - args: + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: manager + resource: limits.memory + image: ghcr.io/fluxcd/notification-controller:v1.4.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 9090 + name: http + protocol: TCP + - containerPort: 9292 + name: http-webhook + protocol: TCP + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + securityContext: + fsGroup: 1337 + serviceAccountName: notification-controller + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: temp diff --git a/clusters/dolo/flux-system/gotk-sync.yaml b/clusters/dolo/flux-system/gotk-sync.yaml new file mode 100644 index 0000000..a043391 --- /dev/null +++ b/clusters/dolo/flux-system/gotk-sync.yaml 
@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: flux-system
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ ref:
+ branch: master
+ secretRef:
+ name: flux-system
+ url: https://git.mnke.org/tony/homelab.git
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: flux-system
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ path: ./clusters/dolo
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
diff --git a/clusters/dolo/flux-system/kustomization.yaml b/clusters/dolo/flux-system/kustomization.yaml
new file mode 100644
index 0000000..3842229
--- /dev/null
+++ b/clusters/dolo/flux-system/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml
diff --git a/data/ssh/id_rsa.pub b/data/ssh/id_rsa.pub
new file mode 100644
index 0000000..529e1ac
--- /dev/null
+++ b/data/ssh/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDc9zu9e7Pabd214TfV0drG7Bw2B1RYSNvcFVrbTlrLR0JX2vZOA9SdvE2VmDABNh8ETddgNRYmDudooqHVvOAtWLKD3O7uPsjfq9pL9OxgYhe/0posS4v8/KL7d7eSWAGUNWpQRB2wSpwf5tJbGAMNmsAaES+6ePJE7EcPhXB6YaJarr3JiJsy7yy6yMMGy9lxUU9rpfi9MJRFUEpklLakWuhrUqQdzmIXigDAhiy2RSKhD4JzwKdEmWPhTjTnMltpa3EXiHIJ+3CHsx0MY4yiG/JYqRZ93shpqFzHw6TwPDTB3GgrQm68TK8Cf05Wl2QPdmcZvd0lbZOZnu4pkpZXXlywp35rKMPS9AsQ+/H+ut9Y0DBRbvClHFDupIHtNOsF1UXcabszfhgou/Uz77ZNlsgJVh0klKzh1Z2FWEGlU9i1TJs4H4OMBALQVXPpEz5vL6fYW3Iw30WUGciF4EZecJEu7bz6pN/RK6F57hjcjK0hi31+BR7ktCku2irB0Ds= tony@titanium
diff --git a/proxmox/ansible/.gitignore b/proxmox/ansible/.gitignore
new file mode 100644
index 0000000..f940e0b
--- /dev/null
+++ b/proxmox/ansible/.gitignore
@@ -0,0 +1 @@
+kubeconfig
diff --git a/proxmox/ansible/ansible.cfg b/proxmox/ansible/ansible.cfg
new file mode 100644
index 0000000..9e14959
--- /dev/null
+++ b/proxmox/ansible/ansible.cfg
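Review bot: `data/ssh/id_rsa.pub` commits only the public half of a key pair, which is fine, but nothing in this commit keeps the matching private key out of the tree if it is generated into the same directory; the only ignore rule added nearby is `kubeconfig` in `proxmox/ansible/.gitignore`. Consider adding an ignore rule such as `data/ssh/id_rsa` (or `data/ssh/*` followed by `!data/ssh/*.pub`) so a later `git add data/` cannot pick up the private key. The `ssh-rsa` prefix and the blob length suggest a 3072-bit RSA key; that is acceptable today, but a short comment next to the file noting which hosts or cloud-init templates consume this key would help the next maintainer know what rotating it affects.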
@@ -0,0 +1,712 @@ +[defaults] +# (boolean) By default, Ansible will issue a warning when received from a task action (module or action plugin). +# These warnings can be silenced by adjusting this setting to False. +;action_warnings=True + +# (list) Accept a list of cowsay templates that are 'safe' to use, set to an empty list if you want to enable all installed templates. +;cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www + +# (string) Specify a custom cowsay path or swap in your cowsay implementation of choice. +;cowpath= + +# (string) This allows you to choose a specific cowsay stencil for the banners or use 'random' to cycle through them. +;cow_selection=default + +# (boolean) This option forces color mode even when running without a TTY or the "nocolor" setting is True. +;force_color=False + +# (path) The default root path for Ansible config files on the controller. +;home=~/.ansible + +# (boolean) This setting allows suppressing colorizing output, which is used to give a better indication of failure and status information. +;nocolor=False + +# (boolean) If you have cowsay installed but want to avoid the 'cows' (why????), use this. +;nocows=False + +# (boolean) Sets the default value for the any_errors_fatal keyword, if True, Task failures will be considered fatal errors. +;any_errors_fatal=False + +# (path) The password file to use for the become plugin. ``--become-password-file``. +# If executable, it will be run and the resulting stdout will be used as the password. +;become_password_file= + +# (pathspec) Colon-separated paths in which Ansible will search for Become Plugins. 
+;become_plugins=/home/tony/.ansible/plugins/become:/usr/share/ansible/plugins/become + +# (string) Chooses which cache plugin to use, the default 'memory' is ephemeral. +;fact_caching=memory + +# (string) Defines connection or path information for the cache plugin. +;fact_caching_connection= + +# (string) Prefix to use for cache plugin files/tables. +;fact_caching_prefix=ansible_facts + +# (integer) Expiration timeout for the cache plugin data. +;fact_caching_timeout=86400 + +# (list) List of enabled callbacks, not all callbacks need enabling, but many of those shipped with Ansible do as we don't want them activated by default. +;callbacks_enabled= + +# (string) When a collection is loaded that does not support the running Ansible version (with the collection metadata key `requires_ansible`). +;collections_on_ansible_version_mismatch=warning + +# (pathspec) Colon-separated paths in which Ansible will search for collections content. Collections must be in nested *subdirectories*, not directly in these directories. For example, if ``COLLECTIONS_PATHS`` includes ``'{{ ANSIBLE_HOME ~ "/collections" }}'``, and you want to add ``my.collection`` to that directory, it must be saved as ``'{{ ANSIBLE_HOME} ~ "/collections/ansible_collections/my/collection" }}'``. + +;collections_path=/home/tony/.ansible/collections:/usr/share/ansible/collections + +# (boolean) A boolean to enable or disable scanning the sys.path for installed collections. +;collections_scan_sys_path=True + +# (path) The password file to use for the connection plugin. ``--connection-password-file``. +;connection_password_file= + +# (pathspec) Colon-separated paths in which Ansible will search for Action Plugins. +;action_plugins=/home/tony/.ansible/plugins/action:/usr/share/ansible/plugins/action + +# (boolean) When enabled, this option allows lookup plugins (whether used in variables as ``{{lookup('foo')}}`` or as a loop as with_foo) to return data that is not marked 'unsafe'. 
+# By default, such data is marked as unsafe to prevent the templating engine from evaluating any jinja2 templating language, as this could represent a security risk. This option is provided to allow for backward compatibility, however, users should first consider adding allow_unsafe=True to any lookups that may be expected to contain data that may be run through the templating engine late. +;allow_unsafe_lookups=False + +# (boolean) This controls whether an Ansible playbook should prompt for a login password. If using SSH keys for authentication, you probably do not need to change this setting. +;ask_pass=False + +# (boolean) This controls whether an Ansible playbook should prompt for a vault password. +;ask_vault_pass=False + +# (pathspec) Colon-separated paths in which Ansible will search for Cache Plugins. +;cache_plugins=/home/tony/.ansible/plugins/cache:/usr/share/ansible/plugins/cache + +# (pathspec) Colon-separated paths in which Ansible will search for Callback Plugins. +;callback_plugins=/home/tony/.ansible/plugins/callback:/usr/share/ansible/plugins/callback + +# (pathspec) Colon-separated paths in which Ansible will search for Cliconf Plugins. +;cliconf_plugins=/home/tony/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf + +# (pathspec) Colon-separated paths in which Ansible will search for Connection Plugins. +;connection_plugins=/home/tony/.ansible/plugins/connection:/usr/share/ansible/plugins/connection + +# (boolean) Toggles debug output in Ansible. This is *very* verbose and can hinder multiprocessing. Debug output can also include secret information despite no_log settings being enabled, which means debug mode should not be used in production. +;debug=False + +# (string) This indicates the command to use to spawn a shell under, which is required for Ansible's execution needs on a target. Users may need to change this in rare instances when shell usage is constrained, but in most cases, it may be left as is. 
+;executable=/bin/sh + +# (pathspec) Colon-separated paths in which Ansible will search for Jinja2 Filter Plugins. +;filter_plugins=/home/tony/.ansible/plugins/filter:/usr/share/ansible/plugins/filter + +# (boolean) This option controls if notified handlers run on a host even if a failure occurs on that host. +# When false, the handlers will not run if a failure has occurred on a host. +# This can also be set per play or on the command line. See Handlers and Failure for more details. +;force_handlers=False + +# (integer) Maximum number of forks Ansible will use to execute tasks on target hosts. +;forks=5 + +# (string) This setting controls the default policy of fact gathering (facts discovered about remote systems). +# This option can be useful for those wishing to save fact gathering time. Both 'smart' and 'explicit' will use the cache plugin. +;gathering=implicit + +# (string) This setting controls how duplicate definitions of dictionary variables (aka hash, map, associative array) are handled in Ansible. +# This does not affect variables whose values are scalars (integers, strings) or arrays. +# **WARNING**, changing this setting is not recommended as this is fragile and makes your content (plays, roles, collections) nonportable, leading to continual confusion and misuse. Don't change this setting unless you think you have an absolute need for it. +# We recommend avoiding reusing variable names and relying on the ``combine`` filter and ``vars`` and ``varnames`` lookups to create merged versions of the individual variables. In our experience, this is rarely needed and is a sign that too much complexity has been introduced into the data structures and plays. +# For some uses you can also look into custom vars_plugins to merge on input, even substituting the default ``host_group_vars`` that is in charge of parsing the ``host_vars/`` and ``group_vars/`` directories. 
Most users of this setting are only interested in inventory scope, but the setting itself affects all sources and makes debugging even harder. +# All playbooks and roles in the official examples repos assume the default for this setting. +# Changing the setting to ``merge`` applies across variable sources, but many sources will internally still overwrite the variables. For example ``include_vars`` will dedupe variables internally before updating Ansible, with 'last defined' overwriting previous definitions in same file. +# The Ansible project recommends you **avoid ``merge`` for new projects* +# It is the intention of the Ansible developers to eventually deprecate and remove this setting, but it is being kept as some users do heavily rely on it. New projects should **avoid 'merge'**. +;hash_behaviour=replace + +# (pathlist) Comma-separated list of Ansible inventory sources +;inventory=/etc/ansible/hosts + +# (pathspec) Colon-separated paths in which Ansible will search for HttpApi Plugins. +;httpapi_plugins=/home/tony/.ansible/plugins/httpapi:/usr/share/ansible/plugins/httpapi + +# (float) This sets the interval (in seconds) of Ansible internal processes polling each other. Lower values improve performance with large playbooks at the expense of extra CPU load. Higher values are more suitable for Ansible usage in automation scenarios when UI responsiveness is not required but CPU usage might be a concern. +# The default corresponds to the value hardcoded in Ansible <= 2.1 +;internal_poll_interval=0.001 + +# (pathspec) Colon-separated paths in which Ansible will search for Inventory Plugins. +;inventory_plugins=/home/tony/.ansible/plugins/inventory:/usr/share/ansible/plugins/inventory + +# (string) This is a developer-specific feature that allows enabling additional Jinja2 extensions. +# See the Jinja2 documentation for details. 
If you do not know what these do, you probably don't need to change this setting :) +;jinja2_extensions=[] + +# (boolean) This option preserves variable types during template operations. +;jinja2_native=False + +# (boolean) Enables/disables the cleaning up of the temporary files Ansible used to execute the tasks on the remote. +# If this option is enabled it will disable ``ANSIBLE_PIPELINING``. +;keep_remote_files=False + +# (boolean) Controls whether callback plugins are loaded when running /usr/bin/ansible. This may be used to log activity from the command line, send notifications, and so on. Callback plugins are always loaded for ``ansible-playbook``. +;bin_ansible_callbacks=False + +# (tmppath) Temporary directory for Ansible to use on the controller. +;local_tmp=/home/tony/.ansible/tmp + +# (list) List of logger names to filter out of the log file. +;log_filter= + +# (path) File to which Ansible will log on the controller. +# When not set the logging is disabled. +;log_path= + +# (pathspec) Colon-separated paths in which Ansible will search for Lookup Plugins. +;lookup_plugins=/home/tony/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup + +# (string) Sets the macro for the 'ansible_managed' variable available for :ref:`ansible_collections.ansible.builtin.template_module` and :ref:`ansible_collections.ansible.windows.win_template_module`. This is only relevant to those two modules. +;ansible_managed=Ansible managed + +# (string) This sets the default arguments to pass to the ``ansible`` adhoc binary if no ``-a`` is specified. +;module_args= + +# (string) Compression scheme to use when transferring Python modules to the target. +;module_compression=ZIP_DEFLATED + +# (string) Module to use with the ``ansible`` AdHoc command, if none is specified via ``-m``. +;module_name=command + +# (pathspec) Colon-separated paths in which Ansible will search for Modules. 
+;library=/home/tony/.ansible/plugins/modules:/usr/share/ansible/plugins/modules + +# (pathspec) Colon-separated paths in which Ansible will search for Module utils files, which are shared by modules. +;module_utils=/home/tony/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils + +# (pathspec) Colon-separated paths in which Ansible will search for Netconf Plugins. +;netconf_plugins=/home/tony/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf + +# (boolean) Toggle Ansible's display and logging of task details, mainly used to avoid security disclosures. +;no_log=False + +# (boolean) Toggle Ansible logging to syslog on the target when it executes tasks. On Windows hosts, this will disable a newer style PowerShell modules from writing to the event log. +;no_target_syslog=False + +# (raw) What templating should return as a 'null' value. When not set it will let Jinja2 decide. +;null_representation= + +# (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how often to check back on the status of those tasks when an explicit poll interval is not supplied. The default is a reasonably moderate 15 seconds which is a tradeoff between checking in frequently and providing a quick turnaround when something may have completed. +;poll_interval=15 + +# (path) Option for connections using a certificate or key file to authenticate, rather than an agent or passwords, you can set the default value here to avoid re-specifying ``--private-key`` with every invocation. +;private_key_file= + +# (boolean) By default, imported roles publish their variables to the play and other roles, this setting can avoid that. +# This was introduced as a way to reset role variables to default values if a role is used more than once in a playbook. +# Starting in version '2.17' M(ansible.builtin.include_roles) and M(ansible.builtin.import_roles) can individually override this via the C(public) parameter. 
+# Included roles only make their variables public at execution, unlike imported roles which happen at playbook compile time. +;private_role_vars=False + +# (integer) Port to use in remote connections, when blank it will use the connection plugin default. +;remote_port= + +# (string) Sets the login user for the target machines +# When blank it uses the connection plugin's default, normally the user currently executing Ansible. +;remote_user= + +# (pathspec) Colon-separated paths in which Ansible will search for Roles. +;roles_path=/home/tony/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles + +# (string) Set the main callback used to display Ansible output. You can only have one at a time. +# You can have many other callbacks, but just one can be in charge of stdout. +# See :ref:`callback_plugins` for a list of available options. +;stdout_callback=default + +# (string) Set the default strategy used for plays. +;strategy=linear + +# (pathspec) Colon-separated paths in which Ansible will search for Strategy Plugins. +;strategy_plugins=/home/tony/.ansible/plugins/strategy:/usr/share/ansible/plugins/strategy + +# (boolean) Toggle the use of "su" for tasks. +;su=False + +# (string) Syslog facility to use when Ansible logs to the remote target. +;syslog_facility=LOG_USER + +# (pathspec) Colon-separated paths in which Ansible will search for Terminal Plugins. +;terminal_plugins=/home/tony/.ansible/plugins/terminal:/usr/share/ansible/plugins/terminal + +# (pathspec) Colon-separated paths in which Ansible will search for Jinja2 Test Plugins. +;test_plugins=/home/tony/.ansible/plugins/test:/usr/share/ansible/plugins/test + +# (integer) This is the default timeout for connection plugins to use. +;timeout=10 + +# (string) Can be any connection plugin available to your ansible installation. +# There is also a (DEPRECATED) special 'smart' option, that will toggle between 'ssh' and 'paramiko' depending on controller OS and ssh versions. 
+;transport=ssh + +# (boolean) When True, this causes ansible templating to fail steps that reference variable names that are likely typoed. +# Otherwise, any '{{ template_expression }}' that contains undefined variables will be rendered in a template or ansible action line exactly as written. +;error_on_undefined_vars=True + +# (pathspec) Colon-separated paths in which Ansible will search for Vars Plugins. +;vars_plugins=/home/tony/.ansible/plugins/vars:/usr/share/ansible/plugins/vars + +# (string) The vault_id to use for encrypting by default. If multiple vault_ids are provided, this specifies which to use for encryption. The ``--encrypt-vault-id`` CLI option overrides the configured value. +;vault_encrypt_identity= + +# (string) The label to use for the default vault id label in cases where a vault id label is not provided. +;vault_identity=default + +# (list) A list of vault-ids to use by default. Equivalent to multiple ``--vault-id`` args. Vault-ids are tried in order. +;vault_identity_list= + +# (string) If true, decrypting vaults with a vault id will only try the password from the matching vault-id. +;vault_id_match=False + +# (path) The vault password file to use. Equivalent to ``--vault-password-file`` or ``--vault-id``. +# If executable, it will be run and the resulting stdout will be used as the password. +;vault_password_file= + +# (integer) Sets the default verbosity, equivalent to the number of ``-v`` passed in the command line. +;verbosity=0 + +# (boolean) Toggle to control the showing of deprecation warnings +;deprecation_warnings=True + +# (boolean) Toggle to control showing warnings related to running devel. +;devel_warning=True + +# (boolean) Normally ``ansible-playbook`` will print a header for each task that is run. These headers will contain the name: field from the task if you specified one. If you didn't then ``ansible-playbook`` uses the task's action to help you tell which task is presently running. 
Sometimes you run many of the same action and so you want more information about the task to differentiate it from others of the same action. If you set this variable to True in the config then ``ansible-playbook`` will also include the task's arguments in the header. +# This setting defaults to False because there is a chance that you have sensitive values in your parameters and you do not want those to be printed. +# If you set this to True you should be sure that you have secured your environment's stdout (no one can shoulder surf your screen and you aren't saving stdout to an insecure file) or made sure that all of your playbooks explicitly added the ``no_log: True`` parameter to tasks that have sensitive values :ref:`keep_secret_data` for more information. +;display_args_to_stdout=False + +# (boolean) Toggle to control displaying skipped task/host entries in a task in the default callback. +;display_skipped_hosts=True + +# (string) Root docsite URL used to generate docs URLs in warning/error text; must be an absolute URL with a valid scheme and trailing slash. +;docsite_root_url=https://docs.ansible.com/ansible-core/ + +# (pathspec) Colon-separated paths in which Ansible will search for Documentation Fragments Plugins. +;doc_fragment_plugins=/home/tony/.ansible/plugins/doc_fragments:/usr/share/ansible/plugins/doc_fragments + +# (string) By default, Ansible will issue a warning when a duplicate dict key is encountered in YAML. +# These warnings can be silenced by adjusting this setting to False. +;duplicate_dict_key=warn + +# (string) for the cases in which Ansible needs to return a file within an editor, this chooses the application to use. +;editor=vi + +# (boolean) Whether or not to enable the task debugger, this previously was done as a strategy plugin. +# Now all strategy plugins can inherit this behavior. The debugger defaults to activating when +# a task is failed on unreachable. Use the debugger keyword for more flexibility. 
+;enable_task_debugger=False + +# (boolean) Toggle to allow missing handlers to become a warning instead of an error when notifying. +;error_on_missing_handler=True + +# (list) Which modules to run during a play's fact gathering stage, using the default of 'smart' will try to figure it out based on connection type. +# If adding your own modules but you still want to use the default Ansible facts, you will want to include 'setup' or corresponding network module to the list (if you add 'smart', Ansible will also figure it out). +# This does not affect explicit calls to the 'setup' module, but does always affect the 'gather_facts' action (implicit or explicit). +;facts_modules=smart + +# (boolean) Set this to "False" if you want to avoid host key checking by the underlying connection plugin Ansible uses to connect to the host. +# Please read the documentation of the specific connection plugin used for details. +;host_key_checking=True + +# (boolean) Facts are available inside the `ansible_facts` variable, this setting also pushes them as their own vars in the main namespace. +# Unlike inside the `ansible_facts` dictionary where the prefix `ansible_` is removed from fact names, these will have the exact names that are returned by the module. +;inject_facts_as_vars=True + +# (string) Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode. Supported discovery modes are ``auto`` (the default), ``auto_silent``, ``auto_legacy``, and ``auto_legacy_silent``. All discovery modes employ a lookup table to use the included system Python (on distributions known to include one), falling back to a fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed later may change which one is used). 
This warning behavior can be disabled by setting ``auto_silent`` or ``auto_legacy_silent``. The value of ``auto_legacy`` provides all the same behavior, but for backward-compatibility with older Ansible releases that always defaulted to ``/usr/bin/python``, will use that interpreter if present. +;interpreter_python=auto + +# (boolean) If 'false', invalid attributes for a task will result in warnings instead of errors. +;invalid_task_attribute_failed=True + +# (boolean) By default, Ansible will issue a warning when there are no hosts in the inventory. +# These warnings can be silenced by adjusting this setting to False. +;localhost_warning=True + +# (int) This will set log verbosity if higher than the normal display verbosity, otherwise it will match that. +;log_verbosity= + +# (int) Maximum size of files to be considered for diff display. +;max_diff_size=104448 + +# (list) List of extensions to ignore when looking for modules to load. +# This is for rejecting script and binary module fallback extensions. +;module_ignore_exts=.pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, .rst, .yaml, .yml, .ini + +# (bool) Enables whether module responses are evaluated for containing non-UTF-8 data. +# Disabling this may result in unexpected behavior. +# Only ansible-core should evaluate this configuration. +;module_strict_utf8_response=True + +# (list) TODO: write it +;network_group_modules=eos, nxos, ios, iosxr, junos, enos, ce, vyos, sros, dellos9, dellos10, dellos6, asa, aruba, aireos, bigip, ironware, onyx, netconf, exos, voss, slxos + +# (boolean) Previously Ansible would only clear some of the plugin loading caches when loading new roles, this led to some behaviors in which a plugin loaded in previous plays would be unexpectedly 'sticky'. This setting allows the user to return to that behavior. +;old_plugin_cache_clear=False + +# (string) for the cases in which Ansible needs to return output in a pageable fashion, this chooses the application to use. 
+;pager=less + +# (path) A number of non-playbook CLIs have a ``--playbook-dir`` argument; this sets the default value for it. +;playbook_dir= + +# (string) This sets which playbook dirs will be used as a root to process vars plugins, which includes finding host_vars/group_vars. +;playbook_vars_root=top + +# (path) A path to configuration for filtering which plugins installed on the system are allowed to be used. +# See :ref:`plugin_filtering_config` for details of the filter file's format. +# The default is /etc/ansible/plugin_filters.yml +;plugin_filters_cfg= + +# (string) Attempts to set RLIMIT_NOFILE soft limit to the specified value when executing Python modules (can speed up subprocess usage on Python 2.x. See https://bugs.python.org/issue11284). The value will be limited by the existing hard limit. Default value of 0 does not attempt to adjust existing system-defined limits. +;python_module_rlimit_nofile=0 + +# (bool) This controls whether a failed Ansible playbook should create a .retry file. +;retry_files_enabled=False + +# (path) This sets the path in which Ansible will save .retry files when a playbook fails and retry files are enabled. +# This file will be overwritten after each run with the list of failed hosts from all plays. +;retry_files_save_path= + +# (str) This setting can be used to optimize vars_plugin usage depending on the user's inventory size and play selection. +;run_vars_plugins=demand + +# (bool) This adds the custom stats set via the set_stats plugin to the default output. +;show_custom_stats=False + +# (string) Action to take when a module parameter value is converted to a string (this does not affect variables). For string parameters, values such as '1.00', "['a', 'b',]", and 'yes', 'y', etc. will be converted by the YAML parser unless fully quoted. +# Valid options are 'error', 'warn', and 'ignore'. +# Since 2.8, this option defaults to 'warn' but will change to 'error' in 2.12. 
+;string_conversion_action=warn + +# (boolean) Allows disabling of warnings related to potential issues on the system running Ansible itself (not on the managed hosts). +# These may include warnings about third-party packages or other conditions that should be resolved if possible. +;system_warnings=True + +# (string) A string to insert into target logging for tracking purposes +;target_log_info= + +# (boolean) This option defines whether the task debugger will be invoked on a failed task when ignore_errors=True is specified. +# True specifies that the debugger will honor ignore_errors, and False will not honor ignore_errors. +;task_debugger_ignore_errors=True + +# (integer) Set the maximum time (in seconds) for a task action to execute in. +# Timeout runs independently from templating or looping. It applies per each attempt of executing the task's action and remains unchanged by the total time spent on a task. +# When the action execution exceeds the timeout, Ansible interrupts the process. This is registered as a failure due to outside circumstances, not a task failure, to receive appropriate response and recovery process. +# If set to 0 (the default) there is no timeout. +;task_timeout=0 + +# (string) Make ansible transform invalid characters in group names supplied by inventory sources. +;force_valid_group_names=never + +# (boolean) Toggles the use of persistence for connections. +;use_persistent_connections=False + +# (bool) A toggle to disable validating a collection's 'metadata' entry for a module_defaults action group. Metadata containing unexpected fields or value types will produce a warning when this is True. +;validate_action_group_metadata=True + +# (list) Accept list for variable plugins that require it. +;vars_plugins_enabled=host_group_vars + +# (list) Allows to change the group variable precedence merge order. 
+;precedence=all_inventory, groups_inventory, all_plugins_inventory, all_plugins_play, groups_plugins_inventory, groups_plugins_play + +# (string) The salt to use for the vault encryption. If it is not provided, a random salt will be used. +;vault_encrypt_salt= + +# (bool) Force 'verbose' option to use stderr instead of stdout +;verbose_to_stderr=False + +# (integer) For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling), this is how long, in seconds, to wait for the task spawned by Ansible to connect back to the named pipe used on Windows systems. The default is 5 seconds. This can be too low on slower systems, or systems under heavy load. +# This is not the total time an async command can run for, but is a separate timeout to wait for an async command to start. The task will only start to be timed against its async_timeout once it has connected to the pipe, so the overall maximum duration the task can take will be extended by the amount specified here. +;win_async_startup_timeout=5 + +# (list) Check all of these extensions when looking for 'variable' files which should be YAML or JSON or vaulted versions of these. +# This affects vars_files, include_vars, inventory and vars plugins among others. +;yaml_valid_extensions=.yml, .yaml, .json + + +[privilege_escalation] +# (boolean) Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method. +;agnostic_become_prompt=True + +# (boolean) When ``False``(default), Ansible will skip using become if the remote user is the same as the become user, as this is normally a redundant operation. In other words root sudo to root. +# If ``True``, this forces Ansible to use the become plugin anyways as there are cases in which this is needed. +;become_allow_same_user=False + +# (boolean) Toggles the use of privilege escalation, allowing you to 'become' another user after login. 
+;become=False + +# (boolean) Toggle to prompt for privilege escalation password. +;become_ask_pass=False + +# (string) executable to use for privilege escalation, otherwise Ansible will depend on PATH. +;become_exe= + +# (string) Flags to pass to the privilege escalation executable. +;become_flags= + +# (string) Privilege escalation method to use when `become` is enabled. +;become_method=sudo + +# (string) The user your login/remote user 'becomes' when using privilege escalation, most systems will use 'root' when no user is specified. +;become_user=root + + +[persistent_connection] +# (path) Specify where to look for the ansible-connection script. This location will be checked before searching $PATH. +# If null, ansible will start with the same directory as the ansible script. +;ansible_connection_path= + +# (int) This controls the amount of time to wait for a response from a remote device before timing out a persistent connection. +;command_timeout=30 + +# (integer) This controls the retry timeout for persistent connection to connect to the local domain socket. +;connect_retry_timeout=15 + +# (integer) This controls how long the persistent connection will remain idle before it is destroyed. +;connect_timeout=30 + +# (path) Path to the socket to be used by the connection persistence system. +;control_path_dir=/home/tony/.ansible/pc + + +[connection] +# (boolean) This is a global option, each connection plugin can override either by having more specific options or not supporting pipelining at all. +# Pipelining, if supported by the connection plugin, reduces the number of network operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfer. +# It can result in a very significant performance improvement when enabled. +# However this conflicts with privilege escalation (become). 
For example, when using 'sudo:' operations you must first disable 'requiretty' in /etc/sudoers on all managed hosts, which is why it is disabled by default. +# This setting will be disabled if ``ANSIBLE_KEEP_REMOTE_FILES`` is enabled. +;pipelining=False + + +[colors] +# (string) Defines the color to use on 'Changed' task status. +;changed=yellow + +# (string) Defines the default color to use for ansible-console. +;console_prompt=white + +# (string) Defines the color to use when emitting debug messages. +;debug=dark gray + +# (string) Defines the color to use when emitting deprecation messages. +;deprecate=purple + +# (string) Defines the color to use when showing added lines in diffs. +;diff_add=green + +# (string) Defines the color to use when showing diffs. +;diff_lines=cyan + +# (string) Defines the color to use when showing removed lines in diffs. +;diff_remove=red + +# (string) Defines the color to use when emitting a constant in the ansible-doc output. +;doc_constant=dark gray + +# (string) Defines the color to use when emitting a deprecated value in the ansible-doc output. +;doc_deprecated=magenta + +# (string) Defines the color to use when emitting a link in the ansible-doc output. +;doc_link=cyan + +# (string) Defines the color to use when emitting a module name in the ansible-doc output. +;doc_module=yellow + +# (string) Defines the color to use when emitting a plugin name in the ansible-doc output. +;doc_plugin=yellow + +# (string) Defines the color to use when emitting cross-reference in the ansible-doc output. +;doc_reference=magenta + +# (string) Defines the color to use when emitting error messages. +;error=red + +# (string) Defines the color to use for highlighting. +;highlight=white + +# (string) Defines the color to use when showing 'Included' task status. +;included=cyan + +# (string) Defines the color to use when showing 'OK' task status. +;ok=green + +# (string) Defines the color to use when showing 'Skipped' task status. 
+;skip=cyan + +# (string) Defines the color to use on 'Unreachable' status. +;unreachable=bright red + +# (string) Defines the color to use when emitting verbose messages. In other words, those that show with '-v's. +;verbose=blue + +# (string) Defines the color to use when emitting warning messages. +;warn=bright purple + + +[selinux] +# (boolean) This setting causes libvirt to connect to LXC containers by passing ``--noseclabel`` parameter to ``virsh`` command. This is necessary when running on systems which do not have SELinux. +;libvirt_lxc_noseclabel=False + +# (list) Some filesystems do not support safe operations and/or return inconsistent errors, this setting makes Ansible 'tolerate' those in the list without causing fatal errors. +# Data corruption may occur and writes are not always verified when a filesystem is in the list. +;special_context_filesystems=fuse, nfs, vboxsf, ramfs, 9p, vfat + + +[diff] +# (bool) Configuration toggle to tell modules to show differences when in 'changed' status, equivalent to ``--diff``. +;always=False + +# (integer) Number of lines of context to show when displaying the differences between files. +;context=3 + + +[galaxy] +# (path) The directory that stores cached responses from a Galaxy server. +# This is only used by the ``ansible-galaxy collection install`` and ``download`` commands. +# Cache files inside this dir will be ignored if they are world writable. +;cache_dir=/home/tony/.ansible/galaxy_cache + +# (bool) whether ``ansible-galaxy collection install`` should warn about ``--collections-path`` missing from configured :ref:`collections_paths`. +;collections_path_warning=True + +# (path) Collection skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy collection``, same as ``--collection-skeleton``. +;collection_skeleton= + +# (list) patterns of files to ignore inside a Galaxy collection skeleton directory. 
+;collection_skeleton_ignore=^.git$, ^/.git_keep$ + +# (bool) Disable GPG signature verification during collection installation. +;disable_gpg_verify=False + +# (bool) Some steps in ``ansible-galaxy`` display a progress wheel which can cause issues on certain displays or when outputting the stdout to a file. +# This config option controls whether the display wheel is shown or not. +# The default is to show the display wheel if stdout has a tty. +;display_progress= + +# (path) Configure the keyring used for GPG signature verification during collection installation and verification. +;gpg_keyring= + +# (boolean) If set to yes, ansible-galaxy will not validate TLS certificates. This can be useful for testing against a server with a self-signed certificate. +;ignore_certs= + +# (list) A list of GPG status codes to ignore during GPG signature verification. See L(https://github.com/gpg/gnupg/blob/master/doc/DETAILS#general-status-codes) for status code descriptions. +# If fewer signatures successfully verify the collection than `GALAXY_REQUIRED_VALID_SIGNATURE_COUNT`, signature verification will fail even if all error codes are ignored. +;ignore_signature_status_codes= + +# (str) The number of signatures that must be successful during GPG signature verification while installing or verifying collections. +# This should be a positive integer or all to indicate all signatures must successfully validate the collection. +# Prepend + to the value to fail if no valid signatures are found for the collection. +;required_valid_signature_count=1 + +# (path) Role skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy``/``ansible-galaxy role``, same as ``--role-skeleton``. +;role_skeleton= + +# (list) patterns of files to ignore inside a Galaxy role or collection skeleton directory. +;role_skeleton_ignore=^.git$, ^/.git_keep$ + +# (string) URL to prepend when roles don't specify the full URI, assume they are referencing this server as the source. 
+;server=https://galaxy.ansible.com + +# (list) A list of Galaxy servers to use when installing a collection. +# The value corresponds to the config ini header ``[galaxy_server.{{item}}]`` which defines the server details. +# See :ref:`galaxy_server_config` for more details on how to define a Galaxy server. +# The order of servers in this list is used as the order in which a collection is resolved. +# Setting this config option will ignore the :ref:`galaxy_server` config option. +;server_list= + +# (int) The default timeout for Galaxy API calls. Galaxy servers that don't configure a specific timeout will fall back to this value. +;server_timeout=60 + +# (path) Local path to galaxy access token file +;token_path=/home/tony/.ansible/galaxy_token + + +[inventory] +# (string) This setting changes the behaviour of mismatched host patterns, it allows you to force a fatal error, a warning or just ignore it. +;host_pattern_mismatch=warning + +# (boolean) If 'true', it is a fatal error when any given inventory source cannot be successfully parsed by any available inventory plugin; otherwise, this situation only attracts a warning. + +;any_unparsed_is_failed=False + +# (bool) Toggle to turn on inventory caching. +# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`. +# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory configuration. +# This message will be removed in 2.16. +;cache=False + +# (string) The plugin for caching inventory. +# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`. +# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration. +# This message will be removed in 2.16. +;cache_plugin= + +# (string) The inventory cache connection. 
+# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`. +# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration. +# This message will be removed in 2.16. +;cache_connection= + +# (string) The table prefix for the cache plugin. +# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`. +# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration. +# This message will be removed in 2.16. +;cache_prefix=ansible_inventory_ + +# (string) Expiration timeout for the inventory cache plugin data. +# This setting has been moved to the individual inventory plugins as a plugin option :ref:`inventory_plugins`. +# The existing configuration settings are still accepted with the inventory plugin adding additional options from inventory and fact cache configuration. +# This message will be removed in 2.16. +;cache_timeout=3600 + +# (list) List of enabled inventory plugins, it also determines the order in which they are used. +;enable_plugins=host_list, script, auto, yaml, ini, toml + +# (bool) Controls if ansible-inventory will accurately reflect Ansible's view into inventory or its optimized for exporting. +;export=False + +# (list) List of extensions to ignore when using a directory as an inventory source. +;ignore_extensions=.pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, .rst, .orig, .ini, .cfg, .retry + +# (list) List of patterns to ignore when using a directory as an inventory source. +;ignore_patterns= + +# (bool) If 'true' it is a fatal error if every single potential inventory source fails to parse, otherwise, this situation will only attract a warning. 
+ +;unparsed_is_failed=False + +# (boolean) By default, Ansible will issue a warning when no inventory was loaded and notes that it will use an implicit localhost-only inventory. +# These warnings can be silenced by adjusting this setting to False. +;inventory_unparsed_warning=True + + +[netconf_connection] +# (string) This variable is used to enable bastion/jump host with netconf connection. If set to True the bastion/jump host ssh settings should be present in ~/.ssh/config file, alternatively it can be set to custom ssh configuration file path to read the bastion/jump host settings. +;ssh_config= + + +[paramiko_connection] +# (boolean) TODO: write it +;host_key_auto_add=False + +# (boolean) TODO: write it +;look_for_keys=True + + +[jinja2] +# (list) This list of filters avoids 'type conversion' when templating variables. +# Useful when you want to avoid conversion into lists or dictionaries for JSON strings, for example. +;dont_type_filters=string, to_json, to_nice_json, to_yaml, to_nice_yaml, ppretty, json + + +[tags] +# (list) default list of tags to run in your plays, Skip Tags has precedence. +;run= + +# (list) default list of tags to skip in your plays, has precedence over Run Tags +;skip= + diff --git a/proxmox/ansible/collections/requirements.yml b/proxmox/ansible/collections/requirements.yml new file mode 100644 index 0000000..f13384d --- /dev/null +++ b/proxmox/ansible/collections/requirements.yml @@ -0,0 +1,10 @@ +collections: + - name: ansible.utils + - name: community.general + - name: community.docker + - name: ansible.posix + - name: kubernetes.core + - name: cloud.terraform + - name: https://github.com/techno-tim/k3s-ansible.git + type: git + version: master diff --git a/proxmox/ansible/dns.yml b/proxmox/ansible/dns.yml new file mode 100644 index 0000000..1c4eed3 --- /dev/null +++ b/proxmox/ansible/dns.yml @@ -0,0 +1,6 @@ +--- +- name: Set up DNS server + hosts: dns_server + remote_user: ubuntu + become: true + roles: [dns-server] 
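Review bot: In `proxmox/ansible/collections/requirements.yml` the `k3s-ansible` git collection is pinned to `version: master`, a mutable branch, so each `ansible-galaxy collection install` can fetch different code that `reset.yml` and the k3s plays then run with `become: true`. Pin it to an immutable ref, `version: <release-tag-or-commit-sha>` (placeholder), and consider `version:` constraints for the Galaxy collections above it as well so installs are reproducible. A short comment next to the entry stating which upstream release was tested would make later bumps deliberate rather than accidental.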
diff --git a/proxmox/ansible/inventory/dolo/01-hosts.yml b/proxmox/ansible/inventory/dolo/01-hosts.yml new file mode 100644 index 0000000..7675677 --- /dev/null +++ b/proxmox/ansible/inventory/dolo/01-hosts.yml @@ -0,0 +1,5 @@ +--- +plugin: "cloud.terraform.terraform_provider" +# defaults to terraform, but we're using tofu +binary_path: "/usr/bin/tofu" +project_path: "../tf" diff --git a/proxmox/ansible/inventory/dolo/02-hosts.yml b/proxmox/ansible/inventory/dolo/02-hosts.yml new file mode 100644 index 0000000..7b6d90d --- /dev/null +++ b/proxmox/ansible/inventory/dolo/02-hosts.yml @@ -0,0 +1,9 @@ +plugin: constructed +strict: true + +groups: + # Pick out only the dolo nodes + master: group_names | intersect(['dolo_master', 'dolo']) | length == 2 + node: group_names | intersect(['dolo_node', 'dolo']) | length == 2 + k3s_cluster: group_names | intersect(['dolo_k3s_cluster', 'dolo']) | length == 2 + lvm: group_names | intersect(['dolo_storage', 'dolo']) | length == 2 diff --git a/proxmox/ansible/inventory/dolo/group_vars/all/.gitignore b/proxmox/ansible/inventory/dolo/group_vars/all/.gitignore new file mode 100644 index 0000000..769c244 --- /dev/null +++ b/proxmox/ansible/inventory/dolo/group_vars/all/.gitignore @@ -0,0 +1 @@ +secrets.yml diff --git a/proxmox/ansible/inventory/dolo/group_vars/all/main.yml b/proxmox/ansible/inventory/dolo/group_vars/all/main.yml new file mode 100644 index 0000000..02727a6 --- /dev/null +++ b/proxmox/ansible/inventory/dolo/group_vars/all/main.yml 
@@ -0,0 +1,135 @@ +--- +cluster_name: dolo + +k3s_version: v1.30.2+k3s2 +# this is the user that has ssh access to these machines +ansible_user: ubuntu +systemd_dir: /etc/systemd/system + +lvm: + pv_disks: + - /dev/sdb + vg_name: vg1 + lv_name: pvs + lv_size: +100%FREE + fs_type: ext4 + mount_path: /mnt/lvm-pvs + +# Set your timezone +system_timezone: America/Vancouver + +# interface which will be used for flannel +flannel_iface: eth0 + +# if using calico or cilium, you may specify the cluster pod cidr pool +cluster_cidr: 10.52.0.0/16 + +# enable cilium bgp control plane for lb services and pod cidrs. disables metallb. +cilium_bgp: false + +# enable kube-vip ARP broadcasts +kube_vip_arp: true + +# apiserver_endpoint is virtual ip-address which will be configured on each master +apiserver_endpoint: 10.0.185.1 + +# k3s_token is required masters can talk together securely +# this token should be alpha numeric only +k3s_token: "{{ secrets.k3s_token }}" + +# The IP on which the node is reachable in the cluster. +# Here, a sensible default is provided, you can still override +# it for each of your hosts, though. 
+k3s_node_ip: "{{ ansible_facts[flannel_iface]['ipv4']['address'] }}" + +# Disable the taint manually by setting: k3s_master_taint = false +k3s_master_taint: "{{ true if groups['node'] | default([]) | length >= 1 else false }}" + +# these arguments are recommended for servers as well as agents: +extra_args: >- + {{ '--flannel-iface=' + flannel_iface if calico_iface is not defined and cilium_iface is not defined else '' }} + --node-ip={{ k3s_node_ip }} + +# change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }} +# the contents of the if block is also required if using calico or cilium +extra_server_args: >- + {{ extra_args }} + {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }} + {% if calico_iface is defined or cilium_iface is defined %} + --flannel-backend=none + --disable-network-policy + --cluster-cidr={{ cluster_cidr | default('10.52.0.0/16') }} + {% endif %} + --tls-san {{ apiserver_endpoint }} + --disable servicelb + --disable traefik + +extra_agent_args: >- + {{ extra_args }} + +# image tag for kube-vip +kube_vip_tag_version: v0.8.2 + +# metallb type frr or native +metal_lb_type: native + +# metallb mode layer2 or bgp +metal_lb_mode: layer2 + +# image tag for metal lb +metal_lb_speaker_tag_version: v0.14.8 +metal_lb_controller_tag_version: v0.14.8 + +# metallb ip range for load balancer +metal_lb_ip_range: 10.0.185.128-10.0.185.136 + +# Only enable if your nodes are proxmox LXC nodes, make sure to configure your proxmox nodes +# in your hosts.ini file. +# Please read https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185 before using this. +# Most notably, your containers must be privileged, and must not have nesting set to true. +# Please note this script disables most of the security of lxc containers, with the trade off being that lxc +# containers are significantly more resource efficient compared to full VMs. 
+# Mixing and matching VMs and lxc containers is not supported, ymmv if you want to do this. +# I would only really recommend using this if you have particularly low powered proxmox nodes where the overhead of +# VMs would use a significant portion of your available resources. +proxmox_lxc_configure: false + +# Only enable this if you have set up your own container registry to act as a mirror / pull-through cache +# (harbor / nexus / docker's official registry / etc). +# Can be beneficial for larger dev/test environments (for example if you're getting rate limited by docker hub), +# or air-gapped environments where your nodes don't have internet access after the initial setup +# (which is still needed for downloading the k3s binary and such). +# k3s's documentation about private registries here: https://docs.k3s.io/installation/private-registry +custom_registries: false +# The registries can be authenticated or anonymous, depending on your registry server configuration. +# If they allow anonymous access, simply remove the following bit from custom_registries_yaml +# configs: +# "registry.domain.com": +# auth: +# username: yourusername +# password: yourpassword +# The following is an example that pulls all images used in this playbook through your private registries. +# It also allows you to pull your own images from your private registry, without having to use imagePullSecrets +# in your deployments. +# If all you need is your own images and you don't care about caching the docker/quay/ghcr.io images, +# you can just remove those from the mirrors: section. +custom_registries_yaml: | + mirrors: + docker.io: + endpoint: + - "https://registry.domain.com/v2/dockerhub" + quay.io: + endpoint: + - "https://registry.domain.com/v2/quayio" + ghcr.io: + endpoint: + - "https://registry.domain.com/v2/ghcrio" + registry.domain.com: + endpoint: + - "https://registry.domain.com" + + configs: + "registry.domain.com": + auth: + username: yourusername + password: yourpassword 
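Review bot: `proxmox/ansible/inventory/dolo/group_vars/all/main.yml` and the folly counterpart (`proxmox/ansible/inventory/folly/group_vars/all/main.yml`) are copies of the same upstream template that differ only in `cluster_name`, `apiserver_endpoint` and `metal_lb_ip_range`, with the `lvm` block merely moved; the rest is already drifting by ordering and will drift further. Keeping the shared values in one place (a group_vars file for a common parent group, or an included vars file) and leaving only the three per-cluster keys in each inventory would make the next k3s/kube-vip/metallb version bump a single edit. The `custom_registries_yaml` block also carries the template's placeholder `username: yourusername` / `password: yourpassword`; since `custom_registries: false`, dropping that block, or reducing it to a comment, avoids a credential-shaped value in version control that scanners and reviewers have to keep re-checking.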
diff --git a/proxmox/ansible/inventory/folly/01-hosts.yml b/proxmox/ansible/inventory/folly/01-hosts.yml new file mode 100644 index 0000000..7675677 --- /dev/null +++ b/proxmox/ansible/inventory/folly/01-hosts.yml @@ -0,0 +1,5 @@ +--- +plugin: "cloud.terraform.terraform_provider" +# defaults to terraform, but we're using tofu +binary_path: "/usr/bin/tofu" +project_path: "../tf" diff --git a/proxmox/ansible/inventory/folly/02-hosts.yml b/proxmox/ansible/inventory/folly/02-hosts.yml new file mode 100644 index 0000000..62346bf --- /dev/null +++ b/proxmox/ansible/inventory/folly/02-hosts.yml @@ -0,0 +1,8 @@ +plugin: constructed +strict: true + +groups: + master: group_names | intersect(['folly_master', 'folly']) | length == 2 + node: group_names | intersect(['folly_node', 'folly']) | length == 2 + k3s_cluster: group_names | intersect(['folly_k3s_cluster', 'folly']) | length == 2 + lvm: group_names | intersect(['folly_storage', 'folly']) | length == 2 diff --git a/proxmox/ansible/inventory/folly/group_vars/all/.gitignore b/proxmox/ansible/inventory/folly/group_vars/all/.gitignore new file mode 100644 index 0000000..769c244 --- /dev/null +++ b/proxmox/ansible/inventory/folly/group_vars/all/.gitignore @@ -0,0 +1 @@ +secrets.yml diff --git a/proxmox/ansible/inventory/folly/group_vars/all/main.yml b/proxmox/ansible/inventory/folly/group_vars/all/main.yml new file mode 100644 index 0000000..3e422a7 --- /dev/null +++ b/proxmox/ansible/inventory/folly/group_vars/all/main.yml 
@@ -0,0 +1,135 @@ +--- +cluster_name: folly + +lvm: + pv_disks: + - /dev/sdb + vg_name: vg1 + lv_name: pvs + lv_size: +100%FREE + fs_type: ext4 + mount_path: /mnt/lvm-pvs + +k3s_version: v1.30.2+k3s2 +# this is the user that has ssh access to these machines +ansible_user: ubuntu +systemd_dir: /etc/systemd/system + +# Set your timezone +system_timezone: America/Vancouver + +# interface which will be used for flannel +flannel_iface: eth0 + +# if using calico or cilium, you may specify the cluster pod cidr pool +cluster_cidr: 10.52.0.0/16 + +# enable cilium bgp control plane for lb services and pod cidrs. disables metallb. +cilium_bgp: false + +# enable kube-vip ARP broadcasts +kube_vip_arp: true + +# apiserver_endpoint is virtual ip-address which will be configured on each master +apiserver_endpoint: 10.0.186.1 + +# k3s_token is required masters can talk together securely +# this token should be alpha numeric only +k3s_token: "{{ secrets.k3s_token }}" + +# The IP on which the node is reachable in the cluster. +# Here, a sensible default is provided, you can still override +# it for each of your hosts, though. 
+k3s_node_ip: "{{ ansible_facts[flannel_iface]['ipv4']['address'] }}" + +# Disable the taint manually by setting: k3s_master_taint = false +k3s_master_taint: "{{ true if groups['node'] | default([]) | length >= 1 else false }}" + +# these arguments are recommended for servers as well as agents: +extra_args: >- + {{ '--flannel-iface=' + flannel_iface if calico_iface is not defined and cilium_iface is not defined else '' }} + --node-ip={{ k3s_node_ip }} + +# change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }} +# the contents of the if block is also required if using calico or cilium +extra_server_args: >- + {{ extra_args }} + {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }} + {% if calico_iface is defined or cilium_iface is defined %} + --flannel-backend=none + --disable-network-policy + --cluster-cidr={{ cluster_cidr | default('10.52.0.0/16') }} + {% endif %} + --tls-san {{ apiserver_endpoint }} + --disable servicelb + --disable traefik + +extra_agent_args: >- + {{ extra_args }} + +# image tag for kube-vip +kube_vip_tag_version: v0.8.2 + +# metallb type frr or native +metal_lb_type: native + +# metallb mode layer2 or bgp +metal_lb_mode: layer2 + +# image tag for metal lb +metal_lb_speaker_tag_version: v0.14.8 +metal_lb_controller_tag_version: v0.14.8 + +# metallb ip range for load balancer +metal_lb_ip_range: 10.0.186.128-10.0.186.136 + +# Only enable if your nodes are proxmox LXC nodes, make sure to configure your proxmox nodes +# in your hosts.ini file. +# Please read https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185 before using this. +# Most notably, your containers must be privileged, and must not have nesting set to true. +# Please note this script disables most of the security of lxc containers, with the trade off being that lxc +# containers are significantly more resource efficient compared to full VMs. 
+# Mixing and matching VMs and lxc containers is not supported, ymmv if you want to do this. +# I would only really recommend using this if you have particularly low powered proxmox nodes where the overhead of +# VMs would use a significant portion of your available resources. +proxmox_lxc_configure: false + +# Only enable this if you have set up your own container registry to act as a mirror / pull-through cache +# (harbor / nexus / docker's official registry / etc). +# Can be beneficial for larger dev/test environments (for example if you're getting rate limited by docker hub), +# or air-gapped environments where your nodes don't have internet access after the initial setup +# (which is still needed for downloading the k3s binary and such). +# k3s's documentation about private registries here: https://docs.k3s.io/installation/private-registry +custom_registries: false +# The registries can be authenticated or anonymous, depending on your registry server configuration. +# If they allow anonymous access, simply remove the following bit from custom_registries_yaml +# configs: +# "registry.domain.com": +# auth: +# username: yourusername +# password: yourpassword +# The following is an example that pulls all images used in this playbook through your private registries. +# It also allows you to pull your own images from your private registry, without having to use imagePullSecrets +# in your deployments. +# If all you need is your own images and you don't care about caching the docker/quay/ghcr.io images, +# you can just remove those from the mirrors: section. +custom_registries_yaml: | + mirrors: + docker.io: + endpoint: + - "https://registry.domain.com/v2/dockerhub" + quay.io: + endpoint: + - "https://registry.domain.com/v2/quayio" + ghcr.io: + endpoint: + - "https://registry.domain.com/v2/ghcrio" + registry.domain.com: + endpoint: + - "https://registry.domain.com" + + configs: + "registry.domain.com": + auth: + username: yourusername + password: yourpassword 
diff --git a/proxmox/ansible/inventory/full/01-hosts.yml b/proxmox/ansible/inventory/full/01-hosts.yml new file mode 100644 index 0000000..c6af5cc --- /dev/null +++ b/proxmox/ansible/inventory/full/01-hosts.yml @@ -0,0 +1,6 @@ +--- +plugin: "cloud.terraform.terraform_provider" +# defaults to terraform, but we're using tofu +binary_path: "/usr/bin/tofu" +project_path: "../tf" + diff --git a/proxmox/ansible/inventory/full/02-hosts.yml b/proxmox/ansible/inventory/full/02-hosts.yml new file mode 100644 index 0000000..9b089c7 --- /dev/null +++ b/proxmox/ansible/inventory/full/02-hosts.yml @@ -0,0 +1,2 @@ +plugin: ansible.builtin.constructed +strict: true diff --git a/proxmox/ansible/inventory/full/group_vars/all/main.yml b/proxmox/ansible/inventory/full/group_vars/all/main.yml new file mode 100644 index 0000000..88f85d5 --- /dev/null +++ b/proxmox/ansible/inventory/full/group_vars/all/main.yml @@ -0,0 +1,3 @@ +dns_server: + admin_username: "{{ secrets.admin_username }}" + admin_password: "{{ secrets.admin_password }}" diff --git a/proxmox/ansible/inventory/full/group_vars/all/secrets.yml b/proxmox/ansible/inventory/full/group_vars/all/secrets.yml new file mode 100644 index 0000000..96c8816 --- /dev/null +++ b/proxmox/ansible/inventory/full/group_vars/all/secrets.yml @@ -0,0 +1,3 @@ +secrets: + admin_username: admin + admin_password: "r5qNySaG8VdNqhrAk5pIdbCr3+JeV1WqdvF4TPnUd3c=" diff --git a/proxmox/ansible/inventory/stingray/01-hosts.yml b/proxmox/ansible/inventory/stingray/01-hosts.yml new file mode 100644 index 0000000..7675677 --- /dev/null +++ b/proxmox/ansible/inventory/stingray/01-hosts.yml @@ -0,0 +1,5 @@ +--- +plugin: "cloud.terraform.terraform_provider" +# defaults to terraform, but we're using tofu +binary_path: "/usr/bin/tofu" +project_path: "../tf" diff --git a/proxmox/ansible/inventory/stingray/02-hosts.yml b/proxmox/ansible/inventory/stingray/02-hosts.yml new file mode 100644 index 0000000..7bd1d45 --- /dev/null 
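Review bot: `proxmox/ansible/inventory/full/group_vars/all/secrets.yml` commits a plaintext admin password for the DNS server, while the dolo, folly and stingray inventories each add a `.gitignore` containing `secrets.yml` for exactly this file; the `full` inventory has no such ignore file, so the secret lands in history with this commit. The value should be treated as exposed and rotated, the file removed from the repository (including history if the commit has been pushed), and either a matching `.gitignore` added or the file encrypted with `ansible-vault`. The adjacent `main.yml` already references only `{{ secrets.admin_username }}` and `{{ secrets.admin_password }}`, so nothing on the templating side needs to change.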
+++ b/proxmox/ansible/inventory/stingray/02-hosts.yml @@ -0,0 +1,14 @@ +plugin: constructed +strict: true + +groups: + swarm_managers: group_names | intersect(['stingray_manager', 'stingray']) | length == 2 + # haproxy only on the first manager. + # Using the special variable "groups" doesn't work here (probably because + # we're constructing it), so we can't do something like + # `inventory_hostname == groups['stringray_manager'][0]` + haproxy: group_names | intersect(['stingray_manager', 'stingray']) | length == 2 and + "-01" in inventory_hostname + swarm_workers: group_names | intersect(['stingray_worker', 'stingray']) | length == 2 + gluster_nodes: group_names | intersect(['stingray']) | length == 1 + swarm: group_names | intersect(['stingray']) | length == 1 diff --git a/proxmox/ansible/inventory/stingray/group_vars/all/.gitignore b/proxmox/ansible/inventory/stingray/group_vars/all/.gitignore new file mode 100644 index 0000000..769c244 --- /dev/null +++ b/proxmox/ansible/inventory/stingray/group_vars/all/.gitignore @@ -0,0 +1 @@ +secrets.yml diff --git a/proxmox/ansible/inventory/stingray/group_vars/all/main.yml b/proxmox/ansible/inventory/stingray/group_vars/all/main.yml new file mode 100644 index 0000000..a576dda --- /dev/null +++ b/proxmox/ansible/inventory/stingray/group_vars/all/main.yml 
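Review bot: In `proxmox/ansible/inventory/stingray/02-hosts.yml` the `haproxy` group is selected with `"-01" in inventory_hostname`, a substring test that also matches a hostname such as `…-010` or one that contains `-01` anywhere else; `inventory_hostname is match('.*-01$')` or `inventory_hostname.endswith('-01')` pins it to the suffix the comment intends. The comment above it refers to the group as `stringray_manager`, which does not match the `stingray_manager` name used in the expressions.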
@@ -0,0 +1,25 @@ +ansible_user: ubuntu + +app_domain_name: stingray.mnke.org + +gluster_volume_path: /glusterfs/bricks +gluster_volume_name: gfs +gluster_mount_path: /mnt/gfs +device2_hdd_dev: /dev/sda + +portainer_app_name: portainer +portainer_admin_password: "{{ secrets.portainer_admin_password }}" +portainer_agent_secret: "{{ secrets.portainer_agent_secret }}" + +cf_dns_api_token: "{{ secrets.cf_dns_api_token }}" +cf_email: tonydu121@hotmail.com + +traefik_listen_port: 80 +traefik_secure_listen_port: 443 +traefik_admin_port: 8080 +traefik_admin_user: admin +traefik_admin_password: "{{ secrets.traefik_admin_password }}" +# staging or production for letsencrypt +traefik_tls_mode: production + +gitea_primary_domain_name: git.mnke.org diff --git a/proxmox/ansible/lvm.yml b/proxmox/ansible/lvm.yml new file mode 100644 index 0000000..ab53763 --- /dev/null +++ b/proxmox/ansible/lvm.yml @@ -0,0 +1,42 @@ +--- +- name: Create LVM and mount it + hosts: lvm + remote_user: ubuntu + become: true + vars: + pv_disks: "{{ lvm.pv_disks }}" + vg_name: "{{ lvm.vg_name }}" + lv_name: "{{ lvm.lv_name }}" + lv_size: "{{ lvm.lv_size }}" + fs_type: "{{ lvm.fs_type }}" + mount_path: "{{ lvm.mount_path }}" + tasks: + - name: Create a volume group + community.general.lvg: + vg: "{{ vg_name }}" + pvs: "{{ pv_disks }}" + pvresize: yes + + - name: Create Logical Volume for data persistence + community.general.lvol: + vg: "{{ vg_name }}" + lv: "{{ lv_name }}" + size: "{{ lv_size }}" + + - name: Create filesystem on LV + community.general.filesystem: + fstype: "{{ fs_type }}" + resizefs: true + dev: /dev/mapper/{{ vg_name }}-{{ lv_name }} + + - name: Get LV UUID + ansible.builtin.command: lsblk /dev/mapper/{{ vg_name }}-{{ lv_name }} -no UUID + register: lv_uuid + changed_when: false + + - name: Mount created filesystem + ansible.posix.mount: + path: "{{ mount_path }}" + src: UUID={{ lv_uuid.stdout }} + state: mounted + fstype: "{{ fs_type }}" 
diff --git a/proxmox/ansible/reset.yml b/proxmox/ansible/reset.yml new file mode 100644 index 0000000..05dc4f0 --- /dev/null +++ b/proxmox/ansible/reset.yml @@ -0,0 +1,25 @@ +--- +- name: Reset k3s cluster + hosts: k3s_cluster + gather_facts: true + roles: + - role: techno_tim.k3s_ansible.reset + become: true + - role: techno_tim.k3s_ansible.raspberrypi + become: true + vars: { state: absent } + post_tasks: + - name: Reboot and wait for node to come back up + become: true + ansible.builtin.reboot: + reboot_command: "{{ custom_reboot_command | default(omit) }}" + reboot_timeout: 3600 + +- name: Revert changes to Proxmox cluster + hosts: proxmox + gather_facts: true + become: true + remote_user: "{{ proxmox_lxc_ssh_user }}" + roles: + - role: techno_tim.k3s_ansible.reset_proxmox_lxc + when: proxmox_lxc_configure diff --git a/proxmox/ansible/roles/dns-server/defaults/main.yml b/proxmox/ansible/roles/dns-server/defaults/main.yml new file mode 100644 index 0000000..9688abf --- /dev/null +++ b/proxmox/ansible/roles/dns-server/defaults/main.yml @@ -0,0 +1 @@ +technitium_image: "technitium/dns-server:13.4.0" diff --git a/proxmox/ansible/roles/dns-server/tasks/main.yml b/proxmox/ansible/roles/dns-server/tasks/main.yml new file mode 100644 index 0000000..a22b1f0 --- /dev/null +++ b/proxmox/ansible/roles/dns-server/tasks/main.yml 
@@ -0,0 +1,52 @@ +- name: Ensure docker is installed + apt: + name: + - docker.io + - docker-compose-v2 + update_cache: yes + state: present + +- name: Set up directory + become: true + file: + path: /etc/technitium + state: directory + mode: '0755' + +- name: Copy compose file + become: true + template: + src: docker-compose.yml.j2 + dest: /etc/technitium/docker-compose.yml + mode: '0644' + +- name: Create password file + become: true + copy: + content: "{{ dns_server.admin_password }}" + dest: /etc/technitium/password.txt + mode: '0770' + +- name: Pull Technitium image + become: true + community.docker.docker_image: + name: "{{ technitium_image }}" + source: pull + +- name: Set resolv.conf + become: true + copy: + content: nameserver 127.0.0.1 + dest: /etc/resolv.conf + +- name: Disable systemd-resolved + become: true + service: + name: systemd-resolved + state: stopped + enabled: false + +- name: Start Technitium + become: true + community.docker.docker_compose_v2: + project_src: /etc/technitium diff --git a/proxmox/ansible/roles/dns-server/templates/docker-compose.yml.j2 b/proxmox/ansible/roles/dns-server/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..d8a844e --- /dev/null +++ b/proxmox/ansible/roles/dns-server/templates/docker-compose.yml.j2 
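Review bot: The "Create password file" task writes the DNS admin password to `/etc/technitium/password.txt` with `mode: '0770'`, which makes a plain-text credential group-writable and executable for no reason; it should be `mode: '0600'` with `owner: root`, and the task needs `no_log: true` because `copy` with `content:` otherwise prints the password in diff and verbose output. The "Set resolv.conf" and "Disable systemd-resolved" tasks point the host at `127.0.0.1` before the "Start Technitium" task has run, so a failed compose start leaves the host without any resolver; moving those two tasks after the start (or restoring the previous nameserver on failure with a `block`/`rescue`) keeps the host recoverable. The per-task `become: true` lines are redundant with `become: true` in `dns.yml`, and the first `apt` task is the one task that omits it, which reads as an inconsistency even though the play-level setting covers it.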
@@ -0,0 +1,49 @@ +services: + dns-server: + container_name: dns-server + hostname: dns-server + image: {{ technitium_image }} + # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them + # network_mode: "host" + ports: + - "5380:5380/tcp" #DNS web console (HTTP) + - "53443:53443/tcp" #DNS web console (HTTPS) + - "53:53/udp" #DNS service + - "53:53/tcp" #DNS service + - "853:853/udp" #DNS-over-QUIC service + - "853:853/tcp" #DNS-over-TLS service + - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) + - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) + - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal) + - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy) + - "67:67/udp" #DHCP service + environment: + - DNS_SERVER_DOMAIN=dns-server #The primary domain name used by this DNS Server to identify itself. + # - DNS_SERVER_ADMIN_PASSWORD=password #DNS web console admin user password. + - DNS_SERVER_ADMIN_PASSWORD_FILE=/password.txt #The path to a file that contains a plain text password for the DNS web console admin user. + - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled. + # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode. + - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol. + # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol. + # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console. 
+ # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console. + # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. + # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL. + # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option. + # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone. + # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. + # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs. + # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses. + # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. 
+ # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging. + volumes: + - config:/etc/dns + - /etc/technitium/password.txt:/password.txt + restart: unless-stopped + sysctls: + - net.ipv4.ip_local_port_range=1024 65000 + +volumes: + config: diff --git a/proxmox/ansible/roles/docker-swarm/tasks/main.yml b/proxmox/ansible/roles/docker-swarm/tasks/main.yml new file mode 100644 index 0000000..8158ff6 --- /dev/null +++ b/proxmox/ansible/roles/docker-swarm/tasks/main.yml 
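Review bot: The `ports` list in `docker-compose.yml.j2` publishes the admin web console with `"5380:5380/tcp"`, which binds on every host interface over plain HTTP while `DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS` stays commented out; the password from `/password.txt` is therefore sent in the clear to whoever can reach the host. Either bind the console locally, `- "127.0.0.1:5380:5380/tcp"`, and reach it through the reverse proxy this repository already deploys, or enable the HTTPS options that are present in the template. `DNS_SERVER_RECURSION` is also left at the image default; if the resolver is reachable beyond the LAN, setting it explicitly (and `DNS_SERVER_RECURSION_NETWORK_ACL` as needed) avoids acting as an open recursive resolver, though the effective default is not visible from this file.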
@@ -0,0 +1,97 @@ +--- +- name: Create /etc/docker + become: true + file: + path: /etc/docker + state: directory + mode: '0755' + +- name: Set docker daemon settings + become: true + # Otherwise we risk conflicts on the host subnet + copy: + content: | + { + "default-address-pools": [ + { + "base": "172.17.0.0/12", + "size": 20 + }, + { + "base": "172.168.0.0/16", + "size": 24 + } + ], + "dns": ["10.0.123.123"] + } + dest: /etc/docker/daemon.json + +- name: Install dependencies + become: true + apt: + name: + - python3 + - python3-pip + - python3-docker + - docker.io + - docker-buildx + - docker-compose-v2 + - python3-jsondiff + - apache2-utils + update_cache: yes + +- name: Enable docker + become: true + service: + name: docker + state: started + enabled: true + +- name: (swarm_manager) Create ingress network + # The ingress network conflicts with my subnet and ends up causing problems, + # so we have to set a different subnet first + when: inventory_hostname == groups.swarm_managers[0] + become: true + docker_network: + name: ingress + driver: overlay + ingress: true + scope: swarm + ipam_config: + - subnet: 172.254.0.0/16 + gateway: 172.254.0.1 + driver_options: + # I'm honestly not completely sure what this, but in the default + # ingress network that's created during swarm initialization, this exists + # and things don't seem to work without it. 
+ com.docker.network.driver.overlay.vxlanid_list: 4096 + +- name: (swarm_manager) Init swarm + when: inventory_hostname == groups.swarm_managers[0] + become: true + docker_swarm: + state: present + advertise_addr: "{{ansible_default_ipv4.address}}" + register: manager_swarm_facts + failed_when: manager_swarm_facts.failed + +- when: inventory_hostname == groups.swarm_managers[0] + set_fact: + worker_join_token: "{{manager_swarm_facts.swarm_facts.JoinTokens.Worker}}" + +- name: (swarm_workers) Join swarm + when: inventory_hostname in groups.swarm_workers + become: true + docker_swarm: + state: join + join_token: "{{hostvars[groups.swarm_managers[0]].worker_join_token}}" + advertise_addr: "{{ansible_default_ipv4.address}}" + remote_addrs: ["{{hostvars[groups.swarm_managers[0]].ansible_default_ipv4.address}}"] + +- name: Add user to docker group + become: true + user: + name: "{{ ansible_user }}" + groups: + - docker + diff --git a/proxmox/ansible/roles/gluster/tasks/init.yml b/proxmox/ansible/roles/gluster/tasks/init.yml new file mode 100644 index 0000000..fdf65ca --- /dev/null +++ b/proxmox/ansible/roles/gluster/tasks/init.yml 
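Review bot: The "(swarm_manager) Init swarm" task sets `advertise_addr` but not `listen_addr`, so the manager API keeps the module's default of listening on all interfaces on port 2377; `listen_addr: "{{ ansible_default_ipv4.address }}"` restricts it to the same address that is advertised. `failed_when: manager_swarm_facts.failed` on that task restates the module's own failure condition and can be dropped. The unnamed `set_fact` task and the "(swarm_workers) Join swarm" task handle the worker join token, which is a credential; give the `set_fact` a `name:` and add `no_log: true` to both so the token does not appear in verbose or diff output. "Add user to docker group" grants `{{ ansible_user }}` root-equivalent access through the docker socket, which is worth a one-line comment so the intent is explicit.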
@@ -0,0 +1,46 @@ +--- +- name: Check if Gluster volume is initialized + become: true + stat: + path: "{{gluster_volume_path}}/{{inventory_hostname}}/brick" + register: glustervolume + +- name: Verify Gluster volume path + become: true + file: + path: "{{gluster_volume_path}}/{{inventory_hostname}}/brick" + state: directory + +- name: Initialize Gluster Cluster (on first node) + become: true + when: glustervolume.stat.exists == false and inventory_hostname == groups['gluster_nodes'][0] + loop: "{{ groups['gluster_nodes'] }}" + shell: gluster peer probe {{ item }} + +- name: Create Gluster Volume (on first node) + # TODO Make this scalable + become: true + when: glustervolume.stat.exists == false and inventory_hostname == groups['gluster_nodes'][0] + shell: > + gluster volume create {{gluster_volume_name}} \ + replica 3 \ + {{groups['gluster_nodes'][0]}}:{{gluster_volume_path}}/{{groups['gluster_nodes'][0]}}/brick \ + {{groups['gluster_nodes'][1]}}:{{gluster_volume_path}}/{{groups['gluster_nodes'][1]}}/brick \ + {{groups['gluster_nodes'][2]}}:{{gluster_volume_path}}/{{groups['gluster_nodes'][2]}}/brick + +- name: Secure Gluster Volume (on first node) + become: true + when: inventory_hostname == groups['gluster_nodes'][0] + shell: > + gluster volume set {{gluster_volume_name}} auth.allow \ + {{groups['gluster_nodes'][0]}},{{groups['gluster_nodes'][1]}},{{groups['gluster_nodes'][2]}} + changed_when: false + +- name: Start Gluster Volume (on first node) + become: true + when: glustervolume.stat.exists == false and inventory_hostname == groups['gluster_nodes'][0] + shell: gluster volume start {{gluster_volume_name}} + +- name: Wait 60s for Gluster volume to be replicated + when: glustervolume.stat.exists == false and inventory_hostname == groups['gluster_nodes'][0] + shell: sleep 60 diff --git a/proxmox/ansible/roles/gluster/tasks/install.yml b/proxmox/ansible/roles/gluster/tasks/install.yml new file mode 100644 index 0000000..b430315 --- /dev/null 
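Review bot: The `when:` conditions in `init.yml` use `glustervolume.stat.exists == false`, a comparison of a boolean with the literal `false`; `not glustervolume.stat.exists` is the idiomatic form. The `gluster peer probe`, `volume set` and `volume start` tasks use `shell` without needing any shell features, so `ansible.builtin.command` would avoid shell interpretation of the interpolated hostnames and paths. "Secure Gluster Volume" carries `changed_when: false` although it sets `auth.allow` every run, which hides the real first-run change, and the create task indexes `groups['gluster_nodes'][2]`, which fails on fewer than three nodes, as the TODO already notes.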
+++ b/proxmox/ansible/roles/gluster/tasks/install.yml @@ -0,0 +1,20 @@ +--- +- name: Install Gluster and dependencies + become: true + apt: + pkg: + - xfsprogs + - attr + - glusterfs-server + - glusterfs-common + - glusterfs-client + state: present + force_apt_get: true + update_cache: yes + +- name: Enable Gluster service + become: true + systemd: + name: glusterd + enabled: yes + state: started diff --git a/proxmox/ansible/roles/gluster/tasks/main.yml b/proxmox/ansible/roles/gluster/tasks/main.yml new file mode 100644 index 0000000..03aa52c --- /dev/null +++ b/proxmox/ansible/roles/gluster/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- import_tasks: xfs.yml +- import_tasks: install.yml +- import_tasks: init.yml +- import_tasks: mount.yml diff --git a/proxmox/ansible/roles/gluster/tasks/mount.yml b/proxmox/ansible/roles/gluster/tasks/mount.yml new file mode 100644 index 0000000..e15f68e --- /dev/null +++ b/proxmox/ansible/roles/gluster/tasks/mount.yml @@ -0,0 +1,16 @@ +--- +- name: Verify Gluster mount path + become: true + file: + path: "{{gluster_mount_path}}" + state: directory + +- name: Mount Gluster volume + become: true + # TODO: Make this scalable in case different # of replicas + mount: + path: "{{gluster_mount_path}}" + src: "localhost:/{{gluster_volume_name}}" + fstype: glusterfs + opts: defaults,_netdev,backupvolfile-server=localhost + state: mounted diff --git a/proxmox/ansible/roles/gluster/tasks/xfs.yml b/proxmox/ansible/roles/gluster/tasks/xfs.yml new file mode 100644 index 0000000..b6cba87 --- /dev/null +++ b/proxmox/ansible/roles/gluster/tasks/xfs.yml 
@@ -0,0 +1,20 @@
+---
+- name: Create XFS Path {{gluster_volume_path}}/{{inventory_hostname}}
+ become: true
+ file:
+ path: "{{gluster_volume_path}}/{{inventory_hostname}}"
+ state: directory
+
+- name: Create a XFS filesystem on {{device2_hdd_dev}}
+ become: true
+ filesystem:
+ fstype: xfs
+ dev: "{{device2_hdd_dev}}"
+
+- name: Mount XFS volume {{device2_hdd_dev}} to {{gluster_volume_path}}/{{inventory_hostname}}
+ become: true
+ mount:
+ path: "{{gluster_volume_path}}/{{inventory_hostname}}"
+ src: "{{device2_hdd_dev}}"
+ fstype: xfs
+ state: mounted
diff --git a/proxmox/ansible/roles/swarm-bootstrap/tasks/main.yml b/proxmox/ansible/roles/swarm-bootstrap/tasks/main.yml
new file mode 100644
index 0000000..584ab95
--- /dev/null
+++ b/proxmox/ansible/roles/swarm-bootstrap/tasks/main.yml
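Review bot: The Mount XFS volume task writes `src: "{{device2_hdd_dev}}"` (a kernel device path) into fstab, and device names of that kind can be renumbered across reboots or when a disk is added, at which point the brick is mounted from the wrong disk or the boot stalls on a missing `_netdev`-less entry. Registering the filesystem UUID after the format step (e.g. a `command: blkid -s UUID -o value {{device2_hdd_dev}}` task registered as `xfs_uuid`) and mounting with `src: "UUID={{ xfs_uuid.stdout }}"` removes that dependency. The `filesystem` task relies on the module's default of not reformatting a device that already carries a filesystem, which is the right safety behaviour here; a one-line comment such as `# filesystem leaves an existing fs untouched (force is off) — do not add force: true` would keep it from being "fixed" later.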
@@ -0,0 +1,86 @@
+---
+- name: Verify stacks directory exists (on first swarm node)
+ when: inventory_hostname == groups['swarm_managers'][0]
+ file:
+ path: "/home/{{ansible_user}}/stacks/swarm-bootstrap"
+ state: directory
+
+- name: Verify bootstrap volume path (on first swarm node)
+ become: true
+ when: inventory_hostname == groups['swarm_managers'][0]
+ file:
+ path: "{{ item }}"
+ state: directory
+ loop:
+ - "{{gluster_mount_path}}/swarm-bootstrap/traefik/letsencrypt"
+ - "{{gluster_mount_path}}/swarm-bootstrap/traefik/secrets"
+ - "{{gluster_mount_path}}/swarm-bootstrap/portainer"
+ - "{{gluster_mount_path}}/swarm-bootstrap/gitea"
+
+- name: Create CF secret
+ become: true
+ copy:
+ content: "{{ cf_dns_api_token }}"
+ dest: "{{gluster_mount_path}}/swarm-bootstrap/traefik/secrets/cf-dns-api-token.secret"
+ mode: '0740'
+
+- name: Set DNS servers
+ become: true
+ tags: [set_dns_servers]
+ copy:
+ content: |
+ [Resolve]
+ DNS=10.0.123.123
+ # FallbackDNS=1.1.1.1
+ dest: /etc/systemd/resolved.conf
+ register: dns_servers_configuration
+
+- name: Restart systemd-resolved
+ tags: [set_dns_servers]
+ service:
+ name: systemd-resolved
+ state: restarted
+ when: dns_servers_configuration.changed
+
+- name: Generate Traefik admin password hash
+ when: inventory_hostname == groups['swarm_managers'][0]
+ shell: echo $(htpasswd -nb {{traefik_admin_user}} {{traefik_admin_password}}) | sed -e s/\\$/\\$\\$/g
+ register: traefikpassword
+ changed_when: false
+
+- name: Generate Portainer admin password hash
+ when: inventory_hostname == groups['swarm_managers'][0]
+ shell: echo $(htpasswd -nBb admin {{portainer_admin_password}}) | cut -d ":" -f 2 | sed -e s/\\$/\\$\\$/g
+ register: portainerpassword
+ changed_when: false
+
+- name: Create git user
+ become: true
+ user:
+ name: git
+ create_home: true
+ register: git_user
+
+- set_fact:
+ portainer_htpasswd: "{{portainerpassword.stdout}}"
+ traefik_htpasswd: "{{traefikpassword.stdout}}"
+ git_user_id: "{{git_user.uid}}"
+
git_group_id: "{{git_user.group}}"
+ when: inventory_hostname == groups['swarm_managers'][0]
+
+- name: Create docker-compose stack file (on first swarm node)
+ when: inventory_hostname == groups['swarm_managers'][0]
+ template:
+ src: docker-stack.yml.j2
+ dest: /home/{{ansible_user}}/stacks/swarm-bootstrap/docker-stack.yml
+ mode: 0755
+
+- name: Deploy stack from a compose file (on first swarm node)
+ when: inventory_hostname == groups['swarm_managers'][0]
+ become: true
+ docker_stack:
+ state: present
+ name: swarm-bootstrap
+ detach: false
+ compose:
+ - /home/{{ansible_user}}/stacks/swarm-bootstrap/docker-stack.yml
diff --git a/proxmox/ansible/roles/swarm-bootstrap/templates/docker-stack.yml.j2 b/proxmox/ansible/roles/swarm-bootstrap/templates/docker-stack.yml.j2
new file mode 100644
index 0000000..53cdef6
--- /dev/null
+++ b/proxmox/ansible/roles/swarm-bootstrap/templates/docker-stack.yml.j2
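Review bot: The two password-hash tasks put `{{traefik_admin_password}}` and `{{portainer_admin_password}}` on the htpasswd command line unquoted, so the plaintext shows up in the process list and in Ansible's task output and registered results, and a password containing shell metacharacters breaks the command; both `shell` tasks and the `set_fact` that copies their stdout should carry `no_log: true`, and the values should be interpolated as `{{ traefik_admin_password | quote }}` / `{{ portainer_admin_password | quote }}`. The Create docker-compose stack file task writes the rendered stack with `mode: 0755` although the file contains `portainer_agent_secret` and both hashes, and Create CF secret writes the Cloudflare token with `mode: '0740'`; `mode: '0600'` is sufficient for both since the Docker daemon reads them as root (and quoting the octal avoids Ansible's mode-as-integer warning). Create CF secret also lacks the first-node `when:` guard its neighbours use, so every swarm node rewrites the same file on the shared Gluster mount.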
@@ -0,0 +1,181 @@
+networks:
+ gitea:
+ driver: overlay
+ attachable: true
+ name: gitea
+ traefik:
+ driver: overlay
+ attachable: true
+ name: traefik
+ portainer:
+ driver: overlay
+ attachable: true
+ name: portainer
+
+volumes:
+ gitea:
+ driver: local
+ driver_opts:
+ o: bind
+ type: none
+ device: {{gluster_mount_path}}/swarm-bootstrap/gitea
+ name: gitea
+ portainer_data:
+ driver: local
+ driver_opts:
+ o: bind
+ type: none
+ device: {{gluster_mount_path}}/swarm-bootstrap/portainer
+ name: portainer_data
+ traefik:
+ driver: local
+ driver_opts:
+ o: bind
+ type: none
+ device: {{gluster_mount_path}}/swarm-bootstrap/traefik
+ name: traefik
+
+secrets:
+ cf_dns_api_token:
+ file: "{{gluster_mount_path}}/swarm-bootstrap/traefik/secrets/cf-dns-api-token.secret"
+
+services:
+ traefik:
+ image: traefik:v3.3
+ dns:
+ - 1.1.1.1
+ command:
+ - "--log.level=DEBUG"
+ - "--api.dashboard=true"
+ # Allow invalid TLS certs internally
+ - "--api.insecure=true"
+ # Swarm settings
+ - "--providers.swarm=true"
+ - "--providers.swarm.exposedByDefault=false"
+ - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
+ # HTTP
+ - "--entrypoints.web.address=:{{traefik_listen_port}}"
+ # Redirect to HTTPS
+ - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+ - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+ - "--entrypoints.websecure.address=:{{traefik_secure_listen_port}}"
+ # TLS
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+ - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
+ - "--certificatesresolvers.letsencrypt.acme.caserver={{'https://acme-v02.api.letsencrypt.org/directory' if traefik_tls_mode == 'production' else 'https://acme-staging-v02.api.letsencrypt.org/directory'}}"
+ - "--certificatesresolvers.letsencrypt.acme.email={{cf_email}}"
+ - "--certificatesresolvers.letsencrypt.acme.storage=/data/letsencrypt/acme.json"
+ ports:
+ - "{{traefik_listen_port}}:{{traefik_listen_port}}"
+ -
"{{traefik_secure_listen_port}}:{{traefik_secure_listen_port}}" + - "{{traefik_admin_port}}:8080" + secrets: + - "cf_dns_api_token" + environment: + - "CLOUDFLARE_EMAIL={{cf_email}}" + - "CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - traefik:/data + networks: + - traefik + deploy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.api.rule=Host(`traefik.{{app_domain_name}}`)" + - "traefik.http.routers.api.service=api@internal" + - "traefik.http.routers.api.middlewares=auth" + # TODO: Store this in a secret + # It's not thaaat big of a deal cuz it's hashed anyway though. + - "traefik.http.middlewares.auth.basicauth.users={{traefik_htpasswd}}" + # Dummy service for Swarm port detection. The port can be any valid integer value. + - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999" + mode: global + placement: + constraints: [node.role == manager] + + whoami: + image: "traefik/whoami" + networks: + - traefik + deploy: + labels: + - "traefik.enable=true" + - "traefik.http.routers.whoami.rule=Host(`whoami.stingray.mnke.org`)" + - "traefik.http.routers.whoami.entrypoints=websecure" + - "traefik.http.routers.whoami.tls.certresolver=letsencrypt" + - "traefik.http.services.whoami.loadbalancer.server.port=80" + - "traefik.swarm.network=traefik" + + agent: + image: portainer/agent:latest + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /var/lib/docker/volumes:/var/lib/docker/volumes + networks: + - portainer + environment: + AGENT_SECRET: {{portainer_agent_secret}} + deploy: + mode: global + placement: + constraints: [node.platform.os == linux] + + portainer: + image: portainer/portainer:latest + command: "-H tcp://tasks.agent:9001 --tlsskipverify --bind :9000 --tunnel-port 8000 --admin-password {{portainer_htpasswd}}" + ports: + - "9000:9000" + - "8000:8000" + volumes: + - portainer_data:/data + networks: + - portainer + - traefik + environment: + # TODO: Load this in a 
secret
+ AGENT_SECRET: {{portainer_agent_secret}}
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.portainer.rule=Host(`portainer.{{app_domain_name}}`)"
+ - "traefik.http.routers.portainer.entrypoints=websecure"
+ - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
+ - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+ - "traefik.swarm.network=traefik"
+ mode: replicated
+ replicas: 1
+ placement:
+ constraints: [node.role == manager]
+
+ gitea:
+ image: docker.io/gitea/gitea:1.23.1
+ environment:
+ - USER_UID={{git_user_id}}
+ - USER_GID={{git_group_id}}
+ - USER=git
+ - GITEA_APP_NAME=mnke
+ - GITEA__server__DOMAIN={{gitea_primary_domain_name}}
+ - GITEA__server__ROOT_URL=https://{{gitea_primary_domain_name}}
+ networks:
+ - gitea
+ - traefik
+ volumes:
+ - gitea:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - "3000:3000"
+ - "222:22"
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.gitea.rule=Host(`git.{{app_domain_name}}`) || Host(`{{gitea_primary_domain_name}}`)"
+ - "traefik.http.routers.gitea.entrypoints=websecure"
+ - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+ - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+ - "traefik.swarm.network=traefik"
+ mode: replicated
+ replicas: 1
+ placement:
+ constraints: [node.role == manager]
diff --git a/proxmox/ansible/site.yml b/proxmox/ansible/site.yml
new file mode 100644
index 0000000..1b01d8f
--- /dev/null
+++ b/proxmox/ansible/site.yml
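Review bot: `--api.insecure=true` together with the `"{{traefik_admin_port}}:8080"` port mapping publishes the Traefik API and dashboard on every manager with no authentication at all — the `auth` basicauth middleware is attached only to the `api` router, not to the insecure 8080 entrypoint — and the comment `# Allow invalid TLS certs internally` describes something this flag does not do. Removing both lines keeps the dashboard reachable via `traefik.{{app_domain_name}}` through the authenticated router, which appears to be the intent; the comment should then say `# Dashboard is served only through the authenticated api router below`. The `api` router, unlike whoami/portainer/gitea, has no `traefik.http.routers.api.entrypoints=websecure` and `traefik.http.routers.api.tls.certresolver=letsencrypt` labels, so it is presumably served without the ACME certificate; aligning it with the other services would fix that. `--log.level=DEBUG` and the `portainer/agent:latest` / `portainer/portainer:latest` tags are also more than a long-lived bootstrap stack should carry, and `--admin-password {{portainer_htpasswd}}` on the Portainer command line is visible in `docker service inspect` output to anyone with socket access, so the existing secret TODOs apply to it as well.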
@@ -0,0 +1,81 @@
+---
+- name: Pre tasks
+ hosts: k3s_cluster
+ pre_tasks:
+ - name: Verify Ansible is version 2.11 or above. (If this fails you may need to update Ansible)
+ ansible.builtin.assert:
+ that: ansible_version.full is version_compare('2.11', '>=')
+ msg: >
+ "Ansible is out of date. See here for more info: https://docs.technotim.live/posts/ansible-automation/"
+ tasks:
+ - name: Disable multipathd for longhorn
+ become: true
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: false
+ loop:
+ - multipathd.service
+ - multipathd.socket
+
+- name: Prepare Proxmox cluster
+ hosts: proxmox
+ gather_facts: true
+ become: true
+ environment: "{{ proxy_env | default({}) }}"
+ roles:
+ - role: techno_tim.k3s_ansible.proxmox_lxc
+ when: proxmox_lxc_configure
+
+- name: Prepare k3s nodes
+ hosts: k3s_cluster
+ gather_facts: true
+ environment: "{{ proxy_env | default({}) }}"
+ roles:
+ - role: techno_tim.k3s_ansible.lxc
+ become: true
+ when: proxmox_lxc_configure
+ - role: techno_tim.k3s_ansible.prereq
+ become: true
+ - role: techno_tim.k3s_ansible.download
+ become: true
+ - role: techno_tim.k3s_ansible.raspberrypi
+ become: true
+ - role: techno_tim.k3s_ansible.k3s_custom_registries
+ become: true
+ when: custom_registries
+
+
+- name: Setup k3s servers
+ hosts: master
+ environment: "{{ proxy_env | default({}) }}"
+ roles:
+ - role: techno_tim.k3s_ansible.k3s_server
+ when: not (skip_setup_servers | default(false))
+ become: true
+
+- name: Setup k3s agents
+ hosts: node
+ environment: "{{ proxy_env | default({}) }}"
+ roles:
+ - role: techno_tim.k3s_ansible.k3s_agent
+ when: not (skip_setup_agents | default(false))
+ become: true
+
+- name: Configure k3s cluster
+ hosts: master
+ environment: "{{ proxy_env | default({}) }}"
+ roles:
+ - role: techno_tim.k3s_ansible.k3s_server_post
+ become: true
+
+- name: Storing kubeconfig in the playbook directory
+ hosts: master
+ environment: "{{ proxy_env | default({}) }}"
+ tasks:
+ - name: Copying kubeconfig
from {{ hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname'] }}
+ ansible.builtin.fetch:
+ src: "{{ ansible_user_dir }}/.kube/config"
+ dest: ./kubeconfig
+ flat: true
+ when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']
diff --git a/proxmox/ansible/swarm.yml b/proxmox/ansible/swarm.yml
new file mode 100644
index 0000000..a2b73f4
--- /dev/null
+++ b/proxmox/ansible/swarm.yml
@@ -0,0 +1,7 @@
+---
+- name: Set up Docker Swarm
+ hosts: swarm
+ roles:
+ - docker-swarm
+ - gluster
+ - swarm-bootstrap
diff --git a/proxmox/docker/stacks/db-ui/docker-stack.yml b/proxmox/docker/stacks/db-ui/docker-stack.yml
new file mode 100644
index 0000000..60f51ee
--- /dev/null
+++ b/proxmox/docker/stacks/db-ui/docker-stack.yml
@@ -0,0 +1,41 @@
+version: '3.1'
+
+networks:
+ traefik:
+ external: true
+
+services:
+ phpmyadmin:
+ image: phpmyadmin
+ environment:
+ - PMA_HOST=${DB_HOST:-db.home.mnke.org}
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.pma.rule=Host(`${PMA_HOST:-pma.stingray.mnke.org}`)"
+ - "traefik.http.routers.pma.entrypoints=websecure"
+ - "traefik.http.routers.pma.tls.certresolver=letsencrypt"
+ - "traefik.http.services.pma.loadbalancer.server.port=80"
+ - "traefik.swarm.network=traefik"
+ mode: replicated
+ replicas: 1
+
+ pgadmin:
+ image: dpage/pgadmin4
+ environment:
+ - PGADMIN_DEFAULT_EMAIL=${PGADMIN_EMAIL:-tony@mnke.org}
+ - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD:-password}
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.pgadmin.rule=Host(`${PGADMIN_HOST:-pgadmin.stingray.mnke.org}`)"
+ - "traefik.http.routers.pgadmin.entrypoints=websecure"
+ - "traefik.http.routers.pgadmin.tls.certresolver=letsencrypt"
+ - "traefik.http.services.pgadmin.loadbalancer.server.port=80"
+ - "traefik.swarm.network=traefik"
+ mode: replicated
+ replicas: 1
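Review bot: `when: proxmox_lxc_configure` (Prepare Proxmox cluster and the lxc role in Prepare k3s nodes) and `when: custom_registries` abort the play with an undefined-variable error whenever those variables are not set, whereas the later plays guard with `skip_setup_servers | default(false)`; `when: proxmox_lxc_configure | default(false)` and `when: custom_registries | default(false)` would make the file consistent and let a minimal inventory run. The Copying kubeconfig task fetches cluster-admin credentials into `./kubeconfig` next to the playbook, so that path needs to stay out of version control and should be tightened to owner-only on the controller after the fetch; a comment on the task saying so, e.g. `# writes cluster-admin credentials locally — keep ./kubeconfig untracked`, would make the intent visible. The `msg: >` scalar wraps its text in literal double quotes, which will be printed as part of the message.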
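Review bot: `PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD:-password}` brings pgadmin up with the well-known password `password` whenever the variable is absent from the deploying shell, on a router that is published with a Let's Encrypt certificate; `${PGADMIN_DEFAULT_PASSWORD:?PGADMIN_DEFAULT_PASSWORD must be set}` makes the deploy fail instead of silently using the fallback, and a swarm `secrets:` entry consumed through `PGADMIN_DEFAULT_PASSWORD_FILE` keeps the value out of the service environment altogether. `image: phpmyadmin` and `image: dpage/pgadmin4` are unpinned, so each redeploy may pull a different version of an admin UI that holds database credentials; pin them as the gitea service in the bootstrap stack does.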
diff --git a/proxmox/docker/stacks/dockge/docker-stack.yml b/proxmox/docker/stacks/dockge/docker-stack.yml
new file mode 100644
index 0000000..cd1e54e
--- /dev/null
+++ b/proxmox/docker/stacks/dockge/docker-stack.yml
@@ -0,0 +1,31 @@
+version: "3.8"
+
+networks:
+ traefik:
+ external: true
+
+services:
+ dockge:
+ image: louislam/dockge:1
+ restart: unless-stopped
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ${DATA_DIRECTORY:-/mnt/gfs/dockge/data}:/app/data
+ - /opt/stacks:/opt/stacks
+ environment:
+ # Tell Dockge where to find the stacks
+ - DOCKGE_STACKS_DIR=/opt/stacks
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.dockge.rule=Host(`${DOCKGE_HOST:-dockge.stingray.mnke.org}`)"
+ - "traefik.http.routers.dockge.entrypoints=websecure"
+ - "traefik.http.routers.dockge.tls.certresolver=letsencrypt"
+ - "traefik.http.services.dockge.loadbalancer.server.port=5001"
+ - "traefik.swarm.network=traefik"
+ mode: replicated
+ replicas: 1
+ placement:
+ constraints: [node.role == manager]
diff --git a/proxmox/k8s/helmfile.d/00-core.yaml b/proxmox/k8s/helmfile.d/00-core.yaml
new file mode 100644
index 0000000..537f5d2
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/00-core.yaml
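Review bot: `restart: unless-stopped` is ignored by `docker stack deploy`, which only honours `deploy.restart_policy`, so the service runs under the default swarm policy rather than the one written here; either drop the line or express it as `deploy: restart_policy: condition: any`. The service mounts `/var/run/docker.sock` on a manager and is reachable through a Traefik router with no middleware, so as far as this file shows Dockge's own login is the only thing between the public hostname and the manager's Docker daemon; a comment stating that, and ideally the same `auth` middleware the bootstrap stack puts in front of the Traefik dashboard, would make the exposure deliberate rather than accidental.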
@@ -0,0 +1,83 @@
+---
+repositories:
+ - name: traefik
+ url: https://helm.traefik.io/traefik
+ - name: jetstack
+ url: https://charts.jetstack.io
+ - name: rancher-stable
+ url: https://releases.rancher.com/server-charts/stable
+ - name: longhorn
+ url: https://charts.longhorn.io
+ - name: bitnami
+ url: https://charts.bitnami.com/bitnami
+ - name: nfs-subdir-external-provisioner
+ url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
+ - name: prometheus-community
+ url: https://prometheus-community.github.io/helm-charts
+
+environments:
+ staging: &staging
+ values:
+ - ./values/globals/staging.yaml.gotmpl
+ production:
+ default: *staging
+
+---
+releases:
+ - name: traefik
+ namespace: {{ .Values.globals.traefik.namespace }}
+ createNamespace: true
+ chart: traefik/traefik
+ values:
+ - ./values/traefik/values.yaml.gotmpl
+
+ - name: cert-manager
+ namespace: {{ .Values.globals.certManager.namespace }}
+ createNamespace: true
+ chart: jetstack/cert-manager
+ values:
+ - ./values/cert-manager/values.yml
+
+ - name: certs
+ chart: ./charts/certs
+ needs:
+ - {{ .Values.globals.certManager.namespace }}/cert-manager
+ values:
+ - ./values/certs/values.yaml.gotmpl
+
+ - name: nfs-subdir-external-provisioner
+ namespace: {{ .Values.globals.nfsSubdirExternalProvisioner.namespace }}
+ createNamespace: true
+ chart: {{ .Values.globals.nfsSubdirExternalProvisioner.namespace }}/nfs-subdir-external-provisioner
+ values:
+ - ./values/nfs-subdir-external-provisioner/values.yaml.gotmpl
+
+ - name: rancher
+ namespace: {{ .Values.globals.rancher.namespace }}
+ createNamespace: true
+ chart: rancher-stable/rancher
+ needs:
+ - {{ .Values.globals.certManager.namespace }}/cert-manager
+ values:
+ - ./values/rancher/values.yaml.gotmpl
+
+ - name: longhorn
+ namespace: {{ .Values.globals.longhorn.namespace }}
+ createNamespace: true
+ chart: longhorn/longhorn
+ values:
+ - ./values/longhorn/values.yaml.gotmpl
+ needs:
+ - {{ .Values.globals.rancher.namespace
}}/rancher
+
+
+ - name: kube-prometheus-stack
+ namespace: {{ .Values.globals.kubePrometheusStack.namespace }}
+ createNamespace: true
+ chart: prometheus-community/kube-prometheus-stack
+ needs:
+ - {{ .Values.globals.certManager.namespace }}/cert-manager
+ - {{ .Values.globals.longhorn.namespace }}/longhorn
+ values:
+ - ./values/kube-prometheus-stack/values.yaml.gotmpl
+
diff --git a/proxmox/k8s/helmfile.d/01-databases.yaml b/proxmox/k8s/helmfile.d/01-databases.yaml
new file mode 100644
index 0000000..bcff3f4
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/01-databases.yaml
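Review bot: `chart: {{ .Values.globals.nfsSubdirExternalProvisioner.namespace }}/nfs-subdir-external-provisioner` uses the release's namespace value as the repository prefix of the chart reference, so it resolves only while that namespace happens to equal the repository name declared at the top; the reference should be the fixed `chart: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner`. The `production:` environment is written as `default: *staging`, which creates a key named `default` holding a copy of staging's map instead of merging it into production; presumably `<<: *staging` (YAML merge) was intended, and the same construct appears in the 01-databases and 02-applications hunks. The `bitnami` repository is declared in this file but no release here uses it.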
@@ -0,0 +1,67 @@
+---
+repositories:
+ - name: bitnami
+ url: https://charts.bitnami.com/bitnami
+ - name: runix
+ url: https://helm.runix.net
+
+environments:
+ staging: &staging
+ values:
+ - ./values/globals/staging.yaml.gotmpl
+ production:
+ default: *staging
+
+---
+releases:
+ - name: mysql
+ namespace: {{ .Values.globals.mysql.namespace }}
+ createNamespace: true
+ chart: bitnami/mysql
+ values:
+ - ./values/mysql/values.yaml.gotmpl
+
+ - name: phpmyadmin
+ namespace: {{ .Values.globals.phpmyadmin.namespace }}
+ createNamespace: true
+ chart: bitnami/phpmyadmin
+ values:
+ - ./values/phpmyadmin/values.yaml.gotmpl
+ needs:
+ - {{ .Values.globals.mysql.namespace }}/mysql
+
+ - name: postgres
+ namespace: {{ .Values.globals.postgres.namespace }}
+ createNamespace: true
+ chart: bitnami/postgresql
+ values:
+ - ./values/postgres/values.yaml.gotmpl
+
+ - name: pgadmin4
+ namespace: {{ .Values.globals.pgadmin4.namespace }}
+ createNamespace: true
+ chart: runix/pgadmin4
+ values:
+ - ./values/pgadmin4/values.yaml.gotmpl
+ needs:
+ - {{ .Values.globals.postgres.namespace }}/postgres
+
+ - name: init-dbs
+ # It doesn't really matter where we put this, but I don't want it polluting
+ # the default namespace
+ namespace: init-dbs
+ createNamespace: true
+ chart: ./charts/init-dbs
+ values:
+ - ./values/init-dbs/values.yaml.gotmpl
+ needs:
+ - {{ .Values.globals.postgres.namespace }}/postgres
+ - {{ .Values.globals.mysql.namespace }}/mysql
+
+ - name: redis
+ namespace: {{ .Values.globals.redis.namespace }}
+ createNamespace: true
+ chart: bitnami/redis
+ values:
+ - ./values/redis/values.yaml.gotmpl
+
diff --git a/proxmox/k8s/helmfile.d/02-applications.yaml b/proxmox/k8s/helmfile.d/02-applications.yaml
new file mode 100644
index 0000000..83d0de7
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/02-applications.yaml
@@ -0,0 +1,64 @@
+---
+repositories:
+ - name: gitlab
+ url: https://charts.gitlab.io
+ - name: bitnami
+ url: https://charts.bitnami.com/bitnami
+ - name: uptime-kuma
+ url: https://helm.irsigler.cloud
+ - name: authentik
+ url: https://charts.goauthentik.io
+ - name: harbor
+ url: https://helm.goharbor.io
+
+environments:
+ staging: &staging
+ values:
+ - ./values/globals/staging.yaml.gotmpl
+ production:
+ default: *staging
+
+---
+releases:
+ - name: uptime-kuma
+ namespace: {{ .Values.globals.uptimeKuma.namespace }}
+ createNamespace: true
+ chart: uptime-kuma/uptime-kuma
+ values:
+ - ./values/uptime-kuma/values.yaml.gotmpl
+
+ - name: authentik
+ namespace: {{ .Values.globals.authentik.namespace }}
+ createNamespace: true
+ chart: authentik/authentik
+ values:
+ - ./values/authentik/values.yaml.gotmpl
+
+ - name: argo-cd
+ namespace: {{ .Values.globals.argocd.namespace }}
+ createNamespace: true
+ chart: bitnami/argo-cd
+ values:
+ - ./values/argo-cd/values.yaml.gotmpl
+
+ - name: harbor
+ namespace: {{ .Values.globals.harbor.namespace }}
+ createNamespace: true
+ chart: bitnami/harbor
+ values:
+ - ./values/harbor/values.yaml.gotmpl
+
+ - name: ghost
+ namespace: {{ .Values.globals.ghost.namespace }}
+ createNamespace: true
+ chart: bitnami/ghost
+ values:
+ - ./values/ghost/values.yaml.gotmpl
+
+ - name: gitea
+ installed: false
+ namespace: {{ .Values.globals.gitea.namespace }}
+ createNamespace: true
+ chart: bitnami/gitea
+ values:
+ - ./values/gitea/values.yaml.gotmpl
diff --git a/proxmox/k8s/helmfile.d/charts/certs/.helmignore b/proxmox/k8s/helmfile.d/charts/certs/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/certs/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/proxmox/k8s/helmfile.d/charts/certs/Chart.yaml b/proxmox/k8s/helmfile.d/charts/certs/Chart.yaml
new file mode 100644
index 0000000..06cd0fa
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/certs/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: certs
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/proxmox/k8s/helmfile.d/charts/certs/templates/NOTES.txt b/proxmox/k8s/helmfile.d/charts/certs/templates/NOTES.txt
new file mode 100644
index 0000000..e69de29
diff --git a/proxmox/k8s/helmfile.d/charts/certs/templates/_helpers.tpl b/proxmox/k8s/helmfile.d/charts/certs/templates/_helpers.tpl
new file mode 100644
index 0000000..27f9fc8
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/certs/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "certs.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "certs.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "certs.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "certs.labels" -}}
+helm.sh/chart: {{ include "certs.chart" . }}
+{{ include "certs.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "certs.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "certs.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "certs.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "certs.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/proxmox/k8s/helmfile.d/charts/certs/templates/certificate.yml b/proxmox/k8s/helmfile.d/charts/certs/templates/certificate.yml
new file mode 100644
index 0000000..64fd72a
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/certs/templates/certificate.yml
@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.certificateName }}
+ namespace: {{ .Values.certificateNamespace }}
+spec:
+ secretName: {{ .Values.certificateSecretName }}
+ issuerRef:
+ name: {{ .Values.issuerName | quote }}
+ kind: ClusterIssuer
+ commonName: {{ .Values.commonName | quote }}
+ dnsNames:
+ {{- range .Values.dnsNames }}
+ - {{ . | quote }}
+ {{- end}}
+
diff --git a/proxmox/k8s/helmfile.d/charts/certs/templates/cf-secret.yml b/proxmox/k8s/helmfile.d/charts/certs/templates/cf-secret.yml
new file mode 100644
index 0000000..a5db44b
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/certs/templates/cf-secret.yml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.cloudflareTokenSecretName }}
+ namespace: {{ .Values.certManagerNamespace }}
+type: Opaque
+stringData:
+ cloudflare-token: {{ .Values.cloudflareSecretToken }}
+
diff --git a/proxmox/k8s/helmfile.d/charts/certs/templates/clusterissuer.yml b/proxmox/k8s/helmfile.d/charts/certs/templates/clusterissuer.yml
new file mode 100644
index 0000000..bcb1f74
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/certs/templates/clusterissuer.yml
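Review bot: `cloudflare-token: {{ .Values.cloudflareSecretToken }}` in cf-secret.yml renders the Cloudflare API token unquoted, so a token that YAML would reinterpret (leading digit, embedded `:` or `#`) produces a malformed or truncated Secret; `cloudflare-token: {{ required "cloudflareSecretToken must be set" .Values.cloudflareSecretToken | quote }}` both quotes it and turns a forgotten override into a render error instead of deploying the placeholder from values.yaml. Because the value is a chart value it also ends up in the Helm release secret; sourcing it from an environment-backed value in the helmfile rather than a committed values file keeps it out of the repository. Worth a one-line comment in certificate.yml that `kind: ClusterIssuer` is fixed, so `issuerName` must name a cluster-scoped issuer.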
@@ -0,0 +1,24 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .Values.issuerName }}
+spec:
+ acme:
+ server: {{- if eq .Values.issuerMode "staging" }} "https://acme-staging-v02.api.letsencrypt.org/directory" {{- else }} "https://acme-v02.api.letsencrypt.org/directory" {{- end }}
+ email: {{ .Values.acmeEmail }}
+ privateKeySecretRef:
+ name: {{ .Values.privateKeySecretRef }}
+ solvers:
+ - dns01:
+ cloudflare:
+ email: {{ .Values.cloudflareEmail }}
+ apiTokenSecretRef:
+ name: {{ .Values.cloudflareTokenSecretName }}
+ key: cloudflare-token
+ selector:
+ dnsZones:
+ {{- range .Values.dnsZones }}
+ - {{ . | quote }}
+ {{- end}}
+
diff --git a/proxmox/k8s/helmfile.d/charts/certs/values.yaml b/proxmox/k8s/helmfile.d/charts/certs/values.yaml
new file mode 100644
index 0000000..97a1db8
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/certs/values.yaml
@@ -0,0 +1,28 @@
+acmeEmail: tonydu121@hotmail.com
+cloudflareEmail: tonydu121@hotmail.com
+
+# staging or production
+issuerMode: staging
+
+issuerName: letsencrypt
+privateKeySecretRef: letsencrypt
+
+certManagerNamespace: cert-manager
+
+cloudflareSecretToken: redacted
+cloudflareTokenSecretName: cloudflare-token-secret
+
+dnsZones:
+ - "mnke.org"
+ - "*.mnke.org"
+ - "*.hl.mnke.org"
+
+# TODO: Allow for multiple creation
+certificateName: hl-mnke-org
+certificateNamespace: default
+certificateSecretName: hl-mnke-org-tls
+
+commonName: "*.hl.mnke.org"
+dnsNames:
+ - "hl.mnke.org"
+ - "*.hl.mnke.org"
diff --git a/proxmox/k8s/helmfile.d/charts/init-dbs/.helmignore b/proxmox/k8s/helmfile.d/charts/init-dbs/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/init-dbs/.helmignore
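Review bot: `dnsZones` in values.yaml lists `"*.mnke.org"` and `"*.hl.mnke.org"` next to `"mnke.org"`, but the solver's `selector.dnsZones` is matched as a DNS-zone suffix rather than a glob, so the wildcard entries are presumably never matched and `"mnke.org"` alone already covers every subdomain; `dnsZones: ["mnke.org"]` expresses the same intent without the misleading patterns. `cloudflareSecretToken: redacted` is a placeholder that will be installed verbatim whenever nobody overrides it, so the comment above it should say where the real value is meant to come from (e.g. `# override from the helmfile environment; never commit a real token here`). The `server:` line in clusterissuer.yml works only because of the leading space inside each branch after the `{{-` trim, which is fragile enough to deserve a `{{/* keep the space before each URL */}}` note.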
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/proxmox/k8s/helmfile.d/charts/init-dbs/Chart.yaml b/proxmox/k8s/helmfile.d/charts/init-dbs/Chart.yaml
new file mode 100644
index 0000000..d530203
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/init-dbs/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: init-dbs
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/proxmox/k8s/helmfile.d/charts/init-dbs/templates/NOTES.txt b/proxmox/k8s/helmfile.d/charts/init-dbs/templates/NOTES.txt
new file mode 100644
index 0000000..e69de29
diff --git a/proxmox/k8s/helmfile.d/charts/init-dbs/templates/_helpers.tpl b/proxmox/k8s/helmfile.d/charts/init-dbs/templates/_helpers.tpl
new file mode 100644
index 0000000..c58e41b
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/init-dbs/templates/_helpers.tpl
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "init-dbs.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "init-dbs.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "init-dbs.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "init-dbs.labels" -}}
+helm.sh/chart: {{ include "init-dbs.chart" . }}
+{{ include "init-dbs.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "init-dbs.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "init-dbs.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/proxmox/k8s/helmfile.d/charts/init-dbs/templates/jobs.yaml b/proxmox/k8s/helmfile.d/charts/init-dbs/templates/jobs.yaml
new file mode 100644
index 0000000..32403a3
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/init-dbs/templates/jobs.yaml
@@ -0,0 +1,112 @@
+{{- range .Values.postgres.databases }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "init-dbs.fullname" $ }}-postgres-{{ .database }}
+spec:
+ template:
+ spec:
+ imagePullSecrets:
+ {{- toYaml $.Values.imagePullSecrets | nindent 8 }}
+ restartPolicy: OnFailure
+ containers:
+ - name: {{ include "init-dbs.fullname" $ }}-postgres-{{ .database }}
+ image: {{ $.Values.postgres.image.ref }}
+ imagePullPolicy: {{ $.Values.postgres.image.pullPolicy }}
+ command:
+ - /bin/sh
+ - -c
+ args:
+ # If the username and database exists, whatever, just exit.
+ # Yeah, if something else went wrong, we're still exiting with code 0,
+ # but it should be fine.
+ - |
+ sleep 10s && \
+ psql -h {{ $.Values.postgres.host }} -U $PGUSER postgres \
+ -tc "SELECT 1 FROM pg_database WHERE datname = '$DATABASE'" |\
+ grep -q 1 ||\
+ psql -h {{ $.Values.postgres.host }} -U $PGUSER postgres \
+ -c "CREATE USER $USERNAME WITH ENCRYPTED PASSWORD '$PASSWORD';" \
+ -c "CREATE DATABASE $DATABASE WITH OWNER = $USERNAME;"
+ env:
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: {{ include "init-dbs.fullname" $ }}-postgres
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: {{ include "init-dbs.fullname" $ }}-postgres
+ - name: USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: {{ .database }}-username
+ name: {{ include "init-dbs.fullname" $ }}-postgres
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: {{ .database }}-password
+ name: {{ include "init-dbs.fullname" $ }}-postgres
+ - name: DATABASE
+ valueFrom:
+ secretKeyRef:
+ key: {{ .database }}-database
+ name: {{ include "init-dbs.fullname" $ }}-postgres
+{{- end }}
+
+{{- range .Values.mysql.databases }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "init-dbs.fullname" $ }}-mysql-{{ .database }}
+spec:
+ template:
+ spec:
+ imagePullSecrets:
+ {{- toYaml $.Values.imagePullSecrets | nindent 8 }}
+ restartPolicy: OnFailure
+ containers:
+ - name: {{ include "init-dbs.fullname" $ }}-mysql-{{ .database }}
+ image: {{ $.Values.mysql.image.ref }}
+ imagePullPolicy: {{ $.Values.mysql.image.pullPolicy }}
+ command:
+ - /bin/sh
+ - -c
+ args:
+ - |
+ sleep 10s && \
+ mysql -h {{ $.Values.mysql.host }} -u $MYUSER mysql --password=$MYPASSWORD \
+ -e "CREATE DATABASE IF NOT EXISTS $DATABASE;" \
+ -e "CREATE USER IF NOT EXISTS '$USERNAME'@'%' IDENTIFIED BY '$PASSWORD';" \
+ -e "GRANT ALL PRIVILEGES ON $DATABASE TO '$USERNAME'@'%';"
+ env:
+ - name: MYUSER
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: {{ include "init-dbs.fullname" $ }}-mysql
+ - name: MYPASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: {{ include "init-dbs.fullname" $ }}-mysql
+ - name: USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: {{ .database }}-username
+ name: {{ include "init-dbs.fullname" $ }}-mysql
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: {{ .database }}-password
+ name: {{ include "init-dbs.fullname" $ }}-mysql
+ - name: DATABASE
+ valueFrom:
+ secretKeyRef:
+ key: {{ .database }}-database
+ name: {{ include "init-dbs.fullname" $ }}-mysql
+{{- end }}
diff --git a/proxmox/k8s/helmfile.d/charts/init-dbs/templates/secrets.yaml b/proxmox/k8s/helmfile.d/charts/init-dbs/templates/secrets.yaml
new file mode 100644
index 0000000..2f4a021
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/init-dbs/templates/secrets.yaml
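Review bot: The MySQL grant in this hunk, `-e "GRANT ALL PRIVILEGES ON $DATABASE TO '$USERNAME'@'%';"`, has no `.*` in its privilege level, so as far as the MySQL grammar goes it is a table-level grant on a table named `$DATABASE` inside the `mysql` schema the client connected to, not a grant on the database created one line earlier; it should read `-e "GRANT ALL PRIVILEGES ON \`$DATABASE\`.* TO '$USERNAME'@'%';"`. Passing the admin credential as `--password=$MYPASSWORD` also places it on the container's command line, where it is readable from `/proc` by anything else in the pod; the `mysql` client reads the `MYSQL_PWD` environment variable, so naming the secret-backed variable `MYSQL_PWD` and dropping the flag keeps it in the environment only. In both the Postgres and MySQL jobs the secret values `$USERNAME`, `$PASSWORD` and `$DATABASE` are expanded unquoted into SQL text by `sh -c`, so a value containing `'` or `;` breaks the statement or changes its meaning; for the Postgres job psql's `-v pw="$PASSWORD"` with `:'pw'` interpolation keeps the value out of the statement text, and the MySQL job needs equivalent escaping. Finally, the `sleep 10s` at the start of each script is a fixed wait rather than a readiness check, so a slow database still makes the first attempt fail; a short `pg_isready` / `mysqladmin ping` retry loop would be more robust.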
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "init-dbs.fullname" $ }}-postgres
+ labels:
+ {{- include "init-dbs.labels" $ | nindent 4 }}
+type: Opaque
+stringData:
+ username: {{ .Values.postgres.username }}
+ password: {{ .Values.postgres.password }}
+ {{- range .Values.postgres.databases }}
+ {{ .database }}-database: {{ .database }}
+ {{ .database }}-username: {{ .username }}
+ {{ .database }}-password: {{ .password }}
+ {{- end }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "init-dbs.fullname" $ }}-mysql
+ labels:
+ {{- include "init-dbs.labels" $ | nindent 4 }}
+type: Opaque
+stringData:
+ username: {{ .Values.mysql.username }}
+ password: {{ .Values.mysql.password }}
+ {{- range .Values.mysql.databases }}
+ {{ .database }}-database: {{ .database }}
+ {{ .database }}-username: {{ .username }}
+ {{ .database }}-password: {{ .password }}
+ {{- end }}
diff --git a/proxmox/k8s/helmfile.d/charts/init-dbs/values.yaml b/proxmox/k8s/helmfile.d/charts/init-dbs/values.yaml
new file mode 100644
index 0000000..2c53126
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/charts/init-dbs/values.yaml
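Review bot: The `username:` and `password:` entries under `stringData` in both Secrets are rendered unquoted, so a configured value such as `0123`, `1e3`, `true` or `null` is re-typed by the YAML parser and the Secret either fails validation (`stringData` values must be strings) or stores something other than what was configured; the per-database lines `{{ .database }}-username: {{ .username }}` and `{{ .database }}-password: {{ .password }}` have the same problem. Piping each value through `quote` fixes it, e.g. `password: {{ .Values.postgres.password | quote }}`. A comment above the first Secret would also help, noting that these credentials are additionally persisted in the Helm release record (visible through `helm get values`), so the values file that supplies them needs the same handling as the rendered Secrets.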
@@ -0,0 +1,36 @@
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+postgres:
+ image:
+ ref: postgres
+ # This sets the pull policy for images.
+ pullPolicy: IfNotPresent
+ host: ""
+ username: postgres
+ password: ""
+ databases:
+ - database: test
+ username: test
+ password: test
+ - database: test1
+ username: test1
+ password: test1
+mysql:
+ image:
+ ref: mysql
+ # This sets the pull policy for images.
+ pullPolicy: IfNotPresent
+ host: ""
+ username: root
+ password: ""
+ databases:
+ - database: test
+ username: test
+ password: test
+ - database: test1
+ username: test1
+ password: test1
diff --git a/proxmox/k8s/helmfile.d/values/argo-cd/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/argo-cd/values.yaml.gotmpl
new file mode 100644
index 0000000..f89abd7
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/argo-cd/values.yaml.gotmpl
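Review bot: The chart defaults ship two live entries under each of `postgres.databases` and `mysql.databases` (`test` and `test1`, each with a password equal to its username), so installing the chart with only `host` and the admin `password` overridden creates those accounts on the real database server; the defaults should be `databases: []`, with the sample entries kept only as a commented example. `ref: postgres` and `ref: mysql` carry no tag and therefore resolve to `latest`, which makes the init jobs non-reproducible and lets the client version drift independently of the server it talks to; pin a tag or digest for both. A one-line comment on each `password: ""` saying it is the superuser/root credential the jobs connect with and is expected to come from a values override, never from this file, would make the intent explicit.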
@@ -0,0 +1,4190 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + defaultStorageClass: {{ .Values.globals.argocd.storageClass }} + storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param clusterDomain Kubernetes cluster domain name +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] +## @section Argo CD image parameters + +## Bitnami Argo CD image +## ref: https://hub.docker.com/r/bitnami/argo-cd/tags/ +## @param image.registry [default: REGISTRY_NAME] Argo CD image registry +## @param image.repository [default: REPOSITORY_NAME/argo-cd] Argo CD image repository +## @skip image.tag Argo CD image tag (immutable tags are recommended) +## @param image.digest Argo CD image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Argo CD image pull policy +## @param image.pullSecrets Argo CD image pull secrets +## @param image.debug Enable Argo CD image debug mode +## +image: + registry: docker.io + repository: bitnami/argo-cd + tag: 2.13.4-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false +## @section Argo CD application controller parameters + +## Argo CD Controller +## +controller: + ## @param controller.kind Kind to deploy ArgoCD application controller in. + ## Use either StatefulSet or Deployment (default). StatefulSet is required when running in HA mode. + ## ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/high_availability/ + ## + kind: Deployment + ## @param controller.replicaCount Number of Argo CD replicas to deploy + ## + replicaCount: 1 + ## Configure extra options for Argo CD containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param controller.startupProbe.enabled Enable startupProbe on Argo CD nodes + ## @param controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param controller.startupProbe.periodSeconds Period seconds for startupProbe + ## @param controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param controller.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param controller.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param controller.livenessProbe.enabled Enable livenessProbe on Argo CD nodes + ## @param controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param controller.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param controller.livenessProbe.failureThreshold Failure threshold for 
livenessProbe + ## @param controller.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param controller.readinessProbe.enabled Enable readinessProbe on Argo CD nodes + ## @param controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param controller.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param controller.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param controller.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param controller.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param controller.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param controller.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Argo CD resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param controller.podSecurityContext.enabled Enabled Argo CD pods' Security Context + ## @param controller.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param controller.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param controller.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param controller.podSecurityContext.fsGroup Set Argo CD pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param controller.containerSecurityContext.enabled Enabled Argo CD containers' Security Context + ## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param controller.containerSecurityContext.runAsUser Set Argo CD containers' Security Context runAsUser + ## @param controller.containerSecurityContext.runAsGroup Set Argo CD containers' Security Context runAsGroup + ## @param controller.containerSecurityContext.allowPrivilegeEscalation Set Argo CD containers' Security Context allowPrivilegeEscalation + ## @param controller.containerSecurityContext.capabilities.drop Set Argo CD 
containers' Security Context capabilities to be dropped + ## @param controller.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' Security Context readOnlyRootFilesystem + ## @param controller.containerSecurityContext.runAsNonRoot Set Argo CD container's Security Context runAsNonRoot + ## @param controller.containerSecurityContext.privileged Set controller container's Security Context privileged + ## @param controller.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## ServiceAccount configuration for the Argo CD application controller + ## + serviceAccount: + ## @param controller.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param controller.serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param controller.serviceAccount.automountServiceAccountToken Automount service account token for the application controller service account + ## + automountServiceAccountToken: false + ## @param controller.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## Enable admin clusterrole resources. 
Allows to Argo CD to deploy to the K8s cluster + ## @param controller.clusterAdminAccess Enable K8s cluster admin access for the application controller + ## + clusterAdminAccess: true + ## Enable Custom Rules for the Application Controller cluster role + ## @param controller.clusterRoleRules Use custom rules for the application controller's cluster role + ## + clusterRoleRules: [] + ## Argo CD application controller log format: text|json + ## @param controller.logFormat Format for the Argo CD application controller logs. Options: [text, json] + ## + logFormat: text + ## Argo CD application controller log level + ## @param controller.logLevel Log level for the Argo CD application controller + ## + logLevel: info + ## Argo CD application controller ports + ## @param controller.containerPorts.metrics Argo CD application controller metrics port number + containerPorts: + metrics: 8082 + ## Argo CD application controller service parameters + ## + service: + ## @param controller.service.type Argo CD service type + ## + type: ClusterIP + ## @param controller.service.ports.metrics Argo CD application controller service port + ## + ports: + metrics: 8082 + ## Node ports to expose + ## @param controller.service.nodePorts.metrics Node port for Argo CD application controller service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param controller.service.clusterIP Argo CD application controller service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param controller.service.loadBalancerIP Argo CD application controller service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param controller.service.loadBalancerSourceRanges Argo CD application controller service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + 
## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param controller.service.externalTrafficPolicy Argo CD application controller service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param controller.service.annotations Additional custom annotations for Argo CD application controller service + ## + annotations: {} + ## @param controller.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param controller.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param controller.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param controller.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param controller.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param controller.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param controller.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param controller.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param controller.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param controller.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param controller.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## Metrics configuration for Argo CD application controller + ## + metrics: + ## @param controller.metrics.enabled Enable Argo CD application controller metrics + ## + enabled: true + service: + ## @param controller.metrics.service.type Argo CD application controller service type + ## + type: ClusterIP + ## @param controller.metrics.service.ports.metrics Argo CD application controller metrics service port + ## + ports: + metrics: 8082 + ## Node ports to expose + ## @param controller.metrics.service.nodePorts.metrics Node port for the application controller service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param 
controller.metrics.service.clusterIP Argo CD application controller metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param controller.metrics.service.loadBalancerIP Argo CD application controller service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param controller.metrics.service.loadBalancerSourceRanges Argo CD application controller service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param controller.metrics.service.externalTrafficPolicy Argo CD application controller service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param controller.metrics.service.annotations Additional custom annotations for Argo CD application controller service + ## + annotations: {} + ## @param controller.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param controller.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Argo CD application controller metrics service monitor configuration + ## + serviceMonitor: + ## @param controller.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param 
controller.metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## e.g: + ## namespace: monitoring + ## + namespace: "" + ## @param controller.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param controller.metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + ## @param controller.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: 10s + ## @param controller.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param controller.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param controller.metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param controller.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Rules for PrometheusRule object if enabled + ## + ## E.g. 
+ ## @param controller.metrics.rules.enabled Enable render extra rules for PrometheusRule object + ## @param controller.metrics.rules.spec Rules to render into the PrometheusRule object + ## @param controller.metrics.rules.selector Selector for the PrometheusRule object + ## @param controller.metrics.rules.namespace Namespace where to create the PrometheusRule object + ## @param controller.metrics.rules.additionalLabels Additional lables to add to the PrometheusRule object + ## + rules: + enabled: false + ## E.g + ## - alert: ArgoAppMissing + ## expr: | + ## absent(argocd_app_info) + ## for: 15m + ## labels: + ## severity: critical + ## annotations: + ## summary: "[ArgoCD] No reported applications" + ## description: > + ## ArgoCD has not reported any applications data for the past 15 minutes which + ## means that it must be down or not functioning properly. This needs to be + ## resolved for this cloud to continue to maintain state. + ## - alert: ArgoAppNotSynced + ## expr: | + ## argocd_app_info{sync_status!="Synced"} == 1 + ## for: 12h + ## labels: + ## severity: warning + ## annotations: + ## summary: "[{{`{{ $labels.name }}`}}] Application not synchronized" + ## description: > + ## The application [{{`{{ $labels.name }}`}} has not been synchronized for over + ## 12 hours which means that the state of this cloud has drifted away from the + ## state inside Git. 
+ ## + spec: [] + ## E.g + ## selector: + ## prometheus: kube-prometheus + ## + selector: {} + namespace: monitoring + additionalLabels: {} + ## @param controller.command Override default container command (useful when using custom images) + ## + command: [] + ## Arguments that will be used by default for the application controller + ## @param controller.defaultArgs.statusProcessors Default status processors for Argo CD controller + ## @param controller.defaultArgs.operationProcessors Default operation processors for Argo CD controller + ## @param controller.defaultArgs.appResyncPeriod Default application resync period for Argo CD controller + ## @param controller.defaultArgs.selfHealTimeout Default self heal timeout for Argo CD controller + ## + defaultArgs: + statusProcessors: "20" + operationProcessors: "10" + appResyncPeriod: "180" + selfHealTimeout: "5" + ## @param controller.args Override default container args (useful when using custom images). Overrides the defaultArgs. + ## + args: [] + ## @param controller.extraArgs Add extra arguments to the default arguments for the Argo CD controller + ## + extraArgs: [] + ## ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/ + ## + dynamicClusterDistribution: + ## @param controller.dynamicClusterDistribution.enabled Whether dynamic cluster distribution is enabled. + ## + enabled: false + ## @param controller.dynamicClusterDistribution.heartbeatDuration Time to update the cluster sharding (defaults to 10 seconds). 
+ ## ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution/#working-of-dynamic-distribution + ## + heartbeatDuration: "" + ## @param controller.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: true + ## @param controller.hostAliases Argo CD pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param controller.podLabels Extra labels for Argo CD pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param controller.podAnnotations Annotations for Argo CD pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node controller.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param controller.nodeAffinityPreset.key Node label key to match. Ignored if `controller.affinity` is set + ## + key: "" + ## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `controller.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param controller.affinity Affinity for Argo CD pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `controller.podAffinityPreset`, `controller.podAntiAffinityPreset`, and `controller.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param controller.nodeSelector Node labels for Argo CD pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param controller.tolerations Tolerations for Argo CD pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param controller.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param controller.shareProcessNamespace Enable shared process namespace in a pod. + ## If set to false (default), each container will run in separate namespace, controller will have PID=1. + ## If set to true, the /pause will run as init process and will reap any zombie PIDs, + ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. + ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. 
+ ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param controller.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param controller.updateStrategy.type Argo CD statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param controller.priorityClassName Argo CD pods' priorityClassName + ## + priorityClassName: "" + ## @param controller.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param controller.lifecycleHooks for the Argo CD container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param controller.podManagementPolicy podManagementPolicy to manage scaling operation of pods (only in StatefulSet mode) + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## @param controller.extraEnvVars Array with extra environment variables to add to Argo CD nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param controller.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Argo CD nodes + ## + extraEnvVarsCM: "" + ## @param controller.extraEnvVarsSecret Name of existing Secret containing extra env vars for Argo CD nodes + ## + extraEnvVarsSecret: "" + ## @param controller.extraVolumes Optionally specify extra list of additional volumes for the Argo CD pod(s) + ## + extraVolumes: [] + ## @param 
controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Argo CD container(s) + ## + extraVolumeMounts: [] + ## @param controller.sidecars Add additional sidecar containers to the Argo CD pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param controller.initContainers Add additional init containers to the Argo CD pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param controller.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param controller.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param controller.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `controller.pdb.minAvailable` and `controller.pdb.maxUnavailable` are empty. 
+ ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## @section Argo CD ApplicationSet controller parameters + +## ApplicationSet controller +## +applicationSet: + ## @param applicationSet.enabled Enable ApplicationSet controller + ## + enabled: false + ## @param applicationSet.replicaCount The number of ApplicationSet controller pods to run + ## + replicaCount: 1 + ## @param applicationSet.command Override default container command (useful when using custom images) + ## + command: [] + ## Arguments that will be used by default for the application controller + ## @param applicationSet.defaultArgs.enableLeaderElection Enable leader election + ## @param applicationSet.defaultArgs.policy Default policy + ## @param applicationSet.defaultArgs.debug Enable debug mode + ## @param applicationSet.defaultArgs.dryRun Enable dry-run mode + ## + defaultArgs: + enableLeaderElection: false + policy: "sync" + debug: false + dryRun: false + ## @param applicationSet.args Override default container args (useful when using custom images). Overrides the defaultArgs. + ## + args: [] + ## @param applicationSet.extraArgs Add extra arguments to the default arguments for the Argo CD applicationSet controller + ## + extraArgs: [] + ## Argo CD applicationSet controller log format: text|json + ## @param applicationSet.logFormat Format for the Argo CD applicationSet controller logs. 
Options: [text, json] + ## + logFormat: text + ## Argo CD applicationSet controller log level + ## @param applicationSet.logLevel Log level for the Argo CD applicationSet controller + ## + logLevel: info + ## Argo CD applicationSet controller ports + ## @param applicationSet.containerPorts.metrics Argo CD applicationSet controller metrics port number + ## @param applicationSet.containerPorts.probe Argo CD applicationSet controller probe port number + ## + containerPorts: + metrics: 8085 + probe: 8081 + ## Metrics configuration for Argo CD applicationSet controller + ## + metrics: + ## @param applicationSet.metrics.enabled Enable Argo CD applicationSet controller metrics + ## + enabled: false + service: + ## @param applicationSet.metrics.service.type Argo CD applicationSet controller service type + ## + type: ClusterIP + ## @param applicationSet.metrics.service.ports.metrics Argo CD applicationSet controller metrics service port + ## + ports: + metrics: 8085 + ## Node ports to expose + ## @param applicationSet.metrics.service.nodePorts.metrics Node port for the applicationSet controller service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param applicationSet.metrics.service.clusterIP Argo CD applicationSet controller metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param applicationSet.metrics.service.loadBalancerIP Argo CD applicationSet controller service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param applicationSet.metrics.service.loadBalancerSourceRanges Argo CD applicationSet controller service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param 
applicationSet.metrics.service.externalTrafficPolicy Argo CD applicationSet controller service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param applicationSet.metrics.service.annotations Additional custom annotations for Argo CD applicationSet controller service + ## + annotations: {} + ## @param applicationSet.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param applicationSet.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Argo CD applicationSet controller metrics service monitor configuration + ## + serviceMonitor: + ## @param applicationSet.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param applicationSet.metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## e.g: + ## namespace: monitoring + ## + namespace: "" + ## @param applicationSet.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## @param applicationSet.metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + ## @param applicationSet.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: 10s + ## @param applicationSet.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param applicationSet.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param applicationSet.metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param applicationSet.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Argo CD applicationSet controller service parameters + ## + service: + ## @param applicationSet.service.type Argo CD applicationSet controller service type + ## + type: ClusterIP + ## @param applicationSet.service.ports.webhook Argo CD applicationSet controller service port + ## + ports: + webhook: 7000 + ## Node ports to expose + ## @param applicationSet.service.nodePorts.webhook Node port for Argo CD applicationSet controller service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + webhook: "" + ## @param applicationSet.service.clusterIP Argo CD applicationSet controller 
service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param applicationSet.service.loadBalancerIP Argo CD applicationSet controller service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param applicationSet.service.loadBalancerSourceRanges Argo CD applicationSet controller service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param applicationSet.service.externalTrafficPolicy Argo CD applicationSet controller service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param applicationSet.service.annotations Additional custom annotations for Argo CD applicationSet controller service + ## + annotations: {} + ## @param applicationSet.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param applicationSet.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param applicationSet.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param applicationSet.networkPolicy.enabled Specifies whether a NetworkPolicy should be 
created + ## + enabled: true + ## @param applicationSet.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param applicationSet.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param applicationSet.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param applicationSet.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param applicationSet.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param applicationSet.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param applicationSet.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## ServiceAccount configuration for the Argo CD applicationSet controller + ## + serviceAccount: + ## @param 
applicationSet.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param applicationSet.serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param applicationSet.serviceAccount.automountServiceAccountToken Automount service account token for the applicationSet controller service account + ## + automountServiceAccountToken: false + ## @param applicationSet.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## Enable admin clusterrole resources. Allows Argo CD applicationSet controller to have access to multiple namespaces + ## @param applicationSet.clusterAdminAccess Enable K8s cluster admin access for the application controller + ## + clusterAdminAccess: false + ## Enable Custom Rules for Argo CD applicationSet controller cluster role + ## @param applicationSet.clusterRoleRules Use custom rules for Argo CD applicationSet controller's cluster role + ## + clusterRoleRules: [] + ## @param applicationSet.podAffinityPreset Pod affinity preset. Ignored if `applicationSet.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param applicationSet.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `applicationSet.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node applicationSet.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param applicationSet.nodeAffinityPreset.type Node affinity preset type. 
Ignored if `applicationSet.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param applicationSet.nodeAffinityPreset.key Node label key to match. Ignored if `applicationSet.affinity` is set + ## + key: "" + ## @param applicationSet.nodeAffinityPreset.values Node label values to match. Ignored if `applicationSet.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param applicationSet.affinity Affinity for Argo CD applicationSet controller pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `applicationSet.podAffinityPreset`, `applicationSet.podAntiAffinityPreset`, and `applicationSet.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param applicationSet.podAnnotations Annotations for Argo CD applicationSet controller pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param applicationSet.podLabels Extra labels for Argo CD applicationSet controller pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param applicationSet.containerSecurityContext.enabled Enabled Argo CD applicationSet controller containers' Security Context + ## @param applicationSet.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param applicationSet.containerSecurityContext.runAsUser Set Argo CD applicationSet controller containers' Security Context runAsUser + ## @param applicationSet.containerSecurityContext.runAsGroup Set Argo CD applicationSet controller containers' Security Context runAsGroup + ## @param applicationSet.containerSecurityContext.allowPrivilegeEscalation Set Argo CD 
applicationSet controller containers' Security Context allowPrivilegeEscalation + ## @param applicationSet.containerSecurityContext.capabilities.drop Set Argo CD applicationSet controller containers' Security Context capabilities to be dropped + ## @param applicationSet.containerSecurityContext.readOnlyRootFilesystem Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem + ## @param applicationSet.containerSecurityContext.runAsNonRoot Set Argo CD applicationSet controller container's Security Context runAsNonRoot + ## @param applicationSet.containerSecurityContext.privileged Set applicationSet container's Security Context privileged + ## @param applicationSet.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param applicationSet.livenessProbe.enabled Enable livenessProbe on Argo CD applicationSet controller nodes + ## @param applicationSet.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param applicationSet.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param applicationSet.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param applicationSet.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param applicationSet.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param applicationSet.readinessProbe.enabled Enable readinessProbe on Argo CD applicationSet controller nodes + ## @param applicationSet.readinessProbe.initialDelaySeconds Initial 
delay seconds for readinessProbe + ## @param applicationSet.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param applicationSet.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param applicationSet.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param applicationSet.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param applicationSet.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param applicationSet.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Argo CD applicationSet controller resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param applicationSet.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if applicationSet.resources is set (applicationSet.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param applicationSet.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param applicationSet.podSecurityContext.enabled Enabled Argo CD applicationSet controller pods' Security Context + ## @param applicationSet.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param applicationSet.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param applicationSet.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param applicationSet.podSecurityContext.fsGroup Set Argo CD applicationSet controller pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## @param applicationSet.nodeSelector Node labels for Argo CD applicationSet controller pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param applicationSet.tolerations Tolerations for Argo CD applicationSet controller pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param applicationSet.updateStrategy.type Argo CD applicationSet controller statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate 
+ ## @param applicationSet.priorityClassName Argo CD applicationSet controller pods' priorityClassName + ## + priorityClassName: "" + ## @param applicationSet.extraVolumes Optionally specify extra list of additional volumes for the Argo CD applicationSet controller pod(s) + ## + extraVolumes: [] + ## @param applicationSet.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Argo CD applicationSet controller container(s) + ## + extraVolumeMounts: [] + ## @param applicationSet.extraEnvVars Array with extra environment variables to add to Argo CD applicationSet controller nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param applicationSet.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Argo CD applicationSet controller nodes + ## + extraEnvVarsCM: "" + ## @param applicationSet.extraEnvVarsSecret Name of existing Secret containing extra env vars for Argo CD applicationSet controller nodes + ## + extraEnvVarsSecret: "" + ## Webhook for the Git Generator + ## Ref: https://argocd-applicationset.readthedocs.io/en/master/Generators-Git/#webhook-configuration) + ## + webhook: + ingress: + ## @param applicationSet.webhook.ingress.enabled Enable an ingress resource for Webhooks + ## + enabled: false + ## DEPRECATED: Use server.ingress.annotations instead of server.ingress.certManager + ## certManager: false + ## + ## @param applicationSet.webhook.ingress.annotations Additional ingress annotations + ## + annotations: {} + ## @param applicationSet.webhook.ingress.labels Additional ingress labels + ## + labels: {} + ## @param applicationSet.webhook.ingress.ingressClassName Defines which ingress controller will implement the resource + ## + ingressClassName: "" + ## @param applicationSet.webhook.ingress.hostname Ingress hostname for the Argo CD applicationSet ingress + ## Hostname must be provided if Ingress is enabled. 
+ ## + hostname: "" + ## @param applicationSet.webhook.ingress.path Argo CD applicationSet ingress path + ## + path: /api/webhook + ## @param applicationSet.webhook.ingress.pathType Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` + ## + pathType: Prefix + ## @param applicationSet.webhook.ingress.extraHosts Extra hosts array for the Argo CD applicationSet ingress + ## The list of additional hostnames to be covered with this ingress record. + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## + extraHosts: [] + ## @param applicationSet.webhook.ingress.extraPaths Extra paths for the Argo CD applicationSet ingress + ## Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## + extraPaths: [] + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + ## @param applicationSet.webhook.ingress.extraTls Extra TLS configuration for the Argo CD applicationSet ingress + ## The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## + extraTls: [] + ## - hosts: + ## - argocd.server.local + ## secretName: argocd.server.local-tls + ## + ## @param applicationSet.webhook.ingress.tls Ingress TLS configuration + ## + tls: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param applicationSet.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param applicationSet.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param applicationSet.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. 
Defaults to `1` if both `controller.pdb.minAvailable` and `controller.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## @section Argo CD notifications controller parameters + +## notifications controller +## +notifications: + ## @param notifications.enabled Enable notifications controller + ## + enabled: false + ## @param notifications.command Override default container command (useful when using custom images) + ## + command: [] + ## @param notifications.args Override default container args (useful when using custom images). + ## + args: [] + ## @param notifications.extraArgs Add extra arguments to the default arguments for the Argo CD notifications controller + ## + extraArgs: [] + ## @param notifications.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: true + ## Argo CD notifications controller log format: text|json + ## @param notifications.logFormat Format for the Argo CD notifications controller logs. 
Options: [text, json] + ## + logFormat: text + ## Argo CD notifications controller log level + ## @param notifications.logLevel Log level for the Argo CD notifications controller + ## + logLevel: info + ## Argo CD notifications controller ports + ## @param notifications.containerPorts.metrics Argo CD notifications controller metrics port number + ## + containerPorts: + metrics: 8085 + ## Metrics configuration for Argo CD notifications controller + ## + metrics: + ## @param notifications.metrics.enabled Enable Argo CD notifications controller metrics + ## + enabled: false + service: + ## @param notifications.metrics.service.type Argo CD notifications controller service type + ## + type: ClusterIP + ## @param notifications.metrics.service.ports.metrics Argo CD notifications controller metrics service port + ## + ports: + metrics: 8085 + ## Node ports to expose + ## @param notifications.metrics.service.nodePorts.metrics Node port for the notifications controller service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param notifications.metrics.service.clusterIP Argo CD notifications controller metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param notifications.metrics.service.loadBalancerIP Argo CD notifications controller service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param notifications.metrics.service.loadBalancerSourceRanges Argo CD notifications controller service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param notifications.metrics.service.externalTrafficPolicy Argo CD notifications controller service external traffic policy + ## ref 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param notifications.metrics.service.annotations Additional custom annotations for Argo CD notifications controller service + ## + annotations: {} + ## @param notifications.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param notifications.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Argo CD notifications controller metrics service monitor configuration + ## + serviceMonitor: + ## @param notifications.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param notifications.metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## e.g: + ## namespace: monitoring + ## + namespace: "" + ## @param notifications.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## @param notifications.metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + ## @param notifications.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: 10s + ## @param notifications.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param notifications.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param notifications.metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param notifications.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param notifications.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param notifications.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). 
+ ## + allowExternal: true + ## @param notifications.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param notifications.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param notifications.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param notifications.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param notifications.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param notifications.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## ServiceAccount configuration for the Argo CD notifications controller + ## + serviceAccount: + ## @param notifications.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param notifications.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param notifications.serviceAccount.automountServiceAccountToken Automount service account token for the notifications controller service account + ## + automountServiceAccountToken: false + ## @param notifications.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## Enable admin clusterrole resources. Allows Argo CD notifications controller to have access to multiple namespaces + ## @param notifications.clusterAdminAccess Enable K8s cluster admin access for the notifications controller + ## + clusterAdminAccess: false + ## Enable Custom Rules for Argo CD notifications controller cluster role + ## @param notifications.clusterRoleRules Use custom rules for notifications controller's cluster role + ## + clusterRoleRules: [] + ## @param notifications.podAffinityPreset Pod affinity preset. Ignored if `notifications.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param notifications.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `notifications.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node notifications.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param notifications.nodeAffinityPreset.type Node affinity preset type. Ignored if `notifications.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param notifications.nodeAffinityPreset.key Node label key to match. 
Ignored if `notifications.affinity` is set + ## + key: "" + ## @param notifications.nodeAffinityPreset.values Node label values to match. Ignored if `notifications.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param notifications.affinity Affinity for Argo CD notifications controller pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `notifications.podAffinityPreset`, `notifications.podAntiAffinityPreset`, and `notifications.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param notifications.podAnnotations Annotations for Argo CD notifications controller pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param notifications.podLabels Extra labels for Argo CD notifications controller pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param notifications.containerSecurityContext.enabled Enabled Argo CD notifications controller containers' Security Context + ## @param notifications.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param notifications.containerSecurityContext.runAsUser Set Argo CD notifications controller containers' Security Context runAsUser + ## @param notifications.containerSecurityContext.runAsGroup Set Argo CD notifications controller containers' Security Context runAsGroup + ## @param notifications.containerSecurityContext.allowPrivilegeEscalation Set Argo CD notifications controller containers' Security Context allowPrivilegeEscalation + ## @param notifications.containerSecurityContext.capabilities.drop Set Argo CD notifications controller 
containers' Security Context capabilities to be dropped + ## @param notifications.containerSecurityContext.readOnlyRootFilesystem Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem + ## @param notifications.containerSecurityContext.runAsNonRoot Set Argo CD notifications controller container's Security Context runAsNonRoot + ## @param notifications.containerSecurityContext.privileged Set notifications container's Security Context privileged + ## @param notifications.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Argo CD notifications controller resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param notifications.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.resources is set (notifications.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param notifications.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param notifications.podSecurityContext.enabled Enabled Argo CD notifications controller pods' Security Context + ## @param notifications.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param notifications.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param notifications.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param notifications.podSecurityContext.fsGroup Set Argo CD notifications controller pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## @param notifications.nodeSelector Node labels for Argo CD notifications controller pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param notifications.tolerations Tolerations for Argo CD notifications controller pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param notifications.priorityClassName Argo CD notifications controller pods' priorityClassName + ## + priorityClassName: "" + ## @param notifications.extraVolumes Optionally specify extra list of additional volumes for the Argo CD notifications controller pod(s) + ## + extraVolumes: [] + ## @param 
notifications.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Argo CD notifications controller container(s) + ## + extraVolumeMounts: [] + ## @param notifications.extraEnvVars Array with extra environment variables to add to Argo CD notifications controller nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param notifications.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Argo CD notifications controller nodes + ## + extraEnvVarsCM: "" + ## @param notifications.extraEnvVarsSecret Name of existing Secret containing extra env vars for Argo CD notifications controller nodes + ## + extraEnvVarsSecret: "" + ## Configure extra options for Notification containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param notifications.startupProbe.enabled Enable startupProbe on Notification nodes + ## @param notifications.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param notifications.startupProbe.periodSeconds Period seconds for startupProbe + ## @param notifications.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param notifications.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param notifications.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param notifications.livenessProbe.enabled Enable livenessProbe on Notification nodes + ## @param notifications.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param notifications.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param notifications.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param 
notifications.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param notifications.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param notifications.readinessProbe.enabled Enable readinessProbe on Notification nodes + ## @param notifications.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param notifications.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param notifications.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param notifications.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param notifications.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param notifications.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param notifications.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param notifications.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Webhook for the Git Generator + ## Ref: https://argocd-notifications.readthedocs.io/en/master/Generators-Git/#webhook-configuration) + ## + webhook: + ingress: + ## @param notifications.webhook.ingress.enabled Enable an ingress resource for Webhooks + ## + enabled: false + ## DEPRECATED: Use server.ingress.annotations instead of server.ingress.certManager + ## certManager: false + ## + ## @param notifications.webhook.ingress.annotations Additional ingress annotations + ## + annotations: {} + ## @param notifications.webhook.ingress.labels Additional ingress labels + 
## + labels: {} + ## @param notifications.webhook.ingress.ingressClassName Defines which ingress controller will implement the resource + ## + ingressClassName: "" + ## @param notifications.webhook.ingress.hostname Ingress hostname for the Argo CD notifications ingress + ## Hostname must be provided if Ingress is enabled. + ## + hostname: "" + ## @param notifications.webhook.ingress.path Argo CD notifications ingress path + ## + path: /api/webhook + ## @param notifications.webhook.ingress.pathType Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` + ## + pathType: Prefix + ## @param notifications.webhook.ingress.extraHosts Extra hosts array for the Argo CD notifications ingress + ## The list of additional hostnames to be covered with this ingress record. + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## + extraHosts: [] + ## @param notifications.webhook.ingress.extraPaths Extra paths for the Argo CD notifications ingress + ## Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## + extraPaths: [] + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + ## @param notifications.webhook.ingress.extraTls Extra TLS configuration for the Argo CD notifications ingress + ## The tls configuration for additional hostnames to be covered with this ingress record. 
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## + extraTls: [] + ## - hosts: + ## - argocd.server.local + ## secretName: argocd.server.local-tls + ## + ## @param notifications.webhook.ingress.tls Ingress TLS configuration + ## + tls: [] + ## The optional bot component simplifies managing subscriptions + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/bots/overview/ + bots: + slack: + ## @param notifications.bots.slack.enabled Enable notifications controller + ## + enabled: false + ## @param notifications.bots.slack.command Override default container command (useful when using custom images) + ## + command: [] + ## @param notifications.bots.slack.args Override default container args (useful when using custom images). + ## + args: [] + ## @param notifications.bots.slack.extraArgs Add extra arguments to the default arguments for the Argo CD Slack bot + ## + extraArgs: [] + ## Argo CD Slack bot service parameters + ## + service: + ## @param notifications.bots.slack.service.type Argo CD Slack bot service type + ## + type: LoadBalancer + ## @param notifications.bots.slack.service.ports.http Argo CD Slack bot service port + ## + ports: + http: 80 + ## Node ports to expose + ## @param notifications.bots.slack.service.nodePorts.http Node port for Argo CD Slack bot service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + ## @param notifications.bots.slack.service.clusterIP Argo CD Slack bot service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param notifications.bots.slack.service.loadBalancerIP Argo CD Slack bot service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param notifications.bots.slack.service.loadBalancerSourceRanges Argo CD Slack bot service Load Balancer sources + ## ref: 
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param notifications.bots.slack.service.externalTrafficPolicy Argo CD Slack bot service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param notifications.bots.slack.service.annotations Additional custom annotations for Argo CD Slack bot service + ## + annotations: {} + ## @param notifications.bots.slack.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param notifications.bots.slack.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param notifications.bots.slack.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param notifications.bots.slack.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param notifications.bots.slack.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). 
+ ## + allowExternal: true + ## @param notifications.bots.slack.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param notifications.bots.slack.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param notifications.bots.slack.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param notifications.bots.slack.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param notifications.bots.slack.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param notifications.bots.slack.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## ServiceAccount configuration for the Argo CD Slack bot + ## + serviceAccount: + ## @param notifications.bots.slack.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param notifications.bots.slack.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param notifications.bots.slack.serviceAccount.automountServiceAccountToken Automount service account token for the notifications controller service account + ## + automountServiceAccountToken: false + ## @param notifications.bots.slack.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## @param notifications.bots.slack.podAffinityPreset Pod affinity preset. Ignored if `notifications.bots.slack.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param notifications.bots.slack.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `notifications.bots.slack.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node notifications.bots.slack.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param notifications.bots.slack.nodeAffinityPreset.type Node affinity preset type. Ignored if `notifications.bots.slack.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param notifications.bots.slack.nodeAffinityPreset.key Node label key to match. Ignored if `notifications.bots.slack.affinity` is set + ## + key: "" + ## @param notifications.bots.slack.nodeAffinityPreset.values Node label values to match. Ignored if `notifications.bots.slack.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## Argo CD Slack Bot controller ports + ## @param notifications.bots.slack.containerPorts.metrics Slack Bot controller metrics port number + ## + containerPorts: + metrics: 9001 + ## Configure extra options for Slack Bot containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param notifications.bots.slack.startupProbe.enabled Enable startupProbe on Slack Bot nodes + ## @param notifications.bots.slack.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param notifications.bots.slack.startupProbe.periodSeconds Period seconds for startupProbe + ## @param notifications.bots.slack.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param notifications.bots.slack.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param notifications.bots.slack.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param notifications.bots.slack.livenessProbe.enabled Enable livenessProbe on Slack Bot nodes + ## @param notifications.bots.slack.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param notifications.bots.slack.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param notifications.bots.slack.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param notifications.bots.slack.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param notifications.bots.slack.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param 
notifications.bots.slack.readinessProbe.enabled Enable readinessProbe on Slack Bot nodes + ## @param notifications.bots.slack.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param notifications.bots.slack.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param notifications.bots.slack.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param notifications.bots.slack.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param notifications.bots.slack.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param notifications.bots.slack.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param notifications.bots.slack.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param notifications.bots.slack.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param notifications.bots.slack.affinity Affinity for Argo CD Slack bot pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `notifications.bots.slack.podAffinityPreset`, `notifications.bots.slack.podAntiAffinityPreset`, and `notifications.bots.slack.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param notifications.bots.slack.podAnnotations Annotations for Argo CD Slack bot pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param notifications.bots.slack.podLabels Extra labels for Argo CD Slack bot pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## 
Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param notifications.bots.slack.containerSecurityContext.enabled Enabled Argo CD Slack bot containers' Security Context + ## @param notifications.bots.slack.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param notifications.bots.slack.containerSecurityContext.runAsUser Set Argo CD Slack bot containers' Security Context runAsUser + ## @param notifications.bots.slack.containerSecurityContext.runAsGroup Set Argo CD Slack bot containers' Security Context runAsGroup + ## @param notifications.bots.slack.containerSecurityContext.allowPrivilegeEscalation Set Argo CD Slack bot containers' Security Context allowPrivilegeEscalation + ## @param notifications.bots.slack.containerSecurityContext.capabilities.drop Set Argo CD Slack bot containers' Security Context capabilities to be dropped + ## @param notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem + ## @param notifications.bots.slack.containerSecurityContext.runAsNonRoot Set Argo CD Slack bot container's Security Context runAsNonRoot + ## @param notifications.bots.slack.containerSecurityContext.privileged Set notifications container's Security Context privileged + ## @param notifications.bots.slack.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Argo CD Slack bot resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## 
@param notifications.bots.slack.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.bots.slack.resources is set (notifications.bots.slack.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param notifications.bots.slack.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param notifications.bots.slack.podSecurityContext.enabled Enabled Argo CD Slack bot pods' Security Context
+ ## @param notifications.bots.slack.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param notifications.bots.slack.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param notifications.bots.slack.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param notifications.bots.slack.podSecurityContext.fsGroup Set Argo CD Slack bot pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+ ## @param notifications.bots.slack.nodeSelector Node labels for Argo CD Slack bot pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param notifications.bots.slack.tolerations Tolerations for Argo CD Slack bot pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ 
tolerations: []
+ ## @param notifications.bots.slack.priorityClassName Argo CD Slack bot pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param notifications.bots.slack.extraVolumes Optionally specify extra list of additional volumes for the Argo CD Slack bot pod(s)
+ ##
+ extraVolumes: []
+ ## @param notifications.bots.slack.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Argo CD Slack bot container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param notifications.bots.slack.extraEnvVars Array with extra environment variables to add to Argo CD Slack bot nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param notifications.bots.slack.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Argo CD Slack bot nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param notifications.bots.slack.extraEnvVarsSecret Name of existing Secret containing extra env vars for Argo CD Slack bot nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
+ ## @param notifications.pdb.create Enable/disable a Pod Disruption Budget creation
+ ## @param notifications.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+ ## @param notifications.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `notifications.pdb.minAvailable` and `notifications.pdb.maxUnavailable` are empty. 
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
+## @section Argo CD server Parameters
+
+## Argo CD server configuration
+##
+server:
+ ## @param server.replicaCount Number of Argo CD server replicas to deploy
+ ##
+ replicaCount: 1
+ ## Configure extra options for Argo CD server containers' liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ## @param server.startupProbe.enabled Enable startupProbe on Argo CD server nodes
+ ## @param server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param server.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param server.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param server.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param server.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param server.livenessProbe.enabled Enable livenessProbe on Argo CD server nodes
+ ## @param server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param server.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param server.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param server.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param server.readinessProbe.enabled Enable readinessProbe on Argo CD server nodes
+ ## @param server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param 
server.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param server.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param server.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param server.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param server.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param server.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## Argo CD server resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param server.podSecurityContext.enabled Enabled Argo CD server pods' Security Context
+ ## @param server.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param server.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param server.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param server.podSecurityContext.fsGroup Set Argo CD server pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param server.containerSecurityContext.enabled Enabled Argo CD server containers' Security Context
+ ## @param server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param server.containerSecurityContext.runAsUser Set Argo CD server containers' Security Context runAsUser
+ ## @param server.containerSecurityContext.runAsGroup Set Argo CD server containers' Security Context runAsGroup
+ ## @param server.containerSecurityContext.allowPrivilegeEscalation Set Argo CD server containers' Security Context allowPrivilegeEscalation
+ ## @param server.containerSecurityContext.capabilities.drop Set Argo CD 
containers' server Security Context capabilities to be dropped
+ ## @param server.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' server Security Context readOnlyRootFilesystem
+ ## @param server.containerSecurityContext.runAsNonRoot Set Argo CD server containers' Security Context runAsNonRoot
+ ## @param server.containerSecurityContext.privileged Set server container's Security Context privileged
+ ## @param server.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## Argo CD server deployment autoscaling
+ ## @param server.autoscaling.enabled Enable Argo CD server deployment autoscaling
+ ## @param server.autoscaling.minReplicas Argo CD server deployment autoscaling minimum number of replicas
+ ## @param server.autoscaling.maxReplicas Argo CD server deployment autoscaling maximum number of replicas
+ ## @param server.autoscaling.targetCPU Argo CD server deployment autoscaling target CPU percentage
+ ## @param server.autoscaling.targetMemory Argo CD server deployment autoscaling target CPU memory
+ ##
+ autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPU: 50
+ targetMemory: 50
+ ## Redirect all request to https
+ ## @param server.insecure Disable HTTPS redirection for Argo CD server
+ ##
+ insecure: false
+ ## @param server.logFormat ArgoCD server logs format. 
Options: [text, json]
+ ##
+ logFormat: text
+ ## @param server.logLevel ArgoCD server logs level
+ ##
+ logLevel: info
+ ## Argo CD server enable config
+ ## @param server.configEnabled Enable Argo CD server config
+ ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
+ ##
+ configEnabled: true
+ ## Argo CD server URL
+ ## @param server.url Argo CD server base URL. Required when configuring SSO. Required when enabling dex.
+ ##
+ url: ""
+ ## Argo CD server config. This object will be directly rendered
+ ## @param server.config [object] Argo CD server configuration that will end on the argocd-cm Config Map
+ ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/
+ ## E.g:
+ ## repositories:
+ ## - url: git@github.com:group/repo.git
+ ## sshPrivateKeySecret:
+ ## name: secret-name
+ ## key: sshPrivateKey
+ ## - type: helm
+ ## url: https://charts.helm.sh/stable
+ ## name: stable
+ ## - type: helm
+ ## url: https://argoproj.github.io/argo-helm
+ ## name: argo
+ ## oidc.config:
+ ## name: AzureAD
+ ## issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+ ## clientID: CLIENT_ID
+ ## clientSecret: $oidc.azuread.clientSecret
+ ## requestedIDTokenClaims:
+ ## groups:
+ ## essential: true
+ ## requestedScopes:
+ ## - openid
+ ## - profile
+ ## - email
+ ## dex.config:
+ ## connectors:
+ ## # GitHub example
+ ## - type: github
+ ## id: github
+ ## name: GitHub
+ ## config:
+ ## clientID: aabbccddeeff00112233
+ ## clientSecret: $dex.github.clientSecret
+ ## orgs:
+ ## - name: your-github-org
+ config:
+ ## Argo CD external base URL. Required when configuring SSO. Required when enabling dex. 
+ ## E.g:
+ ## url: https://argocd.example.com
+ ##
+ url: "{{ `{{ .Values.server.url }}` }}"
+ ## Argo CD instance label key
+ ##
+ application.instanceLabelKey: argocd.argoproj.io/instance
+ ## If Dex is enabled you need to add connectors here
+ ## dex.config: |
+ ## connectors: []
+ ##
+ dex.config: ""
+ ## Configure the ingress for the Argo CD server
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ ## @param server.ingress.enabled Enable the creation of an ingress for the Argo CD server
+ ## @param server.ingress.pathType Path type for the Argo CD server ingress
+ ## @param server.ingress.apiVersion Ingress API version for the Argo CD server ingress
+ ## @param server.ingress.hostname Ingress hostname for the Argo CD server ingress
+ ## @param server.ingress.annotations Annotations for the Argo CD server ingress. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## @param server.ingress.tls Enable TLS for the Argo CD server ingress
+ ## @param server.ingress.extraHosts Extra hosts array for the Argo CD server ingress
+ ## @param server.ingress.path Path array for the Argo CD server ingress
+ ## @param server.ingress.extraPaths Extra paths for the Argo CD server ingress
+ ## @param server.ingress.extraTls Extra TLS configuration for the Argo CD server ingress
+ ## @param server.ingress.secrets Secrets array to mount into the Ingress
+ ## @param server.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ##
+ ingress:
+ ## Set to true to enable ingress record generation
+ ##
+ enabled: true
+ ## @param server.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## DEPRECATED: Use server.ingress.annotations instead of server.ingress.certManager
+ ## certManager: false
+ ##
+
+ ## Ingress Path type
+ ##
+ pathType: ImplementationSpecific
+ ## Override API Version 
(automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## When the ingress is enabled, a host pointing to this will be created
+ ##
+ hostname: {{ .Values.globals.argocd.hostname }}
+ ## The Path to Argo CD server. You may need to set this to '/*' in order to use this
+ ## with ALB ingress controllers.
+ ##
+ path: /
+ ## For a full list of possible ingress annotations, please see
+ ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ##
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations:
+ kubernetes.io/ingress.class: {{ .Values.globals.argocd.ingressClass }}
+ cert-manager.io/cluster-issuer: {{ .Values.globals.certs.issuerName }}
+ ## Enable TLS configuration for the hostname defined at ingress.hostname parameter
+ ## You can use the ingress.secrets parameter to create this TLS secret or rely on cert-manager to create it
+ ##
+ tls: true
+ ## The list of additional hostnames to be covered with this ingress record.
+ ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
+ extraHosts: []
+ ## - name: argocd.server.local
+ ## path: /
+ ##
+
+ ## Any additional arbitrary paths that may need to be added to the ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ extraPaths: []
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+
+ ## The tls configuration for additional hostnames to be covered with this ingress record. 
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ extraTls: []
+ ## - hosts:
+ ## - argocd.server.local
+ ## secretName: argocd.server.local-tls
+ ##
+
+ ## If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## REDACTED
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ##
+ secrets: []
+ ## - name: argocd.server.local-tls
+ ## key:
+ ## certificate:
+ ##
+
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: {{ .Values.globals.argocd.ingressClass }}
+ ## @param server.ingress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: example.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: example-svc
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+ ## Metrics configuration for Argo CD server
+ ##
+ metrics:
+ ## Enable metrics for Argo CD server
+ ## @param server.metrics.enabled Enable metrics for the Argo CD server
+ ##
+ enabled: true
+ service:
+ ## @param server.metrics.service.type Argo CD server service type
+ ##
+ type: ClusterIP
+ ## @param server.metrics.service.ports.metrics Argo CD server metrics service port
+ ##
+ ports:
+ metrics: 8083
+ ## Node ports to expose
+ ## @param server.metrics.service.nodePorts.metrics Node port for Argo CD server metrics service
+ ## NOTE: choose port 
between <30000-32767>
+ ##
+ nodePorts:
+ metrics: ""
+ ## @param server.metrics.service.clusterIP Argo CD server metrics service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param server.metrics.service.loadBalancerIP Argo CD server service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param server.metrics.service.loadBalancerSourceRanges Argo CD server service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param server.metrics.service.externalTrafficPolicy Argo CD server service external traffic policy
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param server.metrics.service.annotations Additional custom annotations for Argo CD server service
+ ##
+ annotations: {}
+ ## @param server.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param server.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ sessionAffinityConfig: {}
+ ## Argo CD server metrics service monitor configuration
+ ##
+ serviceMonitor:
+ ## @param server.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+ ## @param server.metrics.serviceMonitor.namespace Namespace which Prometheus is 
running in
+ ## e.g:
+ ## namespace: monitoring
+ ##
+ namespace: ""
+ ## @param server.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## @param server.metrics.serviceMonitor.interval Interval at which metrics should be scraped
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: 30s
+ ## @param server.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: 10s
+ ## @param server.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ ## @param server.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings: []
+ ## @param server.metrics.serviceMonitor.selector ServiceMonitor selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ ## selector:
+ ## prometheus: my-prometheus
+ ##
+ selector: {}
+ ## @param server.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
+ ##
+ honorLabels: false
+ ## Configure the ingress resource that allows you to access the Argo CD gRPC API
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
+ ## @param server.ingressGrpc.enabled Enable the creation of an ingress for the Argo CD gRPC server
+ ## @param server.ingressGrpc.pathType Path type for the Argo CD gRPC server ingress
+ ## @param 
server.ingressGrpc.apiVersion Ingress API version for the Argo CD gRPC server ingress
+ ## @param server.ingressGrpc.hostname Ingress hostname for the Argo CD gRPC server ingress
+ ## @param server.ingressGrpc.annotations Annotations for the Argo CD gRPC server ingress. To enable certificate autogeneration, place here your cert-manager annotations
+ ## @param server.ingressGrpc.tls Enable TLS for the Argo CD server ingress
+ ## @param server.ingressGrpc.extraHosts Extra hosts array for the Argo CD gRPC server ingress
+ ## @param server.ingressGrpc.path Path array for the Argo CD gRPC server ingress
+ ## @param server.ingressGrpc.extraPaths Extra paths for the Argo CD gRPC server ingress
+ ## @param server.ingressGrpc.extraTls Extra TLS configuration for the Argo CD gRPC server ingress
+ ## @param server.ingressGrpc.secrets Secrets array to mount into the Ingress
+ ## @param server.ingressGrpc.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ##
+ ingressGrpc:
+ ## Set to true to enable ingress record generation
+ ##
+ enabled: false
+ ## @param server.ingressGrpc.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## DEPRECATED: Use server.ingressGrpc.annotations instead of server.ingressGrpc.certManager
+ ## certManager: false
+ ##
+
+ ## Ingress Path type
+ ##
+ pathType: ImplementationSpecific
+ ## Override API Version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## When the ingress is enabled, a host pointing to this will be created
+ ##
+ hostname: argocd.server.local
+ ## The Path to Argo CD server gRPC API. You may need to set this to '/*' in order to use this
+ ## with ALB ingress controllers. 
+ ##
+ path: /
+ ## For a full list of possible ingress annotations, please see
+ ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ##
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: {}
+ ## Enable TLS configuration for the hostname defined at ingress.hostname parameter
+ ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
+ ##
+ tls: false
+ ## The list of additional hostnames to be covered with this ingress record.
+ ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
+ extraHosts: []
+ ## - name: argocd.server.local
+ ## path: /
+ ##
+
+ ## Any additional arbitrary paths that may need to be added to the ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ extraPaths: []
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+
+ ## The tls configuration for additional hostnames to be covered with this ingress record. 
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ extraTls: []
+ ## - hosts:
+ ## - argocd.server.local
+ ## secretName: argocd.server.local-tls
+ ##
+
+ ## If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## REDACTED
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ##
+ secrets: []
+ ## - name: argocd.server.local-tls
+ ## key:
+ ## certificate:
+ ##
+
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param server.ingressGrpc.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: example.server.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: example-svc
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+ ## Argo CD server container port
+ ## @param server.containerPorts.http Argo CD server HTTP container port
+ ## @param server.containerPorts.https Argo CD server HTTPS container port
+ ## @param server.containerPorts.metrics Argo CD server metrics container port
+ containerPorts:
+ http: 8080
+ https: 8443
+ metrics: 8083
+ ## Argo CD server service parameters
+ ##
+ service:
+ ## @param server.service.type Argo CD service type
+ ##
+ type: ClusterIP
+ ## @param server.service.ports.http HTTP port for the gRPC ingress when enabled
+ ## @param server.service.ports.https HTTPS port 
for the gRPC ingress when enabled
+ ##
+ ports:
+ http: 80
+ https: 443
+ ## Node ports to expose
+ ## @param server.service.nodePorts.http Node port for HTTP
+ ## @param server.service.nodePorts.https Node port for HTTPS
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ http: ""
+ https: ""
+ ## @param server.service.clusterIP Argo CD service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param server.service.loadBalancerIP Argo CD service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param server.service.loadBalancerSourceRanges Argo CD service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param server.service.externalTrafficPolicy Argo CD service external traffic policy
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param server.service.annotations Additional custom annotations for Argo CD service
+ ##
+ annotations: {}
+ ## @param server.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param server.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param server.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ sessionAffinityConfig: {}
+ ## Network Policies
+ ## Ref: 
https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param server.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param server.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param server.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param server.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param server.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param server.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ 
ingressNSPodMatchLabels: {}
+ ## @param server.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param server.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param server.extraArgs concat to the default args
+ ##
+ extraArgs: []
+ ## @param server.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
+ ## @param server.hostAliases Argo CD server pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param server.podLabels Extra labels for Argo CD server pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param server.podAnnotations Annotations for Argo CD server pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param server.podAffinityPreset Pod affinity preset. Ignored if `server.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param server.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `server.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node server.affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param server.nodeAffinityPreset.type Node affinity preset type. Ignored if `server.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param server.nodeAffinityPreset.key Node label key to match. 
Ignored if `server.affinity` is set + ## + key: "" + ## @param server.nodeAffinityPreset.values Node label values to match. Ignored if `server.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param server.affinity Affinity for Argo CD server pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `server.podAffinityPreset`, `server.podAntiAffinityPreset`, and `server.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param server.nodeSelector Node labels for Argo CD server pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param server.tolerations Tolerations for Argo CD server pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param server.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param server.shareProcessNamespace Enable shared process namespace in a pod. + ## If set to false (default), each container will run in separate namespace, server will have PID=1. + ## If set to true, the /pause will run as init process and will reap any zombie PIDs, + ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. + ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. 
+ ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param server.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param server.updateStrategy.type Argo CD server statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param server.priorityClassName Argo CD server pods' priorityClassName + ## + priorityClassName: "" + ## @param server.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param server.lifecycleHooks for the Argo CD server container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param server.extraEnvVars Array with extra environment variables to add to Argo CD server nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param server.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Argo CD server nodes + ## + extraEnvVarsCM: "" + ## @param server.extraEnvVarsSecret Name of existing Secret containing extra env vars for Argo CD server nodes + ## + extraEnvVarsSecret: "" + ## @param server.extraVolumes Optionally specify extra list of additional volumes for the Argo CD server pod(s) + ## + extraVolumes: [] + ## @param server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Argo CD server container(s) + ## + extraVolumeMounts: [] + ## @param server.sidecars Add additional sidecar containers to the Argo CD server pod(s) + ## e.g: + ## sidecars: + 
## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param server.initContainers Add additional init containers to the Argo CD server pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## ServiceAccount configuration for the Argo CD server + ## + serviceAccount: + ## @param server.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param server.serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param server.serviceAccount.automountServiceAccountToken Automount service account token for the server service account + ## + automountServiceAccountToken: false + ## @param server.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## Enable admin clusterrole resources. 
Allows Argo CD server to have access to multiple namespaces + ## @param server.clusterAdminAccess Enable K8s cluster admin access for the server + ## + clusterAdminAccess: true + ## Enable Custom Rules for Argo CD server cluster role + ## @param server.clusterRoleRules Use custom rules for server's cluster role + ## + clusterRoleRules: [] + + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param server.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param server.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param server.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `server.pdb.minAvailable` and `server.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## @section Argo CD repo server Parameters + +## Argo CD repository server configuration +## +repoServer: + ## @param repoServer.replicaCount Number of Argo CD repo server replicas to deploy + ## + replicaCount: 1 + ## Configure extra options for Argo CD repo server containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param repoServer.startupProbe.enabled Enable startupProbe on Argo CD repo server nodes + ## @param repoServer.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param repoServer.startupProbe.periodSeconds Period seconds for startupProbe + ## @param repoServer.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param repoServer.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param repoServer.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + 
successThreshold: 1 + ## @param repoServer.livenessProbe.enabled Enable livenessProbe on Argo CD repo server nodes + ## @param repoServer.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param repoServer.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param repoServer.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param repoServer.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param repoServer.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param repoServer.readinessProbe.enabled Enable readinessProbe on Argo CD repo server nodes + ## @param repoServer.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param repoServer.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param repoServer.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param repoServer.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param repoServer.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param repoServer.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param repoServer.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param repoServer.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Argo CD repo server resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param repoServer.resourcesPreset Set container 
resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if repoServer.resources is set (repoServer.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param repoServer.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param repoServer.podSecurityContext.enabled Enabled Argo CD repo server pods' Security Context + ## @param repoServer.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param repoServer.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param repoServer.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param repoServer.podSecurityContext.fsGroup Set Argo CD repo server pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param repoServer.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context + ## @param repoServer.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param repoServer.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser + ## @param repoServer.containerSecurityContext.runAsGroup Set 
Argo CD repo server containers' Security Context runAsGroup + ## @param repoServer.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation + ## @param repoServer.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped + ## @param repoServer.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem + ## @param repoServer.containerSecurityContext.runAsNonRoot Set Argo CD repo server containers' Security Context runAsNonRoot + ## @param repoServer.containerSecurityContext.privileged Set repoServer container's Security Context privileged + ## @param repoServer.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Repo server service parameters + ## + service: + ## @param repoServer.service.type Repo server service type + ## + type: ClusterIP + ## @param repoServer.service.ports.repoServer Repo server service port + ## + ports: + repoServer: 8081 + ## Node ports to expose + ## @param repoServer.service.nodePorts.repoServer Node port for the repo server service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + repoServer: "" + ## @param repoServer.service.clusterIP Repo server service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param repoServer.service.loadBalancerIP Repo server service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param repoServer.service.loadBalancerSourceRanges Repo server service Load 
Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param repoServer.service.externalTrafficPolicy Repo server service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param repoServer.service.annotations Additional custom annotations for Repo server service + ## + annotations: {} + ## @param repoServer.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param repoServer.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param repoServer.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param repoServer.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param repoServer.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). 
+ ## + allowExternal: true + ## @param repoServer.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param repoServer.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param repoServer.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param repoServer.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param repoServer.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param repoServer.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## Argo CD repo server log format: text|json + ## @param repoServer.logFormat Format for the Argo CD repo server logs. 
Options: [text, json] + ## + logFormat: text + ## Argo CD application controller log level + ## @param repoServer.logLevel Log level for the Argo CD repo server + ## + logLevel: info + ## Argo CD repo server container port + ## @param repoServer.containerPorts.repoServer Container port for Argo CD repo server + ## @param repoServer.containerPorts.metrics Metrics port for Argo CD repo server + ## + containerPorts: + repoServer: 8081 + metrics: 8084 + ## Metrics configuration for Argo CD repo server + ## + metrics: + ## Enable metrics for Argo CD repo server + ## @param repoServer.metrics.enabled Enable metrics for the Argo CD repo server + ## + enabled: true + service: + ## @param repoServer.metrics.service.type Argo CD repo server service type + ## + type: ClusterIP + ## @param repoServer.metrics.service.ports.metrics Argo CD repo server metrics service port + ## + ports: + metrics: 8084 + ## Node ports to expose + ## @param repoServer.metrics.service.nodePorts.metrics Node port for the repo server metrics service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param repoServer.metrics.service.clusterIP Argo CD repo server metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param repoServer.metrics.service.loadBalancerIP Argo CD repo server service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param repoServer.metrics.service.loadBalancerSourceRanges Argo CD repo server service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param repoServer.metrics.service.externalTrafficPolicy Argo CD repo server service external traffic policy + ## ref 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param repoServer.metrics.service.annotations Additional custom annotations for Argo CD repo server service + ## + annotations: {} + ## @param repoServer.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param repoServer.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Argo CD repo server metrics service monitor configuration + ## + serviceMonitor: + ## @param repoServer.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param repoServer.metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## e.g: + ## namespace: monitoring + ## + namespace: "" + ## @param repoServer.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## @param repoServer.metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + ## @param repoServer.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: 10s + ## @param repoServer.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param repoServer.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param repoServer.metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param repoServer.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Argo CD repo server deployment autoscaling + ## @param repoServer.autoscaling.enabled Enable Argo CD repo server deployment autoscaling + ## @param repoServer.autoscaling.minReplicas Argo CD repo server deployment autoscaling minimum number of replicas + ## @param repoServer.autoscaling.maxReplicas Argo CD repo server deployment autoscaling maximum number of replicas + ## @param repoServer.autoscaling.targetCPU Argo CD repo server deployment autoscaling target CPU percentage + ## @param repoServer.autoscaling.targetMemory Argo CD repo server deployment autoscaling target CPU memory + ## + autoscaling: + enabled: 
false + minReplicas: 1 + maxReplicas: 5 + targetCPU: 50 + targetMemory: 50 + ## ServiceAccount configuration for the Argo CD repo server + ## + serviceAccount: + ## @param repoServer.serviceAccount.create Specifies whether a ServiceAccount for repo server should be created + ## + create: true + ## @param repoServer.serviceAccount.name The name of the ServiceAccount for repo server to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param repoServer.serviceAccount.automountServiceAccountToken Automount service account token for the repo server service account + ## + automountServiceAccountToken: false + ## @param repoServer.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## Enable admin clusterrole resources. Allows Argo CD repo server to have access to multiple namespaces + ## @param repoServer.clusterAdminAccess Enable K8s cluster admin access for the repo server + ## + clusterAdminAccess: false + ## Enable Custom Rules for Argo CD server cluster role + ## @param repoServer.clusterRoleRules Use custom rules for repo server's cluster role + ## + clusterRoleRules: [] + ## @param repoServer.command Override default container command (useful when using custom images) + ## + command: [] + ## @param repoServer.args Override default container args (useful when using custom images) + ## + args: [] + ## @param repoServer.extraArgs Add extra args to the default repo server args + ## + extraArgs: [] + ## @param repoServer.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: true + ## @param repoServer.hostAliases Argo CD repo server pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param repoServer.podLabels Extra labels for Argo CD repo server pods + ## 
ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param repoServer.podAnnotations Annotations for Argo CD repo server pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param repoServer.podAffinityPreset Pod affinity preset. Ignored if `repoServer.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param repoServer.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `repoServer.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node repoServer.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param repoServer.nodeAffinityPreset.type Node affinity preset type. Ignored if `repoServer.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param repoServer.nodeAffinityPreset.key Node label key to match. Ignored if `repoServer.affinity` is set + ## + key: "" + ## @param repoServer.nodeAffinityPreset.values Node label values to match. Ignored if `repoServer.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param repoServer.affinity Affinity for Argo CD repo server pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `repoServer.podAffinityPreset`, `repoServer.podAntiAffinityPreset`, and `repoServer.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param repoServer.nodeSelector Node labels for Argo CD repo server pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param repoServer.tolerations Tolerations for Argo CD repo server pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param repoServer.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param repoServer.shareProcessNamespace Enable shared process namespace in a pod. + ## If set to false (default), each container will run in separate namespace, repoServer will have PID=1. + ## If set to true, the /pause will run as init process and will reap any zombie PIDs, + ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. + ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. 
+ ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param repoServer.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param repoServer.updateStrategy.type Argo CD repo server statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param repoServer.priorityClassName Argo CD repo server pods' priorityClassName + ## + priorityClassName: "" + ## @param repoServer.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param repoServer.lifecycleHooks for the Argo CD repo server container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param repoServer.extraEnvVars Array with extra environment variables to add to Argo CD repo server nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param repoServer.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Argo CD repo server nodes + ## + extraEnvVarsCM: "" + ## @param repoServer.extraEnvVarsSecret Name of existing Secret containing extra env vars for Argo CD repo server nodes + ## + extraEnvVarsSecret: "" + ## @param repoServer.extraVolumes Optionally specify extra list of additional volumes for the Argo CD repo server pod(s) + ## + extraVolumes: [] + ## @param repoServer.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Argo CD repo server container(s) + ## + extraVolumeMounts: [] + ## @param repoServer.sidecars Add 
additional sidecar containers to the Argo CD repo server pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param repoServer.initContainers Add additional init containers to the Argo CD repo server pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param repoServer.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param repoServer.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param repoServer.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `repoServer.pdb.minAvailable` and `repoServer.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## @section Dex Parameters + +## Dex configuration +## +dex: + ## Bitnami Dex image + ## ref: https://hub.docker.com/r/bitnami/argo-cd/tags/ + ## @param dex.image.registry [default: REGISTRY_NAME] Dex image registry + ## @param dex.image.repository [default: REPOSITORY_NAME/dex] Dex image repository + ## @skip dex.image.tag Dex image tag (immutable tags are recommended) + ## @param dex.image.digest Dex image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param dex.image.pullPolicy Dex image pull policy + ## @param dex.image.pullSecrets Dex image pull secrets + ## @param dex.image.debug Enable Dex image debug mode + ## + image: + registry: docker.io + repository: bitnami/dex + tag: 2.41.1-debian-12-r12 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## Enable Dex deployment + ## @param dex.enabled Enable the creation of a Dex deployment for SSO + ## + enabled: false + ## @param dex.replicaCount Number of Dex replicas to deploy + ## + replicaCount: 1 + ## Configure extra options for Dex containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param dex.startupProbe.enabled Enable startupProbe on Dex nodes + ## @param dex.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param dex.startupProbe.periodSeconds Period seconds for startupProbe + ## @param dex.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param dex.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param dex.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.livenessProbe.enabled Enable livenessProbe on Dex nodes + ## @param dex.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## 
@param dex.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param dex.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param dex.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param dex.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.readinessProbe.enabled Enable readinessProbe on Dex nodes + ## @param dex.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param dex.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param dex.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param dex.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param dex.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param dex.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param dex.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Dex resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param dex.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param dex.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.podSecurityContext.enabled Enabled Dex pods' Security Context + ## @param dex.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param dex.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param dex.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param dex.podSecurityContext.fsGroup Set Dex pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.containerSecurityContext.enabled Enabled Dex containers' Security Context + ## @param dex.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param dex.containerSecurityContext.runAsUser Set Dex containers' Security Context runAsUser + ## @param dex.containerSecurityContext.runAsGroup Set Dex containers' Security Context runAsGroup + ## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation + ## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem + ## @param 
dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot + ## @param dex.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped + ## @param dex.containerSecurityContext.privileged Set dex container's Security Context privileged + ## @param dex.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Dex service parameters + ## + service: + ## @param dex.service.type Dex service type + ## + type: ClusterIP + ## @param dex.service.ports.http Dex HTTP service port + ## @param dex.service.ports.grpc Dex grpc service port + ## + ports: + http: 5556 + grpc: 5557 + ## Node ports to expose + ## @param dex.service.nodePorts.http HTTP node port for the Dex service + ## @param dex.service.nodePorts.grpc gRPC node port for the Dex service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + grpc: "" + ## @param dex.service.clusterIP Dex service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param dex.service.loadBalancerIP Dex service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param dex.service.loadBalancerSourceRanges Dex service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param dex.service.externalTrafficPolicy Dex service external traffic policy + ## ref 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param dex.service.annotations Additional custom annotations for Dex service
+ ##
+ annotations: {}
+ ## @param dex.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param dex.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param dex.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ sessionAffinityConfig: {}
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param dex.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param dex.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param dex.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param dex.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param dex.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param dex.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param dex.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param dex.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+ ## Dex container ports
+ ## @param dex.containerPorts.http Dex container HTTP port
+ ## @param dex.containerPorts.grpc Dex gRPC port
+ ## @param dex.containerPorts.metrics Dex metrics port
+ ##
+ containerPorts:
+ http: 5556
+ grpc: 5557
+ metrics: 5558
+ ## Metrics configuration for Dex
+ ##
+ metrics:
+ ## Enable metrics for Argo Dex
+ ## @param dex.metrics.enabled Enable metrics service for Dex
+ ##
+ enabled: false
+ service:
+ ## @param dex.metrics.service.type Dex service type
+ ##
+ type: ClusterIP
+ ## @param dex.metrics.service.ports.metrics Dex metrics service port
+ ##
+ ports:
+ metrics: 5558
+ ## Node ports to expose
+ ## @param dex.metrics.service.nodePorts.metrics Node port for the Dex
service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param dex.metrics.service.clusterIP Dex service metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param dex.metrics.service.loadBalancerIP Dex service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param dex.metrics.service.loadBalancerSourceRanges Dex service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param dex.metrics.service.externalTrafficPolicy Dex service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param dex.metrics.service.annotations Additional custom annotations for Dex service + ## + annotations: {} + ## @param dex.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param dex.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Dex metrics service monitor configuration + ## + serviceMonitor: + ## @param dex.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param dex.metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## e.g: + ## namespace: monitoring + ## + 
namespace: "" + ## @param dex.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param dex.metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + ## @param dex.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: 10s + ## @param dex.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param dex.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param dex.metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param dex.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## ServiceAccount configuration for the Dex + ## + serviceAccount: + ## @param dex.serviceAccount.create Specifies whether a ServiceAccount should be created for Dex + ## + create: true + ## @param dex.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param dex.serviceAccount.automountServiceAccountToken Automount service account token for the Dex service account
+ ##
+ automountServiceAccountToken: false
+ ## @param dex.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+ ##
+ annotations: {}
+ ## @param dex.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param dex.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param dex.extraArgs Add extra args to the default args for Dex
+ ##
+ extraArgs: []
+ ## @param dex.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
+ ## @param dex.hostAliases Dex pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param dex.podLabels Extra labels for Dex pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param dex.podAnnotations Annotations for Dex pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param dex.podAffinityPreset Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param dex.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `dex.affinity` is set.
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node dex.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param dex.nodeAffinityPreset.type Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param dex.nodeAffinityPreset.key Node label key to match. Ignored if `dex.affinity` is set + ## + key: "" + ## @param dex.nodeAffinityPreset.values Node label values to match. Ignored if `dex.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param dex.affinity Affinity for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `dex.podAffinityPreset`, `dex.podAntiAffinityPreset`, and `dex.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param dex.nodeSelector Node labels for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param dex.tolerations Tolerations for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param dex.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param dex.shareProcessNamespace Enable shared process namespace in a pod. + ## If set to false (default), each container will run in separate namespace, dex will have PID=1. + ## If set to true, the /pause will run as init process and will reap any zombie PIDs, + ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. 
+ ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param dex.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param dex.updateStrategy.type Dex statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param dex.priorityClassName Dex pods' priorityClassName + ## + priorityClassName: "" + ## @param dex.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param dex.lifecycleHooks for the Dex container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param dex.extraEnvVars Array with extra environment variables to add to Dex nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param dex.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Dex nodes + ## + extraEnvVarsCM: "" + ## @param dex.extraEnvVarsSecret Name of existing Secret containing extra env vars for Dex nodes + ## + extraEnvVarsSecret: "" + ## @param dex.extraVolumes Optionally specify extra list of additional volumes for the Dex pod(s) + ## + extraVolumes: [] + ## @param dex.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Dex container(s) + ## + extraVolumeMounts: [] + ## @param dex.sidecars Add additional sidecar containers to the Dex pod(s) + ## e.g: + ## sidecars: + ## - name: 
your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param dex.initContainers Add additional init containers to the Dex pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param dex.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param dex.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param dex.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## @section Shared config for Argo CD components +config: + ## @param config.knownHosts [string] Known hosts to be added to the known hosts list by default. 
Check the values to see the default value + ## + knownHosts: | + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + vs-ssh.visualstudio.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + ## @param config.extraKnownHosts Add extra known hosts to the known hosts list + ## E.g.: + ## extraKnownHosts: | + ## gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + ## gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + ## + extraKnownHosts: "" + ## @param config.createExtraKnownHosts Whether to create or not the extra known hosts configmap + ## + createExtraKnownHosts: true + ## @param config.styles Custom CSS styles + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ + ## E.g.: + ## styles: | + ## .nav-bar { + ## background: linear-gradient(to bottom, #999, #777, #333, #222, #111); + ## } + ## + styles: "" + ## @param config.existingStylesConfigmap Use an existing styles configmap + ## + existingStylesConfigmap: "" + ## @param config.tlsCerts TLS certificates used to verify the authenticity of the repository servers + ## Certificates will be generated by default if the values are not set. + ## E.g: + ## tlsCerts: + ## argocd-1.example.com: | + ## -----BEGIN CERTIFICATE----- + ## (...) + ## -----END CERTIFICATE----- + ## argocd-2.example.com: | + ## -----BEGIN CERTIFICATE----- + ## (...) 
+ ## -----END CERTIFICATE----- + ## + tlsCerts: {} + ## @param config.gpgKeys GnuPG public keys to add to the keyring + ## Keys will be generated by default if the values are not set. + ## Note: Public keys should be exported with `gpg --export --armor ` + ## + gpgKeys: {} + # 4AEE18F83AFDEB23: | + # -----BEGIN PGP PUBLIC KEY BLOCK----- + # ... + # -----END PGP PUBLIC KEY BLOCK----- + + ## @param config.rbac Role-based authentication configuration + ## + rbac: {} + # policy.default: role:readonly + # policy.csv: | + # # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project' + # p, my-org:team-alpha, applications, sync, my-project/*, allow + # # Grant all members of 'my-org:team-beta' admins + # g, my-org:team-beta, role:admin + + ## Argo CD general secret configuration + ## + secret: + ## @param config.secret.create Whether to create or not the secret + ## + create: true + ## Annotations to be added to argocd-secret + ## @param config.secret.annotations General secret extra annotations + ## + annotations: {} + ## Webhook Configs + ## @param config.secret.githubSecret GitHub secret to configure webhooks + ## @param config.secret.gitlabSecret GitLab secret to configure webhooks + ## @param config.secret.bitbucketServerSecret BitBucket secret to configure webhooks + ## @param config.secret.bitbucketUUID BitBucket UUID to configure webhooks + ## @param config.secret.gogsSecret Gogs secret to configure webhooks + ## + githubSecret: "" + gitlabSecret: "" + bitbucketServerSecret: "" + bitbucketUUID: "" + gogsSecret: "" + ## Extra keys to add to the general config secret. Useful for injecting SSO secrets into environment variables. + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sso + ## @param config.secret.extra Extra keys to add to the configuration secret. + ## All values must be non-empty. + ## E.g: + ## LDAP_PASSWORD: "mypassword" + ## + extra: {} + ## Argo CD TLS Data. 
+ ## @param config.secret.argocdServerTlsConfig.key TLS key for the Argo CD config secret
+ ## @param config.secret.argocdServerTlsConfig.crt TLS certificate for the Argo CD config secret
+ ## E.g:
+ ## key:
+ ## crt: |
+ ## -----BEGIN CERTIFICATE-----
+ ##
+ ## -----END CERTIFICATE-----
+ ## -----BEGIN CERTIFICATE-----
+ ##
+ ## -----END CERTIFICATE-----
+ ##
+ argocdServerTlsConfig:
+ key: ""
+ crt: ""
+ ## Argo admin password
+ ## @param config.secret.argocdServerAdminPassword Argo CD server admin password. Autogenerated by default.
+ ##
+ argocdServerAdminPassword: {{ .Values.globals.argocd.adminPassword }}
+ ## Password modification time defaults to current time if not set
+ ## @param config.secret.argocdServerAdminPasswordMtime Argo CD server password modification time
+ ## E.g:
+ ## argocdServerAdminPasswordMtime: "2006-01-02T15:04:05Z"
+ ##
+ argocdServerAdminPasswordMtime: ""
+ ## Create a secret with optional repository credentials
+ ## @param config.secret.repositoryCredentials Repository credentials to add to the Argo CD server confgi secret
+ ## E.g.
+ ## repositoryCredentials: + ## sample-ssh-key: | + ## REDACTED + ## + ## REDACTED + ## + repositoryCredentials: {} + ## External Cluster Credentials + ## Refs: + ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters + ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#external-cluster-credentials + ## @param config.clusterCredentials Configure external cluster credentials + ## E.g + ## - name: mycluster + ## server: https://mycluster.com + ## labels: {} + ## annotations: {} + ## config: + ## bearerToken: "" + ## tlsClientConfig: + ## insecure: false + ## caData: "" + ## - name: mycluster2 + ## server: https://mycluster2.com + ## labels: {} + ## annotations: {} + ## namespaces: namespace1,namespace2 + ## config: + ## bearerToken: "" + ## tlsClientConfig: + ## insecure: false + ## caData: "" + ## + clusterCredentials: [] +## @section Init Container Parameters + +## 'volumePermissions' init container parameters +## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values +## based on the *podSecurityContext/*containerSecurityContext parameters +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` + ## + enabled: false + ## OS Shell + Utility image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository + ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy + ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r35 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser + ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the + ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + ## + containerSecurityContext: + seLinuxOptions: {} + runAsUser: 0 +## @section Other Parameters + +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: true +## Redis parameters +## +redis: + ## Bitnami Redis image + ## ref: https://hub.docker.com/r/bitnami/redis/tags/ + ## @param redis.image.registry [default: REGISTRY_NAME] Redis image registry + ## @param redis.image.repository [default: REPOSITORY_NAME/redis] Redis image repository + ## @skip redis.image.tag Redis image tag (immutable tags are recommended) + ## @param redis.image.digest Redis image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param redis.image.pullPolicy Redis image pull policy + ## @param redis.image.pullSecrets Redis image pull secrets + ## + image: + registry: docker.io + repository: bitnami/redis + tag: 7.4.2-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param redis.enabled Enable Redis dependency + ## + enabled: false + ## @param redis.nameOverride Name override for the Redis dependency + ## + nameOverride: "" + ## @param redis.service.ports.redis Service port for Redis dependency + ## + service: + ports: + redis: 6379 + ## Use password authentication + ## @param redis.auth.enabled Enable Redis dependency authentication + ## @param redis.auth.existingSecret Existing secret to load redis dependency password + ## @param redis.auth.existingSecretPasswordKey Pasword key name inside the existing secret + ## + auth: + enabled: true + ## Name of existing secret object containing the password + ## + existingSecret: "" + ## + ## Password key to be retrieved from Redis® secret + ## + existingSecretPasswordKey: 'redis-password' + ## Cluster settings + ## @param redis.architecture Redis® architecture. 
Allowed values: `standalone` or `replication` + ## TODO(miguelaeh): We need to test the chart with redis sentinel, it seems to be supported at: https://github.com/argoproj/argo-cd/blob/2a410187565e15633b6f2a8c8d8da22cf02b257d/util/cache/cache.go#L40 + ## + architecture: standalone +## +## External Redis® +## +externalRedis: + ## Can be enabled after redisWait.enabled and redis.enabled are set to false + ## @param externalRedis.enabled Enables External Redis + ## + enabled: true + ## Redis® host + ## @param externalRedis.host External Redis host + ## + host: redis-master.{{ .Values.globals.redis.namespace }}.svc.cluster.local + ## Redis® port + ## @param externalRedis.port External Redis port + ## + port: 6379 + ## Redis® password for authentication + ## Ignored if existingSecret is set + ## @param externalRedis.password External Redis password + ## + password: {{ .Values.globals.redis.password }} + ## Name of existing secret object containing the password + ## @param externalRedis.existingSecret Existing secret for the external redis + ## + existingSecret: "" + ## Password key to be retrieved from Redis® secret + ## @param externalRedis.existingSecretPasswordKey Password key for the existing secret containing the external redis password + ## + existingSecretPasswordKey: 'redis-password' + ## Specify a label to use with the label selector + ## @param externalRedis.selector External Redis selector labels + ## + selector: {} + # + # selector: + # app.kubernetes.io/component: master + # app.kubernetes.io/instance: redis + # app.kubernetes.io/name: redis +## Wait-for-redis init container configuration +## +redisWait: + ## @param redisWait.enabled Enables waiting for redis + ## + enabled: false + ## @param redisWait.extraArgs Additional arguments for the redis-cli call, such as TLS + ## + extraArgs: '' + ## @param redisWait.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context + ## @param 
redisWait.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param redisWait.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser
+ ## @param redisWait.containerSecurityContext.runAsGroup Set Argo CD repo server containers' Security Context runAsGroup
+ ## @param redisWait.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation
+ ## @param redisWait.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped
+ ## @param redisWait.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem
+ ## @param redisWait.containerSecurityContext.runAsNonRoot Set Argo CD repo server containers' Security Context runAsNonRoot
+ ## @param redisWait.containerSecurityContext.privileged Set redisWait container's Security Context privileged
+ ## @param redisWait.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+
diff --git a/proxmox/k8s/helmfile.d/values/authentik/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/authentik/values.yaml.gotmpl
new file mode 100644
index 0000000..7846656
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/authentik/values.yaml.gotmpl
@@ -0,0 +1,1036 @@
+---
+# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
+nameOverride: ""
+# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
+fullnameOverride: ""
+# -- Override the Kubernetes version, which is used to evaluate certain manifests
+kubeVersionOverride: ""
+
+
+## Globally shared configuration for authentik components.
+global:
+ # -- Provide a name in place of `authentik`
+ nameOverride: ""
+ # -- String to fully override `"authentik.fullname"`
+ fullnameOverride: ""
+ # -- A custom namespace to override the default namespace for the deployed resources.
+ namespaceOverride: ""
+ # -- Common labels for all resources.
+ additionalLabels: {}
+ # app: authentik
+
+ # Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
+ revisionHistoryLimit: 3
+
+ # Default image used by all authentik components. For GeoIP configuration, see the geoip values below.
+ image:
+ # -- If defined, a repository applied to all authentik deployments
+ repository: ghcr.io/goauthentik/server
+ # -- Overrides the global authentik whose default is the chart appVersion
+ tag: ""
+ # -- If defined, an image digest applied to all authentik deployments
+ digest: ""
+ # -- If defined, an imagePullPolicy applied to all authentik deployments
+ pullPolicy: IfNotPresent
+
+ # -- Secrets with credentials to pull images from a private registry
+ imagePullSecrets: []
+
+ # -- Annotations for all deployed Deployments
+ deploymentAnnotations: {}
+
+ # -- Annotations for all deployed pods
+ podAnnotations: {}
+
+ # -- Annotations for all deployed secrets
+ secretAnnotations: {}
+
+ # -- Labels for all deployed pods
+ podLabels: {}
+
+ # -- Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors.
+ addPrometheusAnnotations: false
+
+ # -- Toggle and define pod-level security context.
+ # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files + hostAliases: [] + # - ip: 10.20.30.40 + # hostnames: + # - my.hostname + + # -- Default priority class for all components + priorityClassName: "" + + # -- Default node selector for all components + nodeSelector: {} + + # -- Default tolerations for all components + tolerations: [] + + # Default affinity preset for all components + affinity: + # -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard` + podAntiAffinity: soft + # Node affinity rules + nodeAffinity: + # -- Default node affinity rules. Either `none`, `soft` or `hard` + type: hard + # -- Default match expressions for node affinity + matchExpressions: [] + # - key: topology.kubernetes.io/zone + # operator: In + # values: + # - zonea + # - zoneb + + # -- Default [TopologySpreadConstraints] rules for all components + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy for all deployed Deployments + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + + # -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to all deployed Deployments. 
Does not apply to GeoIP
+ # @default -- `[]` (See [values.yaml])
+ envFrom: []
+ # - configMapRef:
+ # name: config-map-name
+ # - secretRef:
+ # name: secret-name
+
+ # -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP
+ # @default -- `[]` (See [values.yaml])
+ volumeMounts: []
+ # - name: custom
+ # mountPath: /custom
+
+ # -- Additional volumes to all deployed Deployments.
+ # @default -- `[]` (See [values.yaml])
+ volumes: []
+ # - name: custom
+ # emptyDir: {}
+
+
+## Authentik configuration
+authentik:
+ # -- Log level for server and worker
+ log_level: info
+ # -- Secret key used for cookie singing and unique user IDs,
+ # don't change this after the first install
+ secret_key: {{ .Values.globals.authentik.secretKey }}
+ events:
+ context_processors:
+ # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
+ geoip: /geoip/GeoLite2-City.mmdb
+ # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
+ asn: /geoip/GeoLite2-ASN.mmdb
+ email:
+ # -- SMTP Server emails are sent from, fully optional
+ host: ""
+ # -- SMTP server port
+ port: 587
+ # -- SMTP credentials, when left empty, no authentication will be done
+ username: ""
+ # -- SMTP credentials, when left empty, no authentication will be done
+ password: ""
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_tls: false
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_ssl: false
+ # -- Connection timeout
+ timeout: 30
+ # -- Email from address, can either be in the format "foo@bar.baz" or "authentik "
+ from: ""
+ outposts:
+ # -- Template used for managed outposts.
The following placeholders can be used
+ # %(type)s - the type of the outpost
+ # %(version)s - version of your authentik install
+ # %(build_hash)s - only for beta versions, the build hash of the image
+ container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
+ error_reporting:
+ # -- This sends anonymous usage-data, stack traces on errors and
+ # performance data to sentry.beryju.org, and is fully opt-in
+ enabled: false
+ # -- This is a string that is sent to sentry with your error reports
+ environment: "k8s"
+ # -- Send PII (Personally identifiable information) data to sentry
+ send_pii: false
+ postgresql:
+ # -- set the postgresql hostname to talk to
+ # if unset and .Values.postgresql.enabled == true, will generate the default
+ # @default -- `{{ .Release.Name }}-postgresql`
+ host: "postgres-postgresql.{{ .Values.globals.postgres.namespace }}.svc.cluster.local"
+ # -- postgresql Database name
+ # @default -- `authentik`
+ name: "{{ .Values.globals.authentik.postgres.database }}"
+ # -- postgresql Username
+ # @default -- `authentik`
+ user: "{{ .Values.globals.authentik.postgres.username }}"
+ password: "{{ .Values.globals.authentik.postgres.password }}"
+ port: 5432
+ redis:
+ # -- set the redis hostname to talk to
+ # @default -- `{{ .Release.Name }}-redis-master`
+ host: "redis-master.{{ .Values.globals.redis.namespace }}.svc.cluster.local"
+ password: "{{ .Values.globals.redis.password }}"
+
+
+blueprints:
+ # -- List of config maps to mount blueprints from.
+ # Only keys in the configMap ending with `.yaml` will be discovered and applied.
+ configMaps: []
+ # -- List of secrets to mount blueprints from.
+ # Only keys in the secret ending with `.yaml` will be discovered and applied.
+ secrets: [] + + +## authentik server +server: + # -- authentik server name + name: server + + # -- The number of server pods to run + replicas: 1 + + ## authentik server Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server + enabled: false + # -- Minimum number of replicas for the authentik server [HPA] + minReplicas: 1 + # -- Maximum number of replicas for the authentik server [HPA] + maxReplicas: 5 + # -- Average CPU utilization percentage for the authentik server [HPA] + targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the authentik server [HPA] + targetMemoryUtilizationPercentage: ~ + # -- Configures the scaling behavior of the target in both Up and Down directions. + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + # -- Configures custom HPA metrics for the authentik server + # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + metrics: [] + + ## authentik server Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDistrubtionBudget] for the authentik server + enabled: false + # -- Labels to be added to the authentik server pdb + labels: {} + # -- Annotations to be added to the authentik server pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) + ## Has higher precedence over `server.pdb.minAvailable` + maxUnavailable: "" + + ## authentik server image + ## This should match what is deployed in the worker. 
Prefer using global.image + image: + # -- Repository to use to the authentik server + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use to the authentik server + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Digest to use to the authentik server + # @default -- `""` (defaults to global.image.digest) + digest: "" # defaults to global.image.digest + # -- Image pull policy to use to the authentik server + # @default -- `""` (defaults to global.image.pullPolicy) + pullPolicy: "" # defaults to global.image.pullPolicy + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Environment variables to pass to the authentik server. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the authentik server. 
Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Specify postStart and preStop lifecycle hooks for you authentik server container + lifecycle: {} + + # -- Additional containers to be added to the authentik server pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + + # -- Init containers to add to the authentik server pod + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - echo init + + # -- Additional volumeMounts to the authentik server main container + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Additional volumes to the authentik server pod + volumes: [] + # - name: custom + # emptyDir: {} + + # -- Annotations to be added to the authentik server Deployment + deploymentAnnotations: {} + + # -- Annotations to be added to the authentik server pods + podAnnotations: {} + + # -- Labels to be added to the authentik server pods + podLabels: {} + + # -- Resource limits and requests for the authentik server + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # memory: 512Mi + + # authentik server container ports + containerPorts: + # -- http container port + http: 9000 + # -- https container port + https: 9443 + # -- metrics container port + metrics: 9300 + + # -- Host Network for authentik server pods + hostNetwork: false + + # -- [DNS configuration] + dnsConfig: {} + # -- Alternative DNS policy for authentik server pods + dnsPolicy: "" + + # -- serviceAccount to use for authentik server pods + serviceAccountName: ~ + + # -- authentik server pod-level security context + # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- authentik server container-level 
security context + # @default -- See [values.yaml] + containerSecurityContext: {} + # Not all of the following has been tested. Use at your own risk. + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + ## Liveness, readiness and startup probes for authentik server + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/live/ + port: http + + readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/ready/ + port: http + + startupProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 60 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + 
periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/live/ + port: http + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + + # -- Prority class for the authentik server pods + # @default -- `""` (defaults to global.priorityClassName) + priorityClassName: "" + + # -- [Node selector] + # @default -- `{}` (defaults to global.nodeSelector) + nodeSelector: {} + + # -- [Tolerations] for use with node taints + # @default -- `[]` (defaults to global.tolerations) + tolerations: [] + + # -- Assign custom [affinity] rules to the deployment + # @default -- `{}` (defaults to the global.affinity preset) + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the authentik server + # @default -- `[]` (defaults to global.topologySpreadConstraints) + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy to be added to the authentik server Deployment + # @default -- `{}` (defaults to global.deploymentStrategy) + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + + ## authentik server service configuration + service: + # -- authentik server service annotations + annotations: {} + # -- authentik server service labels + labels: {} + # -- authentik server service type + type: ClusterIP + # -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`) + nodePortHttp: 30080 + # -- authentik 
server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`) + nodePortHttps: 30443 + # -- authentik server service http port + servicePortHttp: 80 + # -- authentik server service https port + servicePortHttps: 443 + # -- authentik server service http port name + servicePortHttpName: http + # -- authentik server service https port name + servicePortHttpsName: https + # -- authentik server service http port appProtocol + # servicePortHttpAppProtocol: HTTP + # -- authentik server service https port appProtocol + # servicePortHttpsAppProtocol: HTTPS + # -- LoadBalancer will get created with the IP specified in this field + loadBalancerIP: "" + # -- Source IP ranges to allow access to service from + loadBalancerSourceRanges: [] + # -- authentik server service external IPs + externalIPs: [] + # -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints + externalTrafficPolicy: "" + # -- Used to maintain session affinity. Supports `ClientIP` and `None` + sessionAffinity: "" + # -- Session affinity configuration + sessionAffinityConfig: {} + + ## authentik server metrics service configuration + metrics: + # -- deploy metrics service + enabled: true + service: + # -- metrics service type + type: ClusterIP + # -- metrics service clusterIP. 
`None` makes a "headless service" (no virtual IP)
+ clusterIP: ""
+ # -- metrics service annotations
+ annotations: {}
+ # -- metrics service labels
+ labels: {}
+ # -- metrics service port
+ servicePort: 9300
+ # -- metrics service port name
+ portName: metrics
+ serviceMonitor:
+ # -- enable a prometheus ServiceMonitor
+ enabled: false
+ # -- Prometheus ServiceMonitor interval
+ interval: 30s
+ # -- Prometheus ServiceMonitor scrape timeout
+ scrapeTimeout: 3s
+ # -- Prometheus [RelabelConfigs] to apply to samples before scraping
+ relabelings: []
+ # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
+ metricRelabelings: []
+ # -- Prometheus ServiceMonitor selector
+ selector: {}
+ # prometheus: kube-prometheus
+
+ # -- Prometheus ServiceMonitor scheme
+ scheme: ""
+ # -- Prometheus ServiceMonitor tlsConfig
+ tlsConfig: {}
+ # -- Prometheus ServiceMonitor namespace
+ namespace: ""
+ # -- Prometheus ServiceMonitor labels
+ labels: {}
+ # -- Prometheus ServiceMonitor annotations
+ annotations: {}
+
+ ingress:
+ # -- enable an ingress resource for the authentik server
+ enabled: true
+ # -- additional ingress annotations
+ annotations:
+ kubernetes.io/ingress.class: {{ .Values.globals.authentik.ingressClass }}
+ cert-manager.io/cluster-issuer: {{ .Values.globals.certs.issuerName }}
+ # -- additional ingress labels
+ labels: {}
+ # -- defines which ingress controller will implement the resource
+ ingressClassName: "{{ .Values.globals.authentik.ingressClass }}"
+ # -- List of ingress hosts
+ hosts:
+ {{- range .Values.globals.authentik.hostnames }}
+ - {{ . }}
+ {{- end }}
+
+ # -- List of ingress paths
+ paths:
+ - /
+ # -- Ingress path type.
One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + # -- additional ingress paths + extraPaths: [] + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + # -- ingress TLS configuration + tls: + - secretName: authentik-tls + hosts: + {{- range .Values.globals.authentik.hostnames }} + - {{ . }} + {{- end }} + + # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp` + https: false + + +## authentik worker +worker: + # -- authentik worker name + name: worker + + # -- The number of worker pods to run + replicas: 1 + + ## authentik worker Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker + enabled: false + # -- Minimum number of replicas for the authentik worker [HPA] + minReplicas: 1 + # -- Maximum number of replicas for the authentik worker [HPA] + maxReplicas: 5 + # -- Average CPU utilization percentage for the authentik worker [HPA] + targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the authentik worker [HPA] + targetMemoryUtilizationPercentage: ~ + # -- Configures the scaling behavior of the target in both Up and Down directions. 
+ behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + # -- Configures custom HPA metrics for the authentik worker + # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + metrics: [] + + ## authentik worker Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDistrubtionBudget] for the authentik worker + enabled: false + # -- Labels to be added to the authentik worker pdb + labels: {} + # -- Annotations to be added to the authentik worker pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) + ## Has higher precedence over `worker.pdb.minAvailable` + maxUnavailable: "" + + ## authentik worker image + ## This should match what is deployed in the server. 
Prefer using global.image + image: + # -- Repository to use to the authentik worker + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use to the authentik worker + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Digest to use to the authentik worker + # @default -- `""` (defaults to global.image.digest) + digest: "" # defaults to global.image.digest + # -- Image pull policy to use to the authentik worker + # @default -- `""` (defaults to global.image.pullPolicy) + pullPolicy: "" # defaults to global.image.pullPolicy + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Environment variables to pass to the authentik worker. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the authentik worker. 
Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Specify postStart and preStop lifecycle hooks for you authentik worker container + lifecycle: {} + + # -- Additional containers to be added to the authentik worker pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + + # -- Init containers to add to the authentik worker pod + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - echo init + + # -- Additional volumeMounts to the authentik worker main container + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Additional volumes to the authentik worker pod + volumes: [] + # - name: custom + # emptyDir: {} + + # -- Annotations to be added to the authentik worker Deployment + deploymentAnnotations: {} + + # -- Annotations to be added to the authentik worker pods + podAnnotations: {} + + # -- Labels to be added to the authentik worker pods + podLabels: {} + + # -- Resource limits and requests for the authentik worker + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # memory: 512Mi + + # -- Host Network for authentik worker pods + hostNetwork: false + + # -- [DNS configuration] + dnsConfig: {} + # -- Alternative DNS policy for authentik worker pods + dnsPolicy: "" + + # -- serviceAccount to use for authentik worker pods. 
If set, overrides the value used when serviceAccount.create is true + serviceAccountName: ~ + + # -- authentik worker pod-level security context + # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- authentik worker container-level security context + # @default -- See [values.yaml] + containerSecurityContext: {} + # Not all of the following has been tested. Use at your own risk. + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + exec: + command: + - ak + - healthcheck + + readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + exec: + command: + - ak + - healthcheck + + startupProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 60 + # -- Number of seconds after the 
container has started before [probe] is initiated + initialDelaySeconds: 30 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + exec: + command: + - ak + - healthcheck + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + + # -- Prority class for the authentik worker pods + # @default -- `""` (defaults to global.priorityClassName) + priorityClassName: "" + + # -- [Node selector] + # @default -- `{}` (defaults to global.nodeSelector) + nodeSelector: {} + + # -- [Tolerations] for use with node taints + # @default -- `[]` (defaults to global.tolerations) + tolerations: [] + + # -- Assign custom [affinity] rules to the deployment + # @default -- `{}` (defaults to the global.affinity preset) + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the authentik worker + # @default -- `[]` (defaults to global.topologySpreadConstraints) + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy to be added to the authentik worker Deployment + # @default -- `{}` (defaults to global.deploymentStrategy) + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + + +serviceAccount: + # -- Create service account. 
Needed for managed outposts
+ create: true
+ # -- additional service account annotations
+ annotations: {}
+ serviceAccountSecret:
+ # As we use the authentik-remote-cluster chart as subchart, and that chart
+ # creates a service account secret by default which we don't need here,
+ # disable its creation
+ enabled: false
+ fullnameOverride: authentik
+
+
+geoip:
+ # -- enable GeoIP sidecars for the authentik server and worker pods
+ enabled: false
+
+ editionIds: "GeoLite2-City GeoLite2-ASN"
+ # -- GeoIP update frequency, in hours
+ updateInterval: 8
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ accountId: ""
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ licenseKey: ""
+ ## use existing secret instead of values above
+ existingSecret:
+ # -- name of an existing secret to use instead of values above
+ secretName: ""
+ # -- key in the secret containing the account ID
+ accountId: "account_id"
+ # -- key in the secret containing the license key
+ licenseKey: "license_key"
+
+ image:
+ # -- If defined, a repository for GeoIP images
+ repository: ghcr.io/maxmind/geoipupdate
+ # -- If defined, a tag for GeoIP images
+ tag: v7.1.0
+ # -- If defined, an image digest for GeoIP images
+ digest: ""
+ # -- If defined, an imagePullPolicy for GeoIP images
+ pullPolicy: IfNotPresent
+
+ # -- Environment variables to pass to the GeoIP containers
+ # @default -- `[]` (See [values.yaml])
+ env: []
+ # - name: GEOIPUPDATE_VAR_NAME
+ # value: VALUE
+ # - name: GEOIPUPDATE_VAR_OTHER
+ # valueFrom:
+ # secretKeyRef:
+ # name: secret-name
+ # key: secret-key
+ # - name: GEOIPUPDATE_VAR_ANOTHER
+ # valueFrom:
+ # configMapKeyRef:
+ # name: config-map-name
+ # key: config-map-key
+
+ # -- envFrom to pass to the GeoIP containers
+ # @default -- `[]` (See [values.yaml])
+ envFrom: []
+ # - configMapRef:
+ # name: config-map-name
+ # - secretRef:
+ # name: secret-name
+
+ # -- Additional volumeMounts to the GeoIP containers. 
Make sure the volumes exists for the server and the worker.
+ volumeMounts: []
+ # - name: custom
+ # mountPath: /custom
+
+ # -- Resource limits and requests for GeoIP containers
+ resources: {}
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ # limits:
+ # memory: 128Mi
+
+ # -- GeoIP container-level security context
+ # @default -- See [values.yaml]
+ containerSecurityContext: {}
+ # Not all of the following has been tested. Use at your own risk.
+ # runAsNonRoot: true
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ # seccomProfile:
+ # type: RuntimeDefault
+ # capabilities:
+ # drop:
+ # - ALL
+
+
+prometheus:
+ rules:
+ enabled: false
+ # -- PrometheusRule namespace
+ namespace: ""
+ # -- PrometheusRule selector
+ selector: {}
+ # prometheus: kube-prometheus
+
+ # -- PrometheusRule labels
+ labels: {}
+ # -- PrometheusRule annotations
+ annotations: {}
+
+
+postgresql:
+ # -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values.
+ enabled: false
+ image:
+ repository: bitnami/postgresql
+ tag: 15.8.0-debian-12-r18
+ auth:
+ username: authentik
+ database: authentik
+ # password: ""
+ primary:
+ extendedConfiguration: |
+ max_connections = 500
+ resourcesPreset: "none"
+ # persistence:
+ # enabled: true
+ # storageClass:
+ # accessModes:
+ # - ReadWriteOnce
+ readReplicas:
+ resourcesPreset: "none"
+ backup:
+ resourcesPreset: "none"
+ passwordUpdateJob:
+ resourcesPreset: "none"
+ volumePermissions:
+ resourcesPreset: "none"
+ metrics:
+ resourcesPreset: "none"
+
+
+redis:
+ # -- enable the Bitnami Redis chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/redis/ for possible values. 
+ enabled: false
+ architecture: standalone
+ auth:
+ enabled: false
+ master:
+ resourcesPreset: "none"
+ replica:
+ resourcesPreset: "none"
+ sentinel:
+ resourcesPreset: "none"
+ metrics:
+ resourcesPreset: "none"
+ volumePermissions:
+ resourcesPreset: "none"
+ sysctl:
+ resourcesPreset: "none"
+
+
+# -- additional resources to deploy. Those objects are templated.
+additionalObjects: []
+
diff --git a/proxmox/k8s/helmfile.d/values/cert-manager/values.yml b/proxmox/k8s/helmfile.d/values/cert-manager/values.yml
new file mode 100644
index 0000000..fe409db
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/cert-manager/values.yml
@@ -0,0 +1,11 @@
+crds:
+ enabled: true
+replicaCount: 3
+extraArgs:
+ - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+ - --dns01-recursive-nameservers-only
+podDnsPolicy: None
+podDnsConfig:
+ nameservers:
+ - 1.1.1.1
+ - 9.9.9.9
diff --git a/proxmox/k8s/helmfile.d/values/certs/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/certs/values.yaml.gotmpl
new file mode 100644
index 0000000..a85c518
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/certs/values.yaml.gotmpl
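Review bot: `podDnsPolicy: None` together with a `podDnsConfig` that lists only 1.1.1.1 and 9.9.9.9 takes the cert-manager controller pod off cluster DNS entirely, so any in-cluster name it might need (a webhook or DNS-provider Service addressed by `*.svc`) would no longer resolve; the API server is normally reached by IP from the in-cluster config, so that path looks unaffected, but the trade-off is not stated anywhere in the file. The `--dns01-recursive-nameservers*` args on their own already force the DNS-01 self-check to those public resolvers, which is the usual reason for this setup. A short comment above `podDnsPolicy` would help the next reader, e.g. `# DNS-01 self-checks must see public DNS, not the local split-horizon resolver; note this also removes cluster DNS from the pod`.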
@@ -0,0 +1,28 @@
+acmeEmail: {{ .Values.globals.certs.acmeEmail }}
+cloudflareEmail: {{ .Values.globals.certs.cloudflareEmail }}
+
+# staging or production
+issuerMode: {{ .Values.globals.certs.certIssuerMode }}
+
+issuerName: {{ .Values.globals.certs.issuerName }}
+privateKeySecretRef: {{ .Values.globals.certs.privateKeySecretRef }}
+
+certManagerNamespace: {{ .Values.globals.certManager.namespace }}
+
+cloudflareSecretToken: {{ .Values.globals.certs.cloudflareSecretToken }}
+cloudflareTokenSecretName: {{ .Values.globals.certs.cloudflareTokenSecretName }}
+
+dnsZones:
+ {{- range .Values.globals.certs.hlMnkeOrg.dnsZones }}
+ - {{ . | quote }}
+ {{- end}}
+
+certificateName: {{ .Values.globals.certs.hlMnkeOrg.certificateName }}
+certificateSecretName: {{ .Values.globals.certs.hlMnkeOrg.certificateSecretName }}
+certificateNamespace: {{ .Values.globals.certs.hlMnkeOrg.certificateNamespace }}
+
+commonName: {{ .Values.globals.certs.hlMnkeOrg.commonName }}
+dnsNames:
+ {{- range .Values.globals.certs.hlMnkeOrg.dnsNames }}
+ - {{ . | quote }}
+ {{- end}}
diff --git a/proxmox/k8s/helmfile.d/values/ghost/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/ghost/values.yaml.gotmpl
new file mode 100644
index 0000000..940b09b
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/ghost/values.yaml.gotmpl
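Review bot: `cloudflareSecretToken: {{ .Values.globals.certs.cloudflareSecretToken }}` renders the Cloudflare API token into the values file unquoted and in clear text. Unquoted, any value containing YAML-significant characters (a `#` after a space, a leading `*` or `&`, a `: `) will mis-parse or silently change meaning, while the list items in this same file already use `| quote`; the scalar lines, and this one first, should do the same: `cloudflareSecretToken: {{ .Values.globals.certs.cloudflareSecretToken | quote }}`. In clear text, the token will surface wherever helmfile renders or diffs these values (template output, `helmfile diff`, the release values kept in the cluster); since a `cloudflareTokenSecretName` is also passed, it may be that the chart can consume a pre-created Secret instead of the raw token, which would keep it out of rendered values — worth confirming against the chart. The `# staging or production` comment would also read better if it named the accepted values of `issuerMode` exactly as the chart expects them.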
@@ -0,0 +1,876 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ defaultStorageClass: {{ .Values.globals.ghost.storageClass }}
+ ## Security parameters
+ ##
+ security:
+ ## @param global.security.allowInsecureImages Allows skipping image verification
+ allowInsecureImages: false
+ ## Compatibility adaptations for Kubernetes platforms
+ ##
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: auto
+## @section Common parameters
+
+## @param kubeVersion Override Kubernetes version
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname
+##
+fullnameOverride: ""
+## @param commonLabels Labels to add to all deployed objects
+##
+commonLabels: {}
+## @param commonAnnotations Annotations to add to all deployed objects
+##
+commonAnnotations: {}
+## @param clusterDomain Kubernetes cluster domain name
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release
+##
+extraDeploy: []
+## Enable diagnostic mode in the deployment
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the deployment
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the deployment
+ ##
+ args:
+ - infinity
+## @section Ghost Image parameters
+
+## Bitnami Ghost image
+## ref: https://hub.docker.com/r/bitnami/ghost/tags/
+## @param image.registry [default: REGISTRY_NAME] Ghost image registry
+## @param image.repository [default: REPOSITORY_NAME/ghost] Ghost image repository
+## @skip image.tag Ghost image tag (immutable tags are recommended)
+## @param image.digest Ghost image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag
+## @param image.pullPolicy Ghost image pull policy
+## @param image.pullSecrets Ghost image pull secrets
+## @param image.debug Enable image debug mode
+##
+image:
+ registry: docker.io
+ repository: bitnami/ghost
+ tag: 5.108.1-debian-12-r0
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Enable debug mode
+ ##
+ debug: true
+## @section Ghost Configuration parameters
+## Ghost settings based on environment variables
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/ghost#configuration
+
+## @param ghostUsername Ghost user name
+##
+ghostUsername: user
+## @param ghostPassword Ghost user password
+## Defaults to a random 10-character alphanumeric string if not set
+##
+ghostPassword: "{{ .Values.globals.ghost.ghostPassword }}"
+## @param existingSecret Name of existing secret containing Ghost credentials
+## NOTE: Must contain key `ghost-password`
+## NOTE: When it's set, the `ghostPassword` parameter is ignored
+##
+existingSecret: ""
+## @param ghostEmail Ghost user email
+##
+ghostEmail: {{ .Values.globals.ghost.ghostEmail }}
+## @param ghostBlogTitle Ghost Blog title
+##
+ghostBlogTitle: User's Blog
+## @param ghostHost Ghost host to create application URLs
+##
+ghostHost: {{ .Values.globals.ghost.primaryHost }}
+## @param ghostPath URL sub path where to server the Ghost application
+##
+ghostPath: /
+## @param ghostEnableHttps Configure Ghost to build application URLs using https
+##
+## This turns on whether URLs like the home page button use HTTPS URL schemes. 
+## If you turn this on, then shit will break because it seems like
+## the reverse proxy (or any client) encounters a 301 redirect to https from
+## ghost, but then ghost doesn't actually serve HTTPS so the reverse proxy
+## ends up 501 internal server error'ing. We _do_ want to have HTTPS URLS in
+## Ghost, so we need to turn this on, and for some ABSOLUTELY UNGODLY REASON,
+## if I turn this on (and thereby making every request 501 error) AND THEN turn
+## it off again (allowing normal traffic again), we continue generating HTTPS
+## URLs. I'm going to fucking punch my monitor.
+##
+## - Tony
+ghostEnableHttps: false
+## SMTP mail delivery configuration
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/ghost/#smtp-configuration
+## @param smtpHost SMTP server host
+## @param smtpPort SMTP server port
+## @param smtpUser SMTP username
+## @param smtpPassword SMTP user password
+## @param smtpService SMTP service
+## @param smtpProtocol SMTP protocol (ssl or tls)
+##
+smtpHost: ""
+smtpPort: ""
+smtpUser: ""
+smtpPassword: ""
+smtpService: ""
+smtpProtocol: ""
+## @param smtpExistingSecret The name of an existing secret with SMTP credentials
+## NOTE: Must contain key `smtp-password`
+## NOTE: When it's set, the `smtpPassword` parameter is ignored
+##
+smtpExistingSecret: ""
+## @param allowEmptyPassword Allow the container to be started with blank passwords
+##
+allowEmptyPassword: false
+## @param ghostSkipInstall Skip performing the initial bootstrapping for Ghost
+##
+ghostSkipInstall: false
+## @param command Override default container command (useful when using custom images)
+##
+command: []
+## @param args Override default container args (useful when using custom images)
+##
+args: []
+## @param extraEnvVars Array with extra environment variables to add to the Ghost container
+## e.g:
+## extraEnvVars:
+## - name: FOO
+## value: "bar"
+##
+extraEnvVars: []
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+## 
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
+##
+extraEnvVarsSecret: ""
+## @section Ghost deployment parameters
+
+## @param replicaCount Number of Ghost replicas to deploy
+## NOTE: ReadWriteMany PVC(s) are required if replicaCount > 1
+##
+replicaCount: 1
+## @param updateStrategy.type Ghost deployment strategy type
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+## NOTE: Set it to `Recreate` if you use a PV that cannot be mounted on multiple pods
+## e.g:
+## updateStrategy:
+## type: RollingUpdate
+## rollingUpdate:
+## maxSurge: 25%
+## maxUnavailable: 25%
+##
+updateStrategy:
+ type: RollingUpdate
+## @param priorityClassName Ghost pod priority class name
+##
+priorityClassName: ""
+## @param schedulerName Name of the k8s scheduler (other than default)
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param topologySpreadConstraints Topology Spread Constraints for pod assignment
+## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+## The value is evaluated as a template
+##
+topologySpreadConstraints: []
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
+## @param hostAliases Ghost pod host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param extraVolumes Optionally specify extra list of additional volumes for Ghost pods
+##
+extraVolumes: []
+## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Ghost container(s)
+##
+extraVolumeMounts: []
+## @param sidecars Add additional sidecar containers to the Ghost pod
+## e.g:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234 
+##
+sidecars: []
+## @param initContainers Add additional init containers to the Ghost pods
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+## e.g:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+initContainers: []
+## Pod Disruption Budget configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
+## @param pdb.create Enable/disable a Pod Disruption Budget creation
+## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
+##
+pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
+## @param lifecycleHooks Add lifecycle hooks to the Ghost deployment
+##
+lifecycleHooks: {}
+## @param podLabels Extra labels for Ghost pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations Annotations for Ghost pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard`
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Node affinity preset
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+##
+nodeAffinityPreset:
+ ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
+ ##
+ key: ""
+ ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+## @param affinity Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+## NOTE: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+##
+affinity: {}
+## @param nodeSelector Node labels for pod assignment
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+##
+nodeSelector: {}
+## @param tolerations Tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## Ghost containers' resource requests and limits
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+##
+resourcesPreset: "medium"
+## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+## Example:
+## resources:
+## requests:
+## cpu: 2
+## memory: 512Mi
+## limits:
+## cpu: 3
+## memory: 1024Mi
+##
+resources: {}
+## Container ports
+## @param containerPorts.http Ghost HTTP container port
+## @param containerPorts.https Ghost HTTPS container port
+##
+containerPorts:
+ http: 2368
+ https: 2368
+## @param extraContainerPorts Optionally specify extra list of additional ports for WordPress container(s)
+## e.g:
+## extraContainerPorts:
+## - name: myservice
+## containerPort: 9090
+##
+extraContainerPorts: []
+## Configure Pods Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enabled Ghost pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
+## @param podSecurityContext.fsGroup Set Ghost pod's Security Context fsGroup
+##
+podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+## Configure Container Security Context (only main container)
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param containerSecurityContext.enabled Enabled containers' Security Context
+## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup 
Set containers' Security Context runAsGroup
+## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+## @param containerSecurityContext.privileged Set container's Security Context privileged
+## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
+## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ # capabilities:
+ # drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+## Configure extra options for Ghost containers' liveness, readiness and startup probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: false
+ initialDelaySeconds: 120
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+## @param livenessProbe.enabled Enable livenessProbe
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for 
livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 120
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+## @param readinessProbe.enabled Enable readinessProbe
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 6
+ successThreshold: 1
+## @param customLivenessProbe Custom livenessProbe that overrides the default one
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Custom readinessProbe that overrides the default one
+#
+# The default httpGet probe fails, and I think it's because of this:
+# - We enabled ghostEnableHttps
+# - The httpGet probe probes for http://xyz:2368, which then redirects to
+# https://xyz:2368
+# - However, Ghost itself does not provide TLS. That option just makes HTTP
+# redirect to HTTPS
+# - The probe is now expecting TLS, but Ghost is still sending regular HTTP
+# and the probe thus fails
+#
+# So we're just gonna do a TCP port check. The alternative is curl'ing and
+# expecting a 301 response, but that doesn't seem much better than the TCP
+# check, especially since it's so simple. 
+customReadinessProbe:
+ exec:
+ command:
+ - "true"
+ # tcpSocket:
+ # port: 2368
+
+## @section Traffic Exposure Parameters
+
+## Ghost service parameters
+##
+service:
+ ## @param service.type Ghost service type
+ ##
+ type: ClusterIP
+ ## @param service.ports.http Ghost service HTTP port
+ ## @param service.ports.https Ghost service HTTPS port
+ ##
+ ports:
+ http: 80
+ https: 443
+ ## Node ports to expose
+ ## @param service.nodePorts.http Node port for HTTP
+ ## @param service.nodePorts.https Node port for HTTPS
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ http: ""
+ https: ""
+ ## @param service.clusterIP Ghost service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.loadBalancerIP Ghost service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges Ghost service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.externalTrafficPolicy Ghost service external traffic policy
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param service.annotations Additional custom annotations for Ghost service
+ ##
+ annotations: {}
+ ## @param service.extraPorts Extra port to expose on Ghost service
+ ##
+ extraPorts: []
+ ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## 
@param service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ sessionAffinityConfig: {}
+## Configure the ingress resource that allows you to access the Ghost installation
+## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+ingress:
+ ## @param ingress.enabled Enable ingress record generation for Ghost
+ ##
+ enabled: true
+ ## @param ingress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param ingress.hostname Default host for the ingress record
+ ##
+ hostname: {{ .Values.globals.ghost.primaryHost }}
+ ## @param ingress.path Default path for the ingress record
+ ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
+ ##
+ path: /
+ ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## For a full list of possible ingress annotations, please see
+ ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ##
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations:
+ kubernetes.io/ingress.class: {{ .Values.globals.ghost.ingressClass }}
+ cert-manager.io/cluster-issuer: {{ .Values.globals.certs.issuerName }}
+ ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `\{\{- printf "%s-tls" .Values.ingress.hostname \}\}`
+ ## You can:
+ ## - Use the `ingress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
+ ##
+ tls: true
+ ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: ghost.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
+ ## e.g:
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## e.g:
+ ## extraTls:
+ ## - hosts:
+ ## - ghost.local + 
## secretName: ghost.local-tls
+ ##
+ extraTls: []
+ ## @param ingress.secrets Custom TLS certificates as secrets
+ ## NOTE: 'key' and 'certificate' are expected in PEM format
+ ## NOTE: 'name' should line up with a 'secretName' set further up
+ ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
+ ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## secrets:
+ ## - name: ghost.local-tls
+ ## key: |-
+ ## REDACTED
+ ## ...
+ ## REDACTED
+ ## certificate: |-
+ ## -----BEGIN CERTIFICATE-----
+ ## ...
+ ## -----END CERTIFICATE-----
+ ##
+ secrets: []
+ ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: {{ .Values.globals.ghost.ingressClass }}
+ ## @param ingress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: example.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: example-svc
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+## @section Persistence Parameters
+
+## Persistence Parameters
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+##
+persistence:
+ ## @param persistence.enabled Enable persistence using Persistent Volume Claims
+ ##
+ enabled: true
+ ## @param persistence.storageClass Persistent Volume storage class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner
+ ##
+ storageClass: ""
+ ## @param persistence.annotations Additional custom annotations for the PVC
+ ##
+ annotations: {}
+ ## @param persistence.accessModes [array] Persistent Volume access modes
+ ##
+ accessModes:
+ - ReadWriteMany
+ ## @param persistence.size Persistent Volume size
+ ##
+ size: 8Gi
+ ## @param persistence.existingClaim The name of an existing PVC to use for persistence
+ ##
+ existingClaim: ""
+ ## @param persistence.subPath The name of a volume's sub path to mount for persistence
+ ##
+ subPath: ""
+## 'volumePermissions' init container parameters
+## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
+## based on the podSecurityContext/containerSecurityContext parameters
+##
+volumePermissions:
+ ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
+ ##
+ enabled: 
false + ## OS Shell + Utility image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository + ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy + ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r35 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Init container Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param volumePermissions.securityContext.runAsUser Set init container's Security Context runAsUser
+ ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
+ ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
+ ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
+ ##
+ securityContext:
+ seLinuxOptions: {}
+ runAsUser: 0
+## @section Database Parameters
+
+## MySQL chart configuration
+## ref: https://github.com/bitnami/charts/blob/main/bitnami/mysql/values.yaml
+##
+mysql:
+ ## @param mysql.enabled Deploy a MySQL server to satisfy the applications database requirements
+ ## To use an external database set this to false and configure the `externalDatabase` parameters
+ ##
+ enabled: false
+ ## @param mysql.architecture MySQL architecture. Allowed values: `standalone` or `replication`
+ ##
+ architecture: standalone
+ ## MySQL Authentication parameters
+ ## @param mysql.auth.rootPassword MySQL root password
+ ## @param mysql.auth.database MySQL custom database
+ ## @param mysql.auth.username MySQL custom user name
+ ## @param mysql.auth.password MySQL custom user password
+ ## @param mysql.auth.existingSecret Existing secret with MySQL credentials
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#setting-the-root-password-on-first-run
+ ## https://github.com/bitnami/containers/tree/main/bitnami/mysql/#creating-a-database-on-first-run
+ ## https://github.com/bitnami/containers/tree/main/bitnami/mysql/#creating-a-database-user-on-first-run
+ auth:
+ rootPassword: "password"
+ database: bitnami_ghost
+ username: bn_ghost
+ password: "password"
+ existingSecret: ""
+ ## MySQL Primary configuration
+ ##
+ primary:
+ ## MySQL Primary Persistence parameters
+ ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+ ## @param mysql.primary.persistence.enabled Enable persistence on MySQL using PVC(s)
+ ## @param mysql.primary.persistence.storageClass Persistent Volume storage class
+ ## @param mysql.primary.persistence.accessModes [array] Persistent Volume access modes
+ ## @param mysql.primary.persistence.size Persistent Volume size
+ ##
+ persistence:
+ enabled: true
+ storageClass: ""
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ ## MySQL primary container's resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param mysql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "small"
+ ## @param mysql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+## External Database Configuration
+## All of these values are only used if `mysql.enabled=false`
+##
+externalDatabase:
+ ## @param externalDatabase.host External Database server host
+ ##
+ host: mysql.{{ .Values.globals.mysql.namespace }}.svc.cluster.local
+ ## @param externalDatabase.port External Database server port
+ ##
+ port: 3306
+ ## @param externalDatabase.user External Database username
+ ##
+ user: {{ .Values.globals.ghost.mysql.username }}
+ ## @param externalDatabase.password External Database user password
+ ##
+ password: {{ .Values.globals.ghost.mysql.password }}
+ ## @param externalDatabase.database External Database database name
+ ##
+ database: {{ .Values.globals.ghost.mysql.database }}
+ ## @param externalDatabase.existingSecret The name of an existing secret with database credentials
+ ## NOTE: Must contain key `mysql-password`
+ ## NOTE: When it's set, the `externalDatabase.password` parameter is ignored
+ ##
+ existingSecret: ""
+ ## @param externalDatabase.ssl External Database ssl
+ ##
+ ssl: false
+ ## @param externalDatabase.sslCaFile External Database ssl CA filepath
+ ##
+ sslCaFile: ""
+## @section NetworkPolicy parameters
+
+## Network Policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+
+## Pods Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+## @param serviceAccount.create Specifies whether a ServiceAccount should be created
+## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
+## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
+## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+##
+serviceAccount:
+ create: true
+ name: ""
+ automountServiceAccountToken: false
+ annotations: {}
+
diff --git a/proxmox/k8s/helmfile.d/values/gitea/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/gitea/values.yaml.gotmpl
new file mode 100644
index 0000000..c688966
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/gitea/values.yaml.gotmpl
@@ -0,0 +1,782 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+##
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
+## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ defaultStorageClass: ""
+ storageClass: ""
+ ## Security parameters
+ ##
+ security:
+ ## @param global.security.allowInsecureImages Allows skipping image verification
+ allowInsecureImages: false
+ ## Compatibility adaptations for Kubernetes platforms
+ ##
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: auto
+## @section Common parameters
+##
+
+## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
+##
+kubeVersion: ""
+## @param nameOverride String to partially override gitea.fullname template (will maintain the release name)
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override gitea.fullname template
+##
+fullnameOverride: ""
+## @param namespaceOverride String to fully override common.names.namespace
+##
+namespaceOverride: ""
+## @param commonAnnotations Common annotations to add to all Gitea resources (sub-charts are not considered). Evaluated as a template
+##
+commonAnnotations: {}
+## @param commonLabels Common labels to add to all Gitea resources (sub-charts are not considered). Evaluated as a template
+##
+commonLabels: {}
+## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template).
+##
+extraDeploy: []
+## @section Gitea parameters
+##
+
+## Bitnami Gitea image version
+## ref: https://hub.docker.com/r/bitnami/gitea/tags/
+## @param image.registry [default: REGISTRY_NAME] Gitea image registry
+## @param image.repository [default: REPOSITORY_NAME/gitea] Gitea Image name
+## @skip image.tag Gitea Image tag
+## @param image.digest Gitea image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy Gitea image pull policy
+## @param image.pullSecrets Specify docker-registry secret names as an array
+## @param image.debug Specify if debug logs should be enabled
+##
+image:
+ registry: docker.io
+ repository: bitnami/gitea
+ tag: 1.23.1-debian-12-r3
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Set to true if you would like to see extra information on logs
+ ##
+ debug: false
+## @param adminUsername User of the application
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration
+##
+adminUsername: bn_user
+## @param adminPassword Application password
+## Defaults to a random 10-character alphanumeric string if not set
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration
+##
+adminPassword: ""
+## @param adminEmail Admin email
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration
+##
+adminEmail: user@example.com
+## @param appName Gitea application name
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration
+##
+appName: example
+## @param runMode Gitea application host
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration
+##
+runMode: prod
+## @param exposeSSH Make the SSH server accesible
+##
+exposeSSH: true
+## @param rootURL UI Root URL (for link generation)
+##
+rootURL: ""
+## @param command Override default container command (useful when using custom images)
+##
+command: []
+## @param args Override default container args (useful when using custom images)
+##
+args: []
+## @param updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached
+## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
+## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
+## terminate the single previous pod, so that the new, incoming pod can attach to the PV
+##
+updateStrategy:
+ type: RollingUpdate
+## @param priorityClassName Gitea pods' priorityClassName
+##
+priorityClassName: ""
+## @param schedulerName Name of the k8s scheduler (other than default)
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param topologySpreadConstraints Topology Spread Constraints for pod assignment
+## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+## The value is evaluated as a template
+##
+topologySpreadConstraints: []
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
+## @param hostAliases [array] Add deployment host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param extraEnvVars Extra environment variables
+## For example:
+##
+extraEnvVars: []
+# - name: BEARER_AUTH
+# value: true
+## @param extraEnvVarsCM ConfigMap containing extra env vars
+##
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data)
+##
+extraEnvVarsSecret: ""
+## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts`
+##
+extraVolumes: []
+## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`.
+##
+extraVolumeMounts: []
+## @param initContainers Add additional init containers to the pod (evaluated as a template)
+##
+initContainers: []
+## Pod Disruption Budget configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
+## @param pdb.create Enable/disable a Pod Disruption Budget creation
+## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
+##
+pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
+## @param sidecars Attach additional containers to the pod (evaluated as a template)
+##
+sidecars: []
+## @param tolerations Tolerations for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## @param existingSecret Name of a secret with the application password
+##
+existingSecret: ""
+## @param existingSecretKey Key inside the existing secret containing the password
+##
+existingSecretKey: "admin-password"
+## SMTP mail delivery configuration
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea/#smtp-configuration
+## @param smtpHost SMTP host
+## @param smtpPort SMTP port
+## @param smtpUser SMTP user
+## @param smtpPassword SMTP password
+##
+smtpHost: ""
+smtpPort: ""
+smtpUser: ""
+smtpPassword: ""
+## @param smtpExistingSecret The name of an existing secret with SMTP credentials
+## NOTE: Must contain key `smtp-password`
+## NOTE: When it's set, the `smtpPassword` parameter is ignored
+##
+smtpExistingSecret: ""
+## @param containerPorts [object] Container ports
+##
+containerPorts:
+ http: 3000
+ ssh: 2222
+## @param extraContainerPorts Optionally specify extra list of additional ports for Gitea container(s)
+## e.g:
+## extraContainerPorts:
+## - name: myservice
+## containerPort: 9090
+##
+extraContainerPorts: []
+## Enable OpenID Configurations
+## @param openid.enableSignIn Enable sign in with OpenID
+## @param openid.enableSignUp Enable sign up with OpenID
+openid:
+ enableSignIn: false
+ enableSignUp: false
+## Enable persistence using Persistent Volume Claims
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+##
+persistence:
+ ## @param persistence.enabled Enable persistence using PVC
+ ##
+ enabled: true
+ ## @param persistence.storageClass PVC Storage Class for Gitea volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: ""
+ ## @param persistence.accessModes PVC Access Mode for Gitea volume
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param persistence.size PVC Storage Request for Gitea volume
+ ##
+ size: 8Gi
+ ## @param persistence.dataSource Custom PVC data source
+ ##
+ dataSource: {}
+ ## @param persistence.existingClaim A manually managed Persistent Volume Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ ##
+ existingClaim: ""
+ ## @param persistence.hostPath If defined, the gitea-data volume will mount to the specified hostPath.
+ ## Requires persistence.enabled: true
+ ## Requires persistence.existingClaim: nil|false
+ ## Default: nil.
+ ##
+ hostPath: ""
+ ## @param persistence.annotations Persistent Volume Claim annotations
+ ##
+ annotations: {}
+ ## @param persistence.selector Selector to match an existing Persistent Volume for Gitea data PVC
+ ## If set, the PVC can't have a PV dynamically provisioned for it
+ ## E.g.
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Node affinity preset
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
+## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
+##
+nodeAffinityPreset:
+ type: ""
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+## @param affinity Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+##
+affinity: {}
+## @param nodeSelector Node labels for pod assignment. Evaluated as a template.
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+##
+nodeSelector: {}
+## Gitea container's resource requests and limits
+## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+##
+resourcesPreset: "micro"
+## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+## Example:
+## resources:
+## requests:
+## cpu: 2
+## memory: 512Mi
+## limits:
+## cpu: 3
+## memory: 1024Mi
+##
+resources: {}
+## Configure Pods Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enable Gitea pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
+## @param podSecurityContext.fsGroup Gitea pods' group ID
+##
+podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+## Configure Container Security Context (only main container)
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param containerSecurityContext.enabled Enabled containers' Security Context
+## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+## @param containerSecurityContext.privileged Set container's Security Context privileged
+## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
+## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+##
+containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+## Configure extra options for startup probe
+## Gitea core exposes / to unauthenticated requests, making it a good
+## default startup and readiness path. However, that may not always be the
+## case. For example, if the image value is overridden to an image containing a
+## module that alters that route, or an image that does not auto-install Gitea.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.path Request path for startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: false
+ path: /
+ initialDelaySeconds: 600
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 5
+ successThreshold: 1
+## Configure extra options for liveness probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param livenessProbe.enabled Enable livenessProbe
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 600
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 5
+ successThreshold: 1
+## Configure extra options for readiness probe
+## Gitea core exposes / to unauthenticated requests, making it a good
+## default startup and readiness path. However, that may not always be the
+## case. For example, if the image value is overridden to an image containing a
+## module that alters that route, or an image that does not auto-install Gitea.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param readinessProbe.enabled Enable readinessProbe
+## @param readinessProbe.path Request path for readinessProbe
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ path: /
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 5
+ successThreshold: 1
+## @param customStartupProbe Override default startup probe
+##
+customStartupProbe: {}
+## @param customLivenessProbe Override default liveness probe
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Override default readiness probe
+##
+customReadinessProbe: {}
+## @param lifecycleHooks LifecycleHook to set additional configuration at startup Evaluated as a template
+##
+lifecycleHooks: {}
+## @param podAnnotations Pod annotations
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param podLabels Add additional labels to the pod (evaluated as a template)
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @section Traffic Exposure Parameters
+##
+
+## Kubernetes configuration. For minikube, set this to NodePort, elsewhere use LoadBalancer
+##
+service:
+ ## @param service.type Kubernetes Service type
+ ##
+ type: LoadBalancer
+ ## @param service.ports.http Service HTTP port
+ ## @param service.ports.ssh Service SSH port
+ ##
+ ports:
+ http: 80
+ ssh: 22
+ ## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`)
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 0.0.0.0/0
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.loadBalancerIP loadBalancerIP for the Gitea Service (optional, cloud specific)
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.nodePorts [object] Kubernetes node port
+ ## nodePorts:
+ ## http:
+ ## https:
+ ##
+ nodePorts:
+ http: ""
+ ssh: ""
+ ## @param service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param service.clusterIP Gitea service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param service.annotations Additional custom annotations for Gitea service
+ ##
+ annotations: {}
+ ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP",
consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +## Configure the ingress resource that allows you to access the +## Gitea installation. Set up the URL +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress controller resource + ## + enabled: false + ## @param ingress.pathType Ingress Path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Override API Version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: "gitea.local" + ## @param ingress.path The Path to Gitea. You may need to set this to '/*' in order to use this + ## with ALB ingress controllers. + ## + path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## + tls: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## extraHosts: + ## - name: gitea.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. 
+ ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - gitea.local + ## secretName: gitea.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## REDACTED + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## Example: + ## - name: gitea.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] +## @section Other Parameters +## + +## Service account for Gitea to use. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for Gitea pod + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## @section Database parameters +## + +## PostgreSQL chart configuration +## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.username Name for a custom user to create +## @param postgresql.auth.password Password for the custom user to create +## @param postgresql.auth.database Name for a custom database to create +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) +## @param postgresql.service.ports.postgresql PostgreSQL service port +## +postgresql: + enabled: false + auth: + username: bn_gitea + password: "" + database: bitnami_gitea + existingSecret: "" + architecture: standalone + service: + ports: + postgresql: 5432 +## External PostgreSQL configuration +## All of these values are only used when postgresql.enabled is set to false +## @param externalDatabase.host Database host +## @param externalDatabase.port Database port number +## @param externalDatabase.user Non-root username for JupyterHub +## @param externalDatabase.password Password for the non-root username for JupyterHub +## @param externalDatabase.database JupyterHub database name +## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials +## @param externalDatabase.existingSecretPasswordKey 
Name of an existing secret key containing the database credentials +## +externalDatabase: + host: postgres-postgresql.{{ .Values.globals.postgres.namespace }}.svc.cluster.local + port: 5432 + user: {{ .Values.globals.gitea.postgres.username }} + database: {{ .Values.globals.gitea.postgres.database }} + password: {{ .Values.globals.gitea.postgres.password }} + existingSecret: "" + existingSecretPasswordKey: "db-password" +## @section Volume Permissions parameters +## + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name + ## @skip volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r35 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init containers' resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + diff --git a/proxmox/k8s/helmfile.d/values/gitlab/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/gitlab/values.yaml.gotmpl new file mode 100644 index 0000000..dbcda86 --- /dev/null +++ b/proxmox/k8s/helmfile.d/values/gitlab/values.yaml.gotmpl 
@@ -0,0 +1,1398 @@
+## NOTICE
+#
+# Due to the scope and complexity of this chart, all possible values are
+# not documented in this file. Extensive documentation is available.
+#
+# Please read the docs: https://docs.gitlab.com/charts/
+#
+# Because properties are regularly added, updated, or relocated, it is
+# _strongly suggest_ to not "copy and paste" this YAML. Please provide
+# Helm only those properties you need, and allow the defaults to be
+# provided by the version of this chart at the time of deployment.
+
+## Advanced Configuration
+## https://docs.gitlab.com/charts/advanced
+#
+# Documentation for advanced configuration, such as
+# - External PostgreSQL
+# - External Gitaly
+# - External Redis
+# - External NGINX
+# - External Object Storage providers
+# - PersistentVolume configuration
+
+## The global properties are used to configure multiple charts at once.
+## https://docs.gitlab.com/charts/charts/globals
+global:
+ common:
+ labels: {}
+
+ image: {}
+ # Registry value override is only available for the following Charts:
+ # - Spamcheck
+ # - Mailroom
+ # If specifying a value here, be sure to also configure
+ # `gitlab..image.repository` to a value that does not
+ # include the default registry domain `registry.gitlab.com`.
+ # Support for other charts is coming as an iterative rollout.
+ # See https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2859
+ # for more information.
+ # registry:
+
+ # pullPolicy: IfNotPresent
+ # pullSecrets: []
+ # tagSuffix: ""
+
+ ## Supplemental Pod labels. Will not be used for selectors.
+ pod:
+ labels: {}
+
+ ## https://docs.gitlab.com/charts/installation/deployment#deploy-the-community-edition
+ edition: ee
+
+ ## https://docs.gitlab.com/charts/charts/globals#gitlab-version
+ gitlabVersion: "17.8.1"
+
+ ## https://docs.gitlab.com/charts/charts/globals#application-resource
+ application:
+ create: false
+ links: []
+ allowClusterRoles: true
+ ## https://docs.gitlab.com/charts/charts/globals#configure-host-settings
+ hosts:
+ domain: example.com
+ hostSuffix:
+ https: true
+ externalIP:
+ ssh:
+ gitlab: {}
+ minio: {}
+ registry: {}
+ tls: {}
+ smartcard: {}
+ kas: {}
+ pages: {}
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings
+ ingress:
+ apiVersion: ""
+ configureCertmanager: true
+ useNewIngressForCerts: false
+ provider: nginx
+ # class:
+ annotations: {}
+ enabled: true
+ tls: {}
+ # enabled: true
+ # secretName:
+ path: /
+ pathType: Prefix
+
+ # Override the API version to use for HorizontalPodAutoscaler
+ hpa:
+ apiVersion: ""
+
+ # Enable KEDA globally (https://keda.sh/)
+ keda:
+ enabled: false
+
+ # Override the API version to use for PodDisruptionBudget
+ pdb:
+ apiVersion: ""
+
+ # Override the API version to use for CronJob
+ batch:
+ cronJob:
+ apiVersion: ""
+
+ # Override enablement of ServiceMonitor and PodMonitor objects.
+ monitoring:
+ enabled: false
+
+ gitlab:
+ ## Enterprise license for this GitLab installation
+ ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-enterprise-license
+ ## If allowing shared-secrets generation, this is OPTIONAL.
+ license: {}
+ # secret: RELEASE-gitlab-license
+ # key: license
+
+ ## Initial root password for this GitLab installation
+ ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#initial-root-password
+ ## If allowing shared-secrets generation, this is OPTIONAL.
+ initialRootPassword: {}
+ # secret: RELEASE-gitlab-initial-root-password
+ # key: password
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-postgresql-settings
+ psql:
+ connectTimeout:
+ keepalives:
+ keepalivesIdle:
+ keepalivesInterval:
+ keepalivesCount:
+ tcpUserTimeout:
+ password: {}
+ # useSecret:
+ # secret:
+ # key:
+ # file:
+ # host: postgresql.hostedsomewhere.else
+ # port: 123
+ # username: gitlab
+ # database: gitlabhq_production
+ # applicationName:
+ # preparedStatements: false
+ # databaseTasks: true
+ main: {}
+ # host: postgresql.hostedsomewhere.else
+ # port: 123
+ # username: gitlab
+ # database: gitlabhq_production
+ # applicationName:
+ # preparedStatements: false
+ # databaseTasks: true
+ ci: {}
+ # host: postgresql.hostedsomewhere.else
+ # port: 123
+ # username: gitlab
+ # database: gitlabhq_production_ci
+ # applicationName:
+ # preparedStatements: false
+ # databaseTasks: false
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-redis-settings
+ redis:
+ auth:
+ enabled: true
+ # secret:
+ # key:
+ # connectTimeout: 1
+ # readTimeout: 1
+ # writeTimeout: 1
+ # host: redis.hostedsomewhere.else
+ # port: 6379
+ # database: 0
+ # user: webservice
+ # sentinels:
+ # - host:
+ # port:
+ sentinelAuth:
+ enabled: false
+ # secret:
+ # key:
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-gitaly-settings
+ gitaly:
+ enabled: true
+ authToken: {}
+ # secret:
+ # key:
+ # serviceName:
+ internal:
+ names: [default]
+ external: []
+ service:
+ name: gitaly
+ type: ClusterIP
+ externalPort: 8075
+ internalPort: 8075
+ tls:
+ externalPort: 8076
+ internalPort: 8076
+ tls:
+ enabled: false
+ # secretName:
+
+ praefect:
+ enabled: false
+ ntpHost: pool.ntp.org
+ replaceInternalGitaly: true
+ authToken: {}
+ autoMigrate: true
+ dbSecret: {}
+ virtualStorages:
+ - name: default
+ gitalyReplicas: 3
+ maxUnavailable: 1
+ psql:
+ sslMode: disable
+ # serviceName:
+ service:
+ name: praefect
+ type: ClusterIP
+ externalPort: 8075
+ internalPort: 8075
+ tls:
+ externalPort: 8076
+ internalPort: 8076
+ tls:
+ enabled: false
+ # secretName:
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-minio-settings
+ minio:
+ enabled: true
+ credentials: {}
+ # secret:
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings
+ ## Rails based portions of this chart share many settings
+ appConfig:
+ ## https://docs.gitlab.com/charts/charts/globals#general-application-settings
+ # cdnHost:
+ enableUsagePing: true
+ enableSeatLink: true
+ enableImpersonation:
+ applicationSettingsCacheSeconds: 60
+ usernameChangingEnabled: true
+ issueClosingPattern:
+ defaultTheme:
+ defaultColorMode:
+ defaultSyntaxHighlightingTheme:
+ defaultProjectsFeatures:
+ issues: true
+ mergeRequests: true
+ wiki: true
+ snippets: true
+ builds: true
+ graphQlTimeout:
+ webhookTimeout:
+ maxRequestDurationSeconds:
+
+ ## https://docs.gitlab.com/charts/charts/globals#cron-jobs-related-settings
+ cron_jobs: {}
+ ## Flag stuck CI builds as failed
+ # stuck_ci_jobs_worker:
+ # cron: "0 * * * *"
+ ## Schedule pipelines in the near future
+ # pipeline_schedule_worker:
+ # cron: "19 * * * *"
+ ## Remove expired build artifacts
+ # expire_build_artifacts_worker:
+ # cron: "*/7 * * * *"
+ ## Periodically run 'git fsck' on all repositories.
+ # repository_check_worker:
+ # cron: "20 * * * *"
+ ## Send admin emails once a week
+ # admin_email_worker:
+ # cron: "0 0 * * 0"
+ ## Remove outdated repository archives
+ # repository_archive_cache_worker:
+ # cron: "0 * * * *"
+ ## Verify custom GitLab Pages domains
+ # pages_domain_verification_cron_worker:
+ # cron: "*/15 * * * *"
+ # schedule_migrate_external_diffs_worker:
+ # cron: "15 * * * *"
+ ## Prune stale group runners on opted-in namespaces
+ # ci_runners_stale_group_runners_prune_worker_cron:
+ # cron: "30 * * * *"
+ ## Periodically update ci_runner_versions table with up-to-date versions and status
+ # ci_runner_versions_reconciliation_worker:
+ # cron: "@daily"
+ ## Periodically clean up stale ci_runner_machines records
+ # ci_runners_stale_machines_cleanup_worker:
+ # cron: "36 * * * *"
+ # ci_click_house_finished_pipelines_sync_worker:
+ # cron: "*/4 * * * *"
+ # args: [0, 1]
+ ### GitLab Geo
+ # Geo Primary only!
+ # geo_prune_event_log_worker:
+ # cron: "*/5 * * * *"
+ ## GitLab Geo repository sync worker
+ # geo_repository_sync_worker:
+ # cron: "*/5 * * * *"
+ ## GitLab Geo file download dispatch worker
+ # geo_file_download_dispatch_worker:
+ # cron: "*/10 * * * *"
+ ## GitLab Geo repository verification primary batch worker
+ # geo_repository_verification_primary_batch_worker:
+ # cron: "*/5 * * * *"
+ ## GitLab Geo repository verification secondary scheduler worker
+ # geo_repository_verification_secondary_scheduler_worker:
+ # cron: "*/5 * * * *"
+ ## GitLab Geo migrated local files clean up worker
+ # geo_migrated_local_files_clean_up_worker:
+ # cron: "15 */6 * * *"
+ ### LDAP
+ # ldap_sync_worker:
+ # cron: "30 1 * * *"
+ # ldap_group_sync_worker:
+ # cron: "0 * * * *"
+ ### Snapshot active user statistics
+ # historical_data_worker:
+ # cron: "0 12 * * *"
+ # loose_foreign_keys_cleanup_worker_cron:
+ # cron: "*/5 * * * *"
+
+ ## https://docs.gitlab.com/charts/charts/globals#content-security-policy
+ contentSecurityPolicy:
+ enabled: false
+ report_only: true
+ # directives: {}
+
+ ## https://docs.gitlab.com/charts/charts/globals#gravatarlibravatar-settings
+ gravatar:
+ plainUrl:
+ sslUrl:
+
+ ## https://docs.gitlab.com/charts/charts/globals#hooking-analytics-services-to-the-gitlab-instance
+ extra:
+ googleAnalyticsId:
+ matomoUrl:
+ matomoSiteId:
+ matomoDisableCookies:
+ oneTrustId:
+ googleTagManagerNonceId:
+ bizible:
+
+ ## https://docs.gitlab.com/charts/charts/globals#lfs-artifacts-uploads-packages-external-mr-diffs-and-dependency-proxy
+ object_store:
+ enabled: false
+ proxy_download: true
+ storage_options: {}
+ # server_side_encryption:
+ # server_side_encryption_kms_key_id
+ connection: {}
+ # secret:
+ # key:
+ lfs:
+ enabled: true
+ proxy_download: true
+ bucket: git-lfs
+ connection: {}
+ # secret:
+ # key:
+ artifacts:
+ enabled: true
+ proxy_download: true
+ bucket: gitlab-artifacts
+ connection: {}
+ # secret:
+ # key:
+ uploads:
+ enabled: true
+ proxy_download: true
+ bucket: gitlab-uploads
+ connection: {}
+ # secret:
+ # key:
+ packages:
+ enabled: true
+ proxy_download: true
+ bucket: gitlab-packages
+ connection: {}
+ externalDiffs:
+ enabled: false
+ when:
+ proxy_download: true
+ bucket: gitlab-mr-diffs
+ connection: {}
+ terraformState:
+ enabled: false
+ bucket: gitlab-terraform-state
+ connection: {}
+ ciSecureFiles:
+ enabled: false
+ bucket: gitlab-ci-secure-files
+ connection: {}
+ dependencyProxy:
+ enabled: false
+ proxy_download: true
+ bucket: gitlab-dependency-proxy
+ connection: {}
+
+ backups:
+ bucket: gitlab-backups
+ tmpBucket: tmp
+
+ ## https://docs.gitlab.com/charts/charts/globals#outgoing-email
+ ## Microsoft Graph Mailer settings
+ microsoft_graph_mailer:
+ enabled: false
+ user_id: ""
+ tenant: ""
+ client_id: ""
+ client_secret:
+ secret: ""
+ key: secret
+ azure_ad_endpoint: "https://login.microsoftonline.com"
+ graph_endpoint: "https://graph.microsoft.com"
+
+ ## https://docs.gitlab.com/charts/installation/command-line-options.html#incoming-email-configuration
+ ## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#incoming-email
+ incomingEmail:
+ enabled: false
+ address: ""
+ host: "imap.gmail.com"
+ port: 993
+ ssl: true
+ startTls: false
+ user: ""
+ password:
+ secret: ""
+ key: password
+ deleteAfterDelivery: true
+ expungeDeleted: false
+ logger:
+ logPath: "/dev/stdout"
+ mailbox: inbox
+ idleTimeout: 60
+ inboxMethod: "imap"
+ clientSecret:
+ key: secret
+ pollInterval: 60
+ deliveryMethod: webhook
+ authToken: {}
+ # secret:
+ # key:
+
+ ## https://docs.gitlab.com/charts/charts/gitlab/mailroom/index.html#service-desk-email
+ serviceDeskEmail:
+ enabled: false
+ address: ""
+ host: "imap.gmail.com"
+ port: 993
+ ssl: true
+ startTls: false
+ user: ""
+ password:
+ secret: ""
+ key: password
+ deleteAfterDelivery: true
+ expungeDeleted: false
+ logger:
+ logPath: "/dev/stdout"
+ mailbox: inbox
+ idleTimeout: 60
+ inboxMethod: "imap"
+ clientSecret:
+ key: secret
+ pollInterval: 60
+ deliveryMethod: webhook
+ authToken: {}
+ # secret:
+ # key:
+
+ ## https://docs.gitlab.com/charts/charts/globals#ldap
+ ldap:
+ # prevent the use of LDAP for sign-in via web.
+ preventSignin: false
+ servers: {}
+ ## See documentation for complete example of a configured LDAP server
+
+ duoAuth:
+ enabled: false
+ # hostname:
+ # integrationKey:
+ # secretKey:
+ # secret:
+ # key:
+
+ ## https://docs.gitlab.com/charts/charts/globals#kas-settings
+ gitlab_kas: {}
+ # secret:
+ # key:
+ # enabled:
+ # externalUrl:
+ # internalUrl:
+
+ ## https://docs.gitlab.com/charts/charts/globals#suggested-reviewers-settings
+ suggested_reviewers: {}
+ # secret:
+ # key:
+
+ ## https://docs.gitlab.com/charts/charts/globals#omniauth
+ omniauth:
+ enabled: false
+ autoSignInWithProvider:
+ syncProfileFromProvider: []
+ syncProfileAttributes: [email]
+ allowSingleSignOn: [saml]
+ blockAutoCreatedUsers: true
+ autoLinkLdapUser: false
+ autoLinkSamlUser: false
+ autoLinkUser: []
+ externalProviders: []
+ allowBypassTwoFactor: []
+ providers: []
+ # - secret: gitlab-google-oauth2
+ # key: provider
+
+ ## https://docs.gitlab.com/charts/charts/globals#kerberos
+ kerberos:
+ enabled: false
+ keytab:
+ # secret:
+ key: keytab
+ servicePrincipalName: ""
+ krb5Config: ""
+ dedicatedPort:
+ enabled: false
+ port: 8443
+ https: true
+ simpleLdapLinkingAllowedRealms: []
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-appconfig-settings
+ sentry:
+ enabled: false
+ dsn:
+ clientside_dsn:
+ environment:
+
+ gitlab_docs:
+ enabled: false
+ host: ""
+
+ smartcard:
+ enabled: false
+ CASecret:
+ clientCertificateRequiredHost:
+ sanExtensions: false
+ requiredForGitAccess: false
+
+ sidekiq:
+ routingRules: []
+
+ # Config that only applies to the defaults on initial install
+ initialDefaults: {}
+ # signupEnabled:
+ ## End of global.appConfig
+
+ oauth:
+ gitlab-pages: {}
+ # secret:
+ # appIdKey:
+ # appSecretKey:
+ # redirectUri:
+ # authScope:
+
+ ## https://docs.gitlab.com/charts/advanced/geo/
+ geo:
+ enabled: false
+ # Valid values: primary, secondary
+ role: primary
+ ## Geo Secondary only
+ # nodeName allows multiple instances behind a load balancer.
+ nodeName: # defaults to `gitlab.gitlab.host`
+ # ingressClass:
+ # PostgreSQL connection details only needed for `secondary`
+ psql:
+ password: {}
+ # secret:
+ # key:
+ # host: postgresql.hostedsomewhere.else
+ # port: 123
+ # username: gitlab_replicator
+ # database: gitlabhq_geo_production
+ # ssl:
+ # secret:
+ # clientKey:
+ # clientCertificate:
+ # serverCA:
+ registry:
+ replication:
+ enabled: false
+ primaryApiUrl:
+ ## Consumes global.registry.notificationSecret
+
+ ## https://docs.gitlab.com/charts/charts/gitlab/kas/
+ kas:
+ enabled: true
+ service:
+ apiExternalPort: 8153 # port for connections from the GitLab backend
+ tls:
+ enabled: false
+ verify: true
+ # secretName:
+ # caSecretName:
+
+ ## https://docs.gitlab.com/charts/charts/gitlab/spamcheck/
+ spamcheck:
+ enabled: false
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-gitlab-shell
+ shell:
+ authToken: {}
+ # secret:
+ # key:
+ hostKeys: {}
+ # secret:
+ ## https://docs.gitlab.com/charts/charts/globals#tcp-proxy-protocol
+ tcp:
+ proxyProtocol: false
+
+ ## Rails application secrets
+ ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-rails-secret
+ ## If allowing shared-secrets generation, this is OPTIONAL.
+ railsSecrets: {}
+ # secret:
+
+ ## Rails generic setting, applicable to all Rails-based containers
+ rails:
+ bootsnap: # Enable / disable Shopify/Bootsnap cache
+ enabled: true
+ sessionStore:
+ sessionCookieTokenPrefix: ""
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-registry-settings
+ registry:
+ bucket: registry
+
+ certificate: {}
+ # secret:
+ httpSecret: {}
+ # secret:
+ # key:
+ notificationSecret: {}
+ # secret:
+ # key:
+ tls:
+ enabled: false
+ # secretName:
+ redis:
+ cache:
+ password: {}
+ rateLimiting:
+ password: {}
+ # https://docs.docker.com/registry/notifications/#configuration
+ notifications: {}
+ # endpoints:
+ # - name: FooListener
+ # url: https://foolistener.com/event
+ # timeout: 500ms
+ # threshold: 10 # DEPRECATED: use maxretries instead https://gitlab.com/gitlab-org/container-registry/-/issues/1243.
+ # maxretries: 5
+ # backoff: 1s
+ # headers:
+ # FooBar: ['1', '2']
+ # Authorization:
+ # secret: gitlab-registry-authorization-header
+ # SpecificPassword:
+ # secret: gitlab-registry-specific-password
+ # key: password
+ # events: {}
+
+ # Settings utilized by other services referencing registry:
+ enabled: true
+ host:
+ # port: 443
+ api:
+ protocol: http
+ serviceName: registry
+ port: 5000
+ tokenIssuer: gitlab-issuer
+
+ pages:
+ enabled: false
+ accessControl: false
+ path:
+ host:
+ port:
+ https: # default true
+ externalHttp: []
+ externalHttps: []
+ artifactsServer: true
+ localStore:
+ enabled: false
+ # path: /srv/gitlab/shared/pages
+ objectStore:
+ enabled: true
+ bucket: gitlab-pages
+ # proxy_download: true
+ connection: {}
+ # secret:
+ # key:
+ apiSecret: {}
+ # secret:
+ # key:
+ authSecret: {}
+ # secret:
+ # key:
+ namespaceInPath: false
+
+ ## GitLab Runner
+ ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret
+ ## If allowing shared-secrets generation, this is OPTIONAL.
+ runner:
+ registrationToken: {}
+ # secret:
+
+ ## https://docs.gitlab.com/charts/charts/globals#outgoing-email
+ ## Outgoing email server settings
+ smtp:
+ enabled: false
+ address: smtp.mailgun.org
+ port: 2525
+ user_name: ""
+ ## https://docs.gitlab.com/charts/installation/secrets#smtp-password
+ password:
+ secret: ""
+ key: password
+ # domain:
+ authentication: "plain"
+ starttls_auto: false
+ openssl_verify_mode: "peer"
+ open_timeout: 30
+ read_timeout: 60
+ pool: false
+
+ ## https://docs.gitlab.com/charts/charts/globals#outgoing-email
+ ## Email persona used in email sent by GitLab
+ email:
+ from: ""
+ display_name: GitLab
+ reply_to: ""
+ subject_suffix: ""
+ smime:
+ enabled: false
+ secretName: ""
+ keyName: "tls.key"
+ certName: "tls.crt"
+
+ ## Timezone for containers.
+ time_zone: UTC
+
+ ## Global Service Annotations and Labels
+ service:
+ labels: {}
+ annotations: {}
+
+ ## Global Deployment Annotations
+ deployment:
+ annotations: {}
+
+
+ # Setting a global nodeAffinity only applies to the registry chart for now.
+ # See issue https://gitlab.com/gitlab-com/gl-infra/production-engineering/-/issues/25403 for more information
+
+ nodeAffinity:
+
+ antiAffinity: soft
+ affinity:
+ podAntiAffinity:
+ topologyKey: "kubernetes.io/hostname"
+ nodeAffinity:
+ key: topology.kubernetes.io/zone
+ values: []
+
+ # Priority class assigned to pods, may be overridden for individual components
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+ priorityClassName: ""
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-workhorse-settings
+ ## Global settings related to Workhorse
+ workhorse:
+ serviceName: webservice-default
+ # scheme:
+ # host:
+ # port:
+ ## https://docs.gitlab.com/charts/installation/secrets#gitlab-workhorse-secret
+ # secret:
+ # key:
+ tls:
+ enabled: false
+
+ ## https://docs.gitlab.com/charts/charts/globals#configure-webservice
+ webservice:
+ workerTimeout: 60
+
+ ## https://docs.gitlab.com/charts/charts/globals#custom-certificate-authorities
+ # configuration of certificates container & custom CA injection
+ certificates:
+ image:
+ repository: registry.gitlab.com/gitlab-org/build/cng/certificates
+ # Default tag is `global.gitlabVersion` or `master` if the former one is undefined.
+ # tag: master
+ # pullPolicy: IfNotPresent
+ # pullSecrets: []
+ customCAs: []
+ # - secret: custom-CA
+ # - secret: more-custom-CAs
+ # keys:
+ # - custom-ca-1.crt
+ # - configMap: custom-CA-cm
+ # - configMap: more-custom-CAs-cm
+ # keys:
+ # - custom-ca-2.crt
+ # - custom-ca-3.crt
+
+ ## kubectl image used by hooks to carry out specific jobs
+ kubectl:
+ image:
+ repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
+ # Default tag is `global.gitlabVersion` or `master` if the former one is undefined.
+ # tag: master
+ # pullPolicy: IfNotPresent
+ # pullSecrets: []
+ securityContext:
+ # in most base images, this is `nobody:nogroup`
+ runAsUser: 65534
+ fsGroup: 65534
+ seccompProfile:
+ type: "RuntimeDefault"
+ gitlabBase:
+ image:
+ repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base
+ # Default tag is `global.gitlabVersion` or `master` if the former one is undefined.
+ # Charts using this image as init container support further overrides with `init.image.tag`.
+ # tag: master
+ # pullPolicy: IfNotPresent
+ # pullSecrets: []
+
+ ## https://docs.gitlab.com/charts/charts/globals#service-accounts
+ serviceAccount:
+ enabled: false
+ create: true
+ annotations: {}
+ automountServiceAccountToken: false
+ ## Name to be used for serviceAccount, otherwise defaults to chart fullname
+ # name:
+
+ ## https://docs.gitlab.com/charts/charts/globals/#tracing
+ tracing:
+ connection:
+ string: ""
+ urlTemplate: ""
+
+ zoekt:
+ gateway:
+ basicAuth: {}
+ indexer:
+ internalApi: {}
+
+ ## https://docs.gitlab.com/charts/charts/globals
+ extraEnv: {}
+ # SOME_KEY: some_value
+ # SOME_OTHER_KEY: some_other_value
+
+ ## https://docs.gitlab.com/charts/charts/globals
+ extraEnvFrom: {}
+ # MY_NODE_NAME:
+ # fieldRef:
+ # fieldPath: spec.nodeName
+ # MY_CPU_REQUEST:
+ # resourceFieldRef:
+ # containerName: test-container
+ # resource: requests.cpu
+ # SECRET_THING:
+ # secretKeyRef:
+ # name: special-secret
+ # key: special_token
+ # # optional: boolean
+ # CONFIG_STRING:
+ # configMapKeyRef:
+ # name: useful-config
+ # key: some-string
+ # # optional: boolean
+
+ ## https://docs.gitlab.com/charts/charts/globals/#jobs
+ job:
+ nameSuffixOverride:
+
+ traefik:
+ apiVersion: "" # newer apiVersion: "traefik.io/v1alpha1"
+
+## End of global
+
+upgradeCheck:
+ enabled: true
+ image: {}
+ # repository:
+ # tag:
+ # pullPolicy: IfNotPresent
+ # pullSecrets: []
+ securityContext:
+ # in alpine/debian/busybox based images, this is `nobody:nogroup`
+ runAsUser: 65534
+ fsGroup:
65534 + seccompProfile: + type: "RuntimeDefault" + ## Allow to overwrite the specific security context under which the container is running. + containerSecurityContext: + runAsUser: 65534 + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: [ "ALL" ] + tolerations: [] + annotations: {} + configMapAnnotations: {} + resources: + requests: + cpu: 50m + priorityClassName: "" + +## Settings to for the Let's Encrypt ACME Issuer +# certmanager-issuer: +# # The email address to register certificates requested from Let's Encrypt. +# # Required if using Let's Encrypt. +# email: email@example.com + +## Installation & configuration of jetstack/cert-manager +## See requirements.yaml for current version +certmanager: + installCRDs: true + nameOverride: certmanager + # Install cert-manager chart. Set to false if you already have cert-manager + # installed or if you are not using cert-manager. + install: true + # Other cert-manager configurations from upstream + # See https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/README#configuration + rbac: + create: true + +## https://docs.gitlab.com/charts/charts/nginx/ +## https://docs.gitlab.com/charts/architecture/decisions#nginx-ingress +## Installation & configuration of charts/ingress-nginx: +nginx-ingress: &nginx-ingress + enabled: true + tcpExternalConfig: "true" + controller: &nginx-ingress-controller + addHeaders: + Referrer-Policy: strict-origin-when-cross-origin + config: &nginx-ingress-controller-config + annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"" + hsts: "true" + hsts-include-subdomains: "false" + hsts-max-age: "63072000" + server-name-hash-bucket-size: "256" + use-http2: "true" + ssl-ciphers: 
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + ssl-protocols: "TLSv1.3 TLSv1.2" + server-tokens: "false" + # Configure smaller defaults for upstream-keepalive-*, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration + upstream-keepalive-connections: 100 # Limit of 100 held-open connections + upstream-keepalive-time: 30s # 30 second limit for connection reuse + upstream-keepalive-timeout: 5 # 5 second timeout to hold open idle connections + upstream-keepalive-requests: 1000 # 1000 requests per connection, before recycling + + service: + externalTrafficPolicy: "Local" + ingressClassByName: false + ingressClassResource: + name: '{{ include "ingress.class.name" $ | quote }}' + resources: + requests: + cpu: 100m + memory: 100Mi + publishService: + enabled: true + replicaCount: 2 + minAvailable: 1 + scope: + enabled: true + metrics: + enabled: true + service: + annotations: + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "10254" + prometheus.io/scrape: "true" + prometheus.io/port: "10254" + admissionWebhooks: + enabled: false + defaultBackend: + resources: + requests: + cpu: 5m + memory: 5Mi + rbac: + create: true + # Needed for k8s 1.20 and 1.21 + # https://github.com/kubernetes/ingress-nginx/issues/7510 + # https://github.com/kubernetes/ingress-nginx/issues/7519 + scope: false + serviceAccount: + create: true + +# Ingress controller to handle requests forwarded from other Geo sites. 
+# Configuration differences compared to the main nginx ingress: +# - Pass X-Forwarded-For headers as is +# - Use a different IngressClass name +nginx-ingress-geo: + <<: *nginx-ingress + enabled: false + controller: + <<: *nginx-ingress-controller + config: + <<: *nginx-ingress-controller-config + # Pass incoming X-Forwarded-* headers to upstream. Required to handle requests + # from other Geo sites. + # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers + use-forwarded-headers: true + electionID: ingress-controller-leader-geo + ingressClassResource: + name: '{{ include "gitlab.geo.ingress.class.name" $ | quote }}' + controllerValue: 'k8s.io/nginx-ingress-geo' + # A pre-defined/static external IP can be configured with global.hosts.externalGeoIP. + externalIpTpl: '{{ .Values.global.hosts.externalGeoIP }}' + +haproxy: + install: false + controller: + service: + type: LoadBalancer + tcpPorts: + - name: ssh + port: 22 + targetPort: 22 + extraArgs: + - --configmap-tcp-services=$(POD_NAMESPACE)/$(POD_NAMESPACE)-haproxy-tcp + +## Installation & configuration of stable/prometheus +## See requirements.yaml for current version +prometheus: + install: true + rbac: + create: true + alertmanager: + enabled: false + alertmanagerFiles: + alertmanager.yml: {} + kubeStateMetrics: + enabled: false + nodeExporter: + enabled: false + pushgateway: + enabled: false + server: + retention: 15d + strategy: + type: Recreate + image: + tag: v2.38.0 + containerSecurityContext: + runAsUser: 1000 + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: [ "ALL" ] + seccompProfile: + type: "RuntimeDefault" + podSecurityPolicy: + enabled: false + configmapReload: + prometheus: + containerSecurityContext: + runAsUser: 1000 + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: [ "ALL" ] + seccompProfile: + type: "RuntimeDefault" + serverFiles: + prometheus.yml: + scrape_configs: + - job_name: 
prometheus + static_configs: + - targets: + - localhost:9090 + - job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: + [ + __meta_kubernetes_namespace, + __meta_kubernetes_service_name, + __meta_kubernetes_endpoint_port_name, + ] + action: keep + regex: default;kubernetes;https + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scrape] + action: keep + regex: true + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: + [__meta_kubernetes_pod_annotation_gitlab_com_prometheus_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: + [ + __address__, + __meta_kubernetes_pod_annotation_gitlab_com_prometheus_port, + ] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scrape + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_gitlab_com_prometheus_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-services + metrics_path: /probe + params: + module: [http_2xx] + kubernetes_sd_configs: + - role: service + relabel_configs: + - source_labels: + [ + __meta_kubernetes_service_annotation_gitlab_com_prometheus_probe, + ] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: kubernetes_name + +## Configuration of Redis +## https://docs.gitlab.com/charts/architecture/decisions#redis +## https://docs.gitlab.com/charts/installation/deployment.html#redis +redis: + install: true + image: + tag: "6.2.16-debian-12-r1" + auth: + existingSecret: gitlab-redis-secret + existingSecretKey: redis-password + usePasswordFiles: true + architecture: standalone + cluster: + enabled: false + metrics: + enabled: true + image: + tag: "1.46.0-debian-11-r8" + +## 
Installation & configuration of stable/postgresql +## See requirements.yaml for current version +postgresql: + install: true + auth: + ## These need to be set, for the sake of bitnami/postgresql upgrade patterns. + ## They are overridden by use of `existingSecret` + password: bogus-satisfy-upgrade + postgresPassword: bogus-satisfy-upgrade + ## + usePasswordFiles: false + existingSecret: '{{ include "gitlab.psql.password.secret" . }}' + secretKeys: + adminPasswordKey: postgresql-postgres-password + userPasswordKey: '{{ include "gitlab.psql.password.key" $ }}' + image: + tag: 14.8.0 + primary: + initdb: + scriptsConfigMap: '{{ include "gitlab.psql.initdbscripts" $}}' + extraVolumeMounts: + - name: custom-init-scripts + mountPath: /docker-entrypoint-preinitdb.d/init_revision.sh + subPath: init_revision.sh + podAnnotations: + postgresql.gitlab/init-revision: "1" + metrics: + enabled: true + service: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: "9187" + + ## Optionally define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + +## Installation & configuration charts/registry +## https://docs.gitlab.com/charts/architecture/decisions#registry +## https://docs.gitlab.com/charts/charts/registry/ +# registry: +# enabled: false + +## Automatic shared secret generation +## https://docs.gitlab.com/charts/installation/secrets +## https://docs.gitlab.com/charts/charts/shared-secrets.html +shared-secrets: + enabled: true + rbac: + create: true + selfsign: + image: + # pullPolicy: IfNotPresent + # pullSecrets: [] + repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign + # Default tag is `master`, overridable by `global.gitlabVersion`. 
+ # tag: master + keyAlgorithm: "rsa" + keySize: "4096" + expiry: "3650d" + caSubject: "GitLab Helm Chart" + env: production + serviceAccount: + enabled: true + create: true + name: # Specify a pre-existing ServiceAccount name + resources: + requests: + cpu: 50m + securityContext: + # in debian/alpine based images, this is `nobody:nogroup` + runAsUser: 65534 + fsGroup: 65534 + seccompProfile: + type: "RuntimeDefault" + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: [ "ALL" ] + tolerations: [] + podLabels: {} + annotations: {} + +## Installation & configuration of gitlab/gitlab-runner +## See requirements.yaml for current version +gitlab-runner: + install: true + rbac: + create: true + runners: + locked: false + # Set secret to an arbitrary value because the runner chart renders the gitlab-runner.secret template only if it is not empty. + # The parent/GitLab chart overrides the template to render the actual secret name. + secret: "nonempty" + config: | + [[runners]] + [runners.kubernetes] + image = "ubuntu:22.04" + {{- if .Values.global.minio.enabled }} + [runners.cache] + Type = "s3" + Path = "gitlab-runner" + Shared = true + [runners.cache.s3] + ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . 
}} + BucketName = "runner-cache" + BucketLocation = "us-east-1" + Insecure = false + {{ end }} + podAnnotations: + gitlab.com/prometheus_scrape: "true" + gitlab.com/prometheus_port: 9252 + podSecurityContext: + seccompProfile: + type: "RuntimeDefault" + +traefik: + install: false + ports: + gitlab-shell: + expose: true + port: 2222 + exposedPort: 22 + +## Settings for individual sub-charts under GitLab +## Note: Many of these settings are configurable via globals +gitlab: + ## https://docs.gitlab.com/charts/charts/gitlab/toolbox + toolbox: + replicas: 1 + antiAffinityLabels: + matchLabels: + app: gitaly + ## https://docs.gitlab.com/charts/charts/gitlab/migrations + # migrations: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/webservice + # webservice: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/sidekiq + # sidekiq: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/gitaly + # gitaly: + ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell + # gitlab-shell: + # enabled: false + ## https://docs.gitlab.com/charts/charts/gitlab/gitlab-pages + # gitlab-pages: + ## https://docs.gitlab.com/charts/charts/gitlab/kas + # kas: + ## https://docs.gitlab.com/charts/charts/gitlab/praefect + # praefect: + +## Installation & configuration of gitlab/gitlab-zoekt +gitlab-zoekt: + install: false + gateway: + basicAuth: + enabled: true + secretName: '{{ include "gitlab.zoekt.gateway.basicAuth.secretName" $ }}' + indexer: + internalApi: + enabled: true + secretName: '{{ include "gitlab.zoekt.indexer.internalApi.secretName" $ }}' + secretKey: '{{ include "gitlab.zoekt.indexer.internalApi.secretKey" $ }}' + gitlabUrl: '{{ include "gitlab.zoekt.indexer.internalApi.gitlabUrl" $ }}' diff --git a/proxmox/k8s/helmfile.d/values/globals/.gitignore b/proxmox/k8s/helmfile.d/values/globals/.gitignore new file mode 100644 index 0000000..03cdeec --- /dev/null +++ b/proxmox/k8s/helmfile.d/values/globals/.gitignore 
@@ -0,0 +1 @@
+secrets.yaml
diff --git a/proxmox/k8s/helmfile.d/values/globals/staging.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/globals/staging.yaml.gotmpl
new file mode 100644
index 0000000..7d7df2c
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/globals/staging.yaml.gotmpl
@@ -0,0 +1,216 @@
+{{ $email := "tonydu121@hotmail.com" }}
+{{ $domain := "mnke.org" }}
+{{ $subdomain := "dolo" }}
+{{ $appDomain := print $subdomain "." $domain }}
+# This should be an IP in the MetalLB range
+{{ $primaryLoadBalancerIP := "10.0.185.128" }}
+{{ $environment := "staging" }}
+{{ $ingressClass := "traefik" }}
+{{ $nfsStorageClass := "nfs-client" }}
+{{ $longhornStorageClass := "longhorn" }}
+
+{{
+ $ghostDatabase := dict
+ "database" "ghost"
+ "username" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#ghost/mysql/username" )
+ "password" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#ghost/mysql/password" )
+}}
+{{
+ $mysqlDatabases := list
+ $ghostDatabase
+}}
+
+{{
+ $authentikDatabase := dict
+ "database" "authentik"
+ "username" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#authentik/postgres/username" )
+ "password" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#authentik/postgres/password" )
+}}
+{{
+ $harborDatabase := dict
+ "database" "harborcore"
+ "username" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/postgres/username" )
+ "password" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/postgres/password" )
+}}
+{{
+ $giteaDatabase := dict
+ "database" "gitea"
+ "username" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#gitea/postgres/username" )
+ "password" ( fetchSecretValue "ref+file://values/globals/secrets.yaml#gitea/postgres/password" )
+}}
+{{
+ $postgresDatabases := list
+ $authentikDatabase
+ $harborDatabase
+ $giteaDatabase
+}}
+
+globals:
+ email: {{ $email }}
+ environment: {{ $environment }}
+
+ certManager:
+ namespace: cert-manager
+
+ traefik:
+ namespace: traefik
+ ingressClass: {{ $ingressClass }}
+ loadBalancerIP: {{ $primaryLoadBalancerIP }}
+
+ certs:
+ acmeEmail: {{ $email }}
+ cloudflareEmail: {{ $email }}
+ certIssuerMode: {{ $environment }}
+
+ cloudflareSecretToken: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#cloudflare/secretToken" }}
+ cloudflareTokenSecretName: cloudflare-token-secret
+
+ issuerName: letsencrypt
+ privateKeySecretRef: letsencrypt
+
+ hlMnkeOrg:
+ certificateName: {{ $subdomain }}.{{ $domain }}
+ certificateSecretName: {{ $subdomain }}.{{ $domain }}-tls
+ certificateNamespace: default
+ commonName: "{{ $appDomain }}"
+ dnsZones:
+ - "{{ $domain }}"
+ dnsNames:
+ - "{{ $appDomain }}"
+ - "*.{{ $appDomain }}"
+
+ longhorn:
+ namespace: longhorn-system
+ storageClass: {{ $longhornStorageClass }}
+
+ nfsSubdirExternalProvisioner:
+ namespace: nfs-subdir-external-provisioner
+ replicaCount: 1
+ nfs:
+ server: truenas.local
+ path: /mnt/emc14t9/k8s-pv
+ storageClass: {{ $nfsStorageClass }}
+ accessModes: ReadWriteMany
+
+ rancher:
+ namespace: cattle-system
+ ingressClass: {{ $ingressClass }}
+ hostname: rancher.{{ $appDomain }}
+ replicas: 3
+ bootstrapPassword: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#rancher/bootstrapPassword" }}
+
+ uptimeKuma:
+ namespace: uptime-kuma
+ ingressClass: {{ $ingressClass }}
+ hosts:
+ - uptime.{{ $appDomain }}
+ storageClass: {{ $longhornStorageClass }}
+
+ mysql:
+ namespace: db
+ storageClass: {{ $longhornStorageClass }}
+ username: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#mysql/username" }}
+ password: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#mysql/password" }}
+ rootPassword: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#mysql/rootPassword" }}
+ databases:
+ {{ $mysqlDatabases | toYaml | nindent 4 }}
+
+ postgres:
+ namespace: db
+ storageClass: {{ $longhornStorageClass }}
+ username: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#postgres/username" }}
+ password: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#postgres/password" }}
+ postgresPassword: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#postgres/postgresPassword" }}
+ databases:
+ {{ $postgresDatabases | toYaml | nindent 4 }}
+
+ phpmyadmin:
+ namespace: db
+ hostname: pma.{{ $appDomain }}
+ storageClass: {{ $longhornStorageClass }}
+ ingressClass: {{ $ingressClass }}
+
+ pgadmin4:
+ namespace: db
+ hostname: pg.{{ $appDomain }}
+ ingressClass: {{ $ingressClass }}
+ storageClass: {{ $longhornStorageClass }}
+ storageSize: 2Gi
+ accessMode: ReadWriteOnce
+ # can be email or nickname
+ email: tony@mnke.org
+ password: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#pgadmin4/password" }}
+
+ redis:
+ namespace: redis
+ storageClass: {{ $longhornStorageClass }}
+ storageSize: 8Gi
+ accessMode: ReadWriteMany
+ password: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#redis/password" }}
+
+ ghost:
+ namespace: ghost
+ primaryHost: blog.mnke.org
+ storageClass: {{ $longhornStorageClass }}
+ ingressClass: {{ $ingressClass }}
+ ghostEmail: {{ $email }}
+ ghostPassword: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#ghost/password" }}
+ mysql:
+ {{ $ghostDatabase | toYaml | nindent 6 }}
+
+ authentik:
+ namespace: authentik
+ storageClass: {{ $longhornStorageClass }}
+ ingressClass: {{ $ingressClass }}
+ secretKey: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#authentik/secretKey" }}
+ hostnames:
+ - auth.{{ $appDomain }}
+ - auth.{{ $domain }}
+ postgres:
+ {{ $authentikDatabase | toYaml | nindent 6 }}
+
+ harbor:
+ namespace: harbor
+ hostname: harbor.{{ $appDomain }}
+ ingressClass: {{ $ingressClass }}
+ storageClass: {{ $nfsStorageClass }}
+ username: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/username" }}
+ password: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/password" }}
+ htpasswd: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/htpasswd" }}
+ registrySecret: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/registrySecret" }}
+ jobserviceSecret: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/jobserviceSecret" }}
+ coreSecretKey: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/coreSecretKey" }}
+ coreSecret: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/coreSecret" }}
+ coreCsrfKey: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/coreCsrfKey" }}
+ coreTlsKey: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/coreTlsKey" | quote }}
+ coreTlsCert: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#harbor/coreTlsCert" | quote }}
+
+ postgres:
+ {{ $harborDatabase | toYaml | nindent 6 }}
+
+ kubePrometheusStack:
+ namespace: kube-prometheus-stack
+ ingressClass: {{ $ingressClass }}
+ storageClass: {{ $nfsStorageClass }}
+ thanosRuler:
+ storageSize: 4Gi
+ prometheus:
+ storageSize: 4Gi
+ grafana:
+ storageSize: 4Gi
+ adminPassword: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#kubePrometheusStack/grafana/adminPassword" }}
+ hosts:
+ - gf.{{ $appDomain }}
+
+ argocd:
+ namespace: argo-cd
+ ingressClass: {{ $ingressClass }}
+ storageClass: {{ $nfsStorageClass }}
+ hostname: argocd.{{ $appDomain }}
+ adminPassword: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#argocd/adminPassword" }}
+
+ gitea:
+ namespace: gitea
+ ingressClass: {{ $ingressClass }}
+ postgres:
+ {{ $giteaDatabase | toYaml | nindent 6 }}
diff --git a/proxmox/k8s/helmfile.d/values/harbor/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/harbor/values.yaml.gotmpl
new file mode 100644
index 0000000..a0e3988
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/harbor/values.yaml.gotmpl
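Review bot: Almost every secret scalar in staging.yaml.gotmpl is rendered unquoted (`rancher.bootstrapPassword`, `mysql.password`/`rootPassword`, the `postgres.*` passwords, `authentik.secretKey`, `harbor.htpasswd`/`registrySecret`/`jobserviceSecret`/`coreSecret`/`coreCsrfKey`, both `adminPassword` keys, `cloudflareSecretToken`), so a value that YAML does not read as a plain string — all digits, `true`/`no`, a leading `*` or `{`, or one containing `: ` or ` #` — silently changes type or breaks the render, while only `coreTlsKey`/`coreTlsCert` get `| quote`. Apply the same pipe consistently, e.g. `password: {{ fetchSecretValue "ref+file://values/globals/secrets.yaml#mysql/password" | quote }}`. The `$*Database` dicts are fine as written because `toYaml` quotes what needs quoting. Separately, these values are expanded in plaintext into the rendered chart values, so they land in the Helm release Secret and in any `helmfile diff`/`template` output, which matters if that output is captured in CI logs.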
@@ -0,0 +1,3815 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + defaultStorageClass: {{ .Values.globals.harbor.storageClass }} + storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common Parameters +## + +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template with a string +## +fullnameOverride: "" +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template). +## +extraDeploy: [] +## Enable diagnostic mode in the deployment(s)/statefulset(s) +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the the deployment(s)/statefulset(s) + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the the deployment(s)/statefulset(s) + ## + args: + - infinity +## @section Harbor common parameters +## + +## @param adminPassword The initial password of Harbor admin. Change it from portal after launching Harbor +## +adminPassword: {{ .Values.globals.harbor.password }} +## @param externalURL The external URL for Harbor Core service +## It is used to +## 1) populate the docker/helm commands showed on portal +## +## Format: protocol://domain[:port]. 
Usually: +## 1) if "exposureType" is "ingress", the "domain" should be +## the value of "ingress.hostname" +## 2) if "exposureType" is "proxy" and "service.type" is "ClusterIP", +## the "domain" should be the value of "service.clusterIP" +## 3) if "exposureType" is "proxy" and "service.type" is "NodePort", +## the "domain" should be the IP address of k8s node +## 4) if "exposureType" is "proxy" and "service.type" is "LoadBalancer", +## the "domain" should be the LoadBalancer IP +## +externalURL: https://{{ .Values.globals.harbor.hostname }} +## Note: If Harbor is exposed via Ingress, the NGINX server will not be used +## @param proxy.httpProxy The URL of the HTTP proxy server +## @param proxy.httpsProxy The URL of the HTTPS proxy server +## @param proxy.noProxy The URLs that the proxy settings not apply to +## @param proxy.components The component list that the proxy settings apply to +## +proxy: + httpProxy: "" + httpsProxy: "" + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy +## @param logLevel The log level used for Harbor services. Allowed values are [ fatal \| error \| warn \| info \| debug \| trace ] +## +logLevel: debug +## TLS settings +## Note: TLS cert files need to provided in each components in advance. 
+## +internalTLS: + ## @param internalTLS.enabled Use TLS in all the supported containers: core, jobservice, portal, registry and trivy + ## + enabled: false + ## @param internalTLS.caBundleSecret Name of an existing secret with a custom CA that will be injected into the trust store for core, jobservice, registry, trivy components + ## The secret must contain the key "ca.crt" + ## + caBundleSecret: "" +## IP family parameters +## +ipFamily: + ## @param ipFamily.ipv6.enabled Enable listening on IPv6 ([::]) for NGINX-based components (NGINX,portal) + ## Note: enabling IPv6 will cause NGINX to crash on start on systems with IPv6 disabled (`ipv6.disable` kernel flag) + ## + ipv6: + enabled: false + ## @param ipFamily.ipv4.enabled Enable listening on IPv4 for NGINX-based components (NGINX,portal) + ## + ipv4: + enabled: true +## @section Traffic Exposure Parameters +## + +## @param exposureType The way to expose Harbor. Allowed values are [ ingress \| proxy ] +## Use "proxy" to use a deploy NGINX proxy in front of Harbor services +## Use "ingress" to use an Ingress Controller as proxy +## +exposureType: ingress +## Service parameters +## +service: + ## @param service.type NGINX proxy service type + ## + type: ClusterIP + ## @param service.ports.http NGINX proxy service HTTP port + ## @param service.ports.https NGINX proxy service HTTPS port + ## + ports: + http: 80 + https: 443 + ## Node ports to expose + ## @param service.nodePorts.http Node port for HTTP + ## @param service.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + https: "" + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## 
timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param service.clusterIP NGINX proxy service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.loadBalancerIP NGINX proxy service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges NGINX proxy service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy NGINX proxy service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.annotations Additional custom annotations for NGINX proxy service + ## + annotations: {} + ## @param service.extraPorts Extra port to expose on NGINX proxy service + ## + extraPorts: [] +ingress: + ## Configure the ingress resource that allows you to access Harbor Core + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + core: + ## @param ingress.core.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: {{ .Values.globals.harbor.ingressClass }} + ## @param ingress.core.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.core.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.core.controller The ingress controller type. Currently supports `default`, `gce` and `ncp` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + ## + controller: default + ## @param ingress.core.hostname Default host for the ingress record + ## + hostname: {{ .Values.globals.harbor.hostname }} + ## @param ingress.core.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: + cert-manager.io/cluster-issuer: {{ .Values.globals.certs.issuerName }} + kubernetes.io/ingress.class: {{ .Values.globals.harbor.ingressClass }} + ## @param ingress.core.tls Enable TLS configuration for the host defined at `ingress.core.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: + ## You can: + ## - Use the `ingress.core.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.core.selfSigned=true` + ## + tls: true + ## @param ingress.core.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.core.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: core.harbor.domain + ## path: / + ## + extraHosts: [] + ## @param ingress.core.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.core.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - core.harbor.domain + ## secretName: core.harbor.domain-tls + ## + extraTls: [] + ## @param ingress.core.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM 
format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: core.harbor.domain-tls + ## key: |- + ## REDACTED + ## ... + ## REDACTED + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param ingress.core.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] + ## +## @section Persistence Parameters +## + +## The persistence is enabled by default and a default StorageClass +## is needed in the k8s cluster to provision volumes dynamically. +## Specify another StorageClass in the "storageClass" or set "existingClaim" +## if you have already existing persistent volumes to use +## +## For storing images and charts, you can also use "azure", "gcs", "s3", +## "swift" or "oss". Set it in the "imageChartStorage" section +## +persistence: + ## @param persistence.enabled Enable the data persistence or not + ## + enabled: true + ## Resource Policy + ## @param persistence.resourcePolicy Setting it to `keep` to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "keep" + persistentVolumeClaim: + ## @param persistence.persistentVolumeClaim.registry.existingClaim Name of an existing PVC to use + ## @param persistence.persistentVolumeClaim.registry.storageClass PVC Storage Class for Harbor Registry data volume + ## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning + ## @param persistence.persistentVolumeClaim.registry.subPath The sub path used in the volume + ## @param persistence.persistentVolumeClaim.registry.accessModes The access mode of the volume + ## @param persistence.persistentVolumeClaim.registry.size The size of the volume + ## @param persistence.persistentVolumeClaim.registry.annotations Annotations for the PVC + ## @param persistence.persistentVolumeClaim.registry.selector Selector to match an existing Persistent Volume + ## + registry: + existingClaim: "" + storageClass: "" + subPath: "" + accessModes: + - ReadWriteOnce + size: 5Gi + annotations: {} + selector: {} + ## @param persistence.persistentVolumeClaim.jobservice.existingClaim Name of an existing PVC to use + ## @param persistence.persistentVolumeClaim.jobservice.storageClass PVC Storage Class for Harbor Jobservice data volume + ## Note: The default StorageClass will be used if not defined. 
Set it to `-` to disable dynamic provisioning + ## @param persistence.persistentVolumeClaim.jobservice.subPath The sub path used in the volume + ## @param persistence.persistentVolumeClaim.jobservice.accessModes The access mode of the volume + ## @param persistence.persistentVolumeClaim.jobservice.size The size of the volume + ## @param persistence.persistentVolumeClaim.jobservice.annotations Annotations for the PVC + ## @param persistence.persistentVolumeClaim.jobservice.selector Selector to match an existing Persistent Volume + ## + jobservice: + existingClaim: "" + storageClass: "" + subPath: "" + accessModes: + - ReadWriteOnce + size: 1Gi + annotations: {} + selector: {} + ## @param persistence.persistentVolumeClaim.trivy.storageClass PVC Storage Class for Trivy data volume + ## Note: The default StorageClass will be used if not defined. Set it to `-` to disable dynamic provisioning + ## @param persistence.persistentVolumeClaim.trivy.accessModes The access mode of the volume + ## @param persistence.persistentVolumeClaim.trivy.size The size of the volume + ## @param persistence.persistentVolumeClaim.trivy.annotations Annotations for the PVC + ## @param persistence.persistentVolumeClaim.trivy.selector Selector to match an existing Persistent Volume + ## + trivy: + storageClass: "" + accessModes: + - ReadWriteOnce + size: 5Gi + annotations: {} + selector: {} + ## Define which storage backend is used for registry to store + ## images and charts. + ## ref: https://github.com/docker/distribution/blob/master/docs/configuration.md#storage + ## + imageChartStorage: + ## @param persistence.imageChartStorage.caBundleSecret Specify the `caBundleSecret` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's containers. + ## + caBundleSecret: "" + ## @param persistence.imageChartStorage.disableredirect The configuration for managing redirects from content backends. 
For backends which do not supported it (such as using MinIO® for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more information about the detail + ## + disableredirect: false + ## @param persistence.imageChartStorage.type The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more information about the detail + ## + type: filesystem + ## Images/charts storage parameters when type is "filesystem" + ## @param persistence.imageChartStorage.filesystem.rootdirectory Filesystem storage type setting: Storage root directory + ## @param persistence.imageChartStorage.filesystem.maxthreads Filesystem storage type setting: Maximum threads directory + ## + filesystem: + rootdirectory: /storage + maxthreads: "" + ## Images/charts storage parameters when type is "azure" + ## @param persistence.imageChartStorage.azure.accountname Azure storage type setting: Name of the Azure account + ## @param persistence.imageChartStorage.azure.accountkey Azure storage type setting: Key of the Azure account + ## @param persistence.imageChartStorage.azure.container Azure storage type setting: Container + ## @param persistence.imageChartStorage.azure.storagePrefix Azure storage type setting: Storage prefix + ## @param persistence.imageChartStorage.azure.realm Azure storage type setting: Realm of the Azure account + ## + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + storagePrefix: /azure/harbor/charts + ## Example realm + ## realm: core.windows.net + ## + realm: "" + ## Images/charts storage parameters when type is "gcs" + ## @param persistence.imageChartStorage.gcs.bucket GCS storage type 
setting: Bucket name + ## @param persistence.imageChartStorage.gcs.encodedkey GCS storage type setting: Base64 encoded key + ## @param persistence.imageChartStorage.gcs.rootdirectory GCS storage type setting: Root directory name + ## @param persistence.imageChartStorage.gcs.chunksize GCS storage type setting: Chunk size name + ## + gcs: + bucket: bucketname + ## The base64 encoded json file which contains the gcs key (file's content) + ## + encodedkey: "" + rootdirectory: "" + chunksize: "" + ## Images/charts storage parameters when type is "s3" + ## ref: https://docs.docker.com/registry/storage-drivers/s3/ + ## @param persistence.imageChartStorage.s3.region S3 storage type setting: Region + ## @param persistence.imageChartStorage.s3.bucket S3 storage type setting: Bucket name + ## @param persistence.imageChartStorage.s3.accesskey S3 storage type setting: Access key name + ## @param persistence.imageChartStorage.s3.secretkey S3 storage type setting: Secret Key name + ## @param persistence.imageChartStorage.s3.regionendpoint S3 storage type setting: Region Endpoint + ## @param persistence.imageChartStorage.s3.encrypt S3 storage type setting: Encrypt + ## @param persistence.imageChartStorage.s3.keyid S3 storage type setting: Key ID + ## @param persistence.imageChartStorage.s3.secure S3 storage type setting: Secure + ## @param persistence.imageChartStorage.s3.skipverify S3 storage type setting: TLS skip verification + ## @param persistence.imageChartStorage.s3.v4auth S3 storage type setting: V4 authorization + ## @param persistence.imageChartStorage.s3.chunksize S3 storage type setting: V4 authorization + ## @param persistence.imageChartStorage.s3.rootdirectory S3 storage type setting: Root directory name + ## @param persistence.imageChartStorage.s3.storageClass S3 storage type setting: Storage class + ## @param persistence.imageChartStorage.s3.sse S3 storage type setting: SSE name + ## @param persistence.imageChartStorage.s3.multipartcopythresholdsize S3 storage type 
setting: Threshold size for multipart copy + ## + s3: + region: us-west-1 + bucket: bucketname + accesskey: "" + secretkey: "" + regionendpoint: "" + encrypt: "" + keyid: "" + secure: "" + skipverify: "" + v4auth: "" + chunksize: "" + rootdirectory: "" + storageClass: "" + sse: "" + multipartcopythresholdsize: "" + ## Images/charts storage parameters when type is "swift" + ## @param persistence.imageChartStorage.swift.authurl Swift storage type setting: Authentication url + ## @param persistence.imageChartStorage.swift.username Swift storage type setting: Authentication url + ## @param persistence.imageChartStorage.swift.password Swift storage type setting: Password + ## @param persistence.imageChartStorage.swift.container Swift storage type setting: Container + ## @param persistence.imageChartStorage.swift.region Swift storage type setting: Region + ## @param persistence.imageChartStorage.swift.tenant Swift storage type setting: Tenant + ## @param persistence.imageChartStorage.swift.tenantid Swift storage type setting: TenantID + ## @param persistence.imageChartStorage.swift.domain Swift storage type setting: Domain + ## @param persistence.imageChartStorage.swift.domainid Swift storage type setting: DomainID + ## @param persistence.imageChartStorage.swift.trustid Swift storage type setting: TrustID + ## @param persistence.imageChartStorage.swift.insecureskipverify Swift storage type setting: Verification + ## @param persistence.imageChartStorage.swift.chunksize Swift storage type setting: Chunk + ## @param persistence.imageChartStorage.swift.prefix Swift storage type setting: Prefix + ## @param persistence.imageChartStorage.swift.secretkey Swift storage type setting: Secre Key + ## @param persistence.imageChartStorage.swift.accesskey Swift storage type setting: Access Key + ## @param persistence.imageChartStorage.swift.authversion Swift storage type setting: Auth + ## @param persistence.imageChartStorage.swift.endpointtype Swift storage type setting: Endpoint + ## 
@param persistence.imageChartStorage.swift.tempurlcontainerkey Swift storage type setting: Temp URL container key + ## @param persistence.imageChartStorage.swift.tempurlmethods Swift storage type setting: Temp URL methods + ## + swift: + authurl: https://storage.myprovider.com/v3/auth + username: "" + password: "" + container: "" + region: "" + tenant: "" + tenantid: "" + domain: "" + domainid: "" + trustid: "" + insecureskipverify: "" + chunksize: "" + prefix: "" + secretkey: "" + accesskey: "" + authversion: "" + endpointtype: "" + tempurlcontainerkey: "" + tempurlmethods: "" + ## Images/charts storage parameters when type is "oss" + ## @param persistence.imageChartStorage.oss.accesskeyid OSS storage type setting: Access key ID + ## @param persistence.imageChartStorage.oss.accesskeysecret OSS storage type setting: Access key secret name containing the token + ## @param persistence.imageChartStorage.oss.region OSS storage type setting: Region name + ## @param persistence.imageChartStorage.oss.bucket OSS storage type setting: Bucket name + ## @param persistence.imageChartStorage.oss.endpoint OSS storage type setting: Endpoint + ## @param persistence.imageChartStorage.oss.internal OSS storage type setting: Internal + ## @param persistence.imageChartStorage.oss.encrypt OSS storage type setting: Encrypt + ## @param persistence.imageChartStorage.oss.secure OSS storage type setting: Secure + ## @param persistence.imageChartStorage.oss.chunksize OSS storage type setting: Chunk + ## @param persistence.imageChartStorage.oss.rootdirectory OSS storage type setting: Directory + ## @param persistence.imageChartStorage.oss.secretkey OSS storage type setting: Secret key + ## + oss: + accesskeyid: "" + accesskeysecret: "" + region: "" + bucket: "" + endpoint: "" + internal: "" + encrypt: "" + secure: "" + chunksize: "" + rootdirectory: "" + secretkey: "" +## @section Tracing parameters +## + +## Tracing parameters: +## tracing: Configure tracing for Harbor, only one of 
tracing.jeager.enabled and tracing.otel.enabled should be set
+##
+tracing:
+ ## @param tracing.enabled Enable tracing
+ ##
+ enabled: false
+ ## @param tracing.sampleRate Tracing sample rate from 0 to 1
+ ##
+ sampleRate: 1
+ ## @param tracing.namespace Used to differentiate traces between different harbor services
+ ##
+ namespace: ""
+ ## @param tracing.attributes A key value dict containing user defined attributes used to initialize the trace provider
+ ## e.g:
+ ## attributes:
+ ## application: harbor
+ ##
+ attributes: {}
+ ## @extra tracing.jaeger Configuration for exporting to jaeger. If using jaeger collector mode, use endpoint, username and password. If using jaeger agent mode, use agentHostname and agentPort.
+ ## e.g:
+ ## jaeger:
+ ## enabled: true
+ ## endpoint: http://hostname:14268/api/traces
+ ## username: "jaeger-username"
+ ## password: "jaeger-password"
+ ## @param tracing.jaeger.enabled Enable jaeger export
+ ## @param tracing.jaeger.endpoint Jaeger endpoint
+ ## @param tracing.jaeger.username Jaeger username
+ ## @param tracing.jaeger.password Jaeger password
+ ## @param tracing.jaeger.agentHost Jaeger agent hostname
+ ## @param tracing.jaeger.agentPort Jaeger agent port
+ ##
+ jaeger:
+ enabled: false
+ endpoint: ""
+ username: ""
+ password: ""
+ agentHost: ""
+ agentPort: ""
+ ## @extra tracing.otel Configuration for exporting to an otel endpoint
+ ## @param tracing.otel.enabled Enable otel export
+ ## @param tracing.otel.endpoint The hostname and port for an otel compatible backend
+ ## @param tracing.otel.urlpath Url path of otel endpoint
+ ## @param tracing.otel.compression Enable data compression
+ ## @param tracing.otel.timeout The timeout for data transfer
+ ## @param tracing.otel.insecure Ignore cert verification for otel backend
+ ##
+ otel:
+ enabled: false
+ endpoint: "hostname:4318"
+ urlpath: "/v1/traces"
+ compression: false
+ timeout: 10s
+ insecure: true
+## @section Volume Permissions parameters
+##
+
+## Init containers 
parameters: +## certificateVolume: Copy /etc/ssl/certs to a volume so that they can be updated when a read-only volume is in use. +## +certificateVolume: + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param certificateVolume.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if certificateVolume.resources is set (certificateVolume.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param certificateVolume.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} +## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r35 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.enabled Enable init container Security Context + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 0 +## @section NGINX Parameters +## +nginx: + ## Bitnami NGINX image + ## ref: https://hub.docker.com/r/bitnami/nginx/tags/ + ## @param nginx.image.registry [default: REGISTRY_NAME] NGINX image registry + ## @param nginx.image.repository [default: REPOSITORY_NAME/nginx] NGINX image repository + ## @skip nginx.image.tag NGINX image tag (immutable tags are recommended) + ## @param nginx.image.digest NGINX image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param nginx.image.pullPolicy NGINX image pull policy + ## @param nginx.image.pullSecrets NGINX image pull secrets + ## @param nginx.image.debug Enable NGINX image debug mode + ## + image: + registry: docker.io + repository: bitnami/nginx + tag: 1.27.3-debian-12-r5 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## TLS parameters + ## + tls: + ## @param nginx.tls.enabled Enable TLS termination + ## + enabled: true + ## @param nginx.tls.existingSecret Existing secret name containing your own TLS certificates. + ## The secret must contain the keys: + ## `tls.crt` - the certificate (required), + ## `tls.key` - the private key (required), + ## `ca.crt` - CA certificate (optional) + ## Self-signed TLS certificates will be used otherwise. + ## + existingSecret: "" + ## @param nginx.tls.commonName The common name used to generate the self-signed TLS certificates + ## + commonName: core.harbor.domain + ## @param nginx.behindReverseProxy If NGINX is behind another reverse proxy, set to true + ## if the reverse proxy already provides the 'X-Forwarded-Proto' header field. + ## This is, for example, the case for the OpenShift HAProxy router. 
+ ## + behindReverseProxy: false + ## @param nginx.command Override default container command (useful when using custom images) + ## + command: [] + ## @param nginx.args Override default container args (useful when using custom images) + ## + args: [] + ## @param nginx.extraEnvVars Array with extra environment variables to add NGINX pods + ## + extraEnvVars: [] + ## @param nginx.extraEnvVarsCM ConfigMap containing extra environment variables for NGINX pods + ## + extraEnvVarsCM: "" + ## @param nginx.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for NGINX pods + ## + extraEnvVarsSecret: "" + ## @param nginx.containerPorts.http NGINX HTTP container port + ## @param nginx.containerPorts.https NGINX HTTPS container port + ## + containerPorts: + http: 8080 + https: 8443 + ## @param nginx.replicaCount Number of NGINX replicas + ## + replicaCount: 1 + ## Configure extra options for NGINX containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param nginx.livenessProbe.enabled Enable livenessProbe on NGINX containers + ## @param nginx.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param nginx.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param nginx.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param nginx.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param nginx.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param nginx.readinessProbe.enabled Enable readinessProbe on NGINX containers + ## @param nginx.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param nginx.readinessProbe.periodSeconds 
Period seconds for readinessProbe + ## @param nginx.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param nginx.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param nginx.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param nginx.startupProbe.enabled Enable startupProbe on NGINX containers + ## @param nginx.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param nginx.startupProbe.periodSeconds Period seconds for startupProbe + ## @param nginx.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param nginx.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param nginx.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param nginx.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param nginx.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param nginx.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## NGINX resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param nginx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if nginx.resources is set (nginx.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param nginx.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure NGINX pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param nginx.podSecurityContext.enabled Enabled NGINX pods' Security Context + ## @param nginx.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param nginx.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param nginx.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param nginx.podSecurityContext.fsGroup Set NGINX pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure NGINX containers (only main one) Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param nginx.containerSecurityContext.enabled Enabled containers' Security Context + ## @param nginx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param nginx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param nginx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param nginx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param nginx.containerSecurityContext.privileged Set container's Security Context privileged + ## @param 
nginx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param nginx.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param nginx.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param nginx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param nginx.updateStrategy.type NGINX deployment strategy type - only really applicable for deployments with RWO PVs attached + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + updateStrategy: + type: RollingUpdate + ## @param nginx.lifecycleHooks LifecycleHook for the NGINX container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param nginx.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## Harbor Nginx ServiceAccount configuration + ## + serviceAccount: + ## @param nginx.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: false + ## @param nginx.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param nginx.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## + automountServiceAccountToken: false + ## @param nginx.serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## @param nginx.hostAliases NGINX pods host aliases + ## + hostAliases: [] + ## @param nginx.podLabels Add additional labels to the NGINX pods (evaluated as a template) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param nginx.podAnnotations Annotations to add to the NGINX pods (evaluated as a template) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param nginx.podAffinityPreset NGINX Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param nginx.podAntiAffinityPreset NGINX Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## @param nginx.nodeAffinityPreset.type NGINX Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nginx.nodeAffinityPreset.key NGINX Node label key to match Ignored if `affinity` is set. + ## E.g. 
+ ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nginx.nodeAffinityPreset.values NGINX Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param nginx.affinity NGINX Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param nginx.nodeSelector NGINX Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param nginx.tolerations NGINX Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param nginx.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param nginx.priorityClassName Priority Class Name + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + ## + priorityClassName: "" + ## @param nginx.schedulerName Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param nginx.sidecars Add additional sidecar containers to the NGINX pods + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param nginx.initContainers Add additional init containers to the NGINX pods + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param nginx.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param nginx.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param nginx.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `nginx.pdb.minAvailable` and `nginx.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## @param nginx.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the NGINX pods + ## + extraVolumeMounts: [] + ## @param nginx.extraVolumes Optionally specify extra list of additional volumes for the NGINX pods + ## + extraVolumes: [] + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param nginx.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param nginx.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. 
When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param nginx.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param nginx.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param nginx.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param nginx.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param nginx.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## @section Harbor Portal Parameters +## +portal: + ## Bitnami Harbor Portal image + ## ref: https://hub.docker.com/r/bitnami/harbor-portal/tags/ + ## @param portal.image.registry [default: REGISTRY_NAME] Harbor Portal image registry + ## @param portal.image.repository [default: REPOSITORY_NAME/harbor-portal] Harbor Portal image repository + ## @skip portal.image.tag Harbor Portal image tag (immutable tags are recommended) + ## @param portal.image.digest Harbor Portal image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param portal.image.pullPolicy Harbor Portal image pull policy + ## @param portal.image.pullSecrets Harbor Portal image pull secrets + ## @param portal.image.debug Enable Harbor Portal image debug mode + ## + image: + registry: docker.io + repository: bitnami/harbor-portal + tag: 2.12.2-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## Use TLS in the container + ## + tls: + ## @param portal.tls.existingSecret Name of an existing secret with the certificates for internal TLS access + ## Requires `internalTLS.enabled` to be set to `true`` + ## Self-signed TLS certificates will be used otherwise + ## + existingSecret: "" + ## @param portal.command Override default container command (useful when using custom images) + ## + command: [] + ## @param portal.args Override default container args (useful when using custom images) + ## + args: [] + ## @param portal.extraEnvVars Array with extra environment variables to add Harbor Portal pods + ## + extraEnvVars: [] + ## @param portal.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Portal pods + ## + extraEnvVarsCM: "" + ## @param portal.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Portal pods + ## + extraEnvVarsSecret: "" + ## @param portal.containerPorts.http Harbor Portal HTTP container port + ## @param portal.containerPorts.https Harbor Portal HTTPS container port + ## + containerPorts: + http: 8080 + https: 8443 + ## @param 
portal.replicaCount Number of Harbor Portal replicas + ## + replicaCount: 1 + ## Configure extra options for Harbor Portal containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param portal.livenessProbe.enabled Enable livenessProbe on Harbor Portal containers + ## @param portal.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param portal.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param portal.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param portal.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param portal.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param portal.readinessProbe.enabled Enable readinessProbe on Harbor Portal containers + ## @param portal.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param portal.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param portal.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param portal.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param portal.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param portal.startupProbe.enabled Enable startupProbe on Harbor Portal containers + ## @param portal.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param portal.startupProbe.periodSeconds Period seconds for startupProbe + ## @param portal.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param 
portal.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param portal.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param portal.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param portal.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param portal.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Harbor Portal resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param portal.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if portal.resources is set (portal.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param portal.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Harbor Portal pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param portal.podSecurityContext.enabled Enabled Harbor Portal pods' Security Context + ## @param portal.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param portal.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param portal.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param portal.podSecurityContext.fsGroup Set Harbor Portal pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Harbor Portal containers (only main one) Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param portal.containerSecurityContext.enabled Enabled containers' Security Context + ## @param portal.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param portal.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param portal.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param portal.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param portal.containerSecurityContext.privileged Set container's Security Context privileged + ## @param 
portal.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param portal.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param portal.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param portal.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param portal.updateStrategy.type Harbor Portal deployment strategy type - only really applicable for deployments with RWO PVs attached + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + updateStrategy: + type: RollingUpdate + ## @param portal.lifecycleHooks LifecycleHook for the Harbor Portal container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param portal.hostAliases Harbor Portal pods host aliases + ## + hostAliases: [] + ## @param portal.podLabels Add additional labels to the Harbor Portal pods (evaluated as a template) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param portal.podAnnotations Annotations to add to the Harbor Portal pods (evaluated as a template) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param portal.podAffinityPreset Harbor Portal Pod affinity preset. Ignored if `portal.affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param portal.podAntiAffinityPreset Harbor Portal Pod anti-affinity preset. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param portal.nodeAffinityPreset.type Harbor Portal Node affinity preset type. Ignored if `portal.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param portal.nodeAffinityPreset.key Harbor Portal Node label key to match Ignored if `portal.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param portal.nodeAffinityPreset.values Harbor Portal Node label values to match. Ignored if `portal.affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param portal.affinity Harbor Portal Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: portal.podAffinityPreset, portal.podAntiAffinityPreset, and portal.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param portal.nodeSelector Harbor Portal Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param portal.tolerations Harbor Portal Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param portal.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param portal.priorityClassName Priority Class Name + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + ## + priorityClassName: "" + ## @param portal.schedulerName Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param portal.sidecars Add additional sidecar containers to the Harbor Portal pods + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param portal.initContainers Add additional init containers to the Harbor Portal pods + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param portal.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param portal.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param portal.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `portal.pdb.minAvailable` and `portal.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## @param portal.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Portal pods + ## + extraVolumeMounts: [] + ## @param portal.extraVolumes Optionally specify extra list of additional volumes for the Harbor Portal pods + ## + extraVolumes: [] + ## @param portal.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## Harbor Portal ServiceAccount configuration + ## + serviceAccount: + ## @param portal.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: false + ## @param portal.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param portal.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## + automountServiceAccountToken: false + ## @param portal.serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## Harbor Portal service configuration + ## + service: + ## @param portal.service.ports.http Harbor Portal HTTP service port + ## @param portal.service.ports.https Harbor Portal HTTPS service port + ## + ports: + http: 80 + https: 443 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param portal.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param portal.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param portal.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param portal.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param portal.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param portal.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param portal.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## @section Harbor Core Parameters +## +core: + ## Bitnami Harbor Core image + ## ref: https://hub.docker.com/r/bitnami/harbor-core/tags/ + ## @param core.image.registry [default: REGISTRY_NAME] Harbor Core image registry + ## @param core.image.repository [default: REPOSITORY_NAME/harbor-core] Harbor Core image repository + ## @skip core.image.tag Harbor Core image tag (immutable tags are recommended) + ## @param core.image.digest Harbor Core image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param core.image.pullPolicy Harbor Core image pull policy + ## @param core.image.pullSecrets Harbor Core image pull secrets + ## @param core.image.debug Enable Harbor Core image debug mode + ## + image: + registry: docker.io + repository: bitnami/harbor-core + tag: 2.12.2-debian-12-r1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param core.sessionLifetime Explicitly set a session timeout (in seconds) overriding the backend default. + ## + sessionLifetime: "" + ## @param core.uaaSecret If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. + ## + uaaSecret: "" + ## @param core.secretKey The key used for encryption. Must be a string of 16 chars + ## e.g: + ## secretKey: "not-a-secure-string" + ## + secretKey: {{ .Values.globals.harbor.coreSecretKey }} + ## @param core.secret Secret used when the core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. + ## + secret: {{ .Values.globals.harbor.coreSecret }} + ## @param core.tokenKey Key of the certificate used for token encryption/decryption. + ## + tokenKey: {{ .Values.globals.harbor.coreTlsKey | quote }} + ## @param core.tokenCert Certificate used for token encryption/decryption. 
+ ## + tokenCert: {{ .Values.globals.harbor.coreTlsCert | quote }} + ## @param core.secretName Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain two keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set + ## + secretName: "" + ## @param core.existingSecret Existing secret for core + ## The secret must contain the keys: + ## `secret` (required), + ## `secretKey` (required), + ## + existingSecret: "" + ## @param core.existingEnvVarsSecret Existing secret for core envvars + ## The secret must contain the keys: + ## `CSRF_KEY` (optional - alternatively auto-generated), + ## `HARBOR_ADMIN_PASSWORD` (optional - alternatively auto-generated), + ## `POSTGRESQL_PASSWORD` (optional - alternatively uses weak upstream default. Read below if you set it. You must also set postgresql.auth.existingSecret to the same value as core.existingEnvVarsSecret for this to work!), + ## `postgres-password` (required if POSTGRESQL_PASSWORD is set & must be the same as POSTGRESQL_PASSWORD.) + ## `HARBOR_DATABASE_PASSWORD` (required if POSTGRESQL_PASSWORD is set & must be the same as POSTGRESQL_PASSWORD.) 
+ ## `REGISTRY_CREDENTIAL_USERNAME` (optional - alternatively weak defaults), + ## `REGISTRY_CREDENTIAL_PASSWORD` (optional - alternatively weak defaults), + ## `_REDIS_URL_CORE` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/0") + ## `_REDIS_URL_REG` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/2") + ## + ## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret + ## Notes: + ## As a EnvVars secret, this secret also store redis config urls + ## The HARBOR_ADMIN_PASSWORD is only required at initial deployment, once the password is set in database, it is not used anymore + ## + existingEnvVarsSecret: "" + ## @param core.csrfKey The CSRF key. Will be generated automatically if it isn't specified + ## + csrfKey: {{ .Values.globals.harbor.coreCsrfKey }} + ## Use TLS in the container + ## + tls: + ## @param core.tls.existingSecret Name of an existing secret with the certificates for internal TLS access + ## Requires `internalTLS.enabled` to be set to `true`` + ## Self-signed TLS certificates will be used otherwise + ## + existingSecret: "" + ## @param core.command Override default container command (useful when using custom images) + ## + command: [] + ## @param core.args Override default container args (useful when using custom images) + ## + args: [] + ## @param core.extraEnvVars Array with extra environment variables to add Harbor Core pods + ## + extraEnvVars: [] + ## @param core.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Core pods + ## + extraEnvVarsCM: "" + ## @param core.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Core pods + ## + extraEnvVarsSecret: "" + ## @param core.configOverwriteJson String containing a JSON with configuration overrides + ## Source: 
https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#harbor-user-settings + ## + configOverwriteJson: "" + ## @param core.configOverwriteJsonSecret Secret containing the JSON configuration overrides + ## Source: https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#harbor-user-settings + ## + configOverwriteJsonSecret: "" + ## @param core.containerPorts.http Harbor Core HTTP container port + ## @param core.containerPorts.https Harbor Core HTTPS container port + ## @param core.containerPorts.metrics Harbor Core metrics container port + ## + containerPorts: + http: 8080 + https: 8443 + metrics: 8001 + ## @param core.replicaCount Number of Harbor Core replicas + ## + replicaCount: 1 + ## Configure extra options for Harbor Core containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param core.livenessProbe.enabled Enable livenessProbe on Harbor Core containers + ## @param core.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param core.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param core.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param core.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param core.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param core.readinessProbe.enabled Enable readinessProbe on Harbor Core containers + ## @param core.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param core.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param core.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param 
core.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param core.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param core.startupProbe.enabled Enable startupProbe on Harbor Core containers + ## @param core.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param core.startupProbe.periodSeconds Period seconds for startupProbe + ## @param core.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param core.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param core.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param core.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param core.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param core.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Harbor Core resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param core.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if core.resources is set (core.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "small"
+ ## @param core.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Configure Harbor Core pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param core.podSecurityContext.enabled Enabled Harbor Core pods' Security Context
+ ## @param core.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param core.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param core.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param core.podSecurityContext.fsGroup Set Harbor Core pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+ ## Configure Harbor Core containers (only main one) Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param core.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param core.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param core.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param core.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param core.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param core.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param core.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param core.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param core.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param core.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## @param core.updateStrategy.type Harbor Core deployment strategy type - only really applicable for deployments with RWO PVs attached
+ ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
+ ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
+ ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ ## @param core.lifecycleHooks LifecycleHook for the Harbor Core container(s) to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param core.hostAliases Harbor Core pods host aliases
+ ##
+ hostAliases: []
+ ## @param core.podLabels Add additional labels to the Harbor Core pods (evaluated as a template)
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param core.podAnnotations Annotations to add to the Harbor Core pods (evaluated as a template)
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param core.podAffinityPreset Harbor Core Pod affinity preset. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param core.podAntiAffinityPreset Harbor Core Pod anti-affinity preset. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param core.nodeAffinityPreset.type Harbor Core Node affinity preset type. Ignored if `core.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param core.nodeAffinityPreset.key Harbor Core Node label key to match Ignored if `core.affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param core.nodeAffinityPreset.values Harbor Core Node label values to match. Ignored if `core.affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param core.affinity Harbor Core Affinity for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: core.podAffinityPreset, core.podAntiAffinityPreset, and core.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param core.nodeSelector Harbor Core Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param core.tolerations Harbor Core Tolerations for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param core.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: []
+ ## @param core.priorityClassName Priority Class Name
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ ##
+ priorityClassName: ""
+ ## @param core.schedulerName Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param core.sidecars Add additional sidecar containers to the Harbor Core pods
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param core.initContainers Add additional init containers to the Harbor Core pods
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: []
+ ## Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
+ ## @param core.pdb.create Enable/disable a Pod Disruption Budget creation
+ ## @param core.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+ ## @param core.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `core.pdb.minAvailable` and `core.pdb.maxUnavailable` are empty.
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
+ ## @param core.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Core pods
+ ##
+ extraVolumeMounts: []
+ ## @param core.extraVolumes Optionally specify extra list of additional volumes for the Harbor Core pods
+ ##
+ extraVolumes: []
+ ## @param core.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
+ ## Harbor Core ServiceAccount configuration
+ ##
+ serviceAccount:
+ ## @param core.serviceAccount.create Specifies whether a ServiceAccount should be created
+ ##
+ create: false
+ ## @param core.serviceAccount.name The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param core.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+ ##
+ automountServiceAccountToken: false
+ ## @param core.serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+ ## Harbor Core service configuration
+ ##
+ service:
+ ## @param core.service.ports.http Harbor Core HTTP service port
+ ## @param core.service.ports.https Harbor Core HTTPS service port
+ ## @param core.service.ports.metrics Harbor Core metrics service port
+ ##
+ ports:
+ http: 80
+ https: 443
+ metrics: 8001
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param core.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param core.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param core.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param core.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param core.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param core.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param core.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+## @section Harbor Jobservice Parameters
+##
+jobservice:
+ ## Bitnami Harbor Jobservice image
+ ## ref: https://hub.docker.com/r/bitnami/harbor-jobservice/tags/
+ ## @param jobservice.image.registry [default: REGISTRY_NAME] Harbor Jobservice image registry
+ ## @param jobservice.image.repository [default: REPOSITORY_NAME/harbor-jobservice] Harbor Jobservice image repository
+ ## @skip jobservice.image.tag Harbor Jobservice image tag (immutable tags are recommended)
+ ## @param jobservice.image.digest Harbor Jobservice image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param jobservice.image.pullPolicy Harbor Jobservice image pull policy
+ ## @param jobservice.image.pullSecrets Harbor Jobservice image pull secrets
+ ## @param jobservice.image.debug Enable Harbor Jobservice image debug mode
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/harbor-jobservice
+ tag: 2.12.2-debian-12-r1
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Enable debug mode
+ ##
+ debug: false
+ ## @param jobservice.maxJobWorkers The max job workers
+ ##
+ maxJobWorkers: 10
+ ## @param jobservice.redisNamespace Redis namespace for jobservice
+ ##
+ redisNamespace: harbor_job_service_namespace
+ ## @param jobservice.jobLogger The logger for jobs: `file`, `database` or `stdout`
+ ##
+ jobLogger: file
+ ## @param jobservice.secret Secret used when the job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars.
+ ## If a secret key is not specified, Helm will generate one.
+ ## Must be a string of 16 chars.
+ ##
+ secret: {{ .Values.globals.harbor.jobserviceSecret }}
+ ## @param jobservice.existingSecret Existing secret for jobservice
+ ## The secret must contain the keys:
+ ## `secret` (required),
+ ##
+ existingSecret: ""
+ ## @param jobservice.existingEnvVarsSecret Existing secret for jobservice envvars
+ ## The secret must contain the keys:
+ ## `REGISTRY_CREDENTIAL_PASSWORD` (optional),
+ ## `JOB_SERVICE_POOL_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/1"),
+ ##
+ ## If you do not know how to start, let the chart generate a full secret for you before defining an existingEnvVarsSecret
+ existingEnvVarsSecret: ""
+ ## Use TLS in the container
+ ##
+ tls:
+ ## @param jobservice.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
+ ## Requires `internalTLS.enabled` to be set to `true``
+ ## Self-signed TLS certificates will be used otherwise
+ ##
+ existingSecret: ""
+ ## @param jobservice.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param jobservice.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param jobservice.extraEnvVars Array with extra environment variables to add Harbor Jobservice pods
+ ##
+ extraEnvVars: []
+ ## @param jobservice.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Jobservice pods
+ ##
+ extraEnvVarsCM: ""
+ ## @param jobservice.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Jobservice pods
+ ##
+ extraEnvVarsSecret: ""
+ ## @param jobservice.containerPorts.http Harbor Jobservice HTTP container port
+ ## @param jobservice.containerPorts.https Harbor Jobservice HTTPS container port
+ ## @param jobservice.containerPorts.metrics Harbor Jobservice metrics container port
+ ##
+ containerPorts:
+ http: 8080
+ https: 8443
+ metrics: 8001
+ ## @param jobservice.replicaCount Number of Harbor Jobservice replicas
+ ##
+ replicaCount: 1
+ ## Configure extra options for Harbor Jobservice containers' liveness, readiness and startup probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param jobservice.livenessProbe.enabled Enable livenessProbe on Harbor Jobservice containers
+ ## @param jobservice.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param jobservice.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param jobservice.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param jobservice.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param jobservice.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param jobservice.readinessProbe.enabled Enable readinessProbe on Harbor Jobservice containers
+ ## @param jobservice.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param jobservice.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param jobservice.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param jobservice.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param jobservice.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param jobservice.startupProbe.enabled Enable startupProbe on Harbor Jobservice containers
+ ## @param jobservice.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param jobservice.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param jobservice.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param jobservice.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param jobservice.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param jobservice.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param jobservice.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param jobservice.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## Harbor Jobservice resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param jobservice.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if jobservice.resources is set (jobservice.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "small"
+ ## @param jobservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Configure Harbor Jobservice pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param jobservice.podSecurityContext.enabled Enabled Harbor Jobservice pods' Security Context
+ ## @param jobservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param jobservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param jobservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param jobservice.podSecurityContext.fsGroup Set Harbor Jobservice pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+ ## Configure Harbor Jobservice containers (only main one) Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param jobservice.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param jobservice.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param jobservice.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param jobservice.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param jobservice.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param jobservice.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param jobservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param jobservice.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param jobservice.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param jobservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## @param jobservice.updateStrategy.type Harbor Jobservice deployment strategy type - only really applicable for deployments with RWO PVs attached
+ ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
+ ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
+ ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ ## @param jobservice.lifecycleHooks LifecycleHook for the Harbor Jobservice container(s) to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param jobservice.hostAliases Harbor Jobservice pods host aliases
+ ##
+ hostAliases: []
+ ## @param jobservice.podLabels Add additional labels to the Harbor Jobservice pods (evaluated as a template)
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param jobservice.podAnnotations Annotations to add to the Harbor Jobservice pods (evaluated as a template)
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param jobservice.podAffinityPreset Harbor Jobservice Pod affinity preset. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param jobservice.podAntiAffinityPreset Harbor Jobservice Pod anti-affinity preset. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param jobservice.nodeAffinityPreset.type Harbor Jobservice Node affinity preset type. Ignored if `jobservice.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param jobservice.nodeAffinityPreset.key Harbor Jobservice Node label key to match Ignored if `jobservice.affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param jobservice.nodeAffinityPreset.values Harbor Jobservice Node label values to match. Ignored if `jobservice.affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param jobservice.affinity Harbor Jobservice Affinity for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: jobservice.podAffinityPreset, jobservice.podAntiAffinityPreset, and jobservice.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param jobservice.nodeSelector Harbor Jobservice Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param jobservice.tolerations Harbor Jobservice Tolerations for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param jobservice.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: []
+ ## @param jobservice.priorityClassName Priority Class Name
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ ##
+ priorityClassName: ""
+ ## @param jobservice.schedulerName Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param jobservice.sidecars Add additional sidecar containers to the Harbor Jobservice pods
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param jobservice.initContainers Add additional init containers to the Harbor Jobservice pods
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: []
+ ## Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
+ ## @param jobservice.pdb.create Enable/disable a Pod Disruption Budget creation
+ ## @param jobservice.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+ ## @param jobservice.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `jobservice.pdb.minAvailable` and `jobservice.pdb.maxUnavailable` are empty.
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
+ ## @param jobservice.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Jobservice pods
+ ##
+ extraVolumeMounts: []
+ ## @param jobservice.extraVolumes Optionally specify extra list of additional volumes for the Harbor Jobservice pods
+ ##
+ extraVolumes: []
+ ## @param jobservice.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
+ ## Harbor Jobservice ServiceAccount configuration
+ ##
+ serviceAccount:
+ ## @param jobservice.serviceAccount.create Specifies whether a ServiceAccount should be created
+ ##
+ create: false
+ ## @param jobservice.serviceAccount.name The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param jobservice.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+ ##
+ automountServiceAccountToken: false
+ ## @param jobservice.serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+ ## Harbor Jobservice service configuration
+ ##
+ service:
+ ## @param jobservice.service.ports.http Harbor Jobservice HTTP service port
+ ## @param jobservice.service.ports.https Harbor Jobservice HTTPS service port
+ ## @param jobservice.service.ports.metrics Harbor Jobservice HTTPS service port
+ ##
+ ports:
+ http: 80
+ https: 443
+ metrics: 8001
+ ## Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param jobservice.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param jobservice.networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param jobservice.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param jobservice.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param jobservice.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param jobservice.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param jobservice.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+## @section Harbor Registry Parameters
+##
+
+## Registry Parameters
+##
+registry:
+ ## @param registry.secret Secret is used to secure the upload state from client and registry storage backend. See:
+ ## and registry storage backend.
+ ## See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
+ ## If a secret key is not specified, Helm will generate one.
+ ## Must be a string of 16 chars.
+ ##
+ secret: {{ .Values.globals.harbor.registrySecret }}
+ ## @param registry.existingSecret Existing secret for registry
+ ## The secret must contain the keys:
+ ## `REGISTRY_HTPASSWD` (required - replaces insecure defaults),
+ ## `REGISTRY_HTTP_SECRET` (optional - generated on the fly if not secified),
+ ## `REGISTRY_REDIS_PASSWORD` (optional),
+ ##
+ existingSecret: ""
+ ## @param registry.relativeurls Make the registry return relative URLs in Location headers. The client is responsible for resolving the correct URL.
+ ##
+ relativeurls: false
+ ## @param registry.credentials.username The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd)
+ ## @param registry.credentials.password The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation.
+ ## @param registry.credentials.htpasswd The content of htpasswd file based on the value of `registry.credentials.username` `registry.credentials.password`. Currently `helm` does not support bcrypt in the template script, if the credential is updated you need to manually generated by calling
+ ##
+ credentials:
+ username: {{ .Values.globals.harbor.username }}
+ password: {{ .Values.globals.harbor.password }}
+ ## If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
+ ## e.g. "htpasswd -nbBC10 $username $password"
+ ##
+ htpasswd: {{ .Values.globals.harbor.htpasswd }}
+ middleware:
+ ## @param registry.middleware.enabled Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See
+ ##
+ enabled: false
+ ## @param registry.middleware.type CDN type for the middleware
+ ##
+ type: cloudFront
+ ## @param registry.middleware.cloudFront.baseurl CloudFront CDN settings: Base URL
+ ## @param registry.middleware.cloudFront.keypairid CloudFront CDN settings: Keypair ID
+ ## @param registry.middleware.cloudFront.duration CloudFront CDN settings: Duration
+ ## @param registry.middleware.cloudFront.ipfilteredby CloudFront CDN settings: IP filters
+ ## @param registry.middleware.cloudFront.privateKeySecret CloudFront CDN settings: Secret name with the private key
+ ##
+ cloudFront:
+ baseurl: example.cloudfront.net
+ keypairid: KEYPAIRID
+ duration: 3000s
+ ipfilteredby: none
+ ## The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
+ ## that allows access to CloudFront
+ ##
+ privateKeySecret: my-secret
+ ## Use TLS in the container
+ ##
+ tls:
+ ## @param registry.tls.existingSecret Name of an existing secret with the certificates for internal TLS access
+ ## Requires `internalTLS.enabled` to be set to `true``
+ ## Self-signed TLS certificates will be used otherwise
+ ##
+ existingSecret: ""
+ ## @param registry.replicaCount Number of Harbor Registry replicas
+ ##
+ replicaCount: 1
+ ## Configure Harbor Registry pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param registry.podSecurityContext.enabled Enabled Harbor Registry pods' Security Context
+ ## @param registry.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param registry.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param registry.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param registry.podSecurityContext.fsGroup Set Harbor Registry pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+ ## @param registry.updateStrategy.type Harbor Registry deployment strategy type - only really applicable for deployments with RWO PVs attached
+ ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
+ ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
+ ## terminate the single previous pod, so that the new, incoming pod can attach to the PV
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ ## @param registry.hostAliases Harbor Registry pods host aliases
+ ##
+ hostAliases: []
+ ## @param registry.podLabels Add additional labels to the Harbor Registry pods (evaluated as a template)
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param registry.podAnnotations Annotations to add to the Harbor Registry pods (evaluated as a template)
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param registry.podAffinityPreset Harbor Registry Pod affinity preset. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param registry.podAntiAffinityPreset Harbor Registry Pod anti-affinity preset. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param registry.nodeAffinityPreset.type Harbor Registry Node affinity preset type. Ignored if `registry.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param registry.nodeAffinityPreset.key Harbor Registry Node label key to match Ignored if `registry.affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param registry.nodeAffinityPreset.values Harbor Registry Node label values to match. Ignored if `registry.affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param registry.affinity Harbor Registry Affinity for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: registry.podAffinityPreset, registry.podAntiAffinityPreset, and registry.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param registry.nodeSelector Harbor Registry Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param registry.tolerations Harbor Registry Tolerations for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param registry.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: []
+ ## @param registry.priorityClassName Priority Class Name
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ ##
+ priorityClassName: ""
+ ## @param registry.schedulerName Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param registry.sidecars Add additional sidecar containers to the Harbor Registry pods + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param registry.initContainers Add additional init containers to the Harbor Registry pods + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param registry.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param registry.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param registry.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `registry.pdb.minAvailable` and `registry.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## @param registry.extraVolumes Optionally specify extra list of additional volumes for the Harbor Registry pods + ## + extraVolumes: [] + ## @param registry.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## Harbor Registry ServiceAccount configuration + ## + serviceAccount: + ## @param registry.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param registry.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param registry.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## + automountServiceAccountToken: false + ## @param registry.serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param registry.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param registry.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param registry.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param registry.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param registry.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param registry.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param registry.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## Harbor Registry main container parameters + ## + server: + ## Bitnami Harbor Registry image + ## ref: https://hub.docker.com/r/bitnami/harbor-registry/tags/ + ## @param registry.server.image.registry [default: REGISTRY_NAME] Harbor Registry image registry + ## @param registry.server.image.repository [default: REPOSITORY_NAME/harbor-registry] Harbor Registry image repository + ## @skip registry.server.image.tag Harbor Registry image tag (immutable tags are recommended) + ## @param registry.server.image.digest Harbor Registry image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param registry.server.image.pullPolicy Harbor Registry image pull policy + ## @param registry.server.image.pullSecrets Harbor Registry image pull secrets + ## @param registry.server.image.debug Enable Harbor Registry image debug mode + ## + image: + registry: docker.io + repository: bitnami/harbor-registry + tag: 2.12.2-debian-12-r1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param registry.server.command Override default container command (useful when using custom images) + ## + command: [] + ## @param registry.server.args Override default container args (useful when using custom images) + ## + args: [] + ## @param registry.server.extraEnvVars Array with extra environment variables to add Harbor Registry main containers + ## + extraEnvVars: [] + ## @param registry.server.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Registry main containers + ## + extraEnvVarsCM: "" + ## @param registry.server.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Registry main containers + ## + extraEnvVarsSecret: "" + ## @param registry.server.containerPorts.http Harbor Registry HTTP container port + ## @param registry.server.containerPorts.https Harbor Registry HTTPS container port + ## @param registry.server.containerPorts.debug Harbor Registry debug container port + ## @param registry.server.containerPorts.metrics Harbor Registry metrics container port + ## + containerPorts: + http: 5000 + 
https: 5443 + debug: 5001 + metrics: 8001 + ## Configure extra options for Harbor Registry main containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param registry.server.livenessProbe.enabled Enable livenessProbe on Harbor Registry main containers + ## @param registry.server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param registry.server.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param registry.server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param registry.server.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param registry.server.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param registry.server.readinessProbe.enabled Enable readinessProbe on Harbor Registry main containers + ## @param registry.server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param registry.server.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param registry.server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param registry.server.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param registry.server.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param registry.server.startupProbe.enabled Enable startupProbe on Harbor Registry main containers + ## @param registry.server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param registry.server.startupProbe.periodSeconds 
Period seconds for startupProbe + ## @param registry.server.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param registry.server.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param registry.server.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param registry.server.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param registry.server.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param registry.server.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Harbor Registry main resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param registry.server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.server.resources is set (registry.server.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param registry.server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Harbor Registry main containers (only main one) Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param registry.server.containerSecurityContext.enabled Enabled containers' Security Context + ## @param registry.server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param registry.server.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param registry.server.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param registry.server.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param registry.server.containerSecurityContext.privileged Set container's Security Context privileged + ## @param registry.server.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param registry.server.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param registry.server.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param registry.server.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: 
false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param registry.server.lifecycleHooks LifecycleHook for the Harbor Registry main container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param registry.server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Registry main pods + ## + extraVolumeMounts: [] + ## Harbor Registry service configuration + ## + service: + ## @param registry.server.service.ports.http Harbor Registry HTTP service port + ## @param registry.server.service.ports.https Harbor Registry HTTPS service port + ## @param registry.server.service.ports.metrics Harbor Registry metrics service port + ## + ports: + http: 5000 + https: 5443 + metrics: 8001 + ## Harbor Registryctl parameters + ## + controller: + ## Bitnami Harbor Registryctl image + ## ref: https://hub.docker.com/r/bitnami/harbor-registryctl/tags/ + ## @param registry.controller.image.registry [default: REGISTRY_NAME] Harbor Registryctl image registry + ## @param registry.controller.image.repository [default: REPOSITORY_NAME/harbor-registryctl] Harbor Registryctl image repository + ## @skip registry.controller.image.tag Harbor Registryctl image tag (immutable tags are recommended) + ## @param registry.controller.image.digest Harbor Registryctl image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param registry.controller.image.pullPolicy Harbor Registryctl image pull policy + ## @param registry.controller.image.pullSecrets Harbor Registryctl image pull secrets + ## @param registry.controller.image.debug Enable Harbor Registryctl image debug mode + ## + image: + registry: docker.io + repository: bitnami/harbor-registryctl + tag: 2.12.2-debian-12-r1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param registry.controller.command Override default container command (useful when using custom images) + ## + command: [] + ## @param registry.controller.args Override default container args (useful when using custom images) + ## + args: [] + ## @param registry.controller.extraEnvVars Array with extra environment variables to add Harbor Registryctl containers + ## + extraEnvVars: [] + ## @param registry.controller.extraEnvVarsCM ConfigMap containing extra environment variables for Harbor Registryctl containers + ## + extraEnvVarsCM: "" + ## @param registry.controller.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Harbor Registryctl containers + ## + extraEnvVarsSecret: "" + ## @param registry.controller.containerPorts.http Harbor Registryctl HTTP container port + ## @param registry.controller.containerPorts.https Harbor Registryctl HTTPS container port + ## + containerPorts: + http: 8080 + https: 8443 + ## Configure extra options for Harbor Registryctl containers' liveness, readiness and startup probes + ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param registry.controller.livenessProbe.enabled Enable livenessProbe on Harbor Registryctl containers + ## @param registry.controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param registry.controller.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param registry.controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param registry.controller.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param registry.controller.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param registry.controller.readinessProbe.enabled Enable readinessProbe on Harbor Registryctl containers + ## @param registry.controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param registry.controller.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param registry.controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param registry.controller.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param registry.controller.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param registry.controller.startupProbe.enabled Enable startupProbe on Harbor Registryctl containers + ## @param registry.controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param registry.controller.startupProbe.periodSeconds Period seconds for startupProbe + ## @param registry.controller.startupProbe.timeoutSeconds Timeout 
seconds for startupProbe + ## @param registry.controller.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param registry.controller.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param registry.controller.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param registry.controller.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param registry.controller.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Harbor Registryctl resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param registry.controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if registry.controller.resources is set (registry.controller.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param registry.controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Harbor Registryctl containers (only main one) Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param registry.controller.containerSecurityContext.enabled Enabled containers' Security Context + ## @param registry.controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param registry.controller.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param registry.controller.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param registry.controller.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param registry.controller.containerSecurityContext.privileged Set container's Security Context privileged + ## @param registry.controller.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param registry.controller.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param registry.controller.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param registry.controller.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + 
readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param registry.controller.lifecycleHooks LifecycleHook for the Harbor Registryctl container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param registry.controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Harbor Registryctl pods + ## + extraVolumeMounts: [] + ## Harbor Registryctl service configuration + ## + service: + ## @param registry.controller.service.ports.http Harbor Registryctl HTTP service port + ## @param registry.controller.service.ports.https Harbor Registryctl HTTPS service port + ## + ports: + http: 8080 + https: 8443 +## @section Harbor Adapter Trivy Parameters +## +trivy: + ## Bitnami Harbor Adapter Trivy image + ## ref: https://hub.docker.com/r/bitnami/harbor-adapter-trivy/tags/ + ## @param trivy.image.registry [default: REGISTRY_NAME] Harbor Adapter Trivy image registry + ## @param trivy.image.repository [default: REPOSITORY_NAME/harbor-adapter-trivy] Harbor Adapter Trivy image repository + ## @skip trivy.image.tag Harbor Adapter Trivy image tag (immutable tags are recommended) + ## @param trivy.image.digest Harbor Adapter Trivy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param trivy.image.pullPolicy Harbor Adapter Trivy image pull policy + ## @param trivy.image.pullSecrets Harbor Adapter Trivy image pull secrets + ## @param trivy.image.debug Enable Harbor Adapter Trivy image debug mode + ## + image: + registry: docker.io + repository: bitnami/harbor-adapter-trivy + tag: 2.12.2-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param trivy.enabled Enable Trivy + ## + enabled: true + ## @param trivy.debugMode The flag to enable Trivy debug mode + ## + debugMode: false + ## @param trivy.vulnType Comma-separated list of vulnerability types. Possible values `os` and `library`. + ## + vulnType: "os,library" + ## @param trivy.severity Comma-separated list of severities to be checked + ## + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + ## @param trivy.ignoreUnfixed The flag to display only fixed vulnerabilities + ## + ignoreUnfixed: false + ## @param trivy.insecure The flag to skip verifying registry certificate + ## + insecure: false + ## @param trivy.existingEnvVarsSecret Existing secret for trivy + ## The secret must contain the keys: + ## `SCANNER_TRIVY_GITHUB_TOKEN` (optional) + ## `SCANNER_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5") + ## `SCANNER_STORE_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5") + ## `SCANNER_JOB_QUEUE_REDIS_URL` (required - if using the internal Redis - set to base64 of "redis://harbor-redis-master:6379/5") + ## + existingEnvVarsSecret: "" + ## @param trivy.gitHubToken The GitHub access token to download Trivy DB + ## + ## Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + ## It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + ## in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + ## timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. 
+ ## Currently, the database is updated every 12 hours and published as a new release to GitHub. + ## + ## Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + ## for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + ## requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + ## https://developer.github.com/v3/#rate-limiting + ## + ## You can create a GitHub token by following the instructions in + ## https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + ## + gitHubToken: "" + ## @param trivy.skipUpdate The flag to disable Trivy DB downloads from GitHub + ## You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + ## If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + ## `/bitnami/harbor-adapter-trivy/.cache/trivy/db/trivy.db` path. + ## ref: https://trivy.dev/dev/docs/configuration/db/ + ## + skipUpdate: false + ## @param trivy.skipJavaDbUpdate The flag to disable Trivy JAVA DB downloads. + ## You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + ## If the value is set to `true` you have to manually download the `trivy-java.db` file and mount it in the + ## `/bitnami/harbor-adapter-trivy/.cache/trivy/java-db/trivy-java.db` path. 
+ ## + skipJavaDbUpdate: false + ## @param trivy.dbRepository OCI repositor(ies) to retrieve the trivy vulnerability database from + dbRepository: "" + ## @param trivy.javaDbRepository OCI repositor(ies) to retrieve the Java trivy vulnerability database from + javaDbRepository: "" + ## @param trivy.cacheDir Directory to store the cache + ## + cacheDir: "/bitnami/harbor-adapter-trivy/.cache" + ## Use TLS in the container + ## + tls: + ## @param trivy.tls.existingSecret Name of an existing secret with the certificates for internal TLS access + ## Requires `internalTLS.enabled` to be set to `true`` + ## Self-signed TLS certificates will be used otherwise + ## + existingSecret: "" + ## @param trivy.command Override default container command (useful when using custom images) + ## + command: [] + ## @param trivy.args Override default container args (useful when using custom images) + ## + args: [] + ## @param trivy.extraEnvVars Array with extra environment variables to add Trivy pods + ## + extraEnvVars: [] + ## @param trivy.extraEnvVarsCM ConfigMap containing extra environment variables for Trivy pods + ## + extraEnvVarsCM: "" + ## @param trivy.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for Trivy pods + ## + extraEnvVarsSecret: "" + ## @param trivy.containerPorts.http Trivy HTTP container port + ## @param trivy.containerPorts.https Trivy HTTPS container port + ## + containerPorts: + http: 8080 + https: 8443 + ## @param trivy.replicaCount Number of Trivy replicas + ## + replicaCount: 1 + ## Configure extra options for Trivy containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param trivy.livenessProbe.enabled Enable livenessProbe on Trivy containers + ## @param trivy.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param trivy.livenessProbe.periodSeconds Period 
seconds for livenessProbe + ## @param trivy.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param trivy.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param trivy.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param trivy.readinessProbe.enabled Enable readinessProbe on Trivy containers + ## @param trivy.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param trivy.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param trivy.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param trivy.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param trivy.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param trivy.startupProbe.enabled Enable startupProbe on Trivy containers + ## @param trivy.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param trivy.startupProbe.periodSeconds Period seconds for startupProbe + ## @param trivy.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param trivy.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param trivy.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param trivy.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param trivy.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param 
trivy.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Trivy resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param trivy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if trivy.resources is set (trivy.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param trivy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Trivy pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param trivy.podSecurityContext.enabled Enabled Trivy pods' Security Context + ## @param trivy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param trivy.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param trivy.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param trivy.podSecurityContext.fsGroup Set Trivy pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Trivy containers (only main one) Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param trivy.containerSecurityContext.enabled Enabled containers' Security Context + ## @param trivy.containerSecurityContext.seLinuxOptions 
[object,nullable] Set SELinux options in container + ## @param trivy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param trivy.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param trivy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param trivy.containerSecurityContext.privileged Set container's Security Context privileged + ## @param trivy.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param trivy.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param trivy.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param trivy.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param trivy.updateStrategy.type Trivy deployment strategy type - only really applicable for deployments with RWO PVs attached + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. 
Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + updateStrategy: + type: RollingUpdate + ## @param trivy.lifecycleHooks LifecycleHook for the Trivy container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param trivy.hostAliases Trivy pods host aliases + ## + hostAliases: [] + ## @param trivy.podLabels Add additional labels to the Trivy pods (evaluated as a template) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param trivy.podAnnotations Annotations to add to the Trivy pods (evaluated as a template) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param trivy.podAffinityPreset Trivy Pod affinity preset. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param trivy.podAntiAffinityPreset Trivy Pod anti-affinity preset. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param trivy.nodeAffinityPreset.type Trivy Node affinity preset type. Ignored if `trivy.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param trivy.nodeAffinityPreset.key Trivy Node label key to match Ignored if `trivy.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param trivy.nodeAffinityPreset.values Trivy Node label values to match. Ignored if `trivy.affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param trivy.affinity Trivy Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: trivy.podAffinityPreset, trivy.podAntiAffinityPreset, and trivy.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param trivy.nodeSelector Trivy Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param trivy.tolerations Trivy Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param trivy.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param trivy.priorityClassName Priority Class Name + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + ## + priorityClassName: "" + ## @param trivy.schedulerName Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param trivy.sidecars Add additional sidecar containers to the Trivy pods + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param trivy.initContainers Add additional init containers to the Trivy pods + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param trivy.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param trivy.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param trivy.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `trivy.pdb.minAvailable` and `trivy.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## @param trivy.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Trivy pods + ## + extraVolumeMounts: [] + ## @param trivy.extraVolumes Optionally specify extra list of additional volumes for the Trivy pods + ## + extraVolumes: [] + ## @param trivy.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## Trivy ServiceAccount configuration + ## + serviceAccount: + ## @param trivy.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: false + ## @param trivy.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param trivy.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## + automountServiceAccountToken: false + ## @param trivy.serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## Trivy service configuration + ## + service: + ## @param trivy.service.ports.http Trivy HTTP service port + ## @param trivy.service.ports.https Trivy HTTPS service port + ## + ports: + http: 8080 + https: 8443 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param trivy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param trivy.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param trivy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param trivy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param trivy.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param trivy.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param trivy.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## @section Harbor Exporter Parameters +## +exporter: + ## Bitnami Harbor Exporter image + ## ref: https://hub.docker.com/r/bitnami/harbor-exporter/tags/ + ## @param exporter.image.registry [default: REGISTRY_NAME] Harbor Exporter image registry + ## @param exporter.image.repository [default: REPOSITORY_NAME/harbor-exporter] Harbor Exporter image repository + ## @skip exporter.image.tag Harbor Exporter image tag + ## @param exporter.image.digest Harbor Exporter image image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param exporter.image.pullPolicy Harbor exporter image pull policy + ## @param exporter.image.pullSecrets Specify docker-registry secret names as an array + ## @param exporter.image.debug Specify if debug logs should be enabled + ## + image: + registry: docker.io + repository: bitnami/harbor-exporter + tag: 2.12.2-debian-12-r1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param exporter.command Override default container command (useful when using custom images) + ## + command: [] + ## @param exporter.args Override default container args (useful when using custom images) + ## + args: [] + ## @param exporter.extraEnvVars Array containing extra env vars + ## For example: + ## - name: HARBOR_DATABASE_SSLMODE + ## value: verify-ca + ## + extraEnvVars: [] + ## @param exporter.extraEnvVarsCM ConfigMap containing extra env vars + ## + extraEnvVarsCM: "" + ## @param exporter.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param exporter.containerPorts.metrics Harbor Exporter HTTP container port + ## + containerPorts: + metrics: 8001 + ## @param exporter.replicaCount The replica count + ## + replicaCount: 1 + ## Harbor Exporter containers' liveness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param exporter.livenessProbe.enabled Enable livenessProbe + ## @param exporter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + 
## @param exporter.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param exporter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param exporter.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param exporter.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## Harbor Exporter containers' readiness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param exporter.readinessProbe.enabled Enable readinessProbe + ## @param exporter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param exporter.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param exporter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param exporter.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param exporter.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param exporter.startupProbe.enabled Enable startupProbe on Harbor Exporter containers + ## @param exporter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param exporter.startupProbe.periodSeconds Period seconds for startupProbe + ## @param exporter.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param exporter.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param exporter.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param exporter.customLivenessProbe 
Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param exporter.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param exporter.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Harbor Exporter resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param exporter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if exporter.resources is set (exporter.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param exporter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Exporter pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param exporter.podSecurityContext.enabled Enabled Exporter pods' Security Context + ## @param exporter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param exporter.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param exporter.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param exporter.podSecurityContext.fsGroup Set Exporter pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Exporter containers (only main one) Security Context + ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param exporter.containerSecurityContext.enabled Enabled containers' Security Context + ## @param exporter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param exporter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param exporter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param exporter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param exporter.containerSecurityContext.privileged Set container's Security Context privileged + ## @param exporter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param exporter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param exporter.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param exporter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param exporter.updateStrategy.type The update strategy for deployments with persistent volumes: RollingUpdate or Recreate. Set it as Recreate when RWM for volumes isn't supported + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. 
Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + updateStrategy: + type: RollingUpdate + ## @param exporter.lifecycleHooks LifecycleHook to set additional configuration at startup, e.g. LDAP settings via REST API. Evaluated as a template + ## + lifecycleHooks: {} + ## @param exporter.hostAliases Exporter pods host aliases + ## + hostAliases: [] + ## @param exporter.podLabels Add additional labels to the pod (evaluated as a template) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param exporter.podAnnotations Annotations to add to the exporter pod + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param exporter.podAffinityPreset Harbor Exporter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param exporter.podAntiAffinityPreset Harbor Exporter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param exporter.nodeAffinityPreset.type Harbor Exporter Node affinity preset type. Ignored if `exporter.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param exporter.nodeAffinityPreset.key Harbor Exporter Node label key to match Ignored if `exporter.affinity` is set. + ## E.g. 
+ ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param exporter.nodeAffinityPreset.values Harbor Exporter Node label values to match. Ignored if `exporter.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param exporter.affinity Harbor Exporter Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: `exporter.podAffinityPreset`, `exporter.podAntiAffinityPreset`, and `exporter.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param exporter.priorityClassName Exporter pods Priority Class Name + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + ## + priorityClassName: "" + ## @param exporter.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param exporter.nodeSelector Harbor Exporter Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param exporter.tolerations Harbor Exporter Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param exporter.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. 
Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param exporter.initContainers Add additional init containers to the pod (evaluated as a template) + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param exporter.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param exporter.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param exporter.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `exporter.pdb.minAvailable` and `exporter.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## @param exporter.extraVolumeMounts + ## + extraVolumeMounts: [] + ## @param exporter.extraVolumes + ## + extraVolumes: [] + ## @param exporter.sidecars Attach additional containers to the pod (evaluated as a template) + ## + sidecars: [] + ## @param exporter.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## Harbor Exporter ServiceAccount configuration + ## + serviceAccount: + ## @param exporter.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: false + ## @param exporter.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param exporter.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## + automountServiceAccountToken: false + ## @param exporter.serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## Exporter service configuration + ## + service: + ## @param exporter.service.ports.metrics Exporter HTTP service port + ## + ports: + metrics: 8001 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param exporter.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param exporter.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param exporter.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param exporter.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param exporter.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param exporter.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param exporter.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## @section PostgreSQL Parameters +## + +## PostgreSQL chart configuration +## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. 
Otherwise, remote access will be blocked for this user +## @param postgresql.auth.postgresPassword Password for the "postgres" admin user +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) +## @param postgresql.primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) +## @param postgresql.primary.initdb.scripts [object] Initdb scripts to create Harbor databases +## +postgresql: + enabled: false + ## Override PostgreSQL default image as 14.x is not supported https://goharbor.io/docs/2.4.0/install-config/ + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql + ## @param postgresql.image.registry [default: REGISTRY_NAME] PostgreSQL image registry + ## @param postgresql.image.repository [default: REPOSITORY_NAME/postgresql] PostgreSQL image repository + ## @skip postgresql.image.tag PostgreSQL image tag (immutable tags are recommended) + ## @param postgresql.image.digest PostgreSQL image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## + image: + registry: docker.io + repository: bitnami/postgresql + tag: 14.15.0-debian-12-r8 + digest: "" + auth: + enablePostgresUser: true + postgresPassword: not-secure-database-password + existingSecret: "" + architecture: standalone + primary: + extendedConfiguration: | + max_connections = 1024 + initdb: + scripts: + initial-registry.sql: | + CREATE DATABASE registry ENCODING 'UTF8'; + \c registry; + CREATE TABLE schema_migrations(version bigint not null primary key, dirty boolean not null); + ## PostgreSQL Primary resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param postgresql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} +## External PostgreSQL configuration +## All of these values are only used when postgresql.enabled is set to false +## @param externalDatabase.host Database host +## @param externalDatabase.port Database port number +## @param externalDatabase.user Non-root username for Harbor +## @param externalDatabase.password Password for the non-root username for Harbor +## @param externalDatabase.sslmode External database ssl mode +## @param externalDatabase.coreDatabase External database name for core +## @param externalDatabase.existingSecret The name of an existing secret with 
database credentials
+## @param externalDatabase.existingSecretPasswordKey Password key on the existing secret
+##
+externalDatabase:
+ host: postgres-postgresql.{{ .Values.globals.postgres.namespace }}.svc.cluster.local
+ port: 5432
+ user: {{ .Values.globals.harbor.postgres.username }}
+ password: {{ .Values.globals.harbor.postgres.password }}
+ sslmode: disable
+ coreDatabase: {{ .Values.globals.harbor.postgres.database }}
+ existingSecret: ""
+ existingSecretPasswordKey: "db-password"
+
+## @section Redis® parameters
+##
+
+## Redis® chart configuration
+## ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml
+## @param redis.enabled Switch to enable or disable the Redis® helm
+## @param redis.auth.enabled Enable password authentication
+## @param redis.auth.password Redis® password
+## @param redis.auth.existingSecret The name of an existing secret with Redis® credentials
+## @param redis.architecture Redis® architecture. Allowed values: `standalone` or `replication`
+## @param redis.sentinel.enabled Use Redis® Sentinel on Redis® pods.
+## @param redis.sentinel.masterSet Master set name
+## @param redis.sentinel.service.ports.sentinel Redis® service port for Redis® Sentinel
+##
+redis:
+ enabled: false
+ auth:
+ enabled: false
+ ## Redis® password (both master and slave). Defaults to a random 10-character alphanumeric string if not set and auth.enabled is true.
+ ## It should always be set using the password value or in the existingSecret to avoid issues
+ ## with Harbor.
+ ## The password value is ignored if existingSecret is set
+ ##
+ password: ""
+ existingSecret: ""
+ architecture: standalone
+ sentinel:
+ enabled: false
+ masterSet: mymaster
+ service:
+ ports:
+ sentinel: 26379
+ master:
+ ## Redis® master resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param redis.master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param redis.master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+## External Redis® configuration
+## All of these values are only used when redis.enabled is set to false
+## @param externalRedis.host Redis® host
+## @param externalRedis.port Redis® port number
+## @param externalRedis.password Redis® password
+## @param externalRedis.coreDatabaseIndex Index for core database
+## @param externalRedis.jobserviceDatabaseIndex Index for jobservice database
+## @param externalRedis.registryDatabaseIndex Index for registry database
+## @param externalRedis.trivyAdapterDatabaseIndex Index for trivy adapter database
+##
+externalRedis:
+ host: redis-master.{{ .Values.globals.redis.namespace }}.svc.cluster.local
+ port: 6379
+ password: {{ .Values.globals.redis.password }}
+ coreDatabaseIndex: "0"
+ jobserviceDatabaseIndex: "1"
+ registryDatabaseIndex: "2"
+ trivyAdapterDatabaseIndex: "5"
+ ## Redis® sentinel configuration
+ ## @param externalRedis.sentinel.enabled If external redis with sentinal is used, set it to `true`
+ ## @param externalRedis.sentinel.masterSet Name of sentinel masterSet if sentinel is used
+ ## @param externalRedis.sentinel.hosts Sentinel hosts and ports in the format
+ ##
+ sentinel:
+ enabled: false
+ masterSet: "mymaster"
+ hosts: ""
+## @section Harbor metrics parameters
+##
+metrics:
+ ## @param metrics.enabled Whether or not to enable metrics for different
+ ##
+ enabled: true
+ ## @param metrics.path Path where metrics are exposed
+ ##
+ path: /metrics
+ ## Prometheus Operator ServiceMonitor configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.enabled` to be `true`)
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: ""
+ ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+
diff --git a/proxmox/k8s/helmfile.d/values/init-dbs/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/init-dbs/values.yaml.gotmpl
new file mode 100644
index 0000000..5911482
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/init-dbs/values.yaml.gotmpl
@@ -0,0 +1,34 @@
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+postgres:
+ image:
+ ref: postgres
+ # This sets the pull policy for images.
+ pullPolicy: IfNotPresent
+ host: postgres-postgresql.{{ .Values.globals.postgres.namespace }}.svc.cluster.local
+ username: postgres
+ password: {{ .Values.globals.postgres.postgresPassword }}
+ databases:
+ {{- range .Values.globals.postgres.databases }}
+ - database: {{ .database }}
+ username: {{ .username }}
+ password: {{ .password }}
+ {{- end }}
+mysql:
+ image:
+ ref: mysql
+ # This sets the pull policy for images.
+ pullPolicy: IfNotPresent
+ host: mysql.{{ .Values.globals.mysql.namespace }}.svc.cluster.local
+ username: root
+ password: {{ .Values.globals.mysql.rootPassword }}
+ databases:
+ {{- range .Values.globals.mysql.databases }}
+ - database: {{ .database }}
+ username: {{ .username }}
+ password: {{ .password }}
+ {{- end }}
diff --git a/proxmox/k8s/helmfile.d/values/kube-prometheus-stack/values.yaml.gotmpl b/proxmox/k8s/helmfile.d/values/kube-prometheus-stack/values.yaml.gotmpl
new file mode 100644
index 0000000..be64576
--- /dev/null
+++ b/proxmox/k8s/helmfile.d/values/kube-prometheus-stack/values.yaml.gotmpl
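Review bot: The template substitutions in the init-dbs hunk are emitted unquoted — `password: {{ .Values.globals.postgres.postgresPassword }}`, `password: {{ .Values.globals.mysql.rootPassword }}` and `password: {{ .password }}` inside both `range` loops — so a password containing YAML-significant characters (a leading `*`, `&` or `[`, or a `: ` / ` #` sequence) is misparsed or breaks the render instead of being passed through verbatim. Pipe them through sprig's quote, e.g. `password: {{ .password | quote }}` and `password: {{ .Values.globals.postgres.postgresPassword | quote }}`; `{{ .database }}` and `{{ .username }}` would benefit from the same treatment. The harbor values hunk above has the same unquoted pattern on its `externalDatabase.password` and `externalRedis.password` lines. Separately, these values inline the postgres superuser and mysql root passwords in plain text, which helm then persists in the release's stored values; whether the init-dbs chart can reference an existing Secret instead is not visible here, but if it can, that would keep the credentials out of rendered values and release history.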
@@ -0,0 +1,5142 @@ +# Default values for kube-prometheus-stack. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +## Provide a name in place of kube-prometheus-stack for `app:` labels +## +nameOverride: "" + +## Override the deployment namespace +## +namespaceOverride: "" + +## Provide a k8s version to auto dashboard import script example: kubeTargetVersionOverride: 1.26.6 +## +kubeTargetVersionOverride: "" + +## Allow kubeVersion to be overridden while creating the ingress +## +kubeVersionOverride: "" + +## Provide a name to substitute for the full names of resources +## +fullnameOverride: "" + +## Labels to apply to all resources +## +commonLabels: {} +# scmhash: abc123 +# myLabel: aakkmd + +## Install Prometheus Operator CRDs +## +crds: + enabled: true + ## The CRD upgrade job mitigates the limitation of helm not being able to upgrade CRDs. + ## The job will apply the CRDs to the cluster before the operator is deployed, using helm hooks. + ## It deploy a corresponding clusterrole, clusterrolebinding and serviceaccount to apply the CRDs. + ## This feature is in preview, off by default and may change in the future. + upgradeJob: + enabled: false + image: + busybox: + registry: docker.io + repository: busybox + tag: "latest" + sha: "" + pullPolicy: IfNotPresent + kubectl: + registry: registry.k8s.io + repository: kubectl + tag: "" # defaults to the Kubernetes version + sha: "" + pullPolicy: IfNotPresent + + env: {} + ## Define resources requests and limits for single Pods. + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + + ## Additional volumes + ## + extraVolumes: [] + + ## Additional volume mounts + ## + extraVolumeMounts: [] + + ## Define which Nodes the Pods are scheduled on. 
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Assign custom affinity rules to the upgrade-crd job + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + affinity: {} + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/e2e-az-name + # operator: In + # values: + # - e2e-az1 + # - e2e-az2 + + ## If specified, the pod's tolerations. + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + + ## If specified, the pod's topology spread constraints. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: alertmanager + + # ## Labels to add to the upgrade-crd job + # ## + labels: {} + + ## Annotations to add to the upgrade-crd job + ## + annotations: {} + + ## Labels to add to the upgrade-crd pod + ## + podLabels: {} + + ## Annotations to add to the upgrade-crd pod + ## + podAnnotations: {} + + ## Service account for upgrade crd job to use. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + create: true + name: "" + annotations: {} + labels: {} + automountServiceAccountToken: true + + ## Container-specific security context configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + + ## SecurityContext holds pod-level security attributes and common container settings. 
+ ## This defaults to non root user with uid 1000 and gid 2000. *v1.PodSecurityContext false + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + +## custom Rules to override "for" and "severity" in defaultRules +## +customRules: {} + # AlertmanagerFailedReload: + # for: 3m + # AlertmanagerMembersInconsistent: + # for: 5m + # severity: "warning" + +## Create default rules for monitoring the cluster +## +defaultRules: + create: true + rules: + alertmanager: true + etcd: true + configReloaders: true + general: true + k8sContainerCpuUsageSecondsTotal: true + k8sContainerMemoryCache: true + k8sContainerMemoryRss: true + k8sContainerMemorySwap: true + k8sContainerResource: true + k8sContainerMemoryWorkingSetBytes: true + k8sPodOwner: true + kubeApiserverAvailability: true + kubeApiserverBurnrate: true + kubeApiserverHistogram: true + kubeApiserverSlos: true + kubeControllerManager: true + kubelet: true + kubeProxy: true + kubePrometheusGeneral: true + kubePrometheusNodeRecording: true + kubernetesApps: true + kubernetesResources: true + kubernetesStorage: true + kubernetesSystem: true + kubeSchedulerAlerting: true + kubeSchedulerRecording: true + kubeStateMetrics: true + network: true + node: true + nodeExporterAlerting: true + nodeExporterRecording: true + prometheus: true + prometheusOperator: true + windows: true + + ## Reduce app namespace alert scope + appNamespacesTarget: "" + + ## Set keep_firing_for for all alerts + keepFiringFor: "" + + ## Labels for default rules + labels: {} + ## Annotations for default rules + annotations: {} + + ## Additional labels for PrometheusRule alerts + additionalRuleLabels: {} + + ## Additional annotations for PrometheusRule alerts + additionalRuleAnnotations: {} + + ## Additional labels for specific PrometheusRule alert groups + additionalRuleGroupLabels: + 
alertmanager: {} + etcd: {} + configReloaders: {} + general: {} + k8sContainerCpuUsageSecondsTotal: {} + k8sContainerMemoryCache: {} + k8sContainerMemoryRss: {} + k8sContainerMemorySwap: {} + k8sContainerResource: {} + k8sPodOwner: {} + kubeApiserverAvailability: {} + kubeApiserverBurnrate: {} + kubeApiserverHistogram: {} + kubeApiserverSlos: {} + kubeControllerManager: {} + kubelet: {} + kubeProxy: {} + kubePrometheusGeneral: {} + kubePrometheusNodeRecording: {} + kubernetesApps: {} + kubernetesResources: {} + kubernetesStorage: {} + kubernetesSystem: {} + kubeSchedulerAlerting: {} + kubeSchedulerRecording: {} + kubeStateMetrics: {} + network: {} + node: {} + nodeExporterAlerting: {} + nodeExporterRecording: {} + prometheus: {} + prometheusOperator: {} + + ## Additional annotations for specific PrometheusRule alerts groups + additionalRuleGroupAnnotations: + alertmanager: {} + etcd: {} + configReloaders: {} + general: {} + k8sContainerCpuUsageSecondsTotal: {} + k8sContainerMemoryCache: {} + k8sContainerMemoryRss: {} + k8sContainerMemorySwap: {} + k8sContainerResource: {} + k8sPodOwner: {} + kubeApiserverAvailability: {} + kubeApiserverBurnrate: {} + kubeApiserverHistogram: {} + kubeApiserverSlos: {} + kubeControllerManager: {} + kubelet: {} + kubeProxy: {} + kubePrometheusGeneral: {} + kubePrometheusNodeRecording: {} + kubernetesApps: {} + kubernetesResources: {} + kubernetesStorage: {} + kubernetesSystem: {} + kubeSchedulerAlerting: {} + kubeSchedulerRecording: {} + kubeStateMetrics: {} + network: {} + node: {} + nodeExporterAlerting: {} + nodeExporterRecording: {} + prometheus: {} + prometheusOperator: {} + + additionalAggregationLabels: [] + + ## Prefix for runbook URLs. Use this to override the first part of the runbookURLs that is common to all rules. 
+ runbookUrl: "https://runbooks.prometheus-operator.dev/runbooks" + + node: + fsSelector: 'fstype!=""' + # fsSelector: 'fstype=~"ext[234]|btrfs|xfs|zfs"' + + ## Disabled PrometheusRule alerts + disabled: {} + # KubeAPIDown: true + # NodeRAIDDegraded: true + +## Deprecated way to provide custom recording or alerting rules to be deployed into the cluster. +## +# additionalPrometheusRules: [] +# - name: my-rule-file +# groups: +# - name: my_group +# rules: +# - record: my_record +# expr: 100 * my_record + +## Provide custom recording or alerting rules to be deployed into the cluster. +## +additionalPrometheusRulesMap: {} +# rule-name: +# groups: +# - name: my_group +# rules: +# - record: my_record +# expr: 100 * my_record + +## +global: + rbac: + create: true + + ## Create ClusterRoles that extend the existing view, edit and admin ClusterRoles to interact with prometheus-operator CRDs + ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles + createAggregateClusterRoles: false + pspEnabled: false + pspAnnotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Global image registry to use if it needs to be overriden for some specific use cases (e.g local registries, custom images, ...) 
+ ## + imageRegistry: "" + + ## Reference to one or more secrets to be used when pulling images + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + imagePullSecrets: [] + # - name: "image-pull-secret" + # or + # - "image-pull-secret" + +windowsMonitoring: + ## Deploys the windows-exporter and Windows-specific dashboards and rules (job name must be 'windows-exporter') + enabled: false + +## Configuration for prometheus-windows-exporter +## ref: https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-windows-exporter +## +prometheus-windows-exporter: + ## Enable ServiceMonitor and set Kubernetes label to use as a job label + ## + prometheus: + monitor: + enabled: true + jobLabel: jobLabel + + releaseLabel: true + + ## Set job label to 'windows-exporter' as required by the default Prometheus rules and Grafana dashboards + ## + podLabels: + jobLabel: windows-exporter + + ## Enable memory and container metrics as required by the default Prometheus rules and Grafana dashboards + ## + config: |- + collectors: + enabled: '[defaults],memory,container' + +## Configuration for alertmanager +## ref: https://prometheus.io/docs/alerting/alertmanager/ +## +alertmanager: + + ## Deploy alertmanager + ## + enabled: true + + ## Annotations for Alertmanager + ## + annotations: {} + + ## Api that prometheus will use to communicate with alertmanager. Possible values are v1, v2 + ## + apiVersion: v2 + + ## @param alertmanager.enableFeatures Enable access to Alertmanager disabled features. + ## + enableFeatures: [] + + ## Create dashboard configmap even if alertmanager deployment has been disabled + ## + forceDeployDashboards: false + + ## Service account for Alertmanager to use. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + create: true + name: "" + annotations: {} + automountServiceAccountToken: true + + ## Configure pod disruption budgets for Alertmanager + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget + ## + podDisruptionBudget: + enabled: false + minAvailable: 1 + maxUnavailable: "" + + ## Alertmanager configuration directives + ## ref: https://prometheus.io/docs/alerting/configuration/#configuration-file + ## https://prometheus.io/webtools/alerting/routing-tree-editor/ + ## + config: + global: + resolve_timeout: 5m + inhibit_rules: + - source_matchers: + - 'severity = critical' + target_matchers: + - 'severity =~ warning|info' + equal: + - 'namespace' + - 'alertname' + - source_matchers: + - 'severity = warning' + target_matchers: + - 'severity = info' + equal: + - 'namespace' + - 'alertname' + - source_matchers: + - 'alertname = InfoInhibitor' + target_matchers: + - 'severity = info' + equal: + - 'namespace' + - target_matchers: + - 'alertname = InfoInhibitor' + route: + group_by: ['namespace'] + group_wait: 30s + group_interval: 5m + repeat_interval: 12h + receiver: 'null' + routes: + - receiver: 'null' + matchers: + - alertname = "Watchdog" + receivers: + - name: 'null' + templates: + - '/etc/alertmanager/config/*.tmpl' + + ## Alertmanager configuration directives (as string type, preferred over the config hash map) + ## stringConfig will be used only, if tplConfig is true + ## ref: https://prometheus.io/docs/alerting/configuration/#configuration-file + ## https://prometheus.io/webtools/alerting/routing-tree-editor/ + ## + stringConfig: "" + + ## Pass the Alertmanager configuration directives through Helm's templating + ## engine. 
If the Alertmanager configuration contains Alertmanager templates, + ## they'll need to be properly escaped so that they are not interpreted by + ## Helm + ## ref: https://helm.sh/docs/developing_charts/#using-the-tpl-function + ## https://prometheus.io/docs/alerting/configuration/#tmpl_string + ## https://prometheus.io/docs/alerting/notifications/ + ## https://prometheus.io/docs/alerting/notification_examples/ + tplConfig: false + + ## Alertmanager template files to format alerts + ## By default, templateFiles are placed in /etc/alertmanager/config/ and if + ## they have a .tmpl file suffix will be loaded. See config.templates above + ## to change, add other suffixes. If adding other suffixes, be sure to update + ## config.templates above to include those suffixes. + ## ref: https://prometheus.io/docs/alerting/notifications/ + ## https://prometheus.io/docs/alerting/notification_examples/ + ## + templateFiles: {} + # + + ingress: + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + annotations: {} + + labels: {} + + ## Override ingress to a different defined port on the service + # servicePort: 8081 + ## Override ingress to a different service then the default, this is useful if you need to + ## point to a specific instance of the alertmanager (eg kube-prometheus-stack-alertmanager-0) + # serviceName: kube-prometheus-stack-alertmanager-0 + + ## Hosts must be provided if Ingress is enabled. 
+ ## + hosts: [] + # - alertmanager.domain.com + + ## Paths to use for ingress rules - one path should match the alertmanagerSpec.routePrefix + ## + paths: [] + # - / + + ## For Kubernetes >= 1.18 you should specify the pathType (determines how Ingress paths should be matched) + ## See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types + # pathType: ImplementationSpecific + + ## TLS configuration for Alertmanager Ingress + ## Secret must be manually created in the namespace + ## + tls: [] + # - secretName: alertmanager-general-tls + # hosts: + # - alertmanager.example.com + + # -- BETA: Configure the gateway routes for the chart here. + # More routes can be added by adding a dictionary key like the 'main' route. + # Be aware that this is an early beta of this feature, + # kube-prometheus-stack does not guarantee this works and is subject to change. + # Being BETA this can/will change in the future without notice, do not use unless you want to take that risk + # [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2) + route: + main: + # -- Enables or disables the route + enabled: false + + # -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2 + apiVersion: gateway.networking.k8s.io/v1 + # -- Set the route kind + # Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute + kind: HTTPRoute + + annotations: {} + labels: {} + + hostnames: [] + # - my-filter.example.com + parentRefs: [] + # - name: acme-gw + + matches: + - path: + type: PathPrefix + value: / + + ## Filters define the filters that are applied to requests that match this rule. 
+ filters: [] + + ## Additional custom rules that can be added to the route + additionalRules: [] + + ## Configuration for Alertmanager secret + ## + secret: + annotations: {} + + ## Configuration for creating an Ingress that will map to each Alertmanager replica service + ## alertmanager.servicePerReplica must be enabled + ## + ingressPerReplica: + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + annotations: {} + labels: {} + + ## Final form of the hostname for each per replica ingress is + ## + ## Prefix for the per replica ingress that will have `-$replicaNumber` + ## appended to the end + hostPrefix: "" + ## Domain that will be used for the per replica ingress + hostDomain: "" + + ## Paths to use for ingress rules + ## + paths: [] + # - / + + ## For Kubernetes >= 1.18 you should specify the pathType (determines how Ingress paths should be matched) + ## See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types + # pathType: ImplementationSpecific + + ## Secret name containing the TLS certificate for alertmanager per replica ingress + ## Secret must be manually created in the namespace + tlsSecretName: "" + + ## Separated secret for each per replica Ingress. 
Can be used together with cert-manager + ## + tlsSecretPerReplica: + enabled: false + ## Final form of the secret for each per replica ingress is + ## + prefix: "alertmanager" + + ## Configuration for Alertmanager service + ## + service: + annotations: {} + labels: {} + clusterIP: "" + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## Port for Alertmanager Service to listen on + ## + port: 9093 + ## To be used with a proxy extraContainer port + ## + targetPort: 9093 + ## Port to expose on each node + ## Only used if service.type is 'NodePort' + ## + nodePort: 30903 + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + + ## Additional ports to open for Alertmanager service + ## + additionalPorts: [] + # - name: oauth-proxy + # port: 8081 + # targetPort: 8081 + # - name: oauth-metrics + # port: 8082 + # targetPort: 8082 + + externalIPs: [] + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## If you want to make sure that connections from a particular client are passed to the same Pod each time + ## Accepts 'ClientIP' or 'None' + ## + sessionAffinity: None + + ## If you want to modify the ClientIP sessionAffinity timeout + ## The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP" + ## + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + + ## Service type + ## + type: ClusterIP + + ## Configuration for creating a separate Service for each statefulset Alertmanager replica + ## + servicePerReplica: + enabled: false + annotations: {} + + ## Port for Alertmanager Service per replica to listen on + ## + port: 9093 + + ## To be used with a proxy extraContainer port + targetPort: 9093 + + ## Port to expose on each node + ## Only used if 
servicePerReplica.type is 'NodePort' + ## + nodePort: 30904 + + ## Loadbalancer source IP ranges + ## Only used if servicePerReplica.type is "LoadBalancer" + loadBalancerSourceRanges: [] + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## + type: ClusterIP + + ## Configuration for creating a ServiceMonitor for AlertManager + ## + serviceMonitor: + ## If true, a ServiceMonitor will be created for the AlertManager service. + ## + selfMonitor: true + + ## Scrape interval. If not set, the Prometheus default scrape interval is used. + ## + interval: "" + + ## Additional labels + ## + additionalLabels: {} + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + ## proxyUrl: URL of a proxy that should be used for scraping. + ## + proxyUrl: "" + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + ## enableHttp2: Whether to enable HTTP2. + ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint + enableHttp2: true + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. 
+ ## Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig + tlsConfig: {} + + bearerTokenFile: + + ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^()$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + ## Additional Endpoints + ## + additionalEndpoints: [] + # - port: oauth-metrics + # path: /metrics + + ## Settings affecting alertmanagerSpec + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#alertmanagerspec + ## + alertmanagerSpec: + ## Statefulset's persistent volume claim retention policy + ## whenDeleted and whenScaled determine whether + ## statefulset's PVCs are deleted (true) or retained (false) + ## on scaling down and deleting statefulset, respectively. + ## Requires Kubernetes version 1.27.0+. + ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + persistentVolumeClaimRetentionPolicy: {} + # whenDeleted: Retain + # whenScaled: Retain + + ## Standard object's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata + ## Metadata Labels and Annotations gets propagated to the Alertmanager pods. 
+ ## + podMetadata: {} + + ## Image of Alertmanager + ## + image: + registry: quay.io + repository: prometheus/alertmanager + tag: v0.28.0 + sha: "" + + ## If true then the user will be responsible to provide a secret with alertmanager configuration + ## So when true the config part will be ignored (including templateFiles) and the one in the secret will be used + ## + useExistingSecret: false + + ## Secrets is a list of Secrets in the same namespace as the Alertmanager object, which shall be mounted into the + ## Alertmanager Pods. The Secrets are mounted into /etc/alertmanager/secrets/. + ## + secrets: [] + + ## If false then the user will opt out of automounting API credentials. + ## + automountServiceAccountToken: true + + ## ConfigMaps is a list of ConfigMaps in the same namespace as the Alertmanager object, which shall be mounted into the Alertmanager Pods. + ## The ConfigMaps are mounted into /etc/alertmanager/configmaps/. + ## + configMaps: [] + + ## ConfigSecret is the name of a Kubernetes Secret in the same namespace as the Alertmanager object, which contains configuration for + ## this Alertmanager instance. Defaults to 'alertmanager-' The secret is mounted into /etc/alertmanager/config. + ## + # configSecret: + + ## WebTLSConfig defines the TLS parameters for HTTPS + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#alertmanagerwebspec + web: {} + + ## AlertmanagerConfigs to be selected to merge and configure Alertmanager with. 
+ ## + alertmanagerConfigSelector: {} + ## Example which selects all alertmanagerConfig resources + ## with label "alertconfig" with values any of "example-config" or "example-config-2" + # alertmanagerConfigSelector: + # matchExpressions: + # - key: alertconfig + # operator: In + # values: + # - example-config + # - example-config-2 + # + ## Example which selects all alertmanagerConfig resources with label "role" set to "example-config" + # alertmanagerConfigSelector: + # matchLabels: + # role: example-config + + ## Namespaces to be selected for AlertmanagerConfig discovery. If nil, only check own namespace. + ## + alertmanagerConfigNamespaceSelector: {} + ## Example which selects all namespaces + ## with label "alertmanagerconfig" with values any of "example-namespace" or "example-namespace-2" + # alertmanagerConfigNamespaceSelector: + # matchExpressions: + # - key: alertmanagerconfig + # operator: In + # values: + # - example-namespace + # - example-namespace-2 + + ## Example which selects all namespaces with label "alertmanagerconfig" set to "enabled" + # alertmanagerConfigNamespaceSelector: + # matchLabels: + # alertmanagerconfig: enabled + + ## AlermanagerConfig to be used as top level configuration + ## + alertmanagerConfiguration: {} + ## Example with select a global alertmanagerconfig + # alertmanagerConfiguration: + # name: global-alertmanager-Configuration + + ## Defines the strategy used by AlertmanagerConfig objects to match alerts. eg: + ## + alertmanagerConfigMatcherStrategy: {} + ## Example with use OnNamespace strategy + # alertmanagerConfigMatcherStrategy: + # type: OnNamespace + + ## Define Log Format + # Use logfmt (default) or json logging + logFormat: logfmt + + ## Log level for Alertmanager to be configured with. + ## + logLevel: info + + ## Size is the expected size of the alertmanager cluster. The controller will eventually make the size of the + ## running cluster equal to the expected size. 
+ replicas: 1 + + ## Time duration Alertmanager shall retain data for. Default is '120h', and must match the regular expression + ## [0-9]+(ms|s|m|h) (milliseconds seconds minutes hours). + ## + retention: 120h + + ## Storage is the definition of how storage will be used by the Alertmanager instances. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/storage.md + ## + storage: {} + # volumeClaimTemplate: + # spec: + # storageClassName: gluster + # accessModes: ["ReadWriteOnce"] + # resources: + # requests: + # storage: 50Gi + # selector: {} + + + ## The external URL the Alertmanager instances will be available under. This is necessary to generate correct URLs. This is necessary if Alertmanager is not served from root of a DNS name. string false + ## + externalUrl: + + ## The route prefix Alertmanager registers HTTP handlers for. This is useful, if using ExternalURL and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true, + ## but the server serves requests under a different route prefix. For example for use with kubectl proxy. + ## + routePrefix: / + + ## scheme: HTTP scheme to use. Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + ## tlsConfig: TLS configuration to use when connect to the endpoint. For example if using istio mTLS. + ## Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig + tlsConfig: {} + + ## If set to true all actions on the underlying managed objects are not going to be performed, except for delete actions. + ## + paused: false + + ## Define which Nodes the Pods are scheduled on. + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Define resources requests and limits for single Pods. 
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ # requests:
+ # memory: 400Mi
+
+ ## Pod anti-affinity can prevent the scheduler from placing Prometheus replicas on the same node.
+ ## The default value "soft" means that the scheduler should *prefer* to not schedule two replica pods onto the same node but no guarantee is provided.
+ ## The value "hard" means that the scheduler is *required* to not schedule two replica pods onto the same node.
+ ## The value "" will disable pod anti-affinity so that no anti-affinity rules will be configured.
+ ##
+ podAntiAffinity: "soft"
+
+ ## If anti-affinity is enabled sets the topologyKey to use for anti-affinity.
+ ## This can be changed to, for example, failure-domain.beta.kubernetes.io/zone
+ ##
+ podAntiAffinityTopologyKey: kubernetes.io/hostname
+
+ ## Assign custom affinity rules to the alertmanager instance
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ ##
+ affinity: {}
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: kubernetes.io/e2e-az-name
+ # operator: In
+ # values:
+ # - e2e-az1
+ # - e2e-az2
+
+ ## If specified, the pod's tolerations.
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ # - key: "key"
+ # operator: "Equal"
+ # value: "value"
+ # effect: "NoSchedule"
+
+ ## If specified, the pod's topology spread constraints.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ##
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: DoNotSchedule
+ # labelSelector:
+ # matchLabels:
+ # app: alertmanager
+
+ ## SecurityContext holds pod-level security attributes and common container settings.
+ ## This defaults to non root user with uid 1000 and gid 2000.
*v1.PodSecurityContext false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ##
+ securityContext:
+ runAsGroup: 2000
+ runAsNonRoot: true
+ runAsUser: 1000
+ fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+
+ ## ListenLocal makes the Alertmanager server listen on loopback, so that it does not bind against the Pod IP.
+ ## Note this is only for the Alertmanager UI, not the gossip communication.
+ ##
+ listenLocal: false
+
+ ## Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to an Alertmanager pod.
+ ##
+ containers: []
+ # containers:
+ # - name: oauth-proxy
+ # image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+ # args:
+ # - --upstream=http://127.0.0.1:9093
+ # - --http-address=0.0.0.0:8081
+ # - --metrics-address=0.0.0.0:8082
+ # - ...
+ # ports:
+ # - containerPort: 8081
+ # name: oauth-proxy
+ # protocol: TCP
+ # - containerPort: 8082
+ # name: oauth-metrics
+ # protocol: TCP
+ # resources: {}
+
+ # Additional volumes on the output StatefulSet definition.
+ volumes: []
+
+ # Additional VolumeMounts on the output StatefulSet definition.
+ volumeMounts: []
+
+ ## InitContainers allows injecting additional initContainers. This is meant to allow doing some changes
+ ## (permissions, dir tree) on mounted volumes before starting prometheus
+ initContainers: []
+
+ ## Priority class assigned to the Pods
+ ##
+ priorityClassName: ""
+
+ ## AdditionalPeers allows injecting a set of additional Alertmanagers to peer with to form a highly available cluster.
+ ##
+ additionalPeers: []
+
+ ## PortName to use for Alert Manager.
+ ##
+ portName: "http-web"
+
+ ## ClusterAdvertiseAddress is the explicit address to advertise in cluster. Needs to be provided for non RFC1918 [1] (public) addresses. [1] RFC1918: https://tools.ietf.org/html/rfc1918
+ ##
+ clusterAdvertiseAddress: false
+
+ ## clusterGossipInterval determines interval between gossip attempts.
+ ## Needs to be specified as GoDuration, a time duration that can be parsed by Go’s time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s)
+ clusterGossipInterval: ""
+
+ ## clusterPeerTimeout determines timeout for cluster peering.
+ ## Needs to be specified as GoDuration, a time duration that can be parsed by Go’s time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s)
+ clusterPeerTimeout: ""
+
+ ## clusterPushpullInterval determines interval between pushpull attempts.
+ ## Needs to be specified as GoDuration, a time duration that can be parsed by Go’s time.ParseDuration() (e.g. 45ms, 30s, 1m, 1h20m15s)
+ clusterPushpullInterval: ""
+
+ ## clusterLabel defines the identifier that uniquely identifies the Alertmanager cluster.
+ clusterLabel: ""
+
+ ## ForceEnableClusterMode ensures Alertmanager does not deactivate the cluster mode when running with a single replica.
+ ## Use case is e.g. spanning an Alertmanager cluster across Kubernetes clusters with a single replica in each.
+ forceEnableClusterMode: false
+
+ ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to
+ ## be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).
+ minReadySeconds: 0
+
+ ## Additional configuration which is not covered by the properties above. (passed through tpl)
+ additionalConfig: {}
+
+ ## Additional configuration which is not covered by the properties above.
+ ## Useful, if you need advanced templating inside alertmanagerSpec.
+ ## Otherwise, use alertmanager.alertmanagerSpec.additionalConfig (passed through tpl)
+ additionalConfigString: ""
+
+ ## ExtraSecret can be used to store various data in an extra secret
+ ## (use it for example to store hashed basic auth credentials)
+ extraSecret:
+ ## if not set, name will be auto generated
+ # name: ""
+ annotations: {}
+ data: {}
+ # auth: |
+ # foo:$apr1$OFG3Xybp$ckL0FHDAkoXYIlH9.cysT0
+ # someoneelse:$apr1$DMZX2Z4q$6SbQIfyuLQd.xmo/P0m2c.
+
+## Using default values from https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml
+##
+grafana:
+ enabled: true
+ namespaceOverride: ""
+
+ ## ForceDeployDatasources Create datasource configmap even if grafana deployment has been disabled
+ ##
+ forceDeployDatasources: false
+
+ ## ForceDeployDashboard Create dashboard configmap even if grafana deployment has been disabled
+ ##
+ forceDeployDashboards: false
+
+ ## Deploy default dashboards
+ ##
+ defaultDashboardsEnabled: true
+
+ ## Timezone for the default dashboards
+ ## Other options are: browser or a specific timezone, i.e. Europe/Luxembourg
+ ##
+ defaultDashboardsTimezone: browser
+
+ ## Editable flag for the default dashboards
+ ##
+ defaultDashboardsEditable: true
+
+ adminPassword: {{ .Values.globals.kubePrometheusStack.grafana.adminPassword }}
+
+ rbac:
+ ## If true, Grafana PSPs will be created
+ ##
+ pspEnabled: false
+
+ ingress:
+ ## If true, Grafana Ingress will be created
+ ##
+ enabled: true
+
+ ## IngressClassName for Grafana Ingress.
+ ## Should be provided if Ingress is enable.
+ ##
+ # ingressClassName: nginx
+
+ ## Annotations for Grafana Ingress
+ ##
+ annotations:
+ kubernetes.io/ingress.class: {{ .Values.globals.kubePrometheusStack.ingressClass }}
+ cert-manager.io/cluster-issuer: {{ .Values.globals.certs.issuerName }}
+
+ ## Labels to be added to the Ingress
+ ##
+ labels: {}
+
+ ## Hostnames.
+ ## Must be provided if Ingress is enable.
+ ##
+ # hosts:
+ # - grafana.domain.com
+ hosts:
+ {{- range .Values.globals.kubePrometheusStack.grafana.hosts }}
+ - {{ . }}
+ {{- end }}
+
+ ## Path for grafana ingress
+ path: /
+
+ ## TLS configuration for grafana Ingress
+ ## Secret must be manually created in the namespace
+ ##
+ tls:
+ {{- range .Values.globals.kubePrometheusStack.grafana.hosts }}
+ - secretName: {{ . }}-tls
+ hosts:
+ - {{ . }}
+ {{- end }}
+ # - secretName: grafana-general-tls
+ # hosts:
+ # - grafana.example.com
+
+ # # To make Grafana persistent (Using Statefulset)
+ # #
+ persistence:
+ enabled: true
+ type: sts
+ storageClassName: {{ .Values.globals.kubePrometheusStack.storageClass }}
+ accessModes:
+ - ReadWriteOnce
+ size: {{ .Values.globals.kubePrometheusStack.grafana.storageSize }}
+ finalizers:
+ - kubernetes.io/pvc-protection
+
+ serviceAccount:
+ create: true
+ autoMount: true
+
+ sidecar:
+ dashboards:
+ enabled: true
+ label: grafana_dashboard
+ labelValue: "1"
+ # Allow discovery in all namespaces for dashboards
+ searchNamespace: ALL
+
+ # Support for new table panels, when enabled grafana auto migrates the old table panels to newer table panels
+ enableNewTablePanelSyntax: false
+
+ ## Annotations for Grafana dashboard configmaps
+ ##
+ annotations: {}
+ multicluster:
+ global:
+ enabled: false
+ etcd:
+ enabled: false
+ provider:
+ allowUiUpdates: false
+ datasources:
+ enabled: true
+ defaultDatasourceEnabled: true
+ isDefaultDatasource: true
+
+ name: Prometheus
+ uid: prometheus
+
+ ## URL of prometheus datasource
+ ##
+ # url: http://prometheus-stack-prometheus:9090/
+
+ ## Prometheus request timeout in seconds
+ # timeout: 30
+
+ # If not defined, will use prometheus.prometheusSpec.scrapeInterval or its default
+ # defaultDatasourceScrapeInterval: 15s
+
+ ## Annotations for Grafana datasource configmaps
+ ##
+ annotations: {}
+
+ ## Set method for HTTP to send query to datasource
+ httpMethod: POST
+
+ ## Create datasource for each Pod of Prometheus StatefulSet;
+ ##
this uses headless service `prometheus-operated` which is
+ ## created by Prometheus Operator
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/0fee93e12dc7c2ea1218f19ae25ec6b893460590/pkg/prometheus/statefulset.go#L255-L286
+ createPrometheusReplicasDatasources: false
+ label: grafana_datasource
+ labelValue: "1"
+
+ ## Field with internal link pointing to existing data source in Grafana.
+ ## Can be provisioned via additionalDataSources
+ exemplarTraceIdDestinations: {}
+ # datasourceUid: Jaeger
+ # traceIdLabelName: trace_id
+ alertmanager:
+ enabled: true
+ name: Alertmanager
+ uid: alertmanager
+ handleGrafanaManagedAlerts: false
+ implementation: prometheus
+
+ extraConfigmapMounts: []
+ # - name: certs-configmap
+ # mountPath: /etc/grafana/ssl/
+ # configMap: certs-configmap
+ # readOnly: true
+
+ deleteDatasources: []
+ # - name: example-datasource
+ # orgId: 1
+
+ ## Configure additional grafana datasources (passed through tpl)
+ ## ref: http://docs.grafana.org/administration/provisioning/#datasources
+ additionalDataSources: []
+ # - name: prometheus-sample
+ # access: proxy
+ # basicAuth: true
+ # secureJsonData:
+ # basicAuthPassword: pass
+ # basicAuthUser: daco
+ # editable: false
+ # jsonData:
+ # tlsSkipVerify: true
+ # orgId: 1
+ # type: prometheus
+ # url: https://{{ printf "%s-prometheus.svc" .Release.Name }}:9090
+ # version: 1
+
+ # Flag to mark provisioned data sources for deletion if they are no longer configured.
+ # It takes no effect if data sources are already listed in the deleteDatasources section.
+ # ref: https://grafana.com/docs/grafana/latest/administration/provisioning/#example-data-source-config-file
+ prune: false
+
+ ## Passed to grafana subchart and used by servicemonitor below
+ ##
+ service:
+ portName: http-web
+ ipFamilies: []
+ ipFamilyPolicy: ""
+
+ serviceMonitor:
+ # If true, a ServiceMonitor CRD is created for a prometheus operator
+ # https://github.com/coreos/prometheus-operator
+ #
+ enabled: true
+
+ # Path to use for scraping metrics. Might be different if server.root_url is set
+ # in grafana.ini
+ path: "/metrics"
+
+ # namespace: monitoring (defaults to use the namespace this chart is deployed to)
+
+ # labels for the ServiceMonitor
+ labels: {}
+
+ # Scrape interval. If not set, the Prometheus default scrape interval is used.
+ #
+ interval: ""
+ scheme: http
+ tlsConfig: {}
+ scrapeTimeout: 30s
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+## Flag to disable all the kubernetes component scrapers
+##
+kubernetesServiceMonitors:
+ enabled: true
+
+## Component scraping the kube api server
+##
+kubeApiServer:
+ enabled: true
+ tlsConfig:
+ serverName: kubernetes
+ insecureSkipVerify: false
+ serviceMonitor:
+ ## Scrape interval. If not set, the Prometheus default scrape interval is used.
+ ##
+ interval: ""
+
+ ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted.
+ ##
+ sampleLimit: 0
+
+ ## TargetLimit defines a limit on the number of scraped targets that will be accepted.
+ ##
+ targetLimit: 0
+
+ ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelLimit: 0
+
+ ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelNameLengthLimit: 0
+
+ ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelValueLengthLimit: 0
+
+ ## proxyUrl: URL of a proxy that should be used for scraping.
+ ##
+ proxyUrl: ""
+
+ jobLabel: component
+ selector:
+ matchLabels:
+ component: apiserver
+ provider: kubernetes
+
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings:
+ # Drop excessively noisy apiserver buckets.
+ - action: drop
+ regex: (etcd_request|apiserver_request_slo|apiserver_request_sli|apiserver_request)_duration_seconds_bucket;(0\.15|0\.2|0\.3|0\.35|0\.4|0\.45|0\.6|0\.7|0\.8|0\.9|1\.25|1\.5|1\.75|2|3|3\.5|4|4\.5|6|7|8|9|15|20|30|40|45|50)(\.0)?
+ sourceLabels:
+ - __name__
+ - le
+ # - action: keep
+ # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+ # sourceLabels: [__name__]
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ # - sourceLabels:
+ # - __meta_kubernetes_namespace
+ # - __meta_kubernetes_service_name
+ # - __meta_kubernetes_endpoint_port_name
+ # action: keep
+ # regex: default;kubernetes;https
+ # - targetLabel: __address__
+ # replacement: kubernetes.default.svc:443
+
+ ## Additional labels
+ ##
+ additionalLabels: {}
+ # foo: bar
+
+ ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics.
+ ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor
+ targetLabels: []
+
+## Component scraping the kubelet and kubelet-hosted cAdvisor
+##
+kubelet:
+ enabled: true
+ namespace: kube-system
+
+ serviceMonitor:
+ ## Enable scraping /metrics from kubelet's service
+ kubelet: true
+
+ ## Attach metadata to discovered targets. Requires Prometheus v2.45 for endpoints created by the operator.
+ ##
+ attachMetadata:
+ node: false
+
+ ## Scrape interval. If not set, the Prometheus default scrape interval is used.
+ ##
+ interval: ""
+
+ ## If true, Prometheus use (respect) labels provided by exporter.
+ ##
+ honorLabels: true
+
+ ## If true, Prometheus ingests metrics with timestamp provided by exporter. If false, Prometheus ingests metrics with timestamp of scrape.
+ ##
+ honorTimestamps: true
+
+ ## If true, defines whether Prometheus tracks staleness of the metrics that have an explicit timestamp present in scraped data. Has no effect if `honorTimestamps` is false.
+ ## We recommend enabling this if you want the best possible accuracy for container_ metrics scraped from cadvisor.
+ ## For more details see: https://github.com/prometheus-community/helm-charts/pull/5063#issuecomment-2545374849
+ trackTimestampsStaleness: true
+
+ ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted.
+ ##
+ sampleLimit: 0
+
+ ## TargetLimit defines a limit on the number of scraped targets that will be accepted.
+ ##
+ targetLimit: 0
+
+ ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelLimit: 0
+
+ ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelNameLengthLimit: 0
+
+ ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelValueLengthLimit: 0
+
+ ## proxyUrl: URL of a proxy that should be used for scraping.
+ ##
+ proxyUrl: ""
+
+ ## Enable scraping the kubelet over https. For requirements to enable this see
+ ## https://github.com/prometheus-operator/prometheus-operator/issues/926
+ ##
+ https: true
+
+ ## Skip TLS certificate validation when scraping.
+ ## This is enabled by default because kubelet serving certificate deployed by kubeadm is by default self-signed
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs
+ ##
+ insecureSkipVerify: true
+
+ ## Enable scraping /metrics/probes from kubelet's service
+ ##
+ probes: true
+
+ ## Enable scraping /metrics/resource from kubelet's service
+ ## This is disabled by default because container metrics are already exposed by cAdvisor
+ ##
+ resource: false
+ # From kubernetes 1.18, /metrics/resource/v1alpha1 renamed to /metrics/resource
+ resourcePath: "/metrics/resource/v1alpha1"
+ ## Configure the scrape interval for resource metrics. This is configured to the default Kubelet cAdvisor
+ ## minimum housekeeping interval in order to avoid missing samples. Note, this value is ignored
+ ## if kubelet.serviceMonitor.interval is not empty.
+ resourceInterval: 10s
+
+ ## Enable scraping /metrics/cadvisor from kubelet's service
+ ##
+ cAdvisor: true
+ ## Configure the scrape interval for cAdvisor. This is configured to the default Kubelet cAdvisor
+ ## minimum housekeeping interval in order to avoid missing samples. Note, this value is ignored
+ ## if kubelet.serviceMonitor.interval is not empty.
+ cAdvisorInterval: 10s
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ cAdvisorMetricRelabelings:
+ # Drop less useful container CPU metrics.
+ - sourceLabels: [__name__]
+ action: drop
+ regex: 'container_cpu_(cfs_throttled_seconds_total|load_average_10s|system_seconds_total|user_seconds_total)'
+ # Drop less useful container / always zero filesystem metrics.
+ - sourceLabels: [__name__]
+ action: drop
+ regex: 'container_fs_(io_current|io_time_seconds_total|io_time_weighted_seconds_total|reads_merged_total|sector_reads_total|sector_writes_total|writes_merged_total)'
+ # Drop less useful / always zero container memory metrics.
+ - sourceLabels: [__name__]
+ action: drop
+ regex: 'container_memory_(mapped_file|swap)'
+ # Drop less useful container process metrics.
+ - sourceLabels: [__name__]
+ action: drop
+ regex: 'container_(file_descriptors|tasks_state|threads_max)'
+ # Drop container_memory_failures_total{scope="hierarchy"} metrics,
+ # we only need the container scope.
+ - sourceLabels: [__name__, scope]
+ action: drop
+ regex: 'container_memory_failures_total;hierarchy'
+ # Drop container_network_... metrics that match various interfaces that
+ # correspond to CNI and similar interfaces. This avoids capturing network
+ # metrics for host network containers.
+ - sourceLabels: [__name__, interface]
+ action: drop
+ regex: 'container_network_;(cali|cilium|cni|lxc|nodelocaldns|tunl)'
+ # Drop container spec metrics that overlap with kube-state-metrics.
+ - sourceLabels: [__name__]
+ action: drop
+ regex: 'container_spec'
+ # Drop cgroup metrics with no pod.
+ - sourceLabels: [id, pod]
+ action: drop
+ regex: '.+;'
+ # - sourceLabels: [__name__, image]
+ # separator: ;
+ # regex: container_([a-z_]+);
+ # replacement: $1
+ # action: drop
+ # - sourceLabels: [__name__]
+ # separator: ;
+ # regex: container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)
+ # replacement: $1
+ # action: drop
+
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ probesMetricRelabelings: []
+ # - sourceLabels: [__name__, image]
+ # separator: ;
+ # regex: container_([a-z_]+);
+ # replacement: $1
+ # action: drop
+ # - sourceLabels: [__name__]
+ # separator: ;
+ # regex: container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)
+ # replacement: $1
+ # action: drop
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ ## metrics_path is required to match upstream rules and charts
+ cAdvisorRelabelings:
+ - action: replace
+ sourceLabels: [__metrics_path__]
+ targetLabel: metrics_path
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ probesRelabelings:
+ - action: replace
+ sourceLabels: [__metrics_path__]
+ targetLabel: metrics_path
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ resourceRelabelings:
+ - action: replace
+ sourceLabels: [__metrics_path__]
+ targetLabel: metrics_path
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings:
+ # Reduce bucket cardinality of kubelet storage operations.
+ - action: drop
+ sourceLabels: [__name__, le]
+ regex: (csi_operations|storage_operation_duration)_seconds_bucket;(0.25|2.5|15|25|120|600)(\.0)?
+ # - sourceLabels: [__name__, image]
+ # separator: ;
+ # regex: container_([a-z_]+);
+ # replacement: $1
+ # action: drop
+ # - sourceLabels: [__name__]
+ # separator: ;
+ # regex: container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)
+ # replacement: $1
+ # action: drop
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ ## metrics_path is required to match upstream rules and charts
+ relabelings:
+ - action: replace
+ sourceLabels: [__metrics_path__]
+ targetLabel: metrics_path
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## Additional labels
+ ##
+ additionalLabels: {}
+ # foo: bar
+
+ ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics.
+ ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor
+ targetLabels: []
+
+## Component scraping the kube controller manager
+##
+kubeControllerManager:
+ enabled: true
+
+ ## If your kube controller manager is not deployed as a pod, specify IPs it can be found on
+ ##
+ endpoints: []
+ # - 10.141.4.22
+ # - 10.141.4.23
+ # - 10.141.4.24
+
+ ## If using kubeControllerManager.endpoints only the port and targetPort are used
+ ##
+ service:
+ enabled: true
+ ## If null or unset, the value is determined dynamically based on target Kubernetes version due to change
+ ## of default port in Kubernetes 1.22.
+ ##
+ port: null
+ targetPort: null
+ ipDualStack:
+ enabled: false
+ ipFamilies: ["IPv6", "IPv4"]
+ ipFamilyPolicy: "PreferDualStack"
+ # selector:
+ # component: kube-controller-manager
+
+ serviceMonitor:
+ enabled: true
+ ## Scrape interval. If not set, the Prometheus default scrape interval is used.
+ ##
+ interval: ""
+
+ ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted.
+ ##
+ sampleLimit: 0
+
+ ## TargetLimit defines a limit on the number of scraped targets that will be accepted.
+ ##
+ targetLimit: 0
+
+ ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelLimit: 0
+
+ ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelNameLengthLimit: 0
+
+ ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelValueLengthLimit: 0
+
+ ## proxyUrl: URL of a proxy that should be used for scraping.
+ ##
+ proxyUrl: ""
+
+ ## port: Name of the port the metrics will be scraped from
+ ##
+ port: http-metrics
+
+ jobLabel: jobLabel
+ selector: {}
+ # matchLabels:
+ # component: kube-controller-manager
+
+ ## Enable scraping kube-controller-manager over https.
+ ## Requires proper certs (not self-signed) and delegated authentication/authorization checks.
+ ## If null or unset, the value is determined dynamically based on target Kubernetes version.
+ ##
+ https: null
+
+ # Skip TLS certificate validation when scraping
+ insecureSkipVerify: null
+
+ # Name of the server to use when validating TLS certificate
+ serverName: null
+
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings: []
+ # - action: keep
+ # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+ # sourceLabels: [__name__]
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## Additional labels
+ ##
+ additionalLabels: {}
+ # foo: bar
+
+ ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics.
+ ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor
+ targetLabels: []
+
+## Component scraping coreDns. Use either this or kubeDns
+##
+coreDns:
+ enabled: true
+ service:
+ enabled: true
+ port: 9153
+ targetPort: 9153
+
+ ipDualStack:
+ enabled: false
+ ipFamilies: ["IPv6", "IPv4"]
+ ipFamilyPolicy: "PreferDualStack"
+ # selector:
+ # k8s-app: kube-dns
+ serviceMonitor:
+ enabled: true
+ ## Scrape interval.
If not set, the Prometheus default scrape interval is used.
+ ##
+ interval: ""
+
+ ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted.
+ ##
+ sampleLimit: 0
+
+ ## TargetLimit defines a limit on the number of scraped targets that will be accepted.
+ ##
+ targetLimit: 0
+
+ ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelLimit: 0
+
+ ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelNameLengthLimit: 0
+
+ ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelValueLengthLimit: 0
+
+ ## proxyUrl: URL of a proxy that should be used for scraping.
+ ##
+ proxyUrl: ""
+
+ ## port: Name of the port the metrics will be scraped from
+ ##
+ port: http-metrics
+
+ jobLabel: jobLabel
+ selector: {}
+ # matchLabels:
+ # k8s-app: kube-dns
+
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings: []
+ # - action: keep
+ # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+ # sourceLabels: [__name__]
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## Additional labels
+ ##
+ additionalLabels: {}
+ # foo: bar
+
+ ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics.
+ ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor
+ targetLabels: []
+
+## Component scraping kubeDns. Use either this or coreDns
+##
+kubeDns:
+ enabled: false
+ service:
+ dnsmasq:
+ port: 10054
+ targetPort: 10054
+ skydns:
+ port: 10055
+ targetPort: 10055
+ ipDualStack:
+ enabled: false
+ ipFamilies: ["IPv6", "IPv4"]
+ ipFamilyPolicy: "PreferDualStack"
+ # selector:
+ # k8s-app: kube-dns
+ serviceMonitor:
+ ## Scrape interval. If not set, the Prometheus default scrape interval is used.
+ ##
+ interval: ""
+
+ ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted.
+ ##
+ sampleLimit: 0
+
+ ## TargetLimit defines a limit on the number of scraped targets that will be accepted.
+ ##
+ targetLimit: 0
+
+ ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelLimit: 0
+
+ ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelNameLengthLimit: 0
+
+ ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
+ ##
+ labelValueLengthLimit: 0
+
+ ## proxyUrl: URL of a proxy that should be used for scraping.
+ ##
+ proxyUrl: ""
+
+ jobLabel: jobLabel
+ selector: {}
+ # matchLabels:
+ # k8s-app: kube-dns
+
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings: []
+ # - action: keep
+ # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+ # sourceLabels: [__name__]
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ dnsmasqMetricRelabelings: []
+ # - action: keep
+ # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+ # sourceLabels: [__name__]
+
+ ## RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+ ##
+ dnsmasqRelabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^()$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+ ## Additional labels
+ ##
+ additionalLabels: {}
+ # foo: bar
+
+ ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics.
+ ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor
+ targetLabels: []
+
+## Component scraping etcd
+##
+kubeEtcd:
+ enabled: true
+
+ ## If your etcd is not deployed as a pod, specify IPs it can be found on
+ ##
+ endpoints: []
+ # - 10.141.4.22
+ # - 10.141.4.23
+ # - 10.141.4.24
+
+ ## Etcd service.
If using kubeEtcd.endpoints only the port and targetPort are used + ## + service: + enabled: true + port: 2381 + targetPort: 2381 + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + # selector: + # component: etcd + + ## Configure secure access to the etcd cluster by loading a secret into prometheus and + ## specifying security configuration below. For example, with a secret named etcd-client-cert + ## + ## serviceMonitor: + ## scheme: https + ## insecureSkipVerify: false + ## serverName: localhost + ## caFile: /etc/prometheus/secrets/etcd-client-cert/etcd-ca + ## certFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client + ## keyFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client-key + ## + serviceMonitor: + enabled: true + ## Scrape interval. If not set, the Prometheus default scrape interval is used. + ## + interval: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + ## proxyUrl: URL of a proxy that should be used for scraping. 
+ ## + proxyUrl: "" + scheme: http + insecureSkipVerify: false + serverName: "" + caFile: "" + certFile: "" + keyFile: "" + + ## port: Name of the port the metrics will be scraped from + ## + port: http-metrics + + jobLabel: jobLabel + selector: {} + # matchLabels: + # component: etcd + + ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^()$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + ## Additional labels + ## + additionalLabels: {} + # foo: bar + + ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics. + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor + targetLabels: [] + +## Component scraping kube scheduler +## +kubeScheduler: + enabled: true + + ## If your kube scheduler is not deployed as a pod, specify IPs it can be found on + ## + endpoints: [] + # - 10.141.4.22 + # - 10.141.4.23 + # - 10.141.4.24 + + ## If using kubeScheduler.endpoints only the port and targetPort are used + ## + service: + enabled: true + ## If null or unset, the value is determined dynamically based on target Kubernetes version due to change + ## of default port in Kubernetes 1.23. 
+ ## + port: null + targetPort: null + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + # selector: + # component: kube-scheduler + + serviceMonitor: + enabled: true + ## Scrape interval. If not set, the Prometheus default scrape interval is used. + ## + interval: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + ## proxyUrl: URL of a proxy that should be used for scraping. + ## + proxyUrl: "" + ## Enable scraping kube-scheduler over https. + ## Requires proper certs (not self-signed) and delegated authentication/authorization checks. + ## If null or unset, the value is determined dynamically based on target Kubernetes version. + ## + https: null + + ## port: Name of the port the metrics will be scraped from + ## + port: http-metrics + + jobLabel: jobLabel + selector: {} + # matchLabels: + # component: kube-scheduler + + ## Skip TLS certificate validation when scraping + insecureSkipVerify: null + + ## Name of the server to use when validating TLS certificate + serverName: null + + ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion. 
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^()$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + ## Additional labels + ## + additionalLabels: {} + # foo: bar + + ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics. + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor + targetLabels: [] + +## Component scraping kube proxy +## +kubeProxy: + enabled: true + + ## If your kube proxy is not deployed as a pod, specify IPs it can be found on + ## + endpoints: [] + # - 10.141.4.22 + # - 10.141.4.23 + # - 10.141.4.24 + + service: + enabled: true + port: 10249 + targetPort: 10249 + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + # selector: + # k8s-app: kube-proxy + + serviceMonitor: + enabled: true + ## Scrape interval. If not set, the Prometheus default scrape interval is used. + ## + interval: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. 
Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + ## proxyUrl: URL of a proxy that should be used for scraping. + ## + proxyUrl: "" + + ## port: Name of the port the metrics will be scraped from + ## + port: http-metrics + + jobLabel: jobLabel + selector: {} + # matchLabels: + # k8s-app: kube-proxy + + ## Enable scraping kube-proxy over https. + ## Requires proper certs (not self-signed) and delegated authentication/authorization checks + ## + https: false + + ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + relabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## Additional labels + ## + additionalLabels: {} + # foo: bar + + ## defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics. + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor + targetLabels: [] + +## Component scraping kube state metrics +## +kubeStateMetrics: + enabled: true + +## Configuration for kube-state-metrics subchart +## +kube-state-metrics: + namespaceOverride: "" + rbac: + create: true + releaseLabel: true + prometheus: + monitor: + enabled: true + + ## Scrape interval. 
If not set, the Prometheus default scrape interval is used. + ## + interval: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + ## Scrape Timeout. If not set, the Prometheus default scrape timeout is used. + ## + scrapeTimeout: "" + + ## proxyUrl: URL of a proxy that should be used for scraping. + ## + proxyUrl: "" + + # Keep labels from scraped data, overriding server-side labels + ## + honorLabels: true + + ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion. 
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^()$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + selfMonitor: + enabled: false + +## Deploy node exporter as a daemonset to all nodes +## +nodeExporter: + enabled: true + operatingSystems: + linux: + enabled: true + aix: + enabled: true + darwin: + enabled: true + + ## ForceDeployDashboard Create dashboard configmap even if nodeExporter deployment has been disabled + ## + forceDeployDashboards: false + +## Configuration for prometheus-node-exporter subchart +## +prometheus-node-exporter: + namespaceOverride: "" + podLabels: + ## Add the 'node-exporter' label to be used by serviceMonitor to match standard common usage in rules and grafana dashboards + ## + jobLabel: node-exporter + releaseLabel: true + extraArgs: + - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/) + - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ + service: + portName: http-metrics + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + labels: + jobLabel: node-exporter + + prometheus: + monitor: + enabled: true + + jobLabel: jobLabel + + ## Scrape interval. If not set, the Prometheus default scrape interval is used. 
+ ## + interval: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + ## How long until a scrape request times out. If not set, the Prometheus default scape timeout is used. + ## + scrapeTimeout: "" + + ## proxyUrl: URL of a proxy that should be used for scraping. + ## + proxyUrl: "" + + ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + # - sourceLabels: [__name__] + # separator: ; + # regex: ^node_mountstats_nfs_(event|operations|transport)_.+ + # replacement: $1 + # action: drop + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^()$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + ## Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above. 
+ ## + # attachMetadata: + # node: false + + rbac: + ## If true, create PSPs for node-exporter + ## + pspEnabled: false + +## Manages Prometheus and Alertmanager components +## +prometheusOperator: + enabled: true + + fullnameOverride: "" + + ## Number of old replicasets to retain ## + ## The default value is 10, 0 will garbage-collect old replicasets ## + revisionHistoryLimit: 10 + + ## Strategy of the deployment + ## + strategy: {} + + ## Prometheus-Operator v0.39.0 and later support TLS natively. + ## + tls: + enabled: true + # Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants + tlsMinVersion: VersionTLS13 + # The default webhook port is 10250 in order to work out-of-the-box in GKE private clusters and avoid adding firewall rules. + internalPort: 10250 + + ## Liveness probe for the prometheusOperator deployment + ## + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ## Readiness probe for the prometheusOperator deployment + ## + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + ## Admission webhook support for PrometheusRules resources added in Prometheus Operator 0.30 can be enabled to prevent incorrectly formatted + ## rules from making their way into prometheus and potentially preventing the container from starting + admissionWebhooks: + ## Valid values: Fail, Ignore, IgnoreOnInstallOnly + ## IgnoreOnInstallOnly - If Release.IsInstall returns "true", set "Ignore" otherwise "Fail" + failurePolicy: "" + ## The default timeoutSeconds is 10 and the maximum value is 30. + timeoutSeconds: 10 + enabled: true + ## A PEM encoded CA bundle which will be used to validate the webhook's server certificate. + ## If unspecified, system trust roots on the apiserver are used. 
+ caBundle: "" + ## If enabled, generate a self-signed certificate, then patch the webhook configurations with the generated data. + ## On chart upgrades (or if the secret exists) the cert will not be re-generated. You can use this to provide your own + ## certs ahead of time if you wish. + ## + annotations: {} + # argocd.argoproj.io/hook: PreSync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + + namespaceSelector: {} + objectSelector: {} + + mutatingWebhookConfiguration: + annotations: {} + # argocd.argoproj.io/hook: PreSync + + validatingWebhookConfiguration: + annotations: {} + # argocd.argoproj.io/hook: PreSync + + deployment: + enabled: false + + ## Number of replicas + ## + replicas: 1 + + ## Strategy of the deployment + ## + strategy: {} + + # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 1 + + ## Number of old replicasets to retain ## + ## The default value is 10, 0 will garbage-collect old replicasets ## + revisionHistoryLimit: 10 + + ## Prometheus-Operator v0.39.0 and later support TLS natively. + ## + tls: + enabled: true + # Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants + tlsMinVersion: VersionTLS13 + # The default webhook port is 10250 in order to work out-of-the-box in GKE private clusters and avoid adding firewall rules. + internalPort: 10250 + + ## Service account for Prometheus Operator Webhook to use. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + annotations: {} + automountServiceAccountToken: false + create: true + name: "" + + ## Configuration for Prometheus operator Webhook service + ## + service: + annotations: {} + labels: {} + clusterIP: "" + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## Port to expose on each node + ## Only used if service.type is 'NodePort' + ## + nodePort: 31080 + + nodePortTls: 31443 + + ## Additional ports to open for Prometheus operator Webhook service + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services + ## + additionalPorts: [] + + ## Loadbalancer IP + ## Only use if service.type is "LoadBalancer" + ## + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## NodePort, ClusterIP, LoadBalancer + ## + type: ClusterIP + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # ## Labels to add to the operator webhook deployment + # ## + labels: {} + + ## Annotations to add to the operator webhook deployment + ## + annotations: {} + + ## Labels to add to the operator webhook pod + ## + podLabels: {} + + ## Annotations to add to the operator webhook pod + ## + podAnnotations: {} + + ## Assign a PriorityClassName to pods if set + # priorityClassName: "" + + ## Define Log Format + # Use logfmt (default) or json logging + # logFormat: logfmt + + ## Decrease log verbosity to errors only + # logLevel: error + + ## Prometheus-operator webhook image + ## + image: + registry: quay.io + repository: prometheus-operator/admission-webhook + # if not set appVersion field from Chart.yaml is used + tag: 
"" + sha: "" + pullPolicy: IfNotPresent + + ## Define Log Format + # Use logfmt (default) or json logging + # logFormat: logfmt + + ## Decrease log verbosity to errors only + # logLevel: error + + + ## Liveness probe + ## + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + ## Readiness probe + ## + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + ## Resource limits & requests + ## + resources: {} + # limits: + # cpu: 200m + # memory: 200Mi + # requests: + # cpu: 100m + # memory: 100Mi + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + ## Define which Nodes the Pods are scheduled on. + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for use with node taints + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + + ## Assign custom affinity rules to the prometheus operator + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + affinity: {} + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/e2e-az-name + # operator: In + # values: + # - e2e-az1 + # - e2e-az2 + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: 
RuntimeDefault + + ## Container-specific security context configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + + ## If false then the user will opt out of automounting API credentials. + ## + automountServiceAccountToken: true + + patch: + enabled: true + image: + registry: registry.k8s.io + repository: ingress-nginx/kube-webhook-certgen + tag: v1.5.1 # latest tag: https://github.com/kubernetes/ingress-nginx/blob/main/images/kube-webhook-certgen/TAG + sha: "" + pullPolicy: IfNotPresent + resources: {} + ## Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + ttlSecondsAfterFinished: 60 + annotations: {} + # argocd.argoproj.io/hook: PreSync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + podAnnotations: {} + nodeSelector: {} + affinity: {} + tolerations: [] + + ## SecurityContext holds pod-level security attributes and common container settings. + ## This defaults to non root user with uid 2000 and gid 2000. *v1.PodSecurityContext false + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + runAsGroup: 2000 + runAsNonRoot: true + runAsUser: 2000 + seccompProfile: + type: RuntimeDefault + ## Service account for Prometheus Operator Webhook Job Patch to use. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + create: true + annotations: {} + automountServiceAccountToken: true + + # Security context for create job container + createSecretJob: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + + # Security context for patch job container + patchWebhookJob: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + + # Use certmanager to generate webhook certs + certManager: + enabled: false + # self-signed root certificate + rootCert: + duration: "" # default to be 5y + admissionCert: + duration: "" # default to be 1y + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" + + ## Namespaces to scope the interaction of the Prometheus Operator and the apiserver (allow list). + ## This is mutually exclusive with denyNamespaces. Setting this to an empty object will disable the configuration + ## + namespaces: {} + # releaseNamespace: true + # additional: + # - kube-system + + ## Namespaces not to scope the interaction of the Prometheus Operator (deny list). + ## + denyNamespaces: [] + + ## Filter namespaces to look for prometheus-operator custom resources + ## + alertmanagerInstanceNamespaces: [] + alertmanagerConfigNamespaces: [] + prometheusInstanceNamespaces: [] + thanosRulerInstanceNamespaces: [] + + ## The clusterDomain value will be added to the cluster.peer option of the alertmanager. + ## Without this specified option cluster.peer will have value alertmanager-monitoring-alertmanager-0.alertmanager-operated:9094 (default value) + ## With this specified option cluster.peer will have value alertmanager-monitoring-alertmanager-0.alertmanager-operated.namespace.svc.cluster-domain:9094 + ## + # clusterDomain: "cluster.local" + + networkPolicy: + ## Enable creation of NetworkPolicy resources. 
+ ## + enabled: false + + ## Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + # cilium: + # egress: + + ## match labels used in selector + # matchLabels: {} + + ## Service account for Prometheus Operator to use. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + annotations: {} + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + # -- Specify lifecycle hooks for the controller + lifecycle: {} + ## Configuration for Prometheus operator service + ## + service: + annotations: {} + labels: {} + clusterIP: "" + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## Port to expose on each node + ## Only used if service.type is 'NodePort' + ## + nodePort: 30080 + + nodePortTls: 30443 + + ## Additional ports to open for Prometheus operator service + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services + ## + additionalPorts: [] + + ## Loadbalancer IP + ## Only use if service.type is "LoadBalancer" + ## + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## NodePort, ClusterIP, LoadBalancer + ## + type: ClusterIP + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # ## Labels to add to the operator deployment + # ## + labels: {} + + ## Annotations to add to the operator deployment + ## + annotations: {} + + ## Labels to add to the operator pod + ## + podLabels: {} + + ## Annotations to add to 
the operator pod + ## + podAnnotations: {} + + ## Assign a PriorityClassName to pods if set + # priorityClassName: "" + + ## Define Log Format + # Use logfmt (default) or json logging + # logFormat: logfmt + + ## Decrease log verbosity to errors only + # logLevel: error + + kubeletService: + ## If true, the operator will create and maintain a service for scraping kubelets + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/helm/prometheus-operator/README.md + ## + enabled: true + namespace: kube-system + selector: "" + name: "" + + ## Create Endpoints objects for kubelet targets. + kubeletEndpointsEnabled: true + ## Create EndpointSlice objects for kubelet targets. + kubeletEndpointSliceEnabled: false + + ## Extra arguments to pass to prometheusOperator + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/operator.md + extraArgs: [] + # - --labels="cluster=talos-cluster" + + ## Create a servicemonitor for the operator + ## + serviceMonitor: + ## If true, create a serviceMonitor for prometheus operator + ## + selfMonitor: true + + ## Labels for ServiceMonitor + additionalLabels: {} + + ## Scrape interval. If not set, the Prometheus default scrape interval is used. + ## + interval: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. 
+ ## + labelValueLengthLimit: 0 + + ## Scrape timeout. If not set, the Prometheus default scrape timeout is used. + scrapeTimeout: "" + + ## Metric relabel configs to apply to samples before ingestion. + ## + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. + ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^()$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + ## Resource limits & requests + ## + resources: {} + # limits: + # cpu: 200m + # memory: 200Mi + # requests: + # cpu: 100m + # memory: 100Mi + + ## Operator Environment + ## env: + ## VARIABLE: value + env: + GOGC: "30" + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + ## Define which Nodes the Pods are scheduled on. 
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for use with node taints + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + + ## Assign custom affinity rules to the prometheus operator + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + affinity: {} + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/e2e-az-name + # operator: In + # values: + # - e2e-az1 + # - e2e-az2 + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + + ## Container-specific security context configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + + # Enable vertical pod autoscaler support for prometheus-operator + verticalPodAutoscaler: + enabled: false + + # Recommender responsible for generating recommendation for the object. + # List should be empty (then the default recommender will generate the recommendation) + # or contain exactly one recommender. + # recommenders: + # - name: custom-recommender-performance + + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + # Specifies which resource values should be controlled: RequestsOnly or RequestsAndLimits. 
+ # controlledValues: RequestsAndLimits + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + updatePolicy: + # Specifies minimal number of replicas which need to be alive for VPA Updater to attempt pod eviction + # minReplicas: 1 + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + updateMode: Auto + + ## Prometheus-operator image + ## + image: + registry: quay.io + repository: prometheus-operator/prometheus-operator + # if not set appVersion field from Chart.yaml is used + tag: "" + sha: "" + pullPolicy: IfNotPresent + + ## Prometheus image to use for prometheuses managed by the operator + ## + # prometheusDefaultBaseImage: prometheus/prometheus + + ## Prometheus image registry to use for prometheuses managed by the operator + ## + # prometheusDefaultBaseImageRegistry: quay.io + + ## Alertmanager image to use for alertmanagers managed by the operator + ## + # alertmanagerDefaultBaseImage: prometheus/alertmanager + + ## Alertmanager image registry to use for alertmanagers managed by the operator + ## + # alertmanagerDefaultBaseImageRegistry: quay.io + + ## Prometheus-config-reloader + ## + prometheusConfigReloader: + image: + registry: quay.io + repository: prometheus-operator/prometheus-config-reloader + # if not set appVersion field from Chart.yaml is used + tag: "" + sha: "" + + # add prometheus config reloader liveness and readiness probe. 
Default: false + enableProbe: false + + # resource config for prometheusConfigReloader + resources: {} + # requests: + # cpu: 200m + # memory: 50Mi + # limits: + # cpu: 200m + # memory: 50Mi + + ## Thanos side-car image when configured + ## + thanosImage: + registry: quay.io + repository: thanos/thanos + tag: v0.37.2 + sha: "" + + ## Set a Label Selector to filter watched prometheus and prometheusAgent + ## + prometheusInstanceSelector: "" + + ## Set a Label Selector to filter watched alertmanager + ## + alertmanagerInstanceSelector: "" + + ## Set a Label Selector to filter watched thanosRuler + thanosRulerInstanceSelector: "" + + ## Set a Field Selector to filter watched secrets + ## + secretFieldSelector: "type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1" + + ## If false then the user will opt out of automounting API credentials. + ## + automountServiceAccountToken: true + + ## Additional volumes + ## + extraVolumes: [] + + ## Additional volume mounts + ## + extraVolumeMounts: [] + +## Deploy a Prometheus instance +## +prometheus: + enabled: true + + ## Toggle prometheus into agent mode + ## Note many of features described below (e.g. rules, query, alerting, remote read, thanos) will not work in agent mode. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/designs/prometheus-agent.md + ## + agentMode: false + + ## Annotations for Prometheus + ## + annotations: {} + + ## Configure network policy for the prometheus + networkPolicy: + enabled: false + + ## Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + # cilium: + # endpointSelector: + # egress: + # ingress: + + # egress: + # - {} + # ingress: + # - {} + # podSelector: + # matchLabels: + # app: prometheus + + ## Service account for Prometheuses to use. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + create: true + name: "" + annotations: {} + automountServiceAccountToken: true + + # Service for thanos service discovery on sidecar + # Enable this can make Thanos Query can use + # `--store=dnssrv+_grpc._tcp.${kube-prometheus-stack.fullname}-thanos-discovery.${namespace}.svc.cluster.local` to discovery + # Thanos sidecar on prometheus nodes + # (Please remember to change ${kube-prometheus-stack.fullname} and ${namespace}. Not just copy and paste!) + thanosService: + enabled: false + annotations: {} + labels: {} + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## + type: ClusterIP + + ## Service dual stack + ## + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## gRPC port config + portName: grpc + port: 10901 + targetPort: "grpc" + + ## HTTP port config (for metrics) + httpPortName: http + httpPort: 10902 + targetHttpPort: "http" + + ## ClusterIP to assign + # Default is to make this a headless service ("None") + clusterIP: "None" + + ## Port to expose on each node, if service type is NodePort + ## + nodePort: 30901 + httpNodePort: 30902 + + # ServiceMonitor to scrape Sidecar metrics + # Needs thanosService to be enabled as well + thanosServiceMonitor: + enabled: false + interval: "" + + ## Additional labels + ## + additionalLabels: {} + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. + ## Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig + tlsConfig: {} + + bearerTokenFile: + + ## Metric relabel configs to apply to samples before ingestion. 
+ metricRelabelings: [] + + ## relabel configs to apply to samples before ingestion. + relabelings: [] + + # Service for external access to sidecar + # Enabling this creates a service to expose thanos-sidecar outside the cluster. + thanosServiceExternal: + enabled: false + annotations: {} + labels: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + ## gRPC port config + portName: grpc + port: 10901 + targetPort: "grpc" + + ## HTTP port config (for metrics) + httpPortName: http + httpPort: 10902 + targetHttpPort: "http" + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## + type: LoadBalancer + + ## Port to expose on each node + ## + nodePort: 30901 + httpNodePort: 30902 + + ## Configuration for Prometheus service + ## + service: + annotations: {} + labels: {} + clusterIP: "" + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## Port for Prometheus Service to listen on + ## + port: 9090 + + ## To be used with a proxy extraContainer port + targetPort: 9090 + + ## Port for Prometheus Reloader to listen on + ## + reloaderWebPort: 8080 + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + ## Port to expose on each node + ## Only used if service.type is 'NodePort' + ## + nodePort: 30090 + + ## Loadbalancer IP + ## Only use if service.type is "LoadBalancer" + loadBalancerIP: "" + loadBalancerSourceRanges: [] + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## + type: ClusterIP + + ## Additional ports to open for Prometheus service + ## + additionalPorts: [] + # additionalPorts: + # - name: oauth-proxy + # port: 8081 + # targetPort: 8081 + # - name: oauth-metrics + 
# port: 8082 + # targetPort: 8082 + + ## Consider that all endpoints are considered "ready" even if the Pods themselves are not + ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec + publishNotReadyAddresses: false + + ## If you want to make sure that connections from a particular client are passed to the same Pod each time + ## Accepts 'ClientIP' or 'None' + ## + sessionAffinity: None + + ## If you want to modify the ClientIP sessionAffinity timeout + ## The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP" + ## + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + + ## Configuration for creating a separate Service for each statefulset Prometheus replica + ## + servicePerReplica: + enabled: false + annotations: {} + + ## Port for Prometheus Service per replica to listen on + ## + port: 9090 + + ## To be used with a proxy extraContainer port + targetPort: 9090 + + ## Port to expose on each node + ## Only used if servicePerReplica.type is 'NodePort' + ## + nodePort: 30091 + + ## Loadbalancer source IP ranges + ## Only used if servicePerReplica.type is "LoadBalancer" + loadBalancerSourceRanges: [] + + ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + ## + externalTrafficPolicy: Cluster + + ## Service type + ## + type: ClusterIP + + ## Service dual stack + ## + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## Configure pod disruption budgets for Prometheus + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget + ## + podDisruptionBudget: + enabled: false + minAvailable: 1 + maxUnavailable: "" + + # Ingress exposes thanos sidecar outside the cluster + thanosIngress: + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See 
https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + annotations: {} + labels: {} + servicePort: 10901 + + ## Port to expose on each node + ## Only used if service.type is 'NodePort' + ## + nodePort: 30901 + + ## Hosts must be provided if Ingress is enabled. + ## + hosts: [] + # - thanos-gateway.domain.com + + ## Paths to use for ingress rules + ## + paths: [] + # - / + + ## For Kubernetes >= 1.18 you should specify the pathType (determines how Ingress paths should be matched) + ## See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types + # pathType: ImplementationSpecific + + ## TLS configuration for Thanos Ingress + ## Secret must be manually created in the namespace + ## + tls: [] + # - secretName: thanos-gateway-tls + # hosts: + # - thanos-gateway.domain.com + # + + ## ExtraSecret can be used to store various data in an extra secret + ## (use it for example to store hashed basic auth credentials) + extraSecret: + ## if not set, name will be auto generated + # name: "" + annotations: {} + data: {} + # auth: | + # foo:$apr1$OFG3Xybp$ckL0FHDAkoXYIlH9.cysT0 + # someoneelse:$apr1$DMZX2Z4q$6SbQIfyuLQd.xmo/P0m2c. + + ingress: + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + annotations: {} + labels: {} + + ## Redirect ingress to an additional defined port on the service + # servicePort: 8081 + + ## Hostnames. + ## Must be provided if Ingress is enabled. 
+ ## + # hosts: + # - prometheus.domain.com + hosts: [] + + ## Paths to use for ingress rules - one path should match the prometheusSpec.routePrefix + ## + paths: [] + # - / + + ## For Kubernetes >= 1.18 you should specify the pathType (determines how Ingress paths should be matched) + ## See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types + # pathType: ImplementationSpecific + + ## TLS configuration for Prometheus Ingress + ## Secret must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-general-tls + # hosts: + # - prometheus.example.com + + # -- BETA: Configure the gateway routes for the chart here. + # More routes can be added by adding a dictionary key like the 'main' route. + # Be aware that this is an early beta of this feature, + # kube-prometheus-stack does not guarantee this works and is subject to change. + # Being BETA this can/will change in the future without notice, do not use unless you want to take that risk + # [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2) + route: + main: + # -- Enables or disables the route + enabled: false + + # -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2 + apiVersion: gateway.networking.k8s.io/v1 + # -- Set the route kind + # Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute + kind: HTTPRoute + + annotations: {} + labels: {} + + hostnames: [] + # - my-filter.example.com + parentRefs: [] + # - name: acme-gw + + matches: + - path: + type: PathPrefix + value: / + + ## Filters define the filters that are applied to requests that match this rule. 
+ filters: [] + + ## Additional custom rules that can be added to the route + additionalRules: [] + + ## Configuration for creating an Ingress that will map to each Prometheus replica service + ## prometheus.servicePerReplica must be enabled + ## + ingressPerReplica: + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + annotations: {} + labels: {} + + ## Final form of the hostname for each per replica ingress is + ## + ## Prefix for the per replica ingress that will have `-$replicaNumber` + ## appended to the end + hostPrefix: "" + ## Domain that will be used for the per replica ingress + hostDomain: "" + + ## Paths to use for ingress rules + ## + paths: [] + # - / + + ## For Kubernetes >= 1.18 you should specify the pathType (determines how Ingress paths should be matched) + ## See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#better-path-matching-with-path-types + # pathType: ImplementationSpecific + + ## Secret name containing the TLS certificate for Prometheus per replica ingress + ## Secret must be manually created in the namespace + tlsSecretName: "" + + ## Separated secret for each per replica Ingress. Can be used together with cert-manager + ## + tlsSecretPerReplica: + enabled: false + ## Final form of the secret for each per replica ingress is + ## + prefix: "prometheus" + + ## Configure additional options for default pod security policy for Prometheus + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + podSecurityPolicy: + allowedCapabilities: [] + allowedHostPaths: [] + volumes: [] + + serviceMonitor: + ## If true, create a serviceMonitor for prometheus + ## + selfMonitor: true + + ## Scrape interval. If not set, the Prometheus default scrape interval is used. 
+ ## + interval: "" + + ## Additional labels + ## + additionalLabels: {} + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. + ## Of type: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#tlsconfig + tlsConfig: {} + + bearerTokenFile: + + ## Metric relabel configs to apply to samples before ingestion. + ## + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. 
+ ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^()$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + ## Additional Endpoints + ## + additionalEndpoints: [] + # - port: oauth-metrics + # path: /metrics + + ## Settings affecting prometheusSpec + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#prometheusspec + ## + prometheusSpec: + ## Statefulset's persistent volume claim retention policy + ## whenDeleted and whenScaled determine whether + ## statefulset's PVCs are deleted (true) or retained (false) + ## on scaling down and deleting statefulset, respectively. + ## Requires Kubernetes version 1.27.0+. + ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + persistentVolumeClaimRetentionPolicy: {} + # whenDeleted: Retain + # whenScaled: Retain + + ## If true, pass --storage.tsdb.max-block-duration=2h to prometheus. This is already done if using Thanos + ## + ## AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod, + ## If the field isn’t set, the operator mounts the service account token by default. + ## Warning: be aware that by default, Prometheus requires the service account token for Kubernetes service discovery, + ## It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container. 
+ automountServiceAccountToken: true + + disableCompaction: false + ## APIServerConfig + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#apiserverconfig + ## + apiserverConfig: {} + + ## Allows setting additional arguments for the Prometheus container + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.Prometheus + additionalArgs: [] + + ## Interval between consecutive scrapes. + ## Defaults to 30s. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/release-0.44/pkg/prometheus/promcfg.go#L180-L183 + ## + scrapeInterval: "" + + ## Number of seconds to wait for target to respond before erroring + ## + scrapeTimeout: "" + + ## List of scrape classes to expose to scraping objects such as + ## PodMonitors, ServiceMonitors, Probes and ScrapeConfigs. + ## + scrapeClasses: [] + # - name: istio-mtls + # default: false + # tlsConfig: + # caFile: /etc/prometheus/secrets/istio.default/root-cert.pem + # certFile: /etc/prometheus/secrets/istio.default/cert-chain.pem + + ## Interval between consecutive evaluations. + ## + evaluationInterval: "" + + ## ListenLocal makes the Prometheus server listen on loopback, so that it does not bind against the Pod IP. + ## + listenLocal: false + + ## EnableAdminAPI enables Prometheus the administrative HTTP API which includes functionality such as deleting time series. + ## This is disabled by default. + ## ref: https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis + ## + enableAdminAPI: false + + ## Sets version of Prometheus overriding the Prometheus version as derived + ## from the image tag. Useful in cases where the tag does not follow semver v2. 
+ version: "" + + ## WebTLSConfig defines the TLS parameters for HTTPS + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#webtlsconfig + web: {} + + ## Exemplars related settings that are runtime reloadable. + ## It requires to enable the exemplar storage feature to be effective. + exemplars: {} + ## Maximum number of exemplars stored in memory for all series. + ## If not set, Prometheus uses its default value. + ## A value of zero or less than zero disables the storage. + # maxSize: 100000 + + # EnableFeatures API enables access to Prometheus disabled features. + # ref: https://prometheus.io/docs/prometheus/latest/disabled_features/ + enableFeatures: [] + # - exemplar-storage + + ## Image of Prometheus. + ## + image: + registry: quay.io + repository: prometheus/prometheus + tag: v3.1.0 + sha: "" + + ## Tolerations for use with node taints + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + + ## If specified, the pod's topology spread constraints. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: prometheus + + ## Alertmanagers to which alerts will be sent + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#alertmanagerendpoints + ## + ## Default configuration will connect to the alertmanager deployed as part of this release + ## + alertingEndpoints: [] + # - name: "" + # namespace: "" + # port: http + # scheme: http + # pathPrefix: "" + # tlsConfig: {} + # bearerTokenFile: "" + # apiVersion: v2 + + ## External labels to add to any time series or alerts when communicating with external systems + ## + externalLabels: {} + + ## enable --web.enable-remote-write-receiver flag on prometheus-server + ## + enableRemoteWriteReceiver: false + + ## Name of the external label used to denote replica name + ## + replicaExternalLabelName: "" + + ## If true, the Operator won't add the external label used to denote replica name + ## + replicaExternalLabelNameClear: false + + ## Name of the external label used to denote Prometheus instance name + ## + prometheusExternalLabelName: "" + + ## If true, the Operator won't add the external label used to denote Prometheus instance name + ## + prometheusExternalLabelNameClear: false + + ## External URL at which Prometheus will be reachable. + ## + externalUrl: "" + + ## Define which Nodes the Pods are scheduled on. + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Secrets is a list of Secrets in the same namespace as the Prometheus object, which shall be mounted into the Prometheus Pods. + ## The Secrets are mounted into /etc/prometheus/secrets/. Secrets changes after initial creation of a Prometheus object are not + ## reflected in the running Pods. 
To change the secrets mounted into the Prometheus Pods, the object must be deleted and recreated + ## with the new list of secrets. + ## + secrets: [] + + ## ConfigMaps is a list of ConfigMaps in the same namespace as the Prometheus object, which shall be mounted into the Prometheus Pods. + ## The ConfigMaps are mounted into /etc/prometheus/configmaps/. + ## + configMaps: [] + + ## QuerySpec defines the query command line flags when starting Prometheus. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#queryspec + ## + query: {} + + ## If nil, select own namespace. Namespaces to be selected for PrometheusRules discovery. + ruleNamespaceSelector: {} + ## Example which selects PrometheusRules in namespaces with label "prometheus" set to "somelabel" + # ruleNamespaceSelector: + # matchLabels: + # prometheus: somelabel + + ## If true, a nil or {} value for prometheus.prometheusSpec.ruleSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the PrometheusRule resources created + ## + ruleSelectorNilUsesHelmValues: true + + ## PrometheusRules to be selected for target discovery. 
+ ## If {}, select all PrometheusRules + ## + ruleSelector: {} + ## Example which select all PrometheusRules resources + ## with label "prometheus" with values any of "example-rules" or "example-rules-2" + # ruleSelector: + # matchExpressions: + # - key: prometheus + # operator: In + # values: + # - example-rules + # - example-rules-2 + # + ## Example which select all PrometheusRules resources with label "role" set to "example-rules" + # ruleSelector: + # matchLabels: + # role: example-rules + + ## If true, a nil or {} value for prometheus.prometheusSpec.serviceMonitorSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the servicemonitors created + ## + serviceMonitorSelectorNilUsesHelmValues: true + + ## ServiceMonitors to be selected for target discovery. + ## If {}, select all ServiceMonitors + ## + serviceMonitorSelector: {} + ## Example which selects ServiceMonitors with label "prometheus" set to "somelabel" + # serviceMonitorSelector: + # matchLabels: + # prometheus: somelabel + + ## Namespaces to be selected for ServiceMonitor discovery. + ## + serviceMonitorNamespaceSelector: {} + ## Example which selects ServiceMonitors in namespaces with label "prometheus" set to "somelabel" + # serviceMonitorNamespaceSelector: + # matchLabels: + # prometheus: somelabel + + ## If true, a nil or {} value for prometheus.prometheusSpec.podMonitorSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the podmonitors created + ## + podMonitorSelectorNilUsesHelmValues: true + + ## PodMonitors to be selected for target discovery. + ## If {}, select all PodMonitors + ## + podMonitorSelector: {} + ## Example which selects PodMonitors with label "prometheus" set to "somelabel" + # podMonitorSelector: + # matchLabels: + # prometheus: somelabel + + ## If nil, select own namespace. 
Namespaces to be selected for PodMonitor discovery. + podMonitorNamespaceSelector: {} + ## Example which selects PodMonitor in namespaces with label "prometheus" set to "somelabel" + # podMonitorNamespaceSelector: + # matchLabels: + # prometheus: somelabel + + ## If true, a nil or {} value for prometheus.prometheusSpec.probeSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the probes created + ## + probeSelectorNilUsesHelmValues: true + + ## Probes to be selected for target discovery. + ## If {}, select all Probes + ## + probeSelector: {} + ## Example which selects Probes with label "prometheus" set to "somelabel" + # probeSelector: + # matchLabels: + # prometheus: somelabel + + ## If nil, select own namespace. Namespaces to be selected for Probe discovery. + probeNamespaceSelector: {} + ## Example which selects Probe in namespaces with label "prometheus" set to "somelabel" + # probeNamespaceSelector: + # matchLabels: + # prometheus: somelabel + + ## If true, a nil or {} value for prometheus.prometheusSpec.scrapeConfigSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the scrapeConfigs created + ## + ## If null and scrapeConfigSelector is also null, exclude field from the prometheusSpec + ## (keeping downward compatibility with older versions of CRD) + ## + scrapeConfigSelectorNilUsesHelmValues: true + + ## scrapeConfigs to be selected for target discovery. + ## If {}, select all scrapeConfigs + ## + scrapeConfigSelector: {} + ## Example which selects scrapeConfigs with label "prometheus" set to "somelabel" + # scrapeConfigSelector: + # matchLabels: + # prometheus: somelabel + + ## If nil, select own namespace. Namespaces to be selected for scrapeConfig discovery. 
+ ## If null, exclude the field from the prometheusSpec (keeping downward compatibility with older versions of CRD) + scrapeConfigNamespaceSelector: {} + ## Example which selects scrapeConfig in namespaces with label "prometheus" set to "somelabel" + # scrapeConfigNamespaceSelector: + # matchLabels: + # prometheus: somelabel + + ## How long to retain metrics + ## + retention: 10d + + ## Maximum size of metrics + ## + retentionSize: "" + + ## Allow out-of-order/out-of-bounds samples ingested into Prometheus for a specified duration + ## See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tsdb + tsdb: + outOfOrderTimeWindow: 0s + + ## Enable compression of the write-ahead log using Snappy. + ## + walCompression: true + + ## If true, the Operator won't process any Prometheus configuration changes + ## + paused: false + + ## Number of replicas of each shard to deploy for a Prometheus deployment. + ## Number of replicas multiplied by shards is the total number of Pods created. + ## + replicas: 1 + + ## EXPERIMENTAL: Number of shards to distribute targets onto. + ## Number of replicas multiplied by shards is the total number of Pods created. + ## Note that scaling down shards will not reshard data onto remaining instances, it must be manually moved. + ## Increasing shards will not reshard data either but it will continue to be available from the same instances. + ## To query globally use Thanos sidecar and Thanos querier or remote write data to a central location. + ## Sharding is done on the content of the `__address__` target meta-label. + ## + shards: 1 + + ## Log level for Prometheus be configured in + ## + logLevel: info + + ## Log format for Prometheus be configured in + ## + logFormat: logfmt + + ## Prefix used to register routes, overriding externalUrl route. + ## Useful for proxies that rewrite URLs. + ## + routePrefix: / + + ## Standard object's metadata. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata + ## Metadata Labels and Annotations gets propagated to the prometheus pods. + ## + podMetadata: {} + # labels: + # app: prometheus + # k8s-app: prometheus + + ## Pod anti-affinity can prevent the scheduler from placing Prometheus replicas on the same node. + ## The default value "soft" means that the scheduler should *prefer* to not schedule two replica pods onto the same node but no guarantee is provided. + ## The value "hard" means that the scheduler is *required* to not schedule two replica pods onto the same node. + ## The value "" will disable pod anti-affinity so that no anti-affinity rules will be configured. + podAntiAffinity: "soft" + + ## If anti-affinity is enabled sets the topologyKey to use for anti-affinity. + ## This can be changed to, for example, failure-domain.beta.kubernetes.io/zone + ## + podAntiAffinityTopologyKey: kubernetes.io/hostname + + ## Assign custom affinity rules to the prometheus instance + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + affinity: {} + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/e2e-az-name + # operator: In + # values: + # - e2e-az1 + # - e2e-az2 + + ## The remote_read spec configuration for Prometheus. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#remotereadspec + remoteRead: [] + # - url: http://remote1/read + ## additionalRemoteRead is appended to remoteRead + additionalRemoteRead: [] + + ## The remote_write spec configuration for Prometheus. 
+ ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#remotewritespec + remoteWrite: [] + # - url: http://remote1/push + ## additionalRemoteWrite is appended to remoteWrite + additionalRemoteWrite: [] + + ## Enable/Disable Grafana dashboards provisioning for prometheus remote write feature + remoteWriteDashboards: false + + ## Resource limits & requests + ## + resources: {} + # requests: + # memory: 400Mi + + ## Prometheus StorageSpec for persistent data + storageSpec: + ## Using PersistentVolumeClaim + ## + volumeClaimTemplate: + spec: + storageClassName: {{ .Values.globals.kubePrometheusStack.storageClass }} + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: {{ .Values.globals.kubePrometheusStack.prometheus.storageSize }} + selector: {} + + ## Using tmpfs volume + ## + # emptyDir: + # medium: Memory + + # Additional volumes on the output StatefulSet definition. + volumes: [] + + # Additional VolumeMounts on the output StatefulSet definition. + volumeMounts: [] + + ## AdditionalScrapeConfigs allows specifying additional Prometheus scrape configurations. Scrape configurations + ## are appended to the configurations generated by the Prometheus Operator. Job configurations must have the form + ## as specified in the official Prometheus documentation: + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config. As scrape configs are + ## appended, the user is responsible to make sure it is valid. Note that using this feature may expose the possibility + ## to break upgrades of Prometheus. It is advised to review Prometheus release notes to ensure that no incompatible + ## scrape configs are going to break Prometheus after the upgrade. + ## AdditionalScrapeConfigs can be defined as a list or as a templated string. 
+ ## + ## The scrape configuration example below will find master nodes, provided they have the name mst, relabel the + ## port to 2379 and allow etcd scraping provided it is running on all Kubernetes master nodes + ## + additionalScrapeConfigs: [] + # - job_name: kube-etcd + # kubernetes_sd_configs: + # - role: node + # scheme: https + # tls_config: + # ca_file: /etc/prometheus/secrets/etcd-client-cert/etcd-ca + # cert_file: /etc/prometheus/secrets/etcd-client-cert/etcd-client + # key_file: /etc/prometheus/secrets/etcd-client-cert/etcd-client-key + # relabel_configs: + # - action: labelmap + # regex: __meta_kubernetes_node_label_(.+) + # - source_labels: [__address__] + # action: replace + # targetLabel: __address__ + # regex: ([^:;]+):(\d+) + # replacement: ${1}:2379 + # - source_labels: [__meta_kubernetes_node_name] + # action: keep + # regex: mst + # - source_labels: [__meta_kubernetes_node_name] + # action: replace + # targetLabel: node + # regex: () + # replacement: ${1} + # metric_relabel_configs: + # - regex: (kubernetes_io_hostname|failure_domain_beta_kubernetes_io_region|beta_kubernetes_io_os|beta_kubernetes_io_arch|beta_kubernetes_io_instance_type|failure_domain_beta_kubernetes_io_zone) + # action: labeldrop + # + ## If scrape config contains a repetitive section, you may want to use a template. + ## In the following example, you can see how to define `gce_sd_configs` for multiple zones + # additionalScrapeConfigs: | + # - job_name: "node-exporter" + # gce_sd_configs: + # relabel_configs: + # ... + + + ## If additional scrape configurations are already deployed in a single secret file you can use this section. + ## Expected values are the secret name and key + ## Cannot be used with additionalScrapeConfigs + additionalScrapeConfigsSecret: {} + # enabled: false + # name: + # key: + + ## additionalPrometheusSecretsAnnotations allows to add annotations to the kubernetes secret. 
This can be useful + ## when deploying via spinnaker to disable versioning on the secret, strategy.spinnaker.io/versioned: 'false' + additionalPrometheusSecretsAnnotations: {} + + ## AdditionalAlertManagerConfigs allows for manual configuration of alertmanager jobs in the form as specified + ## in the official Prometheus documentation https://prometheus.io/docs/prometheus/latest/configuration/configuration/#. + ## AlertManager configurations specified are appended to the configurations generated by the Prometheus Operator. + ## As AlertManager configs are appended, the user is responsible to make sure it is valid. Note that using this + ## feature may expose the possibility to break upgrades of Prometheus. It is advised to review Prometheus release + ## notes to ensure that no incompatible AlertManager configs are going to break Prometheus after the upgrade. + ## + additionalAlertManagerConfigs: [] + # - consul_sd_configs: + # - server: consul.dev.test:8500 + # scheme: http + # datacenter: dev + # tag_separator: ',' + # services: + # - metrics-prometheus-alertmanager + + ## If additional alertmanager configurations are already deployed in a single secret, or you want to manage + ## them separately from the helm deployment, you can use this section. + ## Expected values are the secret name and key + ## Cannot be used with additionalAlertManagerConfigs + additionalAlertManagerConfigsSecret: {} + # name: + # key: + # optional: false + + ## AdditionalAlertRelabelConfigs allows specifying Prometheus alert relabel configurations. Alert relabel configurations specified are appended + ## to the configurations generated by the Prometheus Operator. Alert relabel configurations specified must have the form as specified in the + ## official Prometheus documentation: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs. + ## As alert relabel configs are appended, the user is responsible to make sure it is valid. 
Note that using this feature may expose the + ## possibility to break upgrades of Prometheus. It is advised to review Prometheus release notes to ensure that no incompatible alert relabel + ## configs are going to break Prometheus after the upgrade. + ## + additionalAlertRelabelConfigs: [] + # - separator: ; + # regex: prometheus_replica + # replacement: $1 + # action: labeldrop + + ## If additional alert relabel configurations are already deployed in a single secret, or you want to manage + ## them separately from the helm deployment, you can use this section. + ## Expected values are the secret name and key + ## Cannot be used with additionalAlertRelabelConfigs + additionalAlertRelabelConfigsSecret: {} + # name: + # key: + + ## SecurityContext holds pod-level security attributes and common container settings. + ## This defaults to non root user with uid 1000 and gid 2000. + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md + ## + securityContext: + runAsGroup: 2000 + runAsNonRoot: true + runAsUser: 1000 + fsGroup: 2000 + seccompProfile: + type: RuntimeDefault + + ## Priority class assigned to the Pods + ## + priorityClassName: "" + + ## Thanos configuration allows configuring various aspects of a Prometheus server in a Thanos environment. + ## This section is experimental, it may change significantly without deprecation notice in any release. + ## This is experimental and may change significantly without backward compatibility in any release. + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#thanosspec + ## + thanos: {} + # secretProviderClass: + # provider: gcp + # parameters: + # secrets: | + # - resourceName: "projects/$PROJECT_ID/secrets/testsecret/versions/latest" + # fileName: "objstore.yaml" + ## ObjectStorageConfig configures object storage in Thanos. 
+ # objectStorageConfig: + # # use existing secret, if configured, objectStorageConfig.secret will not be used + # existingSecret: {} + # # name: "" + # # key: "" + # # will render objectStorageConfig secret data and configure it to be used by Thanos custom resource, + # # ignored when prometheusspec.thanos.objectStorageConfig.existingSecret is set + # # https://thanos.io/tip/thanos/storage.md/#s3 + # secret: {} + # # type: S3 + # # config: + # # bucket: "" + # # endpoint: "" + # # region: "" + # # access_key: "" + # # secret_key: "" + + ## Containers allows injecting additional containers. This is meant to allow adding an authentication proxy to a Prometheus pod. + ## if using proxy extraContainer update targetPort with proxy container port + containers: [] + # containers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1 + # args: + # - --upstream=http://127.0.0.1:9090 + # - --http-address=0.0.0.0:8081 + # - --metrics-address=0.0.0.0:8082 + # - ... + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # - containerPort: 8082 + # name: oauth-metrics + # protocol: TCP + # resources: {} + + ## InitContainers allows injecting additional initContainers. This is meant to allow doing some changes + ## (permissions, dir tree) on mounted volumes before starting prometheus + initContainers: [] + + ## PortName to use for Prometheus. + ## + portName: "http-web" + + ## ArbitraryFSAccessThroughSMs configures whether configuration based on a service monitor can access arbitrary files + ## on the file system of the Prometheus container e.g. bearer token files. + arbitraryFSAccessThroughSMs: false + + ## OverrideHonorLabels if set to true overrides all user configured honor_labels. If HonorLabels is set in ServiceMonitor + ## or PodMonitor to true, this overrides honor_labels to false. + overrideHonorLabels: false + + ## OverrideHonorTimestamps allows to globally enforce honoring timestamps in all scrape configs. 
+ overrideHonorTimestamps: false + + ## When ignoreNamespaceSelectors is set to true, namespaceSelector from all PodMonitor, ServiceMonitor and Probe objects will be ignored, + ## they will only discover targets within the namespace of the PodMonitor, ServiceMonitor and Probe object, + ## and servicemonitors will be installed in the default service namespace. + ## Defaults to false. + ignoreNamespaceSelectors: false + + ## EnforcedNamespaceLabel enforces adding a namespace label of origin for each alert and metric that is user created. + ## The label value will always be the namespace of the object that is being created. + ## Disabled by default + enforcedNamespaceLabel: "" + + ## PrometheusRulesExcludedFromEnforce - list of prometheus rules to be excluded from enforcing of adding namespace labels. + ## Works only if enforcedNamespaceLabel set to true. Make sure both ruleNamespace and ruleName are set for each pair + ## Deprecated, use `excludedFromEnforcement` instead + prometheusRulesExcludedFromEnforce: [] + + ## ExcludedFromEnforcement - list of object references to PodMonitor, ServiceMonitor, Probe and PrometheusRule objects + ## to be excluded from enforcing a namespace label of origin. + ## Works only if enforcedNamespaceLabel set to true. + ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#objectreference + excludedFromEnforcement: [] + + ## QueryLogFile specifies the file to which PromQL queries are logged. Note that this location must be writable, + ## and can be persisted using an attached volume. Alternatively, the location can be set to a stdout location such + ## as /dev/stdout to log querie information to the default Prometheus log stream. This is only available in versions + ## of Prometheus >= 2.16.0. For more details, see the Prometheus docs (https://prometheus.io/docs/guides/query-log/) + queryLogFile: false + + # Use to set global sample_limit for Prometheus. 
This act as default SampleLimit for ServiceMonitor or/and PodMonitor. + # Set to 'false' to disable global sample_limit. or set to a number to override the default value. + sampleLimit: false + + # EnforcedKeepDroppedTargetsLimit defines on the number of targets dropped by relabeling that will be kept in memory. + # The value overrides any spec.keepDroppedTargets set by ServiceMonitor, PodMonitor, Probe objects unless spec.keepDroppedTargets + # is greater than zero and less than spec.enforcedKeepDroppedTargets. 0 means no limit. + enforcedKeepDroppedTargets: 0 + + ## EnforcedSampleLimit defines global limit on number of scraped samples that will be accepted. This overrides any SampleLimit + ## set per ServiceMonitor or/and PodMonitor. It is meant to be used by admins to enforce the SampleLimit to keep overall + ## number of samples/series under the desired limit. Note that if SampleLimit is lower that value will be taken instead. + enforcedSampleLimit: false + + ## EnforcedTargetLimit defines a global limit on the number of scraped targets. This overrides any TargetLimit set + ## per ServiceMonitor or/and PodMonitor. It is meant to be used by admins to enforce the TargetLimit to keep the overall + ## number of targets under the desired limit. Note that if TargetLimit is lower, that value will be taken instead, except + ## if either value is zero, in which case the non-zero value will be used. If both values are zero, no limit is enforced. + enforcedTargetLimit: false + + + ## Per-scrape limit on number of labels that will be accepted for a sample. If more than this number of labels are present + ## post metric-relabeling, the entire scrape will be treated as failed. 0 means no limit. Only valid in Prometheus versions + ## 2.27.0 and newer. + enforcedLabelLimit: false + + ## Per-scrape limit on length of labels name that will be accepted for a sample. 
If a label name is longer than this number + ## post metric-relabeling, the entire scrape will be treated as failed. 0 means no limit. Only valid in Prometheus versions + ## 2.27.0 and newer. + enforcedLabelNameLengthLimit: false + + ## Per-scrape limit on length of labels value that will be accepted for a sample. If a label value is longer than this + ## number post metric-relabeling, the entire scrape will be treated as failed. 0 means no limit. Only valid in Prometheus + ## versions 2.27.0 and newer. + enforcedLabelValueLengthLimit: false + + ## AllowOverlappingBlocks enables vertical compaction and vertical query merge in Prometheus. This is still experimental + ## in Prometheus so it may change in any upcoming release. + allowOverlappingBlocks: false + + ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to + ## be considered available. Defaults to 0 (pod will be considered available as soon as it is ready). + minReadySeconds: 0 + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + # Use the host's network namespace if true. Make sure to understand the security implications if you want to enable it. + # When hostNetwork is enabled, this will set dnsPolicy to ClusterFirstWithHostNet automatically. + hostNetwork: false + + # HostAlias holds the mapping between IP and hostnames that will be injected + # as an entry in the pod’s hosts file. + hostAliases: [] + # - ip: 10.10.0.100 + # hostnames: + # - a1.app.local + # - b1.app.local + + ## TracingConfig configures tracing in Prometheus. 
+ ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#prometheustracingconfig + tracingConfig: {} + + ## Defines the service discovery role used to discover targets from ServiceMonitor objects and Alertmanager endpoints. + ## If set, the value should be either “Endpoints” or “EndpointSlice”. If unset, the operator assumes the “Endpoints” role. + serviceDiscoveryRole: "" + + ## Additional configuration which is not covered by the properties above. (passed through tpl) + additionalConfig: {} + + ## Additional configuration which is not covered by the properties above. + ## Useful, if you need advanced templating inside alertmanagerSpec. + ## Otherwise, use prometheus.prometheusSpec.additionalConfig (passed through tpl) + additionalConfigString: "" + + ## Defines the maximum time that the `prometheus` container's startup probe + ## will wait before being considered failed. The startup probe will return + ## success after the WAL replay is complete. If set, the value should be + ## greater than 60 (seconds). Otherwise it will be equal to 900 seconds (15 + ## minutes). + maximumStartupDurationSeconds: 0 + + additionalRulesForClusterRole: [] + # - apiGroups: [ "" ] + # resources: + # - nodes/proxy + # verbs: [ "get", "list", "watch" ] + + additionalServiceMonitors: [] + ## Name of the ServiceMonitor to create + ## + # - name: "" + + ## Additional labels to set used for the ServiceMonitorSelector. Together with standard labels from + ## the chart + ## + # additionalLabels: {} + + ## Service label for use in assembling a job name of the form