From fa481f6c14dd858b3ad68af655b3e8f1cbba7db2 Mon Sep 17 00:00:00 2001 From: Juan Ariza Toledano Date: Wed, 12 May 2021 17:56:41 +0200 Subject: [PATCH] [bitnami/kubeapps] New major version: standardization (#6301) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [bitnami/kubeapps] New major version: standardization Signed-off-by: juan131 * Update bitnami/kubeapps/README.md Co-authored-by: Michael Nelson * Update bitnami/kubeapps/README.md Co-authored-by: Michael Nelson * Reorder parameters Signed-off-by: juan131 * Apply suggestions from code review Co-authored-by: Antonio Gámez * Update Chart.lock Signed-off-by: juan131 * Fix kubeapps chart to use helper for pinniped-proxy full name. * Remove hardcore settings and unused macros Signed-off-by: juan131 * [bitnami/kubeapps] New major version: standardization Signed-off-by: juan131 * Merge conflicts Signed-off-by: juan131 * Remove some pending hardcore references Signed-off-by: juan131 * Switch values order Signed-off-by: juan131 * [bitnami/kubeapps] Update components versions 
Signed-off-by: Bitnami Containers Co-authored-by: Michael Nelson Co-authored-by: Antonio Gámez Co-authored-by: Bitnami Containers --- .github/PULL_REQUEST_TEMPLATE.md | 2 - bitnami/kubeapps/Chart.lock | 6 +- bitnami/kubeapps/Chart.yaml | 4 +- bitnami/kubeapps/README.md | 544 ++++- bitnami/kubeapps/templates/NOTES.txt | 2 + bitnami/kubeapps/templates/_helpers.tpl | 137 +- .../templates/apprepositories-secret.yaml | 40 - .../kubeapps/templates/apprepositories.yaml | 61 - .../templates/apprepository-deployment.yaml | 75 - .../templates/apprepository-rbac.yaml | 161 -- .../apprepository-serviceaccount.yaml | 13 - .../apprepository/apprepositories-secret.yaml | 55 + .../apprepository/apprepositories.yaml | 64 + .../templates/apprepository/deployment.yaml | 94 + .../templates/apprepository/rbac.yaml | 217 ++ .../apprepository/serviceaccount.yaml | 13 + .../templates/assetsvc-deployment.yaml | 78 - .../kubeapps/templates/assetsvc-service.yaml | 16 - .../templates/assetsvc/deployment.yaml | 97 + .../kubeapps/templates/assetsvc/service.yaml | 28 + .../templates/dashboard-deployment.yaml | 102 - .../kubeapps/templates/dashboard-service.yaml | 15 - .../configmap.yaml} | 15 +- .../templates/dashboard/deployment.yaml | 153 ++ .../kubeapps/templates/dashboard/service.yaml | 28 + bitnami/kubeapps/templates/extra-list.yaml | 4 + .../configmap.yaml} | 21 +- .../templates/frontend/deployment.yaml | 196 ++ .../{ => frontend}/oauth2-secret.yaml | 11 +- .../kubeapps/templates/frontend/service.yaml | 76 + bitnami/kubeapps/templates/ingress.yaml | 20 +- .../kubeapps-frontend-deployment.yaml | 137 -- .../templates/kubeapps-frontend-service.yaml | 48 - .../kubeapps/templates/kubeops-config.yaml | 14 - .../templates/kubeops-deployment.yaml | 108 - bitnami/kubeapps/templates/kubeops-rbac.yaml | 99 - .../kubeapps/templates/kubeops-service.yaml | 15 - .../templates/kubeops-serviceaccount.yaml | 6 - .../kubeapps/templates/kubeops/config.yaml | 18 + .../templates/kubeops/deployment.yaml | 142 ++ 
bitnami/kubeapps/templates/kubeops/rbac.yaml | 141 ++ .../kubeapps/templates/kubeops/service.yaml | 28 + .../templates/kubeops/serviceaccount.yaml | 13 + .../templates/tests/test-assetsvc.yaml | 17 +- .../templates/tests/test-dashboard.yaml | 5 - bitnami/kubeapps/templates/tls-secrets.yaml | 22 +- bitnami/kubeapps/values.schema.json | 18 - bitnami/kubeapps/values.yaml | 1808 ++++++++++++----- githooks/pre-commit/kubeapps | 8 - 49 files changed, 3277 insertions(+), 1718 deletions(-) delete mode 100644 bitnami/kubeapps/templates/apprepositories-secret.yaml delete mode 100644 bitnami/kubeapps/templates/apprepositories.yaml delete mode 100644 bitnami/kubeapps/templates/apprepository-deployment.yaml delete mode 100644 bitnami/kubeapps/templates/apprepository-rbac.yaml delete mode 100644 bitnami/kubeapps/templates/apprepository-serviceaccount.yaml create mode 100644 bitnami/kubeapps/templates/apprepository/apprepositories-secret.yaml create mode 100644 bitnami/kubeapps/templates/apprepository/apprepositories.yaml create mode 100644 bitnami/kubeapps/templates/apprepository/deployment.yaml create mode 100644 bitnami/kubeapps/templates/apprepository/rbac.yaml create mode 100644 bitnami/kubeapps/templates/apprepository/serviceaccount.yaml delete mode 100644 bitnami/kubeapps/templates/assetsvc-deployment.yaml delete mode 100644 bitnami/kubeapps/templates/assetsvc-service.yaml create mode 100644 bitnami/kubeapps/templates/assetsvc/deployment.yaml create mode 100644 bitnami/kubeapps/templates/assetsvc/service.yaml delete mode 100644 bitnami/kubeapps/templates/dashboard-deployment.yaml delete mode 100644 bitnami/kubeapps/templates/dashboard-service.yaml rename bitnami/kubeapps/templates/{dashboard-config.yaml => dashboard/configmap.yaml} (80%) create mode 100644 bitnami/kubeapps/templates/dashboard/deployment.yaml create mode 100644 bitnami/kubeapps/templates/dashboard/service.yaml create mode 100644 bitnami/kubeapps/templates/extra-list.yaml rename 
bitnami/kubeapps/templates/{kubeapps-frontend-config.yaml => frontend/configmap.yaml} (89%) create mode 100644 bitnami/kubeapps/templates/frontend/deployment.yaml rename bitnami/kubeapps/templates/{ => frontend}/oauth2-secret.yaml (61%) create mode 100644 bitnami/kubeapps/templates/frontend/service.yaml delete mode 100644 bitnami/kubeapps/templates/kubeapps-frontend-deployment.yaml delete mode 100644 bitnami/kubeapps/templates/kubeapps-frontend-service.yaml delete mode 100644 bitnami/kubeapps/templates/kubeops-config.yaml delete mode 100644 bitnami/kubeapps/templates/kubeops-deployment.yaml delete mode 100644 bitnami/kubeapps/templates/kubeops-rbac.yaml delete mode 100644 bitnami/kubeapps/templates/kubeops-service.yaml delete mode 100644 bitnami/kubeapps/templates/kubeops-serviceaccount.yaml create mode 100644 bitnami/kubeapps/templates/kubeops/config.yaml create mode 100644 bitnami/kubeapps/templates/kubeops/deployment.yaml create mode 100644 bitnami/kubeapps/templates/kubeops/rbac.yaml create mode 100644 bitnami/kubeapps/templates/kubeops/service.yaml create mode 100644 bitnami/kubeapps/templates/kubeops/serviceaccount.yaml delete mode 100755 githooks/pre-commit/kubeapps
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index ed1facf422..1575eaab29 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -37,5 +37,3 @@ request, mention that information here.-->
 - [ ] Chart version bumped in `Chart.yaml` according to [semver](http://semver.org/).
 - [ ] Variables are documented in the README.md
 - [ ] Title of the PR starts with chart name (e.g. `[bitnami/chart]`)
-
-:warning: Keep in mind that if you want to make changes to the kubeapps chart, please implement them in the [kubeapps repository](https://github.com/kubeapps/kubeapps/tree/master/chart/kubeapps). This is only a synchronized mirror.
diff --git a/bitnami/kubeapps/Chart.lock b/bitnami/kubeapps/Chart.lock
index c2430c7a6c..fe62de5173 100644
--- a/bitnami/kubeapps/Chart.lock
+++ b/bitnami/kubeapps/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
 version: 1.4.3
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
- version: 10.3.18
-digest: sha256:7e02170e3674d24949c420931e5d008449c185c44d05fe73d72c96a8514c9a67
-generated: "2021-04-27T17:09:59.360429792+02:00"
+ version: 10.4.3
+digest: sha256:5bea8fec70b627945acf0f833e2f9ee0546a7c7eb4e79b29c1ceef78d8650a71
+generated: "2021-05-12T15:22:26.370125885Z"
diff --git a/bitnami/kubeapps/Chart.yaml b/bitnami/kubeapps/Chart.yaml
index 3150f517ce..f81741be68 100644
--- a/bitnami/kubeapps/Chart.yaml
+++ b/bitnami/kubeapps/Chart.yaml
@@ -10,7 +10,7 @@ dependencies:
 version: 1.x.x
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
- version: '10.X.X'
+ version: 10.x.x
 description: Kubeapps is a dashboard for your Kubernetes cluster that makes it easy to deploy and manage applications in your cluster using Helm
 home: https://kubeapps.com
 icon: https://raw.githubusercontent.com/kubeapps/kubeapps/master/docs/img/logo.png
@@ -25,4 +25,4 @@ maintainers:
 name: kubeapps
 sources:
 - https://github.com/kubeapps/kubeapps
-version: 6.1.2
+version: 7.0.0
diff --git a/bitnami/kubeapps/README.md b/bitnami/kubeapps/README.md
index bd31128554..74af967c16 100644
--- a/bitnami/kubeapps/README.md
+++ b/bitnami/kubeapps/README.md
@@ -29,9 +29,10 @@ It also packages the [Bitnami PostgreSQL chart](https://github.com/bitnami/chart
 ## Prerequisites
-- Kubernetes 1.15+ (tested with Azure Kubernetes Service, Google Kubernetes Engine, minikube and Docker for Desktop Kubernetes)
+- Kubernetes 1.16+ (tested with both bare-metal and managed clusters, including EKS, AKS, GKE and Tanzu Kubernetes Grid, as well as dev clusters, such as Kind, Minikube and Docker for Desktop Kubernetes)
 - Helm 3.0.2+
 - Administrative access to the cluster to create Custom Resource Definitions (CRDs)
+- PV provisioner support in the underlying infrastructure (required for PostgreSQL database)
 ## Installing the Chart
@@ -51,7 +52,417 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith ## Parameters -For a full list of configuration parameters of the Kubeapps chart, see the [values.yaml](values.yaml) file. +### Global parameters + +| Name | Description | Value | +| ------------------------- | ----------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `nil` | + + +### Common parameters + +| Name | Description | Value | +| ------------------- | -------------------------------------------------- | ------- | +| `kubeVersion` | Override Kubernetes version | `nil` | +| `nameOverride` | String to partially override common.names.fullname | `nil` | +| `fullnameOverride` | String to fully override common.names.fullname | `nil` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `enableIPv6` | Enable IPv6 configuration | `false` | + + +### Traffic Exposure Parameters + +| Name | Description | Value | +| --------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------ | +| `ingress.enabled` | Enable ingress record generation for Kubeapps | `false` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `nil` | +| `ingress.hostname` | Default host for the ingress record | `kubeapps.local` | +| `ingress.path` | Default path for the ingress record | `/` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.annotations` | Additional custom annotations for the ingress record | `{}` | +| `ingress.tls` | Enable TLS 
configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.certManager` | Add the corresponding annotations for cert-manager integration | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | + + +### Frontend parameters + +| Name | Description | Value | +| ------------------------------------------------ | ----------------------------------------------------------------------------------------- | ----------------------- | +| `frontend.image.registry` | NGINX image registry | `docker.io` | +| `frontend.image.repository` | NGINX image repository | `bitnami/nginx` | +| `frontend.image.tag` | NGINX image tag (immutable tags are recommended) | `1.19.10-debian-10-r11` | +| `frontend.image.pullPolicy` | NGINX image pull policy | `IfNotPresent` | +| `frontend.image.pullSecrets` | NGINX image pull secrets | `[]` | +| `frontend.image.debug` | Enable image debug mode | `false` | +| `frontend.proxypassAccessTokenAsBearer` | Use access_token as the Bearer when talking to the k8s api server | `false` | +| `frontend.proxypassExtraSetHeader` | Set an additional proxy header for all requests proxied via NGINX | `nil` | +| `frontend.largeClientHeaderBuffers` | Set large_client_header_buffers in NGINX config | `4 32k` | +| `frontend.replicaCount` | Number of frontend replicas to deploy | `2` | +| `frontend.resources.limits.cpu` | The CPU limits for the NGINX container | `250m` | +| `frontend.resources.limits.memory` | The memory limits for 
the NGINX container | `128Mi` | +| `frontend.resources.requests.cpu` | The requested CPU for the NGINX container | `25m` | +| `frontend.resources.requests.memory` | The requested memory for the NGINX container | `32Mi` | +| `frontend.extraEnvVars` | Array with extra environment variables to add to the NGINX container | `[]` | +| `frontend.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the NGINX container | `nil` | +| `frontend.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the NGINX container | `nil` | +| `frontend.containerPort` | NGINX HTTP container port | `8080` | +| `frontend.podSecurityContext.enabled` | Enabled frontend pods' Security Context | `true` | +| `frontend.podSecurityContext.fsGroup` | Set frontend pod's Security Context fsGroup | `1001` | +| `frontend.containerSecurityContext.enabled` | Enabled NGINX containers' Security Context | `true` | +| `frontend.containerSecurityContext.runAsUser` | Set NGINX container's Security Context runAsUser | `1001` | +| `frontend.containerSecurityContext.runAsNonRoot` | Set NGINX container's Security Context runAsNonRoot | `true` | +| `frontend.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `frontend.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `frontend.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `frontend.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `frontend.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `frontend.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `frontend.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `frontend.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | +| `frontend.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `frontend.readinessProbe.timeoutSeconds` | Timeout 
seconds for readinessProbe | `5` | +| `frontend.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `frontend.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `frontend.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `frontend.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `frontend.lifecycleHooks` | Custom lifecycle hooks for frontend containers | `{}` | +| `frontend.podLabels` | Extra labels for frontend pods | `{}` | +| `frontend.podAnnotations` | Annotations for frontend pods | `{}` | +| `frontend.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `frontend.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `frontend.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `frontend.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | +| `frontend.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `affinity` is set | `[]` | +| `frontend.affinity` | Affinity for pod assignment | `{}` | +| `frontend.nodeSelector` | Node labels for pod assignment | `{}` | +| `frontend.tolerations` | Tolerations for pod assignment | `[]` | +| `frontend.priorityClassName` | Priority class name for frontend pods | `nil` | +| `frontend.hostAliases` | Custom host aliases for frontend pods | `[]` | +| `frontend.extraVolumes` | Optionally specify extra list of additional volumes for frontend pods | `[]` | +| `frontend.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for frontend container(s) | `[]` | +| `frontend.sidecars` | Add additional sidecar containers to the frontend pod | `{}` | +| `frontend.initContainers` | Add additional init containers to the frontend pods | `{}` | +| `frontend.service.type` | Frontend service type | `ClusterIP` | +| `frontend.service.port` | Frontend service HTTP port | `80` | +| `frontend.service.nodePort` | Node port for HTTP | `nil` | +| `frontend.service.clusterIP` | Frontend service Cluster IP | `nil` | +| `frontend.service.loadBalancerIP` | Frontend service Load Balancer IP | `nil` | +| `frontend.service.loadBalancerSourceRanges` | Frontend service Load Balancer sources | `[]` | +| `frontend.service.externalTrafficPolicy` | Frontend service external traffic policy | `Cluster` | +| `frontend.service.annotations` | Additional custom annotations for frontend service | `{}` | + + +### Dashboard parameters + +| Name | Description | Value | +| ------------------------------------------------- | ----------------------------------------------------------------------------------------- | ---------------------------- | +| `dashboard.image.registry` | Dashboard image registry | `docker.io` | +| `dashboard.image.repository` | Dashboard image repository | `bitnami/kubeapps-dashboard` | +| `dashboard.image.tag` | Dashboard image tag (immutable tags are recommended) | `2.3.2-debian-10-r0` | +| `dashboard.image.pullPolicy` | 
Dashboard image pull policy | `IfNotPresent` | +| `dashboard.image.pullSecrets` | Dashboard image pull secrets | `[]` | +| `dashboard.image.debug` | Enable image debug mode | `false` | +| `dashboard.customStyle` | Custom CSS injected to the Dashboard to customize Kubeapps look and feel | `""` | +| `dashboard.customComponents` | Custom Form components injected into the BasicDeploymentForm | `""` | +| `dashboard.customLocale` | Custom translations injected to the Dashboard to customize the strings used in Kubeapps | `""` | +| `dashboard.replicaCount` | Number of Dashboard replicas to deploy | `2` | +| `dashboard.extraEnvVars` | Array with extra environment variables to add to the Dashboard container | `[]` | +| `dashboard.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the Dashboard container | `nil` | +| `dashboard.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the Dashboard container | `nil` | +| `dashboard.containerPort` | Dashboard HTTP container port | `8080` | +| `dashboard.resources.limits.cpu` | The CPU limits for the Dashboard container | `250m` | +| `dashboard.resources.limits.memory` | The memory limits for the Dashboard container | `128Mi` | +| `dashboard.resources.requests.cpu` | The requested CPU for the Dashboard container | `25m` | +| `dashboard.resources.requests.memory` | The requested memory for the Dashboard container | `32Mi` | +| `dashboard.podSecurityContext.enabled` | Enabled Dashboard pods' Security Context | `true` | +| `dashboard.podSecurityContext.fsGroup` | Set Dashboard pod's Security Context fsGroup | `1001` | +| `dashboard.containerSecurityContext.enabled` | Enabled Dashboard containers' Security Context | `true` | +| `dashboard.containerSecurityContext.runAsUser` | Set Dashboard container's Security Context runAsUser | `1001` | +| `dashboard.containerSecurityContext.runAsNonRoot` | Set Dashboard container's Security Context runAsNonRoot | `true` | +| 
`dashboard.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `dashboard.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `dashboard.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `dashboard.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `dashboard.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `dashboard.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `dashboard.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `dashboard.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | +| `dashboard.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `dashboard.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `dashboard.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `dashboard.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `dashboard.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `dashboard.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `dashboard.lifecycleHooks` | Custom lifecycle hooks for Dashboard containers | `{}` | +| `dashboard.podLabels` | Extra labels for Dasbhoard pods | `{}` | +| `dashboard.podAnnotations` | Annotations for Dasbhoard pods | `{}` | +| `dashboard.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dashboard.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `dashboard.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dashboard.nodeAffinityPreset.key` | Node label key to match. 
Ignored if `affinity` is set | `""` | +| `dashboard.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` | +| `dashboard.affinity` | Affinity for pod assignment | `{}` | +| `dashboard.nodeSelector` | Node labels for pod assignment | `{}` | +| `dashboard.tolerations` | Tolerations for pod assignment | `[]` | +| `dashboard.priorityClassName` | Priority class name for Dashboard pods | `nil` | +| `dashboard.hostAliases` | Custom host aliases for Dashboard pods | `[]` | +| `dashboard.extraVolumes` | Optionally specify extra list of additional volumes for Dasbhoard pods | `[]` | +| `dashboard.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Dasbhoard container(s) | `[]` | +| `dashboard.sidecars` | Add additional sidecar containers to the Dasbhoard pod | `{}` | +| `dashboard.initContainers` | Add additional init containers to the Dasbhoard pods | `{}` | +| `dashboard.service.port` | Dasbhoard service HTTP port | `8080` | +| `dashboard.service.annotations` | Additional custom annotations for Dasbhoard service | `{}` | + + +### AppRepository Controller parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ----------------------------------------------------------------------------------------- | ------------------------------------------- | +| `apprepository.image.registry` | Kubeapps AppRepository Controller image registry | `docker.io` | +| `apprepository.image.repository` | Kubeapps AppRepository Controller image repository | `bitnami/kubeapps-apprepository-controller` | +| `apprepository.image.tag` | Kubeapps AppRepository Controller image tag (immutable tags are recommended) | `2.3.2-scratch-r0` | +| `apprepository.image.pullPolicy` | Kubeapps AppRepository Controller image pull policy | `IfNotPresent` | +| `apprepository.image.pullSecrets` | Kubeapps AppRepository Controller image pull secrets | `[]` | +| `apprepository.syncImage.registry` | 
Kubeapps Asset Syncer image registry | `docker.io` | +| `apprepository.syncImage.repository` | Kubeapps Asset Syncer image repository | `bitnami/kubeapps-asset-syncer` | +| `apprepository.syncImage.tag` | Kubeapps Asset Syncer image tag (immutable tags are recommended) | `2.3.2-scratch-r0` | +| `apprepository.syncImage.pullPolicy` | Kubeapps Asset Syncer image pull policy | `IfNotPresent` | +| `apprepository.syncImage.pullSecrets` | Kubeapps Asset Syncer image pull secrets | `[]` | +| `apprepository.initialRepos` | Initial chart repositories to configure | `[]` | +| `apprepository.initialReposProxy` | Proxy configuration to access chart repositories | `{}` | +| `apprepository.crontab` | Schedule for syncing App repositories (default to 10 minutes) | `nil` | +| `apprepository.watchAllNamespaces` | Watch all namespaces to support separate AppRepositories per namespace | `true` | +| `apprepository.replicaCount` | Number of AppRepository Controller replicas to deploy | `1` | +| `apprepository.resources.limits.cpu` | The CPU limits for the AppRepository Controller container | `250m` | +| `apprepository.resources.limits.memory` | The memory limits for the AppRepository Controller container | `128Mi` | +| `apprepository.resources.requests.cpu` | The requested CPU for the AppRepository Controller container | `25m` | +| `apprepository.resources.requests.memory` | The requested memory for the AppRepository Controller container | `32Mi` | +| `apprepository.podSecurityContext.enabled` | Enabled AppRepository Controller pods' Security Context | `true` | +| `apprepository.podSecurityContext.fsGroup` | Set AppRepository Controller pod's Security Context fsGroup | `1001` | +| `apprepository.containerSecurityContext.enabled` | Enabled AppRepository Controller containers' Security Context | `true` | +| `apprepository.containerSecurityContext.runAsUser` | Set AppRepository Controller container's Security Context runAsUser | `1001` | +| 
`apprepository.containerSecurityContext.runAsNonRoot` | Set AppRepository Controller container's Security Context runAsNonRoot | `true` | +| `apprepository.lifecycleHooks` | Custom lifecycle hooks for AppRepository Controller containers | `{}` | +| `apprepository.podLabels` | Extra labels for AppRepository Controller pods | `{}` | +| `apprepository.podAnnotations` | Annotations for AppRepository Controller pods | `{}` | +| `apprepository.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `apprepository.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `apprepository.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `apprepository.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | +| `apprepository.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `affinity` is set | `[]` | +| `apprepository.affinity` | Affinity for pod assignment | `{}` | +| `apprepository.nodeSelector` | Node labels for pod assignment | `{}` | +| `apprepository.tolerations` | Tolerations for pod assignment | `[]` | +| `apprepository.priorityClassName` | Priority class name for AppRepository Controller pods | `nil` | +| `apprepository.hostAliases` | Custom host aliases for AppRepository Controller pods | `[]` | + + +### Kubeops parameters + +| Name | Description | Value | +| ----------------------------------------------- | ----------------------------------------------------------------------------------------- | -------------------------- | +| `kubeops.image.registry` | Kubeops image registry | `docker.io` | +| `kubeops.image.repository` | Kubeops image repository | `bitnami/kubeapps-kubeops` | +| `kubeops.image.tag` | Kubeops image tag (immutable tags are recommended) | `2.3.2-scratch-r0` | +| `kubeops.image.pullPolicy` | Kubeops image pull policy | `IfNotPresent` | +| `kubeops.image.pullSecrets` | Kubeops image pull secrets | `[]` | +| `kubeops.namespaceHeaderName` | Additional header name for trusted namespaces | `nil` | +| `kubeops.namespaceHeaderPattern` | Additional header pattern for trusted namespaces | `nil` | +| `kubeops.qps` | Kubeops QPS (queries per second) rate | `nil` | +| `kubeops.burst` | Kubeops burst rate | `nil` | +| `kubeops.replicaCount` | Number of Kubeops replicas to deploy | `2` | +| `kubeops.terminationGracePeriodSeconds` | The grace time period for sig term | `300` | +| `kubeops.extraEnvVars` | Array with extra environment variables to add to the Kubeops container | `[]` | +| `kubeops.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the Kubeops container | `nil` | +| `kubeops.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the Kubeops container | `nil` | +| `kubeops.containerPort` | Kubeops HTTP container port | `8080` | +| 
`kubeops.resources.limits.cpu` | The CPU limits for the Kubeops container | `250m` | +| `kubeops.resources.limits.memory` | The memory limits for the Kubeops container | `256Mi` | +| `kubeops.resources.requests.cpu` | The requested CPU for the Kubeops container | `25m` | +| `kubeops.resources.requests.memory` | The requested memory for the Kubeops container | `32Mi` | +| `kubeops.podSecurityContext.enabled` | Enabled Kubeops pods' Security Context | `true` | +| `kubeops.podSecurityContext.fsGroup` | Set Kubeops pod's Security Context fsGroup | `1001` | +| `kubeops.containerSecurityContext.enabled` | Enabled Kubeops containers' Security Context | `true` | +| `kubeops.containerSecurityContext.runAsUser` | Set Kubeops container's Security Context runAsUser | `1001` | +| `kubeops.containerSecurityContext.runAsNonRoot` | Set Kubeops container's Security Context runAsNonRoot | `true` | +| `kubeops.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `kubeops.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `kubeops.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `kubeops.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `kubeops.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `kubeops.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `kubeops.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `kubeops.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | +| `kubeops.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `kubeops.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `kubeops.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `kubeops.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `kubeops.customLivenessProbe` | Custom livenessProbe 
that overrides the default one | `{}` | +| `kubeops.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `kubeops.lifecycleHooks` | Custom lifecycle hooks for Kubeops containers | `{}` | +| `kubeops.podLabels` | Extra labels for Kubeops pods | `{}` | +| `kubeops.podAnnotations` | Annotations for Kubeops pods | `{}` | +| `kubeops.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `kubeops.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `kubeops.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `kubeops.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | +| `kubeops.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` | +| `kubeops.affinity` | Affinity for pod assignment | `{}` | +| `kubeops.nodeSelector` | Node labels for pod assignment | `{}` | +| `kubeops.tolerations` | Tolerations for pod assignment | `[]` | +| `kubeops.priorityClassName` | Priority class name for Kubeops pods | `nil` | +| `kubeops.hostAliases` | Custom host aliases for Kubeops pods | `[]` | +| `kubeops.service.port` | Kubeops service HTTP port | `8080` | +| `kubeops.service.annotations` | Additional custom annotations for Kubeops service | `{}` | + + +### Assetsvc parameters + +| Name | Description | Value | +| ------------------------------------------------ | ----------------------------------------------------------------------------------------- | --------------------------- | +| `assetsvc.image.registry` | Kubeapps Assetsvc image registry | `docker.io` | +| `assetsvc.image.repository` | Kubeapps Assetsvc image repository | `bitnami/kubeapps-assetsvc` | +| `assetsvc.image.tag` | Kubeapps Assetsvc image tag (immutable tags are recommended) | `2.3.2-scratch-r0` 
| +| `assetsvc.image.pullPolicy` | Kubeapps Assetsvc image pull policy | `IfNotPresent` | +| `assetsvc.image.pullSecrets` | Kubeapps Assetsvc image pull secrets | `[]` | +| `assetsvc.replicaCount` | Number of Assetsvc replicas to deploy | `2` | +| `assetsvc.extraEnvVars` | Array with extra environment variables to add to the Assetsvc container | `[]` | +| `assetsvc.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the Assetsvc container | `nil` | +| `assetsvc.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the Assetsvc container | `nil` | +| `assetsvc.containerPort` | Assetsvc HTTP container port | `8080` | +| `assetsvc.resources.limits.cpu` | The CPU limits for the Assetsvc container | `250m` | +| `assetsvc.resources.limits.memory` | The memory limits for the Assetsvc container | `128Mi` | +| `assetsvc.resources.requests.cpu` | The requested CPU for the Assetsvc container | `25m` | +| `assetsvc.resources.requests.memory` | The requested memory for the Assetsvc container | `32Mi` | +| `assetsvc.podSecurityContext.enabled` | Enabled Assetsvc pods' Security Context | `true` | +| `assetsvc.podSecurityContext.fsGroup` | Set Assetsvc pod's Security Context fsGroup | `1001` | +| `assetsvc.containerSecurityContext.enabled` | Enabled Assetsvc containers' Security Context | `true` | +| `assetsvc.containerSecurityContext.runAsUser` | Set Assetsvc container's Security Context runAsUser | `1001` | +| `assetsvc.containerSecurityContext.runAsNonRoot` | Set Assetsvc container's Security Context runAsNonRoot | `true` | +| `assetsvc.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `assetsvc.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `assetsvc.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `assetsvc.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `assetsvc.livenessProbe.failureThreshold` | Failure threshold for 
livenessProbe | `6` | +| `assetsvc.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `assetsvc.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `assetsvc.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | +| `assetsvc.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `assetsvc.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `assetsvc.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `assetsvc.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `assetsvc.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `assetsvc.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `assetsvc.lifecycleHooks` | Custom lifecycle hooks for Assetsvc containers | `{}` | +| `assetsvc.podLabels` | Extra labels for Assetsvc pods | `{}` | +| `assetsvc.podAnnotations` | Annotations for Assetsvc pods | `{}` | +| `assetsvc.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `assetsvc.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `assetsvc.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `assetsvc.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | +| `assetsvc.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `affinity` is set | `[]` | +| `assetsvc.affinity` | Affinity for pod assignment | `{}` | +| `assetsvc.nodeSelector` | Node labels for pod assignment | `{}` | +| `assetsvc.tolerations` | Tolerations for pod assignment | `[]` | +| `assetsvc.priorityClassName` | Priority class name for Assetsvc pods | `nil` | +| `assetsvc.hostAliases` | Custom host aliases for Assetsvc pods | `[]` | +| `assetsvc.service.port` | Assetsvc service HTTP port | `8080` | +| `assetsvc.service.annotations` | Additional custom annotations for Assetsvc service | `{}` | + + +### Auth Proxy parameters + +| Name | Description | Value | +| ------------------------------------------------- | ----------------------------------------------------------------------------- | ---------------------- | +| `authProxy.enabled` | Specifies whether Kubeapps should configure OAuth login/logout | `false` | +| `authProxy.image.registry` | OAuth2 Proxy image registry | `docker.io` | +| `authProxy.image.repository` | OAuth2 Proxy image repository | `bitnami/oauth2-proxy` | +| `authProxy.image.tag` | OAuth2 Proxy image tag (immutable tags are recommended) | `7.1.2-debian-10-r22` | +| `authProxy.image.pullPolicy` | OAuth2 Proxy image pull policy | `IfNotPresent` | +| `authProxy.image.pullSecrets` | OAuth2 Proxy image pull secrets | `[]` | +| `authProxy.external` | Use an external Auth Proxy instead of deploying its own one | `false` | +| `authProxy.oauthLoginURI` | OAuth Login URI to which the Kubeapps frontend redirects for authn | `/oauth2/start` | +| `authProxy.oauthLogoutURI` | OAuth Logout URI to which the Kubeapps frontend redirects for authn | `/oauth2/sign_out` | +| `authProxy.skipKubeappsLoginPage` | Skip the Kubeapps login page when using OIDC and directly redirect to the IdP | `false` | +| `authProxy.provider` | OAuth provider | `""` | +| `authProxy.clientID` | OAuth Client ID | `""` | +| `authProxy.clientSecret` | OAuth Client secret | `""` | +| `authProxy.cookieSecret` | Secret used by 
oauth2-proxy to encrypt any credentials | `""` | +| `authProxy.emailDomain` | Allowed email domains | `*` | +| `authProxy.additionalFlags` | Additional flags for oauth2-proxy | `[]` | +| `authProxy.containerPort` | Auth Proxy HTTP container port | `3000` | +| `authProxy.containerSecurityContext.enabled` | Enabled Auth Proxy containers' Security Context | `true` | +| `authProxy.containerSecurityContext.runAsUser` | Set Auth Proxy container's Security Context runAsUser | `1001` | +| `authProxy.containerSecurityContext.runAsNonRoot` | Set Auth Proxy container's Security Context runAsNonRoot | `true` | +| `authProxy.resources.limits.cpu` | The CPU limits for the OAuth2 Proxy container | `250m` | +| `authProxy.resources.limits.memory` | The memory limits for the OAuth2 Proxy container | `128Mi` | +| `authProxy.resources.requests.cpu` | The requested CPU for the OAuth2 Proxy container | `25m` | +| `authProxy.resources.requests.memory` | The requested memory for the OAuth2 Proxy container | `32Mi` | + + +### Pinniped Proxy parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------ | --------------------------------- | +| `pinnipedProxy.enabled` | Specifies whether Kubeapps should configure Pinniped Proxy | `false` | +| `pinnipedProxy.image.registry` | Pinniped Proxy image registry | `docker.io` | +| `pinnipedProxy.image.repository` | Pinniped Proxy image repository | `bitnami/kubeapps-pinniped-proxy` | +| `pinnipedProxy.image.tag` | Pinniped Proxy image tag (immutable tags are recommended) | `2.3.2-debian-10-r0` | +| `pinnipedProxy.image.pullPolicy` | Pinniped Proxy image pull policy | `IfNotPresent` | +| `pinnipedProxy.image.pullSecrets` | Pinniped Proxy image pull secrets | `[]` | +| `pinnipedProxy.defaultPinnipedNamespace` | Specify the (default) namespace in which pinniped concierge is installed | `pinniped-concierge` | +| 
`pinnipedProxy.defaultAuthenticatorType` | Specify the (default) authenticator type | `JWTAuthenticator` | +| `pinnipedProxy.defaultAuthenticatorName` | Specify the (default) authenticator name | `jwt-authenticator` | +| `pinnipedProxy.defaultPinnipedAPISuffix` | Specify the (default) API suffix | `pinniped.dev` | +| `pinnipedProxy.containerPort` | Kubeops HTTP container port | `3333` | +| `pinnipedProxy.containerSecurityContext.enabled` | Enabled Pinniped Proxy containers' Security Context | `true` | +| `pinnipedProxy.containerSecurityContext.runAsUser` | Set Pinniped Proxy container's Security Context runAsUser | `1001` | +| `pinnipedProxy.containerSecurityContext.runAsNonRoot` | Set Pinniped Proxy container's Security Context runAsNonRoot | `true` | +| `pinnipedProxy.resources.limits.cpu` | The CPU limits for the Pinniped Proxy container | `250m` | +| `pinnipedProxy.resources.limits.memory` | The memory limits for the Pinniped Proxy container | `128Mi` | +| `pinnipedProxy.resources.requests.cpu` | The requested CPU for the Pinniped Proxy container | `25m` | +| `pinnipedProxy.resources.requests.memory` | The requested memory for the Pinniped Proxy container | `32Mi` | + + +### Other Parameters + +| Name | Description | Value | +| ------------------------- | ----------------------------------------------------------------------------- | ----------------------- | +| `allowNamespaceDiscovery` | Allow users to discover available namespaces (only the ones they have access) | `true` | +| `clusters` | List of clusters that Kubeapps can target for deployments | `[]` | +| `featureFlags` | Feature flags (used to switch on development features) | `{}` | +| `rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `testImage.registry` | NGINX image registry | `docker.io` | +| `testImage.repository` | NGINX image repository | `bitnami/nginx` | +| `testImage.tag` | NGINX image tag (immutable tags are recommended) | `1.19.10-debian-10-r11` | +| 
`testImage.pullPolicy` | NGINX image pull policy | `IfNotPresent` | +| `testImage.pullSecrets` | NGINX image pull secrets | `[]` | + + +### Database Parameters + +| Name | Description | Value | +| -------------------------------------- | ---------------------------------------------------------------------------- | -------- | +| `postgresql.enabled` | Deploy a PostgreSQL server to satisfy the applications database requirements | `true` | +| `postgresql.replication.enabled` | Enable replication for high availability | `true` | +| `postgresql.postgresqlDatabase` | Database name for Kubeapps to be created on the first run | `assets` | +| `postgresql.postgresqlPassword` | Password for 'postgres' user | `""` | +| `postgresql.persistence.enabled` | Enable persistence on PostgreSQL using PVC(s) | `false` | +| `postgresql.persistence.size` | Persistent Volume size | `8Gi` | +| `postgresql.securityContext.enabled` | Enabled PostgreSQL replicas pods' Security Context | `false` | +| `postgresql.resources.limits` | The resources limits for the PostreSQL container | `{}` | +| `postgresql.resources.requests.cpu` | The requested CPU for the PostreSQL container | `250m` | +| `postgresql.resources.requests.memory` | The requested memory for the PostreSQL container | `256Mi` | + Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
@@ -103,7 +514,6 @@ To enable ingress integration, please set `ingress.enabled` to `true` Most likely you will only want to have one hostname that maps to this Kubeapps installation (use the `ingress.hostname` parameter to set the hostname), however, it is possible to have more than one host. To facilitate this, the `ingress.extraHosts` object is an array. -If you plan to serve Kubeapps under a subpath (eg., `example.com/subpath`), you will have to disable the default path by setting `ingress.hostname=""` and the enter the hostname and path in the extraHost array; for instance: `ingress.extraHosts[0].name="example.com"` and `ingress.extraHosts[0].path="/subpath"` ##### Annotations For annotations, please see [this document](https://github.com/kubeapps/kubeapps/blob/master/docs/user-guide/nginx-configuration/annotations.md). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`. 
@@ -140,8 +550,8 @@ In the first two cases, it's needed a certificate and a key. We would expect the ``` - If you are going to use Helm to manage the certificates based on the parameters, please copy these values into the `certificate` and `key` values for a given `ingress.secrets` entry. -- In case you are going to manage TLS secrects separately, please know that you can must a TLS secret with name *INGRESS_HOSTNAME-tls* (where *INGRESS_HOSTNAME* is a placeholder to be replaced with the hostname you set using the `ingress.hostname` parameter). -- To use self-signed certificates created by Helm, set `ingress.tls` to `true` and `ingress.certManager` to `false`. +- In case you are going to manage TLS secrets separately, please know that you must use a TLS secret with name *INGRESS_HOSTNAME-tls* (where *INGRESS_HOSTNAME* is a placeholder to be replaced with the hostname you set using the `ingress.hostname` parameter). +- To use self-signed certificates created by Helm, set both `ingress.tls` and `ingress.selfSigned` to `true`. - If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, set `ingress.certManager` boolean to true to enable the corresponding annotations for cert-manager. ## Upgrading Kubeapps 
@@ -190,7 +600,7 @@ kubectl delete namespace kubeapps - [How to install Kubeapps in production scenarios?](#how-to-install-kubeapps-in-production-scenarios) - [How to use Kubeapps?](#how-to-use-kubeapps) - [How to configure Kubeapps with Ingress](#how-to-configure-kubeapps-with-ingress) - * [Serving Kubeapps in a subpath](#serving-kubeapps-in-a-subpath) + - [Serving Kubeapps in a subpath](#serving-kubeapps-in-a-subpath) - [Can Kubeapps install apps into more than one cluster?](#can-kubeapps-install-apps-into-more-than-one-cluster) - [Can Kubeapps be installed without Internet connection?](#can-kubeapps-be-installed-without-internet-connection) - [Does Kubeapps support private repositories?](#does-kubeapps-support-private-repositories) @@ -223,6 +633,7 @@ helm install kubeapps --namespace kubeapps \ --set ingress.hostname=example.com \ bitnami/kubeapps ``` + #### Serving Kubeapps in a subpath You may want to serve Kubeapps with a subpath, for instance `http://example.com/subpath`, you have to set the proper Ingress configuration. If you are using the ingress configuration provided by the Kubeapps chart, you will have to set the `ingress.extraHosts` parameter: @@ -235,6 +646,7 @@ helm install kubeapps --namespace kubeapps \ --set ingress.extraHosts[0].path="/catalog" bitnami/kubeapps ``` + Besides, if you are using the OAuth2/OIDC login (more information at the [using an OIDC provider documentation](https://github.com/kubeapps/kubeapps/blob/master/docs/user/using-an-OIDC-provider.md)), you will need, also, to configure the different URLs: ```bash 
@@ -286,14 +698,13 @@ To reduce this time, you can increase the number of checks that Kubeapps will pe Feel free to [open an issue](https://github.com/kubeapps/kubeapps/issues/new) if you have any questions! - ## Troubleshooting ### Nginx Ipv6 error When starting the application with the `--set enableIPv6=true` option, the Nginx server present in the services `kubeapps` and `kubeapps-internal-dashboard` may fail with the following: -``` +```console nginx: [emerg] socket() [::]:8080 failed (97: Address family not supported by protocol) ``` @@ -303,13 +714,13 @@ This usually means that your cluster is not compatible with IPv6. To disable it, If during installation you run into an error similar to: -``` +```console Error: release kubeapps failed: clusterroles.rbac.authorization.k8s.io "kubeapps-apprepository-controller" is forbidden: attempt to grant extra privileges: [{[get] [batch] [cronjobs] [] []... ``` Or: -``` +```console Error: namespaces "kubeapps" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "kubeapps" ``` 
@@ -330,25 +741,23 @@ helm install --name kubeapps --namespace kubeapps bitnami/kubeapps --set rbac.cr It is possible that when upgrading Kubeapps an error appears. That can be caused by a breaking change in the new chart or because the current chart installation is in an inconsistent state. If you find issues upgrading Kubeapps you can follow these steps: > Note: These steps assume that you have installed Kubeapps in the namespace `kubeapps` using the name `kubeapps`. If that is not the case replace the command with your namespace and/or name. - > Note: If you are upgrading from 2.3.1 see the [following section](#upgrading-to-2-3-1). - +> Note: If you are upgrading from 2.3.1 see the [following section](#upgrading-to-2-3-1). > Note: If you are upgrading from 1.X to 2.X see the [following section](#upgrading-to-2-0). - -1. (Optional) Backup your personal repositories (if you have any): +1. (Optional) Backup your personal repositories (if you have any): ```bash kubectl get apprepository -A -o yaml > .yaml ``` -2. Delete Kubeapps: +2. Delete Kubeapps: ```bash helm del --purge kubeapps ``` -3. (Optional) Delete the App Repositories CRD: +3. (Optional) Delete the App Repositories CRD: > **Warning**: Don't execute this step if you have more than one Kubeapps installation in your cluster. @@ -356,7 +765,7 @@ helm del --purge kubeapps kubectl delete crd apprepositories.kubeapps.com ``` -4. (Optional) Clean the Kubeapps namespace: +4. (Optional) Clean the Kubeapps namespace: > **Warning**: Don't execute this step if you have workloads other than Kubeapps in the `kubeapps` namespace. 
@@ -364,14 +773,14 @@ kubectl delete crd apprepositories.kubeapps.com kubectl delete namespace kubeapps ``` -5. Install the latest version of Kubeapps (using any custom modifications you need): +5. Install the latest version of Kubeapps (using any custom modifications you need): ```bash helm repo update helm install --name kubeapps --namespace kubeapps bitnami/kubeapps ``` -6. (Optional) Restore any repositories you backed up in the first step: +6. (Optional) Restore any repositories you backed up in the first step: ```bash kubectl apply -f .yaml 
@@ -379,53 +788,14 @@ kubectl apply -f .yaml After that you should be able to access the new version of Kubeapps. If the above doesn't work for you or you run into any other issues please open an [issue](https://github.com/kubeapps/kubeapps/issues/new). -### Upgrading to 2.0.1 (Chart 5.0.0) +### Upgrading to chart version 7.0.0 -[On November 13, 2020, Helm 2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm 3 and to be consistent with the Helm project itself regarding the Helm 2 EOL. +In this release, no breaking changes were included in Kubeapps (version 2.3.2). However, the chart adopted the standardizations included in the rest of the charts in the Bitnami catalog. -**What changes were introduced in this major version?** +Most of these standardizations simply add new parameters that allow to add more customizations such as adding custom env. variables, volumes or sidecar containers. That said, some of them include breaking changes: -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. 
-- Move dependency information from the *requirements.yaml* to the *Chart.yaml* -- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts -- In the case of PostgreSQL subchart, apart from the same changes that are described in this section, there are also other major changes due to the master/slave nomenclature was replaced by primary/readReplica. [Here](https://github.com/bitnami/charts/pull/4385) you can find more information about the changes introduced. - -**Considerations when upgrading to this version** - -- If you want to upgrade to this version using Helm 2, this scenario is not supported as this version doesn't support Helm 2 anymore -- If you installed the previous version with Helm 2 and wants to upgrade to this version with Helm 3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm 2 to 3 -- If you want to upgrade to this version from a previous one installed with Helm 3, you shouldn't face any issues related to the new `apiVersion`. Due to the PostgreSQL major version bump, it's necessary to remove the existing statefulsets: - -> Note: The command below assumes that Kubeapps has been deployed in the kubeapps namespace using "kubeapps" as release name, if that's not the case, adapt the command accordingly. 
- -```console -$ kubectl delete statefulset -n kubeapps kubeapps-postgresql-master kubeapps-postgresql-slave -``` - -**Useful links** - -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ - -### Upgrading to 2.0 - -Kubeapps 2.0 (Chart version 4.0.0) introduces some breaking changes: - - - Helm 2 is no longer supported. If you are still using some Helm 2 charts, [migrate them with the available tools](https://helm.sh/docs/topics/v2_v3_migration/). Note that some charts (but not all of them) may require to be migrated to the [new Chart specification (v2)](https://helm.sh/docs/topics/charts/#the-apiversion-field). If you are facing any issue managing this migration and Kubeapps, please open a new issue! - - MongoDB® is no longer supported. Since 2.0, the only database supported is PostgreSQL. - - PostgreSQL chart dependency has been upgraded to a new major version. - -Due to the last point, it's necessary to run a command before upgrading to Kubeapps 2.0: - -> Note: The command below assumes that Kubeapps has been deployed in the kubeapps namespace using "kubeapps" as release name, if that's not the case, adapt the command accordingly. - -```bash -kubectl delete statefulset -n kubeapps kubeapps-postgresql-master kubeapps-postgresql-slave -``` - -After that you should be able to upgrade Kubeapps as always and the database will be repopulated. +- Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). +- `securityContext.*` parameters are deprecated in favor of `XXX.podSecurityContext.*` and `XXX.containerSecurityContext.*`, where XXX is placeholder you need to replace with the actual component(s). For instance, to modify the container security context for "kubeops" use `kubeops.podSecurityContext` and `kubeops.containerSecurityContext` parameters. 
### Upgrading to 2.3.1 
@@ -470,3 +840,51 @@ After that, you will be able to upgrade Kubeapps to 2.3.1 using the existing dat ```console $ helm upgrade kubeapps bitnami/kubeapps -n kubeapps --set postgresql.postgresqlPassword=$POSTGRESQL_PASSWORD ``` + +### Upgrading to 2.0.1 (Chart 5.0.0) + +[On November 13, 2020, Helm 2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm 3 and to be consistent with the Helm project itself regarding the Helm 2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts +- In the case of PostgreSQL subchart, apart from the same changes that are described in this section, there are also other major changes due to the master/slave nomenclature was replaced by primary/readReplica. [Here](https://github.com/bitnami/charts/pull/4385) you can find more information about the changes introduced. 
+ +**Considerations when upgrading to this version** + +- If you want to upgrade to this version using Helm 2, this scenario is not supported as this version doesn't support Helm 2 anymore +- If you installed the previous version with Helm 2 and wants to upgrade to this version with Helm 3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm 2 to 3 +- If you want to upgrade to this version from a previous one installed with Helm 3, you shouldn't face any issues related to the new `apiVersion`. Due to the PostgreSQL major version bump, it's necessary to remove the existing statefulsets: + +> Note: The command below assumes that Kubeapps has been deployed in the kubeapps namespace using "kubeapps" as release name, if that's not the case, adapt the command accordingly. + +```console +$ kubectl delete statefulset -n kubeapps kubeapps-postgresql-master kubeapps-postgresql-slave +``` + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +### Upgrading to 2.0 + +Kubeapps 2.0 (Chart version 4.0.0) introduces some breaking changes: + +- Helm 2 is no longer supported. If you are still using some Helm 2 charts, [migrate them with the available tools](https://helm.sh/docs/topics/v2_v3_migration/). Note that some charts (but not all of them) may require to be migrated to the [new Chart specification (v2)](https://helm.sh/docs/topics/charts/#the-apiversion-field). If you are facing any issue managing this migration and Kubeapps, please open a new issue! +- MongoDB® is no longer supported. Since 2.0, the only database supported is PostgreSQL. +- PostgreSQL chart dependency has been upgraded to a new major version. 
+ +Due to the last point, it's necessary to run a command before upgrading to Kubeapps 2.0: + +> Note: The command below assumes that Kubeapps has been deployed in the kubeapps namespace using "kubeapps" as release name, if that's not the case, adapt the command accordingly. + +```bash +kubectl delete statefulset -n kubeapps kubeapps-postgresql-master kubeapps-postgresql-slave +``` + +After that you should be able to upgrade Kubeapps as always and the database will be repopulated. diff --git a/bitnami/kubeapps/templates/NOTES.txt b/bitnami/kubeapps/templates/NOTES.txt index 8f4acccbbc..83bb36324b 100644 --- a/bitnami/kubeapps/templates/NOTES.txt +++ b/bitnami/kubeapps/templates/NOTES.txt @@ -71,3 +71,5 @@ To access Kubeapps from outside your K8s cluster, follow the steps below: {{- $passwordValidationErrors = append $passwordValidationErrors $postgresqlPasswordValidationErrors -}} {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $) -}} +{{- include "kubeapps.checkRollingTags" . }} +{{- include "kubeapps.validateValues" . }} diff --git a/bitnami/kubeapps/templates/_helpers.tpl b/bitnami/kubeapps/templates/_helpers.tpl index a89d6728b1..85ef8fc0dc 100644 --- a/bitnami/kubeapps/templates/_helpers.tpl +++ b/bitnami/kubeapps/templates/_helpers.tpl 
@@ -1,39 +1,10 @@ {{/* vim: set filetype=mustache: */}} -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "kubeapps.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels for additional kubeapps applications. Used on resources whose app name is different -from kubeapps -*/}} -{{- define "kubeapps.extraAppLabels" -}} -chart: {{ include "kubeapps.chart" . }} -release: {{ .Release.Name }} -heritage: {{ .Release.Service }} -helm.sh/chart: {{ include "kubeapps.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ include "common.names.name" . }} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "kubeapps.labels" -}} -app: {{ include "common.names.name" . }} -{{ template "kubeapps.extraAppLabels" . }} -{{- end -}} - {{/* Return the proper Docker Image Registry Secret Names */}} {{- define "kubeapps.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.frontend.image .Values.dashboard.image .Values.apprepository.image .Values.apprepository.syncImage .Values.assetsvc.image .Values.kubeops.image .Values.authProxy.image .Values.pinnipedProxy.image .Values.hooks.image .Values.testImage) "global" .Values.global) }} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.frontend.image .Values.dashboard.image .Values.apprepository.image .Values.apprepository.syncImage .Values.assetsvc.image .Values.kubeops.image .Values.authProxy.image .Values.pinnipedProxy.image .Values.testImage) "global" .Values.global) }} {{- end -}} {{/* 
@@ -49,98 +20,63 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this Create name for the apprepository-controller based on the fullname */}} {{- define "kubeapps.apprepository.fullname" -}} -{{ include "common.names.fullname" . }}-internal-apprepository-controller -{{- end -}} - -{{/* -Create name for the apprepository pre-upgrade job -*/}} -{{- define "kubeapps.apprepository-job-postupgrade.fullname" -}} -{{ include "common.names.fullname" . }}-internal-apprepository-job-postupgrade -{{- end -}} - -{{/* -Create name for the apprepository cleanup job -*/}} -{{- define "kubeapps.apprepository-jobs-cleanup.fullname" -}} -{{ include "common.names.fullname" . }}-internal-apprepository-jobs-cleanup -{{- end -}} - -{{/* -Create name for the db-secret secret bootstrap job -*/}} -{{- define "kubeapps.db-secret-jobs-cleanup.fullname" -}} -{{ include "common.names.fullname" . }}-internal-db-secret-jobs-cleanup -{{- end -}} - -{{/* -Create name for the kubeapps upgrade job -*/}} -{{- define "kubeapps.kubeapps-jobs-upgrade.fullname" -}} -{{ include "common.names.fullname" . }}-internal-kubeapps-jobs-upgrade +{{- printf "%s-internal-apprepository-controller" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create name for the assetsvc based on the fullname */}} {{- define "kubeapps.assetsvc.fullname" -}} -{{ include "common.names.fullname" . }}-internal-assetsvc +{{- printf "%s-internal-assetsvc" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create name for the dashboard based on the fullname */}} {{- define "kubeapps.dashboard.fullname" -}} -{{ include "common.names.fullname" . }}-internal-dashboard +{{- printf "%s-internal-dashboard" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create name for the dashboard config based on the fullname */}} {{- define "kubeapps.dashboard-config.fullname" -}} -{{ include "common.names.fullname" . 
}}-internal-dashboard-config +{{- printf "%s-internal-dashboard-config" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create name for the frontend config based on the fullname */}} {{- define "kubeapps.frontend-config.fullname" -}} -{{ include "common.names.fullname" . }}-frontend-config -{{- end -}} - -{{/* -Create proxy_pass for the frontend config -*/}} -{{- define "kubeapps.frontend-config.proxy_pass" -}} -http://{{ template "kubeapps.kubeops.fullname" . }}:{{ .Values.kubeops.service.port }} +{{- printf "%s-frontend-config" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create name for kubeops based on the fullname */}} {{- define "kubeapps.kubeops.fullname" -}} -{{ include "common.names.fullname" . }}-internal-kubeops +{{- printf "%s-internal-kubeops" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Create name for the kubeops config based on the fullname */}} {{- define "kubeapps.kubeops-config.fullname" -}} -{{ include "common.names.fullname" . }}-kubeops-config +{{- printf "%s-kubeops-config" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* -Create name for the secrets related to an app repository +Create proxy_pass for the frontend config */}} -{{- define "kubeapps.apprepository-secret.name" -}} -apprepo-{{ .name }}-secrets +{{- define "kubeapps.frontend-config.proxy_pass" -}} +http://{{ include "kubeapps.kubeops.fullname" . }}:{{ .Values.kubeops.service.port }} {{- end -}} {{/* Create name for the secrets related to oauth2_proxy */}} {{- define "kubeapps.oauth2_proxy-secret.name" -}} -{{ template "common.names.fullname" . }}-oauth2 +{{- printf "%s-oauth2" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* 
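Review bot: The new `printf ... | trunc 63 | trimSuffix "-"` form in these fullname helpers cuts the component suffix rather than the release-derived prefix, so a long release name can collapse several helpers to the same string. For example, `kubeapps.dashboard-config.fullname`, `kubeapps.frontend-config.fullname` and `kubeapps.kubeops-config.fullname` all name ConfigMaps. This assumes `common.names.fullname` can itself approach 63 characters, which the comment quoted in the hunk header suggests, but the common chart is not shown here. Truncating the base keeps the distinguishing suffix intact, e.g. `{{- printf "%s-internal-assetsvc" (include "common.names.fullname" . | trunc 45 | trimSuffix "-") -}}`, with the base budget sized for each suffix. The same pattern is added to `kubeapps.pinniped-proxy.fullname` in the next hunk.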
@@ -148,7 +84,7 @@ Create name for pinniped-proxy based on the fullname. Currently used for a service name only. */}} {{- define "kubeapps.pinniped-proxy.fullname" -}} -{{ include "common.names.fullname" . }}-internal-pinniped-proxy +{{- printf "%s-internal-pinniped-proxy" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* @@ -167,9 +103,9 @@ Frontend service port number */}} {{- define "kubeapps.frontend-port-number" -}} {{- if .Values.authProxy.enabled -}} -3000 +{{ .Values.authProxy.containerPort | int }} {{- else -}} -8080 +{{ .Values.frontend.containerPort | int }} {{- end -}} {{- end -}} 
@@ -215,3 +151,46 @@ Return the Postgresql secret name
 {{- printf "%s" (include "kubeapps.postgresql.fullname" .) -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "kubeapps.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "kubeapps.validateValues.ingress.tls" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Kubeapps - TLS configuration for Ingress
+*/}}
+{{- define "kubeapps.validateValues.ingress.tls" -}}
+{{- if and .Values.ingress.enabled .Values.ingress.tls (not .Values.ingress.certManager) (not .Values.ingress.selfSigned) (empty .Values.ingress.extraTls) }}
+kubeapps: ingress.tls
+ You enabled the TLS configuration for the default ingress hostname but
+ you did not enable any of the available mechanisms to create the TLS secret
+ to be used by the Ingress Controller.
+ Please use any of these alternatives:
+ - Use the `ingress.extraTls` and `ingress.secrets` parameters to provide your custom TLS certificates.
+ - Relay on cert-manager to create it by setting `ingress.certManager=true`
+ - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check if there are rolling tags in the images
+*/}}
+{{- define "kubeapps.checkRollingTags" -}}
+{{- include "common.warnings.rollingTag" .Values.frontend.image }}
+{{- include "common.warnings.rollingTag" .Values.dashboard.image }}
+{{- include "common.warnings.rollingTag" .Values.apprepository.image }}
+{{- include "common.warnings.rollingTag" .Values.assetsvc.image }}
+{{- include "common.warnings.rollingTag" .Values.kubeops.image }}
+{{- include "common.warnings.rollingTag" .Values.authProxy.image }}
+{{- include "common.warnings.rollingTag" .Values.pinnipedProxy.image }}
+{{- end -}}
diff --git a/bitnami/kubeapps/templates/apprepositories-secret.yaml b/bitnami/kubeapps/templates/apprepositories-secret.yaml
deleted file mode 100644
index 3405391318..0000000000
--- a/bitnami/kubeapps/templates/apprepositories-secret.yaml
+++ /dev/null
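Review bot: `kubeapps.checkRollingTags` does not cover `.Values.apprepository.syncImage`, although apprepository/deployment.yaml in this same patch passes that image to `--repo-sync-image`, so a mutable tag on the sync-job image would go unreported. Adding `{{- include "common.warnings.rollingTag" .Values.apprepository.syncImage }}` next to the other entries closes the gap. In the `kubeapps.validateValues.ingress.tls` message, "Relay on" should read "Rely on" in both bullet lines.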
@@ -1,40 +0,0 @@ -{{- range .Values.apprepository.initialRepos }} -{{- if or .caCert .authorizationHeader }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "kubeapps.apprepository-secret.name" . }} - {{- if .namespace }} - namespace: {{ .namespace }} - {{- end }} - labels:{{ include "kubeapps.labels" $ | nindent 4 }} -data: - {{- if .caCert }} - ca.crt: |- - {{ .caCert | b64enc }} - {{- end }} - {{- if .authorizationHeader }} - authorizationHeader: |- - {{ .authorizationHeader | b64enc }} - {{- end }} ---- -{{/* credentials are required in the release namespace for syncer jobs */}} -{{- if .namespace }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .namespace }}-apprepo-{{ .name }}" - labels:{{ include "kubeapps.labels" $ | nindent 4 }} -data: - {{- if .caCert }} - ca.crt: |- - {{ .caCert | b64enc }} - {{- end }} - {{- if .authorizationHeader }} - authorizationHeader: |- - {{ .authorizationHeader | b64enc }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/bitnami/kubeapps/templates/apprepositories.yaml b/bitnami/kubeapps/templates/apprepositories.yaml deleted file mode 100644 index 0d12c8750f..0000000000 --- a/bitnami/kubeapps/templates/apprepositories.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- range .Values.apprepository.initialRepos }} -apiVersion: kubeapps.com/v1alpha1 -kind: AppRepository -metadata: - name: {{ .name }} -{{- if .namespace }} - namespace: {{ .namespace }} -{{- end }} - labels:{{ include "kubeapps.extraAppLabels" $ | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" $ }} -spec: -{{- if .type }} - type: {{ .type }} -{{- else }} - type: helm -{{- end }} - url: {{ .url }} -{{- if .ociRepositories }} - ociRepositories: -{{- range .ociRepositories }} - - {{ . }} -{{- end }} -{{- end }} -{{- if or $.Values.securityContext.enabled $.Values.apprepository.initialReposProxy.enabled .nodeSelector }} - syncJobPodTemplate: - spec: - {{- if $.Values.apprepository.initialReposProxy.enabled }} - containers: - - env: - - name: https_proxy - value: {{ $.Values.apprepository.initialReposProxy.https_proxy }} - - name: http_proxy - value: {{ $.Values.apprepository.initialReposProxy.http_proxy }} - - name: no_proxy - value: {{ $.Values.apprepository.initialReposProxy.no_proxy }} - {{- end }} - {{- if $.Values.securityContext.enabled }} - securityContext: - runAsUser: {{ $.Values.securityContext.runAsUser }} - {{- end }} - {{- if .nodeSelector }} - nodeSelector: {{- toYaml .nodeSelector | nindent 8 }} - {{- end }} -{{- end }} - {{- if or .caCert .authorizationHeader }} - auth: - {{- if .caCert }} - customCA: - secretKeyRef: - key: ca.crt - name: {{ template "kubeapps.apprepository-secret.name" . }} - {{- end }} - {{- if .authorizationHeader }} - header: - secretKeyRef: - key: authorizationHeader - name: {{ template "kubeapps.apprepository-secret.name" . }} - {{- end }} - {{- end }} ---- -{{ end -}} diff --git a/bitnami/kubeapps/templates/apprepository-deployment.yaml b/bitnami/kubeapps/templates/apprepository-deployment.yaml deleted file mode 100644 index eaea30f416..0000000000 --- a/bitnami/kubeapps/templates/apprepository-deployment.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ template "kubeapps.apprepository.fullname" . }} - labels: - {{- include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} -spec: - replicas: {{ .Values.apprepository.replicaCount }} - selector: - matchLabels: - app: {{ template "kubeapps.apprepository.fullname" . }} - release: {{ .Release.Name }} - template: - metadata: - {{- with .Values.apprepository.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - app: {{ template "kubeapps.apprepository.fullname" . }} - release: {{ .Release.Name }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: {{ template "common.names.name" . }} - spec: - serviceAccountName: {{ template "kubeapps.apprepository.fullname" . }} -{{- include "kubeapps.imagePullSecrets" . | indent 6 }} - {{- if .Values.apprepository.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.affinity "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.apprepository.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.apprepository.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - containers: - - name: controller - image: {{ include "common.images.image" (dict "imageRoot" .Values.apprepository.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.apprepository.image.pullPolicy | quote }} - command: - - /apprepository-controller - args: - - 
--user-agent-comment=kubeapps/{{ .Chart.AppVersion }} - - --repo-sync-image={{ include "common.images.image" (dict "imageRoot" .Values.apprepository.syncImage "global" .Values.global) }} - {{- if .Values.global }} - {{- if.Values.global.imagePullSecrets }} - {{- range $key, $value := .Values.global.imagePullSecrets }} - - --repo-sync-image-pullsecrets={{ $value | quote }} - {{- end }} - {{- end }} - {{- end }} - - --repo-sync-cmd=/asset-syncer - - --namespace={{ .Release.Namespace }} - {{- if .Values.postgresql.existingSecret }} - - --database-secret-name={{ .Values.postgresql.existingSecret }} - {{- else }} - - --database-secret-name={{ template "kubeapps.postgresql.fullname" . }} - {{- end }} - - --database-secret-key=postgresql-password - - --database-url={{ template "kubeapps.postgresql.fullname" . }}:5432 - - --database-user=postgres - - --database-name=assets - {{- if .Values.apprepository.crontab }} - - --crontab={{ .Values.apprepository.crontab }} - {{- end }} - - --repos-per-namespace={{ .Values.apprepository.watchAllNamespaces}} - {{- if .Values.apprepository.resources }} - resources: {{- toYaml .Values.apprepository.resources | nindent 12 }} - {{- end }} diff --git a/bitnami/kubeapps/templates/apprepository-rbac.yaml b/bitnami/kubeapps/templates/apprepository-rbac.yaml deleted file mode 100644 index 380d9a6103..0000000000 --- a/bitnami/kubeapps/templates/apprepository-rbac.yaml +++ /dev/null 
@@ -1,161 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: Role -metadata: - name: {{ template "kubeapps.apprepository.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} -rules: - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - create - - get - - list - - update - - watch - - delete - - apiGroups: - - batch - resources: - - jobs - verbs: - - create - - apiGroups: - - kubeapps.com - resources: - - apprepositories - - apprepositories/finalizers - verbs: - - get - - list - - update - - watch ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: RoleBinding -metadata: - name: {{ template "kubeapps.apprepository.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kubeapps.apprepository.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace }} ---- -# Define role, but no binding, so users can be bound to this role -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: Role -metadata: - name: {{ .Release.Name }}-repositories-read -rules: - - apiGroups: - - kubeapps.com - resources: - - apprepositories - verbs: - - list - - get ---- -# Define role, but no binding, so users can be bound to this role -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . 
}} -kind: Role -metadata: - name: {{ .Release.Name }}-repositories-write -rules: - - apiGroups: - - kubeapps.com - resources: - - apprepositories - verbs: - - "*" - - apiGroups: - - "" - resources: - - secrets - verbs: - - create ---- -# The Kubeapps app repository controller can read and watch its own -# AppRepository resources cluster-wide. The read and write cluster-roles can -# also be bound to users in specific namespaces as required. -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: ClusterRole -metadata: - name: "kubeapps:{{ .Release.Namespace }}:apprepositories-read" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} -rules: - - apiGroups: - - kubeapps.com - resources: - - apprepositories - - apprepositories/finalizers - verbs: - - get - - list - - watch ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: ClusterRoleBinding -metadata: - name: "kubeapps:controller:{{ .Release.Namespace }}:apprepositories-read" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "kubeapps:{{ .Release.Namespace }}:apprepositories-read" -subjects: - - kind: ServiceAccount - name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: ClusterRole -metadata: - name: "kubeapps:{{ .Release.Namespace }}:apprepositories-write" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} -rules: - - apiGroups: - - kubeapps.com - resources: - - apprepositories - verbs: - - '*' - - apiGroups: - - "" - resources: - - secrets - verbs: - - '*' ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . 
}} -kind: ClusterRole -metadata: - name: "kubeapps:{{ .Release.Namespace }}:apprepositories-refresh" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} -rules: - - apiGroups: - - kubeapps.com - resources: - - apprepositories - verbs: - - get - - update -{{- end -}} diff --git a/bitnami/kubeapps/templates/apprepository-serviceaccount.yaml b/bitnami/kubeapps/templates/apprepository-serviceaccount.yaml deleted file mode 100644 index 9b9fbf60bf..0000000000 --- a/bitnami/kubeapps/templates/apprepository-serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kubeapps.apprepository.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kubeapps.apprepository-job-postupgrade.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.apprepository.fullname" . }} diff --git a/bitnami/kubeapps/templates/apprepository/apprepositories-secret.yaml b/bitnami/kubeapps/templates/apprepository/apprepositories-secret.yaml new file mode 100644 index 0000000000..3fccaf6ee7 --- /dev/null +++ b/bitnami/kubeapps/templates/apprepository/apprepositories-secret.yaml 
@@ -0,0 +1,55 @@
+{{- range .Values.apprepository.initialRepos }}
+{{- if or .caCert .authorizationHeader }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "apprepo-%s-secrets" .name }}
+ {{- if .namespace }}
+ namespace: {{ .namespace | quote }}
+ {{- else }}
+ namespace: {{ $.Release.Namespace | quote }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ {{- if .caCert }}
+ ca.crt: |-
+ {{ .caCert | b64enc }}
+ {{- end }}
+ {{- if .authorizationHeader }}
+ authorizationHeader: |-
+ {{ .authorizationHeader | b64enc }}
+ {{- end }}
+---
+{{/* credentials are required in the release namespace for syncer jobs */}}
+{{- if .namespace }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-apprepo-%s" .namespace .name }}
+ namespace: {{ $.Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ {{- if .caCert }}
+ ca.crt: |-
+ {{ .caCert | b64enc }}
+ {{- end }}
+ {{- if .authorizationHeader }}
+ authorizationHeader: |-
+ {{ .authorizationHeader | b64enc }}
+ {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/bitnami/kubeapps/templates/apprepository/apprepositories.yaml b/bitnami/kubeapps/templates/apprepository/apprepositories.yaml
new file mode 100644
index 0000000000..ba8283f179
--- /dev/null
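Review bot: Inside `{{- range .Values.apprepository.initialRepos }}` the dot is the current repository entry, so `.Values.commonLabels` and `.Values.commonAnnotations` in both Secret manifests do not reach the chart values. As soon as an entry sets `caCert` or `authorizationHeader` this most likely aborts rendering with a nil lookup, and at best the common labels and annotations are silently dropped from the credential Secrets. The sibling apprepositories.yaml in this patch already uses the root context; the four conditions and the matching `dict "value"` arguments here should do the same: `{{- if $.Values.commonLabels }}` and `dict "value" $.Values.commonLabels "context" $`.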
+++ b/bitnami/kubeapps/templates/apprepository/apprepositories.yaml 
@@ -0,0 +1,64 @@
+{{- range .Values.apprepository.initialRepos }}
+apiVersion: kubeapps.com/v1alpha1
+kind: AppRepository
+metadata:
+ name: {{ .name }}
+ {{- if .namespace }}
+ namespace: {{ .namespace | quote }}
+ {{- else }}
+ namespace: {{ $.Release.Namespace | quote }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ {{- if $.Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if $.Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ default "helm" .type }}
+ url: {{ .url }}
+ {{- if .ociRepositories }}
+ ociRepositories:
+ {{- range .ociRepositories }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if or $.Values.apprepository.containerSecurityContext.enabled $.Values.apprepository.initialReposProxy.enabled .nodeSelector }}
+ syncJobPodTemplate:
+ spec:
+ {{- if $.Values.apprepository.initialReposProxy.enabled }}
+ containers:
+ - env:
+ - name: https_proxy
+ value: {{ $.Values.apprepository.initialReposProxy.httpsProxy }}
+ - name: http_proxy
+ value: {{ $.Values.apprepository.initialReposProxy.httpProxy }}
+ - name: no_proxy
+ value: {{ $.Values.apprepository.initialReposProxy.noProxy }}
+ {{- end }}
+ {{- if $.Values.apprepository.containerSecurityContext.enabled }}
+ securityContext:
+ runAsUser: {{ $.Values.apprepository.containerSecurityContext.runAsUser }}
+ {{- end }}
+ {{- if .nodeSelector }}
+ nodeSelector: {{- toYaml .nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- if or .caCert .authorizationHeader }}
+ auth:
+ {{- if .caCert }}
+ customCA:
+ secretKeyRef:
+ key: ca.crt
+ name: {{ printf "apprepo-%s-secrets" .name }}
+ {{- end }}
+ {{- if .authorizationHeader }}
+ header:
+ secretKeyRef:
+ key: authorizationHeader
+ name: {{ printf "apprepo-%s-secrets" .name }}
+ {{- end }}
+ {{- end }}
+---
+{{ end -}}
diff --git a/bitnami/kubeapps/templates/apprepository/deployment.yaml b/bitnami/kubeapps/templates/apprepository/deployment.yaml
new file mode 100644
index 0000000000..dd1aeac93f
--- /dev/null
+++ b/bitnami/kubeapps/templates/apprepository/deployment.yaml
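Review bot: `name`, `url`, the `ociRepositories` items and the three proxy `value` fields are rendered unquoted, while `namespace` is quoted in the same manifest. A URL or proxy string that contains `#` or `: `, or an unset `noProxy`, changes how the YAML parses (a truncated scalar, a mapping, or a null `value`), so the AppRepository can end up pointing somewhere other than what the operator wrote. I would quote them, e.g. `url: {{ .url | quote }}` and `value: {{ $.Values.apprepository.initialReposProxy.httpsProxy | quote }}`. If proxy URLs in this deployment can carry credentials, note in the values documentation that they are stored in plain text in the AppRepository spec.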
@@ -0,0 +1,94 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ template "kubeapps.apprepository.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.apprepository.replicaCount }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: apprepository
+ template:
+ metadata:
+ {{- if .Values.apprepository.podAnnotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" . | nindent 8 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.apprepository.podLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.podLabels "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
+ serviceAccountName: {{ template "kubeapps.apprepository.fullname" . }}
+ {{- if .Values.apprepository.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.apprepository.affinity }}
+ affinity: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.apprepository.podAffinityPreset "component" "apprepository" "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.apprepository.podAntiAffinityPreset "component" "apprepository" "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.apprepository.nodeAffinityPreset.type "key" .Values.apprepository.nodeAffinityPreset.key "values" .Values.apprepository.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.apprepository.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.apprepository.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.tolerations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.apprepository.priorityClassName }}
+ priorityClassName: {{ .Values.apprepository.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.apprepository.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.apprepository.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: controller
+ image: {{ include "common.images.image" (dict "imageRoot" .Values.apprepository.image "global" .Values.global) }}
+ imagePullPolicy: {{ .Values.apprepository.image.pullPolicy | quote }}
+ {{- if .Values.apprepository.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.apprepository.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.apprepository.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ command:
+ - /apprepository-controller
+ args:
+ - --user-agent-comment=kubeapps/{{ .Chart.AppVersion }}
+ - --repo-sync-image={{ include "common.images.image" (dict "imageRoot" .Values.apprepository.syncImage "global" .Values.global) }}
+ {{- if .Values.global }}
+ {{- if.Values.global.imagePullSecrets }}
+ {{- range $key, $value := .Values.global.imagePullSecrets }}
+ - --repo-sync-image-pullsecrets={{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - --repo-sync-cmd=/asset-syncer
+ - --namespace={{ .Release.Namespace }}
+ {{- if .Values.postgresql.existingSecret }}
+ - --database-secret-name={{ .Values.postgresql.existingSecret }}
+ {{- else }}
+ - --database-secret-name={{ template "kubeapps.postgresql.fullname" . }}
+ {{- end }}
+ - --database-secret-key=postgresql-password
+ - --database-url={{ template "kubeapps.postgresql.fullname" . }}:{{ default "5432" .Values.postgresql.service.port }}
+ - --database-user=postgres
+ - --database-name={{ .Values.postgresql.postgresqlDatabase }}
+ {{- if .Values.apprepository.crontab }}
+ - --crontab={{ .Values.apprepository.crontab }}
+ {{- end }}
+ - --repos-per-namespace={{ .Values.apprepository.watchAllNamespaces }}
+ {{- if .Values.apprepository.resources }}
+ resources: {{- toYaml .Values.apprepository.resources | nindent 12 }}
+ {{- end }}
diff --git a/bitnami/kubeapps/templates/apprepository/rbac.yaml b/bitnami/kubeapps/templates/apprepository/rbac.yaml
new file mode 100644
index 0000000000..b82d3039a9
--- /dev/null
+++ b/bitnami/kubeapps/templates/apprepository/rbac.yaml
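Review bot: `--database-user=postgres` stays hard-coded in `args` while the database name and port on the neighbouring lines now come from values, so the controller always connects as the PostgreSQL superuser, and presumably so do the sync jobs it launches with these settings. If the database subchart can provision a dedicated application user, reading the user from values the same way `--database-name` now does would let operators run with least privilege; `--database-secret-key=postgresql-password` would have to follow whatever key that user's password is stored under. A short comment above the argument stating why the superuser is required would be enough if it cannot change.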
@@ -0,0 +1,217 @@
+{{- if .Values.rbac.create -}}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ template "kubeapps.apprepository.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+ - delete
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - apiGroups:
+ - kubeapps.com
+ resources:
+ - apprepositories
+ - apprepositories/finalizers
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ name: {{ template "kubeapps.apprepository.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kubeapps.apprepository.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kubeapps.apprepository.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+# Define role, but no binding, so users can be bound to this role
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-repositories-read
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - kubeapps.com
+ resources:
+ - apprepositories
+ verbs:
+ - list
+ - get
+---
+# Define role, but no binding, so users can be bound to this role
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-repositories-write
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - kubeapps.com
+ resources:
+ - apprepositories
+ verbs:
+ - "*"
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+---
+# The Kubeapps app repository controller can read and watch its own
+# AppRepository resources cluster-wide. The read and write cluster-roles can
+# also be bound to users in specific namespaces as required.
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ name: "kubeapps:{{ .Release.Namespace }}:apprepositories-read"
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - kubeapps.com
+ resources:
+ - apprepositories
+ - apprepositories/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+ name: "kubeapps:controller:{{ .Release.Namespace }}:apprepositories-read"
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "kubeapps:{{ .Release.Namespace }}:apprepositories-read"
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kubeapps.apprepository.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ name: "kubeapps:{{ .Release.Namespace }}:apprepositories-write"
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - kubeapps.com
+ resources:
+ - apprepositories
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - '*'
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+ name: "kubeapps:{{ .Release.Namespace }}:apprepositories-refresh"
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - kubeapps.com
+ resources:
+ - apprepositories
+ verbs:
+ - get
+ - update
+{{- end -}}
diff --git a/bitnami/kubeapps/templates/apprepository/serviceaccount.yaml b/bitnami/kubeapps/templates/apprepository/serviceaccount.yaml
new file mode 100644
index 0000000000..43c583311c
--- /dev/null
+++ b/bitnami/kubeapps/templates/apprepository/serviceaccount.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kubeapps.apprepository.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: apprepository
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
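Review bot: The `kubeapps:{{ .Release.Namespace }}:apprepositories-write` ClusterRole in rbac.yaml grants `'*'` on `secrets`, so any subject bound to it can read, modify and delete every Secret in the scope of the binding, while the namespaced `{{ .Release.Name }}-repositories-write` Role earlier in the same file grants only `create`. Unless repository credential handling needs more, I would list the verbs explicitly and replace the `- '*'` under `secrets` with `- create`, adding `get`, `update` or `delete` only where a feature requires them. A comment above the role saying which Secret operations Kubeapps performs with it would help whoever decides to bind it cluster-wide.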
diff --git a/bitnami/kubeapps/templates/assetsvc-deployment.yaml b/bitnami/kubeapps/templates/assetsvc-deployment.yaml
deleted file mode 100644
index df43e397ef..0000000000
--- a/bitnami/kubeapps/templates/assetsvc-deployment.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ template "kubeapps.assetsvc.fullname" . }} - labels: - {{- include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.assetsvc.fullname" . }} -spec: - replicas: {{ .Values.assetsvc.replicaCount }} - selector: - matchLabels: - app: {{ template "kubeapps.assetsvc.fullname" . }} - release: {{ .Release.Name }} - template: - metadata: - {{- with .Values.assetsvc.podAnnotations }} - annotations: - {{- toYaml . | nindent 8}} - {{- end }} - labels: - app: {{ template "kubeapps.assetsvc.fullname" . }} - app.kubernetes.io/name: {{ template "common.names.name" . }} - release: {{ .Release.Name }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: -{{- include "kubeapps.imagePullSecrets" . | indent 6 }} - {{- if .Values.assetsvc.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.affinity "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.assetsvc.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.assetsvc.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - containers: - - name: assetsvc - image: {{ include "common.images.image" (dict "imageRoot" .Values.assetsvc.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.assetsvc.image.pullPolicy | quote }} - command: - - /assetsvc - args: - - --database-user=postgres - - --database-name=assets - - --database-url={{ template "kubeapps.postgresql.fullname" . 
}}-headless:5432 - env: - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: postgresql-password - {{- if .Values.postgresql.existingSecret }} - name: {{ .Values.postgresql.existingSecret }} - {{- else }} - name: {{ template "kubeapps.postgresql.fullname" . }} - {{- end }} - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: PORT - value: {{ .Values.assetsvc.service.port | quote }} - ports: - - name: http - containerPort: {{ .Values.assetsvc.service.port }} - {{- if .Values.assetsvc.livenessProbe }} - livenessProbe: {{- toYaml .Values.assetsvc.livenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.assetsvc.readinessProbe }} - readinessProbe: {{- toYaml .Values.assetsvc.readinessProbe | nindent 12 }} - {{- end }} - {{- if .Values.assetsvc.resource }} - resources: {{- toYaml .Values.assetsvc.resources | nindent 12 }} - {{- end }} diff --git a/bitnami/kubeapps/templates/assetsvc-service.yaml b/bitnami/kubeapps/templates/assetsvc-service.yaml deleted file mode 100644 index 0f118efeb1..0000000000 --- a/bitnami/kubeapps/templates/assetsvc-service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kubeapps.assetsvc.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "common.names.name" . }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.assetsvc.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "kubeapps.assetsvc.fullname" . }} - release: {{ .Release.Name }} diff --git a/bitnami/kubeapps/templates/assetsvc/deployment.yaml b/bitnami/kubeapps/templates/assetsvc/deployment.yaml new file mode 100644 index 0000000000..bf2654e73e --- /dev/null +++ b/bitnami/kubeapps/templates/assetsvc/deployment.yaml 
@@ -0,0 +1,97 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ template "kubeapps.assetsvc.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: assetsvc
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.assetsvc.replicaCount }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: assetsvc
+ template:
+ metadata:
+ {{- if .Values.assetsvc.podAnnotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" . | nindent 8 }}
+ app.kubernetes.io/component: assetsvc
+ {{- if .Values.assetsvc.podLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.podLabels "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
+ {{- if .Values.assetsvc.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.assetsvc.affinity }}
+ affinity: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.assetsvc.podAffinityPreset "component" "assetsvc" "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.assetsvc.podAntiAffinityPreset "component" "assetsvc" "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.assetsvc.nodeAffinityPreset.type "key" .Values.assetsvc.nodeAffinityPreset.key "values" .Values.assetsvc.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.assetsvc.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.assetsvc.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.tolerations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.assetsvc.priorityClassName }}
+ priorityClassName: {{ .Values.assetsvc.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.assetsvc.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.assetsvc.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: assetsvc
+ image: {{ include "common.images.image" (dict "imageRoot" .Values.assetsvc.image "global" .Values.global) }}
+ imagePullPolicy: {{ .Values.assetsvc.image.pullPolicy | quote }}
+ {{- if .Values.assetsvc.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.assetsvc.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.assetsvc.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ command:
+ - /assetsvc
+ args:
+ - --database-user=postgres
+ - --database-name={{ .Values.postgresql.postgresqlDatabase }}
+ - --database-url={{ template "kubeapps.postgresql.fullname" . }}-headless:{{ default "5432" .Values.postgresql.service.port }}
+ env:
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: postgresql-password
+ name: {{ include "kubeapps.postgresql.secretName" . }}
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PORT
+ value: {{ .Values.assetsvc.containerPort | quote }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.assetsvc.containerPort }}
+ {{- if .Values.assetsvc.livenessProbe.enabled }}
+ livenessProbe: {{- omit .Values.assetsvc.livenessProbe "enabled" | toYaml | nindent 12 }}
+ {{- else if .Values.assetsvc.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.customLivenessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.assetsvc.readinessProbe.enabled }}
+ readinessProbe: {{- omit .Values.assetsvc.readinessProbe "enabled" | toYaml | nindent 12 }}
+ {{- else if .Values.assetsvc.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.customReadinessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.assetsvc.resource }}
+ resources: {{- toYaml .Values.assetsvc.resources | nindent 12 }}
+ {{- end }}
diff --git a/bitnami/kubeapps/templates/assetsvc/service.yaml b/bitnami/kubeapps/templates/assetsvc/service.yaml
new file mode 100644
index 0000000000..90e7c0ed1b
--- /dev/null
+++ b/bitnami/kubeapps/templates/assetsvc/service.yaml
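Review bot: The resources guard at the end of the assetsvc container tests `.Values.assetsvc.resource` but renders `.Values.assetsvc.resources`, so unless a key named `resource` happens to be set the container is deployed without requests or limits. The removed assetsvc-deployment.yaml had the same mismatch, so the new file carries it forward, while the dashboard deployment in this commit tests `.Values.dashboard.resources`. I would change the guard to `{{- if .Values.assetsvc.resources }}`. Separately, `--database-user=postgres` stays hard-coded although the database name and port became configurable; that is presumably the administrative PostgreSQL account, so a dedicated, less-privileged role for assetsvc would be worth a follow-up.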
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kubeapps.assetsvc.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: assetsvc
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.assetsvc.service.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.assetsvc.service.annotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.assetsvc.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.assetsvc.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: assetsvc
diff --git a/bitnami/kubeapps/templates/dashboard-deployment.yaml b/bitnami/kubeapps/templates/dashboard-deployment.yaml
deleted file mode 100644
index 3878f8585b..0000000000
--- a/bitnami/kubeapps/templates/dashboard-deployment.yaml
+++ /dev/null
@@ -1,102 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ template "kubeapps.dashboard.fullname" . }} - labels: - {{- include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.dashboard.fullname" . }} -spec: - replicas: {{ .Values.dashboard.replicaCount }} - selector: - matchLabels: - app: {{ template "kubeapps.dashboard.fullname" . }} - release: {{ .Release.Name }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/dashboard-config.yaml") . | sha256sum }} - {{- with .Values.dashboard.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - app: {{ template "kubeapps.dashboard.fullname" . }} - app.kubernetes.io/name: {{ template "common.names.name" . }} - release: {{ .Release.Name }} - app.kubernetes.io/instance: {{ .Release.Name }} - chart: {{ template "kubeapps.chart" . }} - helm.sh/chart: {{ template "kubeapps.chart" . }} - spec: -{{- include "kubeapps.imagePullSecrets" . 
| indent 6 }} - {{- if .Values.dashboard.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.affinity "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.dashboard.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.dashboard.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - containers: - - name: dashboard - image: {{ include "common.images.image" (dict "imageRoot" .Values.dashboard.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.dashboard.image.pullPolicy | quote }} - {{- if .Values.dashboard.livenessProbe }} - livenessProbe: {{- toYaml .Values.dashboard.livenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.dashboard.readinessProbe }} - readinessProbe: {{- toYaml .Values.dashboard.readinessProbe | nindent 12 }} - {{- end }} - volumeMounts: - - name: vhost - mountPath: /opt/bitnami/nginx/conf/server_blocks - - name: config - mountPath: /app/config.json - subPath: config.json - - mountPath: /app/custom-css - name: custom-css - - mountPath: /app/custom-locale - name: custom-locale - - mountPath: /app/custom-components - name: custom-components - ports: - - name: http - containerPort: {{ .Values.dashboard.service.port }} - {{- if .Values.dashboard.resources }} - resources: {{- toYaml .Values.dashboard.resources | nindent 12 }} - {{- end }} - volumes: - - name: vhost - configMap: - name: {{ template "kubeapps.dashboard-config.fullname" . }} - items: - - key: vhost.conf - path: vhost.conf - - name: config - configMap: - name: {{ template "kubeapps.dashboard-config.fullname" . 
}} - items: - - key: config.json - path: config.json - - name: custom-css - configMap: - name: {{ template "kubeapps.dashboard-config.fullname" . }} - items: - - key: custom_style.css - path: custom_style.css - - name: custom-locale - configMap: - name: {{ template "kubeapps.dashboard-config.fullname" . }} - items: - - key: custom_locale.json - path: custom_locale.json - - name: custom-components - configMap: - name: {{ template "kubeapps.dashboard-config.fullname" . }} - items: - - key: custom_components.js - path: custom_components.js diff --git a/bitnami/kubeapps/templates/dashboard-service.yaml b/bitnami/kubeapps/templates/dashboard-service.yaml deleted file mode 100644 index 53a059caa7..0000000000 --- a/bitnami/kubeapps/templates/dashboard-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kubeapps.dashboard.fullname" . }} - labels:{{ include "kubeapps.labels" . | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.dashboard.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "kubeapps.dashboard.fullname" . }} - release: {{ .Release.Name }} diff --git a/bitnami/kubeapps/templates/dashboard-config.yaml b/bitnami/kubeapps/templates/dashboard/configmap.yaml similarity index 80% rename from bitnami/kubeapps/templates/dashboard-config.yaml rename to bitnami/kubeapps/templates/dashboard/configmap.yaml index fc19367458..e2fa529492 100644 --- a/bitnami/kubeapps/templates/dashboard-config.yaml +++ b/bitnami/kubeapps/templates/dashboard/configmap.yaml 
@@ -2,17 +2,24 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.dashboard-config.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.dashboard-config.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: dashboard + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: vhost.conf: |- server { - listen {{ .Values.dashboard.service.port }}; + listen {{ .Values.dashboard.containerPort }}; {{- if .Values.frontend.largeClientHeaderBuffers }} large_client_header_buffers {{ .Values.frontend.largeClientHeaderBuffers }}; {{- end }} {{- if .Values.enableIPv6 }} - listen [::]:{{ .Values.dashboard.service.port }}; + listen [::]:{{ .Values.dashboard.containerPort }}; {{- end}} server_name _; diff --git a/bitnami/kubeapps/templates/dashboard/deployment.yaml b/bitnami/kubeapps/templates/dashboard/deployment.yaml new file mode 100644 index 0000000000..350fb9983a --- /dev/null +++ b/bitnami/kubeapps/templates/dashboard/deployment.yaml 
@@ -0,0 +1,153 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ template "kubeapps.dashboard.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: dashboard
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.dashboard.replicaCount }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: dashboard
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/dashboard/configmap.yaml") . | sha256sum }}
+ {{- if .Values.dashboard.podAnnotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" . | nindent 8 }}
+ app.kubernetes.io/component: dashboard
+ {{- if .Values.dashboard.podLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.podLabels "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
+ {{- if .Values.dashboard.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.dashboard.affinity }}
+ affinity: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dashboard.podAffinityPreset "component" "dashboard" "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dashboard.podAntiAffinityPreset "component" "dashboard" "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.dashboard.nodeAffinityPreset.type "key" .Values.dashboard.nodeAffinityPreset.key "values" .Values.dashboard.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.dashboard.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.dashboard.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.tolerations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.dashboard.priorityClassName }}
+ priorityClassName: {{ .Values.dashboard.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.dashboard.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.dashboard.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ {{- if .Values.dashboard.initContainers }}
+ initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.initContainers "context" $) | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: dashboard
+ image: {{ include "common.images.image" (dict "imageRoot" .Values.dashboard.image "global" .Values.global) }}
+ imagePullPolicy: {{ .Values.dashboard.image.pullPolicy | quote }}
+ {{- if .Values.dashboard.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.dashboard.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.dashboard.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" .Values.dashboard.image.debug | quote }}
+ {{- if .Values.dashboard.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.dashboard.extraEnvVarsCM .Values.dashboard.extraEnvVarsSecret }}
+ envFrom:
+ {{- if .Values.dashboard.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.dashboard.extraEnvVarsCM "context" $) }}
+ {{- end }}
+ {{- if .Values.dashboard.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.dashboard.extraEnvVarsSecret "context" $) }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.dashboard.livenessProbe.enabled }}
+ livenessProbe: {{- omit .Values.dashboard.livenessProbe "enabled" | toYaml | nindent 12 }}
+ {{- else if .Values.dashboard.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.customLivenessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.dashboard.readinessProbe.enabled }}
+ readinessProbe: {{- omit .Values.dashboard.readinessProbe "enabled" | toYaml | nindent 12 }}
+ {{- else if .Values.dashboard.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.customReadinessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.dashboard.containerPort }}
+ {{- if .Values.dashboard.resources }}
+ resources: {{- toYaml .Values.dashboard.resources | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: vhost
+ mountPath: /opt/bitnami/nginx/conf/server_blocks
+ - name: config
+ mountPath: /app/config.json
+ subPath: config.json
+ - mountPath: /app/custom-css
+ name: custom-css
+ - mountPath: /app/custom-locale
+ name: custom-locale
+ - mountPath: /app/custom-components
+ name: custom-components
+ {{- if .Values.dashboard.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.extraVolumeMounts "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.dashboard.sidecars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.sidecars "context" $) | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: vhost
+ configMap:
+ name: {{ template "kubeapps.dashboard-config.fullname" . }}
+ items:
+ - key: vhost.conf
+ path: vhost.conf
+ - name: config
+ configMap:
+ name: {{ template "kubeapps.dashboard-config.fullname" . }}
+ items:
+ - key: config.json
+ path: config.json
+ - name: custom-css
+ configMap:
+ name: {{ template "kubeapps.dashboard-config.fullname" . }}
+ items:
+ - key: custom_style.css
+ path: custom_style.css
+ - name: custom-locale
+ configMap:
+ name: {{ template "kubeapps.dashboard-config.fullname" . }}
+ items:
+ - key: custom_locale.json
+ path: custom_locale.json
+ - name: custom-components
+ configMap:
+ name: {{ template "kubeapps.dashboard-config.fullname" . }}
+ items:
+ - key: custom_components.js
+ path: custom_components.js
+ {{- if .Values.dashboard.extraVolumes }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.extraVolumes "context" $) | nindent 8 }}
+ {{- end }}
diff --git a/bitnami/kubeapps/templates/dashboard/service.yaml b/bitnami/kubeapps/templates/dashboard/service.yaml
new file mode 100644
index 0000000000..71bec5d0bd
--- /dev/null
+++ b/bitnami/kubeapps/templates/dashboard/service.yaml
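Review bot: The dashboard pod spec sets neither `serviceAccountName` nor `automountServiceAccountToken`, so the pod runs under the namespace's default service account with its API token mounted into the container. From the visible spec the container only serves content from ConfigMap mounts through nginx, which suggests it needs no Kubernetes API credentials (worth confirming against the image); if so, add `automountServiceAccountToken: false` under `spec.template.spec`. Both `podSecurityContext` and `containerSecurityContext` are rendered only when their `enabled` flag is true, so the effective hardening depends on values.yaml defaults that this hunk does not show; a comment in values.yaml stating what is dropped when they are disabled would help operators.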
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kubeapps.dashboard.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: dashboard
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.dashboard.service.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.dashboard.service.annotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.dashboard.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: dashboard
diff --git a/bitnami/kubeapps/templates/extra-list.yaml b/bitnami/kubeapps/templates/extra-list.yaml
new file mode 100644
index 0000000000..9ac65f9e16
--- /dev/null
+++ b/bitnami/kubeapps/templates/extra-list.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/bitnami/kubeapps/templates/kubeapps-frontend-config.yaml b/bitnami/kubeapps/templates/frontend/configmap.yaml
similarity index 89%
rename from bitnami/kubeapps/templates/kubeapps-frontend-config.yaml
rename to bitnami/kubeapps/templates/frontend/configmap.yaml
index 798d23e599..3aef3f4cd7 100644
--- a/bitnami/kubeapps/templates/kubeapps-frontend-config.yaml
+++ b/bitnami/kubeapps/templates/frontend/configmap.yaml
@@ -2,8 +2,15 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.frontend-config.fullname" . }} - labels: {{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.frontend-config.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: frontend + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: k8s-api-proxy.conf: |- # Disable buffering for log streaming @@ -22,11 +29,11 @@ data: # Google Kubernetes Engine requires the access_token as the Bearer when talking to the k8s api server. proxy_set_header Authorization "Bearer $http_x_forwarded_access_token"; {{- end }} - {{- range .Values.clusters }} +{{- range .Values.clusters }} {{- if .certificateAuthorityData }} {{ .name }}-ca.pem: {{ .certificateAuthorityData }} {{- end }} - {{- end}} +{{- end}} vhost.conf: |- # Retain the default nginx handling of requests without a "Connection" header map $http_upgrade $connection_upgrade { @@ -39,12 +46,12 @@ data: proxy_set_header Connection $connection_upgrade; server { - listen 8080; + listen {{ .Values.frontend.containerPort }}; {{- if .Values.frontend.largeClientHeaderBuffers }} large_client_header_buffers {{ .Values.frontend.largeClientHeaderBuffers }}; {{- end }} {{- if .Values.enableIPv6 }} - listen [::]:8080; + listen [::]:{{ .Values.frontend.containerPort }}; {{- end}} server_name _; 
@@ -82,7 +89,7 @@ data: {{- if .certificateAuthorityData }} proxy_set_header PINNIPED_PROXY_API_SERVER_CERT {{ .certificateAuthorityData }}; {{- end }} - proxy_pass http://kubeapps-internal-pinniped-proxy.{{ $.Release.Namespace }}:{{ $.Values.pinnipedProxy.service.port }}; + proxy_pass http://{{ template "kubeapps.pinniped-proxy.fullname" $ }}.{{ $.Release.Namespace }}:{{ $.Values.pinnipedProxy.service.port }}; {{- else }} # Otherwise we route directly through to the clusters with existing credentials. proxy_pass {{ $apiServiceBaseURL }}; diff --git a/bitnami/kubeapps/templates/frontend/deployment.yaml b/bitnami/kubeapps/templates/frontend/deployment.yaml new file mode 100644 index 0000000000..b02236576f --- /dev/null +++ b/bitnami/kubeapps/templates/frontend/deployment.yaml 
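Review bot: The rewritten `proxy_pass` to pinniped-proxy still uses plain `http://`, and the same location forwards `PINNIPED_PROXY_API_SERVER_CERT` and presumably the user's credentials, so that hop travels unencrypted inside the cluster. Switching the hard-coded service name to the `kubeapps.pinniped-proxy.fullname` helper is right, but it does not change the transport. If pinniped-proxy cannot serve TLS, I would at least record the assumption above the line, e.g. `# plain HTTP in-cluster hop: restrict access to pinniped-proxy with a NetworkPolicy`. The enclosing server block starts and ends outside this hunk, so whether other headers are stripped before the hop cannot be checked from here.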
@@ -0,0 +1,196 @@ +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: frontend + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.frontend.replicaCount }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: frontend + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/frontend/configmap.yaml") . | sha256sum }} + {{- if .Values.frontend.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.frontend.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: frontend + {{- if .Values.frontend.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.frontend.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "kubeapps.imagePullSecrets" . 
| indent 6 }} + {{- if .Values.frontend.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.frontend.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.frontend.podAffinityPreset "component" "frontend" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.frontend.podAntiAffinityPreset "component" "frontend" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.frontend.nodeAffinityPreset.type "key" .Values.frontend.nodeAffinityPreset.key "values" .Values.frontend.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.frontend.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.frontend.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.frontend.priorityClassName }} + priorityClassName: {{ .Values.frontend.priorityClassName | quote }} + {{- end }} + {{- if .Values.frontend.podSecurityContext.enabled }} + securityContext: {{- omit .Values.frontend.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.frontend.initContainers }} + initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: nginx + image: {{ include "common.images.image" (dict "imageRoot" .Values.frontend.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.frontend.image.pullPolicy | quote }} + {{- if 
.Values.frontend.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.frontend.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.frontend.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.frontend.image.debug | quote }} + {{- if .Values.frontend.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.frontend.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.frontend.extraEnvVarsCM .Values.frontend.extraEnvVarsSecret }} + envFrom: + {{- if .Values.frontend.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.frontend.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.frontend.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.frontend.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + {{- if .Values.frontend.livenessProbe.enabled }} + livenessProbe: {{- omit .Values.frontend.livenessProbe "enabled" | toYaml | nindent 12 }} + {{- else if .Values.dashboard.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.frontend.readinessProbe.enabled }} + readinessProbe: {{- omit .Values.frontend.readinessProbe "enabled" | toYaml | nindent 12 }} + {{- else if .Values.frontend.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.frontend.containerPort }} + {{- if .Values.frontend.resources }} + resources: {{- toYaml .Values.frontend.resources | nindent 12 }} + {{- end }} + 
volumeMounts: + - name: vhost + mountPath: /opt/bitnami/nginx/conf/server_blocks + {{- if .Values.frontend.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.frontend.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }} + - name: auth-proxy + image: {{ include "common.images.image" (dict "imageRoot" .Values.authProxy.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.authProxy.image.pullPolicy | quote }} + {{- if .Values.authProxy.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.authProxy.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + args: + - --provider={{ required "You must fill \".Values.authProxy.provider\" with the provider. Valid values at https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview" .Values.authProxy.provider }} + - --upstream=http://localhost:{{ .Values.frontend.containerPort }}/ + - --http-address=0.0.0.0:{{ .Values.authProxy.containerPort }} + - --email-domain={{ .Values.authProxy.emailDomain }} + - --pass-basic-auth=false + - --pass-access-token=true + - --pass-authorization-header=true + - --skip-auth-regex=^\/config\.json$ + - --skip-auth-regex=^\/manifest\.json$ + - --skip-auth-regex=^\/custom_style\.css$ + - --skip-auth-regex=^\/custom_locale\.json$ + - --skip-auth-regex=^\/favicon.*\.png$ + - --skip-auth-regex=^\/static\/ + - --skip-auth-regex=^\/$ + - --scope=openid email groups + {{- range .Values.authProxy.additionalFlags }} + - {{ . }} + {{- end }} + env: + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "kubeapps.oauth2_proxy-secret.name" . }} + key: clientID + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "kubeapps.oauth2_proxy-secret.name" . 
}} + key: clientSecret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "kubeapps.oauth2_proxy-secret.name" . }} + key: cookieSecret + ports: + - name: proxy + containerPort: {{ .Values.authProxy.containerPort }} + {{- if .Values.authProxy.resources }} + resources: {{- toYaml .Values.authProxy.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if and (gt (len .Values.clusters) 1) (not .Values.authProxy.enabled) }} + {{ fail "clusters can be configured only when using an auth proxy for cluster oidc authentication."}} + {{- end }} + {{- if and .Values.pinnipedProxy.enabled }} + - name: pinniped-proxy + image: {{ include "common.images.image" (dict "imageRoot" .Values.pinnipedProxy.image "global" .Values.global) }} + imagePullPolicy: {{ .Values.pinnipedProxy.image.pullPolicy | quote }} + {{- if .Values.pinnipedProxy.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.pinnipedProxy.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - pinniped-proxy + env: + - name: DEFAULT_PINNIPED_NAMESPACE + value: {{ .Values.pinnipedProxy.defaultPinnipedNamespace }} + - name: DEFAULT_PINNIPED_AUTHENTICATOR_TYPE + value: {{ .Values.pinnipedProxy.defaultAuthenticatorType }} + - name: DEFAULT_PINNIPED_AUTHENTICATOR_NAME + value: {{ .Values.pinnipedProxy.defaultAuthenticatorName }} + - name: DEFAULT_PINNIPED_API_SUFFIX + value: {{ .Values.pinnipedProxy.defaultPinnipedAPISuffix }} + - name: RUST_LOG + value: info + ports: + - name: pinniped-proxy + containerPort: {{ .Values.pinnipedProxy.containerPort }} + {{- if .Values.pinnipedProxy.resources }} + resources: {{- toYaml .Values.pinnipedProxy.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.pinnipedProxy.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.pinnipedProxy.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: vhost + configMap: + name: {{ template 
"kubeapps.frontend-config.fullname" . }} + {{- if .Values.frontend.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.frontend.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/bitnami/kubeapps/templates/oauth2-secret.yaml b/bitnami/kubeapps/templates/frontend/oauth2-secret.yaml similarity index 61% rename from bitnami/kubeapps/templates/oauth2-secret.yaml rename to bitnami/kubeapps/templates/frontend/oauth2-secret.yaml index 6e0f0f426a..42d47f637f 100644 --- a/bitnami/kubeapps/templates/oauth2-secret.yaml +++ b/bitnami/kubeapps/templates/frontend/oauth2-secret.yaml @@ -3,10 +3,15 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "kubeapps.oauth2_proxy-secret.name" . }} - {{- if .namespace }} - namespace: {{ .namespace }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: frontend + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} - labels:{{ include "kubeapps.labels" $ | nindent 4 }} data: clientID: {{ required "You must fill \".Values.authProxy.clientID\" with the Client ID of the provider" .Values.authProxy.clientID | b64enc }} clientSecret: {{ required "You must fill \".Values.authProxy.clientSecret\" with the Client Secret of the provider" .Values.authProxy.clientSecret | b64enc }} diff --git a/bitnami/kubeapps/templates/frontend/service.yaml b/bitnami/kubeapps/templates/frontend/service.yaml new file mode 100644 index 0000000000..46fbc7c4b3 --- /dev/null +++ b/bitnami/kubeapps/templates/frontend/service.yaml 
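Review bot: The custom liveness probe branch for the nginx container tests the wrong component: `{{- else if .Values.dashboard.customLivenessProbe }}` guards a body that renders `.Values.frontend.customLivenessProbe`. A frontend custom probe is therefore ignored unless the dashboard happens to define one, and a dashboard-only setting renders an empty `livenessProbe:` here. The guard should read `{{- else if .Values.frontend.customLivenessProbe }}`, matching the readiness branch just below it. Separately, the extra-containers block at the end of `containers:` is keyed on `.Values.pinnipedProxy.sidecars` although it applies to the whole frontend pod. That looks like it may be meant to be a frontend-level value, so confirm it against values.yaml.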
@@ -0,0 +1,76 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: frontend + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if or .Values.frontend.service.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.frontend.service.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.frontend.service.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.frontend.service.type }} + {{- if and .Values.frontend.service.clusterIP (eq .Values.frontend.service.type "ClusterIP") }} + clusterIP: {{ .Values.frontend.service.clusterIP }} + {{- end }} + {{- if (or (eq .Values.frontend.service.type "LoadBalancer") (eq .Values.frontend.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.frontend.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if (and (eq .Values.frontend.service.type "LoadBalancer") .Values.frontend.service.loadBalancerSourceRanges) }} + loadBalancerSourceRanges: {{- toYaml .Values.frontend.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and (eq .Values.frontend.service.type "LoadBalancer") (not (empty .Values.frontend.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.frontend.service.loadBalancerIP }} + {{- end }} + ports: + - port: {{ .Values.frontend.service.port }} + {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }} + targetPort: proxy + {{- else }} + targetPort: http + {{- end }} + {{- if and (or (eq .Values.frontend.service.type "NodePort") (eq 
.Values.frontend.service.type "LoadBalancer")) (not (empty .Values.frontend.service.nodePort)) }} + nodePort: {{ .Values.frontend.service.nodePort }} + {{- else if eq .Values.frontend.service.type "ClusterIP" }} + nodePort: null + {{- end }} + protocol: TCP + name: http + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: frontend +{{- if .Values.pinnipedProxy.enabled }} +--- +# Include an additional ClusterIP service for the pinniped-proxy as some configurations +# require the normal frontend service to use NodePort. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubeapps.pinniped-proxy.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: frontend + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.pinnipedProxy.service.port }} + targetPort: pinniped-proxy + protocol: TCP + name: pinniped-proxy + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: frontend +{{- end }} diff --git a/bitnami/kubeapps/templates/ingress.yaml b/bitnami/kubeapps/templates/ingress.yaml index 19b36ed528..580818fea7 100644 --- a/bitnami/kubeapps/templates/ingress.yaml +++ b/bitnami/kubeapps/templates/ingress.yaml 
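Review bot: `loadBalancerSourceRanges` is rendered only when the value is set, and nothing in the template says what the unset case means. By default a `LoadBalancer` frontend Service then accepts traffic from any source address. When `authProxy.enabled` is false or `authProxy.external` is true, the same Service also targets the nginx `http` port rather than the `proxy` port. I would document this next to the block, e.g. `{{- /* No source ranges means the load balancer accepts every client; set frontend.service.loadBalancerSourceRanges when exposing the dashboard */}}`.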
@@ -3,13 +3,20 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }} - labels: {{ include "kubeapps.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} annotations: {{- if .Values.ingress.certManager }} kubernetes.io/tls-acme: "true" {{- end }} {{- if .Values.ingress.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $ ) | nindent 4 }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" . ) | nindent 4 }} {{- end }} spec: rules: @@ -17,6 +24,9 @@ spec: - host: {{ .Values.ingress.hostname }} http: paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} - path: {{ .Values.ingress.path }} {{- if eq "true" (include "common.ingress.supportsPathType" .) }} pathType: {{ .Values.ingress.pathType }} 
@@ -33,11 +43,11 @@ spec: {{- end }} backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }} {{- end }} - {{- if or .Values.ingress.tls .Values.ingress.extraTls }} + {{- if or (and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned)) .Values.ingress.extraTls }} tls: - {{- if .Values.ingress.tls }} + {{- if and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned) }} - hosts: - - {{ .Values.ingress.hostname }} + - {{ .Values.ingress.hostname | quote }} secretName: {{ printf "%s-tls" .Values.ingress.hostname }} {{- end }} {{- if .Values.ingress.extraTls }} diff --git a/bitnami/kubeapps/templates/kubeapps-frontend-deployment.yaml b/bitnami/kubeapps/templates/kubeapps-frontend-deployment.yaml deleted file mode 100644 index 750d32389b..0000000000 --- a/bitnami/kubeapps/templates/kubeapps-frontend-deployment.yaml +++ /dev/null 
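Review bot: With the new condition, `ingress.tls: true` on its own no longer produces a `tls:` entry for `ingress.hostname`; the entry is emitted only when `certManager` or `selfSigned` is also set. An operator who pre-creates the `<hostname>-tls` secret and sets only `ingress.tls` would get an HTTP-only Ingress with no error at render time, unless the host is repeated under `extraTls`. I would keep the inner guard as `{{- if .Values.ingress.tls }}` so the hostname entry follows the flag the operator set, and leave the certManager/selfSigned distinction to whatever creates the secret. The remainder of the `tls:` block lies outside the hunk.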
@@ -1,137 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "common.names.fullname" . }} -spec: - replicas: {{ .Values.frontend.replicaCount }} - selector: - matchLabels: - app: {{ template "common.names.fullname" . }} - release: {{ .Release.Name }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/kubeapps-frontend-config.yaml") . | sha256sum }} - {{- with .Values.frontend.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - app: {{ template "common.names.fullname" . }} - app.kubernetes.io/name: {{ template "common.names.name" . }} - release: {{ .Release.Name }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: -{{- include "kubeapps.imagePullSecrets" . | indent 6 }} - {{- if .Values.frontend.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.affinity "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.frontend.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.frontend.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - containers: - - name: nginx - image: {{ include "common.images.image" (dict "imageRoot" .Values.frontend.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.frontend.image.pullPolicy | quote }} - {{- if .Values.frontend.livenessProbe }} - livenessProbe: {{- toYaml .Values.frontend.livenessProbe | nindent 12 }} - {{- end }} - {{- 
if .Values.frontend.readinessProbe }} - readinessProbe: {{- toYaml .Values.frontend.readinessProbe | nindent 12 }} - {{- end }} - volumeMounts: - - name: vhost - mountPath: /opt/bitnami/nginx/conf/server_blocks - ports: - - name: http - containerPort: 8080 - {{- if .Values.frontend.resources }} - resources: {{- toYaml .Values.frontend.resources | nindent 12 }} - {{- end }} - {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }} - - name: auth-proxy - args: - - --provider={{ required "You must fill \".Values.authProxy.provider\" with the provider. Valid values at https://pusher.github.io/oauth2_proxy/auth-configuration" .Values.authProxy.provider }} - - --upstream=http://localhost:8080/ - - --http-address=0.0.0.0:3000 - - --email-domain={{ .Values.authProxy.emailDomain }} - - --pass-basic-auth=false - - --pass-access-token=true - - --pass-authorization-header=true - - --skip-auth-regex=^\/config\.json$ - - --skip-auth-regex=^\/manifest\.json$ - - --skip-auth-regex=^\/custom_style\.css$ - - --skip-auth-regex=^\/custom_locale\.json$ - - --skip-auth-regex=^\/favicon.*\.png$ - - --skip-auth-regex=^\/static\/ - - --skip-auth-regex=^\/$ - - --scope=openid email groups - {{- range .Values.authProxy.additionalFlags }} - - {{ . }} - {{- end }} - image: {{ include "common.images.image" (dict "imageRoot" .Values.authProxy.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.authProxy.image.pullPolicy | quote }} - env: - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - name: {{ template "kubeapps.oauth2_proxy-secret.name" . }} - key: clientID - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "kubeapps.oauth2_proxy-secret.name" . }} - key: clientSecret - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "kubeapps.oauth2_proxy-secret.name" . 
}} - key: cookieSecret - ports: - - name: proxy - containerPort: 3000 - {{- if .Values.authProxy.resources }} - resources: {{- toYaml .Values.authProxy.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- if and (gt (len .Values.clusters) 1) (not .Values.authProxy.enabled) }} - {{ fail "clusters can be configured only when using an auth proxy for cluster oidc authentication."}} - {{- end }} - {{- if and .Values.pinnipedProxy.enabled }} - - name: pinniped-proxy - command: - - pinniped-proxy - env: - - name: DEFAULT_PINNIPED_NAMESPACE - value: {{ .Values.pinnipedProxy.defaultPinnipedNamespace }} - - name: DEFAULT_PINNIPED_AUTHENTICATOR_TYPE - value: {{ .Values.pinnipedProxy.defaultAuthenticatorType }} - - name: DEFAULT_PINNIPED_AUTHENTICATOR_NAME - value: {{ .Values.pinnipedProxy.defaultAuthenticatorName }} - - name: DEFAULT_PINNIPED_API_SUFFIX - value: {{ .Values.pinnipedProxy.defaultPinnipedAPISuffix }} - - name: RUST_LOG - value: info - image: {{ include "common.images.image" (dict "imageRoot" .Values.pinnipedProxy.image "global" .Values.global) }} - imagePullPolicy: {{ .Values.pinnipedProxy.image.pullPolicy | quote }} - ports: - - name: pinniped-proxy - containerPort: 3333 - {{- if .Values.pinnipedProxy.resources }} - resources: {{- toYaml .Values.pinnipedProxy.resources | nindent 12 }} - {{- end }} - {{- end }} - volumes: - - name: vhost - configMap: - name: {{ template "kubeapps.frontend-config.fullname" . }} diff --git a/bitnami/kubeapps/templates/kubeapps-frontend-service.yaml b/bitnami/kubeapps/templates/kubeapps-frontend-service.yaml deleted file mode 100644 index ba905b5dc3..0000000000 --- a/bitnami/kubeapps/templates/kubeapps-frontend-service.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" . }} - labels:{{ include "kubeapps.labels" . | nindent 4 }} - {{- if .Values.frontend.service.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.service.annotations "context" $) | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.frontend.service.type }} - {{- if and (eq .Values.frontend.service.type "LoadBalancer") (not (empty .Values.frontend.service.loadBalancerIP)) }} - loadBalancerIP: {{ .Values.frontend.service.loadBalancerIP }} - {{- end }} - ports: - - port: {{ .Values.frontend.service.port }} - {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }} - targetPort: proxy - {{- else }} - targetPort: http - {{- end }} - {{- if and (eq .Values.frontend.service.type "NodePort") (not (empty .Values.frontend.service.nodePort)) }} - nodePort: {{ .Values.frontend.service.nodePort }} - {{- end }} - protocol: TCP - name: http - selector: - app: {{ template "common.names.fullname" . }} - release: {{ .Release.Name }} -{{- if .Values.pinnipedProxy.enabled }} ---- -# Include an additional ClusterIP service for the pinniped-proxy as some configurations -# require the normal frontend service to use NodePort. -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kubeapps.pinniped-proxy.fullname" . }} - labels:{{ include "kubeapps.labels" . | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.pinnipedProxy.service.port }} - targetPort: pinniped-proxy - protocol: TCP - name: pinniped-proxy - selector: - app: {{ template "common.names.fullname" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/bitnami/kubeapps/templates/kubeops-config.yaml b/bitnami/kubeapps/templates/kubeops-config.yaml deleted file mode 100644 index fd44000f1c..0000000000 --- a/bitnami/kubeapps/templates/kubeops-config.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if gt (len .Values.clusters) 0 -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "kubeapps.kubeops-config.fullname" . }} - labels: - app: {{ template "kubeapps.kubeops-config.fullname" . }} - chart: {{ template "kubeapps.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: - clusters.conf: |- -{{ .Values.clusters | toPrettyJson | indent 4 }} -{{- end -}} diff --git a/bitnami/kubeapps/templates/kubeops-deployment.yaml b/bitnami/kubeapps/templates/kubeops-deployment.yaml deleted file mode 100644 index d228ea8737..0000000000 --- a/bitnami/kubeapps/templates/kubeops-deployment.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ template "kubeapps.kubeops.fullname" . }} - labels: - {{- include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.kubeops.fullname" . }} -spec: - replicas: {{ .Values.kubeops.replicaCount }} - selector: - matchLabels: - app: {{ template "kubeapps.kubeops.fullname" . }} - release: {{ .Release.Name }} - template: - metadata: - {{- with .Values.kubeops.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - app: {{ template "kubeapps.kubeops.fullname" . }} - app.kubernetes.io/name: {{ template "common.names.name" . }} - release: {{ .Release.Name }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: -{{- include "kubeapps.imagePullSecrets" . | indent 6 }} - serviceAccountName: {{ template "kubeapps.kubeops.fullname" . }} - # Increase termination timeout to let remaining operations to finish before killing the pods - # This is because new releases/upgrades/deletions are synchronous operations - terminationGracePeriodSeconds: 300 - {{- if .Values.kubeops.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.affinity "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.kubeops.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.kubeops.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - containers: - - name: kubeops - image: {{ include "common.images.image" (dict "imageRoot" .Values.kubeops.image "global" .Values.global) }} - imagePullPolicy: {{ 
.Values.kubeops.image.pullPolicy | quote }} - command: - - /kubeops - args: - - --user-agent-comment=kubeapps/{{ .Chart.AppVersion }} - - --assetsvc-url=http://{{ template "kubeapps.assetsvc.fullname" . }}:{{ .Values.assetsvc.service.port }} - {{- if .Values.clusters }} - - --clusters-config-path=/config/clusters.conf - {{- end }} - {{- if .Values.pinnipedProxy.enabled }} - - --pinniped-proxy-url=http://kubeapps-internal-pinniped-proxy.{{ .Release.Namespace }}:{{ .Values.pinnipedProxy.service.port }} - {{- end }} - {{- if .Values.kubeops.burst }} - - --burst={{ .Values.kubeops.burst }} - {{- end }} - {{- if .Values.kubeops.QPS }} - - --qps={{ .Values.kubeops.QPS }} - {{- end }} - {{- if .Values.kubeops.namespaceHeaderName }} - - --ns-header-name={{ .Values.kubeops.namespaceHeaderName }} - {{- end }} - {{- if .Values.kubeops.namespaceHeaderPattern }} - - --ns-header-pattern={{ .Values.kubeops.namespaceHeaderPattern }} - {{- end }} - {{- if .Values.clusters }} - volumeMounts: - - name: kubeops-config - mountPath: /config - - name: ca-certs - mountPath: /etc/additional-clusters-cafiles - {{- end }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: PORT - value: {{ .Values.kubeops.service.port | quote }} - {{- if .Values.kubeops.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.kubeops.service.port }} - {{- if .Values.kubeops.livenessProbe }} - livenessProbe: {{- toYaml .Values.kubeops.livenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.kubeops.readinessProbe }} - readinessProbe: {{- toYaml .Values.kubeops.readinessProbe | nindent 12 }} - {{- end }} - {{- if .Values.kubeops.resources }} - resources: {{- toYaml .Values.kubeops.resources | nindent 12 }} - {{- end }} - {{- if .Values.clusters }} - volumes: - - name: kubeops-config - configMap: - name: {{ template 
"kubeapps.kubeops-config.fullname" . }} - - name: ca-certs - emptyDir: {} - {{- end }} diff --git a/bitnami/kubeapps/templates/kubeops-rbac.yaml b/bitnami/kubeapps/templates/kubeops-rbac.yaml deleted file mode 100644 index 064846fcf7..0000000000 --- a/bitnami/kubeapps/templates/kubeops-rbac.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: Role -metadata: - name: {{ template "kubeapps.kubeops.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.kubeops.fullname" . }} -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create - - delete - - apiGroups: - - "kubeapps.com" - resources: - - apprepositories - verbs: - - get - - list ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: RoleBinding -metadata: - name: {{ template "kubeapps.kubeops.fullname" . }} - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.kubeops.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kubeapps.kubeops.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kubeapps.kubeops.fullname" . }} - namespace: {{ .Release.Namespace }} -{{- if .Values.allowNamespaceDiscovery }} ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: ClusterRole -metadata: - name: "kubeapps:controller:kubeops-ns-discovery-{{ .Release.Namespace }}" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.kubeops.fullname" . }} -rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - list ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: ClusterRoleBinding -metadata: - name: "kubeapps:controller:kubeops-ns-discovery-{{ .Release.Namespace }}" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.kubeops.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "kubeapps:controller:kubeops-ns-discovery-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: {{ template "kubeapps.kubeops.fullname" . 
}} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: ClusterRole -metadata: - name: "kubeapps:controller:kubeops-operators-{{ .Release.Namespace }}" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.kubeops.fullname" . }} -rules: - - apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests/icon - verbs: - - get ---- -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: ClusterRoleBinding -metadata: - name: "kubeapps:controller:kubeops-operators-{{ .Release.Namespace }}" - labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }} - app: {{ template "kubeapps.kubeops.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "kubeapps:controller:kubeops-operators-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: {{ template "kubeapps.kubeops.fullname" . }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/bitnami/kubeapps/templates/kubeops-service.yaml b/bitnami/kubeapps/templates/kubeops-service.yaml deleted file mode 100644 index eaacbeb618..0000000000 --- a/bitnami/kubeapps/templates/kubeops-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kubeapps.kubeops.fullname" . }} - labels:{{ include "kubeapps.labels" . | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.kubeops.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "kubeapps.kubeops.fullname" . }} - release: {{ .Release.Name }} diff --git a/bitnami/kubeapps/templates/kubeops-serviceaccount.yaml b/bitnami/kubeapps/templates/kubeops-serviceaccount.yaml deleted file mode 100644 index 321ac9521a..0000000000 --- a/bitnami/kubeapps/templates/kubeops-serviceaccount.yaml +++ /dev/null 
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "kubeapps.kubeops.fullname" . }}
- labels:{{ include "kubeapps.extraAppLabels" . | nindent 4 }}
- app: {{ template "kubeapps.kubeops.fullname" . }}
diff --git a/bitnami/kubeapps/templates/kubeops/config.yaml b/bitnami/kubeapps/templates/kubeops/config.yaml
new file mode 100644
index 0000000000..0a4a18b31e
--- /dev/null
+++ b/bitnami/kubeapps/templates/kubeops/config.yaml
@@ -0,0 +1,18 @@
+{{- if gt (len .Values.clusters) 0 }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "kubeapps.kubeops-config.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: kubeops
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ clusters.conf: |-
+{{ .Values.clusters | toPrettyJson | indent 4 }}
+{{- end }}
diff --git a/bitnami/kubeapps/templates/kubeops/deployment.yaml b/bitnami/kubeapps/templates/kubeops/deployment.yaml
new file mode 100644
index 0000000000..caa4ef435d
--- /dev/null
+++ b/bitnami/kubeapps/templates/kubeops/deployment.yaml
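Review bot: `clusters.conf` is rendered into a ConfigMap straight from `.Values.clusters | toPrettyJson`, so any credential carried in a cluster entry lands in an object that is not handled as a Secret. The values.yaml comment removed further down this patch describes an optional `serviceToken` per cluster; if the new values keep that field, the token is readable by anyone with `get` on ConfigMaps in the release namespace. Rendering the file into a Secret would be the cleaner fix, and at minimum a template comment such as `{{- /* clusters.conf may carry serviceToken values; treat read access to this ConfigMap as sensitive */ -}}` should sit above `data:`. The kubeops deployment mounts this ConfigMap by name, so changing the kind needs the matching volume change there.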
@@ -0,0 +1,142 @@ +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "kubeapps.kubeops.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app.kubernetes.io/component: kubeops + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.kubeops.replicaCount }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: kubeops + template: + metadata: + {{- if .Values.kubeops.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: kubeops + {{- if .Values.kubeops.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "kubeapps.imagePullSecrets" . | indent 6 }} + serviceAccountName: {{ template "kubeapps.kubeops.fullname" . 
}} + {{- if .Values.kubeops.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.hostAliases "context" $) | nindent 8 }} + {{- end }} + # Increase termination timeout to let remaining operations to finish before killing the pods + # This is because new releases/upgrades/deletions are synchronous operations + {{- if .Values.kubeops.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.kubeops.podAffinityPreset "component" "kubeops" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.kubeops.podAntiAffinityPreset "component" "kubeops" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.kubeops.nodeAffinityPreset.type "key" .Values.kubeops.nodeAffinityPreset.key "values" .Values.kubeops.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.kubeops.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.kubeops.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.kubeops.priorityClassName }} + priorityClassName: {{ .Values.kubeops.priorityClassName | quote }} + {{- end }} + {{- if .Values.kubeops.podSecurityContext.enabled }} + securityContext: {{- omit .Values.kubeops.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.kubeops.terminationGracePeriodSeconds }} + containers: + - name: kubeops + image: {{ include "common.images.image" (dict "imageRoot" .Values.kubeops.image "global" .Values.global) }} + imagePullPolicy: {{ 
.Values.kubeops.image.pullPolicy | quote }} + {{- if .Values.kubeops.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.kubeops.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.kubeops.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + command: + - /kubeops + args: + - --user-agent-comment=kubeapps/{{ .Chart.AppVersion }} + - --assetsvc-url=http://{{ template "kubeapps.assetsvc.fullname" . }}:{{ .Values.assetsvc.service.port }} + {{- if .Values.clusters }} + - --clusters-config-path=/config/clusters.conf + {{- end }} + {{- if .Values.pinnipedProxy.enabled }} + - --pinniped-proxy-url=http://{{ template "kubeapps.pinniped-proxy.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.pinnipedProxy.service.port }} + {{- end }} + {{- if .Values.kubeops.burst }} + - --burst={{ .Values.kubeops.burst }} + {{- end }} + {{- if .Values.kubeops.QPS }} + - --qps={{ .Values.kubeops.QPS }} + {{- end }} + {{- if .Values.kubeops.namespaceHeaderName }} + - --ns-header-name={{ .Values.kubeops.namespaceHeaderName }} + {{- end }} + {{- if .Values.kubeops.namespaceHeaderPattern }} + - --ns-header-pattern={{ .Values.kubeops.namespaceHeaderPattern }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PORT + value: {{ .Values.kubeops.containerPort | quote }} + {{- if .Values.kubeops.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.kubeops.extraEnvVarsCM .Values.kubeops.extraEnvVarsSecret }} + envFrom: + {{- if .Values.kubeops.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.kubeops.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.kubeops.extraEnvVarsSecret }} + - secretRef: + name: {{ include 
"common.tplvalues.render" (dict "value" .Values.kubeops.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.kubeops.containerPort }} + {{- if .Values.kubeops.livenessProbe.enabled }} + livenessProbe: {{- omit .Values.kubeops.livenessProbe "enabled" | toYaml | nindent 12 }} + {{- else if .Values.kubeops.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.kubeops.readinessProbe.enabled }} + readinessProbe: {{- omit .Values.kubeops.readinessProbe "enabled" | toYaml | nindent 12 }} + {{- else if .Values.kubeops.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.kubeops.resources }} + resources: {{- toYaml .Values.kubeops.resources | nindent 12 }} + {{- end }} + {{- if .Values.clusters }} + volumeMounts: + - name: kubeops-config + mountPath: /config + - name: ca-certs + mountPath: /etc/additional-clusters-cafiles + {{- end }} + {{- if .Values.clusters }} + volumes: + - name: kubeops-config + configMap: + name: {{ template "kubeapps.kubeops-config.fullname" . }} + - name: ca-certs + emptyDir: {} + {{- end }} diff --git a/bitnami/kubeapps/templates/kubeops/rbac.yaml b/bitnami/kubeapps/templates/kubeops/rbac.yaml new file mode 100644 index 0000000000..90dd59bc1b --- /dev/null +++ b/bitnami/kubeapps/templates/kubeops/rbac.yaml 
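Review bot: The Deployment's own `metadata.labels` carries only `app.kubernetes.io/component: kubeops`, while every other kubeops object added in this patch, and the pod template in this same file, opens with the `common.labels.standard` include. A Deployment without the standard labels is missed when a release is audited or cleaned up by label selector; I would change the line to `labels: {{- include "common.labels.standard" . | nindent 4 }}`. Separately, the two-line comment about increasing the termination timeout now sits above the `affinity` block instead of next to `terminationGracePeriodSeconds` and should move down to it.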
@@ -0,0 +1,141 @@ +{{- if .Values.rbac.create -}} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ template "kubeapps.kubeops.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: kubeops + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - delete + - apiGroups: + - "kubeapps.com" + resources: + - apprepositories + verbs: + - get + - list +--- +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "kubeapps.kubeops.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: kubeops + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kubeapps.kubeops.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kubeapps.kubeops.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- if .Values.allowNamespaceDiscovery }} +--- +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . 
}} +kind: ClusterRole +metadata: + name: "kubeapps:controller:kubeops-ns-discovery-{{ .Release.Namespace }}" + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: kubeops + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - list +--- +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + name: "kubeapps:controller:kubeops-ns-discovery-{{ .Release.Namespace }}" + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: kubeops + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "kubeapps:controller:kubeops-ns-discovery-{{ .Release.Namespace }}" +subjects: + - kind: ServiceAccount + name: {{ template "kubeapps.kubeops.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: ClusterRole +metadata: + name: "kubeapps:controller:kubeops-operators-{{ .Release.Namespace }}" + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . 
| nindent 4 }} + app.kubernetes.io/component: kubeops + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests/icon + verbs: + - get +--- +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + name: "kubeapps:controller:kubeops-operators-{{ .Release.Namespace }}" + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: kubeops + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "kubeapps:controller:kubeops-operators-{{ .Release.Namespace }}" +subjects: + - kind: ServiceAccount + name: {{ template "kubeapps.kubeops.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/bitnami/kubeapps/templates/kubeops/service.yaml b/bitnami/kubeapps/templates/kubeops/service.yaml new file mode 100644 index 0000000000..e57f210982 --- /dev/null +++ b/bitnami/kubeapps/templates/kubeops/service.yaml 
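Review bot: The namespaced Role grants `get`, `create` and `delete` on every `secrets` object in the release namespace, and nothing in the file says why that breadth is needed. The same namespace holds the chart's other credentials (this patch also touches an oauth2 secret and the ingress TLS secrets), so the kubeops service account can read them; whether kubeops needs more than a known set of secrets cannot be told from this hunk. I would add a comment above the rule, for example `# NOTE: get/create/delete on all Secrets in the release namespace (no resourceNames); document why kubeops needs this`, and move `get`/`delete` into a rule with `resourceNames` if the names are predictable. The four ClusterRole and ClusterRoleBinding objects also set `metadata.namespace` now, which has no meaning on cluster-scoped kinds and should be dropped.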
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kubeapps.kubeops.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: kubeops
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.kubeops.service.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.kubeops.service.annotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.kubeops.service.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.kubeops.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ app.kubernetes.io/component: kubeops
diff --git a/bitnami/kubeapps/templates/kubeops/serviceaccount.yaml b/bitnami/kubeapps/templates/kubeops/serviceaccount.yaml
new file mode 100644
index 0000000000..7408e4a61d
--- /dev/null
+++ b/bitnami/kubeapps/templates/kubeops/serviceaccount.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kubeapps.kubeops.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: kubeops
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
diff --git a/bitnami/kubeapps/templates/tests/test-assetsvc.yaml b/bitnami/kubeapps/templates/tests/test-assetsvc.yaml index 7226d51d58..761634464c 100644 --- a/bitnami/kubeapps/templates/tests/test-assetsvc.yaml +++ b/bitnami/kubeapps/templates/tests/test-assetsvc.yaml @@ -21,18 +21,13 @@ spec: - | n=0 until [ "$n" -ge 5 ]; do - if curl -o /tmp/output $ASSETSVC_HOST:$ASSETSVC_PORT/v1/clusters/default/namespaces/{{ .Release.Namespace }}/charts && cat /tmp/output && cat /tmp/output | grep wordpress; then - break - fi - sleep 10 - ((n+=1)) + if curl -o /tmp/output $ASSETSVC_HOST:$ASSETSVC_PORT/v1/clusters/default/namespaces/{{ .Release.Namespace }}/charts && cat /tmp/output && cat /tmp/output | grep wordpress; then + break + fi + sleep 10 + ((n+=1)) done if [ "$n" -eq 5 ]; then - exit 1 + exit 1 fi - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} restartPolicy: Never diff --git a/bitnami/kubeapps/templates/tests/test-dashboard.yaml b/bitnami/kubeapps/templates/tests/test-dashboard.yaml index 87aabbbb4d..8b9f9eb8d2 100644 --- a/bitnami/kubeapps/templates/tests/test-dashboard.yaml +++ b/bitnami/kubeapps/templates/tests/test-dashboard.yaml @@ -15,9 +15,4 @@ spec: - sh - -c - curl -o /tmp/output $DASHBOARD_HOST && cat /tmp/output && cat /tmp/output | grep 'You need to enable JavaScript to run this app' - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} restartPolicy: Never diff --git a/bitnami/kubeapps/templates/tls-secrets.yaml b/bitnami/kubeapps/templates/tls-secrets.yaml index b9d412825b..fbb967dd97 100644 --- a/bitnami/kubeapps/templates/tls-secrets.yaml +++ b/bitnami/kubeapps/templates/tls-secrets.yaml 
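Review bot: Both test pods lose their pod-level `securityContext` block (here and in test-dashboard.yaml) and nothing replaces it, so they run as whatever user the test image defaults to. On a cluster that enforces a non-root policy `helm test` may then be rejected, and elsewhere the test pods run less constrained than the workloads they probe. The kubeops deployment in this patch gates its context on `.Values.kubeops.podSecurityContext.enabled`; the test pods could reuse the matching per-component values the same way, assuming assetsvc and dashboard expose them (not visible here). The pod spec starts above both hunks.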
@@ -5,8 +5,14 @@ apiVersion: v1 kind: Secret metadata: name: {{ .name }} - namespace: {{ $.Release.Namespace }} - labels: {{ include "kubeapps.labels" $ | nindent 4 }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: tls.crt: {{ .certificate | b64enc }} @@ -14,15 +20,21 @@ data: --- {{- end }} {{- end }} -{{- if and .Values.ingress.tls (not .Values.ingress.certManager) }} +{{- if and .Values.ingress.tls .Values.ingress.selfSigned }} {{- $ca := genCA "kubeapps-ca" 365 }} {{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }} apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-tls" .Values.ingress.hostname }} - namespace: {{ .Release.Namespace }} - labels: {{ include "kubeapps.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: tls.crt: {{ $cert.Cert | b64enc | quote }} diff --git a/bitnami/kubeapps/values.schema.json b/bitnami/kubeapps/values.schema.json index 9c9bc51822..38bead5d1f 100644 --- a/bitnami/kubeapps/values.schema.json +++ b/bitnami/kubeapps/values.schema.json 
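Review bot: The self-signed branch calls `genCA` and `genSignedCert` at render time with no check for an existing secret, so every `helm upgrade` replaces both the CA and the certificate. Clients that trusted the earlier CA then fail verification, which in practice pushes users toward turning verification off. Guarding the generation with `{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" .Values.ingress.hostname) }}` and reusing `$existing.data` when it is set would keep the material stable across upgrades. The condition change also means a release that had `ingress.tls=true` without cert-manager no longer gets this secret unless `ingress.selfSigned=true` is set, which deserves a line in the upgrade notes if it is not already there. The secret's `data` block continues below the hunk.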
@@ -130,24 +130,6 @@ } } } - }, - "securityContext": { - "properties": { - "enabled": { - "title": "Enable security context", - "type": "boolean", - "default": false - }, - "fsgroup": { - "title": "File System Group ID", - "type": "integer" - }, - "runAsUser": { - "title": "File System User ID", - "type": "integer" - } - }, - "title": "Security Context" } } } diff --git a/bitnami/kubeapps/values.yaml b/bitnami/kubeapps/values.yaml index d97931fa6a..632f4052aa 100644 --- a/bitnami/kubeapps/values.yaml +++ b/bitnami/kubeapps/values.yaml 
@@ -1,376 +1,906 @@ +## @section Global parameters ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) ## -# global: -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass +global: + imageRegistry: + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: -## Disable this feature flag to disallow users to discover available namespaces (only the ones they have access). -## When set to true, Kubeapps creates a ClusterRole to be able to list namespaces. -allowNamespaceDiscovery: true +## @section Common parameters -## Enable IPv6 Configuration for Nginx +## @param kubeVersion Override Kubernetes version +## +kubeVersion: +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] +## @param enableIPv6 Enable IPv6 configuration +## enableIPv6: false -## clusters can be configured with a list of clusters that Kubeapps can target for deployments. 
-## When populated with a single cluster (as it is by default), Kubeapps will not allow users to -## change the target cluster. When populated with multiple clusters, Kubeapps will present the clusters to -## the user as potential targets for install or browsing. -## Note that you can define a single cluster without an apiServiceURL and the chart will assume this is -## the name you are assigning to the cluster on which Kubeapps is itself installed. Specifying more than -## one cluster without an apiServiceURL will cause the chart display an error. -## The base64-encoded certificateAuthorityData can be obtained from the additional cluster's kube config -## file, for example, to get the ca data for the 0th cluster in your config (adjust the index 0 as necessary): -## kubectl --kubeconfig ~/.kube/kind-config-kubeapps-additional config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' -# -# clusters: -# - name: default -# - name: second-cluster -# apiServiceURL: https://second-cluster:6443 -# # certificateAuthorityData is required for secure communication with the additional API server. -# certificateAuthorityData: LS0tLS1CRUdJ... -# # serviceToken is an optional token configured to allow LIST namespaces and packagemanifests (operators) only on the additional cluster -# # so that the UI can present a list of (only) those namespaces to which the user has access and the available operators. -# serviceToken: ... -clusters: - - name: default - # isKubeappsCluster is an optional parameter that allows defining the cluster in which Kubeapps is installed; - # this param is useful when every cluster is using an apiServiceURL (e.g., when using the Pinniped Impersonation Proxy) as the chart cannot infer the cluster on which Kubeapps is installed in that case. 
- # isKubeappsCluster: true +## @section Traffic Exposure Parameters -## Force target Kubernetes version (using Helm capabilites if not set) -## -kubeVersion: "" - -## The frontend service is the main reverse proxy used to access the Kubeapps UI -## To expose Kubeapps externally either configure the ingress object below or -## set frontend.service.type=LoadBalancer in the frontend configuration. -## ref: http://kubernetes.io/docs/user-guide/ingress/ +## Configure the ingress resource that allows you to access the Kubeapps installation +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: - ## Set to true to enable ingress record generation + ## @param ingress.enabled Enable ingress record generation for Kubeapps ## enabled: false - - ## Override API Version (automatically detected if not set) + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) ## - apiVersion: "" - - ## Ingress Path type - ## - pathType: ImplementationSpecific - - ## Set this to true in order to add the corresponding annotations for cert-manager - ## - certManager: false - - ## When the ingress is enabled, a host pointing to this will be created + apiVersion: + ## @param ingress.hostname Default host for the ingress record ## hostname: kubeapps.local - - ## The Path to Kubeapps Dashboard. You may need to set this to '/*' in order to use this - ## with ALB ingress controllers. 
+ ## @param ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers ## path: / - - ## Enable TLS configuration for the hostname defined at ingress.hostname parameter - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or - ## let the chart create self-signed certificates for you + ## @param ingress.pathType Ingress path type ## - tls: false - - ## Ingress annotations done as key:value pairs - ## For a full list of possible ingress annotations, - ## please see https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md - ## - ## If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set + pathType: ImplementationSpecific + ## @param ingress.annotations [object] Additional custom annotations for the ingress record + ## NOTE: If `ingress.certManager=true`, annotation `kubernetes.io/tls-acme: "true"` will automatically be added ## annotations: - # kubernetes.io/ingress.class: nginx - ## Keep the connection open with the API server even if idle (the default is 60 seconds) - ## Setting it to 10 minutes which should be enough for our current use case of deploying/upgrading/deleting apps - ## nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - - ## The list of additional hostnames to be covered with this ingress record. 
- ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Relay on cert-manager to create it by setting `ingress.certManager=true` + ## - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: false + ## @param ingress.certManager Add the corresponding annotations for cert-manager integration + ## + certManager: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record ## e.g: ## extraHosts: ## - name: kubeapps.local ## path: / ## extraHosts: [] - - ## The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls ## e.g: ## extraTls: - ## - hosts: - ## - kubeapps.local - ## secretName: kubeapps.local-tls + ## - hosts: + ## - kubeapps.local + ## secretName: kubeapps.local-tls ## extraTls: [] - - ## If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## @param ingress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days ## It is also possible to create and manage the certificates outside of this helm chart ## Please see README.md for more information ## e.g: ## secrets: ## - name: kubeapps.local-tls - ## key: - ## certificate: + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... 
+ ## -----END CERTIFICATE----- ## secrets: [] -## Frontend paramters +## @section Frontend parameters + +## Frontend parameters ## frontend: - replicaCount: 2 - ## Add additional annotations to the frontend pods - ## - podAnnotations: {} - ## Bitnami Nginx image + ## Bitnami NGINX image ## ref: https://hub.docker.com/r/bitnami/nginx/tags/ + ## @param frontend.image.registry NGINX image registry + ## @param frontend.image.repository NGINX image repository + ## @param frontend.image.tag NGINX image tag (immutable tags are recommended) + ## @param frontend.image.pullPolicy NGINX image pull policy + ## @param frontend.image.pullSecrets NGINX image pull secrets + ## @param frontend.image.debug Enable image debug mode ## image: registry: docker.io repository: bitnami/nginx - tag: 1.19.10-debian-10-r11 + tag: 1.19.10-debian-10-r25 ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - - ## Frontend service parameters + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param frontend.proxypassAccessTokenAsBearer Use access_token as the Bearer when talking to the k8s api server + ## NOTE: Some K8s distributions such as GKE requires it ## - service: - ## Service type - ## - type: ClusterIP - ## HTTP Port - ## - port: 80 - ## Set a static load balancer IP (only when frontend.service.type="LoadBalancer") - ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer - ## - # loadBalancerIP: - ## Set a specific NodePort (only when frontend.service.type="NodePort") - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport - # nodePort: - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - ## NGINX containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + proxypassAccessTokenAsBearer: false + ## @param frontend.proxypassExtraSetHeader Set an additional proxy header for all requests proxied via NGINX + ## Authorization header(s) set in this way will be included with the request from kubeops to the k8s service API URL. 
+ ## ref: https://github.com/kubeapps/kubeapps/blob/7e31d0e7241f826aa365856c134cf901d40890e7/pkg/http-handler/http-handler.go#L247 + ## e.g: + ## proxypassExtraSetHeader: Authorization "Bearer $cookie_sessionid"; ## - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 60 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 0 - timeoutSeconds: 5 - ## NGINX containers' resource requests and limits + proxypassExtraSetHeader: + ## @param frontend.largeClientHeaderBuffers Set large_client_header_buffers in NGINX config + ## NOTE: Can be required when using OIDC or LDAP due to large cookies + ## + largeClientHeaderBuffers: "4 32k" + ## @param frontend.replicaCount Number of frontend replicas to deploy + ## + replicaCount: 2 + ## Frontend containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param frontend.resources.limits.cpu The CPU limits for the NGINX container + ## @param frontend.resources.limits.memory The memory limits for the NGINX container + ## @param frontend.resources.requests.cpu The requested CPU for the NGINX container + ## @param frontend.resources.requests.memory The requested memory for the NGINX container ## resources: - ## Default values set based on usage data from running Kubeapps instances - ## ref: https://github.com/kubeapps/kubeapps/issues/478#issuecomment-422979262 - ## limits: cpu: 250m memory: 128Mi requests: cpu: 25m memory: 32Mi - ## Affinity for pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## @param frontend.extraEnvVars Array with extra environment variables to add to the NGINX container + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" ## - affinity: {} - ## Node labels for pod assignment. Evaluated as a template. 
- ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + extraEnvVars: [] + ## @param frontend.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for the NGINX container ## - nodeSelector: {} - ## Tolerations for pod assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + extraEnvVarsCM: + ## @param frontend.extraEnvVarsSecret Name of existing Secret containing extra env vars for the NGINX container ## - tolerations: {} - ## Use access_token as the Bearer when talking to the k8s api server - ## Some K8s distributions such as GKE requires it + extraEnvVarsSecret: + ## @param frontend.containerPort NGINX HTTP container port ## - proxypassAccessTokenAsBearer: false - - ## Set an additional proxy header for all requests proxied via NGINX to the kubeops backend. - ## Authorization header(s) set in this way will be included with the request from kubeops to the - ## k8s service API URL. - ## Ref: https://github.com/kubeapps/kubeapps/blob/7e31d0e7241f826aa365856c134cf901d40890e7/pkg/http-handler/http-handler.go#L247 - # proxypassExtraSetHeader: Authorization "Bearer $cookie_sessionid"; - - ## Set large_client_header_buffers in nginx config - ## Can be required when using OIDC or LDAP due to large cookies - # - largeClientHeaderBuffers: "4 32k" - -## AppRepository Controller is the controller used to manage the repositories to -## sync. Set apprepository.initialRepos to configure the initial set of -## repositories to use when first installing Kubeapps. 
-## -apprepository: - ## Running a single controller replica to avoid sync job duplication + containerPort: 8080 + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param frontend.podSecurityContext.enabled Enabled frontend pods' Security Context + ## @param frontend.podSecurityContext.fsGroup Set frontend pod's Security Context fsGroup ## - replicaCount: 1 - ## Add additional annotations to the controllers pods + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context (only main container) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param frontend.containerSecurityContext.enabled Enabled NGINX containers' Security Context + ## @param frontend.containerSecurityContext.runAsUser Set NGINX container's Security Context runAsUser + ## @param frontend.containerSecurityContext.runAsNonRoot Set NGINX container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for frontend containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param frontend.livenessProbe.enabled Enable livenessProbe + ## @skip frontend.livenessProbe.httpGet + ## @param frontend.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param frontend.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param frontend.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param frontend.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param frontend.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + httpGet: + path: /healthz + port: 8080 
+ initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param frontend.readinessProbe.enabled Enable readinessProbe + ## @skip frontend.readinessProbe.httpGet + ## @param frontend.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param frontend.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param frontend.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param frontend.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param frontend.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + httpGet: + path: / + port: 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param frontend.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param frontend.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param frontend.lifecycleHooks Custom lifecycle hooks for frontend containers + ## + lifecycleHooks: {} + ## @param frontend.podLabels Extra labels for frontend pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param frontend.podAnnotations Annotations for frontend pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - ## Schedule for syncing apprepositories. Every ten minutes by default - # crontab: "*/10 * * * *" + ## @param frontend.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param frontend.podAntiAffinityPreset Pod anti-affinity preset. 
Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## nodeAffinityPreset Node affinity preset
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param frontend.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param frontend.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
+ ##
+ key: ""
+ ## @param frontend.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param frontend.affinity Affinity for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## NOTE: frontend.podAffinityPreset, frontend.podAntiAffinityPreset, and frontend.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param frontend.nodeSelector Node labels for pod assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param frontend.tolerations Tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param frontend.priorityClassName Priority class name for frontend pods
+ ##
+ priorityClassName:
+ ## @param frontend.hostAliases Custom host aliases for frontend pods
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param frontend.extraVolumes Optionally specify extra list of additional volumes for frontend pods
+ ##
+ extraVolumes: []
+ ## @param frontend.extraVolumeMounts Optionally specify extra list of additional volumeMounts for frontend container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param frontend.sidecars Add additional sidecar containers to the frontend pod
+ ## e.g:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: {}
+ ## @param frontend.initContainers Add additional init containers to the frontend pods
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ ## e.g:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## command: ['sh', '-c', 'echo "hello world"']
+ ##
+ initContainers: {}
+ ## Frontend service parameters
+ ##
+ service:
+ ## @param frontend.service.type Frontend service type
+ ##
+ type: ClusterIP
+ ## @param frontend.service.port Frontend service HTTP port
+ ##
+ port: 80
+ ## @param frontend.service.nodePort Node port for HTTP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+ ##
+ nodePort:
+ ## @param frontend.service.clusterIP Frontend service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP:
+ ## @param frontend.service.loadBalancerIP Frontend service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP:
+ ## @param frontend.service.loadBalancerSourceRanges Frontend service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param frontend.service.externalTrafficPolicy Frontend service external traffic policy
+ ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param frontend.service.annotations Additional custom annotations for frontend service
+ ##
+ annotations: {}
+
+## @section Dashboard parameters
+
+## Dashboard parameters
+##
+dashboard:
+ ## Bitnami Kubeapps Dashboard image
+ ## ref: https://hub.docker.com/r/bitnami/kubeops/tags/
+ ## @param dashboard.image.registry Dashboard image registry
+ ## @param dashboard.image.repository Dashboard image repository
+ ## @param dashboard.image.tag Dashboard image tag (immutable tags are recommended)
+ ## @param dashboard.image.pullPolicy Dashboard image pull policy
+ ## @param dashboard.image.pullSecrets Dashboard image pull secrets
+ ## @param dashboard.image.debug Enable image debug mode
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/kubeapps-dashboard
+ tag: 2.3.2-debian-10-r13
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Enable debug mode
+ ##
+ debug: false
+ ## @param dashboard.customStyle Custom CSS injected to the Dashboard to customize Kubeapps look and feel
+ ## e.g:
+ ## customStyle: |-
+ ## .header.header-7 {
+ ## background-color: #991700;
+ ## }
+ ##
+ customStyle: ""
+ ## @param dashboard.customComponents Custom Form components injected into the BasicDeploymentForm
+ ## ref: https://github.com/kubeapps/kubeapps/blob/master/docs/developer/custom-form-component-support.md
+ ##
+ customComponents: ""
+ ## @param dashboard.customLocale Custom translations injected to the Dashboard to customize the strings used in Kubeapps
+ ## ref: https://github.com/kubeapps/kubeapps/blob/master/docs/developer/translate-kubeapps.md
+ ## e.g:
+ ## customLocale:
+ ## "Kubeapps": "My Dashboard"
+ ## "login-oidc": "Login with my company SSO"
+ ##
+ customLocale: ""
+ ## @param dashboard.replicaCount Number of Dashboard replicas to deploy
+ ##
+ replicaCount: 2
+ ## @param dashboard.extraEnvVars Array with extra environment variables to add to the Dashboard container
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param dashboard.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for the Dashboard container
+ ##
+ extraEnvVarsCM:
+ ## @param dashboard.extraEnvVarsSecret Name of existing Secret containing extra env vars for the Dashboard container
+ ##
+ extraEnvVarsSecret:
+ ## @param dashboard.containerPort Dashboard HTTP container port
+ ##
+ containerPort: 8080
+ ## Dashboard containers' resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param dashboard.resources.limits.cpu The CPU limits for the Dashboard container
+ ## @param dashboard.resources.limits.memory The memory limits for the Dashboard container
+ ## @param dashboard.resources.requests.cpu The requested CPU for the Dashboard container
+ ## @param dashboard.resources.requests.memory The requested memory for the Dashboard container
+ ##
+ resources:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 25m
+ memory: 32Mi
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param dashboard.podSecurityContext.enabled Enabled Dashboard pods' Security Context
+ ## @param dashboard.podSecurityContext.fsGroup Set Dashboard pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Configure Container Security Context (only main container)
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param dashboard.containerSecurityContext.enabled Enabled Dashboard containers' Security Context
+ ## @param dashboard.containerSecurityContext.runAsUser Set Dashboard container's Security Context runAsUser
+ ## @param dashboard.containerSecurityContext.runAsNonRoot Set Dashboard container's Security Context runAsNonRoot
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+ ## Configure extra options for Dashboard containers' liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ## @param dashboard.livenessProbe.enabled Enable livenessProbe
+ ## @skip dashboard.livenessProbe.httpGet
+ ## @param dashboard.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param dashboard.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param dashboard.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param dashboard.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param dashboard.livenessProbe.successThreshold Success threshold for livenessProbe
+ ## Dashboard containers' liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ##
+ livenessProbe:
+ enabled: true
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param dashboard.readinessProbe.enabled Enable readinessProbe
+ ## @skip dashboard.readinessProbe.httpGet
+ ## @param dashboard.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param dashboard.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param dashboard.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param dashboard.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param dashboard.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param dashboard.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param dashboard.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param dashboard.lifecycleHooks Custom lifecycle hooks for Dashboard containers
+ ##
+ lifecycleHooks: {}
+ ## @param dashboard.podLabels Extra labels for Dasbhoard pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param dashboard.podAnnotations Annotations for Dasbhoard pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param dashboard.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set.
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param dashboard.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param dashboard.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param dashboard.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set + ## + key: "" + ## @param dashboard.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param dashboard.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: dashboard.podAffinityPreset, dashboard.podAntiAffinityPreset, and dashboard.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param dashboard.nodeSelector Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param dashboard.tolerations Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param dashboard.priorityClassName Priority class name for Dashboard pods + ## + priorityClassName: + ## @param dashboard.hostAliases Custom host aliases for Dashboard pods + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + 
hostAliases: [] + ## @param dashboard.extraVolumes Optionally specify extra list of additional volumes for Dasbhoard pods + ## + extraVolumes: [] + ## @param dashboard.extraVolumeMounts Optionally specify extra list of additional volumeMounts for Dasbhoard container(s) + ## + extraVolumeMounts: [] + ## @param dashboard.sidecars Add additional sidecar containers to the Dasbhoard pod + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: {} + ## @param dashboard.initContainers Add additional init containers to the Dasbhoard pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: {} + ## Dasbhoard service parameters + ## + service: + ## @param dashboard.service.port Dasbhoard service HTTP port + ## + port: 8080 + ## @param dashboard.service.annotations Additional custom annotations for Dasbhoard service + ## + annotations: {} + +## @section AppRepository Controller parameters + +## AppRepository Controller parameters +## +apprepository: ## Bitnami Kubeapps AppRepository Controller image ## ref: https://hub.docker.com/r/bitnami/kubeapps-apprepository-controller/tags/ + ## @param apprepository.image.registry Kubeapps AppRepository Controller image registry + ## @param apprepository.image.repository Kubeapps AppRepository Controller image repository + ## @param apprepository.image.tag Kubeapps AppRepository Controller image tag (immutable tags are recommended) + ## @param apprepository.image.pullPolicy Kubeapps AppRepository Controller image pull policy + ## @param apprepository.image.pullSecrets Kubeapps AppRepository Controller image pull secrets ## image: registry: docker.io repository: bitnami/kubeapps-apprepository-controller tag: 
2.3.2-scratch-r0 ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - ## Kubeapps assets synchronization tool - ## Image used to perform chart repository syncs + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Bitnami Kubeapps Asset Syncer image ## ref: https://hub.docker.com/r/bitnami/kubeapps-asset-syncer/tags/ + ## @param apprepository.syncImage.registry Kubeapps Asset Syncer image registry + ## @param apprepository.syncImage.repository Kubeapps Asset Syncer image repository + ## @param apprepository.syncImage.tag Kubeapps Asset Syncer image tag (immutable tags are recommended) + ## @param apprepository.syncImage.pullPolicy Kubeapps Asset Syncer image pull policy + ## @param apprepository.syncImage.pullSecrets Kubeapps Asset Syncer image pull secrets ## syncImage: registry: docker.io repository: bitnami/kubeapps-asset-syncer tag: 2.3.2-scratch-r0 ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - - ## Initial charts repo proxies to configure - ## - initialReposProxy: - enabled: false - # http_proxy: "http://yourproxy:3128" - # https_proxy: "http://yourproxy:3128" - # no_proxy: "0.0.0.0/0" - ## Initial chart repositories to configure + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param apprepository.initialRepos [array] Initial chart repositories to configure + ## e.g: + ## initialRepos: + ## - name: chartmuseum + ## url: https://chartmuseum.default:8080 + ## nodeSelector: + ## somelabel: somevalue + ## # Specify an Authorization Header if you are using an authentication method. + ## authorizationHeader: "Bearer xrxNC..." + ## # If you're providing your own certificates, please use this to add the certificates as secrets. + ## # It should start with -----BEGIN CERTIFICATE----- or + ## # -----BEGIN RSA PRIVATE KEY----- + ## caCert: + ## # Create this apprepository in a custom namespace + ## namespace: + ## # In case of an OCI registry, specify the type + ## type: oci + ## # And specify the list of repositories + ## ociRepositories: + ## - nginx + ## - jenkins ## initialRepos: - name: bitnami url: https://charts.bitnami.com/bitnami - # Additional repositories - # - name: chartmuseum - # url: https://chartmuseum.default:8080 - # nodeSelector: - # somelabel: somevalue - # # Specify an Authorization Header if you are using an authentication method. - # authorizationHeader: "Bearer xrxNC..." - # # If you're providing your own certificates, please use this to add the certificates as secrets. 
- # # It should start with -----BEGIN CERTIFICATE----- or - # # -----BEGIN RSA PRIVATE KEY----- - # caCert: - # # Create this apprepository in a custom namespace - # namespace: - # # In case of an OCI registry, specify the type - # type: oci - # # And specify the list of repositories - # ociRepositories: - # - nginx - # - jenkins + ## @param apprepository.initialReposProxy [object] Proxy configuration to access chart repositories + ## + initialReposProxy: + enabled: false + httpProxy: + httpsProxy: + noProxy: + ## @param apprepository.crontab Schedule for syncing App repositories (default to 10 minutes) + ## e.g: + ## crontab: "*/10 * * * *" + ## + crontab: + ## @param apprepository.watchAllNamespaces Watch all namespaces to support separate AppRepositories per namespace + ## Switch this off only if you require running multiple instances of Kubeapps in different namespaces + ## without each instance watching AppRepositories of each other + ## + watchAllNamespaces: true + ## @param apprepository.replicaCount Number of AppRepository Controller replicas to deploy + ## Running a single controller replica to avoid sync job duplication + ## + replicaCount: 1 ## AppRepository Controller containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param apprepository.resources.limits.cpu The CPU limits for the AppRepository Controller container + ## @param apprepository.resources.limits.memory The memory limits for the AppRepository Controller container + ## @param apprepository.resources.requests.cpu The requested CPU for the AppRepository Controller container + ## @param apprepository.resources.requests.memory The requested memory for the AppRepository Controller container ## resources: - ## Default values set based on usage data from running Kubeapps instances - ## ref: https://github.com/kubeapps/kubeapps/issues/478#issuecomment-422979262 - ## limits: cpu: 250m memory: 128Mi requests: cpu: 25m memory: 32Mi - ## Affinity 
for pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param apprepository.podSecurityContext.enabled Enabled AppRepository Controller pods' Security Context + ## @param apprepository.podSecurityContext.fsGroup Set AppRepository Controller pod's Security Context fsGroup ## - affinity: {} - ## Node labels for pod assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context (only main container) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param apprepository.containerSecurityContext.enabled Enabled AppRepository Controller containers' Security Context + ## @param apprepository.containerSecurityContext.runAsUser Set AppRepository Controller container's Security Context runAsUser + ## @param apprepository.containerSecurityContext.runAsNonRoot Set AppRepository Controller container's Security Context runAsNonRoot ## - nodeSelector: {} - ## Tolerations for pod assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## @param apprepository.lifecycleHooks Custom lifecycle hooks for AppRepository Controller containers ## - tolerations: {} - ## The controller watches all namespaces by default to support separate AppRepositories per namespace. - ## Switch this off only if you require running multiple instances of Kubeapps in different namespaces - ## without each instance watching AppRepositories of each other. 
- watchAllNamespaces: true - -## Hooks are used to perform actions like populating apprepositories -## or creating required resources during installation or upgrade -## -hooks: - ## Bitnami Kubectl image - ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ + lifecycleHooks: {} + ## @param apprepository.podLabels Extra labels for AppRepository Controller pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## - image: - registry: docker.io - repository: bitnami/kubectl - tag: 1.19.10-debian-10-r9 - ## Specify a imagePullPolicy - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - - ## Affinity for hooks' pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## - affinity: {} - ## Node labels for hooks' pods assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## Tolerations for hooks' pods assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: {} - -# Kubeops is an interface between the Kubeapps Dashboard and Helm 3/Kubernetes. -kubeops: - replicaCount: 2 - ## Add additional annotations to the kubeops pods + podLabels: {} + ## @param apprepository.podAnnotations Annotations for AppRepository Controller pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} + ## @param apprepository.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param apprepository.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## nodeAffinityPreset Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param apprepository.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param apprepository.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set + ## + key: "" + ## @param apprepository.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param apprepository.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: apprepository.podAffinityPreset, apprepository.podAntiAffinityPreset, and apprepository.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param apprepository.nodeSelector Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param apprepository.tolerations Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param apprepository.priorityClassName Priority class name for AppRepository Controller pods + ## + priorityClassName: + ## @param apprepository.hostAliases Custom host aliases for AppRepository Controller pods + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + +## @section Kubeops parameters + +## Kubeops parameters +## +kubeops: + ## Bitnami Kubeops image + ## ref: https://hub.docker.com/r/bitnami/kubeops/tags/ + ## @param 
kubeops.image.registry Kubeops image registry + ## @param kubeops.image.repository Kubeops image repository + ## @param kubeops.image.tag Kubeops image tag (immutable tags are recommended) + ## @param kubeops.image.pullPolicy Kubeops image pull policy + ## @param kubeops.image.pullSecrets Kubeops image pull secrets + ## image: registry: docker.io repository: bitnami/kubeapps-kubeops tag: 2.3.2-scratch-r0 ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - - service: - port: 8080 + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param kubeops.namespaceHeaderName Additional header name for trusted namespaces + ## e.g: + ## namespaceHeaderName: X-Consumer-Groups + ## + namespaceHeaderName: + ## @param kubeops.namespaceHeaderPattern Additional header pattern for trusted namespaces + ## e.g: + ## namespaceHeaderPattern: namespace:^([\w-]+):\w+$ + ## + namespaceHeaderPattern: + ## @param kubeops.qps Kubeops QPS (queries per second) rate + ## + qps: + ## @param kubeops.burst Kubeops burst rate + ## + burst: + ## @param kubeops.replicaCount Number of Kubeops replicas to deploy + ## + replicaCount: 2 + ## @param kubeops.terminationGracePeriodSeconds The grace time period for sig term + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: 300 + ## @param kubeops.extraEnvVars Array with extra environment variables to add to the Kubeops container + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param kubeops.extraEnvVarsCM Name of existing ConfigMap 
containing extra env vars for the Kubeops container + ## + extraEnvVarsCM: + ## @param kubeops.extraEnvVarsSecret Name of existing Secret containing extra env vars for the Kubeops container + ## + extraEnvVarsSecret: + ## @param kubeops.containerPort Kubeops HTTP container port + ## + containerPort: 8080 + ## Kubeops containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param kubeops.resources.limits.cpu The CPU limits for the Kubeops container + ## @param kubeops.resources.limits.memory The memory limits for the Kubeops container + ## @param kubeops.resources.requests.cpu The requested CPU for the Kubeops container + ## @param kubeops.resources.requests.memory The requested memory for the Kubeops container + ## resources: limits: cpu: 250m 
@@ -378,369 +908,617 @@ kubeops: requests: cpu: 25m memory: 32Mi + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param kubeops.podSecurityContext.enabled Enabled Kubeops pods' Security Context + ## @param kubeops.podSecurityContext.fsGroup Set Kubeops pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context (only main container) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param kubeops.containerSecurityContext.enabled Enabled Kubeops containers' Security Context + ## @param kubeops.containerSecurityContext.runAsUser Set Kubeops container's Security Context runAsUser + ## @param kubeops.containerSecurityContext.runAsNonRoot Set Kubeops container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for Kubeops containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param kubeops.livenessProbe.enabled Enable livenessProbe + ## @skip kubeops.livenessProbe.httpGet + ## @param kubeops.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param kubeops.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param kubeops.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param kubeops.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param kubeops.livenessProbe.successThreshold Success threshold for livenessProbe ## Kubeops containers' liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: + enabled: true httpGet: path: /live port: 
8080 initialDelaySeconds: 60 + periodSeconds: 10 timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param kubeops.readinessProbe.enabled Enable readinessProbe + ## @skip kubeops.readinessProbe.httpGet + ## @param kubeops.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param kubeops.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param kubeops.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param kubeops.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param kubeops.readinessProbe.successThreshold Success threshold for readinessProbe + ## readinessProbe: + enabled: true httpGet: path: /ready port: 8080 initialDelaySeconds: 0 + periodSeconds: 10 timeoutSeconds: 5 - ## Additional environment variables to set - ## E.g: - ## extraEnvVars: - ## - name: TZ - ## value: Europe/Madrid + failureThreshold: 6 + successThreshold: 1 + ## @param kubeops.customLivenessProbe Custom livenessProbe that overrides the default one ## - extraEnvVars: [] - nodeSelector: {} - tolerations: [] - affinity: {} - ## Kubeops QPS and Burst configuration (per user request) - ## Used when requesting namespaces - # QPS: 10 - # burst: 15 - ## Kubeops additional header parameters for trusted namespaces. - ## - namespaceHeaderName - header field name, it can be injected by autorization proxy. - ## - namespaceHeaderPattern - regular expression that matches only single item from the header list. - ## The first capturing group must match the namespace. - ## example: X-Consumer-Groups: namespace:ns1:read, namespace:ns2:write - # namespaceHeaderName: X-Consumer-Groups - # namespaceHeaderPattern: namespace:^([\w-]+):\w+$ - -## Assetsvc is used to serve assets metadata over a REST API. 
-## -assetsvc: - replicaCount: 2 - ## Add additional annotations to the assetsvc pods + customLivenessProbe: {} + ## @param kubeops.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param kubeops.lifecycleHooks Custom lifecycle hooks for Kubeops containers + ## + lifecycleHooks: {} + ## @param kubeops.podLabels Extra labels for Kubeops pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param kubeops.podAnnotations Annotations for Kubeops pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} + ## @param kubeops.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param kubeops.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## nodeAffinityPreset Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param kubeops.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param kubeops.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set + ## + key: "" + ## @param kubeops.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param kubeops.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: kubeops.podAffinityPreset, kubeops.podAntiAffinityPreset, and kubeops.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param kubeops.nodeSelector Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param kubeops.tolerations Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param kubeops.priorityClassName Priority class name for Kubeops pods + ## + priorityClassName: + ## @param kubeops.hostAliases Custom host aliases for Kubeops pods + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## Kubeops service parameters + ## + service: + ## @param kubeops.service.port Kubeops service HTTP port + ## + port: 8080 + ## @param kubeops.service.annotations Additional custom annotations for Kubeops service + ## + annotations: {} + +## @section Assetsvc parameters + +## Assetsvc parameters +## +assetsvc: ## Bitnami Kubeapps Assetsvc image ## ref: https://hub.docker.com/r/bitnami/kubeapps-assetsvc/tags/ + ## @param assetsvc.image.registry Kubeapps Assetsvc image registry + ## @param assetsvc.image.repository Kubeapps Assetsvc image repository + ## @param assetsvc.image.tag Kubeapps Assetsvc image tag (immutable tags are recommended) + ## @param assetsvc.image.pullPolicy Kubeapps Assetsvc image pull policy + ## @param assetsvc.image.pullSecrets Kubeapps Assetsvc image pull secrets ## image: registry: docker.io repository: bitnami/kubeapps-assetsvc tag: 2.3.2-scratch-r0 ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: 
http://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - - ## Assetsvc service parameters - ## - service: - ## HTTP Port + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName ## - port: 8080 + pullSecrets: [] + ## @param assetsvc.replicaCount Number of Assetsvc replicas to deploy + ## + replicaCount: 2 + ## @param assetsvc.extraEnvVars Array with extra environment variables to add to the Assetsvc container + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param assetsvc.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for the Assetsvc container + ## + extraEnvVarsCM: + ## @param assetsvc.extraEnvVarsSecret Name of existing Secret containing extra env vars for the Assetsvc container + ## + extraEnvVarsSecret: + ## @param assetsvc.containerPort Assetsvc HTTP container port + ## + containerPort: 8080 ## Assetsvc containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param assetsvc.resources.limits.cpu The CPU limits for the Assetsvc container + ## @param assetsvc.resources.limits.memory The memory limits for the Assetsvc container + ## @param assetsvc.resources.requests.cpu The requested CPU for the Assetsvc container + ## @param assetsvc.resources.requests.memory The requested memory for the Assetsvc container ## resources: - ## Default values set based on usage data from running Kubeapps instances - ## ref: https://github.com/kubeapps/kubeapps/issues/478#issuecomment-422979262 - ## limits: cpu: 250m memory: 128Mi requests: cpu: 25m memory: 32Mi + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## 
@param assetsvc.podSecurityContext.enabled Enabled Assetsvc pods' Security Context + ## @param assetsvc.podSecurityContext.fsGroup Set Assetsvc pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context (only main container) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param assetsvc.containerSecurityContext.enabled Enabled Assetsvc containers' Security Context + ## @param assetsvc.containerSecurityContext.runAsUser Set Assetsvc container's Security Context runAsUser + ## @param assetsvc.containerSecurityContext.runAsNonRoot Set Assetsvc container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for Assetsvc containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param assetsvc.livenessProbe.enabled Enable livenessProbe + ## @skip assetsvc.livenessProbe.httpGet + ## @param assetsvc.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param assetsvc.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param assetsvc.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param assetsvc.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param assetsvc.livenessProbe.successThreshold Success threshold for livenessProbe ## Assetsvc containers' liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: + enabled: true httpGet: path: /live port: 8080 initialDelaySeconds: 60 + periodSeconds: 10 timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param assetsvc.readinessProbe.enabled Enable readinessProbe + ## @skip 
assetsvc.readinessProbe.httpGet + ## @param assetsvc.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param assetsvc.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param assetsvc.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param assetsvc.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param assetsvc.readinessProbe.successThreshold Success threshold for readinessProbe + ## readinessProbe: + enabled: true httpGet: path: /ready port: 8080 initialDelaySeconds: 0 + periodSeconds: 10 timeoutSeconds: 5 - ## Affinity for Assetsvc pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + failureThreshold: 6 + successThreshold: 1 + ## @param assetsvc.customLivenessProbe Custom livenessProbe that overrides the default one ## - affinity: {} - ## Node labels for Assetsvc pods assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + customLivenessProbe: {} + ## @param assetsvc.customReadinessProbe Custom readinessProbe that overrides the default one ## - nodeSelector: {} - ## Tolerations for Assetsvc pods assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + customReadinessProbe: {} + ## @param assetsvc.lifecycleHooks Custom lifecycle hooks for Assetsvc containers ## - tolerations: {} - -## Dashboard serves the compiled static React frontend application. This is an -## internal service used by the main frontend reverse-proxy and should not be -## accessed directly. 
-## -dashboard: - replicaCount: 2 - ## Add additional annotations to the dashboard pods + lifecycleHooks: {} + ## @param assetsvc.podLabels Extra labels for Assetsvc pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param assetsvc.podAnnotations Annotations for Assetsvc pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - ## Bitnami Kubeapps Dashboard image - ## ref: https://hub.docker.com/r/bitnami/kubeapps-dashboard/tags/ + ## @param assetsvc.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param assetsvc.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## nodeAffinityPreset Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param assetsvc.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param assetsvc.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set + ## + key: "" + ## @param assetsvc.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param assetsvc.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: assetsvc.podAffinityPreset, assetsvc.podAntiAffinityPreset, and assetsvc.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param assetsvc.nodeSelector Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param assetsvc.tolerations Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param assetsvc.priorityClassName Priority class name for Assetsvc pods + ## + priorityClassName: + ## @param assetsvc.hostAliases Custom host aliases for Assetsvc pods + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## Assetsvc service parameters + ## + service: + ## @param assetsvc.service.port Assetsvc service HTTP port + ## + port: 8080 + ## @param assetsvc.service.annotations Additional custom annotations for Assetsvc service + ## + annotations: {} + +## @section Auth Proxy parameters + +## Auth Proxy configuration for OIDC support +## ref: https://github.com/kubeapps/kubeapps/blob/master/docs/user/using-an-OIDC-provider.md +## +authProxy: + ## @param authProxy.enabled Specifies whether Kubeapps should configure OAuth login/logout + ## + enabled: false + ## Bitnami OAuth2 Proxy image + ## ref: https://hub.docker.com/r/bitnami/oauth2-proxy/tags/ + ## @param authProxy.image.registry OAuth2 Proxy image registry + ## @param authProxy.image.repository OAuth2 Proxy image repository + ## @param authProxy.image.tag OAuth2 Proxy image tag (immutable tags are recommended) + ## @param authProxy.image.pullPolicy OAuth2 Proxy image pull policy + ## @param authProxy.image.pullSecrets OAuth2 Proxy 
image pull secrets ## image: registry: docker.io - repository: bitnami/kubeapps-dashboard - tag: 2.3.2-debian-10-r0 + repository: bitnami/oauth2-proxy + tag: 7.1.3-debian-10-r12 ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - - ## Dashboard service parameters - ## - service: - ## HTTP Port + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName ## - port: 8080 - ## Dashboard containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + pullSecrets: [] + ## @param authProxy.external Use an external Auth Proxy instead of deploying its own one ## - livenessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 60 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 0 - timeoutSeconds: 5 - ## Dashboard containers' resource requests and limits + external: false + ## @param authProxy.oauthLoginURI OAuth Login URI to which the Kubeapps frontend redirects for authn + ## @param authProxy.oauthLogoutURI OAuth Logout URI to which the Kubeapps frontend redirects for authn + ## + oauthLoginURI: /oauth2/start + oauthLogoutURI: /oauth2/sign_out + ## @param authProxy.skipKubeappsLoginPage Skip the Kubeapps login page when using OIDC and directly redirect to the IdP + ## + skipKubeappsLoginPage: false + ## @param authProxy.provider OAuth provider + ## @param authProxy.clientID OAuth Client ID + ## @param authProxy.clientSecret OAuth Client secret + ## NOTE: Mandatory parameters for the internal auth-proxy + ## + provider: "" + clientID: "" + clientSecret: "" + ## @param authProxy.cookieSecret 
Secret used by oauth2-proxy to encrypt any credentials + ## NOTE: It must be a particular number of bytes. It's recommended using the following + ## script to generate a cookieSecret: + ## python -c 'import os,base64; print base64.urlsafe_b64encode(os.urandom(16))' + ## ref: https://pusher.github.io/oauth2_proxy/configuration + ## + cookieSecret: "" + ## @param authProxy.emailDomain Allowed email domains + ## Use "example.com" to restrict logins to emails from example.com + ## + emailDomain: "*" + ## @param authProxy.additionalFlags Additional flags for oauth2-proxy + ## e.g: + ## additionalFlags: + ## - --ssl-insecure-skip-verify + ## - --cookie-secure=false + ## - --scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform + ## - --oidc-issuer-url=https://accounts.google.com # Only needed if provider is oidc + ## + additionalFlags: [] + ## @param authProxy.containerPort Auth Proxy HTTP container port + ## + containerPort: 3000 + ## Configure Container Security Context for Auth Proxy + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param authProxy.containerSecurityContext.enabled Enabled Auth Proxy containers' Security Context + ## @param authProxy.containerSecurityContext.runAsUser Set Auth Proxy container's Security Context runAsUser + ## @param authProxy.containerSecurityContext.runAsNonRoot Set Auth Proxy container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## OAuth2 Proxy containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param authProxy.resources.limits.cpu The CPU limits for the OAuth2 Proxy container + ## @param authProxy.resources.limits.memory The memory limits for the OAuth2 Proxy container + ## @param authProxy.resources.requests.cpu The requested CPU for the OAuth2 Proxy container + ## @param 
authProxy.resources.requests.memory The requested memory for the OAuth2 Proxy container ## resources: - ## Default values set based on usage data from running Kubeapps instances - ## ref: https://github.com/kubeapps/kubeapps/issues/478#issuecomment-422979262 - ## limits: cpu: 250m memory: 128Mi requests: cpu: 25m memory: 32Mi - ## Affinity for Dashboard pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + +## @section Pinniped Proxy parameters + +## Pinniped Proxy configuration for converting user OIDC tokens to k8s client authorization certs +## NOTE: This component is alpha functionality in Kubeapps until we complete testing and documentation. +## +pinnipedProxy: + ## @param pinnipedProxy.enabled Specifies whether Kubeapps should configure Pinniped Proxy ## - affinity: {} - ## Node labels for Dashboard pods assignment. Evaluated as a template. - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + enabled: false + ## Bitnami Pinniped Proxy image + ## ref: https://hub.docker.com/r/bitnami/kubeapps-pinniped-proxy/tags/ + ## @param pinnipedProxy.image.registry Pinniped Proxy image registry + ## @param pinnipedProxy.image.repository Pinniped Proxy image repository + ## @param pinnipedProxy.image.tag Pinniped Proxy image tag (immutable tags are recommended) + ## @param pinnipedProxy.image.pullPolicy Pinniped Proxy image pull policy + ## @param pinnipedProxy.image.pullSecrets Pinniped Proxy image pull secrets ## - nodeSelector: {} - ## Tolerations for Dashboard pods assignment. Evaluated as a template. 
- ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + image: + registry: docker.io + repository: bitnami/kubeapps-pinniped-proxy + tag: 2.3.2-debian-10-r11 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param pinnipedProxy.defaultPinnipedNamespace Specify the (default) namespace in which pinniped concierge is installed ## - tolerations: {} - ## Custom CSS injected to the Dashboard to customize Kubeapps look and feel + defaultPinnipedNamespace: pinniped-concierge + ## @param pinnipedProxy.defaultAuthenticatorType Specify the (default) authenticator type + ## + defaultAuthenticatorType: JWTAuthenticator + ## @param pinnipedProxy.defaultAuthenticatorName Specify the (default) authenticator name + ## + defaultAuthenticatorName: jwt-authenticator + ## @param pinnipedProxy.defaultPinnipedAPISuffix Specify the (default) API suffix + ## + defaultPinnipedAPISuffix: pinniped.dev + ## @param pinnipedProxy.containerPort Kubeops HTTP container port + ## + containerPort: 3333 + ## Configure Container Security Context for Pinniped Proxy + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param pinnipedProxy.containerSecurityContext.enabled Enabled Pinniped Proxy containers' Security Context + ## @param pinnipedProxy.containerSecurityContext.runAsUser Set Pinniped Proxy container's Security Context runAsUser + ## @param pinnipedProxy.containerSecurityContext.runAsNonRoot Set Pinniped Proxy container's Security Context 
runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Pinniped Proxy containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param pinnipedProxy.resources.limits.cpu The CPU limits for the Pinniped Proxy container + ## @param pinnipedProxy.resources.limits.memory The memory limits for the Pinniped Proxy container + ## @param pinnipedProxy.resources.requests.cpu The requested CPU for the Pinniped Proxy container + ## @param pinnipedProxy.resources.requests.memory The requested memory for the Pinniped Proxy container + ## + resources: + limits: + cpu: 250m + memory: 128Mi + requests: + cpu: 25m + memory: 32Mi + +## @section Other Parameters + +## @param allowNamespaceDiscovery Allow users to discover available namespaces (only the ones they have access) +## NOTE: When set to true, Kubeapps creates a ClusterRole to be able to list namespaces. +## +allowNamespaceDiscovery: true +## @param clusters [array] List of clusters that Kubeapps can target for deployments +## When populated with a single cluster (as it is by default), Kubeapps will not allow users to +## change the target cluster. When populated with multiple clusters, Kubeapps will present the clusters to +## the user as potential targets for install or browsing. +## - Note that you can define a single cluster without an apiServiceURL and the chart will assume this is +## the name you are assigning to the cluster on which Kubeapps is itself installed. Specifying more than +## one cluster without an apiServiceURL will cause the chart display an error. 
+## - The base64-encoded certificateAuthorityData can be obtained from the additional cluster's kube config
+## file, for example, to get the ca data for the 0th cluster in your config (adjust the index 0 as necessary):
+## kubectl --kubeconfig ~/.kube/kind-config-kubeapps-additional config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'
+## - serviceToken is an optional token configured to allow LIST namespaces and package manifests (operators) only on the additional cluster
+## so that the UI can present a list of (only) those namespaces to which the user has access and the available operators.
+## - isKubeappsCluster is an optional parameter that allows defining the cluster in which Kubeapps is installed;
+## this param is useful when every cluster is using an apiServiceURL (e.g., when using the Pinniped Impersonation Proxy)
+## as the chart cannot infer the cluster on which Kubeapps is installed in that case.
+## e.g.:
+## clusters:
+## - name: default
+## domain: cluster.local
+## - name: second-cluster
+## domain: cluster.local
+## apiServiceURL: https://second-cluster:6443
+## certificateAuthorityData: LS0tLS1CRUdJ...
+## serviceToken: ...
+## isKubeappsCluster: true
+##
+clusters:
+ - name: default
+ domain: cluster.local
+## @param featureFlags [object] Feature flags (used to switch on development features)
+##
+featureFlags:
+ invalidateCache: true
+## RBAC configuration
+##
+rbac:
+ ## @param rbac.create Specifies whether RBAC resources should be created
+ ##
+ create: true
+## Image used for the tests
+## Bitnami NGINX image
+## ref: https://hub.docker.com/r/bitnami/nginx/tags/
+## @param testImage.registry NGINX image registry
+## @param testImage.repository NGINX image repository
+## @param testImage.tag NGINX image tag (immutable tags are recommended)
+## @param testImage.pullPolicy NGINX image pull policy
+## @param testImage.pullSecrets NGINX image pull secrets
+##
+testImage:
+ registry: docker.io
+ repository: bitnami/nginx
+ tag: 1.19.10-debian-10-r25
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## e.g: - ## customStyle: |- - ## .header.header-7 { - ## background-color: #991700; - ## } - customStyle: "" - ## Custom Form components injected into the BasicDeploymentForm - ## Read the reference below for a step-by-step integration - ## https://github.com/kubeapps/kubeapps/blob/master/docs/developer/custom-form-component-support.md - customComponents: "" - ## Custom translations injected to the Dashboard to customize the strings used in Kubeapps - ## Ref: https://github.com/kubeapps/kubeapps/blob/master/docs/developer/translate-kubeapps.md - ## e.g: - ## customLocale: - ## "Kubeapps": "My Dashboard" - ## "login-oidc": "Login with my company SSO" - customLocale: "" + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + +## @section Database Parameters ## PostgreSQL chart configuration ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml ## postgresql: - # Enable PostgreSQL. 
This should be true + ## @param postgresql.enabled Deploy a PostgreSQL server to satisfy the applications database requirements + ## enabled: true - ## Enable replication for high availability + ## @param postgresql.replication.enabled Enable replication for high availability + ## replication: enabled: true - ## Create a database for Kubeapps on the first run + ## @param postgresql.postgresqlDatabase Database name for Kubeapps to be created on the first run + ## postgresqlDatabase: assets - ## PostgreSQL password + ## @param postgresql.postgresqlPassword Password for 'postgres' user ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run ## - # postgresqlPassword: - ## Kubeapps uses PostgreSQL as a cache and persistence is not required + postgresqlPassword: "" + ## PostgreSQL Persistence parameters + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## @param postgresql.persistence.enabled Enable persistence on PostgreSQL using PVC(s) + ## @param postgresql.persistence.size Persistent Volume size ## persistence: enabled: false size: 8Gi - ## Pod Security Context + ## @param postgresql.securityContext.enabled Enabled PostgreSQL replicas pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: enabled: false - ## PostgreSQL containers' resource requests and limits + ## PostreSQL containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param postgresql.resources.limits The resources limits for the PostreSQL container + ## @param postgresql.resources.requests.cpu The requested CPU for the PostreSQL container + ## @param postgresql.resources.requests.memory The requested memory for the PostreSQL container ## resources: + limits: {} requests: memory: 256Mi cpu: 250m - -## RBAC paramters -## -rbac: - ## Perform creation of RBAC resources - ## - create: true - -## Pod 
Security Context
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-##
-securityContext:
- enabled: false
- runAsUser: 1001
- fsGroup: 1001
-
-## Image used for the tests. The only requirement is to include curl
-##
-testImage:
- registry: docker.io
- repository: bitnami/nginx
- tag: 1.19.10-debian-10-r11
-
-# Auth Proxy configuration for OIDC support
-# ref: https://github.com/kubeapps/kubeapps/blob/master/docs/user/using-an-OIDC-provider.md
-authProxy:
- ## Set to true if Kubeapps should configure the OAuth login/logout URIs defined below.
- #
- enabled: false
- ## When authProxy.enabled is true, by default Kubeapps will deploy its own
- ## auth-proxy service as part of the Kubeapps frontend. Set external to true
- ## if you are configuring your own auth proxy service external to Kubeapps
- ## and therefore don't want Kubeapps to deploy its own auth-proxy.
- #
- external: false
- ## Overridable flags for OAuth URIs to which the Kubeapps frontend redirects for authn.
- ## Useful when serving Kubeapps under a sub path or using an external auth proxy.
- ##
- oauthLoginURI: /oauth2/start
- oauthLogoutURI: /oauth2/sign_out
-
- ## Skip the Kubeapps login page when using OIDC and directly redirect to the IdP
- ##
- skipKubeappsLoginPage: false
-
- ## The remaining auth proxy values are relevant only if an internal auth-proxy is
- ## being configured by Kubeapps.
- ## Bitnami OAuth2 Proxy image
- ## ref: https://hub.docker.com/r/bitnami/oauth2-proxy/tags/
- ##
- image:
- registry: docker.io
- repository: bitnami/oauth2-proxy
- tag: 7.1.2-debian-10-r22
- ## Specify a imagePullPolicy
- ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
- ##
- pullPolicy: IfNotPresent
-
- ## Mandatory parameters for the internal auth-proxy.
- ##
- provider: ""
- clientID: ""
- clientSecret: ""
- ## cookieSecret is used by oauth2-proxy to encrypt any credentials so that it requires
- ## no storage. 
Note that it must be a particular number of bytes. Recommend using the
- ## following to generate a cookieSecret as per the oauth2 configuration documentation
- ## at https://pusher.github.io/oauth2_proxy/configuration :
- ## python -c 'import os,base64; print base64.urlsafe_b64encode(os.urandom(16))'
- cookieSecret: ""
- ## Use "example.com" to restrict logins to emails from example.com
- emailDomain: "*"
- ## Additional flags for oauth2-proxy
- ##
- additionalFlags: []
- # - --ssl-insecure-skip-verify
- # - --cookie-secure=false
- # - --scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform
- # - --oidc-issuer-url=https://accounts.google.com # Only needed if provider is oidc
- ## OAuth2 Proxy containers' resource requests and limits
- ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
- ##
- resources:
- ## Default values set based on usage data from running Kubeapps instances
- ## ref: https://github.com/kubeapps/kubeapps/issues/478#issuecomment-422979262
- ##
- limits:
- cpu: 250m
- memory: 128Mi
- requests:
- cpu: 25m
- memory: 32Mi
-
-# Pinniped Proxy configuration for converting user OIDC tokens to k8s client authorization certs.
-# NOTE: This component is alpha functionality in Kubeapps until we complete testing and documentation.
-pinnipedProxy:
- ## Set to true if Kubeapps should configure pinniped-proxy on the frontend.
- #
- enabled: false
-
- ## pinnipedProxy service parameters
- ##
- service:
- ## HTTP Port
- ##
- port: 3333
-
- image:
- registry: docker.io
- repository: bitnami/kubeapps-pinniped-proxy
- tag: 2.3.2-debian-10-r0
- ## Specify a imagePullPolicy
- ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
- ##
- pullPolicy: IfNotPresent
-
- ## Specify the (default) namespace in which pinniped concierge is installed
- ## on the cluster(s) as well as the default authenticator type and name for use by
- ## Kubeapps. 
These default options are useful if all clusters use have a similar
- ## pinniped-concierge setup, otherwise we need to specify these for each cluster.
- defaultPinnipedNamespace: pinniped-concierge
- defaultAuthenticatorType: JWTAuthenticator
- defaultAuthenticatorName: jwt-authenticator
- ## The defaultPinnipedAPISuffix flag is not fully supported yet,
- ## please use the default value "pinniped.dev"
- defaultPinnipedAPISuffix: pinniped.dev
-
- ## OAuth2 Proxy containers' resource requests and limits
- ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
- ##
- resources:
- ## Default values set based on usage data from running Kubeapps instances
- ## ref: https://github.com/kubeapps/kubeapps/issues/478#issuecomment-422979262
- ##
- limits:
- cpu: 250m
- memory: 128Mi
- requests:
- cpu: 25m
- memory: 32Mi
-
-## Feature flags
-## These are used to switch on in development features or new features which are ready to be released.
-featureFlags:
- invalidateCache: true
diff --git a/githooks/pre-commit/kubeapps b/githooks/pre-commit/kubeapps
deleted file mode 100755
index 8014211760..0000000000
--- a/githooks/pre-commit/kubeapps
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-if git diff --name-only --cached | grep '/kubeapps/'; then
- printf '\n\U1F6AB Commit cancelled\n\nKubeapps changes detected in this repository.\nPlease, implement them in the kubeapps repository (https://github.com/kubeapps/kubeapps/tree/master/chart/kubeapps).\n'
- exit 1
-fi
-
-exit 0