feat(common): readd TrueCharts specific features to refactor (#292)

**Description**
This PR re-adds TrueCharts specific portions back into the refactor done
by iX-Systems to the common-chart

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there so the reviewer can see at a glance what this
PR is about and
what its current status is._

Co-authored-by: Stavros kois <s.kois@outlook.com>
Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Kjeld Schouten-Lebbing
2023-01-23 00:37:30 +01:00
committed by GitHub
parent bfca126f92
commit 303df87c51
69 changed files with 7824 additions and 26 deletions


@@ -16,7 +16,7 @@ jobs:
helm-version:
- v3.9.4
- v3.10.3
- v3.11.0-rc.2
- v3.11.0
steps:
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
@@ -56,7 +56,7 @@ jobs:
helm-version:
- v3.9.4
- v3.10.3
- v3.11.0-rc.2
- v3.11.0
steps:
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
@@ -73,6 +73,7 @@ jobs:
with:
path: |
/home/runner/.local/share/helm/plugins/helm-unittest
/tmp/_dist/
key: helm-${{ matrix.helm-version }}-unittest-v${{ env.helmUnitVersion }}
restore-keys: |
helm-${{ matrix.helm-version }}-unittest-v${{ env.helmUnitVersion }}
@@ -80,7 +81,7 @@ jobs:
- name: Run Unittests
shell: bash
run: |
(helm unittest -h > /dev/null) || helm plugin install https://github.com/quintush/helm-unittest --version v${helmUnitVersion} || (sleep 10 && helm plugin install https://github.com/quintush/helm-unittest --version v${helmUnitVersion})
(helm unittest -h > /dev/null) || helm plugin install https://github.com/quintush/helm-unittest --version v${helmUnitVersion} || (sleep 10 && helm plugin install https://github.com/quintush/helm-unittest --version v${helmUnitVersion}) || echo "finished unittest reinstall tries"
# Run tests
cd library/common-test/
@@ -111,6 +112,12 @@ jobs:
- rbac-values.yaml
- secrets-values.yaml
- statefulset-values.yaml
- ingress-values.yaml
- networkPolicy-values.yaml
- codeserver-values.yaml
- metrics-values.yaml
- manifest-values.yaml
- stagingmanifest-values.yaml
steps:
- name: Checkout
@@ -186,7 +193,7 @@ jobs:
mv -f library/common-test/runtests/${{ matrix.values }} library/common-test/values.yaml
# Stat kail on the background to grab logs from tests
./kail --ignore-ns kube-system >> /tmp/output.log &
./kail --ignore-ns kube-system --ignore-ns cert-manager --ignore-ns metallb-system --ignore-ns prometheus-operator >> /tmp/output.log &
# Actually run the test
ct install --config .github/ct-install-config/ct-install.yaml \
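Review bot: The `|| echo "finished unittest reinstall tries"` appended to the plugin-install line in the Run Unittests step turns a failed `helm plugin install` into a successful command, so the step carries on and the failure only surfaces later as a confusing "unknown command" from `helm unittest`. If the goal is just to log the outcome, keep the non-zero exit status: `|| { echo "helm-unittest plugin install failed after retries"; exit 1; }` (the step already runs under `shell: bash`). The rest of that step, from `cd library/common-test/` onward, and the `ct install` command at the end of the last hunk continue outside what is shown here.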

5
.gitignore vendored

@@ -52,3 +52,8 @@ charts/*/Chart.lock
charts/*/charts
helper-charts/*/Chart.lock
helper-charts/*/charts
library/*/Chart.lock
library/*/charts
library/**/charts/*.tgz
library/**/render/*
library/library/common-test/charts/
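Review bot: The new pattern `library/library/common-test/charts/` repeats the `library/` segment, which reads like a typo for `library/common-test/charts/`; as written it matches nothing in the layout the neighbouring patterns describe. Note that the added `library/*/charts` line already covers that directory, so once corrected the line is probably redundant — please confirm against the real path before dropping it.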


@@ -10,6 +10,10 @@ service:
protocol: HTTP
port: 8080
manifests:
enabled: false
staging: false
args:
- --port
- "8080"


@@ -0,0 +1,35 @@
image:
repository: ghcr.io/truecharts/whoami
pullPolicy: IfNotPresent
tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772
service:
main:
ports:
main:
port: 8080
args:
- --port
- '8080'
manifests:
enabled: false
staging: false
probes:
liveness:
enabled: true
readiness:
enabled: true
startup:
enabled: true
addons:
codeserver:
enabled: true
service:
type: LoadBalancer
ports:
codeserver:
nodePort: 30067


@@ -3,11 +3,6 @@ image:
pullPolicy: IfNotPresent
tag: latest
someImage:
repository: hello-world
tag: latest
pullPolicy: IfNotPresent
service:
main:
ports:
@@ -43,13 +38,13 @@ additionalContainers:
path: /
initContainers:
some-name:
imageSelector: someImage
imageSelector: scratchImage
systemContainers:
some-name:
imageSelector: someImage
imageSelector: scratchImage
installContainers:
some-name:
imageSelector: someImage
imageSelector: scratchImage
probes:
liveness:


@@ -0,0 +1,163 @@
image:
repository: ghcr.io/truecharts/whoami
pullPolicy: IfNotPresent
tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772
service:
main:
ports:
main:
port: 8080
autolink:
enabled: true
ports:
autolink:
enabled: true
port: 8081
manifests:
enabled: false
staging: false
args:
- --port
- '8080'
probes:
liveness:
enabled: true
readiness:
enabled: true
startup:
enabled: true
# -- Configure the ingresses for the chart here.
# Additional ingresses can be added by adding a dictionary key similar to the 'main' ingress.
# @default -- See below
ingress:
main:
enabled: true
hosts:
- host: chart-example.local
paths:
- path: /
pathType: Prefix
service:
name:
port:
tls: []
# TODO: Enable when SCALE Certs are readded
# scalecert:
# enabled: true
# hosts:
# - host: scalecert.chart-example.local
# paths:
# - path: /
# pathType: Prefix
# service:
# name:
# port:
# tls:
# - scaleCert: "1"
# hosts:
# - scalecert.chart-example.local
label:
enabled: true
fixedMiddlewares:
- chain-basic
labels:
labelexample1: labelvalue2
hosts:
- host: label.chart-example.local
paths:
- path: /
pathType: Prefix
service:
name:
port:
tls: []
autolink:
enabled: true
fixedMiddlewares:
- chain-basic
hosts:
- host: label.chart-example.local
paths:
- path: /
pathType: Prefix
service:
name:
port:
tls: []
autoLink: true
notls:
enabled: true
fixedMiddlewares:
- chain-basic
hosts:
- host: notls.chart-example.local
paths:
- path: /
pathType: Prefix
service:
name:
port:
"ixCertificateAuthorities": {}
"ixCertificates":
"1":
"CA_type_existing": false
"CA_type_intermediate": false
"CA_type_internal": false
"CSR": ""
"DN": "/C=US/O=iXsystems/CN=localhost/emailAddress=info@ixsystems.com/ST=Tennessee/L=Maryville/subjectAltName=DNS:localhost"
"cert_type": "CERTIFICATE"
"cert_type_CSR": false
"cert_type_existing": true
"cert_type_internal": false
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMx\nEjAQBgNVBAoMCWlYc3lzdGVtczESMBAGA1UEAwwJbG9jYWxob3N0MSEwHwYJKoZI\nhvcNAQkBFhJpbmZvQGl4c3lzdGVtcy5jb20xEjAQBgNVBAgMCVRlbm5lc3NlZTES\nMBAGA1UEBwwJTWFyeXZpbGxlMB4XDTIwMDkyNTE0MDUzOFoXDTIyMTIyOTE0MDUz\nOFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlpWHN5c3RlbXMxEjAQBgNVBAMM\nCWxvY2FsaG9zdDEhMB8GCSqGSIb3DQEJARYSaW5mb0BpeHN5c3RlbXMuY29tMRIw\nEAYDVQQIDAlUZW5uZXNzZWUxEjAQBgNVBAcMCU1hcnl2aWxsZTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALpoGliii6X8DeoFdLcR7jjsfJIn3nC8f1pT\nLQ3RURHUOEyhPT3Z6TkhaHeHoj8D6kiXROhyJJq3kw5OeqGZisfpGQhkxjpxkfh9\nfAhlvhuLwCWHaMvSh1TaT+h9+eHfcx3un5CIaH8b1KYRBMH+jmKFpr7jkPNkBXLS\nMA7jKIIa8pD9R6lF4gAsbqJafCbT3R7bqkd9xp3n3j2YhqQzETU2lmu4fra3BPio\nofK47kSkguUC6mtk6VrDf2+QtCKlY0dtbF3e2ZBNWo1aj86sjCtoEmqOCMsPRLc/\nXwQcfEqHY4XfafXwqk0G0UxV2ce18xKoR/pN3MpLBZ65NzPnpn0CAwEAAaMtMCsw\nFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG\nSIb3DQEBCwUAA4IBAQBFW1R037y7wllg/gRk9p2T1stiG8iIXosblmL4Ak1YToTQ\n/0to5GY2ZYW29+rbA4SDTS5eeu2YqZ0A/fF3wey7ggzMS7KyNBOvx5QBJRw3PJGn\n+THfhXvdfkOyeUC6KWRGLgl+/zBFvgh6vFDq3jmv0NI4ehVBTBMCJn7r6577S16T\nwtgKMCooizII0Odu5HIF10gTieFIH3PQYm9JBji9iyemb9Ht3wn7fXQptfGadz/l\nWz/Dv9+a6IOr7JVJMHnqAIvPzpkav4efuVPOX1zbhjg4K5g+nRYfjr5F5upOd0Y3\nznWTUBUyI7CXRkpHtSDXfEqKgnk/8uv7GWw+hyKr\n-----END CERTIFICATE-----\n"
"certificate_path": "/etc/certificates/freenas_default.crt"
"chain": false
"chain_list": [
"-----BEGIN CERTIFICATE-----\nMIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMx\nEjAQBgNVBAoMCWlYc3lzdGVtczESMBAGA1UEAwwJbG9jYWxob3N0MSEwHwYJKoZI\nhvcNAQkBFhJpbmZvQGl4c3lzdGVtcy5jb20xEjAQBgNVBAgMCVRlbm5lc3NlZTES\nMBAGA1UEBwwJTWFyeXZpbGxlMB4XDTIwMDkyNTE0MDUzOFoXDTIyMTIyOTE0MDUz\nOFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlpWHN5c3RlbXMxEjAQBgNVBAMM\nCWxvY2FsaG9zdDEhMB8GCSqGSIb3DQEJARYSaW5mb0BpeHN5c3RlbXMuY29tMRIw\nEAYDVQQIDAlUZW5uZXNzZWUxEjAQBgNVBAcMCU1hcnl2aWxsZTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALpoGliii6X8DeoFdLcR7jjsfJIn3nC8f1pT\nLQ3RURHUOEyhPT3Z6TkhaHeHoj8D6kiXROhyJJq3kw5OeqGZisfpGQhkxjpxkfh9\nfAhlvhuLwCWHaMvSh1TaT+h9+eHfcx3un5CIaH8b1KYRBMH+jmKFpr7jkPNkBXLS\nMA7jKIIa8pD9R6lF4gAsbqJafCbT3R7bqkd9xp3n3j2YhqQzETU2lmu4fra3BPio\nofK47kSkguUC6mtk6VrDf2+QtCKlY0dtbF3e2ZBNWo1aj86sjCtoEmqOCMsPRLc/\nXwQcfEqHY4XfafXwqk0G0UxV2ce18xKoR/pN3MpLBZ65NzPnpn0CAwEAAaMtMCsw\nFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG\nSIb3DQEBCwUAA4IBAQBFW1R037y7wllg/gRk9p2T1stiG8iIXosblmL4Ak1YToTQ\n/0to5GY2ZYW29+rbA4SDTS5eeu2YqZ0A/fF3wey7ggzMS7KyNBOvx5QBJRw3PJGn\n+THfhXvdfkOyeUC6KWRGLgl+/zBFvgh6vFDq3jmv0NI4ehVBTBMCJn7r6577S16T\nwtgKMCooizII0Odu5HIF10gTieFIH3PQYm9JBji9iyemb9Ht3wn7fXQptfGadz/l\nWz/Dv9+a6IOr7JVJMHnqAIvPzpkav4efuVPOX1zbhjg4K5g+nRYfjr5F5upOd0Y3\nznWTUBUyI7CXRkpHtSDXfEqKgnk/8uv7GWw+hyKr\n-----END CERTIFICATE-----\n"
]
"city": "Maryville"
"common": "localhost"
"country": "US"
"csr_path": "/etc/certificates/freenas_default.csr"
"digest_algorithm": "SHA256"
"email": "info@ixsystems.com"
"extensions":
"ExtendedKeyUsage": "TLS Web Server Authentication"
"SubjectAltName": "DNS:localhost"
"fingerprint": "9C:5A:1D:1B:E7:9E:0B:89:2B:37:F4:19:83:ED:3C:6B:D8:14:0D:9B"
"from": "Fri Sep 25 16:05:38 2020"
"id": 1
"internal": "NO"
"issuer": "external"
"key_length": 2048
"key_type": "RSA"
"lifetime": 825
"name": "freenas_default"
"organization": "iXsystems"
"organizational_unit": ""
"parsed": true
"privatekey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6aBpYooul/A3q\nBXS3Ee447HySJ95wvH9aUy0N0VER1DhMoT092ek5IWh3h6I/A+pIl0TociSat5MO\nTnqhmYrH6RkIZMY6cZH4fXwIZb4bi8Alh2jL0odU2k/offnh33Md7p+QiGh/G9Sm\nEQTB/o5ihaa+45DzZAVy0jAO4yiCGvKQ/UepReIALG6iWnwm090e26pHfcad5949\nmIakMxE1NpZruH62twT4qKHyuO5EpILlAuprZOlaw39vkLQipWNHbWxd3tmQTVqN\nWo/OrIwraBJqjgjLD0S3P18EHHxKh2OF32n18KpNBtFMVdnHtfMSqEf6TdzKSwWe\nuTcz56Z9AgMBAAECggEARwcb4uIs7BZbBu0FSCyg5TfXT6m5bKOmszg2VqmHho+i\n1DAsMcEyyP4d3E3mWLSZNQfOzfOQVxPUCQOGXsUuyHXdgAFGN0bHJDRMara59a0O\njj5GhEO4JXD6OdCmwpZuOt2OF3iiuKxWHuElOvZQMuJSYzI7LULTgKjufv23lbsf\nxMO/v9yi57c5EGgnQ8siLKOy/FQZapn4Z9qKn+lVyk5gfaKP0pDsvV4d7nGYMDD2\nYijfkSyNecApFdtWiLE5zLUlvF6oNj8o66z3YrVNKrCPzhA/5Rkkwwk32SNxvKU3\nVZFSNPeOZ60BicxYcWO+b2aAa0WF+uazJAZ4q52gUQKBgQDu88R+0wm76secYkzE\nQglteLNZKFcvth0kI5xH42Hmk9IXkGimFoDJCIrLAuopyGnfNmqmh2is3QUMUPdR\n/wDLnKc4MCezEidNoD2RBC+bzM1hB9oye/b5sOZUDFXSa0k4XSLu1UEuy1yWhkuS\n6JjY1KQfc4FN0K0Fjqqo7UCTCwKBgQDHtKQh/NvMJ2ok4YW+/QAsus4mEK9eCyUy\nOuyDszQYrGvjkS7STKJVNxGLhWb0XKSIAxMZ66b1MwOt+71h7xNn6pcancfVdK7F\n1Xl5J+76SwbXSgQwTZuoMDxPIvZn7v/2ep5Ni/BcOhMcPIcobWb/OmXrFN1brBvo\nlFNQyWWhlwKBgFDAyPMjVvLO0U6kWdUpjA4W8GV9IJnbLdX8wt/4lClcY2/bOcKH\ncFaAMIeTIJemR0FMHpbQxCtHNmGHK03mo9orwsdWXtRBmk69jJDpnT1F5VKZWMAe\n7MRNaEmXMZm+8CvALgIQx8qMp2mnUPsA6Ea+9gg6/MPTdeWe5UXZiC0pAoGAGtSt\nPJfBXBNrklruYjORo3DRo5GYThVHQRFjl2orNKltsVxfIwgCw1ortEgPBgOwY0mu\ndkwP2V+qPeTVk+PQAqUk+gF6yLXtiUzeDiYMWHpeB+y81VSH9jfM0oELA/m7T/03\naYnEmE+BI8kKC6dvMBlDeisKdneQJFZRP0hfrC8CgYEAgYIyCGwcydKpe2Nkj0Fz\nKTtCMC/k4DvJfd5Kb9AbmrPUfKgA9Xj4GT6yPG6uBMi8r5etvLCKJ2x2NtN024a8\nQJLATYPrSsaZkE+9zM0j5nYAgbKpxBhlDzDAzn//3ByVzfgJ25S80XhTI2lfbLH/\nU07ssxdZaQCo+WuD82OvNcg=\n-----END PRIVATE KEY-----\n"
"privatekey_path": "/etc/certificates/freenas_default.key"
"revoked": false
"revoked_date": ""
"root_path": "/etc/certificates"
"san": [
"DNS:localhost"
]
"serial": 1
"signedby": ""
"state": "Tennessee"
"subject_name_hash": 3193428416
"type": 8
"until": "Thu Dec 29 15:05:38 2022"
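Review bot: The `ixCertificates` fixture embeds a complete PEM private key under `"privatekey"` next to its certificate; even if this is a throwaway test key, committed key material trips secret scanners and tends to get copied into other fixtures, so prefer a key generated at test time or a clearly labelled dummy value and say where it came from in a comment such as `# constructed test fixture only — not a real deployment key`. Per its own `"until"` field the certificate expired on 2022-12-29, before this commit, so any validity assertion will fail as soon as the commented-out `scalecert` ingress is re-enabled. Separately, the `label` and `autolink` ingresses both declare `host: label.chart-example.local` with path `/`, which renders two Ingress objects claiming the same host and path; if that is not deliberate, give `autolink` its own host (e.g. `autolink.chart-example.local`).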


@@ -0,0 +1,26 @@
image:
repository: ghcr.io/truecharts/whoami
pullPolicy: IfNotPresent
tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772
service:
main:
ports:
main:
port: 8080
args:
- --port
- '8080'
manifests:
enabled: true
staging: false
probes:
liveness:
enabled: true
readiness:
enabled: true
startup:
enabled: true


@@ -0,0 +1,16 @@
image:
repository: ghcr.io/truecharts/whoami
pullPolicy: IfNotPresent
tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772
service:
main:
ports:
main:
port: 8080
args:
- --port
- '8080'
# TODO: add metrics test values
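Review bot: This file is added to the CI `values` matrix as `metrics-values.yaml`, but per its own `# TODO: add metrics test values` it enables no metrics, so that matrix job only re-runs the default install and will not catch a regression in the metrics templates. Until the values exist, either leave `metrics-values.yaml` out of the matrix or add a minimal `metrics:` stanza here so the job exercises the feature it is named after. The hunk header advertises 16 added lines while fewer are shown, so the rendering may have dropped blank lines.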


@@ -0,0 +1,73 @@
image:
repository: ghcr.io/truecharts/whoami
pullPolicy: IfNotPresent
tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772
service:
main:
ports:
main:
port: 8080
args:
- --port
- '8080'
manifests:
enabled: false
staging: false
probes:
liveness:
enabled: true
readiness:
enabled: true
startup:
enabled: true
networkPolicy:
main:
enabled: true
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
- namespaceSelector:
matchLabels:
project: myproject2
podSelector:
matchLabels:
role: frontend2
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 172.17.2.0/16
except:
- 172.17.2.0/24
- namespaceSelector:
matchLabels:
project: myproject3
- podSelector:
matchLabels:
role: frontend3
- namespaceSelector:
matchLabels:
project: myproject4
podSelector:
matchLabels:
role: frontend4
ports:
- protocol: TCP
port: 5978
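Review bot: The egress rule's `cidr: 172.17.2.0/16` has host bits set — a /16 prefix on 172.17.2.0 denotes 172.17.0.0/16 — so the value is non-canonical, and validators or CNIs may either normalise it silently or reject the NetworkPolicy. Write it as `cidr: 172.17.0.0/16` (keeping `except: [172.17.2.0/24]`) if the whole /16 was meant, or use a /24-aligned network if a narrower range was intended. The ingress rule in the same fixture is already canonical.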


@@ -13,6 +13,10 @@ args:
- --port
- '8080'
manifests:
enabled: false
staging: false
probes:
liveness:
enabled: true


@@ -13,6 +13,10 @@ args:
- --port
- '8080'
manifests:
enabled: false
staging: false
probes:
liveness:
enabled: true


@@ -0,0 +1,26 @@
image:
repository: ghcr.io/truecharts/whoami
pullPolicy: IfNotPresent
tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772
service:
main:
ports:
main:
port: 8080
args:
- --port
- '8080'
manifests:
enabled: true
staging: true
probes:
liveness:
enabled: true
readiness:
enabled: true
startup:
enabled: true


@@ -0,0 +1,47 @@
suite: addon codeserver
templates:
- common.yaml
tests:
- it: default should pass
asserts:
- hasDocuments:
count: 3
- documentIndex: 1
isKind:
of: Service
- documentIndex: &DeploymentDocument 0
isKind:
of: Deployment
- documentIndex: *DeploymentDocument
notEqual:
path: spec.template.spec.containers[0].name
value: RELEASE-NAME-common-test-additional-codeserver
- it: addon enabled should pass
set:
addons:
codeserver:
enabled: true
volumeMounts:
- name: "config"
mountPath: "/data/config"
asserts:
- hasDocuments:
count: 4
- documentIndex: 2
isKind:
of: Service
- documentIndex: &DeploymentDocument 0
isKind:
of: Deployment
- documentIndex: *DeploymentDocument
equal:
path: spec.template.spec.containers[1].name
value: RELEASE-NAME-common-test-additional-codeserver
- documentIndex: &AddonServiceDocument 1
isKind:
of: Service
- documentIndex: *AddonServiceDocument
equal:
path: metadata.name
value: RELEASE-NAME-common-test-codeserver


@@ -0,0 +1,149 @@
suite: addon vpn
templates:
- common.yaml
tests:
- it: default should pass
asserts:
- hasDocuments:
count: 3
- documentIndex: &DeploymentDocument 0
isKind:
of: Deployment
- documentIndex: 1
isKind:
of: Service
- documentIndex: *DeploymentDocument
notEqual:
path: spec.template.spec.containers[0].name
value: RELEASE-NAME-common-test-additional-vpn
- it: addon enabled with configFile should pass
set:
addons:
vpn:
type: openvpn
configFile:
enabled: true
asserts:
- hasDocuments:
count: 4
- documentIndex: &AddonVPNConfigSecretDocument 0
isKind:
of: Secret
- documentIndex: &DeploymentDocument 1
isKind:
of: Deployment
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.containers[1].volumeMounts
content:
mountPath: /vpn/vpn.conf
name: vpnconfig
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.volumes
content:
name: vpnconfig
hostPath:
path: /vpn/vpn.conf
type: File
- documentIndex: *AddonVPNConfigSecretDocument
equal:
path: metadata.name
value: RELEASE-NAME-common-test-openvpn
- it: addon enabled with managed secret should pass
set:
addons:
vpn:
type: openvpn
openvpn:
username: something
password: something
asserts:
- hasDocuments:
count: 4
- documentIndex: &SecretDocument 0
isKind:
of: Secret
- documentIndex: 2
isKind:
of: Service
- documentIndex: &DeploymentDocument 1
isKind:
of: Deployment
- documentIndex: *DeploymentDocument
notEqual:
path: spec.template.spec.containers[0].name
value: vpn
- it: tailscale addon enabled with authkey should pass
set:
addons:
vpn:
type: tailscale
tailscale:
authkey: something
asserts:
- hasDocuments:
count: 4
- documentIndex: &ServiceDocument 2
isKind:
of: Service
- documentIndex: &SecretDocument 0
isKind:
of: Secret
- documentIndex: *SecretDocument
isNotNull:
path: data.TS_AUTH_KEY
- documentIndex: *SecretDocument
equal:
path: metadata.name
value: RELEASE-NAME-common-test-tailscale-secret
- documentIndex: &DeploymentDocument 1
isKind:
of: Deployment
- documentIndex: *DeploymentDocument
notEqual:
path: spec.template.spec.containers[0].name
value: RELEASE-NAME-common-test-additional-tailscale
- documentIndex: *DeploymentDocument
equal:
path: spec.template.spec.containers[1].name
value: RELEASE-NAME-common-test-additional-tailscale
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.containers[1].env
content:
name: TS_KUBE_SECRET
value: ""
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.containers[1].env
content:
name: TS_SOCKET
value: /var/run/tailscale/tailscaled.sock
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.containers[1].env
content:
name: TS_STATE_DIR
value: /var/lib/tailscale
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.containers[1].env
content:
name: TS_AUTH_ONCE
value: "true"
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.containers[1].env
content:
name: TS_USERSPACE
value: "true"
- documentIndex: *DeploymentDocument
contains:
path: spec.template.spec.containers[1].env
content:
name: TS_ACCEPT_DNS
value: "false"
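Review bot: In `addon enabled with managed secret should pass` the only Deployment check is `notEqual` on `spec.template.spec.containers[0].name` against `vpn`, which cannot fail because the main container is never named `vpn`, so the test does not prove that the OpenVPN sidecar was injected. Assert the sidecar positively as the tailscale case does, e.g. `equal: path: spec.template.spec.containers[1].name value: RELEASE-NAME-common-test-additional-openvpn` (the name pattern is inferred from the tailscale assertion — confirm against the rendered output), and add `isNotNull` checks on the credential keys in the Secret's `data` rather than only `isKind`. The same non-falsifiable `notEqual` appears in the `default` case, where it is harmless.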


@@ -14,6 +14,8 @@ tests:
value:
- mountPath: /shared
name: shared
- mountPath: /dev/shm
name: shm
- mountPath: /tmp
name: tmp
- mountPath: /var/logs


@@ -139,6 +139,8 @@ tests:
value:
- mountPath: /shared
name: shared
- mountPath: /dev/shm
name: shm
- mountPath: /tmp
name: tmp
- mountPath: /var/logs
@@ -148,6 +150,9 @@ tests:
value:
- name: shared
emptyDir: {}
- name: shm
emptyDir:
medium: Memory
- name: tmp
emptyDir: {}
- name: varlogs
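Review bot: The expected `shm` volume is an `emptyDir` with `medium: Memory` and no `sizeLimit`, so this test pins a memory-backed /dev/shm whose size is bounded only by the pod's memory limit, or by the node's allocatable memory when the pod has none. If the common chart's volume template can express it, assert a bounded form here instead, e.g. `emptyDir: {medium: Memory, sizeLimit: <limit-placeholder>}`, and mirror that in the later test file that asserts the same volumes list. The mount-only hunks in the other test files (the `/dev/shm` `volumeMounts` additions) need no change.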


@@ -111,6 +111,8 @@ tests:
value:
- mountPath: /shared
name: shared
- mountPath: /dev/shm
name: shm
- mountPath: /tmp
name: tmp
- mountPath: /var/logs


@@ -115,6 +115,8 @@ tests:
value:
- mountPath: /shared
name: shared
- mountPath: /dev/shm
name: shm
- mountPath: /tmp
name: tmp
- mountPath: /var/logs


@@ -0,0 +1,99 @@
suite: ingress metadata
templates:
- common.yaml
tests:
- it: default metadata should pass
set:
ingress.main.enabled: true
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: metadata.annotations
value:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: default-chain-basic@kubernetescrd
- documentIndex: *ingressDocument
equal:
path: metadata.labels
value:
app: common-test
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: common-test
helm.sh/chart: common-test-1.0.0
release: RELEASE-NAME
- it: custom metadata should pass
set:
ingress:
main:
enabled: true
annotations:
test_annotation: test
labels:
test_label: test
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: metadata.annotations
value:
test_annotation: test
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: default-chain-basic@kubernetescrd
- documentIndex: *ingressDocument
equal:
path: metadata.labels
value:
app: common-test
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: common-test
helm.sh/chart: common-test-1.0.0
release: RELEASE-NAME
test_label: test
- it: custom metadata with global metadata should pass
set:
global:
labels:
global_label: test
annotations:
global_annotation: test
ingress:
main:
enabled: true
annotations:
test_annotation: test
labels:
test_label: test
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: metadata.annotations
value:
global_annotation: test
test_annotation: test
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: default-chain-basic@kubernetescrd
- documentIndex: *ingressDocument
equal:
path: metadata.labels
value:
app: common-test
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: common-test
release: RELEASE-NAME
global_label: test
helm.sh/chart: common-test-1.0.0
test_label: test


@@ -0,0 +1,87 @@
suite: ingress presence
templates:
- common.yaml
tests:
- it: default should pass
asserts:
- hasDocuments:
count: 3
- documentIndex: 0
not: true
isKind:
of: Ingress
- documentIndex: 1
not: true
isKind:
of: Ingress
- documentIndex: 2
not: true
isKind:
of: Ingress
- it: explicitly disabled should pass
set:
ingress.main.enabled: false
asserts:
- hasDocuments:
count: 3
- documentIndex: 0
not: true
isKind:
of: Ingress
- documentIndex: 1
not: true
isKind:
of: Ingress
- documentIndex: 2
not: true
isKind:
of: Ingress
- it: explicitly enabled should pass
set:
ingress.main.enabled: true
asserts:
- hasDocuments:
count: 4
- documentIndex: 0
not: true
isKind:
of: Ingress
- documentIndex: 1
not: true
isKind:
of: Ingress
- documentIndex: 2
not: true
isKind:
of: Ingress
- documentIndex: 3
isKind:
of: Ingress
- it: multiple enabled should pass
set:
ingress.main.enabled: true
ingress.test.enabled: true
asserts:
- hasDocuments:
count: 5
- documentIndex: 0
not: true
isKind:
of: Ingress
- documentIndex: 1
not: true
isKind:
of: Ingress
- documentIndex: 2
not: true
isKind:
of: Ingress
- documentIndex: 3
isKind:
of: Ingress
- documentIndex: 4
isKind:
of: Ingress


@@ -0,0 +1,42 @@
suite: ingress service reference
templates:
- common.yaml
tests:
- it: default should pass
set:
ingress.main.enabled: true
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].http.paths[0].backend.service
value:
name: RELEASE-NAME-common-test
port:
number: 65535
- it: custom service reference should pass
set:
ingress.main:
enabled: true
hosts:
- host: chart-test.local
paths:
- path: /
service:
name: pathService
port: 1234
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].http.paths[0].backend.service
value:
name: pathService
port:
number: 1234


@@ -0,0 +1,72 @@
suite: ingress tls
templates:
- common.yaml
tests:
- it: default should pass
set:
ingress.main.enabled: true
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
isNull:
path: spec.tls
- it: tls enabled should pass
set:
ingress.main:
enabled: true
tls:
- secretName: test
hosts:
- hostname
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.tls[0]
value:
secretName: test
hosts:
- hostname
- it: tls enabled without secret should pass
set:
ingress.main:
enabled: true
tls:
- hosts:
- hostname
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.tls[0]
value:
hosts:
- hostname
- it: tls enabled with secret template should pass
set:
ingress.main:
enabled: true
tls:
- secretName: "{{ .Release.Name }}-secret"
hosts:
- hostname
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.tls[0]
value:
secretName: RELEASE-NAME-secret
hosts:
- hostname


@@ -0,0 +1,72 @@
suite: ingress values
templates:
- common.yaml
tests:
- it: default should pass
set:
ingress.main.enabled: true
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].host
value: chart-example.local
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].http.paths[0].path
value: "/"
- it: custom host and path should pass
set:
ingress.main:
enabled: true
hosts:
- host: chart-test.local
paths:
- path: /test
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].host
value: chart-test.local
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].http.paths[0].path
value: "/test"
- it: host with template should pass
set:
ingress.main:
enabled: true
hosts:
- host: "{{ .Release.Name }}.hostname"
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].host
value: RELEASE-NAME.hostname
- it: path with template should pass
set:
ingress.main:
enabled: true
hosts:
- host: chart-test.local
paths:
- path: "/{{ .Release.Name }}.path"
asserts:
- documentIndex: &ingressDocument 3
isKind:
of: Ingress
- documentIndex: *ingressDocument
equal:
path: spec.rules[0].http.paths[0].path
value: "/RELEASE-NAME.path"


@@ -120,6 +120,8 @@ tests:
value:
- mountPath: /shared
name: shared
- mountPath: /dev/shm
name: shm
- mountPath: /tmp
name: tmp
- mountPath: /var/logs
@@ -129,6 +131,9 @@ tests:
value:
- name: shared
emptyDir: {}
- name: shm
emptyDir:
medium: Memory
- name: tmp
emptyDir: {}
- name: varlogs


@@ -0,0 +1,14 @@
suite: metrics defaults
templates:
- common.yaml
tests:
- it: default should pass
asserts:
- hasDocuments:
count: 3
- documentIndex: 1
isKind:
of: Service
- documentIndex: &DeploymentDocument 0
isKind:
of: Deployment


@@ -120,6 +120,8 @@ tests:
value:
- mountPath: /shared
name: shared
- mountPath: /dev/shm
name: shm
- mountPath: /tmp
name: tmp
- mountPath: /var/logs


@@ -66,6 +66,8 @@ tests:
value:
- mountPath: /shared
name: shared
- mountPath: /dev/shm
name: shm
- mountPath: /tmp
name: tmp
- mountPath: /var/logs


@@ -3,3 +3,7 @@ service:
ports:
main:
port: 65535
manifests:
enabled: false
staging: false



@@ -0,0 +1,35 @@
{{/*
Template to render code-server addon
It will include / inject the required templates based on the given values.
*/}}
{{- define "tc.v1.common.addon.codeserver" -}}
{{- if .Values.addons.codeserver.enabled -}}
{{/* Append the code-server container to the additionalContainers */}}
{{- $container := include "tc.v1.common.addon.codeserver.container" . | fromYaml -}}
{{- if $container -}}
{{- $_ := set .Values.additionalContainers "codeserver" $container -}}
{{- end -}}
{{/* Add the code-server service */}}
{{- if .Values.addons.codeserver.service.enabled -}}
{{- $serviceValues := .Values.addons.codeserver.service -}}
{{- $_ := set .Values.service "codeserver" $serviceValues -}}
{{- end -}}
{{/* Add the code-server ingress */}}
{{- if .Values.addons.codeserver.ingress.enabled -}}
{{- $ingressValues := .Values.addons.codeserver.ingress -}}
{{- $_ := set $ingressValues "nameOverride" "codeserver" -}}
{{/* Determine the target service name & port */}}
{{- $svcName := printf "%v-codeserver" (include "ix.v1.common.names.fullname" .) -}}
{{- $svcPort := .Values.addons.codeserver.service.ports.codeserver.port -}}
{{- range $_, $host := $ingressValues.hosts -}}
{{- $_ := set (index $host.paths 0) "service" (dict "name" $svcName "port" $svcPort) -}}
{{- end -}}
{{- $_ := set $ "ObjectValues" (dict "ingress" $ingressValues) -}}
{{- include "tc.v1.common.class.ingress" $ -}}
{{- $_ := unset $ "ObjectValues" -}}
{{- end -}}
{{- end -}}
{{- end -}}
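Review bot: `set (index $host.paths 0) "service" (...)` in the ingress loop raises a template error when an entry under `addons.codeserver.ingress.hosts` has no `paths` list, and for hosts with several paths it silently leaves every path after the first pointing at the app's main service rather than at the code-server service. Iterating over the paths removes both problems. The service name is built with `ix.v1.common.names.fullname` while every other helper here is `tc.v1.common.*`; if that is intentional during the refactor, a short `{{/* ... */}}` note saying so would stop the next reader from "fixing" it.
```gotemplate
{{- range $_, $host := $ingressValues.hosts -}}
  {{- range $_, $path := $host.paths -}}
    {{- $_ := set $path "service" (dict "name" $svcName "port" $svcPort) -}}
  {{- end -}}
{{- end -}}
{{/* … unchanged: ObjectValues setup and ingress include … */}}
```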


@@ -0,0 +1,40 @@
{{/*
The code-server sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.codeserver.container" -}}
imageSelector: "codeserverImage"
imagePullPolicy: {{ .Values.codeserverImage.pullPolicy }}
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
env:
{{- range $envList := .Values.addons.codeserver.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else }}
{{- fail "Please specify name/value for codeserver environment variable" -}}
{{- end -}}
{{- end -}}
{{- with .Values.addons.codeserver.env -}}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | quote }}
{{- end -}}
{{- end }}
ports:
- name: codeserver
containerPort: {{ .Values.addons.codeserver.service.ports.codeserver.port }}
protocol: TCP
args:
{{- range .Values.addons.codeserver.args }}
- {{ . | quote }}
{{- end }}
- "--port"
- "{{ .Values.addons.codeserver.service.ports.codeserver.port }}"
- {{ .Values.addons.codeserver.workingDir | default "/" }}
volumeMounts:
- inherit: all
resources:
inherit: true
{{- end -}}
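Review bot: The sidecar is hard-wired to `runAsUser: 0`, `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, and mounts `- inherit: all`, which — if `inherit: all` means what its name suggests — hands every volume of the main app to a root-level web IDE with no way to tighten this from values. If root is genuinely required for the code-server image, say why in the header comment (`{{/* runs as uid 0 because <reason>; override not yet supported */}}`) and consider reading the securityContext from `.Values.addons.codeserver` with these as defaults. Also `- {{ .Values.addons.codeserver.workingDir | default "/" }}` is emitted unquoted, so a path containing `: ` or ` #` breaks the rendered YAML; pipe it through `quote` like the neighbouring args.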


@@ -0,0 +1,24 @@
{{/*
Template to render VPN addon
It will include / inject the required templates based on the given values.
*/}}
{{- define "tc.v1.common.addon.vpn" -}}
{{- if ne "disabled" .Values.addons.vpn.type -}}
{{- if eq "openvpn" .Values.addons.vpn.type -}}
{{- include "tc.v1.common.addon.openvpn" . }}
{{- end -}}
{{- if eq "wireguard" .Values.addons.vpn.type -}}
{{- include "tc.v1.common.addon.wireguard" . }}
{{- end -}}
{{- if eq "tailscale" .Values.addons.vpn.type -}}
{{- include "tc.v1.common.addon.tailscale" . }}
{{- end -}}
{{- if ne "tailscale" .Values.addons.vpn.type -}}
{{- $_ := set .Values.persistence "vpnconfig" .Values.addons.vpn.configFile -}}
{{- end -}}
{{- end -}}
{{- end -}}
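Review bot: `tc.v1.common.addon.vpn` accepts any `addons.vpn.type` other than `disabled`: a typo or an unsupported value passes the `ne "disabled"` gate, matches none of the three `eq` checks, adds no sidecar, yet still sets `.Values.persistence.vpnconfig`, so the release deploys with no VPN and no error. Turning the independent `if` blocks into an `if`/`else if` chain with a terminal `fail` makes the misconfiguration visible at render time. The final `set .Values.persistence "vpnconfig" .Values.addons.vpn.configFile` also runs when `configFile` is unset or `enabled: false`; please confirm the persistence template tolerates a nil or disabled entry.
```gotemplate
{{- if ne "disabled" .Values.addons.vpn.type -}}
  {{- if eq "openvpn" .Values.addons.vpn.type -}}
    {{- include "tc.v1.common.addon.openvpn" . }}
  {{- else if eq "wireguard" .Values.addons.vpn.type -}}
    {{- include "tc.v1.common.addon.wireguard" . }}
  {{- else if eq "tailscale" .Values.addons.vpn.type -}}
    {{- include "tc.v1.common.addon.tailscale" . }}
  {{- else -}}
    {{- fail (printf "Unsupported addons.vpn.type: %v" .Values.addons.vpn.type) -}}
  {{- end -}}
  {{/* … unchanged: vpnconfig persistence for non-tailscale types … */}}
{{- end -}}
```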


@@ -0,0 +1,17 @@
{{/*
Template to render OpenVPN addon. It will add the container to the list of additionalContainers
and add a credentials secret if speciffied.
*/}}
{{- define "tc.v1.common.addon.openvpn" -}}
{{/* Append the openVPN container to the additionalContainers */}}
{{- $container := include "tc.v1.common.addon.openvpn.container" . | fromYaml -}}
{{- if $container -}}
{{- $_ := set .Values.additionalContainers "openvpn" $container -}}
{{- end -}}
{{/* Include the secret if not empty */}}
{{- $secret := include "tc.v1.common.addon.openvpn.secret" . -}}
{{- if $secret -}}
{{- $secret | nindent 0 -}}
{{- end -}}
{{- end -}}


@@ -0,0 +1,66 @@
{{/*
The OpenVPN sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.openvpn.container" -}}
imageSelector: openvpnImage
imagePullPolicy: {{ .Values.openvpnImage.pullPolicy }}
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
env:
{{- range $envList := .Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with .Values.addons.vpn.env }}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | quote }}
{{- end -}}
{{- end -}}
{{- if .Values.addons.vpn.killSwitch }}
FIREWALL: "ON"
ROUTE_1: "172.16.0.0/12"
{{- range $index, $value := .Values.addons.vpn.excludedNetworks_IPv4 }}
ROUTE_{{ add $index 2 }}: {{ $value | quote }}
{{- end -}}
{{- if .Values.addons.vpn.excludedNetworks_IPv6 -}}
{{- $excludednetworksv6 := "" -}}
{{- range .Values.addons.vpn.excludedNetworks_IPv4 }}
{{- $excludednetworksv6 = (printf "%v;%v" $excludednetworksv6 .) -}}
{{- end -}}
{{- range $index, $value := .Values.addons.vpn.excludedNetworks_IPv6 }}
ROUTE6_{{ add $index 1 }}: {{ $value | quote }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if or ( .Values.addons.vpn.openvpn.username ) ( .Values.addons.vpn.openvpn.password ) }}
envFrom:
- secretRef:
name: {{ include "ix.v1.common.names.fullname" . }}-openvpn
{{- end }}
volumeMounts:
- mountPath: {{ .Values.persistence.shared.mountPath }}
name: shared
{{- if .Values.addons.vpn.configFile }}
{{- if .Values.addons.vpn.configFile.enabled }}
- name: vpnconfig
mountPath: /vpn/vpn.conf
{{- end }}
{{- end }}
{{- with .Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 2 }}
{{- end }}
resources:
inherit: true
{{- end -}}
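Review bot: The `$excludednetworksv6` string built inside the `if .Values.addons.vpn.excludedNetworks_IPv6` block ranges over `excludedNetworks_IPv4` and is never read; the `ROUTE6_n` entries are generated straight from the v6 list, so that loop is dead copy-paste and should be deleted. The sidecar runs as UID 0 with `SYS_MODULE` added, which permits loading kernel modules and is effectively host root; if the image only needs it to load `tun`, a comment stating that (and dropping it where the module is already present) would help reviewers judge the risk. `ROUTE_1` is hard-wired to `172.16.0.0/12` and user routes are numbered from 2; a comment such as `{{/* ROUTE_1 is reserved for the in-cluster range, user routes start at ROUTE_2 */}}` would explain the offset, assuming that is what the range represents.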


@@ -0,0 +1,12 @@
{{/*
The OpenVPN credentials secrets to be included.
*/}}
{{- define "tc.v1.common.addon.openvpn.secret" -}}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ix.v1.common.names.fullname" $ }}-openvpn
data:
VPN_AUTH: {{ ( printf "%v;%v" .Values.addons.vpn.openvpn.username .Values.addons.vpn.openvpn.password ) | b64enc }}
{{- end -}}
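Review bot: This Secret is rendered unconditionally, so `VPN_AUTH` is emitted as the base64 of `;` whenever neither `openvpn.username` nor `openvpn.password` is set, and the `if $secret` guard in the openvpn wrapper never short-circuits because the include is never empty. Wrap the body in `{{- if or .Values.addons.vpn.openvpn.username .Values.addons.vpn.openvpn.password }}` … `{{- end }}` so the Secret exists exactly when the container's `envFrom` references it. The value is a plain `username;password` join; if the image splits on `;`, a password containing that character is parsed wrongly — worth a comment documenting the format or a `fail` when either field contains the separator.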


@@ -0,0 +1,13 @@
{{/*
Template to render Tailscale addon. It will add the container to the list of additionalContainers.
*/}}
{{- define "tc.v1.common.addon.tailscale" -}}
{{/* Append the Tailscale container to the additionalContainers */}}
{{- $container := (include "tc.v1.common.addon.tailscale.container" . | fromYaml) -}}
{{- if $container -}}
{{- $_ := set .Values.additionalContainers "tailscale" $container -}}
{{- include "tailscale.secret" . -}}
{{- $_ := set .Values.persistence (printf "%v-%v" .Release.Name "tailscale" ) (include "tailscale.addon.persistence" . | fromYaml) -}}
{{- end -}}
{{- end -}}


@@ -0,0 +1,93 @@
{{/*
The Tailscale sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.tailscale.container" -}}
{{- $secretName := printf "%s-tailscale-secret" (include "ix.v1.common.names.fullname" .) }}
name: tailscale
imageSelector: "tailscaleImage"
imagePullPolicy: {{ .Values.tailscaleImage.pullPolicy }}
command:
- /usr/local/bin/containerboot
securityContext:
{{- if .Values.addons.vpn.tailscale.userspace }}
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
{{- else }}
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
{{- end }}
capabilities:
add:
- NET_ADMIN
envFrom:
- secretRef:
name: {{ $secretName }}
{{/*
Set KUBE_SECRET to empty string to force tailscale
to use the filesystem for state tracking.
With secret for state tracking you can't always
know if the app that uses this sidecard will
use a custom ServiceAccount and will lead to falure.
*/}}
env:
TS_KUBE_SECRET: ""
TS_SOCKET: /var/run/tailscale/tailscaled.sock
TS_STATE_DIR: /var/lib/tailscale
TS_AUTH_ONCE: {{ .Values.addons.vpn.tailscale.auth_once | quote }}
TS_USERSPACE: {{ .Values.addons.vpn.tailscale.userspace | quote }}
TS_ACCEPT_DNS: {{ .Values.addons.vpn.tailscale.accept_dns | quote }}
{{- with .Values.addons.vpn.tailscale.outbound_http_proxy_listen }}
TS_OUTBOUND_HTTP_PROXY_LISTEN: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.routes }}
TS_ROUTES: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.dest_ip }}
TS_DEST_IP: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.sock5_server }}
TS_SOCKS5_SERVER: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.extra_args }}
TS_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.daemon_extra_args }}
TS_TAILSCALED_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- range $envList := .Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with .Values.addons.vpn.env -}}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | quote }}
{{- end -}}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.persistence.shared.mountPath }}
name: shared
- mountPath: /var/lib/tailscale
name: {{ printf "%v-%v" .Release.Name "tailscale" }}
{{- with .Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- with .Values.addons.vpn.resources }}
resources:
inherit: true
{{- end -}}
{{- end -}}
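Review bot: `TS_OUTBOUND_HTTP_PROXY_LISTEN`, `TS_ROUTES`, `TS_DEST_IP` and `TS_SOCKS5_SERVER` are rendered unquoted while every other env entry in this template goes through `quote`; values such as `localhost:1055` or `10.0.0.0/8,192.168.0.0/16` happen to parse as strings, but the inconsistency invites a future value that does not (anything beginning with `*` or `[`, or an all-digit string). Use `{{ . | quote }}` on those four lines. The comment above `env:` carries the useful rationale for `TS_KUBE_SECRET: ""` (a custom ServiceAccount may lack Secret RBAC) but has typos — `sidecard` and `falure` should read `sidecar` and `failure`.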


@@ -0,0 +1,6 @@
{{- define "tailscale.addon.persistence" -}}
enabled: true
mountPath: /var/lib/tailscale
type: emptyDir
noMount: true
{{- end -}}
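Review bot: State lives in an `emptyDir`, so the node identity under `/var/lib/tailscale` is discarded whenever the pod is rescheduled; together with `TS_KUBE_SECRET: ""` in the container template this means the sidecar re-registers as a new node on each restart and a single-use auth key presumably stops working after the first one. If that trade-off is intended, add `# emptyDir: node state is lost on pod restart; use a reusable/ephemeral auth key` here; otherwise this entry should use a PVC-backed type.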


@@ -0,0 +1,17 @@
{{/* Define the secret */}}
{{- define "tailscale.secret" -}}
{{- $secretName := printf "%s-tailscale-secret" (include "ix.v1.common.names.fullname" .) }}
---
{{/* This secrets are loaded on tailscale */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $secretName }}
data:
{{- with .Values.addons.vpn.tailscale.authkey }}
TS_AUTH_KEY: {{ . | b64enc }}
{{- end }}
{{- end }}
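Review bot: When `tailscale.authkey` is empty the Secret is still rendered with a bare `data:` key (null), so the sidecar's `envFrom` injects nothing and the container presumably cannot join the tailnet non-interactively. Either move the `with` around the whole Secret or fail early with `{{- if not .Values.addons.vpn.tailscale.authkey -}}{{- fail "addons.vpn.tailscale.authkey is required when addons.vpn.type is tailscale" -}}{{- end -}}`. The `---` separator placed before the `{{/* ... */}}` comment is harmless but reads oddly; put the comment above the separator.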


@@ -0,0 +1,11 @@
{{/*
Template to render Wireguard addon. It will add the container to the list of additionalContainers.
*/}}
*/}}
{{- define "tc.v1.common.addon.wireguard" -}}
{{/* Append the Wireguard container to the additionalContainers */}}
{{- $container := fromYaml (include "tc.v1.common.addon.wireguard.container" .) -}}
{{- if $container -}}
{{- $_ := set .Values.additionalContainers "wireguard" $container -}}
{{- end -}}
{{- end -}}
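Review bot: The `*/}}` line appears twice at the top of this file: the first closes the `{{/* ... */}}` comment, the second sits outside any action and is plain text, so Go templates emit the literal characters `*/}}` into the output of `tc.v1.common.addon.wireguard`. Because the vpn addon includes that output into the manifest stream, the stray `*` starts a YAML alias and the rendered document fails to parse. Delete the duplicated line.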


@@ -0,0 +1,62 @@
{{/*
The Wireguard sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.wireguard.container" -}}
imageSelector: wireguardImage
imagePullPolicy: {{ .Values.wireguardImage.pullPolicy }}
securityContext:
runAsUser: 568
runAsGroup: 568
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
env:
SEPARATOR: ";"
IPTABLES_BACKEND: "nft"
{{- range $envList := .Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with .Values.addons.vpn.env -}}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | quote }}
{{- end -}}
{{- end -}}
{{- if .Values.addons.vpn.killSwitch }}
KILLSWITCH: "true"
{{- $excludednetworksv4 := "172.16.0.0/12" -}}
{{- range .Values.addons.vpn.excludedNetworks_IPv4 -}}
{{- $excludednetworksv4 = (printf "%v;%v" $excludednetworksv4 .) -}}
{{- end }}
KILLSWITCH_EXCLUDEDNETWORKS_IPV4: {{ $excludednetworksv4 | quote }}
{{- if .Values.addons.vpn.excludedNetworks_IPv6 -}}
{{- $excludednetworksv6 := "" -}}
{{- range .Values.addons.vpn.excludedNetworks_IPv4 }}
{{- $excludednetworksv6 = (printf "%v;%v" $excludednetworksv6 .) -}}
{{- end }}
KILLSWITCH_EXCLUDEDNETWORKS_IPV6: {{ .Values.addons.vpn.excludedNetworks_IPv6 | quote }}
{{- end -}}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.persistence.shared.mountPath }}
name: shared
{{- if .Values.addons.vpn.configFile }}
- name: vpnconfig
mountPath: /etc/wireguard/wg0.conf
{{- end }}
{{- with .Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- with .Values.addons.vpn.resources }}
resources:
inherit: true
{{- end -}}
{{- end -}}
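Review bot: The IPv6 kill-switch branch builds `$excludednetworksv6` from `excludedNetworks_IPv4` and never uses it, and `KILLSWITCH_EXCLUDEDNETWORKS_IPV6` is rendered from the raw list through `quote`, which yields Go's `[a b]` formatting rather than the `;`-separated form that `SEPARATOR: ";"` announces. Replace the loop and the env line with `KILLSWITCH_EXCLUDEDNETWORKS_IPV6: {{ join ";" .Values.addons.vpn.excludedNetworks_IPv6 | quote }}` (Sprig's `join` is nil-safe), and the v4 loop can use the same `join` pattern after prefixing the fixed `172.16.0.0/12` entry. The container runs as UID 568 with `NET_ADMIN`/`SYS_MODULE` added; whether those capabilities are usable by a non-root UID depends on file capabilities in the image, which is not visible here.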


@@ -0,0 +1,57 @@
{{/*
This template serves as a blueprint for horizontal pod autoscaler objects that are created
using the common library.
*/}}
{{- define "tc.v1.common.class.hpa" -}}
{{- $targetName := include "ix.v1.common.names.fullname" . -}}
{{- $fullName := include "ix.v1.common.names.fullname" . -}}
{{- $hpaName := $fullName -}}
{{- $values := .Values.hpa -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.hpa -}}
{{- $values = . -}}
{{- end -}}
{{- end -}}
{{- $hpaLabels := $values.labels -}}
{{- $hpaAnnotations := $values.annotations -}}
{{- if and (hasKey $values "nameOverride") $values.nameOverride -}}
{{- $hpaName = printf "%v-%v" $hpaName $values.nameOverride -}}
{{- end }}
---
apiVersion: {{ include "tc.v1.common.capabilities.hpa.apiVersion" $ }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ $hpaName }}
{{- $labels := (mustMerge ($hpaLabels | default dict) (include "ix.v1.common.labels" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $ "labels" $labels) | trim) }}
labels:
{{- . | nindent 4 }}
{{- end -}}
{{- $annotations := (mustMerge ($hpaAnnotations | default dict) (include "ix.v1.common.annotations" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $ "annotations" $annotations) | trim) }}
annotations:
{{- . | nindent 4 }}
{{- end -}}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: {{ $values.targetKind | default ( include "ix.v1.common.names.controllerType" . ) }}
name: {{ $values.target | default $targetName }}
minReplicas: {{ $values.minReplicas | default 1 }}
maxReplicas: {{ $values.maxReplicas | default 3 }}
metrics:
{{- if $values.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $values.targetCPUUtilizationPercentage }}
{{- end -}}
{{- if $values.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ $values.targetMemoryUtilizationPercentage }}
{{- end -}}
{{- end -}}
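Review bot: The metric entries use the `autoscaling/v2beta1` shape (`targetAverageUtilization` directly under `resource`), while `apiVersion` is resolved at render time by `tc.v1.common.capabilities.hpa.apiVersion`, which is not visible in this chunk; if that helper returns `autoscaling/v2` or `v2beta2` on current clusters (v2 is GA since 1.23 and v2beta1 is gone in 1.25), the API server rejects the object because those versions require `target:` / `type: Utilization` / `averageUtilization: {{ $values.targetCPUUtilizationPercentage }}`. Either pin the template to the version whose schema it emits, or branch on the resolved version.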


@@ -0,0 +1,167 @@
{{/*
This template serves as a blueprint for all Ingress objects that are created
within the common library.
*/}}
{{- define "tc.v1.common.class.ingress" -}}
{{- $fullName := include "ix.v1.common.names.fullname" . -}}
{{- $ingressName := $fullName -}}
{{- $values := .Values.ingress -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.ingress -}}
{{- $values = . -}}
{{- end -}}
{{- end -}}
{{- $ingressLabels := $values.labels -}}
{{- $ingressAnnotations := $values.annotations -}}
{{- if and (hasKey $values "nameOverride") $values.nameOverride -}}
{{- $ingressName = printf "%v-%v" $ingressName $values.nameOverride -}}
{{- end -}}
{{/* Get the name of the primary service, if any */}}
{{- $primarySeriviceName := (include "ix.v1.common.lib.util.service.primary" (dict "services" .Values.service "root" .)) -}}
{{/* Get service values of the primary service, if any */}}
{{- $primaryService := get .Values.service $primarySeriviceName -}}
{{- $autoLinkService := $primaryService -}}
{{- $defaultServiceName := $fullName -}}
{{- if and (hasKey $primaryService "nameOverride") $primaryService.nameOverride -}}
{{- $defaultServiceName = printf "%v-%v" $defaultServiceName $primaryService.nameOverride -}}
{{- end -}}
{{- $defaultServicePort := get $primaryService.ports (include "ix.v1.common.lib.util.service.ports.primary" (dict "svcValues" $primaryService "svcName" $primarySeriviceName )) -}}
{{- if and (hasKey $values "nameOverride") ( $values.nameOverride ) ( $values.autoLink ) -}}
{{- $autoLinkService = get .Values.service $values.nameOverride -}}
{{- $defaultServiceName = $ingressName -}}
{{- $defaultServicePort = get $autoLinkService.ports $values.nameOverride -}}
{{- end -}}
{{- $mddwrNamespace := "default" -}}
{{- if $values.ingressClassName -}}
{{- $mddwrNamespace = ( printf "ix-%s" $values.ingressClassName ) -}}
{{- end -}}
{{- $fixedMiddlewares := "" -}}
{{- if $values.enableFixedMiddlewares -}}
{{- range $index, $fixedMiddleware := $values.fixedMiddlewares -}}
{{- if $index -}}
{{- $fixedMiddlewares = ( printf "%v, %v-%v@%v" $fixedMiddlewares $mddwrNamespace $fixedMiddleware "kubernetescrd" ) -}}
{{- else -}}
{{- $fixedMiddlewares = ( printf "%v-%v@%v" $mddwrNamespace $fixedMiddleware "kubernetescrd" ) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- $middlewares := "" -}}
{{- range $index, $middleware := $values.middlewares -}}
{{- if $index -}}
{{- $middlewares = ( printf "%v, %v-%v@%v" $middlewares $mddwrNamespace $middleware "kubernetescrd" ) -}}
{{- else -}}
{{- $middlewares = ( printf "%v-%v@%v" $mddwrNamespace $middleware "kubernetescrd" ) -}}
{{- end -}}
{{ end }}
{{- if and ( $fixedMiddlewares ) ( $middlewares ) -}}
{{- $middlewares = ( printf "%v, %v" $fixedMiddlewares $middlewares ) -}}
{{- else if $fixedMiddlewares -}}
{{- $middlewares = ( printf "%s" $fixedMiddlewares ) -}}
{{- end }}
---
apiVersion: {{ include "tc.v1.common.capabilities.ingress.apiVersion" $ }}
kind: Ingress
metadata:
name: {{ $ingressName }}
{{- $labels := (mustMerge ($ingressLabels | default dict) (include "ix.v1.common.labels" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $ "labels" $labels) | trim) }}
labels:
{{- . | nindent 4 }}
{{- end -}}
{{- $annotations := (mustMerge ($ingressAnnotations | default dict) (include "ix.v1.common.annotations" $ | fromYaml)) }}
annotations:
{{- with $values.certificateIssuer }}
cert-manager.io/cluster-issuer: {{ tpl ( toYaml . ) $ }}
{{- end }}
"traefik.ingress.kubernetes.io/router.entrypoints": {{ $values.entrypoint | default "websecure" }}
"traefik.ingress.kubernetes.io/router.middlewares": {{ $middlewares | quote }}
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $ "annotations" $annotations) | trim) }}
{{- . | nindent 4 }}
{{- end }}
spec:
{{- if $values.ingressClassName }}
ingressClassName: {{ $values.ingressClassName }}
{{- end -}}
{{- if $values.certificateIssuer }}
tls:
{{- range $index, $hostsValues := $values.hosts }}
- hosts:
- {{ tpl $hostsValues.host $ | quote }}
secretName: {{ ( printf "%v-%v-%v" $ingressName "tls" $index ) }}
{{- end -}}
{{- else if $values.tls }}
tls:
{{- range $index, $tlsValues := $values.tls }}
- hosts:
{{- range $tlsValues.hosts }}
- {{ tpl . $ | quote }}
{{- end -}}
{{- if $tlsValues.certificateIssuer }}
secretName: {{ ( printf "%v-%v-%v" $ingressName "tls" $index ) }}
{{- else if $tlsValues.scaleCert }}
secretName: {{ ( printf "%v-%v-%v-%v-%v-%v" $ingressName "tls" $index "ixcert" $tlsValues.scaleCert $.Release.Revision ) }}
{{- else if .secretName }}
secretName: {{ tpl .secretName $ | quote}}
{{- end -}}
{{- end -}}
{{- end }}
rules:
{{- range $values.hosts }}
- host: {{ tpl .host $ | quote }}
http:
paths:
{{- range .paths -}}
{{- $service := $defaultServiceName -}}
{{- $port := $defaultServicePort.port -}}
{{- if .service -}}
{{- $service = default $service .service.name -}}
{{- $port = default $port .service.port -}}
{{- end }}
- path: {{ tpl .path $ | quote }}
pathType: {{ default "Prefix" .pathType }}
backend:
service:
name: {{ $service }}
port:
number: {{ $port }}
{{- end -}}
{{- end -}}
{{- if and $values.tls ( not $values.certificateIssuer ) -}}
{{- range $index, $tlsValues := $values.tls -}}
{{- if $tlsValues.certificateIssuer }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ ( printf "%v-%v-%v" $ingressName "tls" $index ) }}
spec:
secretName: {{ ( printf "%v-%v-%v" $ingressName "tls" $index ) }}
dnsNames:
{{- range $tlsValues.hosts }}
- {{ tpl . $ | quote }}
{{- end }}
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: {{ tpl $tlsValues.certificateIssuer $ | quote }}
kind: ClusterIssuer
group: cert-manager.io
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
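Review bot: The middleware annotation is assembled by two hand-rolled loops that special-case `$index` to decide whether to prepend `", "`, then a third branch to glue the two strings; that is hard to read and easy to get subtly wrong. Collecting the references into a list and using Sprig's `join ", "` produces the identical string (fixed middlewares first, then user ones) in fewer lines, as sketched below. The rest of the template — metadata, TLS and rules — is unchanged by this.

```yaml
{{- $mddwrNamespace := "default" -}}
{{- if $values.ingressClassName -}}
{{- $mddwrNamespace = ( printf "ix-%s" $values.ingressClassName ) -}}
{{- end -}}
{{/* Fixed middlewares first, then user-supplied ones, each as <namespace>-<name>@kubernetescrd */}}
{{- $mwList := list -}}
{{- if $values.enableFixedMiddlewares -}}
{{- range $values.fixedMiddlewares -}}
{{- $mwList = append $mwList (printf "%v-%v@kubernetescrd" $mddwrNamespace .) -}}
{{- end -}}
{{- end -}}
{{- range $values.middlewares -}}
{{- $mwList = append $mwList (printf "%v-%v@kubernetescrd" $mddwrNamespace .) -}}
{{- end -}}
{{- $middlewares := join ", " $mwList -}}
{{/* … unchanged: Ingress metadata, annotations, tls and rules … */}}
```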


@@ -0,0 +1,180 @@
{{/*
Blueprint for the NetworkPolicy object
*/}}
{{- define "tc.v1.common.class.networkpolicy" -}}
{{- $fullName := include "ix.v1.common.names.fullname" . -}}
{{- $networkPolicyName := $fullName -}}
{{- $values := .Values.networkPolicy -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.networkPolicy -}}
{{- $values = . -}}
{{- end -}}
{{- end -}}
{{- $networkpolicyLabels := $values.labels -}}
{{- $networkpolicyAnnotations := $values.annotations -}}
{{- if and (hasKey $values "nameOverride") $values.nameOverride -}}
{{- $networkPolicyName = printf "%v-%v" $networkPolicyName $values.nameOverride -}}
{{- end }}
---
kind: NetworkPolicy
apiVersion: {{ include "tc.v1.common.capabilities.networkpolicy.apiVersion" $ }}
metadata:
name: {{ $networkPolicyName }}
{{- $labels := (mustMerge ($networkpolicyLabels | default dict) (include "ix.v1.common.labels" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $ "labels" $labels) | trim) }}
labels:
{{- . | nindent 4 }}
{{- end -}}
{{- $annotations := (mustMerge ($networkpolicyAnnotations | default dict) (include "ix.v1.common.annotations" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $ "annotations" $annotations) | trim) }}
annotations:
{{- . | nindent 4 }}
{{- end }}
spec:
podSelector:
{{- if $values.podSelector }}
{{- with $values.podSelector }}
{{- . | toYaml | nindent 4 }}
{{- end -}}
{{- else }}
matchLabels:
{{- include "ix.v1.common.labels.selectorLabels" . | nindent 6 }}
{{- end -}}
{{- if $values.policyType }}
{{- if eq $values.policyType "ingress" }}
policyTypes: ["Ingress"]
{{- else if eq $values.policyType "egress" }}
policyTypes: ["Egress"]
{{- else if eq $values.policyType "ingress-egress" }}
policyTypes: ["Ingress", "Egress"]
{{- end -}}
{{- end -}}
{{- if $values.egress }}
egress:
{{- range $values.egress }}
- to:
{{- range .to -}}
{{- $nss := false -}}
{{- $ipb := false -}}
{{- if .ipBlock -}}
{{- if .ipBlock.cidr -}}
{{- $ipb = true }}
- ipBlock:
cidr: {{ .ipBlock.cidr }}
{{- if .ipBlock.except }}
except:
{{- range .ipBlock.except }}
- {{ . }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if and ( .namespaceSelector ) ( not $ipb ) -}}
{{- if or ( .namespaceSelector.matchLabels ) ( .namespaceSelector.matchExpressions ) -}}
{{- $nss = true }}
- namespaceSelector:
{{- if .namespaceSelector.matchLabels }}
matchLabels:
{{- .namespaceSelector.matchLabels | toYaml | nindent 12 }}
{{- end -}}
{{- if .namespaceSelector.matchExpressions }}
matchExpressions:
{{- .namespaceSelector.matchExpressions | toYaml | nindent 12 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if and ( .podSelector ) ( not $ipb ) -}}
{{- if or ( .podSelector.matchLabels ) ( .podSelector.matchExpressions ) -}}
{{- if $nss }}
podSelector:
{{- else }}
- podSelector:
{{- end -}}
{{- if .podSelector.matchLabels }}
matchLabels:
{{- .podSelector.matchLabels | toYaml | nindent 12 }}
{{- end -}}
{{- if .podSelector.matchExpressions }}
matchExpressions:
{{- .podSelector.matchExpressions | toYaml | nindent 12 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- with .ports }}
ports:
{{- . | toYaml | nindent 6 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $values.ingress }}
ingress:
{{- range $values.ingress }}
- from:
{{- range .from -}}
{{- $nss := false -}}
{{- $ipb := false -}}
{{- if .ipBlock -}}
{{- if .ipBlock.cidr -}}
{{- $ipb = true }}
- ipBlock:
cidr: {{ .ipBlock.cidr }}
{{- if .ipBlock.except }}
except:
{{- range .ipBlock.except }}
- {{ . }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if and ( .namespaceSelector ) ( not $ipb ) -}}
{{- if or ( .namespaceSelector.matchLabels ) ( .namespaceSelector.matchExpressions ) -}}
{{- $nss = true }}
- namespaceSelector:
{{- if .namespaceSelector.matchLabels }}
matchLabels:
{{- .namespaceSelector.matchLabels | toYaml | nindent 12 }}
{{- end -}}
{{- if .namespaceSelector.matchExpressions }}
matchExpressions:
{{- .namespaceSelector.matchExpressions | toYaml | nindent 12 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if and ( .podSelector ) ( not $ipb ) -}}
{{- if or ( .podSelector.matchLabels ) ( .podSelector.matchExpressions ) -}}
{{- if $nss }}
podSelector:
{{- else }}
- podSelector:
{{- end }}
{{- if .podSelector.matchLabels }}
matchLabels:
{{- .podSelector.matchLabels | toYaml | nindent 12 }}
{{- end -}}
{{- if .podSelector.matchExpressions }}
matchExpressions:
{{- .podSelector.matchExpressions | toYaml | nindent 12 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- with .ports }}
ports:
{{- . | toYaml | nindent 6 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
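Review bot: Peer entries are silently dropped when they fail the checks — a `namespaceSelector`/`podSelector` with neither `matchLabels` nor `matchExpressions`, or selectors combined with an `ipBlock` — and because `- to:` / `- from:` is emitted before the inner `range`, a rule whose peers are all dropped renders `to:`/`from:` as null, which Kubernetes interprets as "all peers": a mistyped restrictive rule becomes allow-all. Replace the silent skips with `{{- fail "networkPolicy peer needs matchLabels or matchExpressions" -}}` and `{{- fail "ipBlock cannot be combined with namespaceSelector/podSelector in one peer" -}}`, and only emit the `to:`/`from:` key when the user supplied a non-empty peer list. The ingress and egress halves are otherwise identical apart from the key name; a shared `tc.v1.common.class.networkpolicy.peers` helper taking the key would halve the template and keep the two paths from drifting.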


@@ -0,0 +1,56 @@
{{- define "ix.v1.common.class.podmonitor" -}}
{{- $fullName := include "ix.v1.common.names.fullname" . -}}
{{- $podmonitorName := $fullName -}}
{{- $values := .Values.podmonitor -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.podmonitor -}}
{{- $values = . -}}
{{- end -}}
{{- end -}}
{{- $podmonitorLabels := $values.labels -}}
{{- $podmonitorAnnotations := $values.annotations -}}
{{- if and (hasKey $values "nameOverride") $values.nameOverride -}}
{{- $podmonitorName = printf "%v-%v" $podmonitorName $values.nameOverride -}}
{{- end }}
---
apiVersion: {{ include "tc.v1.common.capabilities.podmonitor.apiVersion" $ }}
kind: PodMonitor
metadata:
name: {{ $podmonitorName }}
{{- $labels := (mustMerge ($podmonitorLabels | default dict) (include "ix.v1.common.labels" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $ "labels" $labels) | trim) }}
labels:
{{- . | nindent 4 }}
{{- end -}}
{{- $annotations := (mustMerge ($podmonitorAnnotations | default dict) (include "ix.v1.common.annotations" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $ "annotations" $annotations) | trim) }}
annotations:
{{- . | nindent 4 }}
{{- end -}}
spec:
jobLabel: app.kubernetes.io/name
selector:
{{- if $values.matchLabels }}
{{- tpl (toYaml $values.matchLabels) $ | nindent 4 }}
{{- else }}
{{- include "ix.v1.common.labels.selectorLabels" . | nindent 4 }}
{{- end }}
podMetricsEndpoints:
{{- range $values.endpoints }}
- port: {{ .port }}
{{- with .interval }}
interval: {{ . }}
{{- end -}}
{{- with .scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end -}}
{{- with .path }}
path: {{ . }}
{{- end -}}
{{- with .honorLabels }}
honorLabels: {{ . }}
{{- end -}}
{{- end -}}
{{- end -}}
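Review bot: Both branches under `selector:` render label pairs directly at indent 4 with no `matchLabels:` key, whereas the NetworkPolicy template in this same commit wraps the same `ix.v1.common.labels.selectorLabels` output in `matchLabels:` first; unless that helper emits its own `matchLabels:` (which the NetworkPolicy usage suggests it does not), the PodMonitor `selector` is invalid for the monitoring CRD. Suggested: `selector:` / `  matchLabels:` / `    {{- include "ix.v1.common.labels.selectorLabels" . | nindent 4 }}`, and the `$values.matchLabels` branch should be wrapped the same way. The ServiceMonitor template in this commit has the same shape.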


@@ -0,0 +1,54 @@
{{- define "ix.v1.common.class.prometheusrule" -}}
{{- $fullName := include "ix.v1.common.names.fullname" . -}}
{{- $prometheusruleName := $fullName -}}
{{- $values := .Values.prometheusrule -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.prometheusrule -}}
{{- $values = . -}}
{{- end -}}
{{- end -}}
{{- $prometheusruleLabels := $values.labels -}}
{{- $prometheusruleAnnotations := $values.annotations -}}
{{- if and (hasKey $values "nameOverride") $values.nameOverride -}}
{{- $prometheusruleName = printf "%v-%v" $prometheusruleName $values.nameOverride -}}
{{- end }}
---
apiVersion: {{ include "tc.v1.common.capabilities.prometheusrule.apiVersion" $ }}
kind: PrometheusRule
metadata:
name: {{ $prometheusruleName }}
{{- $labels := (mustMerge ($prometheusruleLabels | default dict) (include "ix.v1.common.labels" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $ "labels" $labels) | trim) }}
labels:
{{- . | nindent 4 }}
{{- end -}}
{{- $annotations := (mustMerge ($prometheusruleAnnotations | default dict) (include "ix.v1.common.annotations" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $ "annotations" $annotations) | trim) }}
annotations:
{{- . | nindent 4 }}
{{- end -}}
spec:
groups:
{{- range $name, $groupValues := .groups }}
- name: {{ $prometheusruleName }}-{{ $name }}
rules:
{{- with $groupValues.rules }}
{{- toYaml . | nindent 8 }}
{{- end -}}
{{- with $groupValues.additionalrules }}
{{- toYaml . | nindent 8 }}
{{- end -}}
{{- end -}}
{{- range $id, $groupValues := .additionalgroups }}
- name: {{ $prometheusruleName }}-{{ if $groupValues.name }}{{ $groupValues.name }}{{ else }}{{ $id }}{{ end }}
rules:
{{- with $groupValues.rules }}
{{- toYaml . | nindent 8 }}
{{- end -}}
{{- with $groupValues.additionalrules }}
{{- toYaml . | nindent 8 }}
{{- end -}}
{{- end -}}
{{- end -}}
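Review bot: `range $name, $groupValues := .groups` and the later `range $id, $groupValues := .additionalgroups` resolve against the root context (`.`), not `$values`, so groups supplied under `.Values.prometheusrule` or `ObjectValues.prometheusrule` are never seen and the PrometheusRule renders with an empty `groups:`. Change both to `$values.groups` and `$values.additionalgroups`. `additionalrules` is emitted by `toYaml` directly after `rules` at the same indent, which only works because both are sequences; a short comment above that pair would make the intent clear.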


@@ -0,0 +1,56 @@
{{- define "ix.v1.common.class.servicemonitor" -}}
{{- $fullName := include "ix.v1.common.names.fullname" . -}}
{{- $servicemonitorName := $fullName -}}
{{- $values := .Values.servicemonitor -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.servicemonitor -}}
{{- $values = . -}}
{{- end -}}
{{- end -}}
{{- $servicemonitorLabels := $values.labels -}}
{{- $servicemonitorAnnotations := $values.annotations -}}
{{- if and (hasKey $values "nameOverride") $values.nameOverride -}}
{{- $servicemonitorName = printf "%v-%v" $servicemonitorName $values.nameOverride -}}
{{- end }}
---
apiVersion: {{ include "tc.v1.common.capabilities.servicemonitor.apiVersion" $ }}
kind: PodMonitor
metadata:
name: {{ $servicemonitorName }}
{{- $labels := (mustMerge ($servicemonitorLabels | default dict) (include "ix.v1.common.labels" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $ "labels" $labels) | trim) }}
labels:
{{- . | nindent 4 }}
{{- end -}}
{{- $annotations := (mustMerge ($servicemonitorAnnotations | default dict) (include "ix.v1.common.annotations" $ | fromYaml)) -}}
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $ "annotations" $annotations) | trim) }}
annotations:
{{- . | nindent 4 }}
{{- end -}}
spec:
jobLabel: app.kubernetes.io/name
selector:
{{- if $values.matchLabels }}
{{- tpl (toYaml $values.matchLabels) $ | nindent 4 }}
{{- else -}}
{{- include "ix.v1.common.labels.selectorLabels" . | nindent 4 -}}
{{- end -}}
endpoints:
{{- range $values.endpoints }}
- port: {{ .port }}
{{- with .interval }}
interval: {{ . }}
{{- end -}}
{{- with .scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end -}}
{{- with .path }}
path: {{ . }}
{{- end -}}
{{- with .honorLabels }}
honorLabels: {{ . }}
{{- end -}}
{{- end -}}
{{- end -}}
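Review bot: `kind: PodMonitor` in a template named `servicemonitor` that renders an `endpoints:` list (ServiceMonitor schema; PodMonitor uses `podMetricsEndpoints`) will either be rejected by CRD validation or create a second PodMonitor with the wrong shape; it should be `kind: ServiceMonitor`. The `{{- else -}}` / `... | nindent 4 -}}` / `{{- end -}}` trio trims every newline around the included labels, so the last label and `endpoints:` land on one line — drop the trailing `-` on the include, as the PodMonitor template does. Like that template, `selector:` also lacks a `matchLabels:` wrapper around the `selectorLabels` output, assuming the helper emits bare label pairs as its NetworkPolicy usage implies.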


@@ -69,6 +69,16 @@
{{- end -}}
{{- end -}}
{{- end -}}
{{- else if eq $volMount.inherit "setPermissions" -}} {{/* Inherit all volumes with setPermissions enabled */}}
{{- range $name, $item := $root.Values.persistence -}}
{{- if $item.enabled -}}
{{- if $item.setPermissions -}}
{{- include "ix.v1.common.container.volumeMount" (dict "root" $root
"item" $item
"name" $name) | indent 0 -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}{{/* Here we can add other inherit cases */}}
{{- else -}}
{{- if not $volMount.name -}}


@@ -0,0 +1,46 @@
{{/*
This template generates a random password and ensures it persists across updates/edits to the chart
*/}}
{{- define "tc.v1.common.dependencies.clickhouse.injector" -}}
{{- if .Values.clickhouse.enabled }}
{{- $secretName := "clickhousecreds" }}
{{- $dbPass := "" }}
{{- with (lookup "v1" "Secret" .Release.Namespace $secretName) }}
{{- $dbPass = (index .data "clickhouse-password") | b64dec }}
{{- else }}
{{- $dbPass = randAlphaNum 50 }}
{{- end }}
{{- $host := printf "%v-clickhouse" .Release.Name }}
{{- $portHost := printf "%v-clickhouse:8123" .Release.Name }}
{{- $ping := printf "http://%v-clickhouse:8123/ping" .Release.Name }}
{{- $url := printf "http://%v:%v@%v-clickhouse:8123/%v" .Values.clickhouse.clickhouseUsername $dbPass .Release.Name .Values.clickhouse.clickhouseDatabase }}
{{- $jdbc := printf "jdbc:ch://%v-clickhouse:8123/%v" .Release.Name }}
---
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "tc.common.labels" . | nindent 4 }}
name: {{ $secretName }}
data:
clickhouse-password: {{ $dbPass | b64enc | quote }}
plainhost: {{ $host | b64enc | quote }}
plainporthost: {{ $portHost | b64enc | quote }}
ping: {{ $ping | b64enc | quote }}
url: {{ $url | b64enc | quote }}
jdbc: {{ $jdbc | b64enc | quote }}
{{- $_ := set .Values.clickhouse "clickhousePassword" ($dbPass | quote) }}
{{- $_ := set .Values.clickhouse.url "plain" ($host | quote) }}
{{- $_ := set .Values.clickhouse.url "plainhost" ($host | quote) }}
{{- $_ := set .Values.clickhouse.url "plainport" ($portHost | quote) }}
{{- $_ := set .Values.clickhouse.url "plainporthost" ($portHost | quote) }}
{{- $_ := set .Values.clickhouse.url "ping" ($ping | quote) }}
{{- $_ := set .Values.clickhouse.url "complete" ($url | quote) }}
{{- $_ := set .Values.clickhouse.url "jdbc" ($jdbc | quote) }}
{{- end }}
{{- end -}}
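Review bot: `printf "jdbc:ch://%v-clickhouse:8123/%v" .Release.Name` has two verbs but one argument, so the `jdbc` Secret entry and `.Values.clickhouse.url.jdbc` render as `jdbc:ch://<release>-clickhouse:8123/%!v(MISSING)`; it should be `printf "jdbc:ch://%v-clickhouse:8123/%v" .Release.Name .Values.clickhouse.clickhouseDatabase`. The previous password is recovered via `lookup`, which returns nothing under `helm template` or `--dry-run`, so a dry-run shows a freshly generated password that will not match the live Secret — worth a comment above the `with (lookup ...)` line. The Secret name `clickhousecreds` is not release-scoped, so two releases in one namespace would overwrite each other's credentials; fine if the chart assumes one namespace per release, but that assumption should be stated.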


@@ -0,0 +1,183 @@
{{/*
This template serves as a blueprint for all cnpg objects that are created
within the common library.
*/}}
{{- define "tc.v1.common.dependencies.cnpg.main" -}}
{{- if .Values.cnpg.enabled }}
{{- $cnpgName := include "tc.common.names.fullname" . }}
{{- $cnpgName = printf "%v-%v" $cnpgName "cnpg" }}
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: {{ $cnpgName }}
{{- with (merge (.Values.cnpg.labels | default dict) (include "tc.common.labels" $ | fromYaml)) }}
labels: {{- tpl ( toYaml . ) $ | nindent 4 }}
{{- end }}
annotations:
{{- with (merge (.Values.cnpg.annotations | default dict) (include "tc.common.annotations" $ | fromYaml)) }}
{{- tpl ( toYaml . ) $ | nindent 4 }}
{{- end }}
spec:
instances: {{ .Values.cnpg.instances | default 2 }}
bootstrap:
initdb:
database: {{ .Values.cnpg.database | default "app" }}
owner: {{ .Values.cnpg.user | default "app" }}
secret:
name: cnpg-user
superuserSecret:
name: cnpg-superuser
primaryUpdateStrategy: {{ .Values.cnpg.primaryUpdateStrategy | default "unsupervised" }}
storage:
pvcTemplate:
{{ include "tc.common.storage.storageClassName" ( dict "persistence" .Values.cnpg.storage "global" $) }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.cnpg.storage.size | default "256Gi" | quote }}
walStorage:
pvcTemplate:
{{ include "tc.common.storage.storageClassName" ( dict "persistence" .Values.cnpg.storage "global" $) }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.cnpg.storage.walsize | default "256Gi" | quote }}
monitoring:
enablePodMonitor: {{ .Values.cnpg.monitoring.enablePodMonitor | default true }}
nodeMaintenanceWindow:
inProgress: false
reusePVC: on
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
{{ $poolerrwname := printf "pooler-%s-rw" $cnpgName }}
name: {{ $poolerrwname }}
spec:
cluster:
name: {{ $cnpgName }}
instances: {{ .Values.cnpg.instances | default 2 }}
type: rw
pgbouncer:
poolMode: session
parameters:
max_client_conn: "1000"
default_pool_size: "10"
{{ if ( .Values.cnpg.monitoring.enablePodMonitor | default true ) }}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ $cnpgName }}-rw
spec:
selector:
matchLabels:
cnpg.io/poolerName: {{ $poolerrwname }}
podMetricsEndpoints:
- port: metrics
{{ end }}
{{ if ( .Values.cnpg.acceptRO | default true ) }}
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
{{ $poolerroname := printf "pooler-%s-ro" $cnpgName }}
name: {{ $poolerroname }}
spec:
cluster:
name: {{ $cnpgName }}
instances: {{ .Values.cnpg.instances | default 2 }}
type: ro
pgbouncer:
poolMode: session
parameters:
max_client_conn: "1000"
default_pool_size: "10"
{{ if ( .Values.cnpg.monitoring.enablePodMonitor | default true ) }}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ $cnpgName }}-ro
spec:
selector:
matchLabels:
cnpg.io/poolerName: {{ $poolerroname }}
podMetricsEndpoints:
- port: metrics
{{ end }}
{{ end }}
---
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "tc.common.labels" . | nindent 4 }}
name: cnpgcreds
{{- $dbprevious := lookup "v1" "Secret" .Release.Namespace "cnpgcreds" }}
{{- $dbPass := "" }}
{{- $pgPass := "" }}
data:
{{- if $dbprevious }}
{{- $dbPass = ( index $dbprevious.data "user-password" ) | b64dec }}
{{- $pgPass = ( index $dbprevious.data "superuser-password" ) | b64dec }}
user-password: {{ ( index $dbprevious.data "user-password" ) }}
superuser-password: {{ ( index $dbprevious.data "superuser-password" ) }}
{{- else }}
{{- $dbPass = .Values.cnpg.password | default ( randAlphaNum 62 ) }}
{{- $pgPass = .Values.cnpg.superUserPassword | default ( randAlphaNum 62 ) }}
user-password: {{ $dbPass | b64enc | quote }}
superuser-password: {{ $pgPass | b64enc | quote }}
{{- end }}
{{- $std := ( ( printf "postgresql://%v:%v@%v:5432/%v" .Values.cnpg.user $dbPass $poolerrwname .Values.cnpg.database ) | b64enc | quote ) }}
{{- $nossl := ( ( printf "postgresql://%v:%v@%v:5432/%v?sslmode=disable" .Values.cnpg.user $dbPass $poolerrwname .Values.cnpg.database ) | b64enc | quote ) }}
{{- $porthost := ( ( printf "%s:5432" $poolerrwname ) | b64enc | quote ) }}
{{- $host := ( ( printf "%s" $poolerrwname ) | b64enc | quote ) }}
{{- $jdbc := ( ( printf "jdbc:postgresql://%v:5432/%v" $poolerrwname .Values.cnpg.database ) | b64enc | quote ) }}
std: {{ $std }}
nossl: {{ $nossl }}
porthost: {{ $porthost }}
host: {{ $host }}
jdbc: {{ $jdbc }}
type: Opaque
{{- $_ := set .Values.cnpg.creds "password" ( $dbPass | quote ) }}
{{- $_ := set .Values.cnpg.creds "superUserPassword" ( $pgPass | quote ) }}
{{- $_ := set .Values.cnpg.creds "std" $std }}
{{- $_ := set .Values.cnpg.creds "nossl" $nossl }}
{{- $_ := set .Values.cnpg.creds "porthost" $porthost }}
{{- $_ := set .Values.cnpg.creds "host" $host }}
{{- $_ := set .Values.cnpg.creds "jdbc" $jdbc }}
---
apiVersion: v1
data:
username: {{ "postgres" | b64enc | quote }}
password: {{ $pgPass | b64enc | quote }}
kind: Secret
metadata:
name: cnpg-superuser
type: kubernetes.io/basic-auth
---
apiVersion: v1
data:
username: {{ .Values.cnpg.user | b64enc | quote }}
password: {{ $dbPass | b64enc | quote }}
kind: Secret
metadata:
name: cnpg-user
type: kubernetes.io/basic-auth
{{- end }}
{{- end -}}
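Review bot: `reusePVC: on` under `nodeMaintenanceWindow` depends on YAML 1.1 boolean parsing; write `reusePVC: true` so it is unambiguous to 1.2 parsers and linters. The `cnpgcreds`, `cnpg-user` and `cnpg-superuser` Secret names are fixed rather than derived from the release name, so `lookup` would pick up another release's passwords if two charts share a namespace — acceptable if one namespace per release is guaranteed, but a comment should say so. `.Values.cnpg.password` and `superUserPassword` are honoured only while no `cnpgcreds` Secret exists; changing them on upgrade has no effect, which deserves a note next to the `if $dbprevious` branch.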


@@ -0,0 +1,48 @@
{{/*
This template generates a random password and ensures it persists across updates/edits to the chart
*/}}
{{- define "tc.v1.common.dependencies.mariadb.injector" -}}
{{- $pghost := printf "%v-%v" .Release.Name "mariadb" }}
{{- if .Values.mariadb.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "tc.common.labels" . | nindent 4 }}
name: mariadbcreds
{{- $dbprevious := lookup "v1" "Secret" .Release.Namespace "mariadbcreds" }}
{{- $dbPass := "" }}
{{- $rootPass := "" }}
data:
{{- if $dbprevious }}
{{- $dbPass = ( index $dbprevious.data "mariadb-password" ) | b64dec }}
{{- $rootPass = ( index $dbprevious.data "mariadb-root-password" ) | b64dec }}
mariadb-password: {{ ( index $dbprevious.data "mariadb-password" ) }}
mariadb-root-password: {{ ( index $dbprevious.data "mariadb-root-password" ) }}
{{- else }}
{{- $dbPass = randAlphaNum 50 }}
{{- $rootPass = randAlphaNum 50 }}
mariadb-password: {{ $dbPass | b64enc | quote }}
mariadb-root-password: {{ $rootPass | b64enc | quote }}
{{- end }}
url: {{ ( printf "sql://%v:%v@%v-mariadb:3306/%v" .Values.mariadb.mariadbUsername $dbPass .Release.Name .Values.mariadb.mariadbDatabase ) | b64enc | quote }}
urlnossl: {{ ( printf "sql://%v:%v@%v-mariadb:3306/%v?sslmode=disable" .Values.mariadb.mariadbUsername $dbPass .Release.Name .Values.mariadb.mariadbDatabase ) | b64enc | quote }}
plainporthost: {{ ( printf "%v-%v:3306" .Release.Name "mariadb" ) | b64enc | quote }}
plainhost: {{ ( printf "%v-%v" .Release.Name "mariadb" ) | b64enc | quote }}
jdbc: {{ ( printf "jdbc:sqlserver://%v-mariadb:3306/%v" .Release.Name .Values.mariadb.mariadbDatabase ) | b64enc | quote }}
jdbc-mysql: {{ ( printf "jdbc:mysql://%v-mariadb:3306/%v" .Release.Name .Values.mariadb.mariadbDatabase ) | b64enc | quote }}
jdbc-mariadb: {{ ( printf "jdbc:mariadb://%v-mariadb:3306/%v" .Release.Name .Values.mariadb.mariadbDatabase ) | b64enc | quote }}
type: Opaque
{{- $_ := set .Values.mariadb "mariadbPassword" ( $dbPass | quote ) }}
{{- $_ := set .Values.mariadb "mariadbRootPassword" ( $rootPass | quote ) }}
{{- $_ := set .Values.mariadb.url "plain" ( ( printf "%v-%v" .Release.Name "mariadb" ) | quote ) }}
{{- $_ := set .Values.mariadb.url "plainhost" ( ( printf "%v-%v" .Release.Name "mariadb" ) | quote ) }}
{{- $_ := set .Values.mariadb.url "plainport" ( ( printf "%v-%v:3306" .Release.Name "mariadb" ) | quote ) }}
{{- $_ := set .Values.mariadb.url "plainporthost" ( ( printf "%v-%v:3306" .Release.Name "mariadb" ) | quote ) }}
{{- $_ := set .Values.mariadb.url "complete" ( ( printf "sql://%v:%v@%v-mariadb:3306/%v" .Values.mariadb.mariadbUsername $dbPass .Release.Name .Values.mariadb.mariadbDatabase ) | quote ) }}
{{- $_ := set .Values.mariadb.url "jdbc" ( ( printf "jdbc:sqlserver://%v-mariadb:3306/%v" .Release.Name .Values.mariadb.mariadbDatabase ) | quote ) }}
{{- end }}
{{- end -}}
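Review bot: The `jdbc` data key and the matching `.Values.mariadb.url "jdbc"` entry are built with the `jdbc:sqlserver://` prefix, which is the Microsoft SQL Server driver scheme, so a Java consumer reading that key would load the wrong driver; the `jdbc-mariadb` and `jdbc-mysql` keys a few lines below already carry the correct schemes, so `jdbc` should presumably become `jdbc:mariadb://` (or be dropped as a duplicate of `jdbc-mariadb`). The `?sslmode=disable` suffix on the `urlnossl` line is libpq syntax that MariaDB/MySQL connectors do not recognise, so the key name promises more than the value delivers and should at least be documented as connector-specific. `$pghost` on the second line of the template is assigned and never used. Note also that `lookup` returns nothing under `helm template` or `--dry-run`, so those runs render a fresh password each time; only the Secret already in the cluster is authoritative, which is worth a sentence in the header comment.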


@@ -0,0 +1,47 @@
{{/*
This template generates a random password and ensures it persists across updates/edits to the chart
*/}}
{{- define "tc.v1.common.dependencies.mongodb.injector" -}}
{{- $pghost := printf "%v-%v" .Release.Name "mongodb" }}
{{- if .Values.mongodb.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "tc.common.labels" . | nindent 4 }}
name: mongodbcreds
{{- $dbprevious := lookup "v1" "Secret" .Release.Namespace "mongodbcreds" }}
{{- $dbPass := "" }}
{{- $rootPass := "" }}
data:
{{- if $dbprevious }}
{{- $dbPass = ( index $dbprevious.data "mongodb-password" ) | b64dec }}
{{- $rootPass = ( index $dbprevious.data "mongodb-root-password" ) | b64dec }}
mongodb-password: {{ ( index $dbprevious.data "mongodb-password" ) }}
mongodb-root-password: {{ ( index $dbprevious.data "mongodb-root-password" ) }}
{{- else }}
{{- $dbPass = randAlphaNum 50 }}
{{- $rootPass = randAlphaNum 50 }}
mongodb-password: {{ $dbPass | b64enc | quote }}
mongodb-root-password: {{ $rootPass | b64enc | quote }}
{{- end }}
url: {{ ( printf "mongodb://%v:%v@%v-mongodb:27017/%v" .Values.mongodb.mongodbUsername $dbPass .Release.Name .Values.mongodb.mongodbDatabase ) | b64enc | quote }}
urlssl: {{ ( printf "mongodb://%v:%v@%v-mongodb:27017/%v?ssl=true" .Values.mongodb.mongodbUsername $dbPass .Release.Name .Values.mongodb.mongodbDatabase ) | b64enc | quote }}
urltls: {{ ( printf "mongodb://%v:%v@%v-mongodb:27017/%v?tls=true" .Values.mongodb.mongodbUsername $dbPass .Release.Name .Values.mongodb.mongodbDatabase ) | b64enc | quote }}
jdbc: {{ ( printf "jdbc:mongodb://%v-mongodb:27017/%v" .Release.Name .Values.mongodb.mongodbDatabase ) | b64enc | quote }}
plainhost: {{ ( printf "%v-%v" .Release.Name "mongodb" ) | b64enc | quote }}
plainporthost: {{ ( printf "%v-%v:27017" .Release.Name "mongodb" ) | b64enc | quote }}
type: Opaque
{{- $_ := set .Values.mongodb "mongodbPassword" ( $dbPass | quote ) }}
{{- $_ := set .Values.mongodb "mongodbRootPassword" ( $rootPass | quote ) }}
{{- $_ := set .Values.mongodb.url "plain" ( ( printf "%v-%v" .Release.Name "mongodb" ) | quote ) }}
{{- $_ := set .Values.mongodb.url "plainhost" ( ( printf "%v-%v" .Release.Name "mongodb" ) | quote ) }}
{{- $_ := set .Values.mongodb.url "plainport" ( ( printf "%v-%v:27017" .Release.Name "mongodb" ) | quote ) }}
{{- $_ := set .Values.mongodb.url "plainporthost" ( ( printf "%v-%v:27017" .Release.Name "mongodb" ) | quote ) }}
{{- $_ := set .Values.mongodb.url "complete" ( ( printf "mongodb://%v:%v@%v-mongodb:27017/%v" .Values.mongodb.mongodbUsername $dbPass .Release.Name .Values.mongodb.mongodbDatabase ) | quote ) }}
{{- $_ := set .Values.mongodb.url "jdbc" ( ( printf "jdbc:mongodb://%v-mongodb:27017/%v" .Release.Name .Values.mongodb.mongodbDatabase ) | quote ) }}
{{- end }}
{{- end -}}
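Review bot: The Secret name `mongodbcreds` used both in `metadata.name` and in the `lookup` on the `$dbprevious` line is fixed per namespace rather than derived from the release, so two releases installed into one namespace would read and overwrite each other's database credentials on upgrade. That is presumably safe on TrueNAS SCALE, where each app gets its own namespace, but this common chart can be consumed elsewhere; either prefix the name with `.Release.Name` or state the assumption in the header, e.g. `{{/* NOTE: the Secret name is not release-scoped; one release per namespace is assumed */}}`. The username and database from values are also interpolated into the `mongodb://` URI unescaped, so a username containing `@` or `:` yields a URI that parses to the wrong host; passing them through `urlquery` would avoid that. `$pghost` on the second line is never used.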


@@ -0,0 +1,48 @@
{{/*
This template generates a random password and ensures it persists across updates/edits to the chart
*/}}
{{- define "tc.v1.common.dependencies.postgresql.injector" -}}
{{- $pghost := printf "%v-%v" .Release.Name "postgresql" }}
{{- if .Values.postgresql.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "tc.common.labels" . | nindent 4 }}
name: dbcreds
{{- $dbprevious := lookup "v1" "Secret" .Release.Namespace "dbcreds" }}
{{- $dbPass := "" }}
{{- $pgPass := "" }}
data:
{{- if $dbprevious }}
{{- $dbPass = ( index $dbprevious.data "postgresql-password" ) | b64dec }}
{{- $pgPass = ( index $dbprevious.data "postgresql-postgres-password" ) | b64dec }}
postgresql-password: {{ ( index $dbprevious.data "postgresql-password" ) }}
postgresql-postgres-password: {{ ( index $dbprevious.data "postgresql-postgres-password" ) }}
{{- else }}
{{- $dbPass = randAlphaNum 50 }}
{{- $pgPass = randAlphaNum 50 }}
postgresql-password: {{ $dbPass | b64enc | quote }}
postgresql-postgres-password: {{ $pgPass | b64enc | quote }}
{{- end }}
url: {{ ( printf "postgresql://%v:%v@%v-postgresql:5432/%v" .Values.postgresql.postgresqlUsername $dbPass .Release.Name .Values.postgresql.postgresqlDatabase ) | b64enc | quote }}
url-noql: {{ ( printf "postgres://%v:%v@%v-postgresql:5432/%v" .Values.postgresql.postgresqlUsername $dbPass .Release.Name .Values.postgresql.postgresqlDatabase ) | b64enc | quote }}
urlnossl: {{ ( printf "postgresql://%v:%v@%v-postgresql:5432/%v?sslmode=disable" .Values.postgresql.postgresqlUsername $dbPass .Release.Name .Values.postgresql.postgresqlDatabase ) | b64enc | quote }}
plainporthost: {{ ( printf "%v-%v" .Release.Name "postgresql" ) | b64enc | quote }}
plainhost: {{ ( printf "%v-%v" .Release.Name "postgresql" ) | b64enc | quote }}
jdbc: {{ ( printf "jdbc:postgresql://%v-postgresql:5432/%v" .Release.Name .Values.postgresql.postgresqlDatabase ) | b64enc | quote }}
type: Opaque
{{- $_ := set .Values.postgresql "postgresqlPassword" ( $dbPass | quote ) }}
{{- $_ := set .Values.postgresql "postgrespassword" ( $pgPass | quote ) }}
{{- $_ := set .Values.postgresql.url "plain" ( ( printf "%v-%v" .Release.Name "postgresql" ) | quote ) }}
{{- $_ := set .Values.postgresql.url "plainhost" ( ( printf "%v-%v" .Release.Name "postgresql" ) | quote ) }}
{{- $_ := set .Values.postgresql.url "plainport" ( ( printf "%v-%v:5432" .Release.Name "postgresql" ) | quote ) }}
{{- $_ := set .Values.postgresql.url "plainporthost" ( ( printf "%v-%v:5432" .Release.Name "postgresql" ) | quote ) }}
{{- $_ := set .Values.postgresql.url "complete" ( ( printf "postgresql://%v:%v@%v-postgresql:5432/%v" .Values.postgresql.postgresqlUsername $dbPass .Release.Name .Values.postgresql.postgresqlDatabase ) | quote ) }}
{{- $_ := set .Values.postgresql.url "complete-noql" ( ( printf "postgres://%v:%v@%v-postgresql:5432/%v" .Values.postgresql.postgresqlUsername $dbPass .Release.Name .Values.postgresql.postgresqlDatabase ) | quote ) }}
{{- $_ := set .Values.postgresql.url "jdbc" ( ( printf "jdbc:postgresql://%v-postgresql:5432/%v" .Release.Name .Values.postgresql.postgresqlDatabase ) | quote ) }}
{{- end }}
{{- end -}}
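Review bot: The `plainporthost` data key renders as `<release>-postgresql` with no `:5432` suffix, making it identical to `plainhost` on the following line, while the `.Values.postgresql.url "plainporthost"` entry further down and the mariadb/redis equivalents do include the port; any consumer that reads `plainporthost` from the Secret gets a host with no port. The line should be `plainporthost: {{ ( printf "%v-%v:5432" .Release.Name "postgresql" ) | b64enc | quote }}`. `$pghost` on the second line of the template is assigned and never used.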


@@ -0,0 +1,38 @@
{{/*
This template generates a random password and ensures it persists across updates/edits to the chart
*/}}
{{- define "tc.v1.common.dependencies.redis.injector" -}}
{{- $pghost := printf "%v-%v" .Release.Name "redis" }}
{{- if .Values.redis.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "tc.common.labels" . | nindent 4 }}
name: rediscreds
{{- $dbprevious := lookup "v1" "Secret" .Release.Namespace "rediscreds" }}
{{- $dbPass := "" }}
{{- $dbIndex := default "0" .Values.redis.redisDatabase }}
data:
{{- if $dbprevious }}
{{- $dbPass = ( index $dbprevious.data "redis-password" ) | b64dec }}
redis-password: {{ ( index $dbprevious.data "redis-password" ) }}
{{- else }}
{{- $dbPass = randAlphaNum 50 }}
redis-password: {{ $dbPass | b64enc | quote }}
{{- end }}
url: {{ ( printf "redis://%v:%v@%v-redis:6379/%v" .Values.redis.redisUsername $dbPass .Release.Name $dbIndex ) | b64enc | quote }}
plainhostpass: {{ ( printf "%v:%v@%v-redis" .Values.redis.redisUsername $dbPass .Release.Name ) | b64enc | quote }}
plainporthost: {{ ( printf "%v-%v:6379" .Release.Name "redis" ) | b64enc | quote }}
plainhost: {{ ( printf "%v-%v" .Release.Name "redis" ) | b64enc | quote }}
type: Opaque
{{- $_ := set .Values.redis "redisPassword" ( $dbPass | quote ) }}
{{- $_ := set .Values.redis.url "plain" ( ( printf "%v-%v" .Release.Name "redis" ) | quote ) }}
{{- $_ := set .Values.redis.url "plainhost" ( ( printf "%v-%v" .Release.Name "redis" ) | quote ) }}
{{- $_ := set .Values.redis.url "plainport" ( ( printf "%v-%v:6379" .Release.Name "redis" ) | quote ) }}
{{- $_ := set .Values.redis.url "plainporthost" ( ( printf "%v-%v:6379" .Release.Name "redis" ) | quote ) }}
{{- end }}
{{- end -}}
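Review bot: The `plainhostpass` key stores `user:password@host` as a second credential-bearing value next to `redis-password` and the full `url`, which doubles the places the secret lives without an obvious consumer in this change; either add a comment naming the consumer that needs that exact form or drop the key so rotation touches fewer values. When `.Values.redis.redisUsername` is empty the `url` line renders `redis://:<password>@…`, which most clients accept but which is an undocumented dependency on the default and deserves a sentence in the header comment. `$pghost` on the second line is a leftover from the postgresql template and is unused.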


@@ -0,0 +1,33 @@
{{/*
This template generates a random password and ensures it persists across updates/edits to the chart
*/}}
{{- define "tc.v1.common.dependencies.solr.injector" -}}
{{- $host := printf "%v-%v" .Release.Name "solr" }}
{{- if .Values.solr.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
labels:
{{- include "tc.common.labels" . | nindent 4 }}
name: solrcreds
{{- $solrprevious := lookup "v1" "Secret" .Release.Namespace "solrcreds" }}
{{- $solrPass := "" }}
data:
{{- if $solrprevious }}
{{- $solrPass = ( index $solrprevious.data "solr-password" ) | b64dec }}
solr-password: {{ ( index $solrprevious.data "solr-password" ) }}
{{- else }}
{{- $solrPass = randAlphaNum 50 }}
solr-password: {{ $solrPass | b64enc | quote }}
{{- end }}
url: {{ ( printf "http://%v:%v@%v-solr:8983/url/%v" .Values.solr.solrUsername $solrPass .Release.Name .Values.solr.solrCores ) | b64enc | quote }}
plainhost: {{ ( ( printf "%v-%v" .Release.Name "solr" ) ) | b64enc | quote }}
type: Opaque
{{- $_ := set .Values.solr "solrPassword" ( $solrPass | quote ) }}
{{- $_ := set .Values.solr.url "plain" ( ( printf "%v-%v" .Release.Name "solr" ) | quote ) }}
{{- $_ := set .Values.solr.url "plainhost" ( ( printf "%v-%v" .Release.Name "solr" ) | quote ) }}
{{- end }}
{{- end -}}
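Review bot: The `url` key is built with the path `/url/<cores>`, while the solr-wait container in values.yaml pings `:8983/solr/<cores>/admin/ping`, so `/url/` looks like a typo for Solr's `/solr/` base path and consumers of the `url` key would get a 404. The line should read `url: {{ ( printf "http://%v:%v@%v-solr:8983/solr/%v" .Values.solr.solrUsername $solrPass .Release.Name .Values.solr.solrCores ) | b64enc | quote }}`. The credential is also embedded in that plaintext `http://` URL unconditionally, even when the chart's `solrEnableAuthentication` is not `yes`; that is tolerable for in-cluster traffic but worth stating in the header comment so nobody hands the value to an external client.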


@@ -0,0 +1,29 @@
{{/* Return the appropriate apiVersion for PodMonitor */}}
{{- define "tc.v1.common.capabilities.podmonitor.apiVersion" -}}
{{- print "monitoring.coreos.com/v1" -}}
{{- end -}}
{{/* Return the appropriate apiVersion for ServiceMonitor */}}
{{- define "tc.v1.common.capabilities.servicemonitor.apiVersion" -}}
{{- print "monitoring.coreos.com/v1" -}}
{{- end -}}
{{/* Return the appropriate apiVersion for PrometheusRule */}}
{{- define "tc.v1.common.capabilities.prometheusrule.apiVersion" -}}
{{- print "monitoring.coreos.com/v1" -}}
{{- end -}}
{{/* Return the appropriate apiVersion for Ingress */}}
{{- define "tc.v1.common.capabilities.ingress.apiVersion" -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{/* Return the appropriate apiVersion for NetworkPolicy*/}}
{{- define "tc.v1.common.capabilities.networkpolicy.apiVersion" -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{/* Return the appropriate apiVersion for HorizontalPodAutoscaler aka HPA*/}}
{{- define "tc.v1.common.capabilities.hpa.apiVersion" -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
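Review bot: Each comment promises the "appropriate" apiVersion, but every body is a fixed `print`, so nothing consults `.Capabilities.APIVersions` and `autoscaling/v2` will be emitted even on clusters that only serve the `v2beta2` HPA API. Either guard the HPA helper with `{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}` and fall back to `autoscaling/v2beta2`, or reword the comments to state the assumption, e.g. `{{/* Fixed apiVersion for HorizontalPodAutoscaler; assumes Kubernetes >= 1.23 where autoscaling/v2 is GA */}}`. The same wording fix applies to the monitoring and networking helpers, whose versions are stable but still hard-coded.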


@@ -0,0 +1,13 @@
{{/* Returns if there are any auto-permissions enabled */}}
{{- define "tc.v1.common.lib.util.autoperms.detect" -}}
{{- $autoperms := false -}}
{{- range $name, $mount := .Values.persistence -}}
{{- if and $mount.enabled $mount.setPermissions -}}
{{- if $mount.readOnly -}}
{{- fail (printf "You cannot automatically set Permissions with readOnly enabled") -}}
{{- end -}}
{{- $autoperms = true -}}
{{- end -}}
{{- end }}
{{- $autoperms -}}
{{- end -}}
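Review bot: The `fail` on the `readOnly` branch does not say which persistence entry triggered it, so a chart with many mounts gives the user nothing to search for; `{{- fail (printf "persistence.%s: setPermissions cannot be combined with readOnly" $name) -}}` names it at no extra cost. The helper returns the strings `true`/`false` rather than a boolean, which is what the `eq (include …) "true"` comparison in values.yaml expects, but that contract should be in the header comment, e.g. `{{/* Returns the string "true" if any enabled persistence entry has setPermissions, else "false"; fails on readOnly + setPermissions */}}`.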


@@ -0,0 +1,89 @@
{{- define "tc.v1.common.lib.util.manifest.manage" -}}
{{- if .Values.manifests.enabled }}
{{- $fullName := include "ix.v1.common.names.fullname" . }}
---
apiVersion: batch/v1
kind: Job
metadata:
namespace: {{ .Release.Namespace }}
name: {{ $fullName }}-manifests
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-6"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
spec:
template:
spec:
serviceAccountName: {{ $fullName }}-manifests
containers:
- name: {{ $fullName }}-manifests
image: {{ .Values.kubectlImage.repository }}:{{ .Values.kubectlImage.tag }}
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
command:
- "/bin/sh"
- "-c"
- |
/bin/sh <<'EOF'
echo "installing manifests..."
kubectl apply --server-side --force-conflicts --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/{{ if .Values.manifests.staging }}staging{{ else }}manifests{{ end }} || kubectl apply --server-side --force-conflicts --grace-period 30 -k https://github.com/truecharts/manifests/{{ if .Values.manifests.staging }}staging{{ else }}manifests || echo "job failed..."{{ end }}
kubectl wait --namespace metallb-system --for=condition=ready pod --selector=app=metallb --timeout=90s || echo "metallb-system wait failed..."
kubectl wait --namespace cert-manager --for=condition=ready pod --selector=app=cert-manager --timeout=90s || echo "cert-manager wait failed..."
cmctl check api --wait=2m || echo "cmctl wait failed..."
EOF
volumeMounts:
- name: {{ $fullName }}-manifests-temp
mountPath: /tmp
- name: {{ $fullName }}-manifests-home
mountPath: /home/apps/
restartPolicy: Never
volumes:
- name: {{ $fullName }}-manifests-temp
emptyDir: {}
- name: {{ $fullName }}-manifests-home
emptyDir: {}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $fullName }}-manifests
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}-manifests
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $fullName }}-manifests
subjects:
- kind: ServiceAccount
name: {{ $fullName }}-manifests
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $fullName }}-manifests
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-weight": "-7"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
{{- end }}
{{- end -}}
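Review bot: The Job applies `-k https://github.com/truecharts/manifests/...` under a ServiceAccount bound to a ClusterRole with `*`/`*`/`*`, i.e. cluster-admin, and the remote kustomization is fetched unpinned, so whatever is on that repository's default branch at install or upgrade time is applied with full cluster privileges; a compromise of the repository or of the fetch path becomes a cluster takeover. Pin the source to an immutable ref, e.g. `-k "https://github.com/truecharts/manifests/manifests?ref={{ .Values.manifests.ref }}"` with a commit SHA in values, and narrow the ClusterRole to the groups the manifests actually need (presumably metallb, cert-manager and their CRDs, judging by the `kubectl wait` lines). The template placement on the apply line is also off: `{{ if .Values.manifests.staging }}staging{{ else }}manifests || echo "job failed..."{{ end }}` renders the fallback `echo` only in the non-staging branch, and in either branch a failed apply ends with exit 0, so the pre-install hook reports success after doing nothing. With `manifests.enabled: true` as the values.yaml default this runs for every installation unless explicitly opted out.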


@@ -0,0 +1,21 @@
{{/* Return the name of the primary ingress object */}}
{{- define "tc.v1.common.lib.util.ingress.primary" -}}
{{- $enabledIngresses := dict -}}
{{- range $name, $ingress := .Values.ingress -}}
{{- if $ingress.enabled -}}
{{- $_ := set $enabledIngresses $name . -}}
{{- end -}}
{{- end -}}
{{- $result := "" -}}
{{- range $name, $ingress := $enabledIngresses -}}
{{- if and (hasKey $ingress "primary") $ingress.primary -}}
{{- $result = $name -}}
{{- end -}}
{{- end -}}
{{- if not $result -}}
{{- $result = keys $enabledIngresses | first -}}
{{- end -}}
{{- $result -}}
{{- end -}}
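Review bot: `keys $enabledIngresses | first` on the fallback branch is not deterministic, because Sprig's `keys` does not order the keys of a dict, so with two or more enabled ingresses and none marked `primary` the helper can pick a different one on successive renders, which in turn changes which ingress the spawner leaves without a name suffix. Use `keys $enabledIngresses | sortAlpha | first` to make the choice stable. The `set $enabledIngresses $name .` line relies on `.` being the current range element, which is correct but reads more clearly as `$ingress`.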


@@ -0,0 +1,21 @@
{{/* Return the name of the primary metrics object */}}
{{- define "tc.v1.common.lib.util.metrics.primary" -}}
{{- $enabledIngresses := dict -}}
{{- range $name, $metrics := .Values.metrics -}}
{{- if $metrics.enabled -}}
{{- $_ := set $enabledIngresses $name . -}}
{{- end -}}
{{- end -}}
{{- $result := "" -}}
{{- range $name, $metrics := $enabledIngresses -}}
{{- if and (hasKey $metrics "primary") $metrics.primary -}}
{{- $result = $name -}}
{{- end -}}
{{- end -}}
{{- if not $result -}}
{{- $result = keys $enabledIngresses | first -}}
{{- end -}}
{{- $result -}}
{{- end -}}
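Review bot: `keys $enabledIngresses | first` on the fallback branch can return a different metrics entry on each render when several are enabled and none is marked `primary`, because Sprig's `keys` does not order dict keys; `keys $enabledIngresses | sortAlpha | first` makes the selection stable and therefore the generated object names stable across upgrades. The accumulator is also named `$enabledIngresses` inside a metrics helper, a copy-paste leftover that should be `$enabledMetrics` to keep the two helpers distinguishable when grepping.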


@@ -36,4 +36,5 @@
{{- include "ix.v1.common.util.envCheckDupes" (dict "root" .) -}}
{{- include "tc.v1.common.loader.apply" . | nindent 0 -}}
{{- end -}}


@@ -3,4 +3,6 @@
{{- include "ix.v1.common.values.init" . -}}
{{- include "ix.v1.common.loader.lists" . -}}
{{- include "tc.v1.common.loader.init" . -}}
{{- end -}}


@@ -0,0 +1,12 @@
{{- define "tc.v1.common.loader.apply" -}}
{{- include "tc.v1.common.spawner.ingress" . | nindent 0 -}}
{{- include "tc.v1.common.spawner.hpa" . | nindent 0 -}}
{{- include "tc.v1.common.spawner.networkpolicy" . | nindent 0 -}}
{{- include "tc.v1.common.spawner.metrics" . | nindent 0 -}}
{{- include "tc.v1.common.lib.util.manifest.manage" . | nindent 0 -}}
{{- end -}}


@@ -0,0 +1,33 @@
{{- define "tc.v1.common.loader.init" -}}
{{/* Autogenerate cnpg objects if needed */}}
{{- include "tc.v1.common.dependencies.cnpg.main" . }}
{{/* Autogenerate postgresql passwords if needed */}}
{{- include "tc.v1.common.dependencies.postgresql.injector" . }}
{{/* Autogenerate redis passwords if needed */}}
{{- include "tc.v1.common.dependencies.redis.injector" . }}
{{/* Autogenerate mariadb passwords if needed */}}
{{- include "tc.v1.common.dependencies.mariadb.injector" . }}
{{/* Autogenerate mongodb passwords if needed */}}
{{- include "tc.v1.common.dependencies.mongodb.injector" . }}
{{/* Autogenerate clickhouse passwords if needed */}}
{{- include "tc.v1.common.dependencies.clickhouse.injector" . }}
{{/* Autogenerate solr passwords if needed */}}
{{- include "tc.v1.common.dependencies.solr.injector" . }}
{{/* Enable code-server add-on if required */}}
{{- if .Values.addons.codeserver.enabled }}
{{- include "tc.v1.common.addon.codeserver" . }}
{{- end -}}
{{/* Enable VPN add-on if required */}}
{{- if ne "disabled" .Values.addons.vpn.type -}}
{{- include "tc.v1.common.addon.vpn" . }}
{{- end -}}
{{- end -}}


@@ -0,0 +1,19 @@
{{/*
Renders the configMap objects required by the chart.
*/}}
{{- define "tc.v1.common.spawner.hpa" -}}
{{/* Generate named configMaps as required */}}
{{- range $name, $hpa := .Values.horizontalPodAutoscaler -}}
{{- if $hpa.enabled -}}
{{- $hpaValues := $hpa -}}
{{/* set the default nameOverride to the hpa name */}}
{{- if not $hpaValues.nameOverride -}}
{{- $_ := set $hpaValues "nameOverride" $name -}}
{{- end -}}
{{- $_ := set $ "ObjectValues" (dict "hpa" $hpaValues) -}}
{{- include "tc.v1.common.class.hpa" $ -}}
{{- end -}}
{{- end -}}
{{- end -}}
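Review bot: The header comment says this template "Renders the configMap objects required by the chart" and the inner comment says "Generate named configMaps", but the body iterates `.Values.horizontalPodAutoscaler` and includes `tc.v1.common.class.hpa`; they should read `{{/* Renders the HorizontalPodAutoscaler objects required by the chart. */}}` and `{{/* Generate named HPAs as required */}}`. The `set $hpaValues "nameOverride" $name` call mutates `.Values` in place, which matches the other spawners, but a one-line note that later templates observe the mutated value would help the next reader.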


@@ -0,0 +1,33 @@
{{/* Renders the Ingress objects required by the chart */}}
{{- define "tc.v1.common.spawner.ingress" -}}
{{/* Generate named ingresses as required */}}
{{- range $name, $ingress := .Values.ingress -}}
{{- if $ingress.enabled -}}
{{- $ingressValues := $ingress -}}
{{/* set defaults */}}
{{- if and (not $ingressValues.nameOverride) (ne $name (include "tc.v1.common.lib.util.ingress.primary" $)) -}}
{{- $_ := set $ingressValues "nameOverride" $name -}}
{{- end -}}
{{- $_ := set $ "ObjectValues" (dict "ingress" $ingressValues) -}}
{{- include "tc.v1.common.class.ingress" $ -}}
{{- if and ( $ingressValues.tls ) ( not $ingressValues.clusterIssuer ) -}}
{{- range $index, $tlsValues := $ingressValues.tls -}}
{{- if and ( .scaleCert ) ( $.Values.global.ixChartContext ) -}}
{{- $nameOverride := ( printf "%v-%v" "tls" $index ) -}}
{{- if $ingressValues.nameOverride -}}
{{- $nameOverride = ( printf "%v-%v-%v" $ingressValues.nameOverride "tls" $index ) -}}
{{- end -}}
{{- $_ := set $tlsValues "nameOverride" $nameOverride -}}
{{- $_ := set $ "ObjectValues" (dict "certHolder" $tlsValues) -}}
{{- include "ix.v1.common.scale.cert.secret" $ -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}


@@ -0,0 +1,28 @@
{{/* Renders the Ingress objects required by the chart */}}
{{- define "tc.v1.common.spawner.metrics" -}}
{{/* Generate named metricses as required */}}
{{- range $name, $metrics := .Values.metrics -}}
{{- if $metrics.enabled -}}
{{- $metricsValues := $metrics -}}
{{/* set defaults */}}
{{- if and (not $metricsValues.nameOverride) (ne $name (include "tc.v1.common.lib.util.metrics.primary" $)) -}}
{{- $_ := set $metricsValues "nameOverride" $name -}}
{{- end -}}
{{- $_ := set $ "ObjectValues" (dict "metrics" $metricsValues) -}}
{{- if eq $metricsValues.type "podmonitor" -}}
{{- include "tc.v1.common.class.podmonitor" $ -}}
{{- else if eq $metricsValues.type "servicemonitor" -}}
{{- include "tc.v1.common.class.servicemonitor" $ -}}
{{- else -}}
{{/* TODO: Add Fail case */}}
{{- end -}}
{{- if $metricsValues.PrometheusRule -}}
{{- include "tc.v1.common.class.prometheusrule" $ -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
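Review bot: An unrecognised `type` lands in the `{{/* TODO: Add Fail case */}}` branch and silently renders nothing, so a typo such as `servicemonitr` leaves the workload unmonitored with no error at install time; replace the TODO with `{{- fail (printf "metrics.%s: unsupported type %q (expected podmonitor or servicemonitor)" $name $metricsValues.type) -}}`. The header comment also says "Renders the Ingress objects" and should read `{{/* Renders the metrics objects (PodMonitor/ServiceMonitor and optional PrometheusRule) required by the chart */}}`.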


@@ -0,0 +1,19 @@
{{/*
Renders the networkPolicy objects required by the chart.
*/}}
{{- define "tc.v1.common.spawner.networkpolicy" -}}
{{/* Generate named networkpolicy as required */}}
{{- range $name, $networkPolicy := .Values.networkPolicy -}}
{{- if $networkPolicy.enabled -}}
{{- $networkPolicyValues := $networkPolicy -}}
{{/* set the default nameOverride to the networkpolicy name */}}
{{- if not $networkPolicyValues.nameOverride -}}
{{- $_ := set $networkPolicyValues "nameOverride" $name -}}
{{- end -}}
{{- $_ := set $ "ObjectValues" (dict "networkPolicy" $networkPolicyValues) -}}
{{- include "tc.v1.common.class.networkpolicy" $ -}}
{{- end -}}
{{- end -}}
{{- end -}}


@@ -8,6 +8,67 @@ image:
tag: tag
pullPolicy: IfNotPresent
openvpnImage:
repository: tccr.io/truecharts/openvpn-client
tag: latest@sha256:1f83decdf614cbf48e2429921b6f0efa0e825f447f5c510b65bc90f660227688
pullPolicy: IfNotPresent
wireguardImage:
repository: tccr.io/truecharts/wireguard
tag: v1.0.20210914@sha256:9f56e5660e8df8d4d38521ed73a4cc29fa24bf578007bfbe633e00184e2ebfbc
pullPolicy: IfNotPresent
tailscaleImage:
repository: tailscale/tailscale
# TODO: Switch to stable once a v1.33.x is released
tag: v1.34.1@sha256:69bec9fdea25765e1b9dd129ccaeaf1e160f1132bb390535772fa939f0bf620b
pullPolicy: IfNotPresent
codeserverImage:
repository: tccr.io/truecharts/code-server
tag: 4.9.1@sha256:b339bd8f6da4c73c0259d6951991278aa1595a6be570a207ce635c75aac9893d
pullPolicy: IfNotPresent
alpineImage:
repository: tccr.io/truecharts/alpine
tag: v3.17.0@sha256:f8607e14a5e456c1b8fe50b7f0c9371b4aae543d23080f5e2fe0bdbb06d2413b
pullPolicy: IfNotPresent
scratchImage:
repository: tccr.io/truecharts/scratch
tag: latest@sha256:b4289ea433ec1308f6f2e8bff3f23bcd52b751ccb691284210ed826385ba9317
pullPolicy: IfNotPresent
kubectlImage:
repository: tccr.io/truecharts/kubectl
tag: v1.26.0@sha256:e56d1c8dd3ba85bb8410cc9f5c04f03f814e4b76ffcc7f12730868faba5b9c52
pullPolicy: IfNotPresent
wgetImage:
repository: tccr.io/truecharts/wget
tag: v0.0.1
pullPolicy: IfNotPresent
postgresClientImage:
repository: tccr.io/truecharts/db-wait-postgresql
tag: v0.0.1
pullPolicy: IfNotPresent
mariadbClientImage:
repository: tccr.io/truecharts/db-wait-mariadb
tag: v0.0.1
pullPolicy: IfNotPresent
redisClientImage:
repository: tccr.io/truecharts/db-wait-redis
tag: v0.0.1
pullPolicy: IfNotPresent
mongodbClientImage:
repository: tccr.io/truecharts/db-wait-mongodb
tag: v0.0.1
pullPolicy: IfNotPresent
# Defines the image that will be used
imageSelector: ""
@@ -243,6 +304,7 @@ global:
backoffLimit: 6
completionMode: NonIndexed
# - Bellow values are needed (in addition to the default global)
# as those are being referenced on other values in values.yaml sometimes
@@ -273,6 +335,11 @@ resources:
cpu: 10m
memory: 50Mi
# -- Used to inject our own operator manifests into SCALE
manifests:
enabled: true
staging: false
nameOverride: ""
fullnameOverride: ""
@@ -295,18 +362,6 @@ runtimeClassName: ""
tolerations: []
# podSecurityContext:
# fsGroup: 568
# fsGroupChangePolicy: OnRootMismatch
# securityContext:
# runAsUser: 568
# runAsGroup: 568
# privileged: false
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
# runAsNonRoot: true
termination:
messagePath: ""
messagePolicy: ""
@@ -340,6 +395,275 @@ controller:
# -- Set statefulset RollingUpdate partition
partition:
additionalContainers: {}
systemContainers:
auto-permissions:
enabled: '{{ if or ( eq ( include "tc.v1.common.lib.util.autoperms.detect" $ ) "true" ) ( and ( .Values.addons.vpn.configFile.enabled ) ( ne .Values.addons.vpn.type "disabled" ) ( ne .Values.addons.vpn.type "tailscale" ) ) }}true{{ else }}false{{ end }}'
imageSelector: alpineImage
securityContext:
runAsUser: 0
runAsNonRoot: false
resources:
inherit: true
command:
- "/bin/sh"
- "-c"
- |
/bin/sh <<'EOF'
echo "Automatically correcting permissions..."
{{- $hostPathMounts := dict -}}
{{- range $name, $mount := .Values.persistence -}}
{{- if and $mount.enabled $mount.setPermissions -}}
{{- $name = default ( $name| toString ) $mount.name -}}
{{- $_ := set $hostPathMounts $name $mount -}}
{{- end -}}
{{- end }}
{{- if and ( .Values.addons.vpn.configFile.enabled ) ( ne .Values.addons.vpn.type "disabled" ) ( ne .Values.addons.vpn.type "tailscale" ) }}
echo "Automatically correcting permissions for vpn config file..."
/usr/sbin/nfs4xdr_winacl -a chown -O 568 -G 568 -c /vpn/vpn.conf -p /vpn/vpn.conf || echo "Failed setting permissions..."
{{- end }}
{{- range $_, $hpm := $hostPathMounts }}
echo "Automatically correcting permissions for {{ $hpm.mountPath }}..."
/usr/sbin/nfs4xdr_winacl -a chown -G {{ $.Values.podSecurityContext.fsGroup | default $.Values.global.defaults.podSecurityContext.fsGroup }} -r -c {{ tpl $hpm.mountPath $ | squote }} -p {{ tpl $hpm.mountPath $ | squote }} || echo "Failed setting permissions..."
{{- end }}
EOF
volumeMounts:
- inherit: "setPermissions"
redis-wait:
enabled: "{{ if .Values.redis.enabled }}true{{ else }}false{{ end }}"
imageSelector: redisClientImage
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
inherit: true
env:
REDIS_HOST:
secretKeyRef:
name: rediscreds
key: plainhost
REDIS_PASSWORD:
secretKeyRef:
name: rediscreds
key: redis-password
REDIS_PORT:
value: "6379"
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Executing DB waits..."
[[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD";
export LIVE=false;
until "$LIVE";
do
response=$(
timeout -s 3 2 \
redis-cli \
-h "$REDIS_HOST" \
-p "$REDIS_PORT" \
ping
)
if [ "$response" == "PONG" ] || [ "$response" == "LOADING Redis is loading the dataset in memory" ]; then
LIVE=true
echo "$response"
echo "Redis Responded, ending initcontainer and starting main container(s)..."
else
echo "$response"
echo "Redis not responding... Sleeping for 10 sec..."
sleep 10
fi;
done
EOF
mariadb-wait:
enabled: "{{ if .Values.mariadb.enabled }}true{{ else }}false{{end}}"
imageSelector: mariadbClientImage
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
inherit: true
env:
MARIADB_HOST:
secretKeyRef:
name: mariadbcreds
key: plainhost
MARIADB_ROOT_PASSWORD:
secretKeyRef:
name: mariadbcreds
key: mariadb-root-password
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Executing DB waits..."
until
mysqladmin -uroot -h"${MARIADB_HOST}" -p"${MARIADB_ROOT_PASSWORD}" ping \
&& mysqladmin -uroot -h"${MARIADB_HOST}" -p"${MARIADB_ROOT_PASSWORD}" status;
do sleep 2;
done
EOF
mongodb-wait:
enabled: "{{ if .Values.mongodb.enabled }}true{{ else }}false{{end}}"
imageSelector: mongodbClientImage
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
inherit: true
env:
MONGODB_HOST:
secretKeyRef:
name: mongodbcreds
key: plainhost
MONGODB_DATABASE:
value: "{{ .Values.mongodb.mongodbDatabase }}"
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Executing DB waits..."
until
HOME=/config && echo "db.runCommand(\"ping\")" | mongosh --host ${MONGODB_HOST} --port 27017 ${MONGODB_DATABASE} --quiet;
do sleep 2;
done
EOF
clickhouse-wait:
enabled: "{{ if .Values.clickhouse.enabled }}true{{ else }}false{{end}}"
imageSelector: alpineImage
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
inherit: true
env:
CLICKHOUSE_PING:
secretKeyRef:
name: clickhousecreds
key: ping
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Executing DB waits..."
until wget --quiet --tries=1 --spider "${CLICKHOUSE_PING}"; do
echo "ClickHouse - no response. Sleeping 2 seconds..."
sleep 2
done
echo "ClickHouse - accepting connections"
EOF
solr-wait:
enabled: "{{ if .Values.solr.enabled }}true{{ else }}false{{end}}"
imageSelector: wgetImage
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
inherit: true
env:
SOLR_HOST:
secretKeyRef:
name: solrcreds
key: plainhost
SOLR_CORES:
value: "{{ .Values.solr.solrCores }}"
SOLR_ENABLE_AUTHENTICATION:
value: "{{ .Values.solr.solrEnableAuthentication }}"
SOLR_ADMIN_USERNAME:
value: "{{ .Values.solr.solrUsername }}"
SOLR_ADMIN_PASSWORD:
secretKeyRef:
name: solrcreds
key: solr-password
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Executing DB waits..."
if [ "$SOLR_ENABLE_AUTHENTICATION" == "yes" ]; then
until curl --fail --user "${SOLR_ADMIN_USERNAME}":"${SOLR_ADMIN_PASSWORD}" "${SOLR_HOST}":8983/solr/"${SOLR_CORES}"/admin/ping; do
echo "Solr is not responding... Sleeping 2 seconds..."
sleep 2
done
else
until curl --fail "${SOLR_HOST}":8983/solr/"${SOLR_CORES}"/admin/ping; do
echo "Solr is not responding... Sleeping 2 seconds..."
sleep 2
done
fi;
EOF
postgresql-wait:
enabled: "{{ if .Values.postgresql.enabled }}true{{ else }}false{{end}}"
imageSelector: postgresClientImage
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
inherit: true
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Executing DB waits..."
{{- $pghost := printf "%v-%v" .Release.Name "postgresql" }}
until
pg_isready -U {{ .Values.postgresql.postgresqlUsername }} -h {{ $pghost }}
do sleep 2
done
EOF
cnpg-wait:
enabled: "{{ if .Values.cnpg.enabled }}true{{ else }}false{{end}}"
imageSelector: postgresClientImage
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
resources:
inherit: true
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Executing DB waits..."
{{- $cnpgName := include "ix.v1.common.names.fullname" . -}}
{{- $cnpgName = printf "%v-%v" $cnpgName "cnpg" -}}
{{- $pghost := printf "%s-rw" $cnpgName }}
until
pg_isready -U {{ .Values.cnpg.user }} -h {{ $pghost }}
do sleep 2
done
until
pg_isready -U {{ .Values.cnpg.user }} -h pooler-{{ $pghost }}
do sleep 2
done
EOF
initContainers: {}
# -- Configure the services for the chart here.
# Additional services can be added by adding a dictionary key similar to the 'main' service.
# @default -- See below
@@ -374,8 +698,7 @@ service:
# [[ref]](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
nodePort:
# TODO: Discuss if we are going to add defaults like:
# - /dev/shm
persistence:
# -- Create an emptyDir volume dedicated to be shared between all containers
# [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#emptydir)
@@ -398,9 +721,359 @@ persistence:
type: emptyDir
mountPath: /tmp
# -- Create an emptyDir volume to for /dev/shm
# [[ref]]https://kubernetes.io/docs/concepts/storage/volumes/#emptydir)
# @default -- See below
shm:
enabled: true
type: emptyDir
mountPath: /dev/shm
medium: Memory
# -- Used in conjunction with `controller.type: StatefulSet` to create individual disks for each instance.
volumeClaimTemplates: {}
# data:
# mountPath: /data
# accessMode: "ReadWriteOnce"
# size: 1Gi
# -- Configure the ingresses for the chart here.
# Additional ingresses can be added by adding a dictionary key similar to the 'main' ingress.
# @default -- See below
ingress:
main:
# -- Enables or disables the ingress
enabled: false
# -- Make this the primary ingress (used in probes, notes, etc...).
# If there is more than 1 ingress, make sure that only 1 ingress is marked as primary.
primary: true
# -- Override the name suffix that is used for this ingress.
nameOverride:
# -- Autolink the ingress to a service and port, both with the same name as the ingress.
autoLink: false
# -- disable to ignore any default middlwares
enableFixedMiddlewares: true
# -- set the Cert-Manager clusterissuer for this ingress
clusterIssuer: ""
# -- List of middlewares in the traefikmiddlewares k8s namespace to add automatically
# Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
# Primarily used for TrueNAS SCALE to add additional (seperate) middlewares without exposing them to the end-user
fixedMiddlewares:
- chain-basic
# -- Additional List of middlewares in the traefikmiddlewares k8s namespace to add automatically
# Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names
middlewares: []
annotationsList: []
# - name: somename
# value: somevalue
# -- Provide additional annotations which may be required.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labelsList: []
# - name: somename
# value: somevalue
# -- Set labels on the deployment/statefulset/daemonset
# -- Provide additional labels which may be required.
# -- Provide additional labels which may be required.
labels: {}
# -- Set the ingressClass that is used for this ingress.
# Requires Kubernetes >=1.19
ingressClassName: # "nginx"
## Configure the hosts for the ingress
hosts:
- # -- Host address. Helm template can be passed.
host: chart-example.local
## Configure the paths for the host
paths:
- # -- Path. Helm template can be passed.
path: /
# -- Ignored if not kubeVersion >= 1.14-0
pathType: Prefix
service:
# -- Overrides the service name reference for this path
name:
# -- Overrides the service port reference for this path
port:
# -- Configure TLS for the ingress. Both secretName and hosts can process a Helm template.
# Gets ignored when clusterIssuer is filled
tls: []
# - secretName: chart-example-tls
# # Cannot be combined with scaleCert
# clusterIssuer: ""
# # Cannot be combined with clusterIssuer
# scaleCert: ""
# hosts:
# - chart-example.local
metrics:
main:
enabled: false
# options: servicemonitor, podmonitor
type: "servicemonitor"
# defaults to selectorLabels
matchLabels: ""
endpoints:
port: ""
interval: ""
scrapeTimeout: ""
path: ""
honorLabels: ""
prometheusRule:
enabled: false
groups: {}
# somegroup:
# # list of rules
# rules: []
# # list to support adding rules via the SCALE GUI without overwrithing the rules
# additionalrules: []
# List to support adding groups using the SCALE GUI
additionalgroups:
#- name: "somegroup"
# # list of rules
# rules: []
# # list to support adding rules via the SCALE GUI without overwrithing the rules
# additionalrules: []
# -- The common chart supports several add-ons. These can be configured under this key.
# @default -- See below
addons:
# -- The common chart supports adding a VPN add-on. It can be configured under this key.
# For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#wireguard-vpn)
# @default -- See values.yaml
vpn:
# -- Specify the VPN type. Valid options are disabled, openvpn, wireguard or tailscale
type: disabled
# -- OpenVPN specific configuration
# @default -- See below
openvpn:
# -- Credentials to connect to the VPN Service (used with -a)
# Only using password is enough
username: ""
password: ""
# -- Tailscale specific configuration
# @default -- See below
# See more info for the configuration
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh
tailscale:
# -- Auth key to connect to the VPN Service
authkey: ""
# As a sidecar, it should only need to run in userspace
userspace: true
auth_once: true
accept_dns: false
routes: ""
dest_ip: ""
sock5_server: ""
extra_args: ""
daemon_extra_args: ""
outbound_http_proxy_listen: ""
# -- Annotations for tailscale sidecar
annotations: {}
killSwitch: true
excludedNetworks_IPv4: []
excludedNetworks_IPv6: []
# -- Set the VPN container specific securityContext
# @default -- See values.yaml
securityContext: {}
# -- All variables specified here will be added to the vpn sidecar container
# See the documentation of the VPN image for all config values
env: {}
# TZ: UTC
# -- All variables specified here will be added to the vpn sidecar container
# See the documentation of the VPN image for all config values
envList: []
# - name: someenv
# value: somevalue
# -- Provide a customized vpn configuration file to be used by the VPN.
configFile:
enabled: true
type: hostPath
# -- Which path on the host should be mounted.
hostPath: /vpn/vpn.conf
noMount: true
# -- Specifying a hostPathType adds a check before trying to mount the path.
# See Kubernetes documentation for options.
hostPathType: "File"
# -- The common library supports adding a code-server add-on to access files. It can be configured under this key.
# For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#code-server)
# @default -- See values.yaml
codeserver:
# -- Enable running a code-server container in the pod
enabled: false
# -- Set any environment variables for code-server here
env: {}
# TZ: UTC
# -- All variables specified here will be added to the codeserver sidecar container
# See the documentation of the codeserver image for all config values
envList: []
# - name: someenv
# value: somevalue
# -- Set codeserver command line arguments.
# Consider setting --user-data-dir to a persistent location to preserve code-server setting changes
args:
- --auth
- none
# - --user-data-dir
# - "/config/.vscode"
# -- Specify the working dir that will be opened when code-server starts
# If not given, the app will default to the mountpah of the first specified volumeMount
workingDir: "/"
# -- Optionally allow access a Git repository by passing in a private SSH key
# @default -- See below
git:
# -- Raw SSH private key
deployKey: ""
# -- Base64-encoded SSH private key. When both variables are set, the raw SSH key takes precedence.
deployKeyBase64: ""
# -- Existing secret containing SSH private key
# The chart expects it to be present under the `id_rsa` key.
deployKeySecret: ""
service:
# -- Enable a service for the code-server add-on.
enabled: true
type: ClusterIP
# Specify the default port information
ports:
codeserver:
port: 12321
enabled: true
protocol: TCP
targetPort: 12321
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
# nodePort: 36107
ingress:
# -- Enable an ingress for the code-server add-on.
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
labels: {}
hosts:
- host: code.chart-example.local
paths:
- path: /
# Ignored if not kubeVersion >= 1.14-0
pathType: Prefix
tls: []
##
# This section contains some-preconfig for frequently used dependencies
##
# -- Postgresql dependency configuration
# @default -- See below
postgresql:
enabled: false
existingSecret: "dbcreds"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
url: {}
manifests:
enabled: false
cnpg:
enabled: false
# -- number of instances for both postgres and pgbouncer
instances: 2
database: "app"
user: "app"
# password:
# superUserPassword:
# -- change to supervised to disable unsupervised updates
# Example of rolling update strategy:
# - unsupervised: automated update of the primary once all
# replicas have been upgraded (default)
# - supervised: requires manual supervision to perform
# the switchover of the primary
primaryUpdateStrategy: unsupervised
# -- enable to create extra pgbouncer for readonly access
acceptRO: false
# -- storage size for the two pvc's per instance
storage:
size: "256Gi"
walsize: "256Gi"
# -- set to enable prometheus metrics
monitoring:
enablePodMonitor: true
# -- contains credentials and urls output by generator
creds: {}
# -- Redis dependency configuration
# @default -- See below
redis:
enabled: false
existingSecret: "rediscreds"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
url: {}
manifests:
enabled: false
# -- mariadb dependency configuration
# @default -- See below
mariadb:
enabled: false
existingSecret: "mariadbcreds"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
url: {}
manifests:
enabled: false
# -- mongodb dependency configuration
# @default -- See below
mongodb:
enabled: false
existingSecret: "mongodbcreds"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
url: {}
manifests:
enabled: false
# -- clickhouse dependency configuration
# @default -- See below
clickhouse:
enabled: false
existingSecret: "clickhousecreds"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
url: {}
manifests:
enabled: false
# -- solr dependency configuration
# @default -- See below
solr:
enabled: false
solrCores: 1
solrEnableAuthentication: "no"
existingSecret: "solrcreds"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
url: {}
manifests:
enabled: false