diff --git a/.vib/chainloop/ginkgo/chainloop_suite_test.go b/.vib/chainloop/ginkgo/chainloop_suite_test.go
new file mode 100644
index 00000000000000..bc5d43bcd52f4c
--- /dev/null
+++ b/.vib/chainloop/ginkgo/chainloop_suite_test.go
@@ -0,0 +1,31 @@
+package chainloop_test
+
+import (
+ "flag"
+ "testing"
+ "time"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+var (
+ kubeconfig string
+ releaseName string
+ namespace string
+ timeoutSeconds int
+ timeout time.Duration
+)
+
+func init() {
+ flag.StringVar(&kubeconfig, "kubeconfig", "", "absolute path to the kubeconfig file")
+ flag.StringVar(&releaseName, "name", "", "name of the primary statefulset")
+ flag.StringVar(&namespace, "namespace", "", "namespace where the application is running")
+ flag.IntVar(&timeoutSeconds, "timeout", 500, "timeout in seconds")
+ timeout = time.Duration(timeoutSeconds) * time.Second
+}
+
+func TestChainloop(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Chainloop Persistence Test Suite")
+}
diff --git a/.vib/chainloop/ginkgo/chainloop_test.go b/.vib/chainloop/ginkgo/chainloop_test.go
new file mode 100644
index 00000000000000..88ea6fc79b02f3
--- /dev/null
+++ b/.vib/chainloop/ginkgo/chainloop_test.go
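Review bot: `timeout` is derived inside `init()`, which runs before the test binary has parsed its command line, so `timeoutSeconds` still holds its default of 500 when `timeout = time.Duration(timeoutSeconds) * time.Second` executes and the `-timeout` flag never takes effect. Move that conversion to after flag parsing, for example as the first statement of `TestChainloop` (the `testing` package parses flags before any Test function runs): `timeout = time.Duration(timeoutSeconds) * time.Second`. The help text of the `-name` flag, `"name of the primary statefulset"`, is also misleading, since chainloop_test.go uses the value as the Helm release prefix for Deployment and Service names; `"name of the Helm release"` describes it accurately.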
@@ -0,0 +1,159 @@
+package chainloop_test
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ utils "github.com/bitnami/charts/.vib/common-tests/ginkgo-utils"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ appsv1 "k8s.io/api/apps/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+)
+
+const (
+ PollingInterval = 1 * time.Second
+)
+
+// portDefinition is a struct to define a port in a service
+type portDefinition struct {
+ name string
+ number string
+}
+
+var _ = Describe("Chainloop", Ordered, func() {
+ var c *kubernetes.Clientset
+ var ctx context.Context
+ var cancel context.CancelFunc
+
+ BeforeEach(func() {
+ ctx, cancel = context.WithCancel(context.Background())
+
+ conf := utils.MustBuildClusterConfig(kubeconfig)
+ c = kubernetes.NewForConfigOrDie(conf)
+ })
+
+ When("Chainloop chart is fully deployed", func() {
+ It("cas deployment is running", func() {
+ getReadyReplicas := func(ss *appsv1.Deployment) int32 { return ss.Status.ReadyReplicas }
+ getOpts := metav1.GetOptions{}
+
+ By("checking all the replicas are available")
+ stsName := fmt.Sprintf("%s-cas", releaseName)
+ dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(dpl.Status.Replicas).NotTo(BeZero())
+ origReplicas := *dpl.Spec.Replicas
+
+ Eventually(func() (*appsv1.Deployment, error) {
+ return c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ }, timeout, PollingInterval).Should(WithTransform(getReadyReplicas, Equal(origReplicas)))
+
+ By("checking all the services are available")
+ svcs := []struct {
+ name string
+ ports []portDefinition
+ }{
+ {
+ name: "cas",
+ ports: []portDefinition{
+ {
+ name: "http",
+ number: "80",
+ },
+ },
+ },
+ {
+ name: "cas-api",
+ ports: []portDefinition{
+ {
+ name: "grpc",
+ number: "80",
+ },
+ },
+ },
+ }
+
+ for _, inSvc := range svcs {
+ svcName := fmt.Sprintf("%v-%v", releaseName, inSvc.name)
+ svc, err := c.CoreV1().Services(namespace).Get(ctx, svcName, metav1.GetOptions{})
+ Expect(err).NotTo(HaveOccurred())
+
+ for _, port := range inSvc.ports {
+ outPort, err := utils.SvcGetPortByName(svc, port.name)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(outPort).NotTo(BeNil())
+ Expect(outPort).To(Equal(port.number))
+ }
+ }
+
+ By("checking main container image is running")
+ _, err = utils.DplGetContainerImage(dpl, "cas")
+ Expect(err).NotTo(HaveOccurred())
+ })
+
+ It("controlplane deployment is running", func() {
+ getReadyReplicas := func(ss *appsv1.Deployment) int32 { return ss.Status.ReadyReplicas }
+ getOpts := metav1.GetOptions{}
+
+ By("checking all the replicas are available")
+ stsName := fmt.Sprintf("%s-controlplane", releaseName)
+ dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(dpl.Status.Replicas).NotTo(BeZero())
+ origReplicas := *dpl.Spec.Replicas
+
+ Eventually(func() (*appsv1.Deployment, error) {
+ return c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ }, timeout, PollingInterval).Should(WithTransform(getReadyReplicas, Equal(origReplicas)))
+
+ By("checking all the services are available")
+ svcs := []struct {
+ name string
+ ports []portDefinition
+ }{
+ {
+ name: "controlplane",
+ ports: []portDefinition{
+ {
+ name: "http",
+ number: "80",
+ },
+ },
+ },
+ {
+ name: "controlplane-api",
+ ports: []portDefinition{
+ {
+ name: "grpc",
+ number: "80",
+ },
+ },
+ },
+ }
+
+ for _, inSvc := range svcs {
+ svcName := fmt.Sprintf("%v-%v", releaseName, inSvc.name)
+ svc, err := c.CoreV1().Services(namespace).Get(ctx, svcName, metav1.GetOptions{})
+ Expect(err).NotTo(HaveOccurred())
+
+ for _, port := range inSvc.ports {
+ outPort, err := utils.SvcGetPortByName(svc, port.name)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(outPort).NotTo(BeNil())
+ Expect(outPort).To(Equal(port.number))
+ }
+ }
+
+ By("checking main container image is running")
+ _, err = utils.DplGetContainerImage(dpl, "controlplane")
+ Expect(err).NotTo(HaveOccurred())
+ })
+ })
+
+ AfterEach(func() {
+ cancel()
+ })
+})
diff --git a/.vib/chainloop/ginkgo/go.mod b/.vib/chainloop/ginkgo/go.mod
new file mode 100644
index 00000000000000..a6756abfb16064
--- /dev/null
+++ b/.vib/chainloop/ginkgo/go.mod
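Review bot: The two `It` bodies are the same fifty-odd lines with only the component name and the service names swapped, so any later fix to the readiness or port checks has to be applied twice; that duplication is the point of style I would raise. A helper closure taking the component name and its service list, with the anonymous `svcs` element struct promoted to a named `svcDefinition` type beside `portDefinition`, reduces each spec to a few lines, as sketched below. While there, the local `stsName` and the `ss` parameter of `getReadyReplicas` name a Deployment, not a StatefulSet, so `dplName` and `d` read more accurately. `Expect(outPort).NotTo(BeNil())` immediately before `Expect(outPort).To(Equal(port.number))` is also redundant, since the `Equal` match already fails on a nil actual.
```go
// svcDefinition names a Service created by the chart and the ports it must expose.
type svcDefinition struct {
	name  string
	ports []portDefinition
}

// … unchanged: Describe header, client/ctx variables, BeforeEach …

	// expectDeploymentReady asserts that the <release>-<component> Deployment has all
	// of its replicas ready, that every listed Service exposes the expected ports, and
	// that the main container image can be resolved.
	expectDeploymentReady := func(component string, svcs []svcDefinition) {
		getReadyReplicas := func(d *appsv1.Deployment) int32 { return d.Status.ReadyReplicas }
		getOpts := metav1.GetOptions{}

		By("checking all the replicas are available")
		dplName := fmt.Sprintf("%s-%s", releaseName, component)
		dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, dplName, getOpts)
		Expect(err).NotTo(HaveOccurred())
		Expect(dpl.Status.Replicas).NotTo(BeZero())
		origReplicas := *dpl.Spec.Replicas

		Eventually(func() (*appsv1.Deployment, error) {
			return c.AppsV1().Deployments(namespace).Get(ctx, dplName, getOpts)
		}, timeout, PollingInterval).Should(WithTransform(getReadyReplicas, Equal(origReplicas)))

		By("checking all the services are available")
		for _, inSvc := range svcs {
			// … unchanged: Service lookup and per-port assertions …
		}

		By("checking main container image is running")
		_, err = utils.DplGetContainerImage(dpl, component)
		Expect(err).NotTo(HaveOccurred())
	}

	When("Chainloop chart is fully deployed", func() {
		It("cas deployment is running", func() {
			expectDeploymentReady("cas", []svcDefinition{
				{name: "cas", ports: []portDefinition{{name: "http", number: "80"}}},
				{name: "cas-api", ports: []portDefinition{{name: "grpc", number: "80"}}},
			})
		})

		It("controlplane deployment is running", func() {
			expectDeploymentReady("controlplane", []svcDefinition{
				{name: "controlplane", ports: []portDefinition{{name: "http", number: "80"}}},
				{name: "controlplane-api", ports: []portDefinition{{name: "grpc", number: "80"}}},
			})
		})
	})

	// … unchanged: AfterEach …
```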
@@ -0,0 +1,57 @@ +module test-chainloop-chart + +go 1.20 + +replace github.com/bitnami/charts/.vib/common-tests/ginkgo-utils => ../../common-tests/ginkgo-utils + +require ( + github.com/bitnami/charts/.vib/common-tests/ginkgo-utils v0.0.0-00010101000000-000000000000 + github.com/onsi/ginkgo/v2 v2.11.0 + github.com/onsi/gomega v1.27.8 + k8s.io/api v0.28.0 + k8s.io/apimachinery v0.28.0 + k8s.io/client-go v0.28.0 +) + +require ( + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.3 // indirect + github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.5.9 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect + github.com/google/uuid v1.3.0 // indirect + github.com/imdario/mergo v0.3.6 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/spf13/pflag v1.0.5 // indirect + golang.org/x/net v0.23.0 // indirect + golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/sys v0.18.0 // indirect + golang.org/x/term v0.18.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.3.0 // indirect + golang.org/x/tools v0.9.3 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.33.0 // indirect 
+ gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect + k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect +) diff --git a/.vib/chainloop/ginkgo/go.sum b/.vib/chainloop/ginkgo/go.sum new file mode 100644 index 00000000000000..5d481c1be1d259 --- /dev/null +++ b/.vib/chainloop/ginkgo/go.sum 
@@ -0,0 +1,160 @@ +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= 
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= +github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= +github.com/onsi/gomega v1.27.8 
h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc= +github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod 
h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod 
h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod 
h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM= +k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY= +k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA= +k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= +k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM= +k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod 
h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/.vib/chainloop/runtime-parameters.yaml b/.vib/chainloop/runtime-parameters.yaml new file mode 100644 index 00000000000000..7b801bc9944934 --- /dev/null +++ b/.vib/chainloop/runtime-parameters.yaml @@ -0,0 +1,7 @@ +development: true +controlplane: + auth: + oidc: + url: http://chainloop-dex:5556/dex + clientID: chainloop-dev + clientSecret: ZXhhbXBsZS1hcHAtc2VjcmV0 \ No newline at end of file diff --git a/.vib/chainloop/vib-publish.json b/.vib/chainloop/vib-publish.json new file mode 100644 index 00000000000000..bcd64c92a36dcb --- /dev/null +++ b/.vib/chainloop/vib-publish.json @@ -0,0 +1,38 @@ +{ + "phases": { + "package": { + "context": { + "resources": { + "url": "{SHA_ARCHIVE}", + "path": "/bitnami/chainloop" + } + }, + "actions": [ + { + "action_id": "helm-package" + }, + { + "action_id": "helm-lint" + } + ] + }, + "publish": { + "actions": [ + { + "action_id": "helm-publish", + "params": { + "repository": { + "kind": "S3", + "url": "{VIB_ENV_S3_URL}", + "authn": { + "access_key_id": "{VIB_ENV_S3_ACCESS_KEY_ID}", + "secret_access_key": "{VIB_ENV_S3_SECRET_ACCESS_KEY}", + "role": "{VIB_ENV_S3_ROLE_ARN}" + } + } + } + } + ] + } + } +} \ No newline at end of file 
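Review bot: `clientSecret: ZXhhbXBsZS1hcHAtc2VjcmV0` commits an OIDC client secret to the repository in the clear, since base64 is an encoding rather than encryption, and `url: http://chainloop-dex:5556/dex` points the controlplane at Dex over plain HTTP. Both are presumably fine for the throwaway VIB verify cluster this file feeds, but nothing in the file says so, so secret scanners will flag the value and a reader may copy the pattern into a real values override. A leading comment makes the intent explicit: `# Values for the ephemeral VIB verify cluster only; the Dex client secret below is a test fixture, not a production credential.` The file also lacks a trailing newline.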
diff --git a/.vib/chainloop/vib-verify.json b/.vib/chainloop/vib-verify.json new file mode 100644 index 00000000000000..ea0e422d929209 --- /dev/null +++ b/.vib/chainloop/vib-verify.json @@ -0,0 +1,49 @@ +{ + "phases": { + "package": { + "context": { + "resources": { + "url": "{SHA_ARCHIVE}", + "path": "/bitnami/chainloop" + } + }, + "actions": [ + { + "action_id": "helm-package" + }, + { + "action_id": "helm-lint" + } + ] + }, + "verify": { + "context": { + "resources": { + "url": "{SHA_ARCHIVE}", + "path": "/bitnami/chainloop" + }, + "target_platform": { + "target_platform_id": "{VIB_ENV_TARGET_PLATFORM}", + "size": { + "name": "S4" + } + } + }, + "actions": [ + { + "action_id": "ginkgo", + "params": { + "resources": { + "path": "/.vib/chainloop/ginkgo" + }, + "params": { + "kubeconfig": "{{kubeconfig}}", + "namespace": "{{namespace}}", + "name": "chainloop" + } + } + } + ] + } + } +} \ No newline at end of file diff --git a/bitnami/chainloop/.helmignore b/bitnami/chainloop/.helmignore new file mode 100644 index 00000000000000..0e8a0eb36f4ca2 --- /dev/null +++ b/bitnami/chainloop/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md new file mode 100644 index 00000000000000..a45fbebed24e7e --- /dev/null +++ b/bitnami/chainloop/CHANGELOG.md @@ -0,0 +1,5 @@ +# Changelog + +## 0.1.0 (2024-08-08) + +* New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100)) diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock new file mode 100644 index 00000000000000..1e85c2651b3275 --- /dev/null 
+++ b/bitnami/chainloop/Chart.lock @@ -0,0 +1,12 @@ +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.21.0 +- name: postgresql + repository: oci://registry-1.docker.io/bitnamicharts + version: 15.5.20 +- name: vault + repository: oci://registry-1.docker.io/bitnamicharts + version: 1.4.18 +digest: sha256:3c8f91b4005b34cdb16f4e4603cc641d4f8c1b2107be8b8499af72ff6a540015 +generated: "2024-08-08T18:05:43.024689+02:00" diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml new file mode 100644 index 00000000000000..414f7208b7bfcc --- /dev/null +++ b/bitnami/chainloop/Chart.yaml 
@@ -0,0 +1,66 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+annotations:
+ category: DeveloperTools
+ license: Apache-2.0
+ images: |
+ - image: docker.io/bitnami/chainloop-artifact-cas:0.95.3-debian-12-r0
+ name: artifact-cas
+ - image: docker.io/bitnami/chainloop-control-plane:0.95.3-debian-12-r0
+ name: control-plane
+ - image: docker.io/bitnami/chainloop-control-plane-migrations:0.95.3-debian-12-r0
+ name: control-plane-migrations
+ - image: docker.io/bitnami/dex:2.40.0-debian-12-r1
+ name: dex
+apiVersion: v2
+appVersion: 0.95.3
+dependencies:
+ - name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.x.x
+ - condition: postgresql.enabled
+ name: postgresql
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 15.x.x
+ - condition: development
+ name: vault
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 1.4.x
+description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
+home: https://bitnami.com
+icon: https://bitnami.com/assets/stacks/chainloop/img/chainloop-stack-220x234.png
+keywords:
+ - chainloop
+ - evidence-store
+ - supply-chain-security
+ - devops
+ - devsecops
+ - security
+ - compliance
+ - cyclonedx
+ - spdx
+ - sbom
+ - attestation
+ - oss-compliance
+ - in-toto
+ - slsa
+ - sbom-distribution
+ - open-source-licensing
+ - slsa-provenance
+ - metadata-platform
+ - sbom-discovery
+ - regulated-industry
+maintainers:
+ - name: Broadcom, Inc. All Rights Reserved.
+ url: https://github.com/bitnami/charts
+name: chainloop
+sources:
+ - https://github.com/bitnami/charts/tree/main/bitnami/chainloop
+ - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-control-plane
+ - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-control-plane-migrations
+ - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-artifact-cas
+ - https://github.com/chainloop-dev/chainloop
+version: 0.1.0
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
new file mode 100644
index 00000000000000..65537f0e192e7b
--- /dev/null
+++ b/bitnami/chainloop/README.md
@@ -0,0 +1,1026 @@
+
+
+# Chainloop Helm Chart
+
+[Chainloop](https://github.com/chainloop-dev/chainloop) is an open-source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
+
+## Introduction
+
+This chart bootstraps a [Chainloop](https://github.com/chainloop-dev/chainloop) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+- PV provisioner support in the underlying infrastructure (If built-in PostgreSQL is enabled)
+
+Compatibility with the following Ingress Controllers has been verified, other controllers might or might not work.
+
+- [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/)
+- [Traefik](https://doc.traefik.io/traefik/providers/kubernetes-ingress/)
+
+## Installing the Chart
+
+This chart comes in **two flavors**, [`standard`](#standard-default) and [`development`](#development).
+
+### Standard (default)
+
+![Deployment](https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/img/deployment.png)
+
+The default deployment mode relies on external dependencies to be available in advance.
+
+The Helm Chart in this mode includes
+
+- Chainloop [Controlplane](https://github.com/chainloop-dev/chainloop/tree/main/app/controlplane)
+- Chainloop [Artifact proxy](https://github.com/chainloop-dev/chainloop/tree/main/app/artifact-cas)
+- A PostgreSQL dependency enabled by default
+
+During installation, you'll need to provide
+
+- Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information)
+- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)
+- ECDSA (ES512) key-pair used for Controlplane to CAS Authentication
+
+Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair).
+
+#### Installation examples for standard mode
+
+> **NOTE**: **We do not recommend passing nor storing sensitive data in plain text**. For production, please consider having your overrides encrypted with tools such as [Sops](https://github.com/mozilla/sops), [Helm Secrets](https://github.com/jkroepke/helm-secrets) or [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets).
+
+Deploy Chainloop configured to talk to the bundled PostgreSQL an external OIDC IDp and a Vault instance.
+
+```console
+helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
+ # Open ID Connect (OIDC)
+ --set controlplane.auth.oidc.url=[OIDC URL] \
+ --set controlplane.auth.oidc.clientID=[clientID] \
+ --set controlplane.auth.oidc.clientSecret=[clientSecret] \
+ # Secrets backend
+ --set secretsBackend.vault.address="https://[vault address]:8200" \
+ --set secretsBackend.vault.token=[token] \
+ # Server Auth KeyPair
+ --set casJWTPrivateKey="$(cat private.ec.key)" \
+ --set casJWTPublicKey="$(cat public.pem)"
+```
+
+Deploy using AWS Secrets Manager instead of Vault
+
+```console
+helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
+ # Open ID Connect (OIDC)
+ # ...
+ # Secrets backend
+ --set secretsBackend.backend=awsSecretManager \
+ --set secretsBackend.awsSecretManager.accessKey=[AWS ACCESS KEY ID] \
+ --set secretsBackend.awsSecretManager.secretKey=[AWS SECRET KEY] \
+ --set secretsBackend.awsSecretManager.region=[AWS region]\
+ # Server Auth KeyPair
+ # ...
+```
+
+or using GCP Secret Manager
+
+```console
+helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
+ # Open ID Connect (OIDC)
+ # ...
+ # Secrets backend
+ --set secretsBackend.backend=gcpSecretManager \
+ --set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \
+ --set secretsBackend.gcpSecretManager.serviceAccountKey=[GCP Auth KEY] \
+ # Server Auth KeyPair
+ # ...
+```
+
+or Azure KeyVault
+
+```console
+helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
+ # Open ID Connect (OIDC)
+ # ...
+ # Secrets backend
+ --set secretsBackend.backend=azureKeyVault \
+ --set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \
+ --set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \
+ --set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \
+ --set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI]
+ # Server Auth KeyPair
+ # ...
+```
+
+Connect to an external PostgreSQL database instead
+
+```console
+helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
+ # Open ID Connect (OIDC)
+ # ...
+ # Secrets backend
+ # ...
+ # Server Auth KeyPair
+ # ...
+ # External DB setup
+ --set postgresql.enabled=false \
+ --set controlplane.externalDatabase.host=[DB_HOST] \
+ --set controlplane.externalDatabase.user=[DB_USER] \
+ --set controlplane.externalDatabase.password=[DB_PASSWORD] \
+ --set controlplane.externalDatabase.database=[DB_NAME]
+```
+
+### Development
+
+To provide an easy way to give Chainloop a try, this Helm Chart has an **opt-in development** mode that can be enabled with the flag `development=true`
+
+> IMPORTANT: DO NOT USE THIS MODE IN PRODUCTION
+
+![Deployment](https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/img/deployment-dev.png)
+
+The Helm Chart in this mode includes
+
+- Chainloop [Controlplane](https://github.com/chainloop-dev/chainloop/tree/main/app/controlplane)
+- Chainloop [Artifact proxy](https://github.com/chainloop-dev/chainloop/tree/main/app/artifact-cas)
+- A PostgreSQL dependency enabled by default
+- **A pre-configured Hashicorp Vault instance running in development mode (unsealed, in-memory, insecure)**
+- **A pre-configured Dex OIDC instance.**
+
+The pre-setup users configuration on the Chart include two users, the information is as follows:
+
+```text
+username: sarah@chainloop.local
+password: password
+
+username: john@chainloop.local
+password: password
+```
+
+The overall OIDC configuration can be found at the `values.yaml` file.
+
+> **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead.
+
+#### Installation examples for development mode
+
+Deploy by leveraging built-in Vault and PostgreSQL instances
+
+```console
+helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop --set development=true
+```
+
+## AirGap and Relocation Support
+
+This chart is compatible with relocation processes performed by the [Helm Relocation Plugin](https://github.com/vmware-labs/distribution-tooling-for-helm)
+
+This is a two-step process (wrap -> unwrap)
+
+- Pull all the container images and Helm chart and wrap them in an intermediate tarball.
+- Unwrap the tarball and push container images, update the Helm Chart with new image references and push it to the target registry.
+
+For example: to relocate to an Azure Container Registry
+
+```sh
+helm dt wrap oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop
+# 🎉 Helm chart wrapped into "chainloop-1.77.0.wrap.tgz"
+
+# Now you can take the tarball to an air-gapped environment and unwrap it like this
+helm dt unwrap chainloop-1.77.0.wrap.tgz oci://chainloop.azurecr.io --yes
+# Unwrapping Helm chart "chainloop-1.77.0.wrap.tgz"
+# ✔ All images pushed successfully
+# ✔ Helm chart successfully pushed
+#
+# 🎉 Helm chart unwrapped successfully: You can use it now by running "helm install oci://chainloop.azurecr.io/chart/chainloop --generate-name"
+```
+
+## How to guides
+
+### CAS upload speeds are slow, what can I do?
+
+Chainloop uses gRPC streaming to perform artifact uploads. This method is susceptible to being very slow on high latency scenarios. [#375](https://github.com/chainloop-dev/chainloop/issues/375)
+
+To improve upload speeds, you need to increase [http2 flow control buffer](https://httpwg.org/specs/rfc7540.html#DisableFlowControl). This can be done in NGINX by setting the following annotation in the ingress resource.
+
+```yaml
+# Improve upload speed by adding client buffering used by http2 control-flows
+nginx.ingress.kubernetes.io/client-body-buffer-size: "3M"
+
+```
+
+Note: For other reverse proxies, you'll need to find the equivalent configuration.
+
+### Generate a ECDSA key-pair
+
+An ECDSA key-pair is required to perform authentication between the control-plane and the Artifact CAS
+
+You can generate both the private and public keys by running
+
+```bash
+# Private Key (private.ec.key)
+openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key
+# Public Key (public.pem)
+openssl ec -in private.ec.key -pubout -out public.pem
+```
+
+Then, you can either provide it in a custom `values.yaml` file override
+
+```yaml
+casJWTPrivateKey: |-
+ -----BEGIN EC PRIVATE KEY-----
+ REDACTED
+ -----END EC PRIVATE KEY-----
+casJWTPublicKey: |
+ -----BEGIN PUBLIC KEY-----
+ REDACTED
+ -----END PUBLIC KEY-----
+```
+
+or as shown before, provide them as imperative inputs during Helm Install/Upgrade `--set casJWTPrivateKey="$(cat private.ec.key)"--set casJWTPublicKey="$(cat public.pem)"`
+
+### Enable a custom domain with TLS
+
+Chainloop uses three endpoints so we'll need to enable the ingress resource for each one of them.
+
+See below an example of a `values.yaml` override
+
+```yaml
+controlplane:
+ ingress:
+ enabled: true
+ hostname: cp.chainloop.dev
+
+ ingressAPI:
+ enabled: true
+ hostname: api.cp.chainloop.dev
+
+cas:
+ ingressAPI:
+ enabled: true
+ hostname: api.cas.chainloop.dev
+```
+
+A complete setup that uses
+
+- [NGINX as ingress Controller](https://kubernetes.github.io/ingress-nginx)
+- [cert-manager](https://cert-manager.io/) as TLS provider
+
+would look like
+
+```yaml
+controlplane:
+ ingress:
+ enabled: true
+ tls: true
+ ingressClassName: nginx
+ hostname: cp.chainloop.dev
+ annotations:
+ # This depends on your configured issuer
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+
+ ingressAPI:
+ enabled: true
+ tls: true
+ ingressClassName: nginx
+ hostname: api.cp.chainloop.dev
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+
+cas:
+ ingressAPI:
+ enabled: true
+ tls: true
+ ingressClassName: nginx
+ hostname: api.cas.chainloop.dev
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ # limit the size of the files that go through the proxy
+ # 0 means to not check the size of the request so we do not get 413 error.
+ # For now we are going to set a limit on 100MB files
+ # Even though we send data in chunks of 1MB, this size refers to all the data sent in the streaming connection
+ nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+```
+
+Remember, once you have set up your domain, make sure you use the [CLI pointing](#configure-chainloop-cli-to-point-to-your-instance) to it instead of the defaults.
+
+### Connect to an external PostgreSQL database
+
+```yaml
+# Disable built-in DB
+postgresql:
+ enabled: false
+
+# Provide with external connection
+controlplane:
+ externalDatabase:
+ host: 1.2.3.4
+ port: 5432
+ user: chainloop
+ password: [REDACTED]
+ database: chainloop-controlplane-prod
+```
+
+Alternatively, if you are using [Google Cloud SQL](https://cloud.google.com/sql) and you are running Chainloop in Google Kubernetes Engine. You can connect instead via [a proxy](https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#proxy)
+
+This method can also be easily enabled in this chart by doing
+
+```yaml
+# Disable built-in DB
+postgresql:
+ enabled: false
+
+# Provide with external connection
+controlplane:
+ sqlProxy:
+ # Inject the proxy sidecar
+ enabled: true
+ ## @param controlplane.sqlProxy.connectionName Google Cloud SQL connection name
+ connectionName: "my-sql-instance"
+ # Then you'll need to configure your DB settings to use the proxy IP address
+ externalDatabase:
+ host: [proxy-sidecar-ip-address]
+ port: 5432
+ user: chainloop
+ password: [REDACTED]
+ database: chainloop-controlplane-prod
+```
+
+### Use AWS secrets manager
+
+Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file
+
+```yaml
+secretsBackend:
+ backend: awsSecretManager
+ awsSecretManager:
+ accessKey: [KEY]
+ secretKey: [SECRET]
+ region: [REGION]
+```
+
+### Use GCP secret manager
+
+Or [Google Cloud Secret Manager](https://cloud.google.com/secret-manager) with the following settings
+
+```yaml
+secretsBackend:
+ backend: gcpSecretManager
+ gcpSecretManager:
+ projectId: [PROJECT_ID]
+ serviceAccountKey: [KEY]
+```
+
+### Use Azure KeyVault
+
+[Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault/) is also supported
+
+```yaml
+secretsBackend:
+ backend: azureKeyVault
+ azureKeyVault:
+ tenantID: [TENANT_ID] # Active Directory Tenant ID
+ clientID: [CLIENT_ID] # Registered application / service principal client ID
+ clientSecret: [CLIENT_SECRET] # Service principal client secret
+ vaultURI: [VAULT URI] # Azure Key Vault URL
+
+```
+
+### Deploy in keyless mode with file-based CA
+
+*This feature is experimental, as it doesn't yet support verification.*
+
+You can enable keyless signing mode by providing a custom Certificate Authority.
+For example, these commands generate a self-signed certificate with an RSA private key of length 4096 and AES256 encryption with a validity of 365 days:
+
+```bash
+> openssl genrsa -aes256 -out ca.key 4096
+...
+> openssl req -new -x509 -sha256 -key ca.key -out ca.crt -days 365
+...
+```
+
+Then you can configure your deployment values with:
+
+```yaml
+controlplane:
+ keylessSigning:
+ enabled: true
+ backend: fileCA
+ fileCA:
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ ...
+ -----END ENCRYPTED PRIVATE KEY-----
+ keyPass: "REDACTED"
+```
+
+### Insert custom Certificate Authorities (CAs)
+
+In some scenarios, you might want to add custom Certificate Authorities to the Chainloop deployment. Like in the instance where your OIDC provider uses a self-signed certificate. To do so, add the PEM-encoded CA certificate to the `customCAs` list in either `controlplane` or `cas` sections, in your `values.yaml` file like in the example below.
+
+```yaml
+ customCAs:
+ - |-
+ -----BEGIN CERTIFICATE-----
+ MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
+ BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+ REDACTED
+ 5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
+ 7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
+ -----END CERTIFICATE-----
+```
+
+### Send exceptions to Sentry
+
+You can configure different sentry projects for both the controlplane and the artifact CAS
+
+```yaml
+# for controlplane
+controlplane:
+ ...
+ sentry:
+ enabled: true
+ dsn: [your secret sentry project DSN URL]
+ environment: production
+# Artifact CAS
+cas:
+ ...
+ sentry:
+ enabled: true
+ dsn: [your secret sentry project DSN URL]
+ environment: production
+```
+
+### Enable Prometheus Monitoring in GKE
+
+Chainloop exposes Prometheus compatible `/metrics` endpoints that can be easily scraped by a Prometheus data collector Server.
+
+Google Cloud has a [managed Prometheus offering](https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed) that could be easily enabled by setting `--set GKEMonitoring.enabled=true`. This will inject the required `PodMonitoring` custom resources.
+
+### Configure Chainloop CLI to point to your instance
+
+Once you have your instance of Chainloop deployed, you need to configure the [CLI](https://github.com/chainloop-dev/chainloop/releases) to point to both the CAS and the Control plane gRPC APIs like this.
+
+```bash
+chainloop config save \
+ --control-plane my-controlplane.acme.com:443 \
+ --artifact-cas cas.acme.com:443
+```
+
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
+| `development` | Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | `false` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------- | -------------------------------------------------- | ------- |
+| `kubeVersion` | Override Kubernetes version | `""` |
+| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
+| `commonLabels` | Labels to add to all deployed objects | `{}` |
+| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
+| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
+| `rbac.rules` | Custom RBAC rules to set | `[]` |
+
+### Secrets Backend
+
+| Name | Description | Value |
+| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ----------- |
+| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") | `vault` |
+| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` |
+| `secretsBackend.vault.address` | Vault address | `""` |
+| `secretsBackend.vault.token` | Vault authentication token | `""` |
+| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | `""` |
+| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | `""` |
+| `secretsBackend.awsSecretManager.region` | AWS Secrets Manager Region | `""` |
+| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | `""` |
+| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | `""` |
+| `secretsBackend.azureKeyVault.tenantID` | Active Directory Tenant ID | `""` |
+| `secretsBackend.azureKeyVault.clientID` | Registered application / service principal client ID | `""` |
+| `secretsBackend.azureKeyVault.clientSecret` | Service principal client secret | `""` |
+| `secretsBackend.azureKeyVault.vaultURI` | Azure Key Vault URL | `""` |
+
+### Authentication
+
+| Name | Description | Value |
+| ------------------ | --------------------------------------------------------------------- | ----- |
+| `casJWTPrivateKey` | ECDSA (ES512) private key used for Controlplane to CAS Authentication | `""` |
+| `casJWTPublicKey` | ECDSA (ES512) public key | `""` |
+
+### Control Plane
+
+| Name | Description | Value |
+| ---------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- |
+| `controlplane.replicaCount` | Number of replicas | `2` |
+| `controlplane.image.registry` | image registry | `REGISTRY_NAME` |
+| `controlplane.image.repository` | image repository | `REPOSITORY_NAME/chainloop-control-plane` |
+| `controlplane.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `controlplane.image.pullPolicy` | image pull policy | `IfNotPresent` |
+| `controlplane.image.pullSecrets` | image pull secrets | `[]` |
+| `controlplane.containerPorts.http` | controlplane HTTP container port | `8000` |
+| `controlplane.containerPorts.grpc` | controlplane gRPC container port | `9000` |
+| `controlplane.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` |
+| `controlplane.tls.existingSecret` | Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. | `""` |
+| `controlplane.existingConfigMap` | | `""` |
+| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` |
+| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | |
+| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` |
+| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` |
+| `controlplane.onboarding` | List of organizations to automatically onboard when a user logs in | `[]` |
+| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | `[]` |
+| `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` |
+| `controlplane.migration.image.registry` | image registry | `REGISTRY_NAME` |
+| `controlplane.migration.image.repository` | image repository | `REPOSITORY_NAME/chainloop-control-plane-migrations` |
+| `controlplane.migration.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `controlplane.migration.image.pullPolicy` | image pull policy | `IfNotPresent` |
+| `controlplane.migration.image.pullSecrets` | image pull secrets | `[]` |
+| `controlplane.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `controlplane.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
+| `controlplane.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
+| `controlplane.serviceAccount.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` |
+
+### Control Plane Database
+
+| Name | Description | Value |
+| ---------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------ |
+| `controlplane.externalDatabase` | External PostgreSQL configuration. These values are only used when postgresql.enabled is set to false | |
+| `controlplane.externalDatabase.host` | Database host | `""` |
+| `controlplane.externalDatabase.port` | Database port number | `5432` |
+| `controlplane.externalDatabase.user` | Non-root username | `""` |
+| `controlplane.externalDatabase.database` | Database name | `""` |
+| `controlplane.externalDatabase.password` | Password for the non-root username | `""` |
+
+### Control Plane Authentication
+
+| Name | Description | Value |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ----- |
+| `controlplane.auth.passphrase` | Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation | `""` |
+| `controlplane.auth.oidc.url` | Full authentication path, it should match the issuer URL of the Identity provider (IDp) | `""` |
+| `controlplane.auth.oidc.clientID` | OIDC IDp clientID | `""` |
+| `controlplane.auth.oidc.clientSecret` | OIDC IDp clientSecret | `""` |
+| `controlplane.auth.oidc.loginURLOverride` | Optional OIDC login URL override, useful to point to custom login pages | `""` |
+| `controlplane.auth.oidc.externalURL` | Optional External URL for the controlplane to the outside world | `""` |
+| `controlplane.auth.allowList` | Content of the allow_list.yaml config file | `{}` |
+| `controlplane.auth.allowList.rules` | List of domains or emails to allow | |
+| `controlplane.auth.allowList.selectedRoutes` | List of selected routes to allow. If not set it applies to all routes | |
+| `controlplane.auth.allowList.customMessage` | Custom message to display when a user is not allowed | |
+
+### Control Plane Networking
+
+| Name | Description | Value |
+| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `controlplane.service.type` | Service type | `ClusterIP` |
+| `controlplane.service.ports.http` | controlplane service HTTP port | `80` |
+| `controlplane.service.nodePorts.http` | Node port for HTTP | `""` |
+| `controlplane.service.nodePorts.https` | Node port for HTTPS | `""` |
+| `controlplane.service.clusterIP` | controlplane service Cluster IP | `""` |
+| `controlplane.service.loadBalancerIP` | controlplane service Load Balancer IP | `""` |
+| `controlplane.service.loadBalancerSourceRanges` | controlplane service Load Balancer sources | `[]` |
+| `controlplane.service.externalTrafficPolicy` | controlplane service external traffic policy | `Cluster` |
+| `controlplane.service.annotations` | Additional custom annotations for controlplane service | `{}` |
+| `controlplane.service.extraPorts` | Extra ports to expose in controlplane service (normally used with the `sidecars` value) | `[]` |
+| `controlplane.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `controlplane.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `controlplane.serviceAPI.type` | Service type | `ClusterIP` |
+| `controlplane.serviceAPI.ports.http` | controlplane service HTTP port | `80` |
+| `controlplane.serviceAPI.ports.https` | controlplane service HTTPS port | `443` |
+| `controlplane.serviceAPI.nodePorts.http` | Node port for HTTP | `""` |
+| `controlplane.serviceAPI.nodePorts.https` | Node port for HTTPS | `""` |
+| `controlplane.serviceAPI.clusterIP` | controlplane service Cluster IP | `""` |
+| `controlplane.serviceAPI.loadBalancerIP` | controlplane service Load Balancer IP | `""` |
+| `controlplane.serviceAPI.loadBalancerSourceRanges` | controlplane service Load Balancer sources | `[]` |
+| `controlplane.serviceAPI.externalTrafficPolicy` | controlplane service external traffic policy | `Cluster` |
+| `controlplane.serviceAPI.annotations` | Additional custom annotations for controlplane service | |
+| `controlplane.serviceAPI.extraPorts` | Extra ports to expose in controlplane service (normally used with the `sidecars` value) | `[]` |
+| `controlplane.serviceAPI.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `controlplane.serviceAPI.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `controlplane.ingress.enabled` | Enable ingress record generation for controlplane | `false` |
+| `controlplane.ingress.pathType` | Ingress path type | `ImplementationSpecific` |
+| `controlplane.ingress.hostname` | Default host for the ingress record | `cp.dev.local` |
+| `controlplane.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
+| `controlplane.ingress.path` | Default path for the ingress record | `/` |
+| `controlplane.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
+| `controlplane.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` |
+| `controlplane.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
+| `controlplane.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
+| `controlplane.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
+| `controlplane.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
+| `controlplane.ingress.secrets` | Custom TLS certificates as secrets | `[]` |
+| `controlplane.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
+| `controlplane.ingressAPI.enabled` | Enable ingress record generation for controlplane | `false` |
+| `controlplane.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` |
+| `controlplane.ingressAPI.hostname` | Default host for the ingress record | `api.cp.dev.local` |
+| `controlplane.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
+| `controlplane.ingressAPI.path` | Default path for the ingress record | `/` |
+| `controlplane.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | |
+| `controlplane.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` |
+| `controlplane.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
+| `controlplane.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
+| `controlplane.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
+| `controlplane.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
+| `controlplane.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` |
+| `controlplane.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` |
+
+### Controlplane Misc
+
+| Name | Description | Value |
+| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `controlplane.resourcesPreset` | Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `micro` |
+| `controlplane.resources` | Set controlplane container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `controlplane.podSecurityContext.enabled` | Enable controlplane pods' Security Context | `true` |
+| `controlplane.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for controlplane pods | `Always` |
+| `controlplane.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for controlplane pods | `[]` |
+| `controlplane.podSecurityContext.supplementalGroups` | Set filesystem extra groups for controlplane pods | `[]` |
+| `controlplane.podSecurityContext.fsGroup` | Set fsGroup in controlplane pods' Security Context | `1001` |
+| `controlplane.containerSecurityContext.enabled` | Enabled controlplane container' Security Context | `true` |
+| `controlplane.containerSecurityContext.seLinuxOptions` | Set SELinux options in controlplane container | `{}` |
+| `controlplane.containerSecurityContext.runAsUser` | Set runAsUser in controlplane container' Security Context | `1001` |
+| `controlplane.containerSecurityContext.runAsGroup` | Set runAsGroup in controlplane container' Security Context | `1001` |
+| `controlplane.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in controlplane container' Security Context | `true` |
+| `controlplane.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in controlplane container' Security Context | `true` |
+| `controlplane.containerSecurityContext.privileged` | Set privileged in controlplane container' Security Context | `false` |
+| `controlplane.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in controlplane container' Security Context | `false` |
+| `controlplane.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in controlplane container | `["ALL"]` |
+| `controlplane.containerSecurityContext.seccompProfile.type` | Set seccomp profile in controlplane container | `RuntimeDefault` |
+| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` |
+| `controlplane.sentry.dsn` | DSN endpoint | `""` |
+| `controlplane.sentry.environment` | Environment tag | `production` |
+
+### Keyless signing configuration
+
+| Name | Description | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | --------------- |
+| `controlplane.keylessSigning.enabled` | Activates or deactivates the feature | `false` |
+| `controlplane.keylessSigning.backend` | The backend to use. Currently only "fileCA" and "ejbcaCA" are supported | `fileCA` |
+| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` |
+| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` |
+| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` |
+| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service ("https://host/ejbca") | `""` |
+| `controlplane.keylessSigning.ejbcaCA.clientKey` | PEM-encoded the private key for EJBCA cert authentication | `""` |
+| `controlplane.keylessSigning.ejbcaCA.clientCert` | PEM-encoded certificate for EJBCA cert authentication | `""` |
+| `controlplane.keylessSigning.ejbcaCA.certProfileName` | Name of the certificate profile to use in EJBCA | `""` |
+| `controlplane.keylessSigning.ejbcaCA.endEntityProfileName` | Name of the Entity Profile to use in EJBCA | `""` |
+| `controlplane.keylessSigning.ejbcaCA.caName` | Name of the CA issuer to use in EJBCA | `""` |
+| `controlplane.customCAs` | List of custom CA certificates content | `[]` |
+| `controlplane.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` |
+| `controlplane.hostAliases` | controlplane pods host aliases | `[]` |
+| `controlplane.deploymentAnnotations` | Annotations for controlplane deployment | `{}` |
+| `controlplane.podLabels` | Extra labels for controlplane pods | `{}` |
+| `controlplane.podAffinityPreset` | Pod affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `controlplane.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `controlplane.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `controlplane.nodeAffinityPreset.key` | Node label key to match. Ignored if `controlplane.affinity` is set | `""` |
+| `controlplane.nodeAffinityPreset.values` | Node label values to match. Ignored if `controlplane.affinity` is set | `[]` |
+| `controlplane.affinity` | Affinity for controlplane pods assignment | `{}` |
+| `controlplane.nodeSelector` | Node labels for controlplane pods assignment | `{}` |
+| `controlplane.tolerations` | Tolerations for controlplane pods assignment | `[]` |
+| `controlplane.updateStrategy.type` | controlplane deployment strategy type | `RollingUpdate` |
+| `controlplane.priorityClassName` | controlplane pods' priorityClassName | `""` |
+| `controlplane.topologySpreadConstraints` | Topology Spread Constraints for controlplane pod assignment spread across your cluster among failure-domains | `[]` |
+| `controlplane.schedulerName` | Name of the k8s scheduler (other than default) for controlplane pods | `""` |
+| `controlplane.terminationGracePeriodSeconds` | Seconds controlplane pods need to terminate gracefully | `""` |
+| `controlplane.lifecycleHooks` | for controlplane containers to automate configuration before or after startup | `{}` |
+| `controlplane.extraEnvVars` | Array with extra environment variables to add to controlplane containers | `[]` |
+| `controlplane.extraEnvVarsCM` | Name of existing ConfigMap containing 
extra env vars for controlplane containers | `""` | +| `controlplane.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for controlplane containers | `""` | +| `controlplane.extraVolumes` | Optionally specify extra list of additional volumes for the controlplane pods | `[]` | +| `controlplane.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the controlplane containers | `[]` | +| `controlplane.sidecars` | Add additional sidecar containers to the controlplane pods | `[]` | +| `controlplane.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `controlplane.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `controlplane.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `controlplane.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `controlplane.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `controlplane.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `controlplane.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `controlplane.initContainers` | Add additional init containers to the controlplane pods | `[]` | +| `controlplane.autoscaling.vpa.enabled` | Enable VPA for %%MAIN_CONTAINER_NAME%% pods | `false` | +| `controlplane.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | +| `controlplane.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. 
Defaults to cpu and memory | `[]` | +| `controlplane.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | +| `controlplane.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | +| `controlplane.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | +| `controlplane.autoscaling.hpa.enabled` | Enable HPA for controlplane pods | `false` | +| `controlplane.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | +| `controlplane.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | +| `controlplane.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | +| `controlplane.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | +| `controlplane.pdb.enabled` | Create Pod Disruption Budget for the controlplane component | `false` | +| `controlplane.pdb.minAvailable` | Sets the min number of pods availables for the Pod Disruption Budget | `""` | +| `controlplane.pdb.maxUnavailable` | Sets the max number of pods unavailable for the Pod Disruption Budget | `""` | + +### Artifact Content Addressable (CAS) API + +| Name | Description | Value | +| ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | +| `cas.replicaCount` | Number of replicas | `2` | +| `cas.image.registry` | image registry | `REGISTRY_NAME` | +| `cas.image.repository` | image repository | `REPOSITORY_NAME/chainloop-artifact-cas` | +| `cas.image.digest` | image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `cas.image.pullPolicy` | image pull policy | `IfNotPresent` | +| `cas.image.pullSecrets` | image pull secrets | `[]` | +| `cas.containerPorts.http` | controlplane HTTP container port | `8000` | +| `cas.containerPorts.grpc` | controlplane gRPC container port | `9000` | +| `cas.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` | +| `cas.tls.existingSecret` | Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. | `""` | +| `cas.existingConfigMap` | | `""` | +| `cas.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `cas.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `cas.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. 
| `""` | +| `cas.serviceAccount.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` | + +### CAS Networking + +| Name | Description | Value | +| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `cas.service.type` | Service type | `ClusterIP` | +| `cas.service.ports.http` | cas service HTTP port | `80` | +| `cas.service.ports.https` | cas service HTTPS port | `443` | +| `cas.service.nodePorts.http` | Node port for HTTP | `""` | +| `cas.service.nodePorts.https` | Node port for HTTPS | `""` | +| `cas.service.clusterIP` | cas service Cluster IP | `""` | +| `cas.service.loadBalancerIP` | cas service Load Balancer IP | `""` | +| `cas.service.loadBalancerSourceRanges` | cas service Load Balancer sources | `[]` | +| `cas.service.externalTrafficPolicy` | cas service external traffic policy | `Cluster` | +| `cas.service.annotations` | Additional custom annotations for cas service | `{}` | +| `cas.service.extraPorts` | Extra ports to expose in cas service (normally used with the `sidecars` value) | `[]` | +| `cas.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `cas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `cas.serviceAPI.type` | Service type | `ClusterIP` | +| `cas.serviceAPI.ports.http` | cas service HTTP port | `80` | +| `cas.serviceAPI.ports.https` | cas service HTTPS port | `443` | +| `cas.serviceAPI.nodePorts.http` | Node port for HTTP | `""` | +| `cas.serviceAPI.nodePorts.https` | Node port for HTTPS | `""` | +| `cas.serviceAPI.clusterIP` | cas service Cluster IP | `""` | +| `cas.serviceAPI.loadBalancerIP` | cas service Load Balancer IP | `""` | +| `cas.serviceAPI.loadBalancerSourceRanges` | cas service Load Balancer sources | `[]` | +| `cas.serviceAPI.externalTrafficPolicy` 
| cas service external traffic policy | `Cluster` | +| `cas.serviceAPI.annotations` | Additional custom annotations for cas service | | +| `cas.serviceAPI.extraPorts` | Extra ports to expose in cas service (normally used with the `sidecars` value) | `[]` | +| `cas.serviceAPI.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `cas.serviceAPI.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `cas.ingress.enabled` | Enable ingress record generation for controlplane | `false` | +| `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` | +| `cas.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `cas.ingress.path` | Default path for the ingress record | `/` | +| `cas.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | +| `cas.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `cas.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `cas.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `cas.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `cas.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `cas.ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `cas.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `cas.ingressAPI.enabled` | Enable ingress record generation for controlplane | `false` | +| `cas.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | +| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cas.dev.local` | +| `cas.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `cas.ingressAPI.path` | Default path for the ingress record | `/` | +| `cas.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| | +| `cas.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `cas.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `cas.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `cas.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `cas.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `cas.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | +| `cas.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | + +### CAS Misc + +| Name | Description | Value | +| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | +| `cas.sentry.dsn` | DSN endpoint | `""` | +| `cas.sentry.environment` | Environment tag | `production` | +| `cas.customCAs` | List of custom CA certificates content | `[]` | +| `cas.resourcesPreset` | Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `micro` | +| `cas.resources` | Set cas container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `cas.podSecurityContext.enabled` | Enable cas pods' Security Context | `true` | +| `cas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for cas pods | `Always` | +| `cas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for cas pods | `[]` | +| `cas.podSecurityContext.supplementalGroups` | Set filesystem extra groups for cas pods | `[]` | +| `cas.podSecurityContext.fsGroup` | Set fsGroup in cas pods' Security Context | `1001` | +| `cas.containerSecurityContext.enabled` | Enabled cas container' Security Context | `true` | +| `cas.containerSecurityContext.seLinuxOptions` | Set SELinux options in cas container | `{}` | +| `cas.containerSecurityContext.runAsUser` | Set runAsUser in cas container' Security Context | `1001` | +| `cas.containerSecurityContext.runAsGroup` | Set runAsGroup in cas container' Security Context | `1001` | +| `cas.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in cas container' Security Context | `true` | +| `cas.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in cas container' Security Context | `true` | +| `cas.containerSecurityContext.privileged` | Set privileged in cas container' Security Context | `false` | +| `cas.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in cas container' Security Context | `false` | +| `cas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in cas container | `["ALL"]` | +| `cas.containerSecurityContext.seccompProfile.type` | Set seccomp profile in cas container | `RuntimeDefault` | +| `cas.automountServiceAccountToken` | Mount Service Account token in cas pods | `false` | +| `cas.hostAliases` | cas pods host aliases | `[]` | +| `cas.deploymentAnnotations` | Annotations for cas deployment | `{}` | 
+| `cas.podLabels` | Extra labels for cas pods | `{}` | +| `cas.podAffinityPreset` | Pod affinity preset. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `cas.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `cas.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `cas.nodeAffinityPreset.key` | Node label key to match. Ignored if `cas.affinity` is set | `""` | +| `cas.nodeAffinityPreset.values` | Node label values to match. Ignored if `cas.affinity` is set | `[]` | +| `cas.affinity` | Affinity for cas pods assignment | `{}` | +| `cas.nodeSelector` | Node labels for cas pods assignment | `{}` | +| `cas.tolerations` | Tolerations for cas pods assignment | `[]` | +| `cas.updateStrategy.type` | cas deployment strategy type | `RollingUpdate` | +| `cas.priorityClassName` | cas pods' priorityClassName | `""` | +| `cas.topologySpreadConstraints` | Topology Spread Constraints for cas pod assignment spread across your cluster among failure-domains | `[]` | +| `cas.schedulerName` | Name of the k8s scheduler (other than default) for cas pods | `""` | +| `cas.terminationGracePeriodSeconds` | Seconds cas pods need to terminate gracefully | `""` | +| `cas.lifecycleHooks` | for cas containers to automate configuration before or after startup | `{}` | +| `cas.extraEnvVars` | Array with extra environment variables to add to cas containers | `[]` | +| `cas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for cas containers | `""` | +| `cas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for cas containers | `""` | +| `cas.extraVolumes` | Optionally specify extra list of additional volumes for the cas pods | `[]` | +| `cas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the cas containers | `[]` | +| `cas.sidecars` 
| Add additional sidecar containers to the cas pods | `[]` | +| `cas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `cas.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `cas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `cas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `cas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `cas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `cas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `cas.initContainers` | Add additional init containers to the cas pods | `[]` | +| `cas.autoscaling.vpa.enabled` | Enable VPA for %%MAIN_CONTAINER_NAME%% pods | `false` | +| `cas.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | +| `cas.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. 
Defaults to cpu and memory | `[]` | +| `cas.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | +| `cas.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | +| `cas.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | +| `cas.autoscaling.hpa.enabled` | Enable HPA for cas pods | `false` | +| `cas.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | +| `cas.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | +| `cas.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | +| `cas.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | +| `cas.pdb.enabled` | Create Pod Disruption Budget for the cas component | `false` | +| `cas.pdb.minAvailable` | Sets the min number of pods available for the Pod Disruption Budget | `""` | +| `cas.pdb.maxUnavailable` | Sets the max number of pods unavailable for the Pod Disruption Budget | `""` | + +### Dependencies + +| Name | Description | Value | +| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. 
Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} +disable_mlock = true +ui = true +service_registration "kubernetes" {}` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. 
Default: [::]:8200 | `[::]:8200` | +| `dex.image.registry` | Dex image registry | `REGISTRY_NAME` | +| `dex.image.repository` | Dex image repository | `REPOSITORY_NAME/dex` | +| `dex.image.pullPolicy` | Dex image pull policy | `IfNotPresent` | +| `dex.image.pullSecrets` | Dex image pull secrets | `[]` | +| `dex.image.debug` | Enable Dex image debug mode | `false` | +| `dex.replicaCount` | Number of Dex replicas to deploy | `1` | +| `dex.startupProbe.enabled` | Enable startupProbe on Dex nodes | `true` | +| `dex.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `dex.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `dex.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `dex.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` | +| `dex.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `dex.livenessProbe.enabled` | Enable livenessProbe on Dex nodes | `true` | +| `dex.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `dex.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `dex.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `dex.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `dex.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `dex.readinessProbe.enabled` | Enable readinessProbe on Dex nodes | `true` | +| `dex.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | +| `dex.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `dex.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `dex.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `dex.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `dex.customStartupProbe` | Custom 
startupProbe that overrides the default one | `{}` | +| `dex.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `dex.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `dex.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). | `nano` | +| `dex.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `dex.podSecurityContext.enabled` | Enabled Dex pods' Security Context | `true` | +| `dex.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `dex.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `dex.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `dex.podSecurityContext.fsGroup` | Set Dex pod's Security Context fsGroup | `1001` | +| `dex.containerSecurityContext.enabled` | Enabled Dex containers' Security Context | `true` | +| `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `dex.containerSecurityContext.runAsUser` | Set Dex containers' Security Context runAsUser | `1001` | +| `dex.containerSecurityContext.runAsGroup` | Set Dex containers' Security Context runAsGroup | `1001` | +| `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` | +| `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `true` | +| `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` | +| `dex.containerSecurityContext.capabilities.drop` | Set Chainloop containers' Security Context capabilities to be dropped | 
`["ALL"]` | +| `dex.containerSecurityContext.privileged` | Set dex container's Security Context privileged | `false` | +| `dex.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `dex.service.type` | Dex service type | `ClusterIP` | +| `dex.service.ports.http` | Dex HTTP service port | `5556` | +| `dex.service.ports.grpc` | Dex grpc service port | `5557` | +| `dex.service.nodePorts.http` | HTTP node port for the Dex service | `""` | +| `dex.service.nodePorts.grpc` | gRPC node port for the Dex service | `""` | +| `dex.service.clusterIP` | Dex service Cluster IP | `""` | +| `dex.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | +| `dex.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | +| `dex.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | +| `dex.service.annotations` | Additional custom annotations for Dex service | `{}` | +| `dex.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `dex.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `dex.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `dex.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `dex.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `dex.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `dex.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | +| `dex.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `dex.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | +| `dex.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `dex.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `dex.containerPorts.http` | Dex container HTTP port | `5556` | +| `dex.containerPorts.grpc` | Dex gRPC port | `5557` | +| `dex.containerPorts.metrics` | Dex metrics port | `5558` | +| `dex.metrics.enabled` | Enable metrics service for Dex | `false` | +| `dex.metrics.service.type` | Dex service type | `ClusterIP` | +| `dex.metrics.service.ports.metrics` | Dex metrics service port | `5558` | +| `dex.metrics.service.nodePorts.metrics` | Node port for the Dex service | `""` | +| `dex.metrics.service.clusterIP` | Dex service metrics service Cluster IP | `""` | +| `dex.metrics.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | +| `dex.metrics.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | +| `dex.metrics.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | +| `dex.metrics.service.annotations` | Additional custom annotations for Dex service | `{}` | +| `dex.metrics.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `dex.metrics.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `dex.metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `dex.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| 
`dex.metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `dex.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `dex.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `10s` | +| `dex.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `dex.metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `dex.metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `dex.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `dex.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Dex | `true` | +| `dex.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `dex.serviceAccount.automountServiceAccountToken` | Automount service account token for the Dex service account | `false` | +| `dex.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `dex.command` | Override default container command (useful when using custom images) | `[]` | +| `dex.args` | Override default container args (useful when using custom images) | `[]` | +| `dex.extraArgs` | Add extra args to the default args for Dex | `[]` | +| `dex.automountServiceAccountToken` | Mount Service Account token in pod | `true` | +| `dex.hostAliases` | Dex pods host aliases | `[]` | +| `dex.podLabels` | Extra labels for Dex pods | `{}` | +| `dex.podAnnotations` | Annotations for Dex pods | `{}` | +| `dex.podAffinityPreset` | Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dex.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `dex.affinity` is set. 
Allowed values: `soft` or `hard` | `soft` | +| `dex.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dex.nodeAffinityPreset.key` | Node label key to match. Ignored if `dex.affinity` is set | `""` | +| `dex.nodeAffinityPreset.values` | Node label values to match. Ignored if `dex.affinity` is set | `[]` | +| `dex.affinity` | Affinity for Dex pods assignment | `{}` | +| `dex.nodeSelector` | Node labels for Dex pods assignment | `{}` | +| `dex.tolerations` | Tolerations for Dex pods assignment | `[]` | +| `dex.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `dex.shareProcessNamespace` | Enable shared process namespace in a pod. | `false` | +| `dex.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `dex.updateStrategy.type` | Dex statefulset strategy type | `RollingUpdate` | +| `dex.priorityClassName` | Dex pods' priorityClassName | `""` | +| `dex.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `dex.lifecycleHooks` | for the Dex container(s) to automate configuration before or after startup | `{}` | +| `dex.extraEnvVars` | Array with extra environment variables to add to Dex nodes | `[]` | +| `dex.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Dex nodes | `""` | +| `dex.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Dex nodes | `""` | +| `dex.extraVolumes` | Optionally specify extra list of additional volumes for the Dex pod(s) | `[]` | +| `dex.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Dex container(s) | `[]` | +| `dex.sidecars` | Add additional sidecar containers to the Dex pod(s) | `[]` | +| `dex.initContainers` | Add additional init containers to the Dex pod(s) | `[]` | +| `dex.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `dex.pdb.minAvailable` | Minimum 
number/percentage of pods that should remain scheduled | `""` | +| `dex.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. | `""` | + +## License + +Copyright © 2023 The Chainloop Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0) + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/bitnami/chainloop/templates/NOTES.txt b/bitnami/chainloop/templates/NOTES.txt new file mode 100644 index 00000000000000..5504f2d54f41b9 --- /dev/null +++ b/bitnami/chainloop/templates/NOTES.txt 
@@ -0,0 +1,66 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.development }} + +########################################################################### + DEVELOPMENT MODE +########################################################################### + +██████╗ ███████╗██╗ ██╗ █████╗ ██████╗ ███████╗ +██╔══██╗██╔════╝██║ ██║██╔══██╗██╔══██╗██╔════╝ +██████╔╝█████╗ ██║ █╗ ██║███████║██████╔╝█████╗ +██╔══██╗██╔══╝ ██║███╗██║██╔══██║██╔══██╗██╔══╝ +██████╔╝███████╗╚███╔███╔╝██║ ██║██║ ██║███████╗ +╚═════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚══════╝ + +Instance running in development mode! + +Development mode, by default + +- Runs an insecure, unsealed, non-persistent instance of Vault +- Is configured with development authentication keys + +########################################################################### +Pre-configured static users +########################################################################### + +Development configuration comes with two pre-setup users: +- username: sarah@chainloop.local +- password: password + +- username: john@chainloop.local +- password: password + +DO NOT USE IT FOR PRODUCTION PURPOSES + +{{- end }} + +########################################################################### + CONFIGURE CLI +########################################################################### + +Configure the CLI to point to this instance, for example + + chainloop --insecure config save \ + --control-plane {{ include "chainloop.controlplane.grpc_url" . }} \ + --artifact-cas {{ include "chainloop.cas.grpc_url" . 
}} + +Refer to this link for more information +https://docs.chainloop.dev/getting-started/installation#configure-cli-optional + +########################################################################### + USEFUL LINKS +########################################################################### + +- GitHub repository: https://github.com/chainloop-dev/chainloop +- Documentation: https://docs.chainloop.dev + + +{{- include "common.warnings.rollingTag" .Values.controlplane.image }} +{{- include "common.warnings.rollingTag" .Values.cas.image }} +{{- include "common.warnings.rollingTag" .Values.controlplane.migration.image }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.controlplane.image .Values.cas.image .Values.controlplane.migration.image) "context" $) }} diff --git a/bitnami/chainloop/templates/_helpers.tpl b/bitnami/chainloop/templates/_helpers.tpl new file mode 100644 index 00000000000000..9ae28f17080a66 --- /dev/null +++ b/bitnami/chainloop/templates/_helpers.tpl 
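Review bot: The CONFIGURE CLI snippet always renders `chainloop --insecure config save \`, even when `chainloop.controlplane.grpc_url` / `chainloop.cas.grpc_url` resolve to an ingress hostname (`api.<hostname>`), which is the case where the endpoints are most likely served over TLS; users copying the snippet would then turn off transport security (as I read `--insecure`) where it is not needed. Consider gating the flag on the ingress values, e.g. `chainloop{{- if not .Values.controlplane.ingress.enabled }} --insecure{{- end }} config save \`, or at least add a line such as `Drop --insecure once the API endpoints are served over TLS` below the command. The static development users are printed only inside the `.Values.development` block together with the production warning, which is the right place for them.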
@@ -0,0 +1,466 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- define "chainloop.postgresql.fullname" -}} +{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}} +{{- end -}} + +{{- define "chainloop.vault.fullname" -}} +{{- include "common.names.dependency.fullname" (dict "chartName" "vault" "chartValues" .Values.vault "context" $) -}} +{{- end -}} + +{{/* +Returns a private key used for CAS <-> Controlplane communication +If we are running ind development mode we add a default one otherwise we require providing it +*/}} +{{- define "chainloop.casjwt.private_key" -}} + {{- if .Values.development }} + {{- coalesce .Values.casJWTPrivateKey (include "chainloop.casjwt.private_key.devel" .) }} + {{- else }} + {{- required "Authentication Private Key \"casJWTPrivateKey\" required" .Values.casJWTPrivateKey }} + {{- end }} +{{- end }} + +{{/* +Returns a public key used for CAS <-> Controlplane communication +If we are running ind development mode we add a default one otherwise we require providing it +*/}} +{{- define "chainloop.casjwt.public_key" -}} + {{- if .Values.development }} + {{- coalesce .Values.casJWTPublicKey (include "chainloop.casjwt.public_key.devel" .) 
}} + {{- else }} + {{- required "Authentication Public Key \"casJWTPublicKey\" required" .Values.casJWTPublicKey }} + {{- end }} +{{- end }} + +{{/* +DEVELOPMENT ONLY PRIVATE KEY +NOTE: It can not be generated by HELM because we also need a public key +*/}} +{{- define "chainloop.casjwt.private_key.devel" -}} +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIA762MbJK9IBnaqG0sd9uFRM+Z7Y+Aq5UfmbWf0+acKMYpYoy/8kBE +tI6cpcA2KvmW5qurOjIMh5ISr+P2GmzSZX+gBwYFK4EEACOhgYkDgYYABAFzPMcM +NUnPoC7b+s+/OyxRC7V/+elthj6Cq85WCj0KZ2qDvmd4QsYnsTIQ7NM7E+9WztdP +rJBaMdfauMarLlc7/AAHqoa0lv7HNIa0PpupZD4VXmnIe/ZkhHvKOuw0Bdoq2D2B +3U25sylQQto3nZ4IqnsXmrtYGIFI9om3PoliT9/J7g== +-----END EC PRIVATE KEY----- +{{- end -}} + +{{/* +DEVELOPMENT ONLY PUBLIC KEY +*/}} +{{- define "chainloop.casjwt.public_key.devel" -}} +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBczzHDDVJz6Au2/rPvzssUQu1f/np +bYY+gqvOVgo9Cmdqg75neELGJ7EyEOzTOxPvVs7XT6yQWjHX2rjGqy5XO/wAB6qG +tJb+xzSGtD6bqWQ+FV5pyHv2ZIR7yjrsNAXaKtg9gd1NubMpUELaN52eCKp7F5q7 +WBiBSPaJtz6JYk/fye4= +-----END PUBLIC KEY----- +{{- end -}} + +{{- define "chainloop.credentials_service_settings" -}} +{{- with .Values.secretsBackend }} +secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }} +{{- if eq .backend "vault" }} +{{- $tokenEnvVar := "" }} +{{- range $.Values.vault.server.extraEnvVars }} + {{- if eq .name "VAULT_DEV_ROOT_TOKEN_ID" }} + {{- $tokenEnvVar = .value }} + {{- end }} +{{- end }} +vault: + {{- if and $.Values.development (or (not .vault) (not .vault.address)) }} + address: {{ printf "http://%s-server:8200" (include "chainloop.vault.fullname" $) | quote }} + {{- if $tokenEnvVar }} + token: {{ $tokenEnvVar | quote }} + {{- else }} + {{- required "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" (index $.Values.vault.server.extraEnvVars "VAULT_DEV_ROOT_TOKEN_ID") }} + {{- end }} +{{- else if (required "vault backend selected but configuration not provided" .vault ) }} + 
address: {{ required "vault address required" .vault.address | quote }} + token: {{ required "vault token required" .vault.token | quote }} +{{- end }} + +{{- else if eq .backend "awsSecretManager" }} +awsSecretManager: + region: {{ required "region required" .awsSecretManager.region | quote }} + creds: + accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }} + secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }} + +{{- else if eq .backend "gcpSecretManager" }} +gcpSecretManager: + projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }} + serviceAccountKey: "/gcp-secrets/serviceAccountKey.json" + {{- if eq .gcpSecretManager.serviceAccountKey "" }} + {{- fail ".Values.secretsBackend.gcpSecretManager.serviceAccountKey not set" }} + {{- end }} +{{- else if eq .backend "azureKeyVault" }} +azure_key_vault: + tenant_id: {{ required "AD tenantID required" .azureKeyVault.tenantID | quote }} + client_id: {{ required "Service principal ID required" .azureKeyVault.clientID | quote }} + client_secret: {{ required "Service principal secret required" .azureKeyVault.clientSecret | quote }} + vault_uri: {{ required "Azure Vault URL required" .azureKeyVault.vaultURI | quote }} +{{- end }} +{{- end }} +{{- end -}} + +{{- define "chainloop.node_port" -}} +{{- if (and (or (eq .type "NodePort") (eq .type "LoadBalancer")) .nodePorts (not (empty .nodePorts.http))) }} +{{- .nodePorts.http }} +{{- else -}} +null +{{- end -}} +{{- end -}} + +{{/* +############################################################################## +Controlplane helpers +############################################################################## +*/}} + +{{- define "chainloop.controlplane.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.controlplane.image "global" .Values.global) }} +{{- end -}} + +{{/* +Chainloop Controlplane release name +*/}} +{{- define "chainloop.controlplane.fullname" -}} +{{- 
printf "%s-%s" (include "common.names.fullname" .) "controlplane" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Chainloop Controlplane Chart fullname +*/}} +{{- define "chainloop.controlplane.name" -}} +{{- printf "%s-%s" (include "common.names.name" .) "controlplane" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "chainloop.controlplane.labels" -}} +{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }} +app.kubernetes.io/component: controlplane +{{- end }} + +-{{/* +-Selector labels +-*/}} +{{- define "chainloop.controlplane.selectorLabels" -}} +{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) }} +{{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" . ) }} +app.kubernetes.io/component: controlplane +{{- end }} + +{{- define "chainloop.controlplane.migration.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.controlplane.migration.image "global" .Values.global) }} +{{- end -}} + +{{/* +Migration labels +*/}} +{{- define "chainloop.controlplane.migration.labels" -}} +{{- include "common.labels.standard" . 
}} +app.kubernetes.io/component: controlplane-migration +{{- end }} + + +{{/* +OIDC settings, will fallback to development settings if needed +*/}} +{{- define "controlplane.oidc_settings" -}} + {{- if .Values.development }} + {{- with .Values.controlplane.auth }} + domain: "{{ coalesce .oidc.url "http://chainloop-dex:5556/dex" }}" + client_id: "{{ coalesce .oidc.clientID "chainloop-dev" }}" + client_secret: "{{ coalesce .oidc.clientSecret "ZXhhbXBsZS1hcHAtc2VjcmV0" }}" + {{- if .oidc.loginURLOverride }} + login_url_override: "{{ .oidc.loginURLOverride }}" + {{- end }} + {{- end }} + {{- else }} + {{- with .Values.controlplane.auth }} + domain: "{{ required "oidc URL endpoint required" .oidc.url }}" + client_id: "{{ required "oidc clientID required" .oidc.clientID }}" + client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}" + {{- if .oidc.loginURLOverride }} + login_url_override: "{{ .oidc.loginURLOverride }}" + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "controlplane.serviceAccountName" -}} +{{- if .Values.controlplane.serviceAccount.create }} +{{- default (include "chainloop.controlplane.fullname" .) .Values.controlplane.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.controlplane.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return the Postgresql connection string +*/}} +{{- define "controlplane.database.connection_string" -}} +{{- printf "postgresql://%s:%s@%s:%s/%s" (include "controlplane.database.user" .) (include "controlplane.database.escapedPassword" .) (include "controlplane.database.host" .) (include "controlplane.database.port" .) (include "controlplane.database.name" .) }} +{{- end -}} + +{{/* +Return the Postgresql connection string for Atlas migration +*/}} +{{- define "controlplane.database.atlas_connection_string" -}} +{{- $connStr := printf "postgres://%s:%s@%s:%s/%s" (include "controlplane.database.user" .) 
(include "controlplane.database.escapedPassword" .) (include "controlplane.database.host" .) (include "controlplane.database.port" .) (include "controlplane.database.name" .) }} +{{- .Values.controlplane.migration.ssl | ternary $connStr (printf "%s?sslmode=disable" $connStr) }} +{{- end -}} + +{{/* +Return the Postgresql hostname +*/}} +{{- define "controlplane.database.host" -}} +{{- ternary (include "chainloop.postgresql.fullname" .) .Values.controlplane.externalDatabase.host .Values.postgresql.enabled -}} +{{- end -}} + +{{/* +Return the Postgresql port +*/}} +{{- define "controlplane.database.port" -}} +{{- ternary 5432 .Values.controlplane.externalDatabase.port .Values.postgresql.enabled -}} +{{- end -}} + +{{/* +Return the Postgresql password +*/}} +{{- define "controlplane.database.password" -}} +{{- if .Values.postgresql.enabled }} + {{- if .Values.global.postgresql }} + {{- if .Values.global.postgresql.auth }} + {{- coalesce .Values.global.postgresql.auth.password .Values.postgresql.auth.password -}} + {{- else -}} + {{- .Values.postgresql.auth.password -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.password -}} + {{- end -}} +{{- else -}} + {{- .Values.controlplane.externalDatabase.password -}} +{{- end -}} +{{- end -}} + + +{{/* +Return the URL-scaped Postgresql password +*/}} +{{ define "controlplane.database.escapedPassword" -}} + {{- include "controlplane.database.password" . 
| urlquery | replace "+" "%20" -}} +{{- end -}} + +{{/* +Return the Postgresql database name +*/}} +{{- define "controlplane.database.name" -}} +{{- if .Values.postgresql.enabled }} + {{- if .Values.global.postgresql }} + {{- if .Values.global.postgresql.auth }} + {{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}} + {{- else -}} + {{- .Values.postgresql.auth.database -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.database -}} + {{- end -}} +{{- else -}} + {{- .Values.controlplane.externalDatabase.database -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Postgresql user +*/}} +{{- define "controlplane.database.user" -}} +{{- if .Values.postgresql.enabled }} + {{- if .Values.global.postgresql }} + {{- if .Values.global.postgresql.auth }} + {{- coalesce .Values.global.postgresql.auth.username .Values.postgresql.auth.username -}} + {{- else -}} + {{- .Values.postgresql.auth.username -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.username -}} + {{- end -}} +{{- else -}} + {{- .Values.controlplane.externalDatabase.user -}} +{{- end -}} +{{- end -}} + +{{/* +Figure out the external URL the controlplane can be reached at +This endpoint is used for the CLI to know where to go for log in +NOTE: Load balancer service type is not supported +*/}} +{{- define "chainloop.controlplane.external_url" -}} +{{- $service := .Values.controlplane.service }} +{{- $ingress := .Values.controlplane.ingress }} + +{{- if .Values.controlplane.auth.oidc.externalURL }} +{{- .Values.controlplane.auth.oidc.externalURL }} +{{- else if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} +{{- printf "http://localhost:%s" $service.nodePorts.http }} +{{- else -}} +null +{{- end -}} +{{- end -}} + +{{/* +Figure out the gRPC URL the controlplane 
can be reached at +*/}} +{{- define "chainloop.controlplane.grpc_url" -}} +{{- $service := .Values.controlplane.serviceAPI }} +{{- $ingress := .Values.controlplane.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "api.%s" $ingress.hostname }} +{{- else if (not (empty $service.ports.https)) }} +{{- printf "localhost:%d" ($service.ports.https | int) }} +{{- else }} +{{- printf "localhost:%d" ($service.ports.http | int) }} +{{- end -}} +{{- end -}} + +{{- define "chainloop.sentry" -}} +observability: + sentry: + dsn: {{ required "Sentry DSN required" .dsn | quote }} + environment: {{ required "Sentry environment required" .environment | quote }} +{{- end -}} + +{{/* +############################################################################## +CAS Helpers +############################################################################## +*/}} + +{{- define "chainloop.cas.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.cas.image "global" .Values.global) }} +{{- end -}} + +{{/* +Chainloop CAS release name +*/}} +{{- define "chainloop.cas.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "cas" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Chainloop CAS Chart fullname +*/}} +{{- define "chainloop.cas.name" -}} +{{- printf "%s-%s" (include "common.names.name" .) "cas" | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{/* + +Common labels +*/}} +{{- define "chainloop.cas.labels" -}} +{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }} +app.kubernetes.io/component: cas +{{- end }} + +-{{/* +-Selector labels +-*/}} +{{- define "chainloop.cas.selectorLabels" -}} +{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .) }} +{{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" . 
) }} +app.kubernetes.io/component: cas +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "chainloop.cas.serviceAccountName" -}} +{{- if .Values.cas.serviceAccount.create }} +{{- default (include "chainloop.cas.fullname" .) .Values.cas.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.cas.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +External URL the CAS can be reached at +This endpoint is used for the cas to redirect downloads +NOTE: Load balancer service type is not supported +*/}} +{{- define "chainloop.cas.external_url" -}} +{{- $service := .Values.cas.service }} +{{- $ingress := .Values.cas.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} +{{- printf "http://localhost:%s" $service.nodePorts.http }} +{{- end -}} +{{- end -}} + +{{/* +Figure out the gRPC URL the cas can be reached at +*/}} +{{- define "chainloop.cas.grpc_url" -}} +{{- $service := .Values.cas.serviceAPI }} +{{- $ingress := .Values.cas.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "api.%s" $ingress.hostname }} +{{- else if (not (empty $service.ports.https)) }} +{{- printf "localhost:%d" ($service.ports.https | int) }} +{{- else }} +{{- printf "localhost:%d" ($service.ports.http | int) }} +{{- end -}} +{{- end -}} + +{{/* +############################################################################## +Dex helpers +############################################################################## +*/}} + +{{/* +Return the proper Dex image name +*/}} +{{- define "chainloop.dex.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.dex.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper service name for Dex +*/}} +{{- define "chainloop.dex" -}} +{{- printf 
"%s-dex" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create the name of the service account to use for Dex +*/}} +{{- define "chainloop.dex.serviceAccountName" -}} +{{- if .Values.dex.serviceAccount.create -}} + {{ default (printf "%s-dex" (include "common.names.fullname" .)) .Values.dex.serviceAccount.name | trunc 63 | trimSuffix "-" }} +{{- else -}} + {{ default "default" .Values.dex.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Chainloop Dex release name +*/}} +{{- define "chainloop.dex.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/bitnami/chainloop/templates/cas/configmap.yaml b/bitnami/chainloop/templates/cas/configmap.yaml new file mode 100644 index 00000000000000..1849b5037f7b1f --- /dev/null +++ b/bitnami/chainloop/templates/cas/configmap.yaml 
@@ -0,0 +1,35 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (empty .Values.cas.existingConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "chainloop.cas.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + server.yaml: | + server: + http: + addr: "0.0.0.0:{{ .Values.cas.containerPorts.http }}" + # Timeouts for http downloads + # grpc downloads/uploads don't require this because they don't have timeouts + timeout: 300s + grpc: + {{- if .Values.cas.tls.existingSecret }} + tls_config: + certificate: /data/server-certs/tls.crt + private_key: /data/server-certs/tls.key + {{- end }} + addr: "0.0.0.0:{{ .Values.cas.containerPorts.grpc }}" + # Some unary RPCs are slow, so we need to increase the timeout + timeout: 5s + http_metrics: + addr: "0.0.0.0:{{ .Values.cas.containerPorts.metrics}}" +{{- end }} diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml new file mode 100644 index 00000000000000..c92a31a8fe9d89 --- /dev/null +++ b/bitnami/chainloop/templates/cas/deployment.yaml 
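Review bot: `addr: "0.0.0.0:{{ .Values.cas.containerPorts.metrics}}"` is missing the space before `}}` that every other action in this file has; `{{ .Values.cas.containerPorts.metrics }}` keeps the style consistent. The comment `# grpc downloads/uploads don't require this because they don't have timeouts` sits directly above a `grpc:` block that then sets `timeout: 5s`, which reads as contradictory at first glance; rewording it to say that the 5s value applies to unary RPCs only, as the second comment already hints, would avoid the confusion.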
@@ -0,0 +1,179 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "chainloop.cas.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.deploymentAnnotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.deploymentAnnotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.cas.autoscaling.hpa.enabled }} + replicas: {{ .Values.cas.replicaCount }} + {{- end }} + {{- if .Values.cas.updateStrategy }} + strategy: {{- toYaml .Values.cas.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{ include "chainloop.cas.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cas" "/configmap.yaml") . | sha256sum }} + checksum/config-secret: {{ include (print $.Template.BasePath "/cas" "/secret-config.yaml") . | sha256sum }} + checksum/public-key-secret: {{ include (print $.Template.BasePath "/cas" "/secret-jwt-public-key.yaml") . | sha256sum }} + labels: {{ include "chainloop.cas.labels" . | nindent 8 }} + spec: + {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.cas.image) "context" $) | nindent 6 }} + serviceAccountName: {{ include "chainloop.cas.serviceAccountName" . 
}} + automountServiceAccountToken: {{ .Values.cas.automountServiceAccountToken }} + {{- if .Values.cas.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.cas.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.cas.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.cas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .) }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cas.podAffinityPreset "component" "cas" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cas.podAntiAffinityPreset "component" "cas" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.cas.nodeAffinityPreset.type "key" .Values.cas.nodeAffinityPreset.key "values" .Values.cas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.cas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.cas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.cas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.cas.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.cas.priorityClassName }} + priorityClassName: {{ .Values.cas.priorityClassName | quote }} + {{- end }} + {{- if .Values.cas.schedulerName }} + schedulerName: {{ .Values.cas.schedulerName | quote }} + {{- end }} + {{- if .Values.cas.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.cas.topologySpreadConstraints "context" .) 
| nindent 8 }} + {{- end }} + {{- if .Values.cas.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.cas.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.cas.terminationGracePeriodSeconds }} + {{- end }} + initContainers: + {{- if .Values.cas.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: cas + {{- if .Values.cas.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + image: {{ include "chainloop.cas.image" . }} + imagePullPolicy: {{ .Values.cas.image.pullPolicy }} + command: [ "./artifact-cas" ] + args: [ "--conf", "/data/conf" ] + ports: + - name: http + containerPort: {{ .Values.cas.containerPorts.http }} + - name: metrics + containerPort: {{ .Values.cas.containerPorts.metrics }} + - name: grpc + containerPort: {{ .Values.cas.containerPorts.grpc }} + startupProbe: + httpGet: + path: /statusz + port: http + periodSeconds: 5 + livenessProbe: + httpGet: + path: /statusz + port: http + readinessProbe: + httpGet: + path: /statusz?readiness=1 + port: http + {{- if .Values.cas.resources }} + resources: {{- toYaml .Values.cas.resources | nindent 12 }} + {{- else if ne .Values.cas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.cas.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.cas.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.cas.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.cas.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVars 
"context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.cas.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.cas.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVarsSecret "context" $) }} + {{- end }} + volumeMounts: + - name: config + mountPath: "/data/conf" + - name: jwt-public-key + mountPath: "/tmp" + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + mountPath: /gcp-secrets + {{- end }} + {{- if .Values.cas.tls.existingSecret }} + - name: server-certs + mountPath: /data/server-certs + {{- end }} + {{- if (not (empty .Values.cas.customCAs)) }} + - name: custom-cas + # NOTE: /etc/ssl/certs already contains the system CA certs + # Let's use another known path https://go.dev/src/crypto/x509/root_linux.go + mountPath: /etc/pki/tls/certs + readOnly: true + {{- end }} + {{- if .Values.cas.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cas.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: config + projected: + sources: + - configMap: + name: {{ include "chainloop.cas.fullname" . }} + - secret: + name: {{ include "chainloop.cas.fullname" . }} + - name: jwt-public-key + secret: + secretName: {{ include "chainloop.cas.fullname" . }}-jwt-public-key + {{- if .Values.cas.tls.existingSecret }} + - name: server-certs + secret: + secretName: {{ .Values.cas.tls.existingSecret }} + {{- end }} + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + secret: + secretName: {{ include "chainloop.cas.fullname" . 
}}-gcp-secretmanager-serviceaccountkey + {{- end }} + {{- if (not (empty .Values.cas.customCAs)) }} + - name: custom-cas + projected: + sources: + - secret: + name: {{ include "chainloop.cas.fullname" . }}-custom-cas + {{- end }} + {{- if .Values.cas.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/bitnami/chainloop/templates/cas/hpa.yaml b/bitnami/chainloop/templates/cas/hpa.yaml new file mode 100644 index 00000000000000..c0fe8c9ccadfe8 --- /dev/null +++ b/bitnami/chainloop/templates/cas/hpa.yaml 
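Review bot: `.Values.cas.podLabels` never reaches the pods: the template metadata renders `labels: {{ include "chainloop.cas.labels" . | nindent 8 }}`, which only merges `commonLabels`, while `podLabels` is used for the selector (`chainloop.cas.selectorLabels`) and for the affinity presets. Compute `$podLabels` once before `template:` (the same merge currently done only inside the affinity `else` branch) and render `labels: {{- include "common.labels.standard" (dict "customLabels" $podLabels "context" $) | nindent 8 }}` followed by `app.kubernetes.io/component: cas`; if the common library keeps any of those keys in `matchLabels`, the current mismatch would also get the Deployment rejected. Separately, mounting the `jwt-public-key` secret at `mountPath: "/tmp"` turns the container's temp directory into a read-only secret volume; if the CAS key path is configurable, a dedicated path next to `/data/conf` and `/data/server-certs` would be safer.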
@@ -0,0 +1,48 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.cas.autoscaling.hpa.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )}} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: Deployment + name: {{ include "common.names.fullname" . }} + minReplicas: {{ .Values.cas.autoscaling.hpa.minReplicas }} + maxReplicas: {{ .Values.cas.autoscaling.hpa.maxReplicas }} + metrics: + {{- if .Values.cas.autoscaling.hpa.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.cas.autoscaling.hpa.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.cas.autoscaling.hpa.targetMemory }} + {{- end }} + {{- end }} + {{- if .Values.cas.autoscaling.hpa.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.cas.autoscaling.hpa.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.cas.autoscaling.hpa.targetCPU }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/cas/ingress-grpc.yaml b/bitnami/chainloop/templates/cas/ingress-grpc.yaml new file mode 100644 index 00000000000000..53f0c74cbbcac2 --- /dev/null +++ b/bitnami/chainloop/templates/cas/ingress-grpc.yaml 
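Review bot: Both `metadata.name` and `scaleTargetRef.name` use `{{ include "common.names.fullname" . }}`, but the CAS Deployment in `cas/deployment.yaml` is named `{{ include "chainloop.cas.fullname" . }}` (fullname plus `-cas`), so with `cas.autoscaling.hpa.enabled` the autoscaler points at a Deployment that does not exist. Change both to `name: {{ include "chainloop.cas.fullname" . }}`; that also keeps the HPA name from colliding with a controlplane HPA should it follow the same pattern.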
@@ -0,0 +1,65 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.cas.ingressAPI.enabled }} +{{- $fullName := printf "%s-%s" (include "chainloop.cas.fullname" .) "api" -}} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.ingressAPI.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.cas.ingressAPI.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingressAPI.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + {{- if and .Values.cas.ingressAPI.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.cas.ingressAPI.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.cas.ingressAPI.hostname }} + - host: {{ .Values.cas.ingressAPI.hostname }} + http: + paths: + {{- if .Values.cas.ingressAPI.extraPaths }} + {{- toYaml .Values.cas.ingressAPI.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.cas.ingressAPI.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}} + pathType: {{ .Values.cas.ingressAPI.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.cas.ingressAPI.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.cas.ingressAPI.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingressAPI.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.cas.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingressAPI.annotations )) .Values.cas.ingressAPI.selfSigned)) .Values.cas.ingressAPI.extraTls }} + tls: + {{- if and .Values.cas.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingressAPI.annotations )) .Values.cas.ingressAPI.selfSigned) }} + - hosts: + - {{ .Values.cas.ingressAPI.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.cas.ingressAPI.hostname }} + {{- end }} + {{- if .Values.cas.ingressAPI.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingressAPI.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/cas/ingress.yaml b/bitnami/chainloop/templates/cas/ingress.yaml new file mode 100644 index 00000000000000..053e7cff87c7e2 --- /dev/null +++ b/bitnami/chainloop/templates/cas/ingress.yaml 
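Review bot: The `tls:` stanza is rendered only when `cas.ingressAPI.tls` is combined with a cert-manager annotation or `selfSigned`, so an operator who sets `tls: true` and pre-creates their own `<hostname>-tls` Secret gets an Ingress that publishes the CAS gRPC API over plaintext with no rendering error or warning. Since this is the endpoint the controlplane's `cas_server` config points at, I would either render the `tls:` entry whenever `.Values.cas.ingressAPI.tls` is true, or at minimum document the behaviour in values.yaml: `## @param cas.ingressAPI.tls TLS is only rendered together with selfSigned or a cert-manager annotation; supply your own certificate via extraTls`. The HTTP ingress in this change carries the same condition and needs the same note.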
@@ -0,0 +1,65 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.cas.ingress.enabled }} +{{- $fullName := include "chainloop.cas.fullname" . -}} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.ingress.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.cas.ingress.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingress.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + {{- if and .Values.cas.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.cas.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.cas.ingress.hostname }} + - host: {{ .Values.cas.ingress.hostname }} + http: + paths: + {{- if .Values.cas.ingress.extraPaths }} + {{- toYaml .Values.cas.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.cas.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}} + pathType: {{ .Values.cas.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.cas.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.cas.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned)) .Values.cas.ingress.extraTls }} + tls: + {{- if and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned) }} + - hosts: + - {{ .Values.cas.ingress.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }} + {{- end }} + {{- if .Values.cas.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/cas/networkpolicy.yaml b/bitnami/chainloop/templates/cas/networkpolicy.yaml new file mode 100644 index 00000000000000..9d2153160fb25e --- /dev/null +++ b/bitnami/chainloop/templates/cas/networkpolicy.yaml 
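Review bot: `extraPaths` is emitted with a bare `toYaml` while `extraRules`, `extraTls` and the annotations in this same file go through `common.tplvalues.render`, so a value such as `{{ include "chainloop.cas.fullname" . }}` works as a backend name in an extra rule but is written literally into an extra path. Align it with the rest of the template: `{{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraPaths "context" $) | nindent 10 }}`. The gRPC ingress template in this change has the same mismatch.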
@@ -0,0 +1,74 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.cas.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ printf "%s-cas" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: cas + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: cas + policyTypes: + - Ingress + - Egress + {{- if .Values.cas.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.controlplane.containerPorts.http }} + - port: {{ .Values.controlplane.containerPorts.grpc }} + - port: {{ .Values.controlplane.containerPorts.metrics }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.cas.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.cas.containerPorts.http }} + {{- if not .Values.cas.networkPolicy.allowExternal }} + from: + - 
podSelector: + matchLabels: + {{ printf "%s-cas" (include "common.names.fullname" .) }}: "true" + {{- if .Values.cas.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.cas.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.cas.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.cas.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.cas.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/cas/pdb.yaml b/bitnami/chainloop/templates/cas/pdb.yaml new file mode 100644 index 00000000000000..827c03b40df307 --- /dev/null +++ b/bitnami/chainloop/templates/cas/pdb.yaml 
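Review bot: The ingress rule opens only `.Values.cas.containerPorts.http`, but the `-api` Service in this change targets `.Values.cas.containerPorts.grpc` and the controlplane config points `cas_server.grpc.addr` at that Service, so enabling this NetworkPolicy blocks the controlplane-to-CAS gRPC hop. Add `- port: {{ .Values.cas.containerPorts.grpc }}` beside the http entry under `ingress[0].ports`. Note also that with `allowExternal: false` a caller must carry the `<fullname>-cas: "true"` pod label or match `ingressNSMatchLabels`; nothing in this hunk puts that label on the controlplane pods, so presumably `controlplane.podLabels` is expected to, which deserves a comment in values.yaml.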
@@ -0,0 +1,26 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.cas.pdb.enabled }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.cas.pdb.minAvailable }} + minAvailable: {{ .Values.cas.pdb.minAvailable }} + {{- end }} + {{- if or .Values.cas.pdb.maxUnavailable ( not .Values.cas.pdb.minAvailable ) }} + maxUnavailable: {{ .Values.cas.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} diff --git a/bitnami/chainloop/templates/cas/secret-config.yaml b/bitnami/chainloop/templates/cas/secret-config.yaml new file mode 100644 index 00000000000000..e1bb7f2f912a8e --- /dev/null +++ b/bitnami/chainloop/templates/cas/secret-config.yaml 
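Review bot: The PDB selector is built only from `podLabels` and `commonLabels` and, unlike the NetworkPolicy in this change, does not add `app.kubernetes.io/component: cas`, so if the controlplane pods carry the same standard labels the default `maxUnavailable: 1` is a single budget shared across both components and the eviction guarantee is weaker than intended. The object is also named `{{ include "common.names.fullname" . }}` with no component suffix, which collides with any controlplane PDB built from the same helper. I would add `app.kubernetes.io/component: cas` under `matchLabels` and name it `{{ printf "%s-cas" (include "common.names.fullname" .) }}` as the NetworkPolicy does.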
@@ -0,0 +1,27 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.cas.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +stringData: + {{- if and .Values.cas.sentry .Values.cas.sentry.enabled }} + config.observability.yaml: | + {{- include "chainloop.sentry" .Values.cas.sentry | nindent 4 }} + {{- end }} + config.secret.yaml: | + credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }} + auth: + public_key_path: "/tmp/cas.public.pem" + # Deprecated, use public_key_path instead. Remove option once release of the app 0.15+ is out. + robot_account_public_key_path: "/tmp/cas.public.pem" + # TODO: add observability diff --git a/bitnami/chainloop/templates/cas/secret-customcas.yaml b/bitnami/chainloop/templates/cas/secret-customcas.yaml new file mode 100644 index 00000000000000..f7e5a8c4641031 --- /dev/null +++ b/bitnami/chainloop/templates/cas/secret-customcas.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $customCAs := .Values.cas.customCAs }} +{{- if (not (empty $customCAs)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.cas.fullname" . }}-custom-cas + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +data: + {{- range $index, $pem := $customCAs }} + custom-{{ $index }}.crt: {{ $pem | b64enc | quote }} + {{- end -}} +{{- end -}} diff --git a/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml b/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml new file mode 100644 index 00000000000000..59b8c0af0187d9 
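Review bot: `public_key_path` and the deprecated `robot_account_public_key_path` point the JWT verification key at `/tmp/cas.public.pem`; if the CAS pod mounts a writable emptyDir at `/tmp` the way the controlplane Deployment in this change does, the key that authenticates every CAS request lives in a directory any process in the container can write to, so replacing it after a foothold is a one-step move. I cannot see the CAS Deployment's volumeMounts from here, but I would mount the `-jwt-public-key` Secret on a dedicated read-only path such as `/secrets/cas.public.pem` and reference that here. The trailing `# TODO: add observability` is stale next to the `config.observability.yaml` entry above it; drop it or say what is still missing.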
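Review bot: This Secret has no `namespace:` field while the Services, Secret and NetworkPolicy around it use `namespace: {{ include "common.names.namespace" . | quote }}`, so with a `namespaceOverride` the CAS Deployment would look for `…-custom-cas` in the override namespace while the Secret lands in the release namespace. Add `namespace: {{ include "common.names.namespace" . | quote }}` under `metadata`, and `type: Opaque` for consistency with the sibling Secrets. Mounting the CA bundle `readOnly: true` as the controlplane Deployment does is the right pattern; the CAS Deployment's mount is outside this hunk, so worth checking it matches.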
--- /dev/null +++ b/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml @@ -0,0 +1,16 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +type: Opaque +data: + serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }} +{{- end }} diff --git a/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml b/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml new file mode 100644 index 00000000000000..bcd18afb1e86e9 --- /dev/null +++ b/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml @@ -0,0 +1,14 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.cas.fullname" . }}-jwt-public-key + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +type: Opaque +data: + cas.public.pem: {{ include "chainloop.casjwt.public_key" . | b64enc | quote }} diff --git a/bitnami/chainloop/templates/cas/service-account.yaml b/bitnami/chainloop/templates/cas/service-account.yaml new file mode 100644 index 00000000000000..afa0775bc6dbd9 --- /dev/null +++ b/bitnami/chainloop/templates/cas/service-account.yaml 
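Review bot: The GCP service-account key is read straight from `.Values.secretsBackend.gcpSecretManager.serviceAccountKey`, so the long-lived credential ends up in values files, CI variables and the Helm release Secret, and nothing visible here offers an `existingSecret` alternative for operators who manage it out of band. I would accept `secretsBackend.gcpSecretManager.existingSecret`, skip rendering this object when it is set, and have the Deployment volume reference whichever name is in effect, mirroring how `controlplane.tls.existingSecret` is handled. This Secret and the `-jwt-public-key` Secret that follows also omit `namespace:` unlike the rest of the chart; add `namespace: {{ include "common.names.namespace" . | quote }}` to both.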
@@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.cas.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "chainloop.cas.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.serviceAccount.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.cas.serviceAccount.automountServiceAccountToken }} + {{- end }} diff --git a/bitnami/chainloop/templates/cas/service-grpc.yaml b/bitnami/chainloop/templates/cas/service-grpc.yaml new file mode 100644 index 00000000000000..4d2794df293886 --- /dev/null +++ b/bitnami/chainloop/templates/cas/service-grpc.yaml 
@@ -0,0 +1,52 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.cas.fullname" . }}-api + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.serviceAPI.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.serviceAPI.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.cas.serviceAPI.type }} + {{- if and .Values.cas.serviceAPI.clusterIP (eq .Values.cas.serviceAPI.type "ClusterIP") }} + clusterIP: {{ .Values.cas.serviceAPI.clusterIP }} + {{- end }} + {{- if .Values.cas.serviceAPI.sessionAffinity }} + sessionAffinity: {{ .Values.cas.serviceAPI.sessionAffinity }} + {{- end }} + {{- if .Values.cas.serviceAPI.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.cas.serviceAPI.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.cas.serviceAPI.type "LoadBalancer") (eq .Values.cas.serviceAPI.type "NodePort") }} + externalTrafficPolicy: {{ .Values.cas.serviceAPI.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.cas.serviceAPI.type "LoadBalancer") (not (empty .Values.cas.serviceAPI.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.cas.serviceAPI.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.cas.serviceAPI.type "LoadBalancer") (not (empty .Values.cas.serviceAPI.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.cas.serviceAPI.loadBalancerIP }} + {{- end }} + ports: + - name: grpc + {{- $port := coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http }} + port: {{ $port }} + {{- 
if not (eq $port .Values.cas.containerPorts.grpc) }} + targetPort: {{ .Values.cas.containerPorts.grpc }} + {{- end }} + protocol: TCP + {{- if and (or (eq .Values.cas.serviceAPI.type "NodePort") (eq .Values.cas.serviceAPI.type "LoadBalancer")) (not (empty .Values.cas.serviceAPI.nodePorts.http)) }} + nodePort: {{ .Values.cas.serviceAPI.nodePorts.http }} + {{- else if eq .Values.cas.serviceAPI.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.cas.serviceAPI.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.serviceAPI.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/cas/service-http.yaml b/bitnami/chainloop/templates/cas/service-http.yaml new file mode 100644 index 00000000000000..3526e3917fa238 --- /dev/null +++ b/bitnami/chainloop/templates/cas/service-http.yaml 
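Review bot: `loadBalancerSourceRanges: {{ .Values.cas.serviceAPI.loadBalancerSourceRanges }}` prints the Go slice (`[10.0.0.0/8 192.168.0.0/16]`), which YAML reads as a one-element flow sequence, so any allowlist with more than one CIDR is presumably rejected by API validation and the Service is never created — and that list is the only control scoping who can reach a LoadBalancer-exposed CAS API. Render it as a list: `loadBalancerSourceRanges: {{- toYaml .Values.cas.serviceAPI.loadBalancerSourceRanges | nindent 4 }}`. Separately, the keys are `ports.http` and `nodePorts.http` for a port named `grpc`; it works but reads as a copy of the HTTP Service and will confuse anyone setting values.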
@@ -0,0 +1,52 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.cas.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.service.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.cas.service.type }} + {{- if and .Values.cas.service.clusterIP (eq .Values.cas.service.type "ClusterIP") }} + clusterIP: {{ .Values.cas.service.clusterIP }} + {{- end }} + {{- if .Values.cas.service.sessionAffinity }} + sessionAffinity: {{ .Values.cas.service.sessionAffinity }} + {{- end }} + {{- if .Values.cas.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.cas.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.cas.service.type "LoadBalancer") (eq .Values.cas.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.cas.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.cas.service.type "LoadBalancer") (not (empty .Values.cas.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.cas.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.cas.service.type "LoadBalancer") (not (empty .Values.cas.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.cas.service.loadBalancerIP }} + {{- end }} + ports: + - name: http + {{- $port := coalesce .Values.cas.service.port .Values.cas.service.ports.http }} + port: {{ $port }} + {{- if not (eq $port .Values.cas.containerPorts.http) }} + targetPort: 
{{ .Values.cas.containerPorts.http }} + {{- end }} + protocol: TCP + {{- if and (or (eq .Values.cas.service.type "NodePort") (eq .Values.cas.service.type "LoadBalancer")) (not (empty .Values.cas.service.nodePorts.http)) }} + nodePort: {{ .Values.cas.service.nodePorts.http }} + {{- else if eq .Values.cas.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.cas.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/cas/vpa.yaml b/bitnami/chainloop/templates/cas/vpa.yaml new file mode 100644 index 00000000000000..30deaee6bf67e2 --- /dev/null +++ b/bitnami/chainloop/templates/cas/vpa.yaml 
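Review bot: `loadBalancerSourceRanges: {{ .Values.cas.service.loadBalancerSourceRanges }}` interpolates the value as a Go slice literal rather than a YAML sequence, so a multi-entry allowlist renders as `[a b]` and is not a valid `loadBalancerSourceRanges` value; the source-range restriction on an Internet-facing CAS download endpoint then fails at apply time instead of taking effect. Use `loadBalancerSourceRanges: {{- toYaml .Values.cas.service.loadBalancerSourceRanges | nindent 4 }}`. The `nodePort: null` branch for ClusterIP is harmless but redundant; keeping it is fine for parity with the other Bitnami services.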
@@ -0,0 +1,44 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.cas.autoscaling.vpa.enabled }} +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: cas + {{- if or .Values.cas.autoscaling.vpa.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + resourcePolicy: + containerPolicies: + - containerName: cas + {{- with .Values.cas.autoscaling.vpa.controlledResources }} + controlledResources: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cas.autoscaling.vpa.maxAllowed }} + maxAllowed: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cas.autoscaling.vpa.minAllowed }} + minAllowed: + {{- toYaml . | nindent 8 }} + {{- end }} + targetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: Deployment + name: {{ include "common.names.fullname" . }} + {{- if .Values.cas.autoscaling.vpa.updatePolicy }} + updatePolicy: + {{- with .Values.cas.autoscaling.vpa.updatePolicy.updateMode }} + updateMode: {{ . }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/controlplane/configmap.yaml b/bitnami/chainloop/templates/controlplane/configmap.yaml new file mode 100644 index 00000000000000..3856a9970919e8 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/configmap.yaml 
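Review bot: `targetRef.name` and `metadata.name` use `common.names.fullname`, whereas the CAS Secrets and Services in this directory are named from `chainloop.cas.fullname`; unless those helpers resolve to the same string (the helpers file is not visible here) the VPA targets a Deployment that does not exist and is a silent no-op, and it will also clash by name with a controlplane VPA built from the same helper. Suggest `name: {{ include "chainloop.cas.fullname" . }}` for both. `updateMode: {{ . }}` is unquoted, and the common value `Off` is read as a boolean by YAML 1.1 parsers, so write `updateMode: {{ . | quote }}`.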
@@ -0,0 +1,55 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (empty .Values.controlplane.existingConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- if .Values.controlplane.auth.allowList }} + allow_list.yaml: | + auth: + allow_list: + {{- toYaml .Values.controlplane.auth.allowList | nindent 8 }} + {{- end }} + config.yaml: | + server: + http: + addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.http }}" + timeout: 10s + external_url: {{ include "chainloop.controlplane.external_url" . }} + http_metrics: + addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.metrics }}" + grpc: + addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.grpc }}" + timeout: 10s + {{- if .Values.controlplane.tls.existingSecret }} + tls_config: + certificate: /data/server-certs/tls.crt + private_key: /data/server-certs/tls.key + {{- end }} + cas_server: + grpc: + addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) (coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http) }} + insecure: {{ empty .Values.cas.tls.existingSecret }} + download_url: {{ include "chainloop.cas.external_url" . 
}}/download + plugins_dir: {{ .Values.controlplane.pluginsDir }} + referrer_shared_index: + {{- toYaml .Values.controlplane.referrerSharedIndex | nindent 6 }} + {{ if .Values.controlplane.onboarding }} + onboarding: + {{- toYaml .Values.controlplane.onboarding | nindent 6 }} + {{- end }} + {{ if .Values.controlplane.prometheus_org_metrics }} + prometheus_integration: + {{- toYaml .Values.controlplane.prometheus_org_metrics | nindent 6 }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml new file mode 100644 index 00000000000000..0cc018a51a970c --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/deployment.yaml 
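Review bot: `cas_server.grpc.insecure` is `true` whenever `cas.tls.existingSecret` is empty, so in the default configuration the controlplane talks to the CAS API in cleartext across the cluster network and nothing in the template says so. I would add a template comment above the `cas_server:` block: `{{- /* Plaintext gRPC to CAS unless cas.tls.existingSecret is set; the CAS NetworkPolicy or a mesh is what bounds this hop */}}`. The `{{ if .Values.controlplane.onboarding }}` and `{{ if .Values.controlplane.prometheus_org_metrics }}` guards lack the leading dash used everywhere else and leave stray blank lines in the rendered config; `{{- if` matches the rest of the file.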
@@ -0,0 +1,222 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.deploymentAnnotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.deploymentAnnotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.controlplane.autoscaling.hpa.enabled }} + replicas: {{ .Values.controlplane.replicaCount }} + {{- end }} + {{- if .Values.controlplane.updateStrategy }} + strategy: {{- toYaml .Values.controlplane.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) }} + selector: + matchLabels: {{ include "chainloop.controlplane.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/controlplane" "/configmap.yaml") . | sha256sum }} + checksum/secret-config: {{ include (print $.Template.BasePath "/controlplane" "/secret-config.yaml") . | sha256sum }} + checksum/cas-private-key: {{ include (print $.Template.BasePath "/controlplane" "/secret-jwt-cas-private-key.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: controlplane + labels: {{- include "chainloop.controlplane.labels" . 
| nindent 8 }} + spec: + {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.controlplane.image .Values.controlplane.migration.image) "context" $) | nindent 6 }} + serviceAccountName: {{ include "controlplane.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.controlplane.automountServiceAccountToken }} + {{- if .Values.controlplane.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controlplane.podAffinityPreset "component" "controlplane" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controlplane.podAntiAffinityPreset "component" "controlplane" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.controlplane.nodeAffinityPreset.type "key" .Values.controlplane.nodeAffinityPreset.key "values" .Values.controlplane.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.controlplane.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.tolerations "context" .) 
| nindent 8 }} + {{- end }} + {{- if .Values.controlplane.priorityClassName }} + priorityClassName: {{ .Values.controlplane.priorityClassName | quote }} + {{- end }} + {{- if .Values.controlplane.schedulerName }} + schedulerName: {{ .Values.controlplane.schedulerName | quote }} + {{- end }} + {{- if .Values.controlplane.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.controlplane.terminationGracePeriodSeconds }} + {{- end }} + initContainers: + {{- if .Values.controlplane.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.initContainers "context" $) | nindent 8 }} + {{- end }} + - name: migrate + image: {{ include "chainloop.controlplane.migration.image" . }} + imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} + command: [ "./atlas" ] + args: + - migrate + - apply + - --url + - $(CONNECTION_STRING) + - --dir + - file:///migrations + env: + - name: CONNECTION_STRING + valueFrom: + secretKeyRef: + name: {{ include "chainloop.controlplane.fullname" . }} + key: db_migrate_source + containers: + - name: controlplane + {{- if .Values.controlplane.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + image: {{ include "chainloop.controlplane.image" . 
}} + imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} + command: [ "./control-plane" ] + args: [ "--conf", "/data/conf" ] + ports: + - name: http + containerPort: {{ .Values.controlplane.containerPorts.http }} + - name: metrics + containerPort: {{ .Values.controlplane.containerPorts.metrics }} + - name: grpc + containerPort: {{ .Values.controlplane.containerPorts.grpc }} + startupProbe: + httpGet: + path: /statusz + port: http + periodSeconds: 5 + livenessProbe: + httpGet: + path: /statusz + port: http + periodSeconds: 5 + readinessProbe: + httpGet: + path: /statusz?readiness=1 + port: http + periodSeconds: 5 + {{- if .Values.controlplane.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.controlplane.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.controlplane.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.controlplane.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.controlplane.resources }} + resources: {{- toYaml .Values.controlplane.resources | nindent 12 }} + {{- else if ne .Values.controlplane.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.controlplane.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /data/conf + - name: tmp + mountPath: /tmp + - name: jwt-cas-private-key + mountPath: /secrets + {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }} + - name: file-ca-cert + 
mountPath: /ca_secrets + {{- end }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }} + - name: ejbca-ca-client + mountPath: /ca_secrets + {{- end }} + {{- if .Values.controlplane.tls.existingSecret }} + - name: server-certs + mountPath: /data/server-certs + {{- end }} + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + mountPath: /gcp-secrets + {{- end }} + {{- if (not (empty .Values.controlplane.customCAs)) }} + - name: custom-cas + # NOTE: /etc/ssl/certs already contains the system CA certs + # Let's use another known path https://go.dev/src/crypto/x509/root_linux.go + mountPath: /etc/pki/tls/certs + readOnly: true + {{- end }} + {{- if .Values.controlplane.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controlplane.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: config + projected: + sources: + - secret: + name: {{ include "chainloop.controlplane.fullname" . }} + - configMap: + name: {{ include "chainloop.controlplane.fullname" . }} + {{- if (not (empty .Values.controlplane.customCAs)) }} + - name: custom-cas + projected: + sources: + - secret: + name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas + {{- end }} + # required for the plugins to store the socket files + - name: tmp + emptyDir: {} + - name: jwt-cas-private-key + secret: + secretName: {{ include "chainloop.controlplane.fullname" . 
}}-jwt-cas + {{- if .Values.controlplane.tls.existingSecret }} + - name: server-certs + secret: + secretName: {{ .Values.controlplane.tls.existingSecret }} + {{- end }} + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + {{- end }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }} + - name: file-ca-cert + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca + {{- end }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }} + - name: ejbca-ca-client + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca + {{- end }} + {{- if .Values.controlplane.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/bitnami/chainloop/templates/controlplane/hpa.yaml b/bitnami/chainloop/templates/controlplane/hpa.yaml new file mode 100644 index 00000000000000..6e66ca01e7d8be --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/hpa.yaml 
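Review bot: The `migrate` init container runs `atlas migrate apply` with the database connection string from `db_migrate_source` but gets no `securityContext` and no `resources`, while the `controlplane` container in the same pod renders `controlplane.containerSecurityContext` and a resources preset; the hardened settings an operator enables therefore do not apply to the one container that holds write credentials to the database. I would render the same security context and resources on the init container. The `imagePullPolicy` also reuses `controlplane.image.pullPolicy` for the migration image, which is presumably unintended if the two images are pinned differently.

```yaml
        - name: migrate
          {{- if .Values.controlplane.containerSecurityContext.enabled }}
          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          image: {{ include "chainloop.controlplane.migration.image" . }}
          imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}
          {{- if .Values.controlplane.resources }}
          resources: {{- toYaml .Values.controlplane.resources | nindent 12 }}
          {{- else if ne .Values.controlplane.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.controlplane.resourcesPreset) | nindent 12 }}
          {{- end }}
          # … unchanged: command, args and CONNECTION_STRING env from the db_migrate_source key …
```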
@@ -0,0 +1,48 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.autoscaling.hpa.enabled }}
+apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )}}
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+ kind: Deployment
+ name: {{ include "common.names.fullname" . }}
+ minReplicas: {{ .Values.controlplane.autoscaling.hpa.minReplicas }}
+ maxReplicas: {{ .Values.controlplane.autoscaling.hpa.maxReplicas }}
+ metrics:
+ {{- if .Values.controlplane.autoscaling.hpa.targetMemory }}
+ - type: Resource
+ resource:
+ name: memory
+ {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+ targetAverageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetMemory }}
+ {{- else }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetMemory }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controlplane.autoscaling.hpa.targetCPU }}
+ - type: Resource
+ resource:
+ name: cpu
+ {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+ targetAverageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetCPU }}
+ {{- else }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetCPU }}
+ {{- end }}
+ {{- end }}
+{{- end }}
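Review bot: `scaleTargetRef.name` (and `metadata.name`) are rendered from `common.names.fullname`, while every other controlplane resource in this commit — the Services, Ingresses and Secrets — takes its name from `chainloop.controlplane.fullname`. If those two helpers can render differently, the HPA points at a Deployment that does not exist and silently never scales; the same helper pair appears in pdb.yaml and vpa.yaml. Either use `name: {{ include "chainloop.controlplane.fullname" . }}` for the target or add a comment above `scaleTargetRef:` stating why the two helpers are expected to agree. The controlplane Deployment's own name is not visible in this diff, so please confirm which helper it uses.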
diff --git a/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml b/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml
new file mode 100644
index 00000000000000..b0cf6b35ab02a9
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml
@@ -0,0 +1,65 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.ingressAPI.enabled }}
+{{- $fullName := printf "%s-%s" (include "chainloop.controlplane.fullname" .) "api" -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- if or .Values.controlplane.ingressAPI.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.controlplane.ingressAPI.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.ingressAPI.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if and .Values.controlplane.ingressAPI.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+ ingressClassName: {{ .Values.controlplane.ingressAPI.ingressClassName | quote }}
+ {{- end }}
+ rules:
+ {{- if .Values.controlplane.ingressAPI.hostname }}
+ - host: {{ .Values.controlplane.ingressAPI.hostname }}
+ http:
+ paths:
+ {{- if .Values.controlplane.ingressAPI.extraPaths }}
+ {{- toYaml .Values.controlplane.ingressAPI.extraPaths | nindent 10 }}
+ {{- end }}
+ - path: {{ .Values.controlplane.ingressAPI.path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}}
+ pathType: {{ .Values.controlplane.ingressAPI.pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- range .Values.controlplane.ingressAPI.extraHosts }}
+ - host: {{ .name | quote }}
+ http:
+ paths:
+ - path: {{ default "/" .path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+ pathType: {{ default "ImplementationSpecific" .pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if .Values.controlplane.ingressAPI.extraRules }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingressAPI.extraRules "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (and .Values.controlplane.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingressAPI.annotations )) .Values.controlplane.ingressAPI.selfSigned)) .Values.controlplane.ingressAPI.extraTls }}
+ tls:
+ {{- if and .Values.controlplane.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingressAPI.annotations )) .Values.controlplane.ingressAPI.selfSigned) }}
+ - hosts:
+ - {{ .Values.controlplane.ingressAPI.hostname | quote }}
+ secretName: {{ printf "%s-tls" .Values.controlplane.ingressAPI.hostname }}
+ {{- end }}
+ {{- if .Values.controlplane.ingressAPI.extraTls }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingressAPI.extraTls "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/ingress.yaml b/bitnami/chainloop/templates/controlplane/ingress.yaml
new file mode 100644
index 00000000000000..68c21a2104d925
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/ingress.yaml
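Review bot: The `tls:` stanza is only emitted when `ingressAPI.tls` is combined with a cert-manager annotation or `selfSigned`; with `tls: true` and neither of those, the Ingress is rendered with no `tls` block at all and the gRPC API is exposed without TLS unless the operator also fills `extraTls`. That is a non-obvious contract worth a comment right above the `{{- if or (and .Values.controlplane.ingressAPI.tls ...` line, e.g. `# tls is only rendered for cert-manager or self-signed certificates; bring your own secret via extraTls`; ingress.yaml has the same gating. A smaller point: `- host: {{ .Values.controlplane.ingressAPI.hostname }}` is unquoted while the extraHosts entry uses `| quote`; `- host: {{ .Values.controlplane.ingressAPI.hostname | quote }}` keeps the two consistent.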
@@ -0,0 +1,65 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.ingress.enabled }}
+{{- $fullName := include "chainloop.controlplane.fullname" . -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- if or .Values.controlplane.ingress.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.controlplane.ingress.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.ingress.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if and .Values.controlplane.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+ ingressClassName: {{ .Values.controlplane.ingress.ingressClassName | quote }}
+ {{- end }}
+ rules:
+ {{- if .Values.controlplane.ingress.hostname }}
+ - host: {{ .Values.controlplane.ingress.hostname }}
+ http:
+ paths:
+ {{- if .Values.controlplane.ingress.extraPaths }}
+ {{- toYaml .Values.controlplane.ingress.extraPaths | nindent 10 }}
+ {{- end }}
+ - path: {{ .Values.controlplane.ingress.path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}}
+ pathType: {{ .Values.controlplane.ingress.pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- range .Values.controlplane.ingress.extraHosts }}
+ - host: {{ .name | quote }}
+ http:
+ paths:
+ - path: {{ default "/" .path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+ pathType: {{ default "ImplementationSpecific" .pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if .Values.controlplane.ingress.extraRules }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingress.extraRules "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (and .Values.controlplane.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingress.annotations )) .Values.controlplane.ingress.selfSigned)) .Values.controlplane.ingress.extraTls }}
+ tls:
+ {{- if and .Values.controlplane.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingress.annotations )) .Values.controlplane.ingress.selfSigned) }}
+ - hosts:
+ - {{ .Values.controlplane.ingress.hostname | quote }}
+ secretName: {{ printf "%s-tls" .Values.controlplane.ingress.hostname }}
+ {{- end }}
+ {{- if .Values.controlplane.ingress.extraTls }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingress.extraTls "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/networkpolicy.yaml b/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
new file mode 100644
index 00000000000000..d1452093a9e75b
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
@@ -0,0 +1,74 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ printf "%s-controlplane" (include "common.names.fullname" .) }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: controlplane
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: controlplane
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.controlplane.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to other cluster pods
+ - ports:
+ - port: {{ .Values.controlplane.containerPorts.http }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.controlplane.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.controlplane.containerPorts.http }}
+ - port: {{ .Values.controlplane.containerPorts.grpc }}
+ - port: {{ 
.Values.controlplane.containerPorts.metrics }}
+ {{- if not .Values.controlplane.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ printf "%s-controlplane" (include "common.names.fullname" .) }}: "true"
+ {{- if .Values.controlplane.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.controlplane.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.controlplane.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.controlplane.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controlplane.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/pdb.yaml b/bitnami/chainloop/templates/controlplane/pdb.yaml
new file mode 100644
index 00000000000000..79af838e3dd97b
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/pdb.yaml
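Review bot: The restricted egress branch (`allowExternalEgress` false) permits only DNS and `containerPorts.http` towards pods matching `commonLabels`, yet secret-config.yaml in this same commit configures a pgx database `source` and OIDC settings for the controlplane, so neither the database port nor the OIDC issuer is reachable under this policy unless operators supply them through `extraEgress`. The database port is not visible in this diff, so I would at least add a comment above `# Allow outbound connections to other cluster pods` such as `# Database and OIDC egress are not covered here; add them via controlplane.networkPolicy.extraEgress`, or introduce a value for the database port and a matching rule. A second, hedged point: the `to:` podSelector is built from `.Values.commonLabels` alone, and if `common.labels.matchLabels` renders nothing for an empty customLabels map that selector matches every pod in the namespace — worth confirming against the helper.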
@@ -0,0 +1,26 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.pdb.enabled }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.controlplane.pdb.minAvailable }}
+ minAvailable: {{ .Values.controlplane.pdb.minAvailable }}
+ {{- end }}
+ {{- if or .Values.controlplane.pdb.maxUnavailable ( not .Values.controlplane.pdb.minAvailable ) }}
+ maxUnavailable: {{ .Values.controlplane.pdb.maxUnavailable | default 1 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/secret-config.yaml b/bitnami/chainloop/templates/controlplane/secret-config.yaml
new file mode 100644
index 00000000000000..62b9c78f17494c
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/secret-config.yaml
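Review bot: The PDB `selector.matchLabels` carries no `app.kubernetes.io/component: controlplane` entry, whereas the NetworkPolicy in this commit adds exactly that line under its `podSelector.matchLabels` and the dex Deployment's selector adds `app.kubernetes.io/component: dex`. If `common.labels.matchLabels` emits only the standard name/instance labels, this budget also covers the CAS and dex pods and `maxUnavailable: 1` is shared across components, which can block node drains in ways nobody intended. Add `app.kubernetes.io/component: controlplane` on the line after the `matchLabels:` include, at the indentation the NetworkPolicy uses.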
@@ -0,0 +1,69 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+{{- $hmacpass := include "common.secrets.passwords.manage" (dict "secret" (include "chainloop.controlplane.fullname" .) "key" "generated_jws_hmac_secret" "providedValues" (list "controlplane.auth.passphrase") "context" $) }}
+data:
+ # We store it also as a different key so it can be reused during upgrades by the common.secrets.passwords.manage helper
+ generated_jws_hmac_secret: {{ $hmacpass }}
+ db_migrate_source: {{include "controlplane.database.atlas_connection_string" . | b64enc | quote }}
+stringData:
+ {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
+ {{- fail "configuring sentry at the top level is no longer supported. 
Add the configuration to the controlplane section in the values.yaml file" }}
+ {{- end -}}
+ {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
+ config.observability.yaml: |
+ {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+ fileca.secret.yaml: |
+ {{- with .Values.controlplane.keylessSigning.fileCA }}
+ certificate_authority:
+ file_ca:
+ cert_path: "/ca_secrets/file_ca.cert"
+ key_path: "/ca_secrets/file_ca.key"
+ key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}"
+ {{- end }}
+ {{- end }}
+ {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+ ejbca.secret.yaml: |
+ {{- with .Values.controlplane.keylessSigning.ejbcaCA }}
+ certificate_authority:
+ ejbca_ca:
+ cert_path: "/ca_secrets/ejbca_client.cert"
+ key_path: "/ca_secrets/ejbca_client.key"
+ server_url: "{{- required "EJBCA server URL is mandatory" .serverURL }}"
+ certificate_profile_name: "{{- required "EJBCA certificate profile name is mandatory" .certProfileName }}"
+ end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}"
+ certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}"
+ {{- end }}
+ {{- end }}
+ config.secret.yaml: |
+ data:
+ database:
+ driver: pgx
+ source: {{include "controlplane.database.connection_string" . }}
+
+ credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}
+
+ auth:
+ oidc: {{- include "controlplane.oidc_settings" . 
| indent 4 }}
+
+ # HMAC key used to sign the JWTs generated by the controlplane
+ # The helper returns the base64 quoted value of the secret
+ # We need to remove the quotes and then decoding it so it's compatible with the stringData stanza
+ generated_jws_hmac_secret: {{ $hmacpass | replace "\"" "" | b64dec | quote }}
+
+ # Private key used to sign the JWTs meant to be consumed by the CAS
+ cas_robot_account_private_key_path: "/secrets/cas.private.key"
diff --git a/bitnami/chainloop/templates/controlplane/secret-customcas.yaml b/bitnami/chainloop/templates/controlplane/secret-customcas.yaml
new file mode 100644
index 00000000000000..a99c3f69cf53bb
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/secret-customcas.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $customCAs := .Values.controlplane.customCAs }}
+{{- if (not (empty $customCAs)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas
+ labels:
+ {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+data:
+ {{- range $index, $pem := $customCAs }}
+ custom-{{ $index }}.crt: {{ $pem | b64enc | quote }}
+ {{- end -}}
+{{- end -}}
diff --git a/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml b/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml
new file mode 100644
index 00000000000000..92350a017ac845
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml
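Review bot: The `fail` guard at the top of `stringData` tests `.Values.controlplane.sentry.enabled`, but its message says configuring sentry at the top level is unsupported, and the very next block renders `config.observability.yaml` under the identical condition — so that block is unreachable and any user who enables `controlplane.sentry` gets a render error instead of Sentry configuration. The guard presumably meant the top-level key, i.e. `{{- if and .Values.sentry .Values.sentry.enabled }}`; please confirm against values.yaml. Separately, `key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}"` and the EJBCA `server_url`/profile lines interpolate raw values inside hand-written double quotes, so a value containing `"` or `\` produces an invalid mounted YAML file at runtime; `key_pass: {{ required "FileCA keyPass is mandatory" .keyPass | quote }}` (and the same `| quote` for the EJBCA fields) escapes correctly.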
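Review bot: `metadata` in secret-customcas.yaml has no `namespace:` entry, while secret-config.yaml, the Services and the Ingresses in this commit all set `namespace: {{ include "common.names.namespace" . | quote }}`; the same omission is in secret-ejbca-ca.yaml, secret-file-ca.yaml, secret-gcp-secret-manager.yaml and secret-jwt-cas-private-key.yaml. When `common.names.namespace` resolves to something other than the release namespace, these Secrets are created in one namespace while the controlplane Deployment's volumes look for them in another, and the pods fail to start with a missing-secret error. Add `namespace: {{ include "common.names.namespace" . | quote }}` under `name:` in each of the five templates.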
@@ -0,0 +1,17 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca
+ labels:
+ {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+ ejbca_client.cert: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientCert | b64enc | quote }}
+ ejbca_client.key: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientKey | b64enc | quote }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml b/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml
new file mode 100644
index 00000000000000..dac8173f603432
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
+ labels:
+ {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+ file_ca.cert: {{ .Values.controlplane.keylessSigning.fileCA.cert | b64enc | quote }}
+ file_ca.key: {{ .Values.controlplane.keylessSigning.fileCA.key | b64enc | quote }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml b/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml
new file mode 100644
index 00000000000000..30462001ba44d8
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml
@@ -0,0 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
+ labels:
+ {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+ serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/secret-jwt-cas-private-key.yaml b/bitnami/chainloop/templates/controlplane/secret-jwt-cas-private-key.yaml
new file mode 100644
index 00000000000000..4250de865d0734
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/secret-jwt-cas-private-key.yaml
@@ -0,0 +1,14 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
+ labels:
+ {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+ cas.private.key: {{ include "chainloop.casjwt.private_key" . | b64enc | quote }}
diff --git a/bitnami/chainloop/templates/controlplane/service-account.yaml b/bitnami/chainloop/templates/controlplane/service-account.yaml
new file mode 100644
index 00000000000000..2973e245e7b27f
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/service-account.yaml
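Review bot: `serviceAccountKey.json` is rendered from `.Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc` with no `required`, so selecting the `gcpSecretManager` backend without supplying the key yields a Secret holding an empty file that the controlplane Deployment still mounts at `/gcp-secrets`, and the misconfiguration only surfaces when the process tries to authenticate. secret-config.yaml in this commit already uses `required` for the comparable keyless-signing inputs, so the same treatment here is consistent: `serviceAccountKey.json: {{ required "secretsBackend.gcpSecretManager.serviceAccountKey is mandatory when the gcpSecretManager backend is selected" .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }}`.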
@@ -0,0 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "controlplane.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- if or .Values.controlplane.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.controlplane.serviceAccount.automountServiceAccountToken }}
+ {{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/service-grpc.yaml b/bitnami/chainloop/templates/controlplane/service-grpc.yaml
new file mode 100644
index 00000000000000..5111ddd4be5f0c
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/service-grpc.yaml
@@ -0,0 +1,52 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}-api
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- if or .Values.controlplane.serviceAPI.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.serviceAPI.annotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.controlplane.serviceAPI.type }}
+ {{- if and .Values.controlplane.serviceAPI.clusterIP (eq .Values.controlplane.serviceAPI.type "ClusterIP") }}
+ clusterIP: {{ .Values.controlplane.serviceAPI.clusterIP }}
+ {{- end }}
+ {{- if .Values.controlplane.serviceAPI.sessionAffinity }}
+ sessionAffinity: {{ .Values.controlplane.serviceAPI.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.controlplane.serviceAPI.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.serviceAPI.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (eq .Values.controlplane.serviceAPI.type "NodePort") }}
+ externalTrafficPolicy: {{ .Values.controlplane.serviceAPI.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if and (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (not (empty .Values.controlplane.serviceAPI.loadBalancerSourceRanges)) }}
+ loadBalancerSourceRanges: {{ .Values.controlplane.serviceAPI.loadBalancerSourceRanges }}
+ {{- end }}
+ {{- if and (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (not (empty .Values.controlplane.serviceAPI.loadBalancerIP)) }}
+ loadBalancerIP: {{ 
.Values.controlplane.serviceAPI.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: grpc
+ {{- $port := coalesce .Values.controlplane.serviceAPI.port .Values.controlplane.serviceAPI.ports.http }}
+ port: {{ $port }}
+ {{- if not (eq $port .Values.controlplane.containerPorts.grpc) }}
+ targetPort: {{ .Values.controlplane.containerPorts.grpc }}
+ {{- end }}
+ protocol: TCP
+ {{- if and (or (eq .Values.controlplane.serviceAPI.type "NodePort") (eq .Values.controlplane.serviceAPI.type "LoadBalancer")) (not (empty .Values.controlplane.serviceAPI.nodePorts.http)) }}
+ nodePort: {{ .Values.controlplane.serviceAPI.nodePorts.http }}
+ {{- else if eq .Values.controlplane.serviceAPI.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.controlplane.serviceAPI.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.serviceAPI.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ selector: {{ include "chainloop.controlplane.selectorLabels" . | nindent 4 }}
diff --git a/bitnami/chainloop/templates/controlplane/service-http.yaml b/bitnami/chainloop/templates/controlplane/service-http.yaml
new file mode 100644
index 00000000000000..1b1a6ad67cb739
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/service-http.yaml
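Review bot: `loadBalancerSourceRanges: {{ .Values.controlplane.serviceAPI.loadBalancerSourceRanges }}` prints the Go slice as `[a b]`, which YAML reads as a flow sequence holding one space-separated scalar — with more than one CIDR the allow-list the operator configured collapses into a single invalid entry, which the API server is likely to reject, so the LoadBalancer either fails to create or is re-applied without the restriction; service-http.yaml has the same line. Render it as a proper list: `loadBalancerSourceRanges: {{- toYaml .Values.controlplane.serviceAPI.loadBalancerSourceRanges | nindent 4 }}`. Also, `$port` falls back to `serviceAPI.ports.http` and the NodePort to `nodePorts.http` for a port named `grpc` that targets `containerPorts.grpc`; if reusing the `http` key for the gRPC API is intentional, a one-line comment above the `{{- $port := coalesce ...` line saying so would save the next reader a detour.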
@@ -0,0 +1,53 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- if or .Values.controlplane.service.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.service.annotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.controlplane.service.type }}
+ {{- if and .Values.controlplane.service.clusterIP (eq .Values.controlplane.service.type "ClusterIP") }}
+ clusterIP: {{ .Values.controlplane.service.clusterIP }}
+ {{- end }}
+ {{- if .Values.controlplane.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.controlplane.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.controlplane.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (eq .Values.controlplane.service.type "LoadBalancer") (eq .Values.controlplane.service.type "NodePort") }}
+ externalTrafficPolicy: {{ .Values.controlplane.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if and (eq .Values.controlplane.service.type "LoadBalancer") (not (empty .Values.controlplane.service.loadBalancerSourceRanges)) }}
+ loadBalancerSourceRanges: {{ .Values.controlplane.service.loadBalancerSourceRanges }}
+ {{- end }}
+ {{- if and (eq .Values.controlplane.service.type "LoadBalancer") (not (empty .Values.controlplane.service.loadBalancerIP)) }}
+ loadBalancerIP: {{ .Values.controlplane.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ 
- name: http
+ {{- $port := coalesce .Values.controlplane.service.port .Values.controlplane.service.ports.http }}
+ port: {{ $port }}
+ {{- if not (eq $port .Values.controlplane.containerPorts.http) }}
+ targetPort: {{ .Values.controlplane.containerPorts.http }}
+ {{- end }}
+ protocol: TCP
+ {{- if and (or (eq .Values.controlplane.service.type "NodePort") (eq .Values.controlplane.service.type "LoadBalancer")) (not (empty .Values.controlplane.service.nodePorts.http)) }}
+ nodePort: {{ .Values.controlplane.service.nodePorts.http }}
+ {{- else if eq .Values.controlplane.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.controlplane.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) | fromYaml }}
+ selector: {{ include "chainloop.controlplane.selectorLabels" . | nindent 4 }}
diff --git a/bitnami/chainloop/templates/controlplane/vpa.yaml b/bitnami/chainloop/templates/controlplane/vpa.yaml
new file mode 100644
index 00000000000000..3b501856ed3558
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/vpa.yaml
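Review bot: `$podLabels` is assigned on the second-to-last line of the hunk (`{{- $podLabels := include "common.tplvalues.merge" ... | fromYaml }}`) but never read — the `selector` below takes `chainloop.controlplane.selectorLabels`, and the otherwise identical service-grpc.yaml has no such line. Either drop the `$podLabels` line or, if the selector was meant to incorporate `podLabels`, use it; leaving it in suggests a half-finished change to the next maintainer.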
@@ -0,0 +1,44 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.controlplane.autoscaling.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: controlplane
+ {{- if or .Values.controlplane.autoscaling.vpa.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ resourcePolicy:
+ containerPolicies:
+ - containerName: controlplane
+ {{- with .Values.controlplane.autoscaling.vpa.controlledResources }}
+ controlledResources:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controlplane.autoscaling.vpa.maxAllowed }}
+ maxAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controlplane.autoscaling.vpa.minAllowed }}
+ minAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+ kind: Deployment
+ name: {{ include "common.names.fullname" . }}
+ {{- if .Values.controlplane.autoscaling.vpa.updatePolicy }}
+ updatePolicy:
+ {{- with .Values.controlplane.autoscaling.vpa.updatePolicy.updateMode }}
+ updateMode: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/dex/deployment.yaml b/bitnami/chainloop/templates/dex/deployment.yaml
new file mode 100644
index 00000000000000..acd1971cb01bad
--- /dev/null
+++ b/bitnami/chainloop/templates/dex/deployment.yaml 
@@ -0,0 +1,195 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.development }} +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.dex.replicaCount }} + {{- if .Values.dex.updateStrategy }} + strategy: {{- toYaml .Values.dex.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: dex + template: + metadata: + {{- if .Values.dex.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: dex + spec: + serviceAccountName: {{ include "chainloop.dex.serviceAccountName" . 
}} + {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.dex.image) "context" $) | nindent 6 }} + automountServiceAccountToken: {{ .Values.dex.automountServiceAccountToken }} + {{- if .Values.dex.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.dex.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.dex.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dex.podAffinityPreset "component" "dex" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dex.podAntiAffinityPreset "component" "dex" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.dex.nodeAffinityPreset.type "key" .Values.dex.nodeAffinityPreset.key "values" .Values.dex.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.dex.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.dex.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.dex.schedulerName }} + schedulerName: {{ .Values.dex.schedulerName }} + {{- end }} + {{- if .Values.dex.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.dex.shareProcessNamespace }} + {{- end }} + {{- if .Values.dex.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.dex.topologySpreadConstraints "context" .) 
| nindent 8 }} + {{- end }} + {{- if .Values.dex.priorityClassName }} + priorityClassName: {{ .Values.dex.priorityClassName | quote }} + {{- end }} + {{- if .Values.dex.runtimeClassName }} + runtimeClassName: {{ .Values.dex.runtimeClassName }} + {{- end }} + {{- if .Values.dex.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dex.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + initContainers: + {{- if .Values.dex.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: dex + image: {{ include "chainloop.dex.image" . }} + imagePullPolicy: {{ .Values.dex.image.pullPolicy }} + {{- if .Values.dex.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.dex.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.dex.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dex.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.dex.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.dex.command "context" $) | nindent 12 }} + {{- else }} + command: + - /opt/bitnami/dex/bin/dex + - serve + {{- end }} + {{- if .Values.dex.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.dex.args "context" $) | nindent 12 }} + {{- else }} + args: + - /data/conf/config.yaml + {{- if .Values.dex.extraArgs }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraArgs "context" $) | nindent 12 }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.dex.containerPorts.http }} + protocol: TCP + - name: grpc + containerPort: {{ .Values.dex.containerPorts.grpc }} + protocol: TCP + - name: metrics + containerPort: {{ 
.Values.dex.containerPorts.metrics }} + protocol: TCP + env: + {{- if .Values.dex.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.dex.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.dex.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.dex.resources }} + resources: {{- toYaml .Values.dex.resources | nindent 12 }} + {{- else if ne .Values.dex.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.dex.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.dex.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.dex.startupProbe.enabled }} + startupProbe: + httpGet: + path: /dex/.well-known/openid-configuration + port: http + initialDelaySeconds: {{ .Values.dex.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dex.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.startupProbe.successThreshold }} + failureThreshold: {{ .Values.dex.startupProbe.failureThreshold }} + {{- end }} + {{- if .Values.dex.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.dex.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /dex/.well-known/openid-configuration + port: http + initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }} + timeoutSeconds: {{ 
.Values.dex.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.dex.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.dex.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.dex.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /dex/.well-known/openid-configuration + port: http + initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /shared + subPath: app-static-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: config + mountPath: /data/conf + {{- if .Values.dex.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.dex.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dex.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: config + secret: + secretName: {{ include "chainloop.dex.fullname" . }}-config + {{- if .Values.dex.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/dex/metrics-svc.yaml b/bitnami/chainloop/templates/dex/metrics-svc.yaml new file mode 100644 index 00000000000000..75ddd1101bd9e4 --- /dev/null +++ b/bitnami/chainloop/templates/dex/metrics-svc.yaml 
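Review bot: The `ports:` block declares `grpc` and `metrics` containerPorts, but the dex config this pod mounts from the `-config` Secret (secret.yaml in this change) defines only a `web.http` listener — no `grpc:` and no `telemetry:` section — so unless the image injects defaults I cannot see here, nothing listens on those two ports while the Service, metrics Service and NetworkPolicy all expose them. Either add matching `grpc:`/`telemetry:` blocks to the rendered config or drop the two ports and the objects built on them, so the published surface matches what actually listens. A comment on the block, `# grpc/metrics need matching grpc:/telemetry: sections in the dex config`, would keep the two files from drifting.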
@@ -0,0 +1,53 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.development .Values.dex.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.dex" . }}-metrics + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if or .Values.commonAnnotations .Values.dex.metrics.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.dex.metrics.service.type }} + {{- if and .Values.dex.metrics.service.clusterIP (eq .Values.dex.metrics.service.type "ClusterIP") }} + clusterIP: {{ .Values.dex.metrics.service.clusterIP }} + {{- end }} + {{- if (or (eq .Values.dex.metrics.service.type "LoadBalancer") (eq .Values.dex.metrics.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.dex.metrics.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if eq .Values.dex.metrics.service.type "LoadBalancer" }} + loadBalancerSourceRanges: {{ .Values.dex.metrics.service.loadBalancerSourceRanges }} + {{- end }} + {{- if (and (eq .Values.dex.metrics.service.type "LoadBalancer") (not (empty .Values.dex.metrics.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.dex.metrics.service.loadBalancerIP }} + {{- end }} + {{- if .Values.dex.metrics.service.sessionAffinity }} + 
sessionAffinity: {{ .Values.dex.metrics.service.sessionAffinity }} + {{- end }} + {{- if .Values.dex.metrics.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dex.metrics.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: metrics + port: {{ coalesce .Values.dex.metrics.service.port .Values.dex.metrics.service.ports.metrics }} + targetPort: metrics + protocol: TCP + {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty (coalesce .Values.dex.metrics.service.nodePort .Values.dex.metrics.service.nodePorts.metrics)))) }} + nodePort: {{ coalesce .Values.dex.metrics.service.nodePort .Values.dex.metrics.service.nodePorts.metrics }} + {{- else if eq .Values.dex.metrics.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex +{{- end }} diff --git a/bitnami/chainloop/templates/dex/networkpolicy.yaml b/bitnami/chainloop/templates/dex/networkpolicy.yaml new file mode 100644 index 00000000000000..678b2e1ba9bb2e --- /dev/null +++ b/bitnami/chainloop/templates/dex/networkpolicy.yaml 
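Review bot: The nodePort guard on the metrics port tests `.Values.dex.service.type` instead of `.Values.dex.metrics.service.type`, so a NodePort/LoadBalancer metrics service behind a ClusterIP main service never gets its configured nodePort, and a ClusterIP metrics service behind a NodePort main service renders a `nodePort` the API server rejects. Change the condition to `{{- if (and (or (eq .Values.dex.metrics.service.type "NodePort") (eq .Values.dex.metrics.service.type "LoadBalancer")) (not (empty (coalesce .Values.dex.metrics.service.nodePort .Values.dex.metrics.service.nodePorts.metrics)))) }}`. As far as I can tell `loadBalancerSourceRanges: {{ .Values.dex.metrics.service.loadBalancerSourceRanges }}` also prints the list in Go's `[a b]` form, which YAML reads as a single entry once there are two or more CIDRs; rendering it with `{{- toYaml .Values.dex.metrics.service.loadBalancerSourceRanges | nindent 4 }}` keeps the source-range restriction on a LoadBalancer metrics endpoint effective.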
@@ -0,0 +1,88 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.development .Values.dex.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: dex + policyTypes: + - Ingress + - Egress + {{- if .Values.dex.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow access to kube-apicontroller + {{- range $port := .Values.dex.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + # Allow outbound connections to repo server + - ports: + - port: {{ .Values.controlplane.containerPorts.grpc }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: repo-server + # Allow outbound connections to server + - ports: + - port: {{ .Values.controlplane.containerPorts.http }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + 
app.kubernetes.io/component: server + {{- if .Values.dex.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dex.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.dex.containerPorts.http }} + - port: {{ .Values.dex.containerPorts.grpc }} + - port: {{ .Values.dex.containerPorts.metrics }} + {{- if not .Values.dex.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ include "chainloop.dex" . }}-client: "true" + {{- if .Values.dex.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.dex.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.dex.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.dex.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.dex.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dex.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/dex/pdb.yaml b/bitnami/chainloop/templates/dex/pdb.yaml new file mode 100644 index 00000000000000..37ac53fee2c1c5 --- /dev/null +++ b/bitnami/chainloop/templates/dex/pdb.yaml 
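Review bot: The two egress rules commented "repo server" and "server" select pods labelled `app.kubernetes.io/component: repo-server` and `server`, labels no template in this chart sets (the components visible in this change are `controlplane`, `cas` and `dex`), so they look carried over from another chart and match nothing. If dex needs to reach the control plane on `.Values.controlplane.containerPorts.grpc`/`http`, point both selectors at `app.kubernetes.io/component: controlplane` and fix the comments; otherwise drop them, since dead allow rules make the policy harder to audit. Note also that with `allowExternal: false` the ingress rule still admits the `grpc` and `metrics` ports from every pod carrying the release labels, which should be a deliberate choice rather than a side effect of listing all three ports under one rule.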
@@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.development .Values.dex.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.dex.pdb.minAvailable }} + minAvailable: {{ .Values.dex.pdb.minAvailable }} + {{- end }} + {{- if or .Values.dex.pdb.maxUnavailable (not .Values.dex.pdb.minAvailable) }} + maxUnavailable: {{ .Values.dex.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.dex.podLabels .Values.commonLabels) "context" .) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: dex +{{- end }} diff --git a/bitnami/chainloop/templates/dex/role.yaml b/bitnami/chainloop/templates/dex/role.yaml new file mode 100644 index 00000000000000..5011e79ffa7a61 --- /dev/null +++ b/bitnami/chainloop/templates/dex/role.yaml 
@@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.development .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - get + - list + - watch +{{- end }} diff --git a/bitnami/chainloop/templates/dex/rolebinding.yaml b/bitnami/chainloop/templates/dex/rolebinding.yaml new file mode 100644 index 00000000000000..48a11198c867aa --- /dev/null +++ b/bitnami/chainloop/templates/dex/rolebinding.yaml 
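Review bot: The Role grants get/list/watch on every Secret and ConfigMap in the namespace, but the dex configuration rendered by this change uses `storage: type: memory` and reads its config from a mounted Secret, so as far as the visible templates show dex never needs the Kubernetes API at all. Namespace-wide `secrets` read lets a compromised dex pod read the controlplane, CAS and secrets-backend credentials that live alongside it; drop the `secrets` resource (and probably the whole rule), or gate it behind a value that is only enabled when a Kubernetes-backed dex storage is configured, and keep `automountServiceAccountToken` false by default. A comment such as `# dex with in-memory storage needs no API access; only needed for the kubernetes storage backend` would record the intent.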
@@ -0,0 +1,25 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.development .Values.dex.serviceAccount.create .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ include "chainloop.dex.serviceAccountName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "chainloop.dex" . }} +{{- end }} diff --git a/bitnami/chainloop/templates/dex/secret.yaml b/bitnami/chainloop/templates/dex/secret.yaml new file mode 100644 index 00000000000000..cb2f444d29d58c --- /dev/null +++ b/bitnami/chainloop/templates/dex/secret.yaml 
@@ -0,0 +1,44 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.development }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.dex.fullname" . }}-config + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +stringData: + config.yaml: | + issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.containerPorts.http }}/dex + + storage: + type: memory + + web: + http: 0.0.0.0:{{ .Values.dex.containerPorts.http }} + + staticClients: + - id: chainloop-dev + name: "Chainloop Dev" + secret: ZXhhbXBsZS1hcHAtc2VjcmV0 + redirectURIs: + - "http://0.0.0.0:8000/auth/callback" + - "http://localhost:8000/auth/callback" + {{ $controlPlaneUrl := include "chainloop.controlplane.external_url" . }} + {{- if not (eq $controlPlaneUrl "null") -}} + - "{{ $controlPlaneUrl }}/auth/callback" + {{- end -}} + + # required to enable static passwords + enablePasswordDB: true + + staticPasswords: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.staticUsers "context" $ ) | nindent 6 }} +{{- end }} diff --git a/bitnami/chainloop/templates/dex/service-account.yaml b/bitnami/chainloop/templates/dex/service-account.yaml new file mode 100644 index 00000000000000..0d5cfa5bfa955b --- /dev/null +++ b/bitnami/chainloop/templates/dex/service-account.yaml 
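Review bot: The static client ships with a fixed secret, `secret: ZXhhbXBsZS1hcHAtc2VjcmV0` (base64 of `example-app-secret`), embedded in the chart alongside `enablePasswordDB: true` and whatever `.Values.dex.staticUsers` defaults to, and the only guard is `.Values.development`, so anyone who flips that flag on a reachable cluster gets an OIDC client with a well-known secret. Even for a dev profile, source the secret from a value and generate it when unset (for example via `common.secrets.passwords.manage`, as other Bitnami charts do), and document in values.yaml that `staticUsers` must be overridden. Separately, `storage: type: memory` is per-pod, so with `dex.replicaCount` above 1 an auth request stored on one replica is unknown to the replica that receives the callback; either pin the development profile to a single replica or note the limitation next to that line.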
@@ -0,0 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.development .Values.dex.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "chainloop.dex.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if or .Values.dex.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.dex.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/bitnami/chainloop/templates/dex/service.yaml b/bitnami/chainloop/templates/dex/service.yaml new file mode 100644 index 00000000000000..c0e116e56473bb --- /dev/null +++ b/bitnami/chainloop/templates/dex/service.yaml 
@@ -0,0 +1,65 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.development }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if or .Values.commonAnnotations .Values.dex.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.dex.service.type }} + {{- if and .Values.dex.service.clusterIP (eq .Values.dex.service.type "ClusterIP") }} + clusterIP: {{ .Values.dex.service.clusterIP }} + {{- end }} + {{- if (or (eq .Values.dex.service.type "LoadBalancer") (eq .Values.dex.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.dex.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if eq .Values.dex.service.type "LoadBalancer" }} + loadBalancerSourceRanges: {{ .Values.dex.service.loadBalancerSourceRanges }} + {{- end }} + {{- if (and (eq .Values.dex.service.type "LoadBalancer") (not (empty .Values.dex.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.dex.service.loadBalancerIP }} + {{- end }} + {{- if .Values.dex.service.sessionAffinity }} + sessionAffinity: {{ .Values.dex.service.sessionAffinity }} + {{- end }} + {{- if .Values.dex.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include 
"common.tplvalues.render" (dict "value" .Values.dex.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: http + port: {{ .Values.dex.service.ports.http }} + targetPort: http + protocol: TCP + {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty .Values.dex.service.nodePorts.http))) }} + nodePort: {{ .Values.dex.service.nodePorts.http }} + {{- else if eq .Values.dex.service.type "ClusterIP" }} + nodePort: null + {{- end }} + - name: grpc + port: {{ .Values.dex.service.ports.grpc }} + targetPort: grpc + protocol: TCP + {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty .Values.dex.service.nodePorts.grpc))) }} + nodePort: {{ .Values.dex.service.nodePorts.grpc }} + {{- else if eq .Values.dex.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.dex.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex +{{- end }} diff --git a/bitnami/chainloop/templates/dex/servicemonitor.yaml b/bitnami/chainloop/templates/dex/servicemonitor.yaml new file mode 100644 index 00000000000000..1bca7af9de213c --- /dev/null +++ b/bitnami/chainloop/templates/dex/servicemonitor.yaml 
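Review bot: `loadBalancerSourceRanges: {{ .Values.dex.service.loadBalancerSourceRanges }}` renders the value with Go's default list formatting, which for two or more CIDRs gives `[a b]` and is read by YAML as one invalid entry, so a LoadBalancer dex Service fails to apply unless exactly one range is given — and this is the one setting that limits who can reach the login endpoint. Render it as `loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" .Values.dex.service.loadBalancerSourceRanges "context" $) | nindent 4 }}` (or `toYaml`), as the template already does for the other structured values. The Service also publishes a `grpc` port although the dex config rendered in this change defines only a `web.http` listener; confirm the image provides a gRPC listener by default or drop the port.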
@@ -0,0 +1,49 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.development .Values.dex.metrics.enabled .Values.dex.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ default include ( "common.names.namespace" . ) .Values.dex.metrics.serviceMonitor.namespace | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + {{- if .Values.dex.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.metrics.serviceMonitor.selector "context" $) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: dex + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ .Values.dex.metrics.serviceMonitor.jobLabel | quote }} + endpoints: + - port: http-metrics + path: /metrics + {{- if .Values.dex.metrics.serviceMonitor.interval }} + interval: {{ .Values.dex.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.dex.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.dex.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.dex.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.dex.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.dex.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 
8 }} + {{- end }} + {{- if .Values.dex.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "common.names.namespace" . }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: dex +{{- end }} + diff --git a/bitnami/chainloop/templates/extra-list.yaml b/bitnami/chainloop/templates/extra-list.yaml new file mode 100644 index 00000000000000..2dcd26f306bb8d --- /dev/null +++ b/bitnami/chainloop/templates/extra-list.yaml @@ -0,0 +1,9 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml new file mode 100644 index 00000000000000..637617043d2f2b --- /dev/null +++ b/bitnami/chainloop/values.yaml 
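Review bot: The `namespace:` expression `{{ default include ( "common.names.namespace" . ) .Values.dex.metrics.serviceMonitor.namespace | quote }}` is malformed — `include` is passed to `default` as a bare value and `( "common.names.namespace" . )` applies an argument to a string literal — so rendering fails as soon as `dex.metrics.serviceMonitor.enabled` is true. It should read `namespace: {{ default (include "common.names.namespace" .) .Values.dex.metrics.serviceMonitor.namespace | quote }}`. The endpoint also scrapes `port: http-metrics` while the metrics Service in this change names its port `metrics`, so even after the fix nothing would be scraped; align one of the two names.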
@@ -0,0 +1,2256 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## Default values for Chainloop Helm Chart + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto + +## @param development Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. 
It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases +## +development: false + +## @section Common parameters +## +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" + +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} + +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] + +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + +## @section Secrets Backend +## + +## Location where to store sensitive data. If development=true and no overrides are provided, the setup will connect to a development instance of Vault +## +secretsBackend: + ## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") + ## + backend: "vault" # "awsSecretManager | gcpSecretManager | azureKeyVault" + ## @param secretsBackend.secretPrefix Prefix that will be pre-pended to all secrets in the storage backend + ## + secretPrefix: "chainloop" + + ## @param secretsBackend.vault.address Vault address + ## @param secretsBackend.vault.token Vault authentication token + ## + vault: + address: "" + token: "" + + ## @param secretsBackend.awsSecretManager.accessKey AWS Access KEY ID + ## @param secretsBackend.awsSecretManager.secretKey AWS Secret Key + ## @param secretsBackend.awsSecretManager.region AWS Secrets Manager Region + ## + awsSecretManager: + accessKey: "" + secretKey: "" + region: "" + + ## @param secretsBackend.gcpSecretManager.projectId GCP Project ID + ## @param secretsBackend.gcpSecretManager.serviceAccountKey GCP Auth Key + 
## + gcpSecretManager: + projectId: "" + serviceAccountKey: "" + + ## @param secretsBackend.azureKeyVault.tenantID Active Directory Tenant ID + ## @param secretsBackend.azureKeyVault.clientID Registered application / service principal client ID + ## @param secretsBackend.azureKeyVault.clientSecret Service principal client secret + ## @param secretsBackend.azureKeyVault.vaultURI Azure Key Vault URL + ## + azureKeyVault: + tenantID: "" + clientID: "" + clientSecret: "" + vaultURI: "" + +## @section Authentication +## + +## ECDSA (ES512) key-pair used for Controlplane to; CAS Authentication +## The controlplane will use the private key to generate a JWT at user request +## The CAS will use the public key to verify the authenticity of that token +## If development=true is set, a development key will be configured automatically +## otherwise you'll need to provide new keys via .Values.casJWTPrivateKey and .Values.cas.casJWTPublicKey + +## @param casJWTPrivateKey ECDSA (ES512) private key used for Controlplane to CAS Authentication +## +## To generate one +## openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key +## casJWTPrivateKey: |- +## -----BEGIN EC PRIVATE KEY----- +## -----END EC PRIVATE KEY----- +## +casJWTPrivateKey: "" + +## @param casJWTPublicKey ECDSA (ES512) public key +## +# openssl ec -in private.ec.key -pubout -out public.pem +# casJWTPublicKey: | +# -----BEGIN PUBLIC KEY----- +# -----END PUBLIC KEY----- +casJWTPublicKey: "" + +## @section Control Plane +################################### +## CONTROL PLANE # +################################### +controlplane: + ## @param controlplane.replicaCount Number of replicas + replicaCount: 2 + + ## Bitnami Chainloop Controlplane image + ## ref: https://hub.docker.com/r/bitnami/chainloop-control-plane/tags/ + ## @param controlplane.image.registry [default: REGISTRY_NAME] image registry + ## @param controlplane.image.repository [default: REPOSITORY_NAME/chainloop-control-plane] image repository + ## 
@skip controlplane.image.tag image tag (immutable tags are recommended) + ## @param controlplane.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param controlplane.image.pullPolicy image pull policy + ## @param controlplane.image.pullSecrets image pull secrets + ## + image: + registry: docker.io + repository: bitnami/chainloop-control-plane + tag: 0.95.3-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [ ] + + ## @param controlplane.containerPorts.http controlplane HTTP container port + ## @param controlplane.containerPorts.grpc controlplane gRPC container port + ## @param controlplane.containerPorts.metrics controlplane prometheus metrics container port + ## + containerPorts: + http: 8000 + grpc: 9000 + metrics: 5000 + + ## + ## TLS configuration + ## + tls: + ## @param controlplane.tls.existingSecret Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. + ## NOTE: When it's set it will disable secret creation. 
+ ## + existingSecret: "" + + ## Use an existing configmap instead of creating a configmap with the specified parameters + ## @param controlplane.existingConfigMap + ## + existingConfigMap: "" + + ## @param controlplane.pluginsDir Directory where to look for plugins + pluginsDir: /plugins + + ## @extra controlplane.referrerSharedIndex Configure the shared, public index API endpoint that can be used to discover metadata referrers + ## @param controlplane.referrerSharedIndex.enabled Enable index API endpoint + ## @param controlplane.referrerSharedIndex.allowedOrgs List of UUIDs of organizations that are allowed to publish to the shared index + referrerSharedIndex: + enabled: false + allowedOrgs: [] + + ## @param controlplane.onboarding List of organizations to automatically onboard when a user logs in + ## e.g: + ## onboarding: + ## - name: "" + ## role: "" + onboarding: [] + + ## @param controlplane.prometheus_org_metrics List of organizations to expose metrics for using Prometheus + ## e.g.: + ## prometheus_org_metrics: + ## - org_name: "read-only-demo" + prometheus_org_metrics: [] + + # Database migration + ## @param controlplane.migration.ssl Connect to the database using SSL (required fro AWS RDS, etc) + ## @skip controlplane.migration.image.tag + migration: + ## Bitnami Chainloop Controlplane migration image + ## ref: https://hub.docker.com/r/bitnami/chainloop-control-plane-migrations/tags/ + ## @param controlplane.migration.image.registry [default: REGISTRY_NAME] image registry + ## @param controlplane.migration.image.repository [default: REPOSITORY_NAME/chainloop-control-plane-migrations] image repository + ## @skip controlplane.migration.image.tag image tag (immutable tags are recommended) + ## @param controlplane.migration.image.digest image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param controlplane.migration.image.pullPolicy image pull policy + ## @param controlplane.migration.image.pullSecrets image pull secrets + ## + image: + registry: docker.io + repository: bitnami/chainloop-control-plane-migrations + tag: 0.95.3-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [ ] + # Run the migration job forcing SSL, required in AWS RDS for PostgreSQL 15 + ssl: false + + ## ServiceAccount configuration for the Controlplane Migration + ## + ## @param controlplane.serviceAccount.create Specifies whether a ServiceAccount should be created + ## @param controlplane.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## @param controlplane.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. + ## @param controlplane.serviceAccount.automountServiceAccountToken Mount Service Account token in controlplane pods + serviceAccount: + create: true + annotations: {} + name: "" + automountServiceAccountToken: false + + ## @section Control Plane Database + + ## @extra controlplane.externalDatabase External PostgreSQL configuration. 
These values are only used when postgresql.enabled is set to false + ## @param controlplane.externalDatabase.host Database host + ## @param controlplane.externalDatabase.port Database port number + ## @param controlplane.externalDatabase.user Non-root username + ## @param controlplane.externalDatabase.database Database name + ## @param controlplane.externalDatabase.password Password for the non-root username + ## + externalDatabase: + host: "" + port: 5432 + user: "" + database: "" + password: "" + + ## @section Control Plane Authentication + auth: + ## @param controlplane.auth.passphrase Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation + ## + passphrase: "" + + ## @param controlplane.auth.oidc.url Full authentication path, it should match the issuer URL of the Identity provider (IDp) + ## @param controlplane.auth.oidc.clientID OIDC IDp clientID + ## @param controlplane.auth.oidc.clientSecret OIDC IDp clientSecret + ## @param controlplane.auth.oidc.loginURLOverride Optional OIDC login URL override, useful to point to custom login pages + ## @param controlplane.auth.oidc.externalURL Optional External URL for the controlplane to the outside world + oidc: + url: "" + clientID: "" + clientSecret: "" + loginURLOverride: "" + externalURL: "" + + ## @param controlplane.auth.allowList Content of the allow_list.yaml config file + ## @extra controlplane.auth.allowList.rules List of domains or emails to allow + ## @extra controlplane.auth.allowList.selectedRoutes List of selected routes to allow. If not set it applies to all routes + ## @extra controlplane.auth.allowList.customMessage Custom message to display when a user is not allowed + ## e.g. 
+ ## allowList: + ## rules: [] + ## selectedRoutes: [] + ## customMessage: "" + allowList: {} + + ## @section Control Plane Networking + service: + ## @param controlplane.service.type Service type + type: ClusterIP + + ## @param controlplane.service.ports.http controlplane service HTTP port + ## + ports: + http: 80 + ## Node ports to expose + ## @param controlplane.service.nodePorts.http Node port for HTTP + ## @param controlplane.service.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + https: "" + ## @param controlplane.service.clusterIP controlplane service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param controlplane.service.loadBalancerIP controlplane service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param controlplane.service.loadBalancerSourceRanges controlplane service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param controlplane.service.externalTrafficPolicy controlplane service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param controlplane.service.annotations Additional custom annotations for controlplane service + ## + annotations: {} + ## @param controlplane.service.extraPorts Extra ports to expose in controlplane service (normally used with the `sidecars` value) + ## + extraPorts: [] + ## @param controlplane.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: 
https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param controlplane.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + + serviceAPI: + ## @param controlplane.serviceAPI.type Service type + type: ClusterIP + + ## @param controlplane.serviceAPI.ports.http controlplane service HTTP port + ## @param controlplane.serviceAPI.ports.https controlplane service HTTPS port + ## + ports: + http: 80 + https: 443 + ## Node ports to expose + ## @param controlplane.serviceAPI.nodePorts.http Node port for HTTP + ## @param controlplane.serviceAPI.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + https: "" + ## @param controlplane.serviceAPI.clusterIP controlplane service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param controlplane.serviceAPI.loadBalancerIP controlplane service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param controlplane.serviceAPI.loadBalancerSourceRanges controlplane service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param controlplane.serviceAPI.externalTrafficPolicy controlplane service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @extra controlplane.serviceAPI.annotations Additional custom annotations for controlplane service + ## + annotations: + ## @skip 
controlplane.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme + traefik.ingress.kubernetes.io/service.serversscheme: h2c + ## @param controlplane.serviceAPI.extraPorts Extra ports to expose in controlplane service (normally used with the `sidecars` value) + ## + extraPorts: [] + ## @param controlplane.serviceAPI.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param controlplane.serviceAPI.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingress: + ## @param controlplane.ingress.enabled Enable ingress record generation for controlplane + ## + enabled: false + ## @param controlplane.ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param controlplane.ingress.hostname Default host for the ingress record + ## + hostname: cp.dev.local + ## @param controlplane.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param controlplane.ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param controlplane.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/controlplane.ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param controlplane.ingress.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}` + ## You can: + ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true` + ## + tls: false + ## @param controlplane.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param controlplane.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: cp.dev.local + ## path: / + ## + extraHosts: [] + ## @param controlplane.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param controlplane.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - cp.dev.local + ## secretName: cp.dev.local-tls + ## + extraTls: [] + ## @param controlplane.ingress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## 
NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: cp.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param controlplane.ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] + + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingressAPI: + ## @param controlplane.ingressAPI.enabled Enable ingress record generation for controlplane + ## + enabled: false + ## @param controlplane.ingressAPI.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param controlplane.ingressAPI.hostname Default host for the ingress record + ## + hostname: api.cp.dev.local + ## @param controlplane.ingressAPI.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param controlplane.ingressAPI.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @extra controlplane.ingressAPI.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/controlplane.ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: + ## @skip controlplane.ingressAPI.annotations.nginx.ingress.kubernetes.io/backend-protocol + ## Tell Nginx Ingress Controller to expect gRPC traffic + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + + ## @param controlplane.ingressAPI.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}` + ## You can: + ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true` + ## + tls: false + ## @param controlplane.ingressAPI.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param controlplane.ingressAPI.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: cp.dev.local + ## path: / + ## + extraHosts: [] + ## @param controlplane.ingressAPI.extraPaths An 
array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param controlplane.ingressAPI.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - cp.dev.local + ## secretName: cp.dev.local-tls + ## + extraTls: [] + ## @param controlplane.ingressAPI.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: cp.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... 
+ ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param controlplane.ingressAPI.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] + + ## @section Controlplane Misc + + ## Init container's resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param controlplane.resourcesPreset Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param controlplane.resources Set controlplane container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param controlplane.podSecurityContext.enabled Enable controlplane pods' Security Context + ## @param controlplane.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy for controlplane pods + ## @param controlplane.podSecurityContext.sysctls Set kernel settings using the sysctl interface for controlplane pods + ## @param controlplane.podSecurityContext.supplementalGroups Set filesystem extra groups for controlplane pods + ## @param controlplane.podSecurityContext.fsGroup Set 
fsGroup in controlplane pods' Security Context + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param controlplane.containerSecurityContext.enabled Enabled controlplane container' Security Context + ## @param controlplane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in controlplane container + ## @param controlplane.containerSecurityContext.runAsUser Set runAsUser in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.runAsGroup Set runAsGroup in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.runAsNonRoot Set runAsNonRoot in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.privileged Set privileged in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.capabilities.drop List of capabilities to be dropped in controlplane container + ## @param controlplane.containerSecurityContext.seccompProfile.type Set seccomp profile in controlplane container + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + + ## @param controlplane.sentry.enabled Enable sentry.io alerting + ## @param controlplane.sentry.dsn DSN 
endpoint + ## @param controlplane.sentry.environment Environment tag + sentry: + enabled: false + dsn: "" + environment: production + + ## @section Keyless signing configuration + + ## Configuration for keyless signing using one of the supported providers + ## @param controlplane.keylessSigning.enabled Activates or deactivates the feature + ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" and "ejbcaCA" are supported + ## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## @param controlplane.keylessSigning.fileCA.key The PEM-encoded private key of the file based CA + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## @param controlplane.keylessSigning.fileCA.keyPass The secret key pass + ## @param controlplane.keylessSigning.ejbcaCA.serverURL The url of the EJBCA service ("https://host/ejbca") + ## @param controlplane.keylessSigning.ejbcaCA.clientKey PEM-encoded the private key for EJBCA cert authentication + ## @param controlplane.keylessSigning.ejbcaCA.clientCert PEM-encoded certificate for EJBCA cert authentication + ## @param controlplane.keylessSigning.ejbcaCA.certProfileName Name of the certificate profile to use in EJBCA + ## @param controlplane.keylessSigning.ejbcaCA.endEntityProfileName Name of the Entity Profile to use in EJBCA + ## @param controlplane.keylessSigning.ejbcaCA.caName Name of the CA issuer to use in EJBCA + keylessSigning: + enabled: false + backend: fileCA + fileCA: + cert: "" + key: "" + keyPass: "" + ejbcaCA: + serverURL: "" + clientKey: "" + clientCert: "" + certProfileName: "" + endEntityProfileName: "" + caName: "" + + ## Inject custom CA certificates to the controlplane container + ## @param controlplane.customCAs List of custom CA certificates content + customCAs: [] + + ## @param controlplane.automountServiceAccountToken Mount Service 
Account token in controlplane pods + ## + automountServiceAccountToken: false + + ## @param controlplane.hostAliases controlplane pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + + ## @param controlplane.deploymentAnnotations Annotations for controlplane deployment + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + deploymentAnnotations: {} + + ## @param controlplane.podLabels Extra labels for controlplane pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + + ## @param controlplane.podAffinityPreset Pod affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param controlplane.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node controlplane.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + + ## Node controlplane.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param controlplane.nodeAffinityPreset.type Node affinity preset type. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param controlplane.nodeAffinityPreset.key Node label key to match. Ignored if `controlplane.affinity` is set + ## + key: "" + ## @param controlplane.nodeAffinityPreset.values Node label values to match. Ignored if `controlplane.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param controlplane.affinity Affinity for controlplane pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `controlplane.podAffinityPreset`, `controlplane.podAntiAffinityPreset`, and `controlplane.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param controlplane.nodeSelector Node labels for controlplane pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param controlplane.tolerations Tolerations for controlplane pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## @param controlplane.updateStrategy.type controlplane deployment strategy type + updateStrategy: + ## Can be set to RollingUpdate or Recreate + type: RollingUpdate + ## @param controlplane.priorityClassName controlplane pods' priorityClassName + ## + priorityClassName: "" + ## @param controlplane.topologySpreadConstraints Topology Spread Constraints for controlplane pod assignment spread across your cluster among failure-domains + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param controlplane.schedulerName Name of the k8s scheduler (other than default) for controlplane pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param controlplane.terminationGracePeriodSeconds Seconds controlplane pods need to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param controlplane.lifecycleHooks for controlplane containers to automate configuration before or after startup + ## + lifecycleHooks: {} + ## 
@param controlplane.extraEnvVars Array with extra environment variables to add to controlplane containers
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param controlplane.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for controlplane containers
+ ##
+ extraEnvVarsCM: ""
+ ## @param controlplane.extraEnvVarsSecret Name of existing Secret containing extra env vars for controlplane containers
+ ##
+ extraEnvVarsSecret: ""
+ ## @param controlplane.extraVolumes Optionally specify extra list of additional volumes for the controlplane pods
+ ##
+ extraVolumes: []
+ ## @param controlplane.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the controlplane containers
+ ##
+ extraVolumeMounts: []
+ ## @param controlplane.sidecars Add additional sidecar containers to the controlplane pods
+ ## e.g:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+
+ ## Controlplane Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param controlplane.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param controlplane.networkPolicy.allowExternal Don't require client label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the ports Web is listening
+ ## on. When true, Web will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param controlplane.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param controlplane.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: [ ]
+ ## @param controlplane.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: [ ]
+ ## @param controlplane.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param controlplane.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: { }
+ ingressNSPodMatchLabels: { }
+
+ ## @param controlplane.initContainers Add additional init containers to the controlplane pods
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ ## e.g:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## command: ['sh', '-c', 'echo "hello world"']
+ ##
+ initContainers: []
+ ## Autoscaling configuration
+ ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/
+ ##
+ autoscaling:
+ ## @param controlplane.autoscaling.vpa.enabled Enable VPA for %%MAIN_CONTAINER_NAME%% pods
+ ## @param controlplane.autoscaling.vpa.annotations Annotations for VPA resource
+ ## @param controlplane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control.
Defaults to cpu and memory
+ ## @param controlplane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
+ ## @param controlplane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
+ ##
+ vpa:
+ enabled: false
+ annotations: { }
+ controlledResources: [ ]
+ maxAllowed: { }
+ minAllowed: { }
+ ## @param controlplane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy
+ ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
+ ## Possible values are "Off", "Initial", "Recreate", and "Auto".
+ ##
+ updatePolicy:
+ updateMode: Auto
+
+ ## @param controlplane.autoscaling.hpa.enabled Enable HPA for controlplane pods
+ ## @param controlplane.autoscaling.hpa.minReplicas Minimum number of replicas
+ ## @param controlplane.autoscaling.hpa.maxReplicas Maximum number of replicas
+ ## @param controlplane.autoscaling.hpa.targetCPU Target CPU utilization percentage
+ ## @param controlplane.autoscaling.hpa.targetMemory Target Memory utilization percentage
+ ##
+ hpa:
+ enabled: false
+ minReplicas: ""
+ maxReplicas: ""
+ targetCPU: ""
+ targetMemory: ""
+
+ ## Pod disruption budget configuration
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ## @param controlplane.pdb.enabled Create Pod Disruption Budget for the controlplane component
+ ## @param controlplane.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget
+ ## @param controlplane.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget
+ ##
+ pdb:
+ enabled: false
+ minAvailable: ""
+ maxUnavailable: ""
+
+## @section Artifact Content Addressable (CAS) API
+##################################
+# Artifacts CAS #
+##################################
+cas:
+ ## @param cas.replicaCount Number of replicas
+ replicaCount: 2
+
+ ## Bitnami Chainloop Artifact CAS image
+ ## ref:
https://hub.docker.com/r/bitnami/chainloop-artifact-cas/tags/
+ ## @param cas.image.registry [default: REGISTRY_NAME] image registry
+ ## @param cas.image.repository [default: REPOSITORY_NAME/chainloop-artifact-cas] image repository
+ ## @skip cas.image.tag image tag (immutable tags are recommended)
+ ## @param cas.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param cas.image.pullPolicy image pull policy
+ ## @param cas.image.pullSecrets image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/chainloop-artifact-cas
+ tag: 0.95.3-debian-12-r0
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: [ ]
+
+ ## @param cas.containerPorts.http controlplane HTTP container port
+ ## @param cas.containerPorts.grpc controlplane gRPC container port
+ ## @param cas.containerPorts.metrics controlplane prometheus metrics container port
+ ##
+ containerPorts:
+ http: 8000
+ grpc: 9000
+ metrics: 5000
+
+ ##
+ ## TLS configuration
+ ##
+ tls:
+ ## @param cas.tls.existingSecret Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key.
+ ## NOTE: When it's set it will disable secret creation.
+ ##
+ existingSecret: ""
+
+ ## Use an existing configmap instead of creating a configmap with the specified parameters
+ ## @param cas.existingConfigMap
+ ##
+ existingConfigMap: ""
+
+ ## ServiceAccount configuration for the Controlplane Artifact CAS
+ ##
+ ## @param cas.serviceAccount.create Specifies whether a ServiceAccount should be created
+ ## @param cas.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+ ## @param cas.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
+ ## @param cas.serviceAccount.automountServiceAccountToken Mount Service Account token in controlplane pods
+ serviceAccount:
+ create: true
+ annotations: {}
+ name: ""
+ automountServiceAccountToken: false
+
+ ## @section CAS Networking
+ service:
+ ## @param cas.service.type Service type
+ type: ClusterIP
+
+ ## @param cas.service.ports.http cas service HTTP port
+ ## @param cas.service.ports.https cas service HTTPS port
+ ##
+ ports:
+ http: 80
+ https: 443
+ ## Node ports to expose
+ ## @param cas.service.nodePorts.http Node port for HTTP
+ ## @param cas.service.nodePorts.https Node port for HTTPS
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ http: ""
+ https: ""
+ ## @param cas.service.clusterIP cas service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param cas.service.loadBalancerIP cas service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param cas.service.loadBalancerSourceRanges cas service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param
cas.service.externalTrafficPolicy cas service external traffic policy
+ ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param cas.service.annotations Additional custom annotations for cas service
+ ##
+ annotations: {}
+ ## @param cas.service.extraPorts Extra ports to expose in cas service (normally used with the `sidecars` value)
+ ##
+ extraPorts: []
+ ## @param cas.service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param cas.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+
+ serviceAPI:
+ ## @param cas.serviceAPI.type Service type
+ type: ClusterIP
+
+ ## @param cas.serviceAPI.ports.http cas service HTTP port
+ ## @param cas.serviceAPI.ports.https cas service HTTPS port
+ ##
+ ports:
+ http: 80
+ https: 443
+ ## Node ports to expose
+ ## @param cas.serviceAPI.nodePorts.http Node port for HTTP
+ ## @param cas.serviceAPI.nodePorts.https Node port for HTTPS
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ http: ""
+ https: ""
+ ## @param cas.serviceAPI.clusterIP cas service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param cas.serviceAPI.loadBalancerIP cas service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param cas.serviceAPI.loadBalancerSourceRanges cas service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+
loadBalancerSourceRanges: []
+ ## @param cas.serviceAPI.externalTrafficPolicy cas service external traffic policy
+ ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @extra cas.serviceAPI.annotations Additional custom annotations for cas service
+ ##
+ annotations:
+ ## @skip cas.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme
+ traefik.ingress.kubernetes.io/service.serversscheme: h2c
+ ## @param cas.serviceAPI.extraPorts Extra ports to expose in cas service (normally used with the `sidecars` value)
+ ##
+ extraPorts: []
+ ## @param cas.serviceAPI.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param cas.serviceAPI.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+
+
+ ## ref: http://kubernetes.io/docs/user-guide/ingress/
+ ingress:
+ ## @param cas.ingress.enabled Enable ingress record generation for controlplane
+ ##
+ enabled: false
+ ## @param cas.ingress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param cas.ingress.hostname Default host for the ingress record
+ ##
+ hostname: cas.dev.local
+ ## @param cas.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param cas.ingress.path Default path for the ingress record
+ ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
+ ##
+ path: /
+ ## @param cas.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/cas.ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: {}
+ ## @param cas.ingress.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}`
+ ## You can:
+ ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true`
+ ##
+ tls: false
+ ## @param cas.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param cas.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: cp.dev.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param cas.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
+ ## e.g:
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param cas.ingress.extraTls TLS
configuration for additional hostname(s) to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## e.g:
+ ## extraTls:
+ ## - hosts:
+ ## - cp.dev.local
+ ## secretName: cp.dev.local-tls
+ ##
+ extraTls: []
+ ## @param cas.ingress.secrets Custom TLS certificates as secrets
+ ## NOTE: 'key' and 'certificate' are expected in PEM format
+ ## NOTE: 'name' should line up with a 'secretName' set further up
+ ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
+ ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## secrets:
+ ## - name: cp.dev.local-tls
+ ## key: |-
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ## ...
+ ## -----END RSA PRIVATE KEY-----
+ ## certificate: |-
+ ## -----BEGIN CERTIFICATE-----
+ ## ...
+ ## -----END CERTIFICATE-----
+ ##
+ secrets: []
+ ## @param cas.ingress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: example.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: example-svc
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+
+ ## ref: http://kubernetes.io/docs/user-guide/ingress/
+ ingressAPI:
+ ## @param cas.ingressAPI.enabled Enable ingress record generation for controlplane
+ ##
+ enabled: false
+ ## @param cas.ingressAPI.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param cas.ingressAPI.hostname Default host for the ingress record
+ ##
+ hostname: api.cas.dev.local
+ ## @param cas.ingressAPI.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param cas.ingressAPI.path Default path for the ingress record
+ ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
+ ##
+ path: /
+ ## @extra cas.ingressAPI.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/controlplane.ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations:
+ # Nginx Ingress settings
+ ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/proxy-body-size
+ # Limit file uploads/downloads to 100MB.
Alternatively you can disable this limitation by setting it to 0
+ # Even though we send data in chunks of 1MB, this size refers to all the data sent during the whole streaming session
+ nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+ ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/backend-protocol
+ ## Tell Nginx Ingress Controller to expect gRPC traffic
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+ ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/client-body-buffer-size
+ # Improve upload speed by adding client buffering used by http2 control-flows
+ # https://github.com/chainloop-dev/chainloop/issues/375
+ nginx.ingress.kubernetes.io/client-body-buffer-size: "3M"
+
+ ## @param cas.ingressAPI.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}`
+ ## You can:
+ ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true`
+ ##
+ tls: false
+ ## @param cas.ingressAPI.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param cas.ingressAPI.extraHosts An array with additional hostname(s) to be covered with the ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: cp.dev.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param cas.ingressAPI.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
+ ## e.g:
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param cas.ingressAPI.extraTls TLS configuration for additional
hostname(s) to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## e.g:
+ ## extraTls:
+ ## - hosts:
+ ## - cp.dev.local
+ ## secretName: cp.dev.local-tls
+ ##
+ extraTls: []
+ ## @param cas.ingressAPI.secrets Custom TLS certificates as secrets
+ ## NOTE: 'key' and 'certificate' are expected in PEM format
+ ## NOTE: 'name' should line up with a 'secretName' set further up
+ ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
+ ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## secrets:
+ ## - name: cp.dev.local-tls
+ ## key: |-
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ## ...
+ ## -----END RSA PRIVATE KEY-----
+ ## certificate: |-
+ ## -----BEGIN CERTIFICATE-----
+ ## ...
+ ## -----END CERTIFICATE-----
+ ##
+ secrets: []
+ ## @param cas.ingressAPI.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: example.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: example-svc
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+
+ ## @section CAS Misc
+ ## @param cas.sentry.enabled Enable sentry.io alerting
+ ## @param cas.sentry.dsn DSN endpoint
+ ## @param cas.sentry.environment Environment tag
+ sentry:
+ enabled: false
+ dsn: ""
+ environment: production
+
+ ## Inject custom CA certificates to the CAS container
+ ## @param cas.customCAs List of custom CA certificates content
+ customCAs: []
+
+ ## Init container's resource requests and limits
+ ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param cas.resourcesPreset Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "micro"
+ ## @param cas.resources Set cas container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param cas.podSecurityContext.enabled Enable cas pods' Security Context
+ ## @param cas.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy for cas pods
+ ## @param cas.podSecurityContext.sysctls Set kernel settings using the sysctl interface for cas pods
+ ## @param cas.podSecurityContext.supplementalGroups Set filesystem extra groups for cas pods
+ ## @param cas.podSecurityContext.fsGroup Set fsGroup in cas pods' Security Context
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param cas.containerSecurityContext.enabled Enabled cas container' Security Context
+ ## @param cas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in cas container
+ ## @param cas.containerSecurityContext.runAsUser Set runAsUser in cas container' Security Context
+ ## @param cas.containerSecurityContext.runAsGroup Set runAsGroup in cas container' Security Context
+ ## @param cas.containerSecurityContext.runAsNonRoot Set runAsNonRoot in cas container' Security Context
+ ## @param cas.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in cas container' Security Context
+ ## @param
cas.containerSecurityContext.privileged Set privileged in cas container' Security Context
+ ## @param cas.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in cas container' Security Context
+ ## @param cas.containerSecurityContext.capabilities.drop List of capabilities to be dropped in cas container
+ ## @param cas.containerSecurityContext.seccompProfile.type Set seccomp profile in cas container
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+
+ ## @param cas.automountServiceAccountToken Mount Service Account token in cas pods
+ ##
+ automountServiceAccountToken: false
+
+ ## @param cas.hostAliases cas pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+
+ ## @param cas.deploymentAnnotations Annotations for cas deployment
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ deploymentAnnotations: {}
+
+ ## @param cas.podLabels Extra labels for cas pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+
+ ## @param cas.podAffinityPreset Pod affinity preset. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param cas.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `cas.affinity` is set.
Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node cas.affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+
+ ## Node cas.affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param cas.nodeAffinityPreset.type Node affinity preset type. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param cas.nodeAffinityPreset.key Node label key to match. Ignored if `cas.affinity` is set
+ ##
+ key: ""
+ ## @param cas.nodeAffinityPreset.values Node label values to match. Ignored if `cas.affinity` is set
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param cas.affinity Affinity for cas pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## NOTE: `cas.podAffinityPreset`, `cas.podAntiAffinityPreset`, and `cas.nodeAffinityPreset` will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param cas.nodeSelector Node labels for cas pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param cas.tolerations Tolerations for cas pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+
+ ## @param cas.updateStrategy.type cas deployment strategy type
+ updateStrategy:
+ ## Can be set to RollingUpdate or Recreate
+ type: RollingUpdate
+ ## @param cas.priorityClassName cas pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param cas.topologySpreadConstraints Topology Spread Constraints for cas pod assignment spread across your cluster among failure-domains
+ ## Ref:
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: []
+ ## @param cas.schedulerName Name of the k8s scheduler (other than default) for cas pods
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param cas.terminationGracePeriodSeconds Seconds cas pods need to terminate gracefully
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+ ##
+ terminationGracePeriodSeconds: ""
+ ## @param cas.lifecycleHooks for cas containers to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param cas.extraEnvVars Array with extra environment variables to add to cas containers
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param cas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for cas containers
+ ##
+ extraEnvVarsCM: ""
+ ## @param cas.extraEnvVarsSecret Name of existing Secret containing extra env vars for cas containers
+ ##
+ extraEnvVarsSecret: ""
+ ## @param cas.extraVolumes Optionally specify extra list of additional volumes for the cas pods
+ ##
+ extraVolumes: []
+ ## @param cas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the cas containers
+ ##
+ extraVolumeMounts: []
+ ## @param cas.sidecars Add additional sidecar containers to the cas pods
+ ## e.g:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+
+ ## Web Network Policies
+ ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ ##
+ networkPolicy:
+ ## @param cas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param cas.networkPolicy.allowExternal Don't require client label for
connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the ports Web is listening
+ ## on. When true, Web will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param cas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param cas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: [ ]
+ ## @param cas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: [ ]
+ ## @param cas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param cas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: { }
+ ingressNSPodMatchLabels: { }
+
+ ## @param cas.initContainers Add additional init containers to the cas pods
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ ## e.g:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## command: ['sh', '-c', 'echo "hello world"']
+ ##
+ initContainers: []
+ ## Autoscaling configuration
+ ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/
+ ##
+ autoscaling:
+ ## @param cas.autoscaling.vpa.enabled Enable VPA for
%%MAIN_CONTAINER_NAME%% pods + ## @param cas.autoscaling.vpa.annotations Annotations for VPA resource + ## @param cas.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + ## @param cas.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod + ## @param cas.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod + ## + vpa: + enabled: false + annotations: { } + controlledResources: [ ] + maxAllowed: { } + minAllowed: { } + ## @param cas.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy + ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod + ## Possible values are "Off", "Initial", "Recreate", and "Auto". + ## + updatePolicy: + updateMode: Auto + + ## @param cas.autoscaling.hpa.enabled Enable HPA for cas pods + ## @param cas.autoscaling.hpa.minReplicas Minimum number of replicas + ## @param cas.autoscaling.hpa.maxReplicas Maximum number of replicas + ## @param cas.autoscaling.hpa.targetCPU Target CPU utilization percentage + ## @param cas.autoscaling.hpa.targetMemory Target Memory utilization percentage + ## + hpa: + enabled: false + minReplicas: "" + maxReplicas: "" + targetCPU: "" + targetMemory: "" + + ## Pod disruption budget configuration + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## @param cas.pdb.enabled Create Pod Disruption Budget for the cas component + ## @param cas.pdb.minAvailable Sets the min number of pods available for the Pod Disruption Budget + ## @param cas.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget + ## + pdb: + enabled: false + minAvailable: "" + maxUnavailable: "" + + +## @section Dependencies +# ################################## +# # Dependencies # +################################## + +## PostgreSQL chart configuration +## ref: 
https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user +## @param postgresql.auth.username Name for a custom user to create +## @param postgresql.auth.password Password for the custom user to create +## @param postgresql.auth.database Name for a custom database to create +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +postgresql: + enabled: true + auth: + enablePostgresUser: false + username: "chainloop" + password: "chainlooppwd" + database: "chainloop-cp" + existingSecret: "" + +# Vault server running in development mode --set development=true +# IMPORTANT: This is not meant to run in production + +## Bitnami Hashicorp Vault chart configuration +## ref: https://github.com/bitnami/charts/blob/main/bitnami/vault/values.yaml +## @param vault.server.args Arguments to pass to the vault server. This is useful for setting the server in development mode +## @param vault.server.config Configuration for the vault server. Small override of default Bitnami configuration +## @param vault.server.extraEnvVars[0].name Root token for the vault server +## @param vault.server.extraEnvVars[0].value The value of the root token. Default: notasecret +## @param vault.server.extraEnvVars[1].name Address to listen on development mode +## @param vault.server.extraEnvVars[1].value The address to listen on. 
Default: [::]:8200 +vault: + server: + args: [ + "server", + "-dev" + ] + extraEnvVars: + - name: VAULT_DEV_ROOT_TOKEN_ID + value: "notasecret" + - name: VAULT_DEV_LISTEN_ADDRESS + value: "[::]:8200" + config: "storage \"inmem\" {}\ndisable_mlock = true\nui = true\nservice_registration \"kubernetes\" {}" + +# IMPORTANT: This is not meant to run in production +# Dex server +## Dex configuration running in development mode --set development=true +## +dex: + ## Bitnami Dex image + ## @skip dex.staticUsers[0].email + ## @skip dex.staticUsers[0].hash + ## @skip dex.staticUsers[1].email + ## @skip dex.staticUsers[1].hash + staticUsers: + - email: "john@chainloop.local" + # password: "password" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "sarah@chainloop.local" + # password: "password" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + ## @param dex.image.registry [default: REGISTRY_NAME] Dex image registry + ## @param dex.image.repository [default: REPOSITORY_NAME/dex] Dex image repository + ## @skip dex.image.tag Dex image tag (immutable tags are recommended) + ## @param dex.image.pullPolicy Dex image pull policy + ## @param dex.image.pullSecrets Dex image pull secrets + ## @param dex.image.debug Enable Dex image debug mode + ## + image: + registry: docker.io + repository: bitnami/dex + tag: 2.40.0-debian-12-r1 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param dex.replicaCount Number of Dex replicas to deploy + ## + replicaCount: 1 + ## Configure extra options for Dex containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param dex.startupProbe.enabled Enable startupProbe on Dex nodes + ## @param dex.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param dex.startupProbe.periodSeconds Period seconds for startupProbe + ## @param dex.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param dex.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param dex.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.livenessProbe.enabled Enable livenessProbe on Dex nodes + ## @param dex.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param dex.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param dex.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param dex.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param dex.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.readinessProbe.enabled Enable readinessProbe on Dex nodes + ## @param dex.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param dex.readinessProbe.periodSeconds Period seconds for 
readinessProbe + ## @param dex.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param dex.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param dex.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param dex.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param dex.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Dex resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param dex.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param dex.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.podSecurityContext.enabled Enabled Dex pods' Security Context + ## @param dex.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param dex.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param dex.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param dex.podSecurityContext.fsGroup Set Dex pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.containerSecurityContext.enabled Enabled Dex containers' Security Context + ## @param dex.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param dex.containerSecurityContext.runAsUser Set Dex containers' Security Context runAsUser + ## @param dex.containerSecurityContext.runAsGroup Set Dex containers' Security Context runAsGroup + ## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation + ## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem + ## @param 
dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot + ## @param dex.containerSecurityContext.capabilities.drop Set Chainloop containers' Security Context capabilities to be dropped + ## @param dex.containerSecurityContext.privileged Set dex container's Security Context privileged + ## @param dex.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Dex service parameters + ## + service: + ## @param dex.service.type Dex service type + ## + type: ClusterIP + ## @param dex.service.ports.http Dex HTTP service port + ## @param dex.service.ports.grpc Dex grpc service port + ## + ports: + http: 5556 + grpc: 5557 + ## Node ports to expose + ## @param dex.service.nodePorts.http HTTP node port for the Dex service + ## @param dex.service.nodePorts.grpc gRPC node port for the Dex service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + grpc: "" + ## @param dex.service.clusterIP Dex service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param dex.service.loadBalancerIP Dex service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param dex.service.loadBalancerSourceRanges Dex service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param dex.service.externalTrafficPolicy Dex service external traffic policy + ## ref 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param dex.service.annotations Additional custom annotations for Dex service + ## + annotations: {} + ## @param dex.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param dex.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param dex.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param dex.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param dex.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param dex.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param dex.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param dex.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param dex.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param dex.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param dex.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## Dex container ports + ## @param dex.containerPorts.http Dex container HTTP port + ## @param dex.containerPorts.grpc Dex gRPC port + ## @param dex.containerPorts.metrics Dex metrics port + ## + containerPorts: + http: 5556 + grpc: 5557 + metrics: 5558 + ## Metrics configuration for Dex + ## + metrics: + ## Enable metrics for Chainloop Dex + ## @param dex.metrics.enabled Enable metrics service for Dex + ## + enabled: false + service: + ## @param dex.metrics.service.type Dex service type + ## + type: ClusterIP + ## @param dex.metrics.service.ports.metrics Dex metrics service port + ## + ports: + metrics: 5558 + ## Node ports to expose + ## @param dex.metrics.service.nodePorts.metrics Node port for the 
Dex service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param dex.metrics.service.clusterIP Dex service metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param dex.metrics.service.loadBalancerIP Dex service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param dex.metrics.service.loadBalancerSourceRanges Dex service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param dex.metrics.service.externalTrafficPolicy Dex service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param dex.metrics.service.annotations Additional custom annotations for Dex service + ## + annotations: {} + ## @param dex.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param dex.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Dex metrics service monitor configuration + ## + serviceMonitor: + ## @param dex.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param dex.metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## e.g: + ## namespace: monitoring + 
## + namespace: "" + ## @param dex.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param dex.metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + ## @param dex.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: 10s + ## @param dex.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param dex.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param dex.metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param dex.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## ServiceAccount configuration for the Dex + ## + serviceAccount: + ## @param dex.serviceAccount.create Specifies whether a ServiceAccount should be created for Dex + ## + create: true + ## @param dex.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param dex.serviceAccount.automountServiceAccountToken Automount service account token for the Dex service account + ## + automountServiceAccountToken: false + ## @param dex.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## @param dex.command Override default container command (useful when using custom images) + ## + command: [] + ## @param dex.args Override default container args (useful when using custom images) + ## + args: [] + ## @param dex.extraArgs Add extra args to the default args for Dex + ## + extraArgs: [] + ## @param dex.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: true + ## @param dex.hostAliases Dex pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param dex.podLabels Extra labels for Dex pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param dex.podAnnotations Annotations for Dex pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param dex.podAffinityPreset Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param dex.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `dex.affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node dex.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param dex.nodeAffinityPreset.type Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param dex.nodeAffinityPreset.key Node label key to match. Ignored if `dex.affinity` is set + ## + key: "" + ## @param dex.nodeAffinityPreset.values Node label values to match. Ignored if `dex.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param dex.affinity Affinity for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `dex.podAffinityPreset`, `dex.podAntiAffinityPreset`, and `dex.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param dex.nodeSelector Node labels for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param dex.tolerations Tolerations for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param dex.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param dex.shareProcessNamespace Enable shared process namespace in a pod. + ## If set to false (default), each container will run in separate namespace, dex will have PID=1. + ## If set to true, the /pause will run as init process and will reap any zombie PIDs, + ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. 
+ ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param dex.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param dex.updateStrategy.type Dex statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param dex.priorityClassName Dex pods' priorityClassName + ## + priorityClassName: "" + ## @param dex.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param dex.lifecycleHooks for the Dex container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param dex.extraEnvVars Array with extra environment variables to add to Dex nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param dex.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Dex nodes + ## + extraEnvVarsCM: "" + ## @param dex.extraEnvVarsSecret Name of existing Secret containing extra env vars for Dex nodes + ## + extraEnvVarsSecret: "" + ## @param dex.extraVolumes Optionally specify extra list of additional volumes for the Dex pod(s) + ## + extraVolumes: [] + ## @param dex.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Dex container(s) + ## + extraVolumeMounts: [] + ## @param dex.sidecars Add additional sidecar containers to the Dex pod(s) + ## e.g: + ## sidecars: + ## - name: 
your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param dex.initContainers Add additional init containers to the Dex pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param dex.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param dex.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param dex.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: ""