From 1a56936e72956735d74b93b553b9c5ac084ac88d Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Tue, 11 Jun 2024 15:08:10 +0200 Subject: [PATCH 01/37] New chart: Chainloop 
Signed-off-by: Javier Rodriguez --- .vib/chainloop/ginkgo/chainloop_suite_test.go | 74 ++ .vib/chainloop/ginkgo/chainloop_test.go | 129 +++ .vib/chainloop/ginkgo/go.mod | 57 ++ .vib/chainloop/ginkgo/go.sum | 160 ++++ .vib/chainloop/runtime-parameters.yaml | 7 + .vib/chainloop/vib-verify.json | 32 + bitnami/chainloop/.helmignore | 23 + bitnami/chainloop/Chart.lock | 12 + bitnami/chainloop/Chart.yaml | 27 + bitnami/chainloop/LICENSE.md | 201 +++++ bitnami/chainloop/README.md | 667 ++++++++++++++ bitnami/chainloop/templates/NOTES.txt | 47 + bitnami/chainloop/templates/_helpers.tpl | 412 +++++++++ .../templates/cas/config.configmap.yaml | 25 + .../templates/cas/config.secret.yaml | 19 + .../chainloop/templates/cas/deployment.yaml | 89 ++ .../cas/gcp_secret_manager.secret.yaml | 11 + .../templates/cas/gke_monitoring.yaml | 13 + bitnami/chainloop/templates/cas/hpa.yaml | 40 + bitnami/chainloop/templates/cas/ingress.yaml | 60 ++ .../chainloop/templates/cas/ingress_grpc.yaml | 60 ++ .../templates/cas/jwt_public_key.secret.yaml | 9 + .../chainloop/templates/cas/service_grpc.yaml | 20 + .../chainloop/templates/cas/service_http.yaml | 19 + .../templates/cas/serviceaccount.yaml | 12 + .../controlplane/config.configmap.yaml | 44 + .../templates/controlplane/config.secret.yaml | 58 ++ .../templates/controlplane/deployment.yaml | 122 +++ .../controlplane/deployment_sqlproxy.yaml | 61 ++ .../controlplane/file_ca.secret.yaml | 17 + .../gcp_secret_manager.secret.yaml | 16 + .../controlplane/gke_monitoring.yaml | 18 + .../chainloop/templates/controlplane/hpa.yaml | 45 + .../templates/controlplane/ingress.yaml | 65 ++ .../templates/controlplane/ingress_grpc.yaml | 65 ++ .../jwt_cas_private_key.secret.yaml | 14 + .../templates/controlplane/service_grpc.yaml | 25 + .../templates/controlplane/service_http.yaml | 24 + .../controlplane/service_sql-proxy.yaml | 22 + .../controlplane/serviceaccount.yaml | 17 + bitnami/chainloop/values.yaml | 840 ++++++++++++++++++ 41 files changed, 3678 
insertions(+) create mode 100644 .vib/chainloop/ginkgo/chainloop_suite_test.go create mode 100644 .vib/chainloop/ginkgo/chainloop_test.go create mode 100644 .vib/chainloop/ginkgo/go.mod create mode 100644 .vib/chainloop/ginkgo/go.sum create mode 100644 .vib/chainloop/runtime-parameters.yaml create mode 100644 .vib/chainloop/vib-verify.json create mode 100644 bitnami/chainloop/.helmignore create mode 100644 bitnami/chainloop/Chart.lock create mode 100644 bitnami/chainloop/Chart.yaml create mode 100644 bitnami/chainloop/LICENSE.md create mode 100644 bitnami/chainloop/README.md create mode 100644 bitnami/chainloop/templates/NOTES.txt create mode 100644 bitnami/chainloop/templates/_helpers.tpl create mode 100644 bitnami/chainloop/templates/cas/config.configmap.yaml create mode 100644 bitnami/chainloop/templates/cas/config.secret.yaml create mode 100644 bitnami/chainloop/templates/cas/deployment.yaml create mode 100644 bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml create mode 100644 bitnami/chainloop/templates/cas/gke_monitoring.yaml create mode 100644 bitnami/chainloop/templates/cas/hpa.yaml create mode 100644 bitnami/chainloop/templates/cas/ingress.yaml create mode 100644 bitnami/chainloop/templates/cas/ingress_grpc.yaml create mode 100644 bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml create mode 100644 bitnami/chainloop/templates/cas/service_grpc.yaml create mode 100644 bitnami/chainloop/templates/cas/service_http.yaml create mode 100644 bitnami/chainloop/templates/cas/serviceaccount.yaml create mode 100644 bitnami/chainloop/templates/controlplane/config.configmap.yaml create mode 100644 bitnami/chainloop/templates/controlplane/config.secret.yaml create mode 100644 bitnami/chainloop/templates/controlplane/deployment.yaml create mode 100644 bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml create mode 100644 bitnami/chainloop/templates/controlplane/file_ca.secret.yaml create mode 100644 
bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml create mode 100644 bitnami/chainloop/templates/controlplane/gke_monitoring.yaml create mode 100644 bitnami/chainloop/templates/controlplane/hpa.yaml create mode 100644 bitnami/chainloop/templates/controlplane/ingress.yaml create mode 100644 bitnami/chainloop/templates/controlplane/ingress_grpc.yaml create mode 100644 bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml create mode 100644 bitnami/chainloop/templates/controlplane/service_grpc.yaml create mode 100644 bitnami/chainloop/templates/controlplane/service_http.yaml create mode 100644 bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml create mode 100644 bitnami/chainloop/templates/controlplane/serviceaccount.yaml create mode 100644 bitnami/chainloop/values.yaml diff --git a/.vib/chainloop/ginkgo/chainloop_suite_test.go b/.vib/chainloop/ginkgo/chainloop_suite_test.go new file mode 100644 index 00000000000000..af04d87bfeab54 --- /dev/null +++ b/.vib/chainloop/ginkgo/chainloop_suite_test.go 
@@ -0,0 +1,74 @@
+package chainloop_test
+
+import (
+ "context"
+ "flag"
+ "testing"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ batchv1 "k8s.io/api/batch/v1"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+)
+
+var (
+ kubeconfig string
+ releaseName string
+ namespace string
+ timeoutSeconds int
+)
+
+func init() {
+ flag.StringVar(&kubeconfig, "kubeconfig", "", "absolute path to the kubeconfig file")
+ flag.StringVar(&releaseName, "name", "", "name of the primary statefulset")
+ flag.StringVar(&namespace, "namespace", "", "namespace where the application is running")
+ flag.IntVar(&timeoutSeconds, "timeout", 180, "timeout in seconds")
+}
+
+func TestChainloop(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Chainloop Persistence Test Suite")
+}
+
+func createJob(ctx context.Context, c kubernetes.Interface, name, image string) error {
+ securityContext := &v1.SecurityContext{
+ Privileged: &[]bool{false}[0],
+ AllowPrivilegeEscalation: &[]bool{false}[0],
+ RunAsNonRoot: &[]bool{true}[0],
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
+ SeccompProfile: &v1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
+ }
+ job := &batchv1.Job{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ },
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Job",
+ },
+ Spec: batchv1.JobSpec{
+ Template: v1.PodTemplateSpec{
+ Spec: v1.PodSpec{
+ RestartPolicy: "Never",
+ Containers: []v1.Container{
+ {
+ Name: "chainloop-cli",
+ Image: image,
+ Command: []string{"chainloop", "version"},
+ SecurityContext: securityContext,
+ },
+ },
+ },
+ },
+ },
+ }
+
+ _, err := c.BatchV1().Jobs(namespace).Create(ctx, job, metav1.CreateOptions{})
+
+ return err
+}
diff --git a/.vib/chainloop/ginkgo/chainloop_test.go b/.vib/chainloop/ginkgo/chainloop_test.go
new file mode 100644
index 00000000000000..6c2b32b6cc32ed
--- /dev/null
+++ b/.vib/chainloop/ginkgo/chainloop_test.go
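Review bot: `createJob` at the end of the hunk and the `timeout` flag registered in `init` are not referenced anywhere in the test package this commit adds — `chainloop_test.go` never calls `createJob` nor reads `timeoutSeconds` — so both are dead code (staticcheck will likely flag the unexported function); either drop them or wire the timeout into the specs. The help text for the `name` flag, `"name of the primary statefulset"`, does not match how `releaseName` is used in the sibling file (a prefix for Service names); `flag.StringVar(&releaseName, "name", "", "name of the Helm release")` reads true to the code. The container security context in `createJob` is a sound baseline (non-root, no privilege escalation, all capabilities dropped, RuntimeDefault seccomp); if the helper is kept, adding `ReadOnlyRootFilesystem: &[]bool{true}[0]` hardens it further, and the suite name `"Chainloop Persistence Test Suite"` should describe what the specs actually check, since nothing here exercises persistence.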
@@ -0,0 +1,129 @@
+package chainloop_test
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ utils "github.com/bitnami/charts/.vib/common-tests/ginkgo-utils"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+)
+
+const (
+ PollingInterval = 1 * time.Second
+)
+
+type portDefinition struct {
+ name string
+ number string
+}
+
+var _ = Describe("Chainloop", Ordered, func() {
+ var c *kubernetes.Clientset
+ var ctx context.Context
+ var cancel context.CancelFunc
+
+ BeforeEach(func() {
+ ctx, cancel = context.WithCancel(context.Background())
+
+ conf := utils.MustBuildClusterConfig(kubeconfig)
+ c = kubernetes.NewForConfigOrDie(conf)
+ })
+
+ When("Chainloop chart is fully deployed", func() {
+ It("all services exposes expected ports", func() {
+ svcs := []struct {
+ name string
+ ports []portDefinition
+ }{
+ {
+ name: "cas",
+ ports: []portDefinition{
+ {
+ name: "http",
+ number: "80",
+ },
+ },
+ },
+ {
+ name: "cas-api",
+ ports: []portDefinition{
+ {
+ name: "grpc",
+ number: "80",
+ },
+ },
+ },
+ {
+ name: "controlplane",
+ ports: []portDefinition{
+ {
+ name: "http",
+ number: "80",
+ },
+ },
+ },
+ {
+ name: "controlplane-api",
+ ports: []portDefinition{
+ {
+ name: "grpc",
+ number: "80",
+ },
+ },
+ },
+ {
+ name: "postgresql",
+ ports: []portDefinition{
+ {
+ name: "tcp-postgresql",
+ number: "5432",
+ },
+ },
+ },
+ {
+ name: "vault-server",
+ ports: []portDefinition{
+ {
+ name: "http",
+ number: "8200",
+ }, {
+ name: "https-internal",
+ number: "8201",
+ },
+ },
+ },
+ }
+
+ for _, inSvc := range svcs {
+ svcName := fmt.Sprintf("%v-%v", releaseName, inSvc.name)
+ svc, err := c.CoreV1().Services(namespace).Get(ctx, svcName, metav1.GetOptions{})
+ Expect(err).NotTo(HaveOccurred())
+
+ for _, port := range inSvc.ports {
+ outPort, err := utils.SvcGetPortByName(svc, port.name)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(outPort).NotTo(BeNil())
+ Expect(outPort).To(Equal(port.number))
+ }
+ }
+ })
+
+ It("all pods are running", func() {
+ pods, err := c.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{})
+ Expect(err).NotTo(HaveOccurred())
+
+ for _, pod := range pods.Items {
+ _, err := utils.IsPodRunning(ctx, c.CoreV1(), namespace, pod.Name)
+ Expect(err).NotTo(HaveOccurred())
+ }
+ })
+ })
+
+ AfterEach(func() {
+ cancel()
+ })
+})
diff --git a/.vib/chainloop/ginkgo/go.mod b/.vib/chainloop/ginkgo/go.mod
new file mode 100644
index 00000000000000..a6756abfb16064
--- /dev/null
+++ b/.vib/chainloop/ginkgo/go.mod
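Review bot: In the `all pods are running` spec the first return value of `utils.IsPodRunning` is discarded, so the assertion only checks that the lookup did not error; if that value carries the running state, as the helper's name suggests, a pod stuck in Pending or CrashLoopBackOff still passes. Capture and assert it — `running, err := utils.IsPodRunning(ctx, c.CoreV1(), namespace, pod.Name)`, `Expect(err).NotTo(HaveOccurred())`, `Expect(running).To(BeTrue())` — preferably inside an `Eventually` bounded by the `timeout` flag and `PollingInterval`, since neither is used anywhere in this file and a readiness check with no retry is racy right after deployment. Listing every pod in the namespace also sweeps in completed Job or hook pods, which are never Running, so a label selector or skipping pods in phase Succeeded avoids a false failure. The `It` title `all services exposes expected ports` should read `expose`.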
@@ -0,0 +1,57 @@
+module test-chainloop-chart
+
+go 1.20
+
+replace github.com/bitnami/charts/.vib/common-tests/ginkgo-utils => ../../common-tests/ginkgo-utils
+
+require (
+ github.com/bitnami/charts/.vib/common-tests/ginkgo-utils v0.0.0-00010101000000-000000000000
+ github.com/onsi/ginkgo/v2 v2.11.0
+ github.com/onsi/gomega v1.27.8
+ k8s.io/api v0.28.0
+ k8s.io/apimachinery v0.28.0
+ k8s.io/client-go v0.28.0
+)
+
+require (
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+ github.com/go-logr/logr v1.2.4 // indirect
+ github.com/go-openapi/jsonpointer v0.19.6 // indirect
+ github.com/go-openapi/jsonreference v0.20.2 // indirect
+ github.com/go-openapi/swag v0.22.3 // indirect
+ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang/protobuf v1.5.3 // indirect
+ github.com/google/gnostic-models v0.6.8 // indirect
+ github.com/google/go-cmp v0.5.9 // indirect
+ github.com/google/gofuzz v1.2.0 // indirect
+ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+ github.com/google/uuid v1.3.0 // indirect
+ github.com/imdario/mergo v0.3.6 // indirect
+ github.com/josharian/intern v1.0.0 // indirect
+ github.com/json-iterator/go v1.1.12 // indirect
+ github.com/mailru/easyjson v0.7.7 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.2 // indirect
+ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ github.com/spf13/pflag v1.0.5 // indirect
+ golang.org/x/net v0.23.0 // indirect
+ golang.org/x/oauth2 v0.8.0 // indirect
+ golang.org/x/sys v0.18.0 // indirect
+ golang.org/x/term v0.18.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
+ golang.org/x/time v0.3.0 // indirect
+ golang.org/x/tools v0.9.3 // indirect
+ google.golang.org/appengine v1.6.7 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+ k8s.io/klog/v2 v2.100.1 // indirect
+ k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+ k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+ sigs.k8s.io/yaml v1.3.0 // indirect
+)
diff --git a/.vib/chainloop/ginkgo/go.sum b/.vib/chainloop/ginkgo/go.sum
new file mode 100644
index 00000000000000..5d481c1be1d259
--- /dev/null
+++ b/.vib/chainloop/ginkgo/go.sum
@@ -0,0 +1,160 @@ +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= 
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= +github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= +github.com/onsi/gomega v1.27.8 
h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc= +github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod 
h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod 
h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod 
h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM= +k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY= +k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA= +k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= +k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM= +k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod 
 h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/.vib/chainloop/runtime-parameters.yaml b/.vib/chainloop/runtime-parameters.yaml
new file mode 100644
index 00000000000000..857b2c6aac48f9
--- /dev/null
+++ b/.vib/chainloop/runtime-parameters.yaml
@@ -0,0 +1,7 @@
+development: true
+controlplane:
+ auth:
+ oidc:
+ url:
+ clientID:
+ clientSecret:
\ No newline at end of file
diff --git a/.vib/chainloop/vib-verify.json b/.vib/chainloop/vib-verify.json
new file mode 100644
index 00000000000000..0344ad978dc8c6
--- /dev/null
+++ b/.vib/chainloop/vib-verify.json
@@ -0,0 +1,32 @@
+{
+ "phases": {
+ "verify": {
+ "context": {
+ "resources": {
+ "url": "{SHA_ARCHIVE}",
+ "path": "/bitnami/chainloop"
+ },
+ "target_platform": {
+ "target_platform_id": "{VIB_ENV_TARGET_PLATFORM}",
+ "size": {
+ "name": "S4"
+ }
+ }
+ },
+ "actions": [
+ {
+ "action_id": "ginkgo",
+ "params": {
+ "resources": {
+ "path": "/.vib/chainloop/ginkgo"
+ },
+ "params": {
+ "kubeconfig": "{{kubeconfig}}",
+ "namespace": "{{namespace}}"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/bitnami/chainloop/.helmignore b/bitnami/chainloop/.helmignore
new file mode 100644
index 00000000000000..0e8a0eb36f4ca2
--- /dev/null
+++ b/bitnami/chainloop/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock
new file mode 100644
index 00000000000000..205604869cffd9
--- /dev/null
+++ b/bitnami/chainloop/Chart.lock
@@ -0,0 +1,12 @@
+dependencies:
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ version: 2.20.2
+- name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 12.12.10
+- name: vault
+ repository: https://charts.bitnami.com/bitnami
+ version: 1.4.5
+digest: sha256:f36d00d6d657f2e9f7f1dc6df78e852471cff214b8a7a8ad9722351b978aefdf
+generated: "2024-06-10T14:18:12.118269+02:00"
diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml
new file mode 100644
index 00000000000000..291efc4f942420
--- /dev/null
+++ b/bitnami/chainloop/Chart.yaml
@@ -0,0 +1,27 @@
+# Copyright Chainloop, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+apiVersion: v2
+name: chainloop
+description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
+
+type: application
+# Bump the patch (not minor, not major) version on each change in the Chart Source code
+version: 1.56.1
+# Do not update appVersion, this is handled automatically by the release process
+appVersion: v0.91.1
+
+dependencies:
+ - name: common
+ repository: https://charts.bitnami.com/bitnami
+ tags:
+ - bitnami-common
+ version: 2.x.x
+ - condition: postgresql.enabled
+ name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 12.x.x
+ - condition: development
+ name: vault
+ repository: https://charts.bitnami.com/bitnami
+ version: 1.4.x
diff --git a/bitnami/chainloop/LICENSE.md b/bitnami/chainloop/LICENSE.md
new file mode 100644
index 00000000000000..261eeb9e9f8b2b
--- /dev/null
+++ b/bitnami/chainloop/LICENSE.md
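Review bot: The SPDX header on the second line is written `APACHE-2.0`, while the canonical identifier in the SPDX license list is `Apache-2.0`; matching is case-insensitive so most tools still resolve it, but the canonical spelling keeps license scanners from reporting a non-standard id: `# SPDX-License-Identifier: Apache-2.0`. The two `#` comments about bumping only the patch version and never touching `appVersion` describe an upstream release process, and `version: 1.56.1` on a chart this commit creates suggests the history was imported; both should be checked against this repository's own versioning conventions so the next contributor is not misled. The `vault` dependency is gated on `condition: development`, so any deployment that sets `development: true` pulls in a Vault release; a short comment on that dependency stating that it is presumably meant for development setups only would make the trade-off visible where it is declared.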
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md new file mode 100644 index 00000000000000..803b1c17e4062e --- /dev/null +++ b/bitnami/chainloop/README.md 
@@ -0,0 +1,667 @@ +# Chainloop Helm Chart + +[Chainloop](https://github.com/chainloop-dev/chainloop) is an open-source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process. + +## Introduction + +This chart bootstraps a [Chainloop](https://github.com/chainloop-dev/chainloop) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure (If built-in PostgreSQL is enabled) + +Compatibility with the following Ingress Controllers has been verified, other controllers might or might not work. + +- [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/) +- [Traefik](https://doc.traefik.io/traefik/providers/kubernetes-ingress/) + +## TL;DR + +Deploy Chainloop in [development mode](#development) by running + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + --set development=true \ + --set controlplane.auth.oidc.url=[OIDC URL] \ + --set controlplane.auth.oidc.clientID=[clientID] \ + --set controlplane.auth.oidc.clientSecret=[clientSecret] +``` + +> **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead. + +## Installing the Chart + +This chart comes in **two flavors**, `standard` and [`development`](#development). + +### Standard (default) + +![Deployment](../../docs/img/deployment.png) + +The default deployment mode relies on external dependencies to be available in advance. 
+ +The Helm Chart in this mode includes + +- Chainloop [Controlplane](https://github.com/chainloop-dev/chainloop/tree/main/app/controlplane) +- Chainloop [Artifact proxy](https://github.com/chainloop-dev/chainloop/tree/main/app/artifact-cas) +- A PostgreSQL dependency enabled by default + +During installation, you'll need to provide + +- Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) +- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager) +- ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication + +Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair). + +#### Installation Examples + +> **NOTE**: **We do not recommend passing nor storing sensitive data in plain text**. For production, please consider having your overrides encrypted with tools such as [Sops](https://github.com/mozilla/sops), [Helm Secrets](https://github.com/jkroepke/helm-secrets) or [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets). + +Deploy Chainloop configured to talk to the bundled PostgreSQL an external OIDC IDp and a Vault instance. 
+ +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + --set controlplane.auth.oidc.url=[OIDC URL] \ + --set controlplane.auth.oidc.clientID=[clientID] \ + --set controlplane.auth.oidc.clientSecret=[clientSecret] \ + # Secrets backend + --set secretsBackend.vault.address="https://[vault address]:8200" \ + --set secretsBackend.vault.token=[token] \ + # Server Auth KeyPair + --set casJWTPrivateKey="$(cat private.ec.key)" \ + --set casJWTPublicKey="$(cat public.pem)" +``` + +Deploy using AWS Secrets Manager instead of Vault + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + # ... + # Secrets backend + --set secretsBackend.backend=awsSecretManager \ + --set secretsBackend.awsSecretManager.accessKey=[AWS ACCESS KEY ID] \ + --set secretsBackend.awsSecretManager.secretKey=[AWS SECRET KEY] \ + --set secretsBackend.awsSecretManager.region=[AWS region]\ + # Server Auth KeyPair + # ... +``` + +or using GCP Secret Manager + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + # ... + # Secrets backend + --set secretsBackend.backend=gcpSecretManager \ + --set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \ + --set secretsBackend.gcpSecretManager.serviceAccountKey=[GCP Auth KEY] \ + # Server Auth KeyPair + # ... +``` + +or Azure KeyVault + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + # ... + # Secrets backend + --set secretsBackend.backend=azureKeyVault \ + --set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \ + --set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \ + --set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \ + --set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI] + # Server Auth KeyPair + # ... 
+``` + +Connect to an external PostgreSQL database instead + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + # Open ID Connect (OIDC) + # ... + # Secrets backend + # ... + # Server Auth KeyPair + # ... + # External DB setup + --set postgresql.enabled=false \ + --set controlplane.externalDatabase.host=[DB_HOST] \ + --set controlplane.externalDatabase.user=[DB_USER] \ + --set controlplane.externalDatabase.password=[DB_PASSWORD] \ + --set controlplane.externalDatabase.database=[DB_NAME] +``` + +### Development + +To provide an easy way to give Chainloop a try, this Helm Chart has an **opt-in development** mode that can be enabled with the flag `development=true` + +> IMPORTANT: DO NOT USE THIS MODE IN PRODUCTION + +![Deployment](../../docs/img/deployment-dev.png) + +The Helm Chart in this mode includes + +- Chainloop [Controlplane](https://github.com/chainloop-dev/chainloop/tree/main/app/controlplane) +- Chainloop [Artifact proxy](https://github.com/chainloop-dev/chainloop/tree/main/app/artifact-cas) +- A PostgreSQL dependency enabled by default +- **A pre-configured Hashicorp Vault instance running in development mode (unsealed, in-memory, insecure)** + +> **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead. 
+ +During installation, you'll need to provide + +- Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) +- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~ +- ~~ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication~~ + +#### Installation Examples + +Deploy by leveraging built-in Vault and PostgreSQL instances + +```console +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ + --set development=true \ + --set controlplane.auth.oidc.url=[OIDC URL] \ + --set controlplane.auth.oidc.clientID=[clientID] \ + --set controlplane.auth.oidc.clientSecret=[clientSecret] +``` + +## How to guides + +### CAS upload speeds are slow, what can I do? + +Chainloop uses gRPC streaming to perform artifact uploads. This method is susceptible to being very slow on high latency scenarios. [#375](https://github.com/chainloop-dev/chainloop/issues/375) + +To improve upload speeds, you need to increase [http2 flow control buffer](https://httpwg.org/specs/rfc7540.html#DisableFlowControl). This can be done in NGINX by setting the following annotation in the ingress resource. + +``` +# Improve upload speed by adding client buffering used by http2 control-flows +nginx.ingress.kubernetes.io/client-body-buffer-size: "3M" +``` + +Note: For other reverse proxies, you'll need to find the equivalent configuration. 
+ +### Generate a ECDSA key-pair + +An ECDSA key-pair is required to perform authentication between the control-plane and the Artifact CAS + +You can generate both the private and public keys by running + +```bash +# Private Key (private.ec.key) +openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key +# Public Key (public.pem) +openssl ec -in private.ec.key -pubout -out public.pem +``` + +Then, you can either provide it in a custom `values.yaml` file override + +```yaml +casJWTPrivateKey: |- + -----BEGIN EC PRIVATE KEY----- + REDACTED + -----END EC PRIVATE KEY----- +casJWTPublicKey: | + -----BEGIN PUBLIC KEY----- + REDACTED + -----END PUBLIC KEY----- +``` + +or as shown before, provide them as imperative inputs during Helm Install/Upgrade `--set casJWTPrivateKey="$(cat private.ec.key)"--set casJWTPublicKey="$(cat public.pem)"` + +### Enable a custom domain with TLS + +Chainloop uses three endpoints so we'll need to enable the ingress resource for each one of them. + +See below an example of a `values.yaml` override + +```yaml +controlplane: + ingress: + enabled: true + hostname: cp.chainloop.dev + + ingressAPI: + enabled: true + hostname: api.cp.chainloop.dev + +cas: + ingressAPI: + enabled: true + hostname: api.cas.chainloop.dev +``` + +A complete setup that uses + +- NGINX as ingress Controller https://kubernetes.github.io/ingress-nginx/ +- [cert-manager](https://cert-manager.io/) as TLS provider + +would look like + +```yaml +controlplane: + ingress: + enabled: true + tls: true + ingressClassName: nginx + hostname: cp.chainloop.dev + annotations: + # This depends on your configured issuer + cert-manager.io/cluster-issuer: "letsencrypt-prod" + + ingressAPI: + enabled: true + tls: true + ingressClassName: nginx + hostname: api.cp.chainloop.dev + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + cert-manager.io/cluster-issuer: "letsencrypt-prod" + +cas: + ingressAPI: + enabled: true + tls: true + ingressClassName: nginx + hostname: 
api.cas.chainloop.dev + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + cert-manager.io/cluster-issuer: "letsencrypt-prod" + # limit the size of the files that go through the proxy + # 0 means to not check the size of the request so we do not get 413 error. + # For now we are going to set a limit on 100MB files + # Even though we send data in chunks of 1MB, this size refers to all the data sent in the streaming connection + nginx.ingress.kubernetes.io/proxy-body-size: "100m" +``` + +Remember, once you have set up your domain, make sure you use the [CLI pointing](#configure-chainloop-cli-to-point-to-your-instance) to it instead of the defaults. + +### Connect to an external PostgreSQL database + +```yaml +# Disable built-in DB +postgresql: + enabled: false + +# Provide with external connection +controlplane: + externalDatabase: + host: 1.2.3.4 + port: 5432 + user: chainloop + password: [REDACTED] + database: chainloop-controlplane-prod +``` + +Alternatively, if you are using [Google Cloud SQL](https://cloud.google.com/sql) and you are running Chainloop in Google Kubernetes Engine. 
You can connect instead via [a proxy](https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#proxy) + +This method can also be easily enabled in this chart by doing + +```yaml +# Disable built-in DB +postgresql: + enabled: false + +# Provide with external connection +controlplane: + sqlProxy: + # Inject the proxy sidecar + enabled: true + ## @param controlplane.sqlProxy.connectionName Google Cloud SQL connection name + connectionName: "my-sql-instance" + # Then you'll need to configure your DB settings to use the proxy IP address + externalDatabase: + host: [proxy-sidecar-ip-address] + port: 5432 + user: chainloop + password: [REDACTED] + database: chainloop-controlplane-prod +``` + +### Use AWS secrets manager + +Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file + +```yaml +secretsBackend: + backend: awsSecretManager + awsSecretManager: + accessKey: [KEY] + secretKey: [SECRET] + region: [REGION] +``` + +### Use GCP secret manager + +Or [Google Cloud Secret Manager](https://cloud.google.com/secret-manager) with the following settings + +```yaml +secretsBackend: + backend: gcpSecretManager + gcpSecretManager: + projectId: [PROJECT_ID] + serviceAccountKey: [KEY] +``` + +### Use Azure KeyVault + +[Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault/) is also supported + +```yaml +secretsBackend: + backend: azureKeyVault + azureKeyVault: + tenantID: [TENANT_ID] # Active Directory Tenant ID + clientID: [CLIENT_ID] # Registered application / service principal client ID + clientSecret: [CLIENT_SECRET] # Service principal client secret + vaultURI: [VAULT URI] # Azure Key Vault URL + +``` + +### Deploy in keyless mode with file-based CA + +*This feature is experimental, as it doesn't yet support verification.* + +You can enable keyless signing mode by providing a custom Certificate Authority. 
+For example, these commands generate a self-signed certificate with an RSA private key of length 4096 and AES256 encryption: + +```bash +> openssl genrsa -aes256 -out ca.key 4096 +... +> openssl req -new -x509 -sha256 -key ca.key -out ca.crt +... +``` + +Then you can configure your deployment values with: +```yaml +controlplane: + keylessSigning: + enabled: true + backend: fileCA + fileCA: + cert: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + key: | + -----BEGIN ENCRYPTED PRIVATE KEY----- + ... + -----END ENCRYPTED PRIVATE KEY----- + keyPass: "REDACTED" +``` + +### Send exceptions to Sentry + +You can configure different sentry projects for both the controlplane and the artifact CAS + +```yaml +# for controlplane +controlplane: + ... + sentry: + enabled: true + dsn: [your secret sentry project DSN URL] + environment: production +# Artifact CAS +cas: + ... + sentry: + enabled: true + dsn: [your secret sentry project DSN URL] + environment: production +``` + +### Enable Prometheus Monitoring in GKE + +Chainloop exposes Prometheus compatible `/metrics` endpoints that can be easily scraped by a Prometheus data collector Server. + +Google Cloud has a [managed Prometheus offering](https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed) that could be easily enabled by setting `--set GKEMonitoring.enabled=true`. This will inject the required `PodMonitoring` custom resources. + +### Configure Chainloop CLI to point to your instance + +Once you have your instance of Chainloop deployed, you need to configure the [CLI](https://github.com/chainloop-dev/chainloop/releases) to point to both the CAS and the Control plane gRPC APIs like this. 
+ +``` +chainloop config save \ + --control-plane my-controlplane.acme.com:443 \ + --artifact-cas cas.acme.com:443 +``` + +## Parameters + +### Common parameters + +| Name | Description | Value | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `development` | Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | `false` | +| `GKEMonitoring.enabled` | Enable GKE podMonitoring (prometheus.io scrape) to scrape the controlplane and CAS /metrics endpoints | `false` | + +### Secrets Backend + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ----------- | +| `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") | `vault` | +| `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | +| `secretsBackend.vault.address` | Vault address | | +| `secretsBackend.vault.token` | Vault authentication token | | +| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | +| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | +| `secretsBackend.awsSecretManager.region` | AWS Secrets Manager Region | | +| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | +| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | +| `secretsBackend.azureKeyVault.tenantID` | Active Directory Tenant ID | | +| `secretsBackend.azureKeyVault.clientID` | Registered application / service principal client ID | | +| `secretsBackend.azureKeyVault.clientSecret` | Service principal 
client secret | | +| `secretsBackend.azureKeyVault.vaultURI` | Azure Key Vault URL | | + +### Authentication + +| Name | Description | Value | +| ------------------ | ---------------------------------------------------------------------- | ----- | +| `casJWTPrivateKey` | ECDSA (ES512) private key used for Controlplane <-> CAS Authentication | `""` | +| `casJWTPublicKey` | ECDSA (ES512) public key | `""` | + +### Control Plane + +| Name | Description | Value | +| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------------------------------------------- | +| `controlplane.replicaCount` | Number of replicas | `2` | +| `controlplane.image.repository` | FQDN uri for the image | `ghcr.io/chainloop-dev/chainloop/control-plane` | +| `controlplane.image.tag` | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | | +| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | +| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | +| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | +| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | +| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | + +### Control Plane Database + +| Name | Description | Value | +| ---------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------- | +| `controlplane.externalDatabase` | External PostgreSQL configuration. 
These values are only used when postgresql.enabled is set to false | | +| `controlplane.externalDatabase.host` | Database host | `""` | +| `controlplane.externalDatabase.port` | Database port number | `5432` | +| `controlplane.externalDatabase.user` | Non-root username | `""` | +| `controlplane.externalDatabase.database` | Database name | `""` | +| `controlplane.externalDatabase.password` | Password for the non-root username | `""` | +| `controlplane.sqlProxy.enabled` | Enable sidecar to connect to DB via Google Cloud SQL proxy | `false` | +| `controlplane.sqlProxy.connectionName` | Google Cloud SQL connection name | `""` | +| `controlplane.sqlProxy.resources` | Sidecar container resources | `{}` | + +### Control Plane Authentication + +| Name | Description | Value | +| ------------------------------------- | ------------------------------------------------------------------------------------------------------ | ----- | +| `controlplane.auth.passphrase` | Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation | `""` | +| `controlplane.auth.oidc.url` | Full authentication path, it should match the issuer URL of the Identity provider (IDp) | `""` | +| `controlplane.auth.oidc.clientID` | OIDC IDp clientID | `""` | +| `controlplane.auth.oidc.clientSecret` | OIDC IDp clientSecret | `""` | + +### Control Plane Networking + +| Name | Description | Value | +| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `controlplane.service.type` | Service type | `ClusterIP` | +| `controlplane.service.port` | Service port | `80` | +| `controlplane.service.targetPort` | Service target Port | `http` | +| `controlplane.service.nodePorts.http` | Node port for HTTP. 
NOTE: choose port between <30000-32767> | | +| `controlplane.serviceAPI.type` | Service type | `ClusterIP` | +| `controlplane.serviceAPI.port` | Service port | `80` | +| `controlplane.serviceAPI.targetPort` | Service target Port | `grpc` | +| `controlplane.serviceAPI.annotations` | Service annotations | | +| `controlplane.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | +| `controlplane.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | +| `controlplane.ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `controlplane.ingress.hostname` | Default host for the ingress record | `cp.dev.local` | +| `controlplane.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `controlplane.ingress.path` | Default path for the ingress record | `/` | +| `controlplane.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | +| `controlplane.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `controlplane.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `controlplane.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `controlplane.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `controlplane.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `controlplane.ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `controlplane.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `controlplane.ingressAPI.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | +| `controlplane.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | +| `controlplane.ingressAPI.hostname` | Default host for the ingress record | `api.cp.dev.local` | +| `controlplane.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `controlplane.ingressAPI.path` | Default path for the ingress record | `/` | +| `controlplane.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| | +| `controlplane.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `controlplane.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `controlplane.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `controlplane.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `controlplane.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `controlplane.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | +| `controlplane.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | + +### Controlplane Misc + +| Name | Description | Value | +| ------------------------------------------------------------ | ------------------------------------------------------------------------ | ------------ | +| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | +| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | +| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | +| `controlplane.sentry.dsn` | DSN 
endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | +| `controlplane.sentry.environment` | Environment tag | `production` | +| `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | +| `controlplane.keylessSigning.backend` | The backend to use. Currently only "fileCA" is supported | `fileCA` | +| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | + +### Artifact Content Addressable (CAS) API + +| Name | Description | Value | +| --------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------- | +| `cas.replicaCount` | Number of replicas | `2` | +| `cas.image.repository` | FQDN uri for the image | `ghcr.io/chainloop-dev/chainloop/artifact-cas` | +| `cas.image.tag` | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | | +| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | + +### CAS Networking + +| Name | Description | Value | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `cas.service.type` | Service type | `ClusterIP` | +| `cas.service.port` | Service port | `80` | +| `cas.service.targetPort` | Service target Port | `http` | +| `cas.service.nodePorts.http` | Node port for HTTP. 
NOTE: choose port between <30000-32767> | | +| `cas.serviceAPI.type` | Service type | `ClusterIP` | +| `cas.serviceAPI.port` | Service port | `80` | +| `cas.serviceAPI.targetPort` | Service target Port | `grpc` | +| `cas.serviceAPI.annotations` | Service annotations | | +| `cas.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | +| `cas.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | +| `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` | +| `cas.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `cas.ingress.path` | Default path for the ingress record | `/` | +| `cas.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `cas.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `cas.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `cas.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `cas.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `cas.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `cas.ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `cas.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `cas.ingressAPI.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | +| `cas.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | +| 
`cas.ingressAPI.hostname` | Default host for the ingress record | `api.cas.dev.local` | +| `cas.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `cas.ingressAPI.path` | Default path for the ingress record | `/` | +| `cas.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | | +| `cas.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `cas.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `cas.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `cas.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `cas.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `cas.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | +| `cas.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | + +### CAS Misc + +| Name | Description | Value | +| --------------------------------------------------- | ------------------------------------------------------------------------ | ------------ | +| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` 
| +| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | +| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | +| `cas.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | +| `cas.sentry.environment` | Environment tag | `production` | + +### Dependencies + +| Name | Description | Value | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ |----------------------------------------------------------------------------------------------------------------------------| +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration |
storage "inmem" {}
disable_mlock = true
ui = true
service_registration "kubernetes" {}
| +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | + +## License + +Copyright © 2023 The Chainloop Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/bitnami/chainloop/templates/NOTES.txt b/bitnami/chainloop/templates/NOTES.txt new file mode 100644 index 00000000000000..2285f5513653a5 --- /dev/null +++ b/bitnami/chainloop/templates/NOTES.txt 
@@ -0,0 +1,47 @@ + +** Please be patient while the chart is being deployed ** + +{{- if .Values.development }} + +########################################################################### + DEVELOPMENT MODE +########################################################################### + +██████╗ ███████╗██╗ ██╗ █████╗ ██████╗ ███████╗ +██╔══██╗██╔════╝██║ ██║██╔══██╗██╔══██╗██╔════╝ +██████╔╝█████╗ ██║ █╗ ██║███████║██████╔╝█████╗ +██╔══██╗██╔══╝ ██║███╗██║██╔══██║██╔══██╗██╔══╝ +██████╔╝███████╗╚███╔███╔╝██║ ██║██║ ██║███████╗ +╚═════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ + +Instance running in development mode! + +Development mode, by default + +- Runs an insecure, unsealed, non-persistent instance of Vault +- Is configured with development authentication keys + +DO NOT USE IT FOR PRODUCTION PURPOSES + +########################################################################### + CONFIGURE CLI +########################################################################### + +Configure the CLI to point to this instance, for example + + chainloop --insecure config save \ + --control-plane my-controlplane.acme.com:80 \ + --artifact-cas cas.acme.com:80 + +Refer to this link for more information +https://docs.chainloop.dev/getting-started/installation#configure-cli-optional + +########################################################################### + USEFUL LINKS +########################################################################### + +- GitHub repository: https://github.com/chainloop-dev/chainloop +- Documentation: https://docs.chainloop.dev + +{{- end }} + diff --git a/bitnami/chainloop/templates/_helpers.tpl b/bitnami/chainloop/templates/_helpers.tpl new file mode 100644 index 00000000000000..a647de1c4107c4 --- /dev/null +++ b/bitnami/chainloop/templates/_helpers.tpl 
@@ -0,0 +1,412 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- define "chainloop.postgresql.fullname" -}} +{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}} +{{- end -}} + +{{- define "chainloop.vault.fullname" -}} +{{- include "common.names.dependency.fullname" (dict "chartName" "vault" "chartValues" .Values.vault "context" $) -}} +{{- end -}} + +{{/* +Returns a private key used for CAS <-> Controlplane communication +If we are running ind development mode we add a default one otherwise we require providing it +*/}} +{{- define "chainloop.casjwt.private_key" -}} + {{- if .Values.development }} + {{- coalesce .Values.casJWTPrivateKey (include "chainloop.casjwt.private_key.devel" .) }} + {{- else }} + {{- required "Authentication Private Key \"casJWTPrivateKey\" required" .Values.casJWTPrivateKey }} + {{- end }} +{{- end }} + +{{/* +Returns a public key used for CAS <-> Controlplane communication +If we are running ind development mode we add a default one otherwise we require providing it +*/}} +{{- define "chainloop.casjwt.public_key" -}} + {{- if .Values.development }} + {{- coalesce .Values.casJWTPublicKey (include "chainloop.casjwt.public_key.devel" .) 
}} + {{- else }} + {{- required "Authentication Public Key \"casJWTPublicKey\" required" .Values.casJWTPublicKey }} + {{- end }} +{{- end }} + +{{/* +DEVELOPMENT ONLY PRIVATE KEY +NOTE: It can not be generated by HELM because we also need a public key +*/}} +{{- define "chainloop.casjwt.private_key.devel" -}} +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIA762MbJK9IBnaqG0sd9uFRM+Z7Y+Aq5UfmbWf0+acKMYpYoy/8kBE +tI6cpcA2KvmW5qurOjIMh5ISr+P2GmzSZX+gBwYFK4EEACOhgYkDgYYABAFzPMcM +NUnPoC7b+s+/OyxRC7V/+elthj6Cq85WCj0KZ2qDvmd4QsYnsTIQ7NM7E+9WztdP +rJBaMdfauMarLlc7/AAHqoa0lv7HNIa0PpupZD4VXmnIe/ZkhHvKOuw0Bdoq2D2B +3U25sylQQto3nZ4IqnsXmrtYGIFI9om3PoliT9/J7g== +-----END EC PRIVATE KEY----- +{{- end -}} + +{{/* +DEVELOPMENT ONLY PUBLIC KEY +*/}} +{{- define "chainloop.casjwt.public_key.devel" -}} +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBczzHDDVJz6Au2/rPvzssUQu1f/np +bYY+gqvOVgo9Cmdqg75neELGJ7EyEOzTOxPvVs7XT6yQWjHX2rjGqy5XO/wAB6qG +tJb+xzSGtD6bqWQ+FV5pyHv2ZIR7yjrsNAXaKtg9gd1NubMpUELaN52eCKp7F5q7 +WBiBSPaJtz6JYk/fye4= +-----END PUBLIC KEY----- +{{- end -}} + +{{- define "chainloop.credentials_service_settings" -}} +{{- with .Values.secretsBackend }} +secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }} +{{- if eq .backend "vault" }} +{{- $tokenEnvVar := "" }} +{{- range $.Values.vault.server.extraEnvVars }} + {{- if eq .name "VAULT_DEV_ROOT_TOKEN_ID" }} + {{- $tokenEnvVar = .value }} + {{- end }} +{{- end }} +vault: + {{- if and $.Values.development (or (not .vault) not .vault.address) }} + address: {{ printf "http://%s-server:8200" (include "chainloop.vault.fullname" $) | quote }} + {{- if $tokenEnvVar }} + token: {{ $tokenEnvVar | quote }} + {{- else }} + {{- required "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" (index $.Values.vault.server.extraEnvVars "VAULT_DEV_ROOT_TOKEN_ID") }} + {{- end }} +{{- else if (required "vault backend selected but configuration not provided" .vault ) }} + 
address: {{ required "vault address required" .vault.address | quote }} + token: {{ required "vault token required" .vault.token | quote }} +{{- end }} + +{{- else if eq .backend "awsSecretManager" }} +awsSecretManager: + region: {{ required "region required" .awsSecretManager.region | quote }} + creds: + accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }} + secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }} + +{{- else if eq .backend "gcpSecretManager" }} +gcpSecretManager: + projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }} + serviceAccountKey: "/gcp-secrets/serviceAccountKey.json" + {{- if eq .gcpSecretManager.serviceAccountKey "" }} + {{- fail ".Values.secretsBackend.gcpSecretManager.serviceAccountKey not set" }} + {{- end }} +{{- else if eq .backend "azureKeyVault" }} +azure_key_vault: + tenant_id: {{ required "AD tenantID required" .azureKeyVault.tenantID | quote }} + client_id: {{ required "Service principal ID required" .azureKeyVault.clientID | quote }} + client_secret: {{ required "Service principal secret required" .azureKeyVault.clientSecret | quote }} + vault_uri: {{ required "Azure Vault URL required" .azureKeyVault.vaultURI | quote }} +{{- end }} +{{- end }} +{{- end -}} + +{{- define "chainloop.node_port" -}} +{{- if (and (or (eq .type "NodePort") (eq .type "LoadBalancer")) .nodePorts (not (empty .nodePorts.http))) }} +{{- .nodePorts.http }} +{{- else -}} +null +{{- end -}} +{{- end -}} + +{{/* +############################################################################## +Controlplane helpers +############################################################################## +*/}} + +{{/* +Chainloop Controlplane release name +*/}} +{{- define "chainloop.controlplane.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) 
"controlplane" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Chainloop Controlplane Chart fullname +*/}} +{{- define "chainloop.controlplane.name" -}} +{{- printf "%s-%s" (include "common.names.name" .) "controlplane" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "chainloop.controlplane.labels" -}} +{{- include "common.labels.standard" . }} +app.kubernetes.io/part-of: chainloop +app.kubernetes.io/component: controlplane +{{- end }} + +{{/* +Migration labels +*/}} +{{- define "chainloop.controlplane.migration.labels" -}} +{{- include "common.labels.standard" . }} +app.kubernetes.io/part-of: chainloop +app.kubernetes.io/component: controlplane-migration +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "chainloop.controlplane.selectorLabels" -}} +{{- include "common.labels.matchLabels" .}} +app.kubernetes.io/component: controlplane +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "controlplane.serviceAccountName" -}} +{{- if .Values.controlplane.serviceAccount.create }} +{{- default (include "chainloop.controlplane.fullname" .) .Values.controlplane.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.controlplane.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return the Postgresql connection string +*/}} +{{- define "controlplane.database.connection_string" -}} +{{- printf "postgresql://%s:%s@%s:%s/%s" (include "controlplane.database.user" .) (include "controlplane.database.escapedPassword" .) (include "controlplane.database.host" .) (include "controlplane.database.port" .) (include "controlplane.database.name" .) }} +{{- end -}} + +{{/* +Return the Postgresql connection string for Atlas migration +*/}} +{{- define "controlplane.database.atlas_connection_string" -}} +{{- $connStr := printf "postgres://%s:%s@%s:%s/%s" (include "controlplane.database.user" .) (include "controlplane.database.escapedPassword" .) (include "controlplane.database.host" .) 
(include "controlplane.database.port" .) (include "controlplane.database.name" .) }} +{{- .Values.controlplane.migration.ssl | ternary $connStr (printf "%s?sslmode=disable" $connStr) }} +{{- end -}} + +{{/* +Return the Postgresql hostname +*/}} +{{- define "controlplane.database.host" -}} +{{- if .Values.controlplane.sqlProxy.enabled }} + {{- include "chainloop.sql-proxy.fullname" . -}} +{{- else -}} + {{- ternary (include "chainloop.postgresql.fullname" .) .Values.controlplane.externalDatabase.host .Values.postgresql.enabled -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Postgresql port +*/}} +{{- define "controlplane.database.port" -}} +{{- if .Values.controlplane.sqlProxy.enabled }} + {{- 5432 -}} +{{- else -}} + {{- ternary 5432 .Values.controlplane.externalDatabase.port .Values.postgresql.enabled -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Postgresql password +*/}} +{{- define "controlplane.database.password" -}} +{{- if .Values.postgresql.enabled }} + {{- if .Values.global.postgresql }} + {{- if .Values.global.postgresql.auth }} + {{- coalesce .Values.global.postgresql.auth.password .Values.postgresql.auth.password -}} + {{- else -}} + {{- .Values.postgresql.auth.password -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.password -}} + {{- end -}} +{{- else -}} + {{- .Values.controlplane.externalDatabase.password -}} +{{- end -}} +{{- end -}} + + +{{/* +Return the URL-scaped Postgresql password +*/}} +{{ define "controlplane.database.escapedPassword" -}} + {{- include "controlplane.database.password" . 
| urlquery | replace "+" "%20" -}} +{{- end -}} + +{{/* +Return the Postgresql database name +*/}} +{{- define "controlplane.database.name" -}} +{{- if .Values.postgresql.enabled }} + {{- if .Values.global.postgresql }} + {{- if .Values.global.postgresql.auth }} + {{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}} + {{- else -}} + {{- .Values.postgresql.auth.database -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.database -}} + {{- end -}} +{{- else -}} + {{- .Values.controlplane.externalDatabase.database -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Postgresql user +*/}} +{{- define "controlplane.database.user" -}} +{{- if .Values.postgresql.enabled }} + {{- if .Values.global.postgresql }} + {{- if .Values.global.postgresql.auth }} + {{- coalesce .Values.global.postgresql.auth.username .Values.postgresql.auth.username -}} + {{- else -}} + {{- .Values.postgresql.auth.username -}} + {{- end -}} + {{- else -}} + {{- .Values.postgresql.auth.username -}} + {{- end -}} +{{- else -}} + {{- .Values.controlplane.externalDatabase.user -}} +{{- end -}} +{{- end -}} + +{{/* +Figure out the external URL the controlplane can be reached at +This endpoint is used for the CLI to know where to go for log in +NOTE: Load balancer service type is not supported +*/}} +{{- define "chainloop.controlplane.external_url" -}} +{{- $service := .Values.controlplane.service }} +{{- $ingress := .Values.controlplane.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} +{{- printf "http://localhost:%s" $service.nodePorts.http }} +{{- else -}} +null +{{- end -}} +{{- end -}} + +{{- define "chainloop.sentry" -}} +observability: + sentry: + dsn: {{ required "Sentry DSN required" .dsn | quote }} + environment: {{ required "Sentry 
environment required" .environment | quote }} +{{- end -}} + +{{/* +############################################################################## +sql-proxy helpers +############################################################################## +*/}} + +{{/* +Chainloop sql-proxy release name +*/}} +{{- define "chainloop.sql-proxy.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "sql-proxy" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Chainloop sql-proxy Chart fullname +*/}} +{{- define "chainloop.sql-proxy.name" -}} +{{- printf "%s-%s" (include "common.names.name" .) "sql-proxy" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "chainloop.sql-proxy.labels" -}} +{{- include "common.labels.standard" . }} +app.kubernetes.io/part-of: chainloop +app.kubernetes.io/component: sql-proxy +{{- end }} + +{{/* +Migration labels +*/}} +{{- define "chainloop.sql-proxy.migration.labels" -}} +{{- include "common.labels.standard" . }} +app.kubernetes.io/part-of: chainloop +app.kubernetes.io/component: sql-proxy-migration +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "chainloop.sql-proxy.selectorLabels" -}} +{{- include "common.labels.matchLabels" .}} +app.kubernetes.io/component: sql-proxy +{{- end }} + +{{/* +############################################################################## +CAS Helpers +############################################################################## +*/}} + +{{/* +Chainloop CAS release name +*/}} + +{{- define "chainloop.cas.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "cas" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Chainloop CAS Chart fullname +*/}} +{{- define "chainloop.cas.name" -}} +{{- printf "%s-%s" (include "common.names.name" .) "cas" | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{/* + +Common labels +*/}} +{{- define "chainloop.cas.labels" -}} +{{- include "common.labels.standard" . 
}} +app.kubernetes.io/part-of: chainloop +app.kubernetes.io/component: cas +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "chainloop.cas.selectorLabels" -}} +{{- include "common.labels.matchLabels" .}} +app.kubernetes.io/component: cas +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "chainloop.cas.serviceAccountName" -}} +{{- if .Values.cas.serviceAccount.create }} +{{- default (include "chainloop.cas.fullname" .) .Values.cas.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.cas.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +External URL the CAS can be reached at +This endpoint is used for the cas to redirect downloads +NOTE: Load balancer service type is not supported +*/}} +{{- define "chainloop.cas.external_url" -}} +{{- $service := .Values.cas.service }} +{{- $ingress := .Values.cas.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} +{{- printf "http://localhost:%s" $service.nodePorts.http }} +{{- end -}} +{{- end -}} diff --git a/bitnami/chainloop/templates/cas/config.configmap.yaml b/bitnami/chainloop/templates/cas/config.configmap.yaml new file mode 100644 index 00000000000000..755f2b2406c9f4 --- /dev/null +++ b/bitnami/chainloop/templates/cas/config.configmap.yaml 
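Review bot: In `chainloop.credentials_service_settings` the condition `{{- if and $.Values.development (or (not .vault) not .vault.address) }}` passes the bare function name `not` as an argument, so as soon as development mode is on and `secretsBackend.vault` is set the render aborts with a template error instead of checking the address; it should read `{{- if and $.Values.development (or (not .vault) (not .vault.address)) }}`. The fallback in the same block, `(index $.Values.vault.server.extraEnvVars "VAULT_DEV_ROOT_TOKEN_ID")`, indexes a list with a string key and therefore also fails with an index error rather than the intended `required` message; `{{- fail "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" }}` expresses the intent directly. In both `chainloop.controlplane.external_url` and `chainloop.cas.external_url`, `printf "http://localhost:%s" $service.nodePorts.http` renders `%!s(int=…)` when the node port is given as a YAML number, which is the common case; `%v` handles both forms. `controlplane.database.atlas_connection_string` only ever weakens TLS (`sslmode=disable` when `migration.ssl` is false) and leaves the true branch at the driver default, which for postgres clients is typically `prefer` and does not fail on an unencrypted link — if the flag is meant to guarantee an encrypted migration connection, the true branch should append `sslmode=require` (or `verify-full`) explicitly.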
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "chainloop.cas.fullname" . }}
+ labels:
+ {{- include "chainloop.cas.labels" . | nindent 4 }}
+data:
+ server.yaml: |
+ server:
+ http:
+ addr: 0.0.0.0:8000
+ # Timeouts for http downloads
+ # grpc downloads/uploads don't require this because they don't have timeouts
+ timeout: 300s
+ grpc:
+ {{- if .Values.cas.tlsConfig.secret.name }}
+ tls_config:
+ certificate: /data/server-certs/tls.crt
+ private_key: /data/server-certs/tls.key
+ {{- end }}
+ addr: 0.0.0.0:9000
+ # Some unary RPCs are slow, so we need to increase the timeout
+ timeout: 5s
+ http_metrics:
+ addr: 0.0.0.0:5000
diff --git a/bitnami/chainloop/templates/cas/config.secret.yaml b/bitnami/chainloop/templates/cas/config.secret.yaml
new file mode 100644
index 00000000000000..7476c54172b09e
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/config.secret.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.cas.fullname" . }}
+ labels:
+ {{- include "chainloop.cas.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ {{- if and .Values.cas.sentry .Values.cas.sentry.enabled }}
+ config.observability.yaml: |
+ {{- include "chainloop.sentry" .Values.cas.sentry | nindent 4 }}
+ {{- end }}
+ config.secret.yaml: |
+ credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}
+ auth:
+ public_key_path: "/tmp/cas.public.pem"
+ # Deprecated, use public_key_path instead. Remove option once release of the app 0.15+ is out.
+ robot_account_public_key_path: "/tmp/cas.public.pem"
+ # TODO: add observability
\ No newline at end of file
diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml
new file mode 100644
index 00000000000000..222e9bbe70a757
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/deployment.yaml
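Review bot: `cas.tlsConfig.secret.name` only adds `tls_config` under the `grpc` listener; the `http` listener on `0.0.0.0:8000`, which serves the downloads the 300s timeout is set for, and the `http_metrics` listener on port 5000 stay plaintext whatever the value. That is a defensible design if transport security is expected from the ingress or a mesh, but nothing in the chart says so; a comment on the `http:` block such as `# TLS is only configured for the grpc listener; http and metrics rely on the ingress/service for transport security` would make the boundary explicit to operators. The values description for `cas.tlsConfig.secret.name` in README.md also says the certificate is "used by the controlplane grpc server", which refers to the wrong component and should say the CAS grpc server.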
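Review bot: The closing `# TODO: add observability` comment in `config.secret.yaml` is already stale — `config.observability.yaml` is rendered a few lines above whenever `cas.sentry.enabled` is set — and the file is committed without a final newline (`\ No newline at end of file`), unlike the ConfigMap in the previous hunk; drop the comment and add the newline. `credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}` only yields valid YAML because the helper's output happens to begin with a newline that `indent` then pads; `| nindent 6` states that intent explicitly and stops depending on the helper's leading whitespace. The `robot_account_public_key_path` line carries a version-bound removal note (`0.15+`); if that release is already out, it could be dropped in this new chart rather than carried over.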
@@ -0,0 +1,89 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "chainloop.cas.fullname" . }} + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +spec: + {{- if not .Values.cas.autoscaling.enabled }} + replicas: {{ .Values.cas.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "chainloop.cas.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cas" "/config.configmap.yaml") . | sha256sum }} + checksum/config-secret: {{ include (print $.Template.BasePath "/cas" "/config.secret.yaml") . | sha256sum }} + checksum/public-key-secret: {{ include (print $.Template.BasePath "/cas" "/jwt_public_key.secret.yaml") . | sha256sum }} + labels: + {{- include "chainloop.cas.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.cas.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "chainloop.cas.serviceAccountName" . 
}} + securityContext: + {{- toYaml .Values.cas.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.cas.securityContext | nindent 12 }} + image: "{{ .Values.cas.image.repository }}:{{ .Values.cas.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.cas.image.pullPolicy }} + ports: + - name: http + containerPort: 8000 + protocol: TCP + - name: grpc + containerPort: 9000 + protocol: TCP + - name: metrics + containerPort: 5000 + protocol: TCP + livenessProbe: + httpGet: + path: /statusz + port: http + readinessProbe: + httpGet: + path: /statusz?readiness=1 + port: http + resources: + {{- toYaml .Values.cas.resources | nindent 12 }} + volumeMounts: + - name: config + mountPath: "/data/conf" + - name: jwt-public-key + mountPath: "/tmp" + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + mountPath: /gcp-secrets + {{- end }} + {{- if .Values.cas.tlsConfig.secret.name }} + - name: server-certs + mountPath: /data/server-certs + {{- end }} + volumes: + - name: config + projected: + sources: + - configMap: + name: {{ include "chainloop.cas.fullname" . }} + - secret: + name: {{ include "chainloop.cas.fullname" . }} + - name: jwt-public-key + secret: + secretName: {{ include "chainloop.cas.fullname" . }}-jwt-public-key + {{- if .Values.cas.tlsConfig.secret.name }} + - name: server-certs + secret: + secretName: {{ .Values.cas.tlsConfig.secret.name }} + {{- end }} + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + {{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml b/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml new file mode 100644 index 00000000000000..00335194d4d52e --- /dev/null 
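Review bot: The `gcp-secretmanager-serviceaccountkey` volume at the end of the pod spec references `secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey`, while the CAS's own `cas/gcp_secret_manager.secret.yaml` in the next hunk creates `{{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey`, so the CAS pod mounts the controlplane's copy and the CAS secret is created but never consumed; the volume should use `secretName: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey`, which also keeps the two components independently deployable. The pod spec sets no `automountServiceAccountToken`; unless the CAS actually talks to the Kubernetes API, `automountServiceAccountToken: false` next to `serviceAccountName` (or on the ServiceAccount) avoids handing the container an unused API credential. Mounting the `jwt-public-key` secret at `mountPath: "/tmp"` replaces the container's temp directory with a read-only secret volume, which will surprise anything in the process that writes temp files; a dedicated path such as `/data/public-keys`, with `public_key_path` in `config.secret.yaml` updated to match, would be less fragile.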
+++ b/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml
@@ -0,0 +1,11 @@
+{{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey
+ labels:
+ {{- include "chainloop.cas.labels" . | nindent 4 }}
+type: Opaque
+data:
+ serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/bitnami/chainloop/templates/cas/gke_monitoring.yaml b/bitnami/chainloop/templates/cas/gke_monitoring.yaml
new file mode 100644
index 00000000000000..9260d461b82655
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/gke_monitoring.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.GKEMonitoring.enabled -}}
+apiVersion: monitoring.googleapis.com/v1
+kind: PodMonitoring
+metadata:
+ name: {{ include "chainloop.cas.fullname" . }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "chainloop.cas.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: metrics
+ interval: 30s
+{{- end }}
\ No newline at end of file
diff --git a/bitnami/chainloop/templates/cas/hpa.yaml b/bitnami/chainloop/templates/cas/hpa.yaml
new file mode 100644
index 00000000000000..e5db27edd75ec3
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/hpa.yaml
@@ -0,0 +1,40 @@ +{{- if .Values.cas.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "chainloop.cas.fullname" . }} + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: Deployment + name: {{ include "chainloop.cas.fullname" . }} + minReplicas: {{ .Values.cas.autoscaling.minReplicas }} + maxReplicas: {{ .Values.cas.autoscaling.maxReplicas }} + metrics: + {{- if .Values.cas.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.cas.autoscaling.targetCPUUtilizationPercentage }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.cas.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- end }} + {{- if .Values.cas.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.cas.autoscaling.targetMemoryUtilizationPercentage }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.cas.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/cas/ingress.yaml b/bitnami/chainloop/templates/cas/ingress.yaml new file mode 100644 index 00000000000000..01053851a568ed --- /dev/null +++ b/bitnami/chainloop/templates/cas/ingress.yaml 
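Review bot: `scaleTargetRef.apiVersion` is resolved through `common.capabilities.deployment.apiVersion` here but hard-coded to `apps/v1` in controlplane/hpa.yaml, although the two HPA templates are otherwise line-for-line copies and should agree. Since both Deployments are emitted with a literal `apiVersion: apps/v1`, the plain `apiVersion: apps/v1` is the consistent choice and drops a helper call.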
@@ -0,0 +1,60 @@ +{{- if .Values.cas.ingress.enabled }} +{{- $fullName := include "chainloop.cas.fullname" . -}} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.ingress.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.cas.ingress.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingress.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + {{- if and .Values.cas.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.cas.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.cas.ingress.hostname }} + - host: {{ .Values.cas.ingress.hostname }} + http: + paths: + {{- if .Values.cas.ingress.extraPaths }} + {{- toYaml .Values.cas.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.cas.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}} + pathType: {{ .Values.cas.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.cas.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.cas.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned)) .Values.cas.ingress.extraTls }} + tls: + {{- if and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned) }} + - hosts: + - {{ .Values.cas.ingress.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }} + {{- end }} + {{- if .Values.cas.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/ingress_grpc.yaml b/bitnami/chainloop/templates/cas/ingress_grpc.yaml new file mode 100644 index 00000000000000..35cb6aa44a4f94 --- /dev/null +++ b/bitnami/chainloop/templates/cas/ingress_grpc.yaml 
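Review bot: When `cas.ingress.selfSigned` is set, the `tls` block references `secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }}`, but no template that generates that Secret is visible in this patch, so the Ingress would point at a Secret that does not exist. Either add the usual self-signed TLS secret template gated on `selfSigned`, or remove `selfSigned` from the condition so the block is emitted only for the cert-manager case. `host: {{ .Values.cas.ingress.hostname }}` is also unquoted while the `extraHosts` entries use `| quote`; `host: {{ .Values.cas.ingress.hostname | quote }}` keeps them consistent. The same applies to cas/ingress_grpc.yaml, controlplane/ingress.yaml and controlplane/ingress_grpc.yaml.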
@@ -0,0 +1,60 @@ +{{- if .Values.cas.ingressAPI.enabled }} +{{- $fullName := printf "%s-%s" (include "chainloop.cas.fullname" .) "api" -}} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.ingressAPI.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.cas.ingressAPI.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingressAPI.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + {{- if and .Values.cas.ingressAPI.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.cas.ingressAPI.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.cas.ingressAPI.hostname }} + - host: {{ .Values.cas.ingressAPI.hostname }} + http: + paths: + {{- if .Values.cas.ingressAPI.extraPaths }} + {{- toYaml .Values.cas.ingressAPI.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.cas.ingressAPI.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}} + pathType: {{ .Values.cas.ingressAPI.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.cas.ingressAPI.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.cas.ingressAPI.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingressAPI.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.cas.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingressAPI.annotations )) .Values.cas.ingressAPI.selfSigned)) .Values.cas.ingressAPI.extraTls }} + tls: + {{- if and .Values.cas.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingressAPI.annotations )) .Values.cas.ingressAPI.selfSigned) }} + - hosts: + - {{ .Values.cas.ingressAPI.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.cas.ingressAPI.hostname }} + {{- end }} + {{- if .Values.cas.ingressAPI.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingressAPI.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml b/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml new file mode 100644 index 00000000000000..6880bdab12de17 --- /dev/null +++ b/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml 
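Review bot: This Ingress routes the `grpc` service port with nothing telling the controller that the backend speaks gRPC; with ingress-nginx, for example, that requires the `nginx.ingress.kubernetes.io/backend-protocol: "GRPC"` annotation and TLS on the Ingress, and a plain HTTP/1.1 Ingress will not carry the API. The template neither sets nor documents this, so a user enabling `cas.ingressAPI` with defaults gets an Ingress that cannot serve the CAS API. A header comment such as `# gRPC ingress: the ingress controller must be configured for gRPC backends (e.g. a backend-protocol annotation) and TLS; set this via cas.ingressAPI.annotations` would make the requirement visible; the same applies to controlplane/ingress_grpc.yaml.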
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.cas.fullname" . }}-jwt-public-key + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +type: Opaque +data: + cas.public.pem: {{ include "chainloop.casjwt.public_key" . | b64enc | quote }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/service_grpc.yaml b/bitnami/chainloop/templates/cas/service_grpc.yaml new file mode 100644 index 00000000000000..6bcd23f4a7a540 --- /dev/null +++ b/bitnami/chainloop/templates/cas/service_grpc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.cas.fullname" . }}-api + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- with .Values.cas.serviceAPI.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.cas.serviceAPI.type }} + ports: + - port: {{ .Values.cas.serviceAPI.port }} + targetPort: {{ .Values.cas.serviceAPI.targetPort }} + protocol: TCP + name: grpc + nodePort: {{ include "chainloop.node_port" .Values.cas.serviceAPI }} + selector: + {{- include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/cas/service_http.yaml b/bitnami/chainloop/templates/cas/service_http.yaml new file mode 100644 index 00000000000000..c7beb1afa9987c --- /dev/null +++ b/bitnami/chainloop/templates/cas/service_http.yaml 
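Review bot: The public key written here is consumed by the CAS pod through a volume mounted at `/tmp` (the `jwt-public-key` volumeMount in the preceding cas/deployment.yaml hunk), which turns the container's `/tmp` into a read-only Secret projection holding only `cas.public.pem`; the controlplane, by contrast, gets a writable `emptyDir` at `/tmp`. If the CAS config reads the key from `/tmp/cas.public.pem`, a dedicated path such as `/secrets` (as the controlplane does for `cas.private.key`) avoids breaking anything that writes temporary files; I cannot see the CAS config, so confirm the expected path. Since this object carries a public key only, it could also be a ConfigMap, which keeps Secret RBAC grants scoped to material that is actually sensitive.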
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.cas.fullname" . }} + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- with .Values.cas.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.cas.service.type }} + ports: + - port: {{ .Values.cas.service.port }} + targetPort: {{ .Values.cas.service.targetPort }} + protocol: TCP + name: http + nodePort: {{ include "chainloop.node_port" .Values.cas.service }} + selector: {{- include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/cas/serviceaccount.yaml b/bitnami/chainloop/templates/cas/serviceaccount.yaml new file mode 100644 index 00000000000000..f204aa4172d6ad --- /dev/null +++ b/bitnami/chainloop/templates/cas/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.cas.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "chainloop.cas.serviceAccountName" . }} + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} + {{- with .Values.cas.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/controlplane/config.configmap.yaml b/bitnami/chainloop/templates/controlplane/config.configmap.yaml new file mode 100644 index 00000000000000..0d395f281f3b4e --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/config.configmap.yaml 
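Review bot: The ServiceAccount is created without `automountServiceAccountToken`, so every CAS pod gets a Kubernetes API token mounted although nothing in the chart shows the CAS calling the API. Adding a top-level `automountServiceAccountToken: {{ .Values.cas.serviceAccount.automountServiceAccountToken }}` (sibling of `metadata`, backed by a new value defaulting to `false`) follows the pattern used across bitnami charts. The controlplane/serviceaccount.yaml hunk has the same gap; if Workload Identity or another in-cluster integration needs the token there, keep it `true` for that account only and say so in the values comment.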
@@ -0,0 +1,44 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +data: + {{- if .Values.controlplane.allowList }} + allow_list.yaml: | + auth: + allow_list: + {{- range .Values.controlplane.allowList }} + - {{ . | quote }} + {{- end }} + {{- end }} + config.yaml: | + server: + http: + addr: 0.0.0.0:8000 + timeout: 10s + external_url: {{ include "chainloop.controlplane.external_url" . }} + http_metrics: + addr: 0.0.0.0:5000 + grpc: + addr: 0.0.0.0:9000 + timeout: 10s + {{- if .Values.controlplane.tlsConfig.secret.name }} + tls_config: + certificate: /data/server-certs/tls.crt + private_key: /data/server-certs/tls.key + {{- end }} + cas_server: + grpc: + addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) .Values.cas.serviceAPI.port }} + insecure: true + download_url: {{ include "chainloop.cas.external_url" . }}/download + plugins_dir: {{ .Values.controlplane.pluginsDir }} + referrer_shared_index: + {{- toYaml .Values.controlplane.referrerSharedIndex | nindent 6 }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/config.secret.yaml b/bitnami/chainloop/templates/controlplane/config.secret.yaml new file mode 100644 index 00000000000000..739910a1f648e9 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/config.secret.yaml 
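Review bot: `cas_server.grpc.insecure: true` is hard-coded, so the controlplane-to-CAS gRPC hop is always plaintext, even when `cas.tlsConfig.secret.name` is set and the CAS pod mounts server certificates in the preceding cas/deployment.yaml hunk; if the CAS then serves TLS on port 9000 this client fails the handshake, and if it does not, the value silently fixes the hop as unencrypted. Deriving it from the same switch, `insecure: {{ not .Values.cas.tlsConfig.secret.name }}`, or exposing a dedicated value, keeps both sides in step; I cannot see how the CAS applies `tls_config`, so confirm which listener it covers. A short comment above the line stating that `addr` is the in-cluster `-api` Service and where transport security is expected to come from would help operators reason about it.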
@@ -0,0 +1,58 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +type: Opaque +{{- $hmacpass := include "common.secrets.passwords.manage" (dict "secret" (include "chainloop.controlplane.fullname" .) "key" "generated_jws_hmac_secret" "providedValues" (list "controlplane.auth.passphrase") "context" $) }} +data: + # We store it also as a different key so it can be reused during upgrades by the common.secrets.passwords.manage helper + generated_jws_hmac_secret: {{ $hmacpass }} +stringData: + {{- if and .Values.sentry .Values.sentry.enabled }} + {{- fail "configuring sentry at the top level is no longer supported. Add the configuration to the controlplane section in the values.yaml file" }} + {{- end -}} + {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }} + config.observability.yaml: | + {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }} + {{- end }} + {{- if and .Values.controlplane.keylessSigning .Values.controlplane.keylessSigning.enabled }} + fileca.secret.yaml: | + {{- with .Values.controlplane.keylessSigning.fileCA }} + certificate_authority: + file_ca: + cert_path: "/ca_secrets/file_ca.cert" + key_path: "/ca_secrets/file_ca.key" + key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}" + {{- end }} + {{- end }} + config.secret.yaml: | + data: + database: + driver: pgx + source: {{include "controlplane.database.connection_string" . }} + + credentials_service: {{- include "chainloop.credentials_service_settings" . 
| indent 6 }} + + auth: + oidc: + {{- with .Values.controlplane.auth }} + redirect_url_scheme: {{ .redirectURLScheme }} + domain: "{{ required "oidc URL endpoint required" .oidc.url }}" + client_id: "{{ required "oidc clientID required" .oidc.clientID }}" + client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}" + {{- end }} + + # HMAC key used to sign the JWTs generated by the controlplane + # The helper returns the base64 quoted value of the secret + # We need to remove the quotes and then decoding it so it's compatible with the stringData stanza + generated_jws_hmac_secret: {{ $hmacpass | replace "\"" "" | b64dec | quote }} + + # Private key used to sign the JWTs meant to be consumed by the CAS + cas_robot_account_private_key_path: "/secrets/cas.private.key" diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml new file mode 100644 index 00000000000000..e0b21fb4c77356 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/deployment.yaml 
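Review bot: `client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}"` wraps the value in literal double quotes, as do `domain`, `client_id` and `key_pass`; any value containing `"` or a backslash breaks the YAML embedded in `config.secret.yaml`, and secrets are exactly where such characters turn up. `client_secret: {{ required "oidc clientSecret required" .oidc.clientSecret | quote }}` (and likewise for the other three) escapes correctly. Separately, `fileca.secret.yaml` is emitted whenever `controlplane.keylessSigning.enabled` is true, but the `-keyless-file-ca` Secret in controlplane/file_ca.secret.yaml is only created when `backend` is also `fileCA`, while controlplane/deployment.yaml mounts that Secret on `enabled` alone; with `enabled: true` and another backend, the `required` on `keyPass` fires and the pod references a Secret that is never rendered. Gating all three on the same `and .enabled (eq "fileCA" .backend)` condition removes the mismatch.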
@@ -0,0 +1,122 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +spec: + {{- if not .Values.controlplane.autoscaling.enabled }} + replicas: {{ .Values.controlplane.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "chainloop.controlplane.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/controlplane" "/config.configmap.yaml") . | sha256sum }} + checksum/secret-config: {{ include (print $.Template.BasePath "/controlplane" "/config.secret.yaml") . | sha256sum }} + checksum/cas-private-key: {{ include (print $.Template.BasePath "/controlplane" "/jwt_cas_private_key.secret.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: controlplane + labels: + {{- include "chainloop.controlplane.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.controlplane.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "controlplane.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} + initContainers: + - name: migrate + image: "{{ .Values.controlplane.migration.image.repository }}:{{ .Values.controlplane.migration.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} + args: + - migrate + - apply + - --url + - "{{include "controlplane.database.atlas_connection_string" . 
}}" + - --dir + - file:///migrations + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.controlplane.securityContext | nindent 12 }} + image: "{{ .Values.controlplane.image.repository }}:{{ .Values.controlplane.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} + ports: + - name: http + containerPort: 8000 + protocol: TCP + - name: metrics + containerPort: 5000 + protocol: TCP + - name: grpc + containerPort: 9000 + protocol: TCP + livenessProbe: + httpGet: + path: /statusz + port: http + periodSeconds: 5 + readinessProbe: + httpGet: + path: /statusz?readiness=1 + port: http + periodSeconds: 5 + resources: + {{- toYaml .Values.controlplane.resources | nindent 12 }} + volumeMounts: + - name: config + mountPath: /data/conf + - name: tmp + mountPath: /tmp + - name: jwt-cas-private-key + mountPath: /secrets + {{- if .Values.controlplane.keylessSigning.enabled }} + - name: file-ca-cert + mountPath: /ca_secrets + {{- end }} + {{- if .Values.controlplane.tlsConfig.secret.name }} + - name: server-certs + mountPath: /data/server-certs + {{- end }} + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + mountPath: /gcp-secrets + {{- end }} + volumes: + - name: config + projected: + sources: + - secret: + name: {{ include "chainloop.controlplane.fullname" . }} + - configMap: + name: {{ include "chainloop.controlplane.fullname" . }} + # required for the plugins to store the socket files + - name: tmp + emptyDir: {} + - name: jwt-cas-private-key + secret: + secretName: {{ include "chainloop.controlplane.fullname" . 
}}-jwt-cas + {{- if .Values.controlplane.tlsConfig.secret.name }} + - name: server-certs + secret: + secretName: {{ .Values.controlplane.tlsConfig.secret.name }} + {{- end }} + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + {{- end }} + {{- if .Values.controlplane.keylessSigning.enabled }} + - name: file-ca-cert + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca + {{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml b/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml new file mode 100644 index 00000000000000..fa0673fe66d4c9 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml 
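Review bot: The `migrate` init container receives the database URL as a literal argument, `--url "{{include "controlplane.database.atlas_connection_string" . }}"`, so the database password is rendered into the pod spec and is readable by anyone with `get pods` in the namespace, in `kubectl describe` output and in audit logs, even though the same credentials are kept in a Secret for the main container. Storing the atlas connection string as a key of the controlplane Secret and injecting it through an environment variable referenced as `$(ATLAS_URL)` in `args` (the kubelet expands `$(VAR)` in args) keeps it out of the pod spec. The init container also has no `securityContext`, unlike the main container. The Secret key name below is a placeholder to be added to config.secret.yaml.
```yaml
      initContainers:
        - name: migrate
          image: "{{ .Values.controlplane.migration.image.repository }}:{{ .Values.controlplane.migration.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}
          securityContext:
            {{- toYaml .Values.controlplane.securityContext | nindent 12 }}
          env:
            - name: ATLAS_URL
              valueFrom:
                secretKeyRef:
                  name: {{ include "chainloop.controlplane.fullname" . }}
                  key: ATLAS_CONNECTION_STRING_KEY_PLACEHOLDER  # placeholder: add this key to config.secret.yaml
          args:
            - migrate
            - apply
            - --url
            - "$(ATLAS_URL)"
            - --dir
            - file:///migrations
      # … unchanged: containers, volumeMounts, volumes …
```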
@@ -0,0 +1,61 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{ if .Values.controlplane.sqlProxy.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "chainloop.sql-proxy.fullname" . }} + labels: + {{- include "chainloop.sql-proxy.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: cloud-sql-proxy + labels: + {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 8 }} + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: controlplane + topologyKey: kubernetes.io/hostname + {{- with .Values.controlplane.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "controlplane.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} + containers: + + - name: cloud-sql-proxy + # It is recommended to use the latest version of the Cloud SQL proxy + # Make sure to update on a regular schedule! + image: gcr.io/cloudsql-docker/gce-proxy:1.33.10 # make sure the use the latest version + command: + - "/cloud_sql_proxy" + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + # - "-ip_address_types=PRIVATE" + + # By default, the proxy will write all logs to stderr. In some + # environments, anything printed to stderr is consider an error. 
To + # disable this behavior and write all logs to stdout (except errors + # which will still go to stderr), use: + - "-log_debug_stdout" + - "-instances={{ .Values.controlplane.sqlProxy.connectionName }}=tcp:0.0.0.0:5432" + securityContext: + runAsNonRoot: true + resources: + {{- toYaml .Values.controlplane.sqlProxy.resources | nindent 12 }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml b/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml new file mode 100644 index 00000000000000..4e53fbcca7c83f --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml @@ -0,0 +1,17 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +type: Opaque +data: + file_ca.cert: {{ .Values.controlplane.keylessSigning.fileCA.cert | b64enc | quote }} + file_ca.key: {{ .Values.controlplane.keylessSigning.fileCA.key | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml b/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml new file mode 100644 index 00000000000000..8f248f59e46900 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml 
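Review bot: The Cloud SQL proxy image is a fixed `gcr.io/cloudsql-docker/gce-proxy:1.33.10` with a comment telling operators to keep it current, yet the tag is neither exposed through values nor pinned by digest, so nobody can update it without editing the template; a `controlplane.sqlProxy.image.repository`/`tag` pair (new values) with documented defaults would follow the rest of the chart. The proxy also listens on `tcp:0.0.0.0:5432` and is published through the ClusterIP Service in controlplane/service_sql-proxy.yaml, so any workload that can reach that Service gets a path to the Cloud SQL instance guarded only by the database password; a NetworkPolicy restricting ingress to the controlplane pods, or at least a comment noting the exposure, is worth adding. Two typos in the comment block: `make sure the use the latest version` should read `make sure to use the latest version`, and `is consider an error` should read `is considered an error`. `gce-proxy` is the v1 proxy line; if the v2 Cloud SQL Auth Proxy is the intended target, confirm before the chart's first release since the flags differ.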
@@ -0,0 +1,16 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +type: Opaque +data: + serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml b/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml new file mode 100644 index 00000000000000..af7ed239d9057b --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.GKEMonitoring.enabled -}} +apiVersion: monitoring.googleapis.com/v1 +kind: PodMonitoring +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} +spec: + selector: + matchLabels: + {{- include "chainloop.controlplane.selectorLabels" . | nindent 6 }} + endpoints: + - port: metrics + interval: 30s +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/hpa.yaml b/bitnami/chainloop/templates/controlplane/hpa.yaml new file mode 100644 index 00000000000000..810be999fcfce3 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/hpa.yaml 
@@ -0,0 +1,45 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.controlplane.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "chainloop.controlplane.fullname" . }} + minReplicas: {{ .Values.controlplane.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controlplane.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- end }} + {{- if .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/controlplane/ingress.yaml b/bitnami/chainloop/templates/controlplane/ingress.yaml new file mode 100644 index 00000000000000..de35e887b6a352 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/ingress.yaml 
@@ -0,0 +1,65 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.controlplane.ingress.enabled }} +{{- $fullName := include "chainloop.controlplane.fullname" . -}} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.ingress.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.controlplane.ingress.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.ingress.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + {{- if and .Values.controlplane.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.controlplane.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.controlplane.ingress.hostname }} + - host: {{ .Values.controlplane.ingress.hostname }} + http: + paths: + {{- if .Values.controlplane.ingress.extraPaths }} + {{- toYaml .Values.controlplane.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.controlplane.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}} + pathType: {{ .Values.controlplane.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.controlplane.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.controlplane.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.controlplane.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingress.annotations )) .Values.controlplane.ingress.selfSigned)) .Values.controlplane.ingress.extraTls }} + tls: + {{- if and .Values.controlplane.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingress.annotations )) .Values.controlplane.ingress.selfSigned) }} + - hosts: + - {{ .Values.controlplane.ingress.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.controlplane.ingress.hostname }} + {{- end }} + {{- if .Values.controlplane.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml b/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml new file mode 100644 index 00000000000000..3934f33a75af22 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml 
@@ -0,0 +1,65 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.controlplane.ingressAPI.enabled }} +{{- $fullName := printf "%s-%s" (include "chainloop.controlplane.fullname" .) "api" -}} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.ingressAPI.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.controlplane.ingressAPI.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.ingressAPI.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + {{- if and .Values.controlplane.ingressAPI.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.controlplane.ingressAPI.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.controlplane.ingressAPI.hostname }} + - host: {{ .Values.controlplane.ingressAPI.hostname }} + http: + paths: + {{- if .Values.controlplane.ingressAPI.extraPaths }} + {{- toYaml .Values.controlplane.ingressAPI.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.controlplane.ingressAPI.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}} + pathType: {{ .Values.controlplane.ingressAPI.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.controlplane.ingressAPI.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.controlplane.ingressAPI.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingressAPI.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.controlplane.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingressAPI.annotations )) .Values.controlplane.ingressAPI.selfSigned)) .Values.controlplane.ingressAPI.extraTls }} + tls: + {{- if and .Values.controlplane.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingressAPI.annotations )) .Values.controlplane.ingressAPI.selfSigned) }} + - hosts: + - {{ .Values.controlplane.ingressAPI.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.controlplane.ingressAPI.hostname }} + {{- end }} + {{- if .Values.controlplane.ingressAPI.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingressAPI.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml b/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml new file mode 100644 index 00000000000000..577163c22b332f --- /dev/null 
+++ b/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml @@ -0,0 +1,14 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +type: Opaque +data: + cas.private.key: {{ include "chainloop.casjwt.private_key" . | b64enc | quote }} diff --git a/bitnami/chainloop/templates/controlplane/service_grpc.yaml b/bitnami/chainloop/templates/controlplane/service_grpc.yaml new file mode 100644 index 00000000000000..249e96f6dc10df --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/service_grpc.yaml @@ -0,0 +1,25 @@ +{{- /* +Copyright Chainloop, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-api + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- with .Values.controlplane.serviceAPI.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.controlplane.serviceAPI.type }} + ports: + - port: {{ .Values.controlplane.serviceAPI.port }} + targetPort: {{ .Values.controlplane.serviceAPI.targetPort }} + protocol: TCP + name: grpc + nodePort: {{ include "chainloop.node_port" .Values.controlplane.serviceAPI }} + selector: + {{- include "chainloop.controlplane.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/controlplane/service_http.yaml b/bitnami/chainloop/templates/controlplane/service_http.yaml new file mode 100644 index 00000000000000..e4deaf9182807b --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/service_http.yaml 
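Review bot: `cas.private.key` is rendered from `include "chainloop.casjwt.private_key" .`, and the helper is not in this hunk, so I cannot see whether it reuses an existing key via `lookup` or generates a fresh one on every render; if it is the latter, each `helm upgrade` rotates the CAS signing key, the `checksum/cas-private-key` annotation in controlplane/deployment.yaml restarts the controlplane, and the CAS presumably keeps verifying against the stale public key until its own rollout. Please confirm the helper's behaviour and add a comment above `data:` stating it, e.g. `# Key material comes from chainloop.casjwt.private_key; it must be stable across upgrades or the CAS public key in cas/jwt_public_key.secret.yaml rotates out of step`.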
@@ -0,0 +1,24 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "chainloop.controlplane.fullname" . }}
+ labels:
+ {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- with .Values.controlplane.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.controlplane.service.type }}
+ ports:
+ - port: {{ .Values.controlplane.service.port }}
+ targetPort: {{ .Values.controlplane.service.targetPort }}
+ protocol: TCP
+ name: http
+ nodePort: {{ include "chainloop.node_port" .Values.controlplane.service }}
+ selector: {{- include "chainloop.controlplane.selectorLabels" . | nindent 4 }}
diff --git a/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml b/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml
new file mode 100644
index 00000000000000..f265cf90fa257d
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml
@@ -0,0 +1,22 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{ if .Values.controlplane.sqlProxy.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "chainloop.sql-proxy.fullname" . }}
+ labels:
+ {{- include "chainloop.sql-proxy.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .Values.controlplane.externalDatabase.port }}
+ targetPort: {{ .Values.controlplane.externalDatabase.port }}
+ protocol: TCP
+ name: tpc
+ selector:
+ {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/bitnami/chainloop/templates/controlplane/serviceaccount.yaml b/bitnami/chainloop/templates/controlplane/serviceaccount.yaml
new file mode 100644
index 00000000000000..282d4b09a131c5
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/serviceaccount.yaml
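Review bot: The port name in the SQL proxy Service is misspelt, `name: tpc`; port names are what NetworkPolicies and other Services match on, so a typo here fails silently rather than loudly, and it should read `name: tcp` or, better, `name: postgresql`. This Service also exposes the Cloud SQL proxy's authenticated tunnel on a ClusterIP reachable from any pod in the cluster, while the proxy itself authenticates with its own credentials rather than the caller's; a NetworkPolicy limiting ingress to the controlplane pods' selector labels (or documentation that operators must add one) would close that gap, assuming the proxy Deployment in `deployment_sqlproxy.yaml` has no such restriction of its own. Finally, `{{ if .Values.controlplane.sqlProxy.enabled }}` without the `-` trim emits a stray blank line when the feature is off; `{{- if ... }}` matches the serviceaccount template in this patch.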
@@ -0,0 +1,17 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "controlplane.serviceAccountName" . }}
+ labels:
+ {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+ {{- with .Values.controlplane.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
new file mode 100644
index 00000000000000..61c16d340e7918
--- /dev/null
+++ b/bitnami/chainloop/values.yaml
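Review bot: The ServiceAccount never sets `automountServiceAccountToken`, so every controlplane pod receives a projected Kubernetes API token even though nothing in this chart's templates shows the controlplane talking to the API server; add `automountServiceAccountToken: {{ .Values.controlplane.serviceAccount.automountServiceAccountToken }}` under the `metadata` block with a `false` default in `values.yaml`, which is the convention in the other Bitnami charts. The Deployment template is outside this hunk, so if it already disables the mount at pod level this is belt-and-braces rather than a fix. Either way the new parameter needs a `## @param controlplane.serviceAccount.automountServiceAccountToken` line, since the block is currently `@skip`ped in the README generation.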
@@ -0,0 +1,840 @@ +# Copyright Chainloop, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## Default values for Chainloop Helm Chart + +## @skip global +global: {} + +## @section Common parameters +## +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" + +## @param development Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases +## +development: false + +## @param GKEMonitoring.enabled Enable GKE podMonitoring (prometheus.io scrape) to scrape the controlplane and CAS /metrics endpoints +GKEMonitoring: + enabled: false + +## @section Secrets Backend +## + +## Location where to store sensitive data. If development.true? and no overrides provided, the setup will connect to a development instance of Vault +secretsBackend: + ## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") + ## + backend: "vault" # "awsSecretManager | gcpSecretManager | azureKeyVault" + ## @param secretsBackend.secretPrefix Prefix that will be pre-pended to all secrets in the storage backend + ## + secretPrefix: "chainloop" + + ## @extra secretsBackend.vault.address Vault address + ## @extra secretsBackend.vault.token Vault authentication token + ## + # vault: + # address: "" + # token: "" + + ## @extra secretsBackend.awsSecretManager.accessKey AWS Access KEY ID + ## @extra secretsBackend.awsSecretManager.secretKey AWS Secret Key + ## @extra secretsBackend.awsSecretManager.region AWS Secrets Manager Region + ## + # awsSecretManager: + # accessKey: "" + # secretKey: "" + # region: "" + + ## @extra secretsBackend.gcpSecretManager.projectId GCP Project ID + ## @extra secretsBackend.gcpSecretManager.serviceAccountKey GCP Auth Key + ## + # gcpSecretManager: + # projectId: "" + # serviceAccountKey: "" + + ## @extra secretsBackend.azureKeyVault.tenantID Active Directory Tenant ID + ## 
@extra secretsBackend.azureKeyVault.clientID Registered application / service principal client ID + ## @extra secretsBackend.azureKeyVault.clientSecret Service principal client secret + ## @extra secretsBackend.azureKeyVault.vaultURI Azure Key Vault URL + ## + # azureKeyVault: + # tenantID: "" + # clientID: "" + # clientSecret: "" + # vaultURI: "" + +## @section Authentication +## + +## ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication +## The controlplane will use the private key to generate a JWT at user request +## The CAS will use the public key to verify the authenticity of that token +## If development=true is set, a development key will be configured automatically +## otherwise you'll need to provide new keys via .Values.casJWTPrivateKey and .Values.cas.casJWTPublicKey + +## @param casJWTPrivateKey ECDSA (ES512) private key used for Controlplane <-> CAS Authentication +## +## To generate one +## openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key +## casJWTPrivateKey: |- +## -----BEGIN EC PRIVATE KEY----- +## -----END EC PRIVATE KEY----- +## +casJWTPrivateKey: "" + +## @param casJWTPublicKey ECDSA (ES512) public key +## +# openssl ec -in private.ec.key -pubout -out public.pem +# casJWTPublicKey: | +# -----BEGIN PUBLIC KEY----- +# -----END PUBLIC KEY----- +casJWTPublicKey: "" + +## @section Control Plane +################################### +## CONTROL PLANE # +################################### +controlplane: + ## @param controlplane.replicaCount Number of replicas + replicaCount: 2 + + ## @param controlplane.image.repository FQDN uri for the image + ## @extra controlplane.image.tag Image tag (immutable tags are recommended). If no set chart.appVersion will be used + image: + repository: ghcr.io/chainloop-dev/chainloop/control-plane + # Overrides the image tag whose default is the chart appVersion. 
+ # tag: latest + + ## @param controlplane.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. + tlsConfig: + secret: + # the secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. + name: "" + + ## @param controlplane.pluginsDir Directory where to look for plugins + pluginsDir: /plugins + + ## @extra controlplane.referrerSharedIndex Configure the shared, public index API endpoint that can be used to discover metadata referrers + ## @param controlplane.referrerSharedIndex.enabled Enable index API endpoint + ## @param controlplane.referrerSharedIndex.allowedOrgs List of UUIDs of organizations that are allowed to publish to the shared index + referrerSharedIndex: + enabled: false + allowedOrgs: [] + + # Database migration + ## @skip controlplane.migration + migration: + image: + repository: ghcr.io/chainloop-dev/chainloop/control-plane-migrations + # Overrides the image tag whose default is the chart appVersion. + # tag: latest + # Run the migration job forcing SSL, required in AWS RDS for PostgreSQL 15 + ssl: false + + ## @skip controlplane.serviceAccount + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + ## @section Control Plane Database + + ## @extra controlplane.externalDatabase External PostgreSQL configuration. 
These values are only used when postgresql.enabled is set to false + ## @param controlplane.externalDatabase.host Database host + ## @param controlplane.externalDatabase.port Database port number + ## @param controlplane.externalDatabase.user Non-root username + ## @param controlplane.externalDatabase.database Database name + ## @param controlplane.externalDatabase.password Password for the non-root username + ## + externalDatabase: + host: "" + port: 5432 + user: "" + database: "" + password: "" + + sqlProxy: + ## @param controlplane.sqlProxy.enabled Enable sidecar to connect to DB via Google Cloud SQL proxy + enabled: false + ## @param controlplane.sqlProxy.connectionName Google Cloud SQL connection name + connectionName: "" + ## @param controlplane.sqlProxy.resources Sidecar container resources + resources: {} + + ## @section Control Plane Authentication + auth: + ## @param controlplane.auth.passphrase Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation + ## + passphrase: "" + + ## @param controlplane.auth.oidc.url Full authentication path, it should match the issuer URL of the Identity provider (IDp) + ## @param controlplane.auth.oidc.clientID OIDC IDp clientID + ## @param controlplane.auth.oidc.clientSecret OIDC IDp clientSecret + oidc: + url: "" + clientID: "" + clientSecret: "" + + ## @section Control Plane Networking + service: + ## @param controlplane.service.type Service type + type: ClusterIP + ## @param controlplane.service.port Service port + port: 80 + ## @param controlplane.service.targetPort Service target Port + targetPort: http + ## @extra controlplane.service.nodePorts.http Node port for HTTP. 
NOTE: choose port between <30000-32767> + # nodePorts: + # http: "30800" + annotations: + {} + ## @skip controlplane.service.annotations + + serviceAPI: + ## @param controlplane.serviceAPI.type Service type + type: ClusterIP + ## @param controlplane.serviceAPI.port Service port + port: 80 + ## @param controlplane.serviceAPI.targetPort Service target Port + targetPort: grpc + ## @extra controlplane.serviceAPI.annotations Service annotations + annotations: + ## @skip controlplane.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme + traefik.ingress.kubernetes.io/service.serversscheme: h2c + + ## @extra controlplane.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + # nodePorts: + # http: "30900" + + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingress: + ## @param controlplane.ingress.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## + enabled: false + ## @param controlplane.ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param controlplane.ingress.hostname Default host for the ingress record + ## + hostname: cp.dev.local + ## @param controlplane.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param controlplane.ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param controlplane.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/controlplane.ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param controlplane.ingress.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}` + ## You can: + ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true` + ## + tls: false + ## @param controlplane.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param controlplane.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: cp.dev.local + ## path: / + ## + extraHosts: [] + ## @param controlplane.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param controlplane.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - cp.dev.local + ## secretName: cp.dev.local-tls + ## + extraTls: [] + ## @param controlplane.ingress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## 
NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: cp.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param controlplane.ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] + + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingressAPI: + ## @param controlplane.ingressAPI.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## + enabled: false + ## @param controlplane.ingressAPI.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param controlplane.ingressAPI.hostname Default host for the ingress record + ## + hostname: api.cp.dev.local + ## @param controlplane.ingressAPI.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param controlplane.ingressAPI.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @extra controlplane.ingressAPI.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/controlplane.ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: + ## @skip controlplane.ingressAPI.annotations.nginx.ingress.kubernetes.io/backend-protocol + ## Tell Nginx Ingress Controller to expect gRPC traffic + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + + ## @param controlplane.ingressAPI.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}` + ## You can: + ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true` + ## + tls: false + ## @param controlplane.ingressAPI.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param controlplane.ingressAPI.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: cp.dev.local + ## path: / + ## + extraHosts: [] + ## @param controlplane.ingressAPI.extraPaths An 
array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param controlplane.ingressAPI.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - cp.dev.local + ## secretName: cp.dev.local-tls + ## + extraTls: [] + ## @param controlplane.ingressAPI.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: cp.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... 
+ ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param controlplane.ingressAPI.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] + + ## @section Controlplane Misc + + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param controlplane.resources.limits.cpu Container resource limits CPU + ## @param controlplane.resources.limits.memory Container resource limits memory + ## @param controlplane.resources.requests.cpu Container resource requests CPU + ## @param controlplane.resources.requests.memory Container resource requests memory + resources: + # GKE auto-pilot min + # https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests + requests: + cpu: 250m + memory: 512Mi + limits: + cpu: 250m + memory: 512Mi + + ## Deployment autoscaling + ## @param controlplane.autoscaling.enabled Enable deployment autoscaling + ## @param controlplane.autoscaling.minReplicas Minimum number of replicas + ## @param controlplane.autoscaling.maxReplicas Maximum number of replicas + ## @param controlplane.autoscaling.targetCPUUtilizationPercentage Target CPU percentage + ## @param controlplane.autoscaling.targetMemoryUtilizationPercentage Target CPU memory + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + + ## @param controlplane.sentry.enabled Enable sentry.io alerting + ## @param controlplane.sentry.dsn DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ + ## @param controlplane.sentry.environment Environment tag + sentry: + enabled: false + dsn: "" + environment: production + + ## Configuration for keyless signing using one 
of the supported providers + ## @param controlplane.keylessSigning.enabled Activates or deactivates de feature + ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" is supported + ## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## @param controlplane.keylessSigning.fileCA.key The PEM-encoded private key of the file based CA + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## @param controlplane.keylessSigning.fileCA.keyPass The secret key pass + keylessSigning: + enabled: false + backend: fileCA + fileCA: + cert: "" + key: "" + keyPass: "" + +## @section Artifact Content Addressable (CAS) API +################################## +# Artifacts CAS # +################################## +cas: + ## @param cas.replicaCount Number of replicas + replicaCount: 2 + + ## @param cas.image.repository FQDN uri for the image + ## @extra cas.image.tag Image tag (immutable tags are recommended). If no set chart.appVersion will be used + image: + repository: ghcr.io/chainloop-dev/chainloop/artifact-cas + # Overrides the image tag whose default is the chart appVersion. + # tag: latest + + ## @param cas.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. + tlsConfig: + secret: + # the secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. + name: "" + + ## @skip cas.serviceAccount + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + + ## @section CAS Networking + service: + ## @param cas.service.type Service type + type: ClusterIP + ## @param cas.service.port Service port + port: 80 + ## @param cas.service.targetPort Service target Port + targetPort: http + ## @extra cas.service.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + # nodePorts: + # http: "30800" + annotations: + {} + ## @skip cas.service.annotations + + serviceAPI: + ## @param cas.serviceAPI.type Service type + type: ClusterIP + ## @param cas.serviceAPI.port Service port + port: 80 + ## @param cas.serviceAPI.targetPort Service target Port + targetPort: grpc + ## @extra cas.serviceAPI.annotations Service annotations + annotations: + ## @skip cas.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme + traefik.ingress.kubernetes.io/service.serversscheme: h2c + + ## @extra cas.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + # nodePorts: + # http: "30901" + + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingress: + ## @param cas.ingress.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## + enabled: false + ## @param cas.ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param cas.ingress.hostname Default host for the ingress record + ## + hostname: cas.dev.local + ## @param cas.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param cas.ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param cas.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/cas.ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param cas.ingress.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}` + ## You can: + ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true` + ## + tls: false + ## @param cas.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param cas.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: cp.dev.local + ## path: / + ## + extraHosts: [] + ## @param cas.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param cas.ingress.extraTls TLS 
configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - cp.dev.local + ## secretName: cp.dev.local-tls + ## + extraTls: [] + ## @param cas.ingress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: cp.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... 
+ ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param cas.ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] + + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingressAPI: + ## @param cas.ingressAPI.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## + enabled: false + ## @param cas.ingressAPI.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param cas.ingressAPI.hostname Default host for the ingress record + ## + hostname: api.cas.dev.local + ## @param cas.ingressAPI.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param cas.ingressAPI.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @extra cas.ingressAPI.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/controlplane.ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: + # Nginx Ingress settings + ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/proxy-body-size + # Limit file uploads/downloads to 100MB. 
Alternatively you can disable this limitation by setting it to 0 + # Even though we send data in chunks of 1MB, this size refers to all the data sent during the whole streaming session + nginx.ingress.kubernetes.io/proxy-body-size: "100m" + ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/backend-protocol + ## Tell Nginx Ingress Controller to expect gRPC traffic + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + ## @skip cas.ingressAPI.annotations.nginx.ingress.kubernetes.io/client-body-buffer-size + # Improve upload speed by adding client buffering used by http2 control-flows + # https://github.com/chainloop-dev/chainloop/issues/375 + nginx.ingress.kubernetes.io/client-body-buffer-size: "3M" + + ## @param cas.ingressAPI.tls Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.controlplane.ingress.hostname }}` + ## You can: + ## - Use the `controlplane.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `controlplane.ingress.selfSigned=true` + ## + tls: false + ## @param cas.ingressAPI.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param cas.ingressAPI.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: cp.dev.local + ## path: / + ## + extraHosts: [] + ## @param cas.ingressAPI.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param cas.ingressAPI.extraTls TLS configuration for additional 
hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - cp.dev.local + ## secretName: cp.dev.local-tls + ## + extraTls: [] + ## @param cas.ingressAPI.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: cp.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... 
+ ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param cas.ingressAPI.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] + + ## @section CAS Misc + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param cas.resources.limits.cpu Container resource limits CPU + ## @param cas.resources.limits.memory Container resource limits memory + ## @param cas.resources.requests.cpu Container resource requests CPU + ## @param cas.resources.requests.memory Container resource requests memory + resources: + # GKE auto-pilot min + # https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests + requests: + cpu: 250m + memory: 512Mi + limits: + cpu: 250m + memory: 512Mi + + ## Deployment autoscaling + ## @param cas.autoscaling.enabled Enable deployment autoscaling + ## @param cas.autoscaling.minReplicas Minimum number of replicas + ## @param cas.autoscaling.maxReplicas Maximum number of replicas + ## @param cas.autoscaling.targetCPUUtilizationPercentage Target CPU percentage + ## @param cas.autoscaling.targetMemoryUtilizationPercentage Target CPU memory + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + + ## @param cas.sentry.enabled Enable sentry.io alerting + ## @param cas.sentry.dsn DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ + ## @param cas.sentry.environment Environment tag + sentry: + enabled: false + dsn: "" + environment: production + +## @section Dependencies +# ################################## +# # Dependencies # +################################## + +## PostgreSQL chart configuration +## ref: 
https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user +## @param postgresql.auth.username Name for a custom user to create +## @param postgresql.auth.password Password for the custom user to create +## @param postgresql.auth.database Name for a custom database to create +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +postgresql: + enabled: true + auth: + enablePostgresUser: false + username: "chainloop" + password: "chainlooppwd" + database: "chainloop-cp" + existingSecret: "" + +# Vault server running in development mode --set development=true +# IMPORTANT: This is not meant to run in production + +## Bitnami Hashicorp Vault chart configuration +## ref: https://github.com/bitnami/charts/blob/main/bitnami/vault/values.yaml +## @param vault.server.args Arguments to pass to the vault server. This is useful for setting the server in development mode +## @param vault.server.config Configuration for the vault server. Small override of default Bitnami configuration +## @param vault.server.extraEnvVars[0].name Root token for the vault server +## @param vault.server.extraEnvVars[0].value The value of the root token. Default: notasecret +## @param vault.server.extraEnvVars[1].name Address to listen on development mode +## @param vault.server.extraEnvVars[1].value The address to listen on. Default: [::]:8200 +vault: + server: + args: [ + "server", + "-dev" + ] + extraEnvVars: + - name: VAULT_DEV_ROOT_TOKEN_ID + value: "notasecret" + - name: VAULT_DEV_LISTEN_ADDRESS + value: "[::]:8200" + config: | + storage "inmem" {} + + disable_mlock = true + ui = true + + service_registration "kubernetes" {} \ No newline at end of file 
From 2c678963df49f9755eb6c5ebd2af0e8b79a2b219 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Tue, 11 Jun 2024 14:59:44 +0000
Subject: [PATCH 02/37] Update CHANGELOG.md

Signed-off-by: Bitnami Containers
---
 bitnami/chainloop/CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 bitnami/chainloop/CHANGELOG.md

diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md
new file mode 100644
index 00000000000000..3875f00c2a1b1b
--- /dev/null
+++ b/bitnami/chainloop/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+
+## 1.56.1 (2024-06-11)
+
+* New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100))
From 4b5cc1d9281c9a07ce07972b9df7c041a96f0265 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Tue, 11 Jun 2024 14:59:46 +0000
Subject: [PATCH 03/37] Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers
---
 bitnami/chainloop/README.md | 34 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
index 803b1c17e4062e..2dbefc5a029083 100644
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
@@ -635,20 +635,26 @@ chainloop config save \ ### Dependencies -| Name | Description | Value | -| ------------------------------------ | ------------------------------------------------------------------------------------------------------ |----------------------------------------------------------------------------------------------------------------------------| -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | -| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration |
storage "inmem" {}
disable_mlock = true
ui = true
service_registration "kubernetes" {}
| -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | +| Name | Description | Value | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} + +disable_mlock = true +ui = true + +service_registration "kubernetes" {} +` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. 
Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | ## License From 189c9b1ee7c8bbe15ec42b2ef298cea9e548ff85 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Tue, 11 Jun 2024 17:14:19 +0200 Subject: [PATCH 04/37] Fix README links Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 2dbefc5a029083..f01ef621f39be2 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md @@ -37,7 +37,7 @@ This chart comes in **two flavors**, `standard` and [`development`](#development ### Standard (default) -![Deployment](../../docs/img/deployment.png) +![Deployment](https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/img/deployment.png) The default deployment mode relies on external dependencies to be available in advance. @@ -144,7 +144,7 @@ To provide an easy way to give Chainloop a try, this Helm Chart has an **opt-in > IMPORTANT: DO NOT USE THIS MODE IN PRODUCTION -![Deployment](../../docs/img/deployment-dev.png) +![Deployment](https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/img/deployment-dev.png) The Helm Chart in this mode includes @@ -664,7 +664,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, From 7cb347c2ed488df6841d45240e4b16c10614798e Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 12 Jun 2024 08:07:17 +0200 Subject: [PATCH 05/37] Modify license headers 
Signed-off-by: Javier Rodriguez
---
 bitnami/chainloop/Chart.yaml | 2 +-
 bitnami/chainloop/templates/_helpers.tpl | 2 +-
 bitnami/chainloop/templates/cas/config.configmap.yaml | 5 +++++
 bitnami/chainloop/templates/cas/config.secret.yaml | 5 +++++
 bitnami/chainloop/templates/cas/deployment.yaml | 5 +++++
 .../chainloop/templates/cas/gcp_secret_manager.secret.yaml | 5 +++++
 bitnami/chainloop/templates/cas/gke_monitoring.yaml | 5 +++++
 bitnami/chainloop/templates/cas/hpa.yaml | 5 +++++
 bitnami/chainloop/templates/cas/ingress.yaml | 5 +++++
 bitnami/chainloop/templates/cas/ingress_grpc.yaml | 5 +++++
 bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml | 5 +++++
 bitnami/chainloop/templates/cas/service_grpc.yaml | 5 +++++
 bitnami/chainloop/templates/cas/service_http.yaml | 5 +++++
 bitnami/chainloop/templates/cas/serviceaccount.yaml | 5 +++++
 .../chainloop/templates/controlplane/config.configmap.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/config.secret.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/deployment.yaml | 2 +-
 .../templates/controlplane/deployment_sqlproxy.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/file_ca.secret.yaml | 2 +-
 .../templates/controlplane/gcp_secret_manager.secret.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/gke_monitoring.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/hpa.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/ingress.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/ingress_grpc.yaml | 2 +-
 .../templates/controlplane/jwt_cas_private_key.secret.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/service_grpc.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/service_http.yaml | 2 +-
 .../chainloop/templates/controlplane/service_sql-proxy.yaml | 2 +-
 bitnami/chainloop/templates/controlplane/serviceaccount.yaml | 2 +-
 bitnami/chainloop/values.yaml | 2 +-
 30 files changed, 78 insertions(+), 18 deletions(-)

diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml
index 291efc4f942420..b88420c8f3d392 100644
--- a/bitnami/chainloop/Chart.yaml
+++ b/bitnami/chainloop/Chart.yaml
@@ -1,4 +1,4 @@
-# Copyright Chainloop, Inc. All Rights Reserved.
+# Copyright Broadcom, Inc. All Rights Reserved.
 # SPDX-License-Identifier: APACHE-2.0
 
 apiVersion: v2
diff --git a/bitnami/chainloop/templates/_helpers.tpl b/bitnami/chainloop/templates/_helpers.tpl
index a647de1c4107c4..516c9a650411bc 100644
--- a/bitnami/chainloop/templates/_helpers.tpl
+++ b/bitnami/chainloop/templates/_helpers.tpl
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/cas/config.configmap.yaml b/bitnami/chainloop/templates/cas/config.configmap.yaml
index 755f2b2406c9f4..80e9e9616f57c4 100644
--- a/bitnami/chainloop/templates/cas/config.configmap.yaml
+++ b/bitnami/chainloop/templates/cas/config.configmap.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/bitnami/chainloop/templates/cas/config.secret.yaml b/bitnami/chainloop/templates/cas/config.secret.yaml
index 7476c54172b09e..57fb8c4aaec264 100644
--- a/bitnami/chainloop/templates/cas/config.secret.yaml
+++ b/bitnami/chainloop/templates/cas/config.secret.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml
index 222e9bbe70a757..610e18524d6989 100644
--- a/bitnami/chainloop/templates/cas/deployment.yaml
+++ b/bitnami/chainloop/templates/cas/deployment.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml b/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml
index 00335194d4d52e..7d17c91f3cf15b 100644
--- a/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml
+++ b/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
 apiVersion: v1
 kind: Secret
diff --git a/bitnami/chainloop/templates/cas/gke_monitoring.yaml b/bitnami/chainloop/templates/cas/gke_monitoring.yaml
index 9260d461b82655..0599ebc1cd6ccc 100644
--- a/bitnami/chainloop/templates/cas/gke_monitoring.yaml
+++ b/bitnami/chainloop/templates/cas/gke_monitoring.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.GKEMonitoring.enabled -}}
 apiVersion: monitoring.googleapis.com/v1
 kind: PodMonitoring
diff --git a/bitnami/chainloop/templates/cas/hpa.yaml b/bitnami/chainloop/templates/cas/hpa.yaml
index e5db27edd75ec3..95dc30af6497a9 100644
--- a/bitnami/chainloop/templates/cas/hpa.yaml
+++ b/bitnami/chainloop/templates/cas/hpa.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.cas.autoscaling.enabled }}
 apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
 kind: HorizontalPodAutoscaler
diff --git a/bitnami/chainloop/templates/cas/ingress.yaml b/bitnami/chainloop/templates/cas/ingress.yaml
index 01053851a568ed..c6db3b0df69052 100644
--- a/bitnami/chainloop/templates/cas/ingress.yaml
+++ b/bitnami/chainloop/templates/cas/ingress.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.cas.ingress.enabled }}
 {{- $fullName := include "chainloop.cas.fullname" . -}}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
diff --git a/bitnami/chainloop/templates/cas/ingress_grpc.yaml b/bitnami/chainloop/templates/cas/ingress_grpc.yaml
index 35cb6aa44a4f94..6316776aa4c19f 100644
--- a/bitnami/chainloop/templates/cas/ingress_grpc.yaml
+++ b/bitnami/chainloop/templates/cas/ingress_grpc.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.cas.ingressAPI.enabled }}
 {{- $fullName := printf "%s-%s" (include "chainloop.cas.fullname" .) "api" -}}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
diff --git a/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml b/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml
index 6880bdab12de17..cc74fd28a433df 100644
--- a/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml
+++ b/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/bitnami/chainloop/templates/cas/service_grpc.yaml b/bitnami/chainloop/templates/cas/service_grpc.yaml
index 6bcd23f4a7a540..f8605df1c1e12e 100644
--- a/bitnami/chainloop/templates/cas/service_grpc.yaml
+++ b/bitnami/chainloop/templates/cas/service_grpc.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bitnami/chainloop/templates/cas/service_http.yaml b/bitnami/chainloop/templates/cas/service_http.yaml
index c7beb1afa9987c..51c16c26429fcb 100644
--- a/bitnami/chainloop/templates/cas/service_http.yaml
+++ b/bitnami/chainloop/templates/cas/service_http.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bitnami/chainloop/templates/cas/serviceaccount.yaml b/bitnami/chainloop/templates/cas/serviceaccount.yaml
index f204aa4172d6ad..adfa3d9e78a08e 100644
--- a/bitnami/chainloop/templates/cas/serviceaccount.yaml
+++ b/bitnami/chainloop/templates/cas/serviceaccount.yaml
@@ -1,3 +1,8 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
 {{- if .Values.cas.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
diff --git a/bitnami/chainloop/templates/controlplane/config.configmap.yaml b/bitnami/chainloop/templates/controlplane/config.configmap.yaml
index 0d395f281f3b4e..6bfdf726427ee4 100644
--- a/bitnami/chainloop/templates/controlplane/config.configmap.yaml
+++ b/bitnami/chainloop/templates/controlplane/config.configmap.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/config.secret.yaml b/bitnami/chainloop/templates/controlplane/config.secret.yaml
index 739910a1f648e9..f2624a9675c77d 100644
--- a/bitnami/chainloop/templates/controlplane/config.secret.yaml
+++ b/bitnami/chainloop/templates/controlplane/config.secret.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml
index e0b21fb4c77356..7838261bee3794 100644
--- a/bitnami/chainloop/templates/controlplane/deployment.yaml
+++ b/bitnami/chainloop/templates/controlplane/deployment.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml b/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml
index fa0673fe66d4c9..dca85b4cc0bb37 100644
--- a/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml
+++ b/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml b/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml
index 4e53fbcca7c83f..f0c7d5cd83b6fb 100644
--- a/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml
+++ b/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml b/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml
index 8f248f59e46900..6038871b47c0b7 100644
--- a/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml
+++ b/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml b/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml
index af7ed239d9057b..1d9c34c4e174ac 100644
--- a/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml
+++ b/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/hpa.yaml b/bitnami/chainloop/templates/controlplane/hpa.yaml
index 810be999fcfce3..4125f007cf3b71 100644
--- a/bitnami/chainloop/templates/controlplane/hpa.yaml
+++ b/bitnami/chainloop/templates/controlplane/hpa.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/ingress.yaml b/bitnami/chainloop/templates/controlplane/ingress.yaml
index de35e887b6a352..3c8d5e47fafbef 100644
--- a/bitnami/chainloop/templates/controlplane/ingress.yaml
+++ b/bitnami/chainloop/templates/controlplane/ingress.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml b/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml
index 3934f33a75af22..9d36b72fba4a45 100644
--- a/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml
+++ b/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml b/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml
index 577163c22b332f..4250de865d0734 100644
--- a/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml
+++ b/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/service_grpc.yaml b/bitnami/chainloop/templates/controlplane/service_grpc.yaml
index 249e96f6dc10df..880d58002dc562 100644
--- a/bitnami/chainloop/templates/controlplane/service_grpc.yaml
+++ b/bitnami/chainloop/templates/controlplane/service_grpc.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/service_http.yaml b/bitnami/chainloop/templates/controlplane/service_http.yaml
index e4deaf9182807b..8a65b952c4abd0 100644
--- a/bitnami/chainloop/templates/controlplane/service_http.yaml
+++ b/bitnami/chainloop/templates/controlplane/service_http.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml b/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml
index f265cf90fa257d..681b69da365af1 100644
--- a/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml
+++ b/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/templates/controlplane/serviceaccount.yaml b/bitnami/chainloop/templates/controlplane/serviceaccount.yaml
index 282d4b09a131c5..425ef00fe6154d 100644
--- a/bitnami/chainloop/templates/controlplane/serviceaccount.yaml
+++ b/bitnami/chainloop/templates/controlplane/serviceaccount.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright Chainloop, Inc. All Rights Reserved.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
index 61c16d340e7918..739c0f67a2ad36 100644
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml
@@ -1,4 +1,4 @@
-# Copyright Chainloop, Inc. All Rights Reserved.
+# Copyright Broadcom, Inc. All Rights Reserved.
 # SPDX-License-Identifier: APACHE-2.0
 
 ## Default values for Chainloop Helm Chart
From 52a8c5673da7244b8176b643cab7232b20826625 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Wed, 12 Jun 2024 06:09:31 +0000
Subject: [PATCH 06/37] Update CHANGELOG.md

Signed-off-by: Bitnami Containers
---
 bitnami/chainloop/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md
index 3875f00c2a1b1b..a711652ab47871 100644
--- a/bitnami/chainloop/CHANGELOG.md
+++ b/bitnami/chainloop/CHANGELOG.md
@@ -1,5 +1,5 @@
 # Changelog
 
-## 1.56.1 (2024-06-11)
+## 1.56.1 (2024-06-12)
 
 * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100))
From 78af872301fb5d5392bf5d673bd03f845c1a0f9f Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Wed, 12 Jun 2024 08:39:10 +0200
Subject: [PATCH 07/37] Fix README.md linter

Signed-off-by: Javier Rodriguez
---
 bitnami/chainloop/README.md | 52 +++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 28 deletions(-)

diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
index f01ef621f39be2..4b085f87a05a11 100644
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
@@ -55,7 +55,7 @@ During installation, you'll need to provide Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair). -#### Installation Examples +#### Installation examples for standard mode > **NOTE**: **We do not recommend passing nor storing sensitive data in plain text**. For production, please consider having your overrides encrypted with tools such as [Sops](https://github.com/mozilla/sops), [Helm Secrets](https://github.com/jkroepke/helm-secrets) or [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets). @@ -161,7 +161,7 @@ During installation, you'll need to provide - ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~ - ~~ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication~~ -#### Installation Examples +#### Installation examples for development mode Deploy by leveraging built-in Vault and PostgreSQL instances @@ -181,12 +181,13 @@ Chainloop uses gRPC streaming to perform artifact uploads. This method is suscep To improve upload speeds, you need to increase [http2 flow control buffer](https://httpwg.org/specs/rfc7540.html#DisableFlowControl). This can be done in NGINX by setting the following annotation in the ingress resource. -``` +```yaml # Improve upload speed by adding client buffering used by http2 control-flows nginx.ingress.kubernetes.io/client-body-buffer-size: "3M" + ``` -Note: For other reverse proxies, you'll need to find the equivalent configuration. +Note: For other reverse proxies, you'll need to find the equivalent configuration. ### Generate a ECDSA key-pair @@ -240,7 +241,7 @@ cas: A complete setup that uses -- NGINX as ingress Controller https://kubernetes.github.io/ingress-nginx/ +- [NGINX as ingress Controller](https://kubernetes.github.io/ingress-nginx) - [cert-manager](https://cert-manager.io/) as TLS provider would look like 
@@ -380,6 +381,7 @@ For example, these commands generate a self-signed certificate with an RSA priva ``` Then you can configure your deployment values with: + ```yaml controlplane: keylessSigning: @@ -428,7 +430,7 @@ Google Cloud has a [managed Prometheus offering](https://cloud.google.com/stackd Once you have your instance of Chainloop deployed, you need to configure the [CLI](https://github.com/chainloop-dev/chainloop/releases) to point to both the CAS and the Control plane gRPC APIs like this. -``` +```bash chainloop config save \ --control-plane my-controlplane.acme.com:443 \ --artifact-cas cas.acme.com:443 @@ -559,7 +561,7 @@ chainloop config save \ | `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | | `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | | `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | -| `controlplane.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | +| `controlplane.sentry.dsn` | [DSN endpoint](https://docs.sentry.io/product/sentry-basics/dsn-explainer) | `""` | | `controlplane.sentry.environment` | Environment tag | `production` | | `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | | `controlplane.keylessSigning.backend` | The backend to use. Currently only "fileCA" is supported | `fileCA` | 
@@ -630,31 +632,25 @@ chainloop config save \ | `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | | `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | | `cas.sentry.enabled` | Enable sentry.io alerting | `false` | -| `cas.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | +| `cas.sentry.dsn` | [DSN endpoint](https://docs.sentry.io/product/sentry-basics/dsn-explainer) | `""` | | `cas.sentry.environment` | Environment tag | `production` | ### Dependencies -| Name | Description | Value | -| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------- | -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | -| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} - -disable_mlock = true -ui = true - -service_registration "kubernetes" {} -` | -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. 
Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | +| Name | Description | Value | +|--------------------------------------| ------------------------------------------------------------------------------------------------------ |------------------------------------------------------------------------------------------------| +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `"inmem" {}
disable_mlock = true
ui = true
service_registration "kubernetes" {}` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | ## License From 008ce9ca649e06251f796f86609aa006b72f450e Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Wed, 12 Jun 2024 06:41:30 +0000 Subject: [PATCH 08/37] Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --- bitnami/chainloop/README.md | 38 +++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 4b085f87a05a11..bff5da15b3e686 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md @@ -561,7 +561,7 @@ chainloop config save \ | `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | | `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | | `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | -| `controlplane.sentry.dsn` | [DSN endpoint](https://docs.sentry.io/product/sentry-basics/dsn-explainer) | `""` | +| `controlplane.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | | `controlplane.sentry.environment` | Environment tag | `production` | | `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | | `controlplane.keylessSigning.backend` | The backend to use. Currently only "fileCA" is supported | `fileCA` | 
@@ -632,25 +632,31 @@ chainloop config save \ | `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | | `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | | `cas.sentry.enabled` | Enable sentry.io alerting | `false` | -| `cas.sentry.dsn` | [DSN endpoint](https://docs.sentry.io/product/sentry-basics/dsn-explainer) | `""` | +| `cas.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | | `cas.sentry.environment` | Environment tag | `production` | ### Dependencies -| Name | Description | Value | -|--------------------------------------| ------------------------------------------------------------------------------------------------------ |------------------------------------------------------------------------------------------------| -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | -| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `"inmem" {}
disable_mlock = true
ui = true
service_registration "kubernetes" {}` | -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | +| Name | Description | Value | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} + +disable_mlock = true +ui = true + +service_registration "kubernetes" {} +` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. 
Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | ## License From 596420805a9bcf2f12a372340dab9a8591fe36a9 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 12 Jun 2024 08:54:01 +0200 Subject: [PATCH 09/37] More changes on linter Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 97 +++++++++++++++++------------------ bitnami/chainloop/values.yaml | 12 ++--- 2 files changed, 50 insertions(+), 59 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index bff5da15b3e686..8dbf7e967512c7 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
@@ -549,25 +549,25 @@ chainloop config save \ ### Controlplane Misc -| Name | Description | Value | -| ------------------------------------------------------------ | ------------------------------------------------------------------------ | ------------ | -| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | -| `controlplane.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | -| `controlplane.sentry.environment` | Environment tag | `production` | -| `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | -| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" is supported | `fileCA` | -| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | +| Name | Description | Value | +| ------------------------------------------------------------ | -------------------------------------------------------------------------- | ------------ | +| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | +| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | +| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | +| `controlplane.sentry.dsn` | DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) | `""` | +| `controlplane.sentry.environment` | Environment tag | `production` | +| `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | +| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" is supported | `fileCA` | +| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | ### Artifact Content Addressable (CAS) API 
@@ -620,43 +620,40 @@ chainloop config save \ ### CAS Misc -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------ | ------------ | -| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | -| `cas.sentry.dsn` | DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ | `""` | -| `cas.sentry.environment` | Environment tag | `production` | +| Name | Description | Value | +| --------------------------------------------------- | -------------------------------------------------------------------------- | ------------ | +| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` | +| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| 
`cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | +| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | +| `cas.sentry.dsn` | DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) | `""` | +| `cas.sentry.environment` | Environment tag | `production` | ### Dependencies -| Name | Description | Value | -| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------- | -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| Name | Description | Value | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. 
Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | | `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} - disable_mlock = true ui = true - -service_registration "kubernetes" {} -` | -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | +service_registration "kubernetes" {}` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | ## License diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 739c0f67a2ad36..2e31fca8f54a74 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml 
@@ -448,7 +448,7 @@ controlplane: targetMemoryUtilizationPercentage: 80 ## @param controlplane.sentry.enabled Enable sentry.io alerting - ## @param controlplane.sentry.dsn DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ + ## @param controlplane.sentry.dsn DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) ## @param controlplane.sentry.environment Environment tag sentry: enabled: false @@ -780,7 +780,7 @@ cas: targetMemoryUtilizationPercentage: 80 ## @param cas.sentry.enabled Enable sentry.io alerting - ## @param cas.sentry.dsn DSN endpoint https://docs.sentry.io/product/sentry-basics/dsn-explainer/ + ## @param cas.sentry.dsn DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) ## @param cas.sentry.environment Environment tag sentry: enabled: false @@ -831,10 +831,4 @@ vault: value: "notasecret" - name: VAULT_DEV_LISTEN_ADDRESS value: "[::]:8200" - config: | - storage "inmem" {} - - disable_mlock = true - ui = true - - service_registration "kubernetes" {} \ No newline at end of file + config: "storage \"inmem\" {}\ndisable_mlock = true\nui = true\nservice_registration \"kubernetes\" {}" From 61eeef38004748d715ac4ca7148ccb924c3215c1 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 12 Jun 2024 08:59:22 +0200 Subject: [PATCH 10/37] remove links Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 66 +++++++++++++++++------------------ bitnami/chainloop/values.yaml | 4 +-- 2 files changed, 35 insertions(+), 35 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 8dbf7e967512c7..d5a2e05c40779c 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
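Review bot: Folding `vault.server.config` into one double-quoted string with embedded `\n` escapes (the `@@ -831,10 +831,4 @@` hunk) makes the HCL harder to read and edit than the block scalar it replaces, and every later tweak risks an escaping mistake. If the motivation was the trailing newline and blank lines that the README generator rendered as a multi-line table cell, `config: |-` keeps the multi-line form while stripping the final newline, and the blank lines can simply be deleted. The rendered HCL is otherwise equivalent, so this is a style point only.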
@@ -549,25 +549,25 @@ chainloop config save \ ### Controlplane Misc -| Name | Description | Value | -| ------------------------------------------------------------ | -------------------------------------------------------------------------- | ------------ | -| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | -| `controlplane.sentry.dsn` | DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) | `""` | -| `controlplane.sentry.environment` | Environment tag | `production` | -| `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | -| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" is supported | `fileCA` | -| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | +| Name | Description | Value | +| ------------------------------------------------------------ | -------------------------------------------------------- | ------------ | +| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | +| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | +| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | +| `controlplane.sentry.dsn` | DSN endpoint | `""` | +| `controlplane.sentry.environment` | Environment tag | `production` | +| `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | +| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" is supported | `fileCA` | +| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | ### Artifact Content Addressable (CAS) API 
@@ -620,20 +620,20 @@ chainloop config save \ ### CAS Misc -| Name | Description | Value | -| --------------------------------------------------- | -------------------------------------------------------------------------- | ------------ | -| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | -| `cas.sentry.dsn` | DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) | `""` | -| `cas.sentry.environment` | Environment tag | `production` | +| Name | Description | Value | +| --------------------------------------------------- | ---------------------------------- | ------------ | +| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` | +| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU 
memory | `80` | +| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | +| `cas.sentry.dsn` | DSN endpoint | `""` | +| `cas.sentry.environment` | Environment tag | `production` | ### Dependencies diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 2e31fca8f54a74..aecb4d5b48a93e 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -448,7 +448,7 @@ controlplane: targetMemoryUtilizationPercentage: 80 ## @param controlplane.sentry.enabled Enable sentry.io alerting - ## @param controlplane.sentry.dsn DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) + ## @param controlplane.sentry.dsn DSN endpoint ## @param controlplane.sentry.environment Environment tag sentry: enabled: false @@ -780,7 +780,7 @@ cas: targetMemoryUtilizationPercentage: 80 ## @param cas.sentry.enabled Enable sentry.io alerting - ## @param cas.sentry.dsn DSN endpoint (https://docs.sentry.io/product/sentry-basics/dsn-explainer/) + ## @param cas.sentry.dsn DSN endpoint ## @param cas.sentry.environment Environment tag sentry: enabled: false From 18e52b59c9567c9d7b02cb6b0d4a9ddf983a88c9 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 12 Jun 2024 16:30:47 +0200 Subject: [PATCH 11/37] Update chart dependency Signed-off-by: Javier Rodriguez --- .vib/chainloop/runtime-parameters.yaml | 6 +-- bitnami/chainloop/Chart.lock | 7 +++- bitnami/chainloop/Chart.yaml | 4 ++ .../templates/dex/config.configmap.yaml | 40 +++++++++++++++++++ bitnami/chainloop/values.yaml | 29 ++++++++++++++ 5 files changed, 81 insertions(+), 5 deletions(-) create mode 100644 bitnami/chainloop/templates/dex/config.configmap.yaml diff --git a/.vib/chainloop/runtime-parameters.yaml b/.vib/chainloop/runtime-parameters.yaml index 857b2c6aac48f9..7b801bc9944934 100644 --- a/.vib/chainloop/runtime-parameters.yaml +++ b/.vib/chainloop/runtime-parameters.yaml 
@@ -2,6 +2,6 @@ development: true
 controlplane:
 auth:
 oidc:
- url:
- clientID:
- clientSecret:
\ No newline at end of file
+ url: http://chainloop-dex:5556/dex
+ clientID: chainloop-dev
+ clientSecret: ZXhhbXBsZS1hcHAtc2VjcmV0
\ No newline at end of file
diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock
index 205604869cffd9..108ec30aeac2ca 100644
--- a/bitnami/chainloop/Chart.lock
+++ b/bitnami/chainloop/Chart.lock
@@ -8,5 +8,8 @@ dependencies:
 - name: vault
 repository: https://charts.bitnami.com/bitnami
 version: 1.4.5
-digest: sha256:f36d00d6d657f2e9f7f1dc6df78e852471cff214b8a7a8ad9722351b978aefdf
-generated: "2024-06-10T14:18:12.118269+02:00"
+- name: dex
+ repository: https://charts.dexidp.io
+ version: 0.18.0
+digest: sha256:4209e844d04d1c15fccdc55572cbf729f5a95766a6720ea24ee7167327007dbb
+generated: "2024-06-12T14:33:53.972613+02:00"
diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml
index b88420c8f3d392..0c40dda0e9162e 100644
--- a/bitnami/chainloop/Chart.yaml
+++ b/bitnami/chainloop/Chart.yaml
@@ -25,3 +25,7 @@ dependencies:
 name: vault
 repository: https://charts.bitnami.com/bitnami
 version: 1.4.x
+ - name: dex
+ condition: development
+ repository: https://charts.dexidp.io
+ version: 0.18.0
diff --git a/bitnami/chainloop/templates/dex/config.configmap.yaml b/bitnami/chainloop/templates/dex/config.configmap.yaml
new file mode 100644
index 00000000000000..39aeebe8ba7e5d
--- /dev/null
+++ b/bitnami/chainloop/templates/dex/config.configmap.yaml
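Review bot: The `controlplane.auth.oidc` values added to the fixture restate literals that also live in `dex.config` (client id `chainloop-dev`, the `ZXhhbXBsZS1hcHAtc2VjcmV0` secret) and bake the release name into the issuer host `chainloop-dex`, so the test presumably only works when the chart is installed as release `chainloop` and only while both copies stay in sync. A comment next to the block would make that coupling explicit: `# Development-mode OIDC settings: issuer host assumes release name "chainloop"; client id/secret must match dex.config.staticClients`. The secret is the public Dex example value, which is acceptable for a CI fixture running with `development: true`, but it should be labelled as such rather than left looking like a real credential.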
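Review bot: The new `dex` dependency in Chart.yaml is pinned to an exact `0.18.0` while the sibling `vault` entry uses the range `1.4.x`; unless the pin is deliberate, `version: 0.18.x` keeps the two entries consistent and lets patch releases through `helm dependency update`. If the exact pin is intended because the chart comes from an external repository, a one-line comment saying so would stop a later lint pass from normalizing it.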
@@ -0,0 +1,40 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: chainloop-dex-config
+ namespace: {{ include "common.names.namespace" . | quote }}
+data:
+ config.yaml: |
+ issuer: http://0.0.0.0:5556/dex
+
+ storage:
+ type: memory
+
+ web:
+ http: 0.0.0.0:5556
+
+ staticClients:
+ - id: chainloop-dev
+ redirectURIs:
+ - "http://0.0.0.0:8000/auth/callback"
+ - "http://localhost:8000/auth/callback"
+ name: "Chainloop Dev"
+ secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+ # required to enable static passwords
+ enablePasswordDB: true
+
+ staticPasswords:
+ - email: "john@chainloop.local"
+ # password: "password"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "sarah@chainloop.local"
+ # password: "password"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+{{- end }}
\ No newline at end of file
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
index aecb4d5b48a93e..3e49036dc1e8c1 100644
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml
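Review bot: `issuer: http://0.0.0.0:5556/dex` disagrees with the `http://chainloop-dex:5556/dex` issuer used by the `dex.config` values and the controlplane fixture, and an OIDC client rejects tokens whose `iss` claim does not equal its configured issuer, so if this ConfigMap is what dex mounts, logins will fail; if dex renders its own config from `dex.config` instead, this file is an unreferenced duplicate and one of the two copies should go. `name: chainloop-dex-config` hard-codes the release name where the rest of the chart derives names from the `common` helpers, e.g. `name: {{ printf "%s-dex-config" (include "common.names.fullname" .) }}`, so two releases in one namespace would collide. `{{- if and .Values.development }}` is a single-operand `and`, which is just `{{- if .Values.development }}`. The static client secret and the bcrypt hash of `password` are the public Dex example credentials; gating them on `development` is right, but a header comment such as `# Development-only Dex config with public example credentials; never rendered in standard mode` keeps that intent visible to future editors, and the file is missing its trailing newline.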
@@ -832,3 +832,32 @@ vault:
 - name: VAULT_DEV_LISTEN_ADDRESS
 value: "[::]:8200"
 config: "storage \"inmem\" {}\ndisable_mlock = true\nui = true\nservice_registration \"kubernetes\" {}"
+
+dex:
+ config:
+ issuer: http://chainloop-dex:5556/dex
+
+ storage:
+ type: memory
+
+ web:
+ http: 0.0.0.0:5556
+
+ staticClients:
+ - id: chainloop-dev
+ redirectURIs:
+ - "http://0.0.0.0:8000/auth/callback"
+ - "http://localhost:8000/auth/callback"
+ name: "Chainloop Dev"
+ secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+ # required to enable static passwords
+ enablePasswordDB: true
+
+ staticPasswords:
+ - email: "john@chainloop.local"
+ # password: "password"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ - email: "sarah@chainloop.local"
+ # password: "password"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
\ No newline at end of file
From 1848dabe4ca599b3e36520240f931ad1aa23db3f Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 13 Jun 2024 08:12:19 +0200
Subject: [PATCH 12/37] Generate README.md
Signed-off-by: Javier Rodriguez
---
 bitnami/chainloop/README.md | 40 +++++++++++++++++++++----------
 bitnami/chainloop/values.yaml | 14 ++++++++++++
 2 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
index d5a2e05c40779c..4374b8244aef07 100644
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
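Review bot: `issuer: http://chainloop-dex:5556/dex` hard-codes the release name into the dex host, so development mode presumably only works when the chart is installed as release `chainloop`; values.yaml cannot template this, so the constraint should at least be stated next to the key, e.g. `# issuer host assumes the dex subchart Service is reachable as chainloop-dex (release name "chainloop")`. The `redirectURIs` cover only `0.0.0.0`/`localhost` on port 8000, which fits a port-forwarded controlplane but not one reached through its in-cluster Service or ingress; if that is intentional, say so in a comment. The block also ships the public Dex example client secret and password hash; since the subchart is only pulled in under `condition: development`, a leading comment `# Development-only identity provider with public example credentials; do not enable outside development mode` would keep anyone from reusing the block in a standard-mode deployment. The file is still missing its trailing newline.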
@@ -637,23 +637,35 @@ chainloop config save \ ### Dependencies -| Name | Description | Value | -| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | -| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} +| Name | Description | Value | +| ------------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. 
Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} disable_mlock = true ui = true service_registration "kubernetes" {}` | -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. 
Default: [::]:8200 | `[::]:8200` | +| `dex.config.issuer` | The issuer URL of the Identity provider (IDp) | `http://chainloop-dex:5556/dex` | +| `dex.config.storage.type` | Storage type for the dex server | `memory` | +| `dex.config.web.http` | HTTP address for the dex server | `0.0.0.0:5556` | +| `dex.config.staticClients[0].id` | Client ID for the static client | `chainloop-dev` | +| `dex.config.staticClients[0].redirectURIs` | Redirect URIs for the static client | `["http://0.0.0.0:8000/auth/callback","http://localhost:8000/auth/callback"]` | +| `dex.config.staticClients[0].name` | Name for the static client | `Chainloop Dev` | +| `dex.config.staticClients[0].secret` | Secret for the static client | `ZXhhbXBsZS1hcHAtc2VjcmV0` | +| `dex.config.enablePasswordDB` | Enable static passwords | `true` | +| `dex.config.staticPasswords[0].email` | Email for the static password | `john@chainloop.local` | +| `dex.config.staticPasswords[0].hash` | Hash for the static password | `$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W` | +| `dex.config.staticPasswords[1].email` | Email for the static password | `sarah@chainloop.local` | +| `dex.config.staticPasswords[1].hash` | Hash for the static password | `$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W` | ## License diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 3e49036dc1e8c1..8e57b04d7b7291 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml 
@@ -833,6 +833,20 @@ vault:
 value: "[::]:8200"
 config: "storage \"inmem\" {}\ndisable_mlock = true\nui = true\nservice_registration \"kubernetes\" {}"
 
+# Dex server running in development mode --set development=true
+# IMPORTANT: This is not meant to run in production
+## @param dex.config.issuer The issuer URL of the Identity provider (IDp)
+## @param dex.config.storage.type Storage type for the dex server
+## @param dex.config.web.http HTTP address for the dex server
+## @param dex.config.staticClients[0].id Client ID for the static client
+## @param dex.config.staticClients[0].redirectURIs Redirect URIs for the static client
+## @param dex.config.staticClients[0].name Name for the static client
+## @param dex.config.staticClients[0].secret Secret for the static client
+## @param dex.config.enablePasswordDB Enable static passwords
+## @param dex.config.staticPasswords[0].email Email for the static password
+## @param dex.config.staticPasswords[0].hash Hash for the static password
+## @param dex.config.staticPasswords[1].email Email for the static password
+## @param dex.config.staticPasswords[1].hash Hash for the static password
 dex:
 config:
 issuer: http://chainloop-dex:5556/dex
From 76789e4f9488b27ec2c8dc885aaeb0f99cb27b39 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Thu, 13 Jun 2024 06:14:01 +0000
Subject: [PATCH 13/37] Update CHANGELOG.md
Signed-off-by: Bitnami Containers
---
 bitnami/chainloop/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md
index a711652ab47871..fcac5426a1cdba 100644
--- a/bitnami/chainloop/CHANGELOG.md
+++ b/bitnami/chainloop/CHANGELOG.md
@@ -1,5 +1,5 @@
 # Changelog
 
-## 1.56.1 (2024-06-12)
+## 1.56.1 (2024-06-13)
 
 * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100))
From 293a779fd32c51569fb79b541d7808d406074cea Mon Sep 17 00:00:00 2001
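Review bot: The `## @param` descriptions for `dex.config.staticClients[0].secret` and both `dex.config.staticPasswords[*].hash` entries do not say these are fixed demo credentials, so the README table generated from them in this same commit lists the client secret and the bcrypt hash as ordinary defaults. The `# IMPORTANT: This is not meant to run in production` line uses a single `#`, and nothing of it appears in the generated table, so the only warning lives in a comment readers of the README never see. Suggest `## @param dex.config.staticClients[0].secret Secret for the static client (public demo value, only used with development=true)` and `## @param dex.config.staticPasswords[0].hash bcrypt hash of the demo password "password" (development only)`, with the same wording for index 1.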
From: Bitnami Containers
Date: Fri, 14 Jun 2024 07:24:11 +0000
Subject: [PATCH 14/37] Update CHANGELOG.md
Signed-off-by: Bitnami Containers
---
 bitnami/chainloop/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md
index fcac5426a1cdba..dbe7b227ca2e74 100644
--- a/bitnami/chainloop/CHANGELOG.md
+++ b/bitnami/chainloop/CHANGELOG.md
@@ -1,5 +1,5 @@
 # Changelog
 
-## 1.56.1 (2024-06-13)
+## 1.56.1 (2024-06-14)
 
 * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100))
From ad82d2632f0e11c3dfa1985f5711fc0153671f3f Mon Sep 17 00:00:00 2001
From: Miguel
Date: Wed, 24 Jul 2024 15:37:09 +0200
Subject: [PATCH 15/37] chore: update chart
Signed-off-by: Miguel
---
 bitnami/chainloop/Chart.lock | 10 +-
 bitnami/chainloop/Chart.yaml | 15 +-
 bitnami/chainloop/README.md | 207 ++++++++++++------
 bitnami/chainloop/templates/_helpers.tpl | 17 +-
 .../templates/cas/customcas.secret.yaml | 18 ++
 .../chainloop/templates/cas/deployment.yaml | 23 +-
 .../controlplane/config.configmap.yaml | 18 +-
 .../templates/controlplane/config.secret.yaml | 19 +-
 .../controlplane/customcas.secret.yaml | 18 ++
 .../templates/controlplane/deployment.yaml | 44 +++-
 .../controlplane/ejbca_ca.secret.yaml | 17 ++
 .../templates/dex/config.configmap.yaml | 40 ----
 bitnami/chainloop/values.yaml | 115 +++++++--
 13 files changed, 395 insertions(+), 166 deletions(-)
 create mode 100644 bitnami/chainloop/templates/cas/customcas.secret.yaml
 create mode 100644 bitnami/chainloop/templates/controlplane/customcas.secret.yaml
 create mode 100644 bitnami/chainloop/templates/controlplane/ejbca_ca.secret.yaml
 delete mode 100644 bitnami/chainloop/templates/dex/config.configmap.yaml
diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock
index 108ec30aeac2ca..c7db09d9c57877 100644
--- a/bitnami/chainloop/Chart.lock
+++ b/bitnami/chainloop/Chart.lock
@@ -1,15 +1,15 @@
 dependencies:
 - name: common
 repository: https://charts.bitnami.com/bitnami
- version: 2.20.2
+ version: 2.20.4
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
- version: 12.12.10
+ version: 15.5.16
 - name: vault
 repository: https://charts.bitnami.com/bitnami
- version: 1.4.5
+ version: 1.4.11
 - name: dex
 repository: https://charts.dexidp.io
 version: 0.18.0
-digest: sha256:4209e844d04d1c15fccdc55572cbf729f5a95766a6720ea24ee7167327007dbb
-generated: "2024-06-12T14:33:53.972613+02:00"
+digest: sha256:94515adbbfef1d109d520d44ef61cd0f07681afd5f14d4f104b68e9a9e1bec87
+generated: "2024-07-13T08:52:36.287808567+02:00"
diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml
index 0c40dda0e9162e..33ffb587e022df 100644
--- a/bitnami/chainloop/Chart.yaml
+++ b/bitnami/chainloop/Chart.yaml
@@ -7,9 +7,9 @@ description: Chainloop is an open source software supply chain control plane, a
 type: application
 
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.56.1
+version: 1.81.0
 # Do not update appVersion, this is handled automatically by the release process
-appVersion: v0.91.1
+appVersion: v0.94.2
 
 dependencies:
 - name: common
@@ -20,7 +20,7 @@ dependencies:
 - condition: postgresql.enabled
 name: postgresql
 repository: https://charts.bitnami.com/bitnami
- version: 12.x.x
+ version: 15.x.x
 - condition: development
 name: vault
 repository: https://charts.bitnami.com/bitnami
@@ -29,3 +29,12 @@ dependencies:
 condition: development
 repository: https://charts.dexidp.io
 version: 0.18.0
+
+annotations:
+ images: |
+ - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.94.2
+ name: artifact-cas
+ - image: ghcr.io/chainloop-dev/chainloop/control-plane:v0.94.2
+ name: control-plane
+ - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.94.2
+ name: control-plane-migrations
\ No newline at end of file
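Review bot: The postgresql dependency moves from `12.x.x` to `15.x.x` (Chart.lock resolves it to 15.5.16) while the chart itself is bumped as a minor (1.56.1 to 1.81.0); crossing three major versions of the PostgreSQL subchart on an existing release is, as far as I know, not an in-place upgrade (those majors changed the values layout and data handling), so an upgrade note in the README and probably a major chart bump would match the convention used elsewhere in this repository. The comment `# Bump the patch (not minor, not major) version on each change in the Chart Source code` directly above the bumped line contradicts what the commit does; either reword the comment or explain the jump in the commit message. The new `annotations` block also leaves `Chart.yaml` without a trailing newline, which `yamllint`-based chart linting may flag.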
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 4374b8244aef07..5f1c27c3a7606a 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md @@ -51,7 +51,7 @@ During installation, you'll need to provide - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) - Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager) -- ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication +- ECDSA (ES512) key-pair used for Controlplane to CAS Authentication Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair). @@ -159,7 +159,7 @@ During installation, you'll need to provide - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) - ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~ -- ~~ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication~~ +- ~~ECDSA (ES512) key-pair used for Controlplane to CAS Authentication~~ #### Installation examples for development mode 
@@ -173,6 +173,30 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ --set controlplane.auth.oidc.clientSecret=[clientSecret] ``` +## AirGap and Relocation Support + +This chart is compatible with relocation processes performed by the [Helm Relocation Plugin](https://github.com/vmware-labs/distribution-tooling-for-helm) + +This is a two-step process (wrap -> unwrap) + +- Pull all the container images and Helm chart and wrap them in an intermediate tarball. +- Unwrap the tarball and push container images, update the Helm Chart with new image references and push it to the target registry. + +For example: to relocate to an Azure Container Registry + +```sh +helm dt wrap oci://ghcr.io/chainloop-dev/charts/chainloop +# 🎉 Helm chart wrapped into "chainloop-1.77.0.wrap.tgz" + +# Now you can take the tarball to an air-gapped environment and unwrap it like this +helm dt unwrap chainloop-1.77.0.wrap.tgz oci://chainloop.azurecr.io --yes +# Unwrapping Helm chart "chainloop-1.77.0.wrap.tgz" +# ✔ All images pushed successfully +# ✔ Helm chart successfully pushed +# +# 🎉 Helm chart unwrapped successfully: You can use it now by running "helm install oci://chainloop.azurecr.io/chart/chainloop --generate-name" +``` + ## How to guides ### CAS upload speeds are slow, what can I do? @@ -371,12 +395,12 @@ secretsBackend: *This feature is experimental, as it doesn't yet support verification.* You can enable keyless signing mode by providing a custom Certificate Authority. -For example, these commands generate a self-signed certificate with an RSA private key of length 4096 and AES256 encryption: +For example, these commands generate a self-signed certificate with an RSA private key of length 4096 and AES256 encryption with a validity of 365 days: ```bash > openssl genrsa -aes256 -out ca.key 4096 ... -> openssl req -new -x509 -sha256 -key ca.key -out ca.crt +> openssl req -new -x509 -sha256 -key ca.key -out ca.crt -days 365 ... ``` 
@@ -399,6 +423,22 @@ controlplane: keyPass: "REDACTED" ``` +### Insert custom Certificate Authorities (CAs) + +In some scenarios, you might want to add custom Certificate Authorities to the Chainloop deployment. Like in the instance where your OIDC provider uses a self-signed certificate. To do so, add the PEM-encoded CA certificate to the `customCAs` list in either `controlplane` or `cas` sections, in your `values.yaml` file like in the example below. + +```yaml + customCAs: + - |- + -----BEGIN CERTIFICATE----- + MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm + BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl + REDACTED + 5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR + 7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc= + -----END CERTIFICATE----- +``` + ### Send exceptions to Sentry You can configure different sentry projects for both the controlplane and the artifact CAS @@ -438,6 +478,13 @@ chainloop config save \ ## Parameters +### Global parameters + +| Name | Description | Value | +| ------------------------- | ----------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | + ### Common parameters | Name | Description | Value | 
@@ -466,23 +513,29 @@ chainloop config save \ ### Authentication -| Name | Description | Value | -| ------------------ | ---------------------------------------------------------------------- | ----- | -| `casJWTPrivateKey` | ECDSA (ES512) private key used for Controlplane <-> CAS Authentication | `""` | -| `casJWTPublicKey` | ECDSA (ES512) public key | `""` | +| Name | Description | Value | +| ------------------ | --------------------------------------------------------------------- | ----- | +| `casJWTPrivateKey` | ECDSA (ES512) private key used for Controlplane to CAS Authentication | `""` | +| `casJWTPublicKey` | ECDSA (ES512) public key | `""` | ### Control Plane -| Name | Description | Value | -| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------------------------------------------- | -| `controlplane.replicaCount` | Number of replicas | `2` | -| `controlplane.image.repository` | FQDN uri for the image | `ghcr.io/chainloop-dev/chainloop/control-plane` | -| `controlplane.image.tag` | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | | -| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. 
| `""` | -| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | -| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | -| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | -| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | +| Name | Description | Value | +| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------------------------------- | +| `controlplane.replicaCount` | Number of replicas | `2` | +| `controlplane.image.registry` | Image registry | `ghcr.io` | +| `controlplane.image.repository` | Image repository | `chainloop-dev/chainloop/control-plane` | +| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. 
| `""` | +| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | +| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | +| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | +| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | +| `controlplane.onboarding.name` | Name of the organization to onboard | | +| `controlplane.onboarding.role` | Role of the organization to onboard | | +| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | +| `controlplane.migration.image.registry` | Image registry | `ghcr.io` | +| `controlplane.migration.image.repository` | Image repository | `chainloop-dev/chainloop/control-plane-migrations` | +| `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | ### Control Plane Database 
@@ -500,12 +553,17 @@ chainloop config save \ ### Control Plane Authentication -| Name | Description | Value | -| ------------------------------------- | ------------------------------------------------------------------------------------------------------ | ----- | -| `controlplane.auth.passphrase` | Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation | `""` | -| `controlplane.auth.oidc.url` | Full authentication path, it should match the issuer URL of the Identity provider (IDp) | `""` | -| `controlplane.auth.oidc.clientID` | OIDC IDp clientID | `""` | -| `controlplane.auth.oidc.clientSecret` | OIDC IDp clientSecret | `""` | +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ----- | +| `controlplane.auth.passphrase` | Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation | `""` | +| `controlplane.auth.oidc.url` | Full authentication path, it should match the issuer URL of the Identity provider (IDp) | `""` | +| `controlplane.auth.oidc.clientID` | OIDC IDp clientID | `""` | +| `controlplane.auth.oidc.clientSecret` | OIDC IDp clientSecret | `""` | +| `controlplane.auth.oidc.loginURLOverride` | Optional OIDC login URL override, useful to point to custom login pages | | +| `controlplane.auth.oidc.externalURL` | Optional External URL for the controlplane to the outside world | | +| `controlplane.auth.allowList.rules` | List of domains or emails to allow | | +| `controlplane.auth.allowList.selectedRoutes` | List of selected routes to allow. If not set it applies to all routes | | +| `controlplane.auth.allowList.customMessage` | Custom message to display when a user is not allowed | | ### Control Plane Networking 
@@ -514,12 +572,12 @@ chainloop config save \ | `controlplane.service.type` | Service type | `ClusterIP` | | `controlplane.service.port` | Service port | `80` | | `controlplane.service.targetPort` | Service target Port | `http` | -| `controlplane.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | +| `controlplane.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between [30000-32767] | | | `controlplane.serviceAPI.type` | Service type | `ClusterIP` | | `controlplane.serviceAPI.port` | Service port | `80` | | `controlplane.serviceAPI.targetPort` | Service target Port | `grpc` | | `controlplane.serviceAPI.annotations` | Service annotations | | -| `controlplane.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | +| `controlplane.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between [30000-32767] | | | `controlplane.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | | `controlplane.ingress.pathType` | Ingress path type | `ImplementationSpecific` | | `controlplane.ingress.hostname` | Default host for the ingress record | `cp.dev.local` | 
@@ -549,34 +607,46 @@ chainloop config save \ ### Controlplane Misc -| Name | Description | Value | -| ------------------------------------------------------------ | -------------------------------------------------------- | ------------ | -| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | -| `controlplane.sentry.dsn` | DSN endpoint | `""` | -| `controlplane.sentry.environment` | Environment tag | `production` | -| `controlplane.keylessSigning.enabled` | Activates or deactivates de feature | `false` | -| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" is supported | `fileCA` | -| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | +| Name | Description | Value | +| ------------------------------------------------------------ | ---------------------------------- | ------------ | +| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | +| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | +| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | +| `controlplane.sentry.dsn` | DSN endpoint | `""` | +| `controlplane.sentry.environment` | Environment tag | `production` | + +### Keyless signing configuration + +| Name | Description | Value | +| ---------------------------------------------------------- | ----------------------------------------------------------------------- | -------- | +| `controlplane.keylessSigning.enabled` | Activates or deactivates the feature | `false` | +| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" and "ejbcaCA" are supported | `fileCA` | +| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | +| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service (https://host/ejbca) | `""` | +| `controlplane.keylessSigning.ejbcaCA.clientKey` | PEM-encoded the private key for EJBCA cert authentication | `""` | +| `controlplane.keylessSigning.ejbcaCA.clientCert` | PEM-encoded certificate for EJBCA cert authentication | `""` | +| `controlplane.keylessSigning.ejbcaCA.certProfileName` | Name of the certificate profile to use in EJBCA | `""` | +| `controlplane.keylessSigning.ejbcaCA.endEntityProfileName` | Name of the Entity Profile to use in EJBCA | `""` | +| `controlplane.keylessSigning.ejbcaCA.caName` | Name of the CA issuer to use in EJBCA | `""` | +| `controlplane.customCAs` | List of custom CA certificates content | `[]` | ### Artifact Content Addressable (CAS) API -| Name | Description | Value | -| --------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------- | -| `cas.replicaCount` | Number of replicas | `2` | -| `cas.image.repository` | FQDN uri for the image | `ghcr.io/chainloop-dev/chainloop/artifact-cas` | -| `cas.image.tag` | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | | -| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. 
| `""` | +| Name | Description | Value | +| --------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------- | +| `cas.replicaCount` | Number of replicas | `2` | +| `cas.image.registry` | Image registry | `ghcr.io` | +| `cas.image.repository` | Image repository | `chainloop-dev/chainloop/artifact-cas` | +| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | ### CAS Networking @@ -585,12 +655,12 @@ chainloop config save \ | `cas.service.type` | Service type | `ClusterIP` | | `cas.service.port` | Service port | `80` | | `cas.service.targetPort` | Service target Port | `http` | -| `cas.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | +| `cas.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between [30000-32767] | | | `cas.serviceAPI.type` | Service type | `ClusterIP` | | `cas.serviceAPI.port` | Service port | `80` | | `cas.serviceAPI.targetPort` | Service target Port | `grpc` | | `cas.serviceAPI.annotations` | Service annotations | | -| `cas.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between <30000-32767> | | +| `cas.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between [30000-32767] | | | `cas.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | | `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` | | `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` | 
@@ -620,20 +690,21 @@ chainloop config save \ ### CAS Misc -| Name | Description | Value | -| --------------------------------------------------- | ---------------------------------- | ------------ | -| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | -| `cas.sentry.dsn` | DSN endpoint | `""` | -| `cas.sentry.environment` | Environment tag | `production` | +| Name | Description | Value | +| --------------------------------------------------- | -------------------------------------- | ------------ | +| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | +| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | +| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | +| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | +| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | +| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | +| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` | +| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | +| `cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | +| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | +| `cas.sentry.dsn` | 
DSN endpoint | `""` |
+| `cas.sentry.environment` | Environment tag | `production` |
+| `cas.customCAs` | List of custom CA certificates content | `[]` |
 
 ### Dependencies
 
@@ -675,7 +746,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
-
+[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/bitnami/chainloop/templates/_helpers.tpl b/bitnami/chainloop/templates/_helpers.tpl
index 516c9a650411bc..6558ce784bb6ba 100644
--- a/bitnami/chainloop/templates/_helpers.tpl
+++ b/bitnami/chainloop/templates/_helpers.tpl
@@ -122,6 +122,10 @@ Controlplane helpers
 ##############################################################################
 */}}
 
+{{- define "chainloop.controlplane.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.controlplane.image "global" .Values.global) }}
+{{- end -}}
+
 {{/*
 Chainloop Controlplane release name
 */}}
@@ -145,6 +149,10 @@ app.kubernetes.io/part-of: chainloop
 app.kubernetes.io/component: controlplane
 {{- end }}
 
+{{- define "chainloop.controlplane.migration.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.controlplane.migration.image "global" .Values.global) }}
+{{- end -}}
+
 {{/*
 Migration labels
 */}}
@@ -284,7 +292,9 @@ NOTE: Load balancer service type is not supported {{- $service := .Values.controlplane.service }} {{- $ingress := .Values.controlplane.ingress }} -{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- if .Values.controlplane.auth.oidc.externalURL }} +{{- .Values.controlplane.auth.oidc.externalURL }} +{{- else if (and $ingress $ingress.enabled $ingress.hostname) }} {{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} {{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} {{- printf "http://localhost:%s" $service.nodePorts.http }} @@ -352,10 +362,13 @@ CAS Helpers ############################################################################## */}} +{{- define "chainloop.cas.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.cas.image "global" .Values.global) }} +{{- end -}} + {{/* Chainloop CAS release name */}} - {{- define "chainloop.cas.fullname" -}} {{- printf "%s-%s" (include "common.names.fullname" .) "cas" | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/bitnami/chainloop/templates/cas/customcas.secret.yaml b/bitnami/chainloop/templates/cas/customcas.secret.yaml new file mode 100644 index 00000000000000..f7e5a8c4641031 --- /dev/null +++ b/bitnami/chainloop/templates/cas/customcas.secret.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $customCAs := .Values.cas.customCAs }} +{{- if (not (empty $customCAs)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.cas.fullname" . }}-custom-cas + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +data: + {{- range $index, $pem := $customCAs }} + custom-{{ $index }}.crt: {{ $pem | b64enc | quote }} + {{- end -}} +{{- end -}} 
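Review bot: The new `externalURL` branch emits the operator-supplied value verbatim, while the `$ingress` and NodePort branches below it build a scheme://host string with no trailing slash, so a value such as `https://chainloop.example.com/` produces a differently shaped base URL than the computed branches and nothing checks that a scheme is present. `{{- .Values.controlplane.auth.oidc.externalURL | trimSuffix "/" }}` would at least normalise the trailing slash, in the same way the fullname helpers already use `trimSuffix`. The enclosing `define` of this helper starts outside the hunk, so the name of the helper and the callers that append paths to its result are not visible here.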
diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml index 610e18524d6989..27a955a4367053 100644 --- a/bitnami/chainloop/templates/cas/deployment.yaml +++ b/bitnami/chainloop/templates/cas/deployment.yaml @@ -25,10 +25,7 @@ spec: labels: {{- include "chainloop.cas.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.cas.image.pullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.cas.image) "context" $) | nindent 6 }} serviceAccountName: {{ include "chainloop.cas.serviceAccountName" . }} securityContext: {{- toYaml .Values.cas.podSecurityContext | nindent 8 }} @@ -36,7 +33,7 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.cas.securityContext | nindent 12 }} - image: "{{ .Values.cas.image.repository }}:{{ .Values.cas.image.tag | default .Chart.AppVersion }}" + image: {{ include "chainloop.cas.image" . }} imagePullPolicy: {{ .Values.cas.image.pullPolicy }} ports: - name: http @@ -71,6 +68,13 @@ spec: - name: server-certs mountPath: /data/server-certs {{- end }} + {{- if (not (empty .Values.cas.customCAs)) }} + - name: custom-cas + # NOTE: /etc/ssl/certs already contains the system CA certs + # Let's use another known path https://go.dev/src/crypto/x509/root_linux.go + mountPath: /etc/pki/tls/certs + readOnly: true + {{- end }} volumes: - name: config projected: @@ -91,4 +95,11 @@ spec: - name: gcp-secretmanager-serviceaccountkey secret: secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey - {{- end }} \ No newline at end of file + {{- end }} + {{- if (not (empty .Values.cas.customCAs)) }} + - name: custom-cas + projected: + sources: + - secret: + name: {{ include "chainloop.cas.fullname" . }}-custom-cas + {{- end }} 
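Review bot: Mounting the projected `custom-cas` volume at `/etc/pki/tls/certs` replaces that whole directory inside the container, so any CA bundle the image ships at that path (a `ca-bundle.crt` on Fedora/RHEL-derived images) is hidden for as long as `cas.customCAs` is non-empty; whether the Chainloop image keeps anything there is not visible in this patch, so the comment's reasoning should be confirmed against the base image. The NOTE comment should state that precondition, e.g. `# NOTE: this mount shadows anything the image has under /etc/pki/tls/certs; the system bundle must live under /etc/ssl/certs`. The identical mount appears in the controlplane deployment hunk `@@ -91,6 +98,13 @@` and shares the concern. `readOnly: true` on the mount is the right call.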
diff --git a/bitnami/chainloop/templates/controlplane/config.configmap.yaml b/bitnami/chainloop/templates/controlplane/config.configmap.yaml index 6bfdf726427ee4..8cca05b8ff9cda 100644 --- a/bitnami/chainloop/templates/controlplane/config.configmap.yaml +++ b/bitnami/chainloop/templates/controlplane/config.configmap.yaml @@ -10,13 +10,11 @@ metadata: labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} data: - {{- if .Values.controlplane.allowList }} + {{- if .Values.controlplane.auth.allowList }} allow_list.yaml: | auth: allow_list: - {{- range .Values.controlplane.allowList }} - - {{ . | quote }} - {{- end }} + {{- toYaml .Values.controlplane.auth.allowList | nindent 8 }} {{- end }} config.yaml: | server: @@ -37,8 +35,16 @@ data: cas_server: grpc: addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) .Values.cas.serviceAPI.port }} - insecure: true + insecure: {{ empty .Values.cas.tlsConfig.secret.name }} download_url: {{ include "chainloop.cas.external_url" . }}/download plugins_dir: {{ .Values.controlplane.pluginsDir }} referrer_shared_index: - {{- toYaml .Values.controlplane.referrerSharedIndex | nindent 6 }} \ No newline at end of file + {{- toYaml .Values.controlplane.referrerSharedIndex | nindent 6 }} + {{ if .Values.controlplane.onboarding }} + onboarding: + {{- toYaml .Values.controlplane.onboarding | nindent 6 }} + {{- end }} + {{ if .Values.controlplane.prometheus_org_metrics }} + prometheus_integration: + {{- toYaml .Values.controlplane.prometheus_org_metrics | nindent 6 }} + {{- end }} diff --git a/bitnami/chainloop/templates/controlplane/config.secret.yaml b/bitnami/chainloop/templates/controlplane/config.secret.yaml index f2624a9675c77d..d8d0637ccf4be9 100644 --- a/bitnami/chainloop/templates/controlplane/config.secret.yaml +++ b/bitnami/chainloop/templates/controlplane/config.secret.yaml 
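Review bot: `insecure: {{ empty .Values.cas.tlsConfig.secret.name }}` now switches the controlplane-to-CAS gRPC client to verified TLS whenever a CAS TLS secret is configured, but nothing in the chart documents that the CAS certificate must then chain to a CA the controlplane trusts, which for a private CA means also setting `controlplane.customCAs`. A comment above the line, `# insecure is false whenever CAS serves TLS; a private CA must be added via controlplane.customCAs`, would save operators a failed rollout. The two new `{{ if .Values.controlplane.onboarding }}` and `{{ if .Values.controlplane.prometheus_org_metrics }}` blocks omit the left-trim dash every other conditional in this file uses, leaving a whitespace-only line inside the rendered `config.yaml` when they are disabled; `{{- if` matches the surrounding style.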
@@ -14,6 +14,7 @@ type: Opaque data: # We store it also as a different key so it can be reused during upgrades by the common.secrets.passwords.manage helper generated_jws_hmac_secret: {{ $hmacpass }} + db_migrate_source: {{include "controlplane.database.atlas_connection_string" . | b64enc | quote }} stringData: {{- if and .Values.sentry .Values.sentry.enabled }} {{- fail "configuring sentry at the top level is no longer supported. Add the configuration to the controlplane section in the values.yaml file" }} @@ -22,7 +23,7 @@ stringData: config.observability.yaml: | {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }} {{- end }} - {{- if and .Values.controlplane.keylessSigning .Values.controlplane.keylessSigning.enabled }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }} fileca.secret.yaml: | {{- with .Values.controlplane.keylessSigning.fileCA }} certificate_authority: @@ -32,6 +33,19 @@ stringData: key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}" {{- end }} {{- end }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }} + ejbca.secret.yaml: | + {{- with .Values.controlplane.keylessSigning.ejbcaCA }} + certificate_authority: + ejbca_ca: + cert_path: "/ca_secrets/ejbca_client.cert" + key_path: "/ca_secrets/ejbca_client.key" + server_url: "{{- required "EJBCA server URL is mandatory" .serverURL }}" + certificate_profile_name: "{{- required "EJBCA certificate profile name is mandatory" .certProfileName }}" + end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}" + certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}" + {{- end }} + {{- end }} config.secret.yaml: | data: database: 
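Review bot: When `keylessSigning.enabled` is true but `backend` is neither `fileCA` nor `ejbcaCA`, neither block in this hunk renders and the chart installs silently with keyless signing effectively unconfigured, although the values file states only those two backends are supported. A guard placed before the two conditionals, `{{- if and .Values.controlplane.keylessSigning.enabled (not (has .Values.controlplane.keylessSigning.backend (list "fileCA" "ejbcaCA"))) }}{{- fail "controlplane.keylessSigning.backend must be fileCA or ejbcaCA" }}{{- end }}`, would fail the render the way the sentry check above already does. The deployment hunks `@@ -79,10 +82,14 @@` and `@@ -115,8 +136,13 @@` repeat the same pair of conditions and would be covered by the same guard.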
@@ -47,6 +61,9 @@ stringData: domain: "{{ required "oidc URL endpoint required" .oidc.url }}" client_id: "{{ required "oidc clientID required" .oidc.clientID }}" client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}" + {{- if .oidc.loginURLOverride }} + login_url_override: "{{ .oidc.loginURLOverride }}" + {{- end }} {{- end }} # HMAC key used to sign the JWTs generated by the controlplane diff --git a/bitnami/chainloop/templates/controlplane/customcas.secret.yaml b/bitnami/chainloop/templates/controlplane/customcas.secret.yaml new file mode 100644 index 00000000000000..a99c3f69cf53bb --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/customcas.secret.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $customCAs := .Values.controlplane.customCAs }} +{{- if (not (empty $customCAs)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +data: + {{- range $index, $pem := $customCAs }} + custom-{{ $index }}.crt: {{ $pem | b64enc | quote }} + {{- end -}} +{{- end -}} diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml index 7838261bee3794..5186328aca7141 100644 --- a/bitnami/chainloop/templates/controlplane/deployment.yaml +++ b/bitnami/chainloop/templates/controlplane/deployment.yaml 
@@ -26,29 +26,32 @@ spec: labels: {{- include "chainloop.controlplane.selectorLabels" . | nindent 8 }} spec: - {{- with .Values.controlplane.image.pullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.controlplane.image .Values.controlplane.migration.image) "context" $) | nindent 6 }} serviceAccountName: {{ include "controlplane.serviceAccountName" . }} securityContext: {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} initContainers: - name: migrate - image: "{{ .Values.controlplane.migration.image.repository }}:{{ .Values.controlplane.migration.image.tag | default .Chart.AppVersion }}" + image: {{ include "chainloop.controlplane.migration.image" . }} imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} args: - migrate - apply - --url - - "{{include "controlplane.database.atlas_connection_string" . }}" + - $(CONNECTION_STRING) - --dir - file:///migrations + env: + - name: CONNECTION_STRING + valueFrom: + secretKeyRef: + name: {{ include "chainloop.controlplane.fullname" . }} + key: db_migrate_source containers: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.controlplane.securityContext | nindent 12 }} - image: "{{ .Values.controlplane.image.repository }}:{{ .Values.controlplane.image.tag | default .Chart.AppVersion }}" + image: {{ include "chainloop.controlplane.image" . }} imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} ports: - name: http 
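Review bot: Moving the connection string out of the rendered pod spec into the `db_migrate_source` Secret key is an improvement, but `- $(CONNECTION_STRING)` under `args` still expands the secret into the migrate container's command line, where it is visible in the process table and to any tooling that records container arguments. If the migration tool can read its database URL from the environment or a file, prefer that over argv; if it cannot, a comment such as `# NOTE: expanded into argv at start; the URL remains visible in the process list` documents the residual exposure. Separately, the migrate container keeps `imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}` while its image and pull secrets now come from `controlplane.migration.image`; the values hunks show no `pullPolicy` under that block, so either add one there or note in the values file that the migration image inherits the controlplane pull policy.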
@@ -79,10 +82,14 @@ spec: mountPath: /tmp - name: jwt-cas-private-key mountPath: /secrets - {{- if .Values.controlplane.keylessSigning.enabled }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }} - name: file-ca-cert mountPath: /ca_secrets {{- end }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }} + - name: ejbca-ca-client + mountPath: /ca_secrets + {{- end }} {{- if .Values.controlplane.tlsConfig.secret.name }} - name: server-certs mountPath: /data/server-certs @@ -91,6 +98,13 @@ spec: - name: gcp-secretmanager-serviceaccountkey mountPath: /gcp-secrets {{- end }} + {{- if (not (empty .Values.controlplane.customCAs)) }} + - name: custom-cas + # NOTE: /etc/ssl/certs already contains the system CA certs + # Let's use another known path https://go.dev/src/crypto/x509/root_linux.go + mountPath: /etc/pki/tls/certs + readOnly: true + {{- end }} volumes: - name: config projected: @@ -99,6 +113,13 @@ spec: name: {{ include "chainloop.controlplane.fullname" . }} - configMap: name: {{ include "chainloop.controlplane.fullname" . }} + {{- if (not (empty .Values.controlplane.customCAs)) }} + - name: custom-cas + projected: + sources: + - secret: + name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas + {{- end }} # required for the plugins to store the socket files - name: tmp emptyDir: {} 
@@ -115,8 +136,13 @@ spec: secret: secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey {{- end }} - {{- if .Values.controlplane.keylessSigning.enabled }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }} - name: file-ca-cert secret: secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca + {{- end }} + {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }} + - name: ejbca-ca-client + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca {{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/ejbca_ca.secret.yaml b/bitnami/chainloop/templates/controlplane/ejbca_ca.secret.yaml new file mode 100644 index 00000000000000..ef792d19d466cc --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/ejbca_ca.secret.yaml @@ -0,0 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +type: Opaque +data: + ejbca_client.cert: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientCert | b64enc | quote }} + ejbca_client.key: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientKey | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/dex/config.configmap.yaml b/bitnami/chainloop/templates/dex/config.configmap.yaml deleted file mode 100644 index 39aeebe8ba7e5d..00000000000000 --- a/bitnami/chainloop/templates/dex/config.configmap.yaml +++ /dev/null 
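Review bot: In the new `ejbca_ca.secret.yaml`, `clientCert` and `clientKey` are emitted with `b64enc | quote` but no `required`, so an `ejbcaCA` backend with either value left at its `""` default renders a Secret with empty entries and the controlplane starts with empty `/ca_secrets/ejbca_client.*` files, whereas the config hunk in `config.secret.yaml` makes `serverURL` and the profile names mandatory. `ejbca_client.cert: {{ required "EJBCA client certificate is mandatory" .Values.controlplane.keylessSigning.ejbcaCA.clientCert | b64enc | quote }}` and the equivalent `required` for `ejbca_client.key` close the gap at render time, consistent with the existing messages.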
@@ -1,40 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.development }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: chainloop-dex-config - namespace: {{ include "common.names.namespace" . | quote }} -data: - config.yaml: | - issuer: http://0.0.0.0:5556/dex - - storage: - type: memory - - web: - http: 0.0.0.0:5556 - - staticClients: - - id: chainloop-dev - redirectURIs: - - "http://0.0.0.0:8000/auth/callback" - - "http://localhost:8000/auth/callback" - name: "Chainloop Dev" - secret: ZXhhbXBsZS1hcHAtc2VjcmV0 - - # required to enable static passwords - enablePasswordDB: true - - staticPasswords: - - email: "john@chainloop.local" - # password: "password" - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" - - email: "sarah@chainloop.local" - # password: "password" - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" -{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 8e57b04d7b7291..c1b6fb7ef3c531 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -3,8 +3,21 @@ ## Default values for Chainloop Helm Chart -## @skip global -global: {} +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] ## @section Common parameters ## 
@@ -69,13 +82,13 @@ secretsBackend: ## @section Authentication ## -## ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication +## ECDSA (ES512) key-pair used for Controlplane to; CAS Authentication ## The controlplane will use the private key to generate a JWT at user request ## The CAS will use the public key to verify the authenticity of that token ## If development=true is set, a development key will be configured automatically ## otherwise you'll need to provide new keys via .Values.casJWTPrivateKey and .Values.cas.casJWTPublicKey -## @param casJWTPrivateKey ECDSA (ES512) private key used for Controlplane <-> CAS Authentication +## @param casJWTPrivateKey ECDSA (ES512) private key used for Controlplane to CAS Authentication ## ## To generate one ## openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key @@ -101,12 +114,13 @@ controlplane: ## @param controlplane.replicaCount Number of replicas replicaCount: 2 - ## @param controlplane.image.repository FQDN uri for the image - ## @extra controlplane.image.tag Image tag (immutable tags are recommended). If no set chart.appVersion will be used + ## @param controlplane.image.registry Image registry + ## @param controlplane.image.repository Image repository + ## @skip controlplane.image.tag image: - repository: ghcr.io/chainloop-dev/chainloop/control-plane - # Overrides the image tag whose default is the chart appVersion. - # tag: latest + registry: ghcr.io + repository: chainloop-dev/chainloop/control-plane + tag: "v0.94.2" ## @param controlplane.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. tlsConfig: 
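Review bot: The rewritten comment `## ECDSA (ES512) key-pair used for Controlplane to; CAS Authentication` carries a stray semicolon from the `<->` replacement; the `@param` line just below it reads `Controlplane to CAS Authentication`, which is the intended wording. The same kind of slip sits in hunk `@@ -124,13 +138,26 @@` (`required fro AWS RDS`) and in hunk `@@ -467,6 +508,12 @@` (`PEM-encoded the private key for EJBCA cert authentication`); because the README parameter tables later in this series are generated from these `@param` lines, each typo is published twice.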
@@ -124,13 +138,26 @@ controlplane: enabled: false allowedOrgs: [] + ## @extra controlplane.onboarding.name Name of the organization to onboard + ## @extra controlplane.onboarding.role Role of the organization to onboard + # onboarding: + # - name: "read-only-demo" + # role: "MEMBERSHIP_ROLE_ORG_VIEWER" + + ## @extra controlplane.prometheus_org_metrics List of organizations to expose metrics for using Prometheus + # prometheus_org_metrics: + # - org_name: "read-only-demo" + # Database migration - ## @skip controlplane.migration + ## @param controlplane.migration.image.registry Image registry + ## @param controlplane.migration.image.repository Image repository + ## @param controlplane.migration.ssl Connect to the database using SSL (required fro AWS RDS, etc) + ## @skip controlplane.migration.image.tag migration: image: - repository: ghcr.io/chainloop-dev/chainloop/control-plane-migrations - # Overrides the image tag whose default is the chart appVersion. - # tag: latest + registry: ghcr.io + repository: chainloop-dev/chainloop/control-plane-migrations + tag: "v0.94.2" # Run the migration job forcing SSL, required in AWS RDS for PostgreSQL 15 ssl: false 
@@ -175,12 +202,24 @@ controlplane: passphrase: "" ## @param controlplane.auth.oidc.url Full authentication path, it should match the issuer URL of the Identity provider (IDp) - ## @param controlplane.auth.oidc.clientID OIDC IDp clientID - ## @param controlplane.auth.oidc.clientSecret OIDC IDp clientSecret + ## @param controlplane.auth.oidc.clientID OIDC IDp clientID + ## @param controlplane.auth.oidc.clientSecret OIDC IDp clientSecret + ## @extra controlplane.auth.oidc.loginURLOverride Optional OIDC login URL override, useful to point to custom login pages + ## @extra controlplane.auth.oidc.externalURL Optional External URL for the controlplane to the outside world oidc: url: "" clientID: "" clientSecret: "" + # loginURLOverride: "" + # externalURL: "" + + ## @extra controlplane.auth.allowList.rules List of domains or emails to allow + ## @extra controlplane.auth.allowList.selectedRoutes List of selected routes to allow. If not set it applies to all routes + ## @extra controlplane.auth.allowList.customMessage Custom message to display when a user is not allowed + # allowList: + # rules: [] + # selectedRoutes: [] + # customMessage: "" ## @section Control Plane Networking service: @@ -190,7 +229,7 @@ controlplane: port: 80 ## @param controlplane.service.targetPort Service target Port targetPort: http - ## @extra controlplane.service.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + ## @extra controlplane.service.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] # nodePorts: # http: "30800" annotations: 
@@ -209,7 +248,7 @@ controlplane: ## @skip controlplane.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme traefik.ingress.kubernetes.io/service.serversscheme: h2c - ## @extra controlplane.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + ## @extra controlplane.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] # nodePorts: # http: "30900" @@ -455,9 +494,11 @@ controlplane: dsn: "" environment: production + ## @section Keyless signing configuration + ## Configuration for keyless signing using one of the supported providers - ## @param controlplane.keylessSigning.enabled Activates or deactivates de feature - ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" is supported + ## @param controlplane.keylessSigning.enabled Activates or deactivates the feature + ## @param controlplane.keylessSigning.backend The backend to use. Currently only "fileCA" and "ejbcaCA" are supported ## @param controlplane.keylessSigning.fileCA.cert The PEM-encoded certificate of the file based CA ## -----BEGIN CERTIFICATE----- ## ... 
@@ -467,6 +508,12 @@ controlplane: ## ... ## -----END RSA PRIVATE KEY----- ## @param controlplane.keylessSigning.fileCA.keyPass The secret key pass + ## @param controlplane.keylessSigning.ejbcaCA.serverURL The url of the EJBCA service (https://host/ejbca) + ## @param controlplane.keylessSigning.ejbcaCA.clientKey PEM-encoded the private key for EJBCA cert authentication + ## @param controlplane.keylessSigning.ejbcaCA.clientCert PEM-encoded certificate for EJBCA cert authentication + ## @param controlplane.keylessSigning.ejbcaCA.certProfileName Name of the certificate profile to use in EJBCA + ## @param controlplane.keylessSigning.ejbcaCA.endEntityProfileName Name of the Entity Profile to use in EJBCA + ## @param controlplane.keylessSigning.ejbcaCA.caName Name of the CA issuer to use in EJBCA keylessSigning: enabled: false backend: fileCA @@ -474,6 +521,17 @@ controlplane: cert: "" key: "" keyPass: "" + ejbcaCA: + serverURL: "" + clientKey: "" + clientCert: "" + certProfileName: "" + endEntityProfileName: "" + caName: "" + + ## Inject custom CA certificates to the controlplane container + ## @param controlplane.customCAs List of custom CA certificates content + customCAs: [] ## @section Artifact Content Addressable (CAS) API ################################## 
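Review bot: `ejbcaCA.clientKey`, like the existing `fileCA.key`, takes the PEM private key inline, so the key ends up everywhere the values travel — the install command line, any committed values file and the Helm release record — in addition to the `-keyless-ejbca-ca` Secret the chart renders from it. An existing-Secret reference (the name of a pre-created Secret holding `ejbca_client.cert` and `ejbca_client.key`) is the usual pattern for key material in this repository and would let operators keep the key out of values entirely; at minimum the `@param` comment should say that the value is written to a Secret named `<controlplane fullname>-keyless-ejbca-ca`. The same observation applies to `fileCA.key`, which this hunk does not touch.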
@@ -483,12 +541,13 @@ cas: ## @param cas.replicaCount Number of replicas replicaCount: 2 - ## @param cas.image.repository FQDN uri for the image - ## @extra cas.image.tag Image tag (immutable tags are recommended). If no set chart.appVersion will be used + ## @param cas.image.registry Image registry + ## @param cas.image.repository Image repository + ## @skip cas.image.tag image: - repository: ghcr.io/chainloop-dev/chainloop/artifact-cas - # Overrides the image tag whose default is the chart appVersion. - # tag: latest + registry: ghcr.io + repository: chainloop-dev/chainloop/artifact-cas + tag: "v0.94.2" ## @param cas.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. tlsConfig: @@ -514,7 +573,7 @@ cas: port: 80 ## @param cas.service.targetPort Service target Port targetPort: http - ## @extra cas.service.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + ## @extra cas.service.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] # nodePorts: # http: "30800" annotations: @@ -533,7 +592,7 @@ cas: ## @skip cas.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme traefik.ingress.kubernetes.io/service.serversscheme: h2c - ## @extra cas.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between <30000-32767> + ## @extra cas.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] # nodePorts: # http: "30901" @@ -787,6 +846,10 @@ cas: dsn: "" environment: production + ## Inject custom CA certificates to the CAS container + ## @param cas.customCAs List of custom CA certificates content + customCAs: [] + ## @section Dependencies # ################################## # # Dependencies # From fcef25e343bff85d9bad0436eeb4aee5fd67b1b1 Mon Sep 17 00:00:00 2001 From: Miguel Date: Wed, 24 Jul 2024 15:46:38 +0200 Subject: [PATCH 16/37] chore: update chart 
Signed-off-by: Miguel --- bitnami/chainloop/README.md | 2 +- bitnami/chainloop/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 5f1c27c3a7606a..eaeb9fc80f5c85 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md @@ -631,7 +631,7 @@ chainloop config save \ | `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | | `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | | `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | -| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service (https://host/ejbca) | `""` | +| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service ("https://host/ejbca") | `""` | | `controlplane.keylessSigning.ejbcaCA.clientKey` | PEM-encoded the private key for EJBCA cert authentication | `""` | | `controlplane.keylessSigning.ejbcaCA.clientCert` | PEM-encoded certificate for EJBCA cert authentication | `""` | | `controlplane.keylessSigning.ejbcaCA.certProfileName` | Name of the certificate profile to use in EJBCA | `""` | diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index c1b6fb7ef3c531..860ff1547a7240 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml 
@@ -508,7 +508,7 @@ controlplane: ## ... ## -----END RSA PRIVATE KEY----- ## @param controlplane.keylessSigning.fileCA.keyPass The secret key pass - ## @param controlplane.keylessSigning.ejbcaCA.serverURL The url of the EJBCA service (https://host/ejbca) + ## @param controlplane.keylessSigning.ejbcaCA.serverURL The url of the EJBCA service ("https://host/ejbca") ## @param controlplane.keylessSigning.ejbcaCA.clientKey PEM-encoded the private key for EJBCA cert authentication ## @param controlplane.keylessSigning.ejbcaCA.clientCert PEM-encoded certificate for EJBCA cert authentication ## @param controlplane.keylessSigning.ejbcaCA.certProfileName Name of the certificate profile to use in EJBCA From 535814f07d604fd5a094c9e7e6e555da93df2e83 Mon Sep 17 00:00:00 2001 From: Miguel Date: Wed, 24 Jul 2024 16:04:56 +0200 Subject: [PATCH 17/37] chore: update chart Signed-off-by: Miguel --- bitnami/chainloop/CHANGELOG.md | 2 +- bitnami/chainloop/README.md | 44 +++++++++++++++++----------------- bitnami/chainloop/values.yaml | 12 +++++----- 3 files changed, 29 insertions(+), 29 deletions(-) diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md index dbe7b227ca2e74..381b9bf7c58efc 100644 --- a/bitnami/chainloop/CHANGELOG.md +++ b/bitnami/chainloop/CHANGELOG.md @@ -1,5 +1,5 @@ # Changelog -## 1.56.1 (2024-06-14) +## 1.81.0 (2024-07-24) * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100)) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index eaeb9fc80f5c85..28686b771501d4 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
@@ -520,22 +520,22 @@ chainloop config save \ ### Control Plane -| Name | Description | Value | -| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------------------------------- | -| `controlplane.replicaCount` | Number of replicas | `2` | -| `controlplane.image.registry` | Image registry | `ghcr.io` | -| `controlplane.image.repository` | Image repository | `chainloop-dev/chainloop/control-plane` | -| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | -| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | -| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | -| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | -| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | -| `controlplane.onboarding.name` | Name of the organization to onboard | | -| `controlplane.onboarding.role` | Role of the organization to onboard | | -| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | -| `controlplane.migration.image.registry` | Image registry | `ghcr.io` | -| `controlplane.migration.image.repository` | Image repository | `chainloop-dev/chainloop/control-plane-migrations` | -| `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | +| Name | Description | Value | +| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------------- | +| `controlplane.replicaCount` | Number of replicas | `2` | +| `controlplane.image.registry` | Image registry | `REGISTRY_NAME` 
| +| `controlplane.image.repository` | Image repository | `REPOSITORY_NAME` | +| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | +| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | +| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | +| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | +| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | +| `controlplane.onboarding.name` | Name of the organization to onboard | | +| `controlplane.onboarding.role` | Role of the organization to onboard | | +| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | +| `controlplane.migration.image.registry` | Image registry | `REGISTRY_NAME` | +| `controlplane.migration.image.repository` | Image repository | `REPOSITORY_NAME` | +| `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | ### Control Plane Database 
@@ -641,12 +641,12 @@ chainloop config save \ ### Artifact Content Addressable (CAS) API -| Name | Description | Value | -| --------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------- | -| `cas.replicaCount` | Number of replicas | `2` | -| `cas.image.registry` | Image registry | `ghcr.io` | -| `cas.image.repository` | Image repository | `chainloop-dev/chainloop/artifact-cas` | -| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | +| Name | Description | Value | +| --------------------------- | --------------------------------------------------------------------------------------- | ----------------- | +| `cas.replicaCount` | Number of replicas | `2` | +| `cas.image.registry` | Image registry | `REGISTRY_NAME` | +| `cas.image.repository` | Image repository | `REPOSITORY_NAME` | +| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | ### CAS Networking diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 860ff1547a7240..a7a40769ee6af3 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -114,8 +114,8 @@ controlplane: ## @param controlplane.replicaCount Number of replicas replicaCount: 2 - ## @param controlplane.image.registry Image registry - ## @param controlplane.image.repository Image repository + ## @param controlplane.image.registry [default: REGISTRY_NAME] Image registry + ## @param controlplane.image.repository [default: REPOSITORY_NAME] Image repository ## @skip controlplane.image.tag image: registry: ghcr.io 
@@ -149,8 +149,8 @@ controlplane: # - org_name: "read-only-demo" # Database migration - ## @param controlplane.migration.image.registry Image registry - ## @param controlplane.migration.image.repository Image repository + ## @param controlplane.migration.image.registry [default: REGISTRY_NAME] Image registry + ## @param controlplane.migration.image.repository [default: REPOSITORY_NAME] Image repository ## @param controlplane.migration.ssl Connect to the database using SSL (required fro AWS RDS, etc) ## @skip controlplane.migration.image.tag migration: @@ -541,8 +541,8 @@ cas: ## @param cas.replicaCount Number of replicas replicaCount: 2 - ## @param cas.image.registry Image registry - ## @param cas.image.repository Image repository + ## @param cas.image.registry [default: REGISTRY_NAME] Image registry + ## @param cas.image.repository [default: REPOSITORY_NAME] Image repository ## @skip cas.image.tag image: registry: ghcr.io From 86f51c82c7e118000093c464fcc4e3d82c06421a Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Mon, 5 Aug 2024 12:25:34 +0200 Subject: [PATCH 18/37] Update chart with bitnami standards 
Signed-off-by: Javier Rodriguez --- .vib/chainloop/ginkgo/chainloop_suite_test.go | 46 - .vib/chainloop/ginkgo/chainloop_test.go | 30 +- bitnami/chainloop/CHANGELOG.md | 4 + bitnami/chainloop/Chart.lock | 14 +- bitnami/chainloop/Chart.yaml | 20 +- bitnami/chainloop/README.md | 492 ++++++---- bitnami/chainloop/charts/dex/Chart.lock | 6 + bitnami/chainloop/charts/dex/Chart.yaml | 24 + bitnami/chainloop/charts/dex/README.md | 143 +++ .../charts/dex/templates/_helpers.tpl | 42 + .../charts/dex/templates/deployment.yaml | 193 ++++ .../charts/dex/templates/metrics-svc.yaml | 53 ++ .../chainloop/charts/dex/templates/pdb.yaml | 28 + .../chainloop/charts/dex/templates/role.yaml | 28 + .../charts/dex/templates/rolebinding.yaml | 25 + .../charts/dex/templates/secret.yaml | 38 + .../charts/dex/templates/service-account.yaml | 21 + .../charts/dex/templates/service.yaml | 63 ++ .../charts/dex/templates/servicemonitor.yaml | 49 + bitnami/chainloop/charts/dex/values.yaml | 574 ++++++++++++ bitnami/chainloop/templates/NOTES.txt | 37 +- bitnami/chainloop/templates/_helpers.tpl | 132 ++- .../{config.configmap.yaml => configmap.yaml} | 7 +- .../chainloop/templates/cas/deployment.yaml | 120 ++- .../templates/cas/gke_monitoring.yaml | 18 - bitnami/chainloop/templates/cas/hpa.yaml | 37 +- .../{ingress_grpc.yaml => ingress-grpc.yaml} | 0 ...{config.secret.yaml => secret-config.yaml} | 7 +- ...mcas.secret.yaml => secret-customcas.yaml} | 0 ...et.yaml => secret-gcp-secret-manager.yaml} | 0 ...secret.yaml => secret-jwt-public-key.yaml} | 0 .../templates/cas/service-account.yaml | 17 + .../chainloop/templates/cas/service-grpc.yaml | 52 ++ .../chainloop/templates/cas/service-http.yaml | 52 ++ .../chainloop/templates/cas/service_grpc.yaml | 25 - .../chainloop/templates/cas/service_http.yaml | 24 - .../templates/cas/serviceaccount.yaml | 17 - .../{config.configmap.yaml => configmap.yaml} | 9 +- .../templates/controlplane/deployment.yaml | 115 ++- .../controlplane/deployment_sqlproxy.yaml | 61 -- 
.../controlplane/gke_monitoring.yaml | 18 - .../chainloop/templates/controlplane/hpa.yaml | 39 +- .../{ingress_grpc.yaml => ingress-grpc.yaml} | 0 ...{config.secret.yaml => secret-config.yaml} | 18 +- ...mcas.secret.yaml => secret-customcas.yaml} | 0 ...ca_ca.secret.yaml => secret-ejbca-ca.yaml} | 0 ...ile_ca.secret.yaml => secret-file-ca.yaml} | 0 ...et.yaml => secret-gcp-secret-manager.yaml} | 0 ...t.yaml => secret-jwt-cas-private-key.yaml} | 0 .../controlplane/service-account.yaml | 17 + .../templates/controlplane/service-grpc.yaml | 52 ++ .../templates/controlplane/service-http.yaml | 53 ++ .../templates/controlplane/service_grpc.yaml | 25 - .../templates/controlplane/service_http.yaml | 24 - .../controlplane/service_sql-proxy.yaml | 22 - .../controlplane/serviceaccount.yaml | 17 - bitnami/chainloop/templates/extra-list.yaml | 9 + bitnami/chainloop/values.yaml | 866 ++++++++++++++---- 58 files changed, 2924 insertions(+), 859 deletions(-) create mode 100644 bitnami/chainloop/charts/dex/Chart.lock create mode 100644 bitnami/chainloop/charts/dex/Chart.yaml create mode 100644 bitnami/chainloop/charts/dex/README.md create mode 100644 bitnami/chainloop/charts/dex/templates/_helpers.tpl create mode 100644 bitnami/chainloop/charts/dex/templates/deployment.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/metrics-svc.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/pdb.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/role.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/rolebinding.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/secret.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/service-account.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/service.yaml create mode 100644 bitnami/chainloop/charts/dex/templates/servicemonitor.yaml create mode 100644 bitnami/chainloop/charts/dex/values.yaml rename bitnami/chainloop/templates/cas/{config.configmap.yaml => 
configmap.yaml} (72%) delete mode 100644 bitnami/chainloop/templates/cas/gke_monitoring.yaml rename bitnami/chainloop/templates/cas/{ingress_grpc.yaml => ingress-grpc.yaml} (100%) rename bitnami/chainloop/templates/cas/{config.secret.yaml => secret-config.yaml} (71%) rename bitnami/chainloop/templates/cas/{customcas.secret.yaml => secret-customcas.yaml} (100%) rename bitnami/chainloop/templates/cas/{gcp_secret_manager.secret.yaml => secret-gcp-secret-manager.yaml} (100%) rename bitnami/chainloop/templates/cas/{jwt_public_key.secret.yaml => secret-jwt-public-key.yaml} (100%) create mode 100644 bitnami/chainloop/templates/cas/service-account.yaml create mode 100644 bitnami/chainloop/templates/cas/service-grpc.yaml create mode 100644 bitnami/chainloop/templates/cas/service-http.yaml delete mode 100644 bitnami/chainloop/templates/cas/service_grpc.yaml delete mode 100644 bitnami/chainloop/templates/cas/service_http.yaml delete mode 100644 bitnami/chainloop/templates/cas/serviceaccount.yaml rename bitnami/chainloop/templates/controlplane/{config.configmap.yaml => configmap.yaml} (79%) delete mode 100644 bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml delete mode 100644 bitnami/chainloop/templates/controlplane/gke_monitoring.yaml rename bitnami/chainloop/templates/controlplane/{ingress_grpc.yaml => ingress-grpc.yaml} (100%) rename bitnami/chainloop/templates/controlplane/{config.secret.yaml => secret-config.yaml} (84%) rename bitnami/chainloop/templates/controlplane/{customcas.secret.yaml => secret-customcas.yaml} (100%) rename bitnami/chainloop/templates/controlplane/{ejbca_ca.secret.yaml => secret-ejbca-ca.yaml} (100%) rename bitnami/chainloop/templates/controlplane/{file_ca.secret.yaml => secret-file-ca.yaml} (100%) rename bitnami/chainloop/templates/controlplane/{gcp_secret_manager.secret.yaml => secret-gcp-secret-manager.yaml} (100%) rename bitnami/chainloop/templates/controlplane/{jwt_cas_private_key.secret.yaml => secret-jwt-cas-private-key.yaml} 
(100%) create mode 100644 bitnami/chainloop/templates/controlplane/service-account.yaml create mode 100644 bitnami/chainloop/templates/controlplane/service-grpc.yaml create mode 100644 bitnami/chainloop/templates/controlplane/service-http.yaml delete mode 100644 bitnami/chainloop/templates/controlplane/service_grpc.yaml delete mode 100644 bitnami/chainloop/templates/controlplane/service_http.yaml delete mode 100644 bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml delete mode 100644 bitnami/chainloop/templates/controlplane/serviceaccount.yaml create mode 100644 bitnami/chainloop/templates/extra-list.yaml diff --git a/.vib/chainloop/ginkgo/chainloop_suite_test.go b/.vib/chainloop/ginkgo/chainloop_suite_test.go index af04d87bfeab54..3878b5f435c062 100644 --- a/.vib/chainloop/ginkgo/chainloop_suite_test.go +++ b/.vib/chainloop/ginkgo/chainloop_suite_test.go @@ -1,16 +1,11 @@ package chainloop_test import ( - "context" "flag" "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - batchv1 "k8s.io/api/batch/v1" - v1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/kubernetes" ) var ( 
@@ -31,44 +26,3 @@ func TestChainloop(t *testing.T) { RegisterFailHandler(Fail) RunSpecs(t, "Chainloop Persistence Test Suite") } - -func createJob(ctx context.Context, c kubernetes.Interface, name, image string) error { - securityContext := &v1.SecurityContext{ - Privileged: &[]bool{false}[0], - AllowPrivilegeEscalation: &[]bool{false}[0], - RunAsNonRoot: &[]bool{true}[0], - Capabilities: &v1.Capabilities{ - Drop: []v1.Capability{"ALL"}, - }, - SeccompProfile: &v1.SeccompProfile{ - Type: "RuntimeDefault", - }, - } - job := &batchv1.Job{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - TypeMeta: metav1.TypeMeta{ - Kind: "Job", - }, - Spec: batchv1.JobSpec{ - Template: v1.PodTemplateSpec{ - Spec: v1.PodSpec{ - RestartPolicy: "Never", - Containers: []v1.Container{ - { - Name: "chainloop-cli", - Image: image, - Command: []string{"chainloop", "version"}, - SecurityContext: securityContext, - }, - }, - }, - }, - }, - } - - _, err := c.BatchV1().Jobs(namespace).Create(ctx, job, metav1.CreateOptions{}) - - return err -} diff --git a/.vib/chainloop/ginkgo/chainloop_test.go b/.vib/chainloop/ginkgo/chainloop_test.go index 6c2b32b6cc32ed..a311baaf3da046 100644 --- a/.vib/chainloop/ginkgo/chainloop_test.go +++ b/.vib/chainloop/ginkgo/chainloop_test.go @@ -3,8 +3,6 @@ package chainloop_test import ( "context" "fmt" - "time" - utils "github.com/bitnami/charts/.vib/common-tests/ginkgo-utils" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -12,10 +10,7 @@ import ( "k8s.io/client-go/kubernetes" ) -const ( - PollingInterval = 1 * time.Second -) - +// portDefinition is a struct to define a port in a service type portDefinition struct { name string number string @@ -96,6 +91,18 @@ var _ = Describe("Chainloop", Ordered, func() { }, }, }, + { + name: "dex", + ports: []portDefinition{ + { + name: "http", + number: "5556", + }, { + name: "grpc", + number: "5557", + }, + }, + }, } for _, inSvc := range svcs { 
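Review bot: The new `dex` service entry silently ties the suite to an install with `development=true`: Chart.yaml in this same patch renders the dex dependency only under `condition: development`, and nothing in the hunk says why a dex service is expected. A one-line comment above the entry, `// dex is only deployed when the chart is installed with development=true (see Chart.yaml)`, would document the assumption for the next person who runs the suite against a standard-mode release. The ports 5556/5557 are presumably the dex subchart's HTTP and gRPC service ports; worth confirming against charts/dex/values.yaml, which is not part of this hunk. The enclosing Describe block starts outside the hunk.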
@@ -121,6 +128,17 @@ var _ = Describe("Chainloop", Ordered, func() { Expect(err).NotTo(HaveOccurred()) } }) + + It("all deployments are running", func() { + dpls := []string{"cas", "controlplane", "dex", "vault-injector"} + + for _, dplName := range dpls { + dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, fmt.Sprintf("%v-%v", releaseName, dplName), metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + + Expect(dpl.Status.ReadyReplicas).To(Equal(*dpl.Spec.Replicas)) + } + }) }) AfterEach(func() { diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md index 381b9bf7c58efc..76a38ffc6b1485 100644 --- a/bitnami/chainloop/CHANGELOG.md +++ b/bitnami/chainloop/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 1.86.9 (2024-08-05) + +* Changes have been applied to comply with Bitnami standards [Chainloop issue](https://github.com/chainloop-dev/chainloop/issues/1151) + ## 1.81.0 (2024-07-24) * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100)) diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock index c7db09d9c57877..edac71a2ada65f 100644 --- a/bitnami/chainloop/Chart.lock +++ b/bitnami/chainloop/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: common repository: https://charts.bitnami.com/bitnami - version: 2.20.4 + version: 2.20.5 - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 15.5.16 + version: 15.5.20 - name: vault repository: https://charts.bitnami.com/bitnami - version: 1.4.11 + version: 1.4.16 - name: dex - repository: https://charts.dexidp.io - version: 0.18.0 -digest: sha256:94515adbbfef1d109d520d44ef61cd0f07681afd5f14d4f104b68e9a9e1bec87 -generated: "2024-07-13T08:52:36.287808567+02:00" + repository: file://charts/dex + version: 0.0.1 +digest: sha256:856d6ca9a125209c6aeb718bdbaa14d61eb542d009d1b7e6f004d5d5d2efd898 +generated: "2024-08-02T13:56:45.701274+02:00" 
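Review bot: The readiness check `Expect(dpl.Status.ReadyReplicas).To(Equal(*dpl.Spec.Replicas))` is a one-shot assertion, so the spec fails whenever a deployment is still rolling out when the It block runs, and it dereferences `dpl.Spec.Replicas` without a nil guard (the field is a pointer). Wrapping the Get and the comparison in a Gomega `Eventually(func(g Gomega) { ... }).Should(Succeed())` makes the check poll until the deployment converges and keeps the error reporting per deployment; the earlier hunk removes the suite's `PollingInterval` constant, so set the cadence with `.WithTimeout(...)`/`.WithPolling(...)` or a suite-level `SetDefaultEventuallyTimeout` if the default is too short for a first rollout. The `dex` and `vault-injector` names presumably only exist under `development=true` (Chart.yaml gates dex on that condition; the vault-injector name is inferred from the vault subchart), which the test should state in a comment. The enclosing Describe block starts before and ends after the hunk.
```go
It("all deployments are running", func() {
	dpls := []string{"cas", "controlplane", "dex", "vault-injector"}

	for _, dplName := range dpls {
		name := fmt.Sprintf("%v-%v", releaseName, dplName)
		Eventually(func(g Gomega) {
			dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, name, metav1.GetOptions{})
			g.Expect(err).NotTo(HaveOccurred())
			g.Expect(dpl.Spec.Replicas).NotTo(BeNil())
			g.Expect(dpl.Status.ReadyReplicas).To(Equal(*dpl.Spec.Replicas))
		}).Should(Succeed())
	}
})
```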
diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml index 33ffb587e022df..1630cc21f432ac 100644 --- a/bitnami/chainloop/Chart.yaml +++ b/bitnami/chainloop/Chart.yaml @@ -7,9 +7,9 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.81.0 +version: 1.86.9 # Do not update appVersion, this is handled automatically by the release process -appVersion: v0.94.2 +appVersion: v0.95.3 dependencies: - name: common @@ -25,16 +25,16 @@ dependencies: name: vault repository: https://charts.bitnami.com/bitnami version: 1.4.x - - name: dex - condition: development - repository: https://charts.dexidp.io - version: 0.18.0 + - condition: development + repository: file://charts/dex + name: dex + version: 0.0.1 annotations: images: | - - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.94.2 + - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.95.3 name: artifact-cas - - image: ghcr.io/chainloop-dev/chainloop/control-plane:v0.94.2 + - image: ghcr.io/chainloop-dev/chainloop/control-plane:v0.95.3 name: control-plane - - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.94.2 - name: control-plane-migrations \ No newline at end of file + - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.95.3 + name: control-plane-migrations diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 28686b771501d4..8e15423d37271e 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
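Review bot: The dex dependency now points at `file://charts/dex` with version `0.0.1`, which drops the only record of the upstream chart release (`0.18.0` from `https://charts.dexidp.io`) that the vendored copy derives from, so a reader can no longer tell which dex chart is shipped or where to look for its updates. Record the origin next to the dependency, e.g. `# vendored from https://charts.dexidp.io, dex chart 0.18.0`, and mention it in the CHANGELOG entry added by this patch. The `annotations.images` list is updated only for the three Chainloop images; if the vendored dex chart pins its own image, it is presumably also a candidate for that list, which is worth confirming against charts/dex/values.yaml (not in this hunk).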
@@ -22,11 +22,7 @@ Compatibility with the following Ingress Controllers has been verified, other co Deploy Chainloop in [development mode](#development) by running ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ - --set development=true \ - --set controlplane.auth.oidc.url=[OIDC URL] \ - --set controlplane.auth.oidc.clientID=[clientID] \ - --set controlplane.auth.oidc.clientSecret=[clientSecret] +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop --set development=true ``` > **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead. 
@@ -152,25 +148,27 @@ The Helm Chart in this mode includes - Chainloop [Artifact proxy](https://github.com/chainloop-dev/chainloop/tree/main/app/artifact-cas) - A PostgreSQL dependency enabled by default - **A pre-configured Hashicorp Vault instance running in development mode (unsealed, in-memory, insecure)** +- **A pre-configured Dex OIDC instance.** -> **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead. +The pre-setup users configuration on the Chart include two users, the information is as follows: +```text +username: sarah@chainloop.local +password: password -During installation, you'll need to provide +username: john@chainloop.local +password: password +``` -- Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information) -- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~ -- ~~ECDSA (ES512) key-pair used for Controlplane to CAS Authentication~~ +The overall OIDC configuration can be found at [dex-values.yaml](./charts/dex/values.yaml) + +> **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead. #### Installation examples for development mode Deploy by leveraging built-in Vault and PostgreSQL instances ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ - --set development=true \ - --set controlplane.auth.oidc.url=[OIDC URL] \ - --set controlplane.auth.oidc.clientID=[clientID] \ - --set controlplane.auth.oidc.clientSecret=[clientSecret] +helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop --set development=true ``` ## AirGap and Relocation Support 
@@ -480,18 +478,20 @@ chainloop config save \ ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| Name | Description | Value | +| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `development` | Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | `false` | ### Common parameters -| Name | Description | Value | -| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `development` | Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. 
It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | `false` | -| `GKEMonitoring.enabled` | Enable GKE podMonitoring (prometheus.io scrape) to scrape the controlplane and CAS /metrics endpoints | `false` | +| Name | Description | Value | +| ------------------- | ------------------------------------------------- | ----- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | ### Secrets Backend @@ -525,6 +525,9 @@ chainloop config save \ | `controlplane.replicaCount` | Number of replicas | `2` | | `controlplane.image.registry` | Image registry | `REGISTRY_NAME` | | `controlplane.image.repository` | Image repository | `REPOSITORY_NAME` | +| `controlplane.containerPorts.http` | controlplane HTTP container port | `8000` | +| `controlplane.containerPorts.grpc` | controlplane gRPC container port | `9000` | +| `controlplane.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` | | `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | | `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | | `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | 
@@ -539,17 +542,14 @@ chainloop config save \ ### Control Plane Database -| Name | Description | Value | -| ---------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------- | -| `controlplane.externalDatabase` | External PostgreSQL configuration. These values are only used when postgresql.enabled is set to false | | -| `controlplane.externalDatabase.host` | Database host | `""` | -| `controlplane.externalDatabase.port` | Database port number | `5432` | -| `controlplane.externalDatabase.user` | Non-root username | `""` | -| `controlplane.externalDatabase.database` | Database name | `""` | -| `controlplane.externalDatabase.password` | Password for the non-root username | `""` | -| `controlplane.sqlProxy.enabled` | Enable sidecar to connect to DB via Google Cloud SQL proxy | `false` | -| `controlplane.sqlProxy.connectionName` | Google Cloud SQL connection name | `""` | -| `controlplane.sqlProxy.resources` | Sidecar container resources | `{}` | +| Name | Description | Value | +| ---------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------ | +| `controlplane.externalDatabase` | External PostgreSQL configuration. These values are only used when postgresql.enabled is set to false | | +| `controlplane.externalDatabase.host` | Database host | `""` | +| `controlplane.externalDatabase.port` | Database port number | `5432` | +| `controlplane.externalDatabase.user` | Non-root username | `""` | +| `controlplane.externalDatabase.database` | Database name | `""` | +| `controlplane.externalDatabase.password` | Password for the non-root username | `""` | ### Control Plane Authentication 
@@ -567,176 +567,300 @@ chainloop config save \ ### Control Plane Networking -| Name | Description | Value | -| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `controlplane.service.type` | Service type | `ClusterIP` | -| `controlplane.service.port` | Service port | `80` | -| `controlplane.service.targetPort` | Service target Port | `http` | -| `controlplane.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between [30000-32767] | | -| `controlplane.serviceAPI.type` | Service type | `ClusterIP` | -| `controlplane.serviceAPI.port` | Service port | `80` | -| `controlplane.serviceAPI.targetPort` | Service target Port | `grpc` | -| `controlplane.serviceAPI.annotations` | Service annotations | | -| `controlplane.serviceAPI.nodePorts.http` | Node port for HTTP. NOTE: choose port between [30000-32767] | | -| `controlplane.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | -| `controlplane.ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `controlplane.ingress.hostname` | Default host for the ingress record | `cp.dev.local` | -| `controlplane.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `controlplane.ingress.path` | Default path for the ingress record | `/` | -| `controlplane.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | -| `controlplane.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | -| `controlplane.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `controlplane.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `controlplane.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `controlplane.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `controlplane.ingress.secrets` | Custom TLS certificates as secrets | `[]` | -| `controlplane.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | -| `controlplane.ingressAPI.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | -| `controlplane.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | -| `controlplane.ingressAPI.hostname` | Default host for the ingress record | `api.cp.dev.local` | -| `controlplane.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `controlplane.ingressAPI.path` | Default path for the ingress record | `/` | -| `controlplane.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| | -| `controlplane.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | -| `controlplane.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `controlplane.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `controlplane.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `controlplane.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `controlplane.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | -| `controlplane.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| Name | Description | Value | +| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `controlplane.service.type` | Service type | `ClusterIP` | +| `controlplane.service.ports.http` | controlplane service HTTP port | `80` | +| `controlplane.service.ports.https` | controlplane service HTTPS port | `443` | +| `controlplane.service.nodePorts.http` | Node port for HTTP | `""` | +| `controlplane.service.nodePorts.https` | Node port for HTTPS | `""` | +| `controlplane.service.clusterIP` | controlplane service Cluster IP | `""` | +| `controlplane.service.loadBalancerIP` | controlplane service Load Balancer IP | `""` | +| `controlplane.service.loadBalancerSourceRanges` | controlplane service Load Balancer sources | `[]` | +| `controlplane.service.externalTrafficPolicy` | controlplane service external traffic policy | `Cluster` | +| `controlplane.service.annotations` | Additional custom annotations for controlplane service | `{}` | +| 
`controlplane.service.extraPorts` | Extra ports to expose in controlplane service (normally used with the `sidecars` value) | `[]` | +| `controlplane.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `controlplane.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `controlplane.serviceAPI.type` | Service type | `ClusterIP` | +| `controlplane.serviceAPI.ports.http` | controlplane service HTTP port | `80` | +| `controlplane.serviceAPI.ports.https` | controlplane service HTTPS port | `443` | +| `controlplane.serviceAPI.nodePorts.http` | Node port for HTTP | `""` | +| `controlplane.serviceAPI.nodePorts.https` | Node port for HTTPS | `""` | +| `controlplane.serviceAPI.clusterIP` | controlplane service Cluster IP | `""` | +| `controlplane.serviceAPI.loadBalancerIP` | controlplane service Load Balancer IP | `""` | +| `controlplane.serviceAPI.loadBalancerSourceRanges` | controlplane service Load Balancer sources | `[]` | +| `controlplane.serviceAPI.externalTrafficPolicy` | controlplane service external traffic policy | `Cluster` | +| `controlplane.serviceAPI.annotations` | Additional custom annotations for controlplane service | | +| `controlplane.serviceAPI.extraPorts` | Extra ports to expose in controlplane service (normally used with the `sidecars` value) | `[]` | +| `controlplane.serviceAPI.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `controlplane.serviceAPI.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `controlplane.ingress.enabled` | Enable ingress record generation for controlplane | `false` | +| `controlplane.ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `controlplane.ingress.hostname` | Default host for the ingress record | `cp.dev.local` | +| `controlplane.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) 
| `""` | +| `controlplane.ingress.path` | Default path for the ingress record | `/` | +| `controlplane.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `controlplane.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `controlplane.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `controlplane.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `controlplane.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `controlplane.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `controlplane.ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `controlplane.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `controlplane.ingressAPI.enabled` | Enable ingress record generation for controlplane | `false` | +| `controlplane.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | +| `controlplane.ingressAPI.hostname` | Default host for the ingress record | `api.cp.dev.local` | +| `controlplane.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `controlplane.ingressAPI.path` | Default path for the ingress record | `/` | +| `controlplane.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| | +| `controlplane.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `controlplane.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `controlplane.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `controlplane.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `controlplane.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `controlplane.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | +| `controlplane.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | ### Controlplane Misc -| Name | Description | Value | -| ------------------------------------------------------------ | ---------------------------------- | ------------ | -| `controlplane.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `controlplane.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `controlplane.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `controlplane.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `controlplane.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `controlplane.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `controlplane.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `controlplane.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| `controlplane.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | -| `controlplane.sentry.dsn` | DSN endpoint | `""` | -| 
`controlplane.sentry.environment` | Environment tag | `production` | +| Name | Description | Value | +| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `controlplane.resourcesPreset` | Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `micro` | +| `controlplane.resources` | Set controlplane container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `controlplane.podSecurityContext.enabled` | Enable controlplane pods' Security Context | `true` | +| `controlplane.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for controlplane pods | `Always` | +| `controlplane.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for controlplane pods | `[]` | +| `controlplane.podSecurityContext.supplementalGroups` | Set filesystem extra groups for controlplane pods | `[]` | +| `controlplane.podSecurityContext.fsGroup` | Set fsGroup in controlplane pods' Security Context | `1001` | +| `controlplane.containerSecurityContext.enabled` | Enabled controlplane container' Security Context | `true` | +| `controlplane.containerSecurityContext.seLinuxOptions` | Set SELinux options in controlplane container | `{}` | +| `controlplane.containerSecurityContext.runAsUser` | Set runAsUser in controlplane container' Security Context | `1001` | +| `controlplane.containerSecurityContext.runAsGroup` | Set runAsGroup in controlplane container' Security Context | `1001` | +| 
`controlplane.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in controlplane container' Security Context | `true` | +| `controlplane.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in controlplane container' Security Context | `true` | +| `controlplane.containerSecurityContext.privileged` | Set privileged in controlplane container' Security Context | `false` | +| `controlplane.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in controlplane container' Security Context | `false` | +| `controlplane.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in controlplane container | `["ALL"]` | +| `controlplane.containerSecurityContext.seccompProfile.type` | Set seccomp profile in controlplane container | `RuntimeDefault` | +| `controlplane.sentry.enabled` | Enable sentry.io alerting | `false` | +| `controlplane.sentry.dsn` | DSN endpoint | `""` | +| `controlplane.sentry.environment` | Environment tag | `production` | ### Keyless signing configuration -| Name | Description | Value | -| ---------------------------------------------------------- | ----------------------------------------------------------------------- | -------- | -| `controlplane.keylessSigning.enabled` | Activates or deactivates the feature | `false` | -| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" and "ejbcaCA" are supported | `fileCA` | -| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | -| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service ("https://host/ejbca") | `""` | -| `controlplane.keylessSigning.ejbcaCA.clientKey` | PEM-encoded the private key for EJBCA cert authentication | `""` | -| `controlplane.keylessSigning.ejbcaCA.clientCert` | PEM-encoded certificate for EJBCA cert authentication | `""` | -| `controlplane.keylessSigning.ejbcaCA.certProfileName` | Name of the certificate profile to use in EJBCA | `""` | -| `controlplane.keylessSigning.ejbcaCA.endEntityProfileName` | Name of the Entity Profile to use in EJBCA | `""` | -| `controlplane.keylessSigning.ejbcaCA.caName` | Name of the CA issuer to use in EJBCA | `""` | -| `controlplane.customCAs` | List of custom CA certificates content | `[]` | +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | +| `controlplane.keylessSigning.enabled` | Activates or deactivates the feature | `false` | +| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" and "ejbcaCA" are supported | `fileCA` | +| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | +| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service ("https://host/ejbca") | `""` | +| `controlplane.keylessSigning.ejbcaCA.clientKey` | PEM-encoded the private key for EJBCA cert authentication | `""` | +| `controlplane.keylessSigning.ejbcaCA.clientCert` | PEM-encoded certificate for EJBCA cert authentication | `""` | +| `controlplane.keylessSigning.ejbcaCA.certProfileName` | Name of the certificate profile to use in EJBCA | `""` | +| `controlplane.keylessSigning.ejbcaCA.endEntityProfileName` | Name of the Entity Profile to use in EJBCA | `""` | +| `controlplane.keylessSigning.ejbcaCA.caName` | Name of the CA issuer to use in EJBCA | `""` | +| `controlplane.customCAs` | List of custom CA certificates content | `[]` | +| `controlplane.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` | +| `controlplane.hostAliases` | controlplane pods host aliases | `[]` | +| `controlplane.deploymentAnnotations` | Annotations for controlplane deployment | `{}` | +| `controlplane.podLabels` | Extra labels for controlplane pods | `{}` | +| `controlplane.podAffinityPreset` | Pod affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `controlplane.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `controlplane.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `controlplane.nodeAffinityPreset.key` | Node label key to match. 
Ignored if `controlplane.affinity` is set | `""` | +| `controlplane.nodeAffinityPreset.values` | Node label values to match. Ignored if `controlplane.affinity` is set | `[]` | +| `controlplane.affinity` | Affinity for controlplane pods assignment | `{}` | +| `controlplane.nodeSelector` | Node labels for controlplane pods assignment | `{}` | +| `controlplane.tolerations` | Tolerations for controlplane pods assignment | `[]` | +| `controlplane.updateStrategy.type` | controlplane deployment strategy type | `RollingUpdate` | +| `controlplane.priorityClassName` | controlplane pods' priorityClassName | `""` | +| `controlplane.topologySpreadConstraints` | Topology Spread Constraints for controlplane pod assignment spread across your cluster among failure-domains | `[]` | +| `controlplane.schedulerName` | Name of the k8s scheduler (other than default) for controlplane pods | `""` | +| `controlplane.terminationGracePeriodSeconds` | Seconds controlplane pods need to terminate gracefully | `""` | +| `controlplane.lifecycleHooks` | for controlplane containers to automate configuration before or after startup | `{}` | +| `controlplane.extraEnvVars` | Array with extra environment variables to add to controlplane containers | `[]` | +| `controlplane.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for controlplane containers | `""` | +| `controlplane.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for controlplane containers | `""` | +| `controlplane.extraVolumes` | Optionally specify extra list of additional volumes for the controlplane pods | `[]` | +| `controlplane.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the controlplane containers | `[]` | +| `controlplane.sidecars` | Add additional sidecar containers to the controlplane pods | `[]` | +| `controlplane.initContainers` | Add additional init containers to the controlplane pods | `[]` | +| `controlplane.pdb.create` | Enable/disable a Pod 
Disruption Budget creation | `true` | +| `controlplane.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `controlplane.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `controlplane.pdb.minAvailable` and `controlplane.pdb.maxUnavailable` are empty. | `""` | +| `controlplane.autoscaling.vpa.enabled` | Enable VPA for controlplane pods | `false` | +| `controlplane.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | +| `controlplane.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` | +| `controlplane.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | +| `controlplane.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | +| `controlplane.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | +| `controlplane.autoscaling.hpa.enabled` | Enable HPA for controlplane pods | `false` | +| `controlplane.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | +| `controlplane.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | +| `controlplane.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | +| `controlplane.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | ### Artifact Content Addressable (CAS) API -| Name | Description | Value | -| --------------------------- | --------------------------------------------------------------------------------------- | ----------------- | -| `cas.replicaCount` | Number of replicas | `2` | -| `cas.image.registry` | Image registry | `REGISTRY_NAME` | -| `cas.image.repository` | Image repository | `REPOSITORY_NAME` | -| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. 
| `""` | +| Name | Description | Value | +| ---------------------------- | --------------------------------------------------------------------------------------- | ----------------- | +| `cas.replicaCount` | Number of replicas | `2` | +| `cas.image.registry` | Image registry | `REGISTRY_NAME` | +| `cas.image.repository` | Image repository | `REPOSITORY_NAME` | +| `cas.containerPorts.http` | controlplane HTTP container port | `8000` | +| `cas.containerPorts.grpc` | controlplane gRPC container port | `9000` | +| `cas.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` | +| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | ### CAS Networking -| Name | Description | Value | -| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `cas.service.type` | Service type | `ClusterIP` | -| `cas.service.port` | Service port | `80` | -| `cas.service.targetPort` | Service target Port | `http` | -| `cas.service.nodePorts.http` | Node port for HTTP. NOTE: choose port between [30000-32767] | | -| `cas.serviceAPI.type` | Service type | `ClusterIP` | -| `cas.serviceAPI.port` | Service port | `80` | -| `cas.serviceAPI.targetPort` | Service target Port | `grpc` | -| `cas.serviceAPI.annotations` | Service annotations | | -| `cas.serviceAPI.nodePorts.http` | Node port for HTTP. 
NOTE: choose port between [30000-32767] | | -| `cas.ingress.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | -| `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` | -| `cas.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `cas.ingress.path` | Default path for the ingress record | `/` | -| `cas.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `cas.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | -| `cas.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `cas.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `cas.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `cas.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `cas.ingress.secrets` | Custom TLS certificates as secrets | `[]` | -| `cas.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | -| `cas.ingressAPI.enabled` | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | `false` | -| `cas.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | -| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cas.dev.local` | -| `cas.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `cas.ingressAPI.path` | Default path for the ingress record | `/` | -| `cas.ingressAPI.annotations` | Additional annotations for the 
Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | | -| `cas.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | -| `cas.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `cas.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `cas.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `cas.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `cas.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | -| `cas.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| Name | Description | Value | +| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `cas.service.type` | Service type | `ClusterIP` | +| `cas.service.ports.http` | cas service HTTP port | `80` | +| `cas.service.ports.https` | cas service HTTPS port | `443` | +| `cas.service.nodePorts.http` | Node port for HTTP | `""` | +| `cas.service.nodePorts.https` | Node port for HTTPS | `""` | +| `cas.service.clusterIP` | cas service Cluster IP | `""` | +| `cas.service.loadBalancerIP` | cas service Load Balancer IP | `""` | +| `cas.service.loadBalancerSourceRanges` | cas service Load Balancer sources | `[]` | +| `cas.service.externalTrafficPolicy` | cas service external traffic policy | `Cluster` | +| `cas.service.annotations` | Additional custom annotations for cas service | `{}` | +| `cas.service.extraPorts` | Extra ports to expose in cas service (normally used with the `sidecars` value) | `[]` | +| 
`cas.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `cas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `cas.serviceAPI.type` | Service type | `ClusterIP` | +| `cas.serviceAPI.ports.http` | cas service HTTP port | `80` | +| `cas.serviceAPI.ports.https` | cas service HTTPS port | `443` | +| `cas.serviceAPI.nodePorts.http` | Node port for HTTP | `""` | +| `cas.serviceAPI.nodePorts.https` | Node port for HTTPS | `""` | +| `cas.serviceAPI.clusterIP` | cas service Cluster IP | `""` | +| `cas.serviceAPI.loadBalancerIP` | cas service Load Balancer IP | `""` | +| `cas.serviceAPI.loadBalancerSourceRanges` | cas service Load Balancer sources | `[]` | +| `cas.serviceAPI.externalTrafficPolicy` | cas service external traffic policy | `Cluster` | +| `cas.serviceAPI.annotations` | Additional custom annotations for cas service | | +| `cas.serviceAPI.extraPorts` | Extra ports to expose in cas service (normally used with the `sidecars` value) | `[]` | +| `cas.serviceAPI.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `cas.serviceAPI.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `cas.ingress.enabled` | Enable ingress record generation for controlplane | `false` | +| `cas.ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `cas.ingress.hostname` | Default host for the ingress record | `cas.dev.local` | +| `cas.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `cas.ingress.path` | Default path for the ingress record | `/` | +| `cas.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | +| `cas.ingress.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `cas.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `cas.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `cas.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `cas.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `cas.ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `cas.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `cas.ingressAPI.enabled` | Enable ingress record generation for controlplane | `false` | +| `cas.ingressAPI.pathType` | Ingress path type | `ImplementationSpecific` | +| `cas.ingressAPI.hostname` | Default host for the ingress record | `api.cas.dev.local` | +| `cas.ingressAPI.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `cas.ingressAPI.path` | Default path for the ingress record | `/` | +| `cas.ingressAPI.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| | +| `cas.ingressAPI.tls` | Enable TLS configuration for the host defined at `controlplane.ingress.hostname` parameter | `false` | +| `cas.ingressAPI.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `cas.ingressAPI.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `cas.ingressAPI.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `cas.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `cas.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` | +| `cas.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` | + +### CAS Misc + +| Name | Description | Value | +| ------------------------ | -------------------------------------- | ------------ | +| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | +| `cas.sentry.dsn` | DSN endpoint | `""` | +| `cas.sentry.environment` | Environment tag | `production` | +| `cas.customCAs` | List of custom CA certificates content | `[]` | ### CAS Misc -| Name | Description | Value | -| --------------------------------------------------- | -------------------------------------- | ------------ | -| `cas.resources.limits.cpu` | Container resource limits CPU | `250m` | -| `cas.resources.limits.memory` | Container resource limits memory | `512Mi` | -| `cas.resources.requests.cpu` | Container resource requests CPU | `250m` | -| `cas.resources.requests.memory` | Container resource requests memory | `512Mi` | -| `cas.autoscaling.enabled` | Enable deployment autoscaling | `false` | -| `cas.autoscaling.minReplicas` | Minimum number of replicas | `1` | -| `cas.autoscaling.maxReplicas` | Maximum number of replicas | `100` | -| `cas.autoscaling.targetCPUUtilizationPercentage` | Target CPU percentage | `80` | -| 
`cas.autoscaling.targetMemoryUtilizationPercentage` | Target CPU memory | `80` | -| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | -| `cas.sentry.dsn` | DSN endpoint | `""` | -| `cas.sentry.environment` | Environment tag | `production` | -| `cas.customCAs` | List of custom CA certificates content | `[]` | +| Name | Description | Value | +| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `cas.resourcesPreset` | Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `micro` | +| `cas.resources` | Set cas container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `cas.podSecurityContext.enabled` | Enable cas pods' Security Context | `true` | +| `cas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for cas pods | `Always` | +| `cas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for cas pods | `[]` | +| `cas.podSecurityContext.supplementalGroups` | Set filesystem extra groups for cas pods | `[]` | +| `cas.podSecurityContext.fsGroup` | Set fsGroup in cas pods' Security Context | `1001` | +| `cas.containerSecurityContext.enabled` | Enabled cas container' Security Context | `true` | +| `cas.containerSecurityContext.seLinuxOptions` | Set SELinux options in cas container | `{}` | +| `cas.containerSecurityContext.runAsUser` | Set runAsUser in cas container' Security Context | `1001` | +| `cas.containerSecurityContext.runAsGroup` | Set runAsGroup in cas container' Security Context | 
`1001` | +| `cas.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in cas container' Security Context | `true` | +| `cas.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in cas container' Security Context | `true` | +| `cas.containerSecurityContext.privileged` | Set privileged in cas container' Security Context | `false` | +| `cas.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in cas container' Security Context | `false` | +| `cas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in cas container | `["ALL"]` | +| `cas.containerSecurityContext.seccompProfile.type` | Set seccomp profile in cas container | `RuntimeDefault` | +| `cas.automountServiceAccountToken` | Mount Service Account token in cas pods | `false` | +| `cas.hostAliases` | cas pods host aliases | `[]` | +| `cas.deploymentAnnotations` | Annotations for cas deployment | `{}` | +| `cas.podLabels` | Extra labels for cas pods | `{}` | +| `cas.podAffinityPreset` | Pod affinity preset. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `cas.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `cas.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `cas.nodeAffinityPreset.key` | Node label key to match. Ignored if `cas.affinity` is set | `""` | +| `cas.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `cas.affinity` is set | `[]` | +| `cas.affinity` | Affinity for cas pods assignment | `{}` | +| `cas.nodeSelector` | Node labels for cas pods assignment | `{}` | +| `cas.tolerations` | Tolerations for cas pods assignment | `[]` | +| `cas.updateStrategy.type` | cas deployment strategy type | `RollingUpdate` | +| `cas.priorityClassName` | cas pods' priorityClassName | `""` | +| `cas.topologySpreadConstraints` | Topology Spread Constraints for cas pod assignment spread across your cluster among failure-domains | `[]` | +| `cas.schedulerName` | Name of the k8s scheduler (other than default) for cas pods | `""` | +| `cas.terminationGracePeriodSeconds` | Seconds cas pods need to terminate gracefully | `""` | +| `cas.lifecycleHooks` | for cas containers to automate configuration before or after startup | `{}` | +| `cas.extraEnvVars` | Array with extra environment variables to add to cas containers | `[]` | +| `cas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for cas containers | `""` | +| `cas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for cas containers | `""` | +| `cas.extraVolumes` | Optionally specify extra list of additional volumes for the cas pods | `[]` | +| `cas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the cas containers | `[]` | +| `cas.sidecars` | Add additional sidecar containers to the cas pods | `[]` | +| `cas.initContainers` | Add additional init containers to the cas pods | `[]` | +| `cas.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `cas.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `cas.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `cas.pdb.minAvailable` and `cas.pdb.maxUnavailable` are empty. 
| `""` | +| `cas.autoscaling.vpa.enabled` | Enable VPA for cas pods | `false` | +| `cas.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | +| `cas.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` | +| `cas.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | +| `cas.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | +| `cas.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | +| `cas.autoscaling.hpa.enabled` | Enable HPA for cas pods | `false` | +| `cas.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | +| `cas.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | +| `cas.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | +| `cas.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | ### Dependencies -| Name | Description | Value | -| ------------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. 
This is useful for setting the server in development mode | `["server","-dev"]` | -| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} +| Name | Description | Value | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} disable_mlock = true ui = true service_registration "kubernetes" {}` | -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. 
Default: [::]:8200 | `[::]:8200` | -| `dex.config.issuer` | The issuer URL of the Identity provider (IDp) | `http://chainloop-dex:5556/dex` | -| `dex.config.storage.type` | Storage type for the dex server | `memory` | -| `dex.config.web.http` | HTTP address for the dex server | `0.0.0.0:5556` | -| `dex.config.staticClients[0].id` | Client ID for the static client | `chainloop-dev` | -| `dex.config.staticClients[0].redirectURIs` | Redirect URIs for the static client | `["http://0.0.0.0:8000/auth/callback","http://localhost:8000/auth/callback"]` | -| `dex.config.staticClients[0].name` | Name for the static client | `Chainloop Dev` | -| `dex.config.staticClients[0].secret` | Secret for the static client | `ZXhhbXBsZS1hcHAtc2VjcmV0` | -| `dex.config.enablePasswordDB` | Enable static passwords | `true` | -| `dex.config.staticPasswords[0].email` | Email for the static password | `john@chainloop.local` | -| `dex.config.staticPasswords[0].hash` | Hash for the static password | `$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W` | -| `dex.config.staticPasswords[1].email` | Email for the static password | `sarah@chainloop.local` | -| `dex.config.staticPasswords[1].hash` | Hash for the static password | `$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | ## License diff --git a/bitnami/chainloop/charts/dex/Chart.lock b/bitnami/chainloop/charts/dex/Chart.lock new file mode 100644 index 00000000000000..84ec4027c190fd --- /dev/null +++ b/bitnami/chainloop/charts/dex/Chart.lock 
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ version: 2.20.5
+digest: sha256:d887f4d52c98e9524f9eb8be04f987acc240288a9c1cf2653cc1b7c221230ee7
+generated: "2024-08-02T13:53:43.065552+02:00"
diff --git a/bitnami/chainloop/charts/dex/Chart.yaml b/bitnami/chainloop/charts/dex/Chart.yaml
new file mode 100644
index 00000000000000..7cce4b32e58747
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/Chart.yaml
@@ -0,0 +1,24 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+apiVersion: v2
+name: dex
+description: Dex is an identity service that uses OpenID Connect to drive authentication for other apps.
+
+type: application
+# Bump the patch (not minor, not major) version on each change in the Chart Source code
+version: 0.0.1
+# Do not update appVersion, this is handled automatically by the release process
+appVersion: v0.0.1
+
+dependencies:
+ - name: common
+ repository: https://charts.bitnami.com/bitnami
+ tags:
+ - bitnami-common
+ version: 2.x.x
+
+annotations:
+ images: |
+ - image: docker.io/bitnami/dex:2.40.0-debian-12-r1
+ name: dex
\ No newline at end of file
diff --git a/bitnami/chainloop/charts/dex/README.md b/bitnami/chainloop/charts/dex/README.md
new file mode 100644
index 00000000000000..15a096978f42b1
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/README.md
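Review bot: `appVersion: v0.0.1` in the new dex Chart.yaml disagrees with the only image the chart pins, `docker.io/bitnami/dex:2.40.0-debian-12-r1` under `annotations.images`, so any tooling that reads appVersion for inventory, SBOM generation or as a default image tag would report a dex release that does not exist. The comment above it says the release process maintains appVersion, but this is a helper subchart vendored under `bitnami/chainloop/charts/` and nothing in the patch shows that automation covering it, so the placeholder is likely to persist. I would set `appVersion: 2.40.0` so the manifest, the image annotation and whatever the subchart's values default to stay in lockstep. Minor: the file is missing its trailing newline (`\ No newline at end of file`).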
@@ -0,0 +1,143 @@ +# Dex Helm Chart +Helper Dex Helm Chart to deploy Chainloop on Kubernetes using the development mode. + +## Parameters + +### Common parameters + +| Name | Description | Value | +| ------------------- | ------------------------------------------ | ----- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | + +### Secrets Backend + +| Name | Description | Value | +| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `dex.image.registry` | Dex image registry | `REGISTRY_NAME` | +| `dex.image.repository` | Dex image repository | `REPOSITORY_NAME/dex` | +| `dex.image.pullPolicy` | Dex image pull policy | `IfNotPresent` | +| `dex.image.pullSecrets` | Dex image pull secrets | `[]` | +| `dex.image.debug` | Enable Dex image debug mode | `false` | +| `dex.replicaCount` | Number of Dex replicas to deploy | `1` | +| `dex.startupProbe.enabled` | Enable startupProbe on Dex nodes | `true` | +| `dex.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `dex.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `dex.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `dex.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` | +| `dex.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `dex.livenessProbe.enabled` | Enable livenessProbe on Dex nodes | `true` | +| `dex.livenessProbe.initialDelaySeconds` | Initial 
delay seconds for livenessProbe | `10` | +| `dex.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `dex.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `dex.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `dex.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `dex.readinessProbe.enabled` | Enable readinessProbe on Dex nodes | `true` | +| `dex.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | +| `dex.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `dex.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `dex.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `dex.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `dex.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `dex.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `dex.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `dex.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). 
| `nano` | +| `dex.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `dex.podSecurityContext.enabled` | Enabled Dex pods' Security Context | `true` | +| `dex.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `dex.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `dex.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `dex.podSecurityContext.fsGroup` | Set Dex pod's Security Context fsGroup | `1001` | +| `dex.containerSecurityContext.enabled` | Enabled Dex containers' Security Context | `true` | +| `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `dex.containerSecurityContext.runAsUser` | Set Dex containers' Security Context runAsUser | `1001` | +| `dex.containerSecurityContext.runAsGroup` | Set Dex containers' Security Context runAsGroup | `1001` | +| `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` | +| `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `true` | +| `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` | +| `dex.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` | +| `dex.containerSecurityContext.privileged` | Set dex container's Security Context privileged | `false` | +| `dex.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `dex.service.type` | Dex service type | `ClusterIP` | +| `dex.service.ports.http` | Dex HTTP service port | `5556` | +| `dex.service.ports.grpc` | Dex grpc service port | `5557` | +| `dex.service.nodePorts.http` | HTTP node port 
for the Dex service | `""` | +| `dex.service.nodePorts.grpc` | gRPC node port for the Dex service | `""` | +| `dex.service.clusterIP` | Dex service Cluster IP | `""` | +| `dex.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | +| `dex.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | +| `dex.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | +| `dex.service.annotations` | Additional custom annotations for Dex service | `{}` | +| `dex.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `dex.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `dex.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `dex.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `dex.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `dex.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `dex.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | +| `dex.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `dex.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | +| `dex.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `dex.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `dex.containerPorts.http` | Dex container HTTP port | `5556` | +| `dex.containerPorts.grpc` | Dex gRPC port | `5557` | +| `dex.containerPorts.metrics` | Dex metrics port | `5558` | +| `dex.metrics.enabled` | Enable metrics service for Dex | `false` | +| `dex.metrics.service.type` | Dex service type | `ClusterIP` | +| `dex.metrics.service.ports.metrics` | Dex metrics service port | `5558` | +| `dex.metrics.service.nodePorts.metrics` | Node port for the Dex service | `""` | +| `dex.metrics.service.clusterIP` | Dex service metrics service Cluster IP | `""` | +| `dex.metrics.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | +| `dex.metrics.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | +| `dex.metrics.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | +| `dex.metrics.service.annotations` | Additional custom annotations for Dex service | `{}` | +| `dex.metrics.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `dex.metrics.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `dex.metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `dex.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| 
`dex.metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `dex.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `dex.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `10s` | +| `dex.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `dex.metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `dex.metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `dex.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `dex.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Dex | `true` | +| `dex.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `dex.serviceAccount.automountServiceAccountToken` | Automount service account token for the Dex service account | `false` | +| `dex.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `dex.command` | Override default container command (useful when using custom images) | `[]` | +| `dex.args` | Override default container args (useful when using custom images) | `[]` | +| `dex.extraArgs` | Add extra args to the default args for Dex | `[]` | +| `dex.automountServiceAccountToken` | Mount Service Account token in pod | `true` | +| `dex.hostAliases` | Dex pods host aliases | `[]` | +| `dex.podLabels` | Extra labels for Dex pods | `{}` | +| `dex.podAnnotations` | Annotations for Dex pods | `{}` | +| `dex.podAffinityPreset` | Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dex.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `dex.affinity` is set. 
Allowed values: `soft` or `hard` | `soft` | +| `dex.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dex.nodeAffinityPreset.key` | Node label key to match. Ignored if `dex.affinity` is set | `""` | +| `dex.nodeAffinityPreset.values` | Node label values to match. Ignored if `dex.affinity` is set | `[]` | +| `dex.affinity` | Affinity for Dex pods assignment | `{}` | +| `dex.nodeSelector` | Node labels for Dex pods assignment | `{}` | +| `dex.tolerations` | Tolerations for Dex pods assignment | `[]` | +| `dex.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `dex.shareProcessNamespace` | Enable shared process namespace in a pod. | `false` | +| `dex.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `dex.updateStrategy.type` | Dex statefulset strategy type | `RollingUpdate` | +| `dex.priorityClassName` | Dex pods' priorityClassName | `""` | +| `dex.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `dex.lifecycleHooks` | for the Dex container(s) to automate configuration before or after startup | `{}` | +| `dex.extraEnvVars` | Array with extra environment variables to add to Dex nodes | `[]` | +| `dex.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Dex nodes | `""` | +| `dex.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Dex nodes | `""` | +| `dex.extraVolumes` | Optionally specify extra list of additional volumes for the Dex pod(s) | `[]` | +| `dex.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Dex container(s) | `[]` | +| `dex.sidecars` | Add additional sidecar containers to the Dex pod(s) | `[]` | +| `dex.initContainers` | Add additional init containers to the Dex pod(s) | `[]` | +| `dex.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `dex.pdb.minAvailable` | Minimum 
number/percentage of pods that should remain scheduled | `""` | +| `dex.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. | `""` | diff --git a/bitnami/chainloop/charts/dex/templates/_helpers.tpl b/bitnami/chainloop/charts/dex/templates/_helpers.tpl new file mode 100644 index 00000000000000..952f3087da58a6 --- /dev/null +++ b/bitnami/chainloop/charts/dex/templates/_helpers.tpl @@ -0,0 +1,42 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* +############################################################################## +Dex helpers +############################################################################## +*/}} + +{{/* +Return the proper Dex image name +*/}} +{{- define "chainloop.dex.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.dex.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper service name for Dex +*/}} +{{- define "chainloop.dex" -}} + {{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create the name of the service account to use for Dex +*/}} +{{- define "chainloop.dex.serviceAccountName" -}} +{{- if .Values.dex.serviceAccount.create -}} + {{ default (printf "%s" (include "common.names.fullname" .)) .Values.dex.serviceAccount.name | trunc 63 | trimSuffix "-" }} +{{- else -}} + {{ default "default" .Values.dex.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Chainloop Dex release name +*/}} +{{- define "chainloop.dex.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}} +{{- end -}} \ No newline at end of file diff --git a/bitnami/chainloop/charts/dex/templates/deployment.yaml b/bitnami/chainloop/charts/dex/templates/deployment.yaml new file mode 100644 index 00000000000000..bcce5e9a1d05b2 --- /dev/null 
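Review bot: `chainloop.dex` wraps `include "common.names.fullname" .` in `printf "%s"`, which is a no-op, and `chainloop.dex.serviceAccountName` repeats the same pattern in its `default` expression; the helper reads more plainly as `{{- include "common.names.fullname" . | trunc 63 | trimSuffix "-" }}`. The two helpers `chainloop.dex` and `chainloop.dex.fullname` resolve to different names (the second appends `-dex`) and are used for different objects in this patch (the Service versus the config Secret), so each definition deserves a comment saying which object it names, e.g. `Name of the Dex Service (subchart fullname)` above the first and `Name prefix for the Dex config Secret (fullname + "-dex")` above the second.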
+++ b/bitnami/chainloop/charts/dex/templates/deployment.yaml 
@@ -0,0 +1,193 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "chainloop.dex" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.dex.replicaCount }} + {{- if .Values.dex.updateStrategy }} + strategy: {{- toYaml .Values.dex.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels $versionLabel ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: dex + template: + metadata: + {{- if .Values.dex.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: dex + spec: + serviceAccountName: {{ include "chainloop.dex.serviceAccountName" . 
}} + {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.dex.image) "context" $) | nindent 6 }} + automountServiceAccountToken: {{ .Values.dex.automountServiceAccountToken }} + {{- if .Values.dex.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.dex.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.dex.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dex.podAffinityPreset "component" "dex" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dex.podAntiAffinityPreset "component" "dex" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.dex.nodeAffinityPreset.type "key" .Values.dex.nodeAffinityPreset.key "values" .Values.dex.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.dex.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.dex.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.dex.schedulerName }} + schedulerName: {{ .Values.dex.schedulerName }} + {{- end }} + {{- if .Values.dex.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.dex.shareProcessNamespace }} + {{- end }} + {{- if .Values.dex.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controller.topologySpreadConstraints "context" .) 
| nindent 8 }} + {{- end }} + {{- if .Values.dex.priorityClassName }} + priorityClassName: {{ .Values.dex.priorityClassName | quote }} + {{- end }} + {{- if .Values.dex.runtimeClassName }} + runtimeClassName: {{ .Values.dex.runtimeClassName }} + {{- end }} + {{- if .Values.dex.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dex.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + initContainers: + {{- if .Values.dex.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: dex + image: {{ include "chainloop.dex.image" . }} + imagePullPolicy: {{ .Values.dex.image.pullPolicy }} + {{- if .Values.dex.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.dex.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.dex.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dex.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.dex.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.dex.command "context" $) | nindent 12 }} + {{- else }} + command: + - /opt/bitnami/dex/bin/dex + - serve + {{- end }} + {{- if .Values.dex.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.dex.args "context" $) | nindent 12 }} + {{- else }} + args: + - /data/conf/config.yaml + {{- if .Values.dex.extraArgs }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraArgs "context" $) | nindent 12 }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.dex.containerPorts.http }} + protocol: TCP + - name: grpc + containerPort: {{ .Values.dex.containerPorts.grpc }} + protocol: TCP + - name: metrics + containerPort: {{ 
.Values.dex.containerPorts.metrics }} + protocol: TCP + env: + {{- if .Values.dex.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.dex.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.dex.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.dex.resources }} + resources: {{- toYaml .Values.dex.resources | nindent 12 }} + {{- else if ne .Values.dex.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.dex.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.dex.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.dex.startupProbe.enabled }} + startupProbe: + httpGet: + path: /dex/.well-known/openid-configuration + port: http + initialDelaySeconds: {{ .Values.dex.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dex.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.startupProbe.successThreshold }} + failureThreshold: {{ .Values.dex.startupProbe.failureThreshold }} + {{- end }} + {{- if .Values.dex.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.dex.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /dex/.well-known/openid-configuration + port: http + initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }} + timeoutSeconds: {{ 
.Values.dex.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.dex.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.dex.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.dex.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /dex/.well-known/openid-configuration + port: http + initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.dex.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /shared + subPath: app-static-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: config + mountPath: /data/conf + {{- if .Values.dex.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.dex.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dex.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: config + secret: + secretName: {{ include "chainloop.dex.fullname" . }}-config + {{- if .Values.dex.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/bitnami/chainloop/charts/dex/templates/metrics-svc.yaml b/bitnami/chainloop/charts/dex/templates/metrics-svc.yaml new file mode 100644 index 00000000000000..0761c4ba8ed697 --- /dev/null +++ b/bitnami/chainloop/charts/dex/templates/metrics-svc.yaml 
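Review bot: The topologySpreadConstraints block is guarded by `.Values.dex.topologySpreadConstraints` but renders `.Values.controller.topologySpreadConstraints`, so setting the documented value likely fails at render time on a missing `.Values.controller` instead of emitting the constraints; the render line should be `topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.dex.topologySpreadConstraints "context" .) | nindent 8 }}`. Separately, the pod spec sets `automountServiceAccountToken: {{ .Values.dex.automountServiceAccountToken }}` with a documented default of `true`, which overrides the `false` configured on the ServiceAccount; with the in-memory storage set in secret.yaml Dex shows no need for an API token here, so a `false` default at the pod level would keep the two settings consistent and the token off the filesystem.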
@@ -0,0 +1,53 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.dex.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.dex" . }}-metrics + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex + {{- if or .Values.commonAnnotations .Values.dex.metrics.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.dex.metrics.service.type }} + {{- if and .Values.dex.metrics.service.clusterIP (eq .Values.dex.metrics.service.type "ClusterIP") }} + clusterIP: {{ .Values.dex.metrics.service.clusterIP }} + {{- end }} + {{- if (or (eq .Values.dex.metrics.service.type "LoadBalancer") (eq .Values.dex.metrics.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.dex.metrics.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if eq .Values.dex.metrics.service.type "LoadBalancer" }} + loadBalancerSourceRanges: {{ .Values.dex.metrics.service.loadBalancerSourceRanges }} + {{- end }} + {{- if (and (eq .Values.dex.metrics.service.type "LoadBalancer") (not (empty .Values.dex.metrics.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.dex.metrics.service.loadBalancerIP }} + {{- end }} + {{- if .Values.dex.metrics.service.sessionAffinity }} + sessionAffinity: {{ 
.Values.dex.metrics.service.sessionAffinity }} + {{- end }} + {{- if .Values.dex.metrics.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dex.metrics.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: metrics + port: {{ coalesce .Values.dex.metrics.service.port .Values.dex.metrics.service.ports.metrics }} + targetPort: metrics + protocol: TCP + {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty (coalesce .Values.dex.metrics.service.nodePort .Values.dex.metrics.service.nodePorts.metrics)))) }} + nodePort: {{ coalesce .Values.dex.metrics.service.nodePort .Values.dex.metrics.service.nodePorts.metrics }} + {{- else if eq .Values.dex.metrics.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dex +{{- end }} diff --git a/bitnami/chainloop/charts/dex/templates/pdb.yaml b/bitnami/chainloop/charts/dex/templates/pdb.yaml new file mode 100644 index 00000000000000..556c5b3bbdbdb5 --- /dev/null +++ b/bitnami/chainloop/charts/dex/templates/pdb.yaml 
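Review bot: The `nodePort` condition tests `.Values.dex.service.type` (the main Service) rather than `.Values.dex.metrics.service.type`, so a NodePort metrics Service with a configured node port gets none, while a NodePort main Service with a ClusterIP metrics Service renders a `nodePort` the API server rejects; both `eq` calls in that `if` should reference `.Values.dex.metrics.service.type`. The `coalesce` calls also fall back to `dex.metrics.service.port` and `dex.metrics.service.nodePort`, neither of which appears in the new README table, where only `ports.metrics` and `nodePorts.metrics` are defined; dropping the undocumented keys keeps the template and docs aligned.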
@@ -0,0 +1,28 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.dex.pdb.create }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "chainloop.dex" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: dex
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.dex.pdb.minAvailable }}
+ minAvailable: {{ .Values.dex.pdb.minAvailable }}
+ {{- end }}
+ {{- if or .Values.dex.pdb.maxUnavailable (not .Values.dex.pdb.minAvailable) }}
+ maxUnavailable: {{ .Values.dex.pdb.maxUnavailable | default 1 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.dex.podLabels .Values.commonLabels) "context" .) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: dex
+{{- end }}
diff --git a/bitnami/chainloop/charts/dex/templates/role.yaml b/bitnami/chainloop/charts/dex/templates/role.yaml
new file mode 100644
index 00000000000000..69719361610047
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/templates/role.yaml
@@ -0,0 +1,28 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+ name: {{ include "chainloop.dex" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
diff --git a/bitnami/chainloop/charts/dex/templates/rolebinding.yaml b/bitnami/chainloop/charts/dex/templates/rolebinding.yaml
new file mode 100644
index 00000000000000..8c4f874ebce0fc
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/templates/rolebinding.yaml
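Review bot: `rbac.rules` is listed in the new README table as custom RBAC rules, but role.yaml never renders it; the rule set is fixed to get/list/watch on every Secret and ConfigMap in the namespace, which is broader than what the Dex configured in this patch needs (in-memory storage, config mounted from its own Secret). Render the value under `rules:` with `{{- if .Values.rbac.rules }}{{- include "common.tplvalues.render" (dict "value" .Values.rbac.rules "context" $) | nindent 2 }}{{- end }}`, and consider either dropping the built-in secrets/configmaps read or scoping it with `resourceNames` so enabling `rbac.create` does not grant namespace-wide Secret reads by default.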
@@ -0,0 +1,25 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.dex.serviceAccount.create .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+ name: {{ include "chainloop.dex" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "chainloop.dex.serviceAccountName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "chainloop.dex" . }}
+{{- end }}
diff --git a/bitnami/chainloop/charts/dex/templates/secret.yaml b/bitnami/chainloop/charts/dex/templates/secret.yaml
new file mode 100644
index 00000000000000..d473b9869aca72
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/templates/secret.yaml
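Review bot: The ServiceAccount subject carries no `namespace`, which RBAC validation requires for subjects of kind ServiceAccount, so the RoleBinding is likely rejected at apply time whenever both `rbac.create` and `dex.serviceAccount.create` are set; add `namespace: {{ include "common.names.namespace" . | quote }}` under the subject's `name`, mirroring the metadata above. The sibling role.yaml is gated on `rbac.create` alone while this binding also requires `dex.serviceAccount.create`, so a pre-existing ServiceAccount named via `dex.serviceAccount.name` gets a Role but never the binding; a short comment on the `if` line noting that an externally managed ServiceAccount must be bound separately would make that deliberate.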
@@ -0,0 +1,38 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "chainloop.dex.fullname" . }}-config
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: dex
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ config.yaml: |
+ issuer: http://chainloop-dex:5556/dex
+
+ storage:
+ type: memory
+
+ web:
+ http: 0.0.0.0:5556
+
+ staticClients:
+ - id: chainloop-dev
+ name: "Chainloop Dev"
+ secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+ redirectURIs:
+ - "http://0.0.0.0:8000/auth/callback"
+ - "http://localhost:8000/auth/callback"
+
+ # required to enable static passwords
+ enablePasswordDB: true
+
+ staticPasswords: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.staticUsers "context" $ ) | nindent 6 }}
diff --git a/bitnami/chainloop/charts/dex/templates/service-account.yaml b/bitnami/chainloop/charts/dex/templates/service-account.yaml
new file mode 100644
index 00000000000000..4314ce4b0e9139
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/templates/service-account.yaml
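Review bot: `issuer: http://chainloop-dex:5556/dex` hard-codes a release name and port, while the Service is named by `include "chainloop.dex" .` and its port comes from `dex.service.ports.http`, so any release not named `chainloop` (or a changed port) publishes an issuer URL that does not resolve and OIDC discovery against the probed `/dex/.well-known/openid-configuration` path fails; derive it instead with `issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.service.ports.http }}/dex`. The static client id, secret and redirect URIs are likewise fixed in the template, and the README hunk at the top of this chunk removes the `dex.config.*` parameters that previously exposed them, while `staticPasswords` reads `.Values.dex.staticUsers`, which is absent from the new dex README table. A comment above `config.yaml:` stating that this is a development-only configuration (in-memory storage, a fixed, publicly known client secret and HTTP-only endpoints) would make the intent explicit for anyone who reaches for this subchart outside that mode.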
@@ -0,0 +1,21 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.dex.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "chainloop.dex.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: dex
+ {{- if or .Values.dex.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.dex.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/bitnami/chainloop/charts/dex/templates/service.yaml b/bitnami/chainloop/charts/dex/templates/service.yaml
new file mode 100644
index 00000000000000..12ef2137cdecbe
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/templates/service.yaml
@@ -0,0 +1,63 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "chainloop.dex" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: dex
+ {{- if or .Values.commonAnnotations .Values.dex.service.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.dex.service.type }}
+ {{- if and .Values.dex.service.clusterIP (eq .Values.dex.service.type "ClusterIP") }}
+ clusterIP: {{ .Values.dex.service.clusterIP }}
+ {{- end }}
+ {{- if (or (eq .Values.dex.service.type "LoadBalancer") (eq .Values.dex.service.type "NodePort")) }}
+ externalTrafficPolicy: {{ .Values.dex.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if eq .Values.dex.service.type "LoadBalancer" }}
+ loadBalancerSourceRanges: {{ .Values.dex.service.loadBalancerSourceRanges }}
+ {{- end }}
+ {{- if (and (eq .Values.dex.service.type "LoadBalancer") (not (empty .Values.dex.service.loadBalancerIP))) }}
+ loadBalancerIP: {{ .Values.dex.service.loadBalancerIP }}
+ {{- end }}
+ {{- if .Values.dex.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.dex.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.dex.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dex.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.dex.service.ports.http }}
+ targetPort: http
+ protocol: TCP
+ {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty .Values.dex.service.nodePorts.http))) }}
+ nodePort: {{ .Values.dex.service.nodePorts.http }}
+ {{- else if eq .Values.dex.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ - name: grpc
+ port: {{ .Values.dex.service.ports.grpc }}
+ targetPort: grpc
+ protocol: TCP
+ {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty .Values.dex.service.nodePorts.grpc))) }}
+ nodePort: {{ .Values.dex.service.nodePorts.grpc }}
+ {{- else if eq .Values.dex.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.dex.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dex.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: dex
\ No newline at end of file
diff --git a/bitnami/chainloop/charts/dex/templates/servicemonitor.yaml b/bitnami/chainloop/charts/dex/templates/servicemonitor.yaml
new file mode 100644
index 00000000000000..ebe274a951d561
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/templates/servicemonitor.yaml
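Review bot: `loadBalancerSourceRanges: {{ .Values.dex.service.loadBalancerSourceRanges }}` prints the Go representation of the list (e.g. `[10.10.10.0/24 10.20.0.0/16]`, constructed example), which YAML reads as a one-element flow sequence, so any list with more than one CIDR renders a single invalid range that the API server will not accept; render it as YAML instead: `loadBalancerSourceRanges: {{- toYaml .Values.dex.service.loadBalancerSourceRanges | nindent 4 }}`. The other structured fields in this template (`sessionAffinityConfig`, `extraPorts`) already go through `common.tplvalues.render`, so this line is the odd one out. The file is also committed without a trailing newline.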
@@ -0,0 +1,49 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.dex.metrics.enabled .Values.dex.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "chainloop.dex" . }}
+ namespace: {{ default include ( "common.names.namespace" . ) .Values.dex.metrics.serviceMonitor.namespace | quote }}
+ {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ {{- if .Values.dex.metrics.serviceMonitor.selector }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dex.metrics.serviceMonitor.selector "context" $) | nindent 4 }}
+ {{- end }}
+ app.kubernetes.io/component: dex
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: {{ .Values.dex.metrics.serviceMonitor.jobLabel | quote }}
+ endpoints:
+ - port: http-metrics
+ path: /metrics
+ {{- if .Values.dex.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.dex.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.dex.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.dex.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.dex.metrics.serviceMonitor.honorLabels }}
+ honorLabels: {{ .Values.dex.metrics.serviceMonitor.honorLabels }}
+ {{- end }}
+ {{- if .Values.dex.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.dex.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ include "common.names.namespace" . }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: dex
+{{- end }}
+
diff --git a/bitnami/chainloop/charts/dex/values.yaml b/bitnami/chainloop/charts/dex/values.yaml
new file mode 100644
index 00000000000000..5cce405837c1fb
--- /dev/null
+++ b/bitnami/chainloop/charts/dex/values.yaml
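Review bot: The `namespace` line is malformed: `default include ( "common.names.namespace" . )` calls `include` with no arguments and treats the string `"common.names.namespace"` as a function, so rendering fails as soon as `dex.metrics.serviceMonitor.enabled` is true; it should read `namespace: {{ default (include "common.names.namespace" .) .Values.dex.metrics.serviceMonitor.namespace | quote }}`. The endpoint scrapes `port: http-metrics`, but the Service added in this commit only declares `http` and `grpc`, so a separate metrics Service is presumably expected — that template is not in this chunk. If it exists, the `selector.matchLabels` here (commonLabels plus the component label) would match the main Service as well unless the metrics Service carries a distinguishing label.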
@@ -0,0 +1,574 @@ +## @section Common parameters +## +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" + +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} + +## @section Secrets Backend +## + +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + +# IMPORTANT: This is not meant to run in production +# Dex server +## Dex configuration running in development mode --set development=true +## +dex: + ## Bitnami Dex image + ## ref: https://hub.docker.com/r/bitnami/argo-cd/tags/ + ## @skip dex.staticUsers[0].email + ## @skip dex.staticUsers[0].hash + ## @skip dex.staticUsers[1].email + ## @skip dex.staticUsers[1].hash + staticUsers: + - email: "john@chainloop.local" + # password: "password" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "sarah@chainloop.local" + # password: "password" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + ## @param dex.image.registry [default: REGISTRY_NAME] Dex image registry + ## @param dex.image.repository [default: REPOSITORY_NAME/dex] Dex image repository + ## @skip dex.image.tag Dex image tag (immutable tags are recommended) + ## @param dex.image.pullPolicy Dex image pull policy + ## @param dex.image.pullSecrets Dex image pull secrets + ## @param dex.image.debug Enable Dex image debug mode + ## + image: + registry: docker.io + repository: bitnami/dex + tag: 2.40.0-debian-12-r1 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + 
pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param dex.replicaCount Number of Dex replicas to deploy + ## + replicaCount: 1 + ## Configure extra options for Dex containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param dex.startupProbe.enabled Enable startupProbe on Dex nodes + ## @param dex.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param dex.startupProbe.periodSeconds Period seconds for startupProbe + ## @param dex.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param dex.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param dex.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.livenessProbe.enabled Enable livenessProbe on Dex nodes + ## @param dex.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param dex.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param dex.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param dex.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param dex.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.readinessProbe.enabled Enable readinessProbe on Dex nodes + ## @param 
dex.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param dex.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param dex.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param dex.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param dex.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param dex.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param dex.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Dex resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param dex.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param dex.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.podSecurityContext.enabled Enabled Dex pods' Security Context + ## @param dex.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param dex.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param dex.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param dex.podSecurityContext.fsGroup Set Dex pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.containerSecurityContext.enabled Enabled Dex containers' Security Context + ## @param dex.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param dex.containerSecurityContext.runAsUser Set Dex containers' Security Context runAsUser + ## @param dex.containerSecurityContext.runAsGroup Set Dex containers' Security Context runAsGroup + ## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation + ## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem + ## @param 
dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot + ## @param dex.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped + ## @param dex.containerSecurityContext.privileged Set dex container's Security Context privileged + ## @param dex.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Dex service parameters + ## + service: + ## @param dex.service.type Dex service type + ## + type: ClusterIP + ## @param dex.service.ports.http Dex HTTP service port + ## @param dex.service.ports.grpc Dex grpc service port + ## + ports: + http: 5556 + grpc: 5557 + ## Node ports to expose + ## @param dex.service.nodePorts.http HTTP node port for the Dex service + ## @param dex.service.nodePorts.grpc gRPC node port for the Dex service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + grpc: "" + ## @param dex.service.clusterIP Dex service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param dex.service.loadBalancerIP Dex service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param dex.service.loadBalancerSourceRanges Dex service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param dex.service.externalTrafficPolicy Dex service external traffic policy + ## ref 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param dex.service.annotations Additional custom annotations for Dex service + ## + annotations: {} + ## @param dex.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param dex.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param dex.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param dex.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param dex.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param dex.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param dex.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param dex.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param dex.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param dex.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param dex.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## Dex container ports + ## @param dex.containerPorts.http Dex container HTTP port + ## @param dex.containerPorts.grpc Dex gRPC port + ## @param dex.containerPorts.metrics Dex metrics port + ## + containerPorts: + http: 5556 + grpc: 5557 + metrics: 5558 + ## Metrics configuration for Dex + ## + metrics: + ## Enable metrics for Argo Dex + ## @param dex.metrics.enabled Enable metrics service for Dex + ## + enabled: false + service: + ## @param dex.metrics.service.type Dex service type + ## + type: ClusterIP + ## @param dex.metrics.service.ports.metrics Dex metrics service port + ## + ports: + metrics: 5558 + ## Node ports to expose + ## @param dex.metrics.service.nodePorts.metrics Node port for the Dex 
service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + metrics: "" + ## @param dex.metrics.service.clusterIP Dex service metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param dex.metrics.service.loadBalancerIP Dex service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param dex.metrics.service.loadBalancerSourceRanges Dex service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param dex.metrics.service.externalTrafficPolicy Dex service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param dex.metrics.service.annotations Additional custom annotations for Dex service + ## + annotations: {} + ## @param dex.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param dex.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Dex metrics service monitor configuration + ## + serviceMonitor: + ## @param dex.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param dex.metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## e.g: + ## namespace: monitoring + ## + 
namespace: "" + ## @param dex.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param dex.metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: 30s + ## @param dex.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: 10s + ## @param dex.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param dex.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param dex.metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param dex.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## ServiceAccount configuration for the Dex + ## + serviceAccount: + ## @param dex.serviceAccount.create Specifies whether a ServiceAccount should be created for Dex + ## + create: true + ## @param dex.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param dex.serviceAccount.automountServiceAccountToken Automount service account token for the Dex service account + ## + automountServiceAccountToken: false + ## @param dex.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {} + ## @param dex.command Override default container command (useful when using custom images) + ## + command: [] + ## @param dex.args Override default container args (useful when using custom images) + ## + args: [] + ## @param dex.extraArgs Add extra args to the default args for Dex + ## + extraArgs: [] + ## @param dex.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: true + ## @param dex.hostAliases Dex pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param dex.podLabels Extra labels for Dex pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param dex.podAnnotations Annotations for Dex pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param dex.podAffinityPreset Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param dex.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `dex.affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node dex.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param dex.nodeAffinityPreset.type Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param dex.nodeAffinityPreset.key Node label key to match. Ignored if `dex.affinity` is set + ## + key: "" + ## @param dex.nodeAffinityPreset.values Node label values to match. Ignored if `dex.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param dex.affinity Affinity for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `dex.podAffinityPreset`, `dex.podAntiAffinityPreset`, and `dex.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param dex.nodeSelector Node labels for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param dex.tolerations Tolerations for Dex pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param dex.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param dex.shareProcessNamespace Enable shared process namespace in a pod. + ## If set to false (default), each container will run in separate namespace, dex will have PID=1. + ## If set to true, the /pause will run as init process and will reap any zombie PIDs, + ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. 
+ ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param dex.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param dex.updateStrategy.type Dex statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param dex.priorityClassName Dex pods' priorityClassName + ## + priorityClassName: "" + ## @param dex.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param dex.lifecycleHooks for the Dex container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param dex.extraEnvVars Array with extra environment variables to add to Dex nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param dex.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Dex nodes + ## + extraEnvVarsCM: "" + ## @param dex.extraEnvVarsSecret Name of existing Secret containing extra env vars for Dex nodes + ## + extraEnvVarsSecret: "" + ## @param dex.extraVolumes Optionally specify extra list of additional volumes for the Dex pod(s) + ## + extraVolumes: [] + ## @param dex.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Dex container(s) + ## + extraVolumeMounts: [] + ## @param dex.sidecars Add additional sidecar containers to the Dex pod(s) + ## e.g: + ## sidecars: + ## - name: 
your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param dex.initContainers Add additional init containers to the Dex pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param dex.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param dex.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param dex.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" \ No newline at end of file diff --git a/bitnami/chainloop/templates/NOTES.txt b/bitnami/chainloop/templates/NOTES.txt index 2285f5513653a5..837ac3ed89326b 100644 --- a/bitnami/chainloop/templates/NOTES.txt +++ b/bitnami/chainloop/templates/NOTES.txt 
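Review bot: `dex.automountServiceAccountToken: true` at pod level contradicts `dex.serviceAccount.automountServiceAccountToken: false`; the pod-spec field takes precedence over the ServiceAccount setting, so if the deployment template (not in this chunk) passes the value through, the Dex pod mounts an API token it has no visible need for, and the pod-level default should be `false` too. Several comments are copied from the Argo CD chart rather than adapted: the image `ref:` points at `bitnami/argo-cd/tags/`, `dex.containerSecurityContext.capabilities.drop` mentions "Argo CD containers' repo server", `dex.metrics` says "Enable metrics for Argo Dex", `dex.updateStrategy.type` calls it a statefulset, and `dex.networkPolicy.extraEgress` is described as "extra ingress rules". The `## @section Secrets Backend` heading sits above the `rbac` block, and the `# IMPORTANT: This is not meant to run in production` line above `dex:` uses a single `#` and refers to `--set development=true`, so it is neither picked up by the parameter docs nor clearly tied to a value that this chunk shows the parent chart still reading.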
@@ -1,28 +1,9 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
 ** Please be patient while the chart is being deployed **
-{{- if .Values.development }}
-
-###########################################################################
- DEVELOPMENT MODE
-###########################################################################
-
-██████╗ ███████╗██╗ ██╗ █████╗ ██████╗ ███████╗
-██╔══██╗██╔════╝██║ ██║██╔══██╗██╔══██╗██╔════╝
-██████╔╝█████╗ ██║ █╗ ██║███████║██████╔╝█████╗
-██╔══██╗██╔══╝ ██║███╗██║██╔══██║██╔══██╗██╔══╝
-██████╔╝███████╗╚███╔███╔╝██║ ██║██║ ██║███████╗
-╚═════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝
-
-Instance running in development mode!
-
-Development mode, by default
-
-- Runs an insecure, unsealed, non-persistent instance of Vault
-- Is configured with development authentication keys
-
-DO NOT USE IT FOR PRODUCTION PURPOSES
-
 ###########################################################################
 CONFIGURE CLI
 ###########################################################################
@@ -34,14 +15,18 @@ Configure the CLI to point to this instance, for example --artifact-cas cas.acme.com:80 Refer to this link for more information -https://docs.chainloop.dev/getting-started/installation#configure-cli-optional +https://docs.chainloop.dev/getting-started/installation#configure-cli-optional ########################################################################### USEFUL LINKS ########################################################################### - GitHub repository: https://github.com/chainloop-dev/chainloop -- Documentation: https://docs.chainloop.dev +- Documentation: https://docs.chainloop.dev + -{{- end }} - +{{- include "common.warnings.rollingTag" .Values.controlplane.image }} +{{- include "common.warnings.rollingTag" .Values.cas.image }} +{{- include "common.warnings.rollingTag" .Values.controlplane.migration.image }} +{{- include "chainloop.validateValues" . }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.controlplane.image .Values.cas.image .Values.controlplane.migration.image) "context" $) }} diff --git a/bitnami/chainloop/templates/_helpers.tpl b/bitnami/chainloop/templates/_helpers.tpl index 6558ce784bb6ba..b9e1fc23cc4e70 100644 --- a/bitnami/chainloop/templates/_helpers.tpl +++ b/bitnami/chainloop/templates/_helpers.tpl 
@@ -144,8 +144,16 @@ Chainloop Controlplane Chart fullname Common labels */}} {{- define "chainloop.controlplane.labels" -}} -{{- include "common.labels.standard" . }} -app.kubernetes.io/part-of: chainloop +{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }} +app.kubernetes.io/component: controlplane +{{- end }} + +-{{/* +-Selector labels +-*/}} +{{- define "chainloop.controlplane.selectorLabels" -}} +{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) }} +{{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" . ) }} app.kubernetes.io/component: controlplane {{- end }} 
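Review bot: The three added lines `-{{/*`, `-Selector labels` and `-*/}}` carry a literal leading `-` that is not template syntax: they sit outside any `define`, so the dash becomes free text in the helper file's (discarded) top-level output and reads like a leftover diff marker from a merge. They should be the plain comment block `{{/*` / `Selector labels` / `*/}}`, the form every other helper comment in this file uses. The same artefact appears again in the CAS selector-labels hunk further down.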
@@ -158,16 +166,33 @@ Migration labels */}} {{- define "chainloop.controlplane.migration.labels" -}} {{- include "common.labels.standard" . }} -app.kubernetes.io/part-of: chainloop app.kubernetes.io/component: controlplane-migration {{- end }} + {{/* -Selector labels +OIDC settings, will fallback to development settings if needed */}} -{{- define "chainloop.controlplane.selectorLabels" -}} -{{- include "common.labels.matchLabels" .}} -app.kubernetes.io/component: controlplane +{{- define "controlplane.oidc_settings" -}} + {{- if .Values.development }} + {{- with .Values.controlplane.auth }} + domain: "{{ coalesce .oidc.url "http://chainloop-dex:5556/dex" }}" + client_id: "{{ coalesce .oidc.clientID "chainloop-dev" }}" + client_secret: "{{ coalesce .oidc.clientSecret "ZXhhbXBsZS1hcHAtc2VjcmV0" }}" + {{- if .oidc.loginURLOverride }} + login_url_override: "{{ .oidc.loginURLOverride }}" + {{- end }} + {{- end }} + {{- else }} + {{- with .Values.controlplane.auth }} + domain: "{{ required "oidc URL endpoint required" .oidc.url }}" + client_id: "{{ required "oidc clientID required" .oidc.clientID }}" + client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}" + {{- if .oidc.loginURLOverride }} + login_url_override: "{{ .oidc.loginURLOverride }}" + {{- end }} + {{- end }} + {{- end }} {{- end }} {{/* 
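Review bot: `chainloop.controlplane.migration.labels` still calls `common.labels.standard` with the bare context, so `.Values.commonLabels` are applied to the controlplane and CAS labels in this change but silently dropped from the migration resources; it should read `{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }}` like its siblings. In the new `controlplane.oidc_settings` helper the development branch falls back to a fixed hostname `chainloop-dex`, which presumably only resolves when the release is named `chainloop`, and to the client secret `ZXhhbXBsZS1hcHAtc2VjcmV0`, which is just base64 of `example-app-secret` and therefore public knowledge. Only `.Values.development` separates that branch from the `required` production one, so the define deserves a comment stating the intent, e.g. `{{/* development=true only: points at the bundled Dex example app; its client secret is public and must never be used outside local testing */}}`.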
@@ -200,22 +225,14 @@ Return the Postgresql connection string for Atlas migration Return the Postgresql hostname */}} {{- define "controlplane.database.host" -}} -{{- if .Values.controlplane.sqlProxy.enabled }} - {{- include "chainloop.sql-proxy.fullname" . -}} -{{- else -}} - {{- ternary (include "chainloop.postgresql.fullname" .) .Values.controlplane.externalDatabase.host .Values.postgresql.enabled -}} -{{- end -}} +{{- ternary (include "chainloop.postgresql.fullname" .) .Values.controlplane.externalDatabase.host .Values.postgresql.enabled -}} {{- end -}} {{/* Return the Postgresql port */}} {{- define "controlplane.database.port" -}} -{{- if .Values.controlplane.sqlProxy.enabled }} - {{- 5432 -}} -{{- else -}} - {{- ternary 5432 .Values.controlplane.externalDatabase.port .Values.postgresql.enabled -}} -{{- end -}} +{{- ternary 5432 .Values.controlplane.externalDatabase.port .Values.postgresql.enabled -}} {{- end -}} {{/* 
@@ -310,52 +327,6 @@ observability: environment: {{ required "Sentry environment required" .environment | quote }} {{- end -}} -{{/* -############################################################################## -sql-proxy helpers -############################################################################## -*/}} - -{{/* -Chainloop sql-proxy release name -*/}} -{{- define "chainloop.sql-proxy.fullname" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) "sql-proxy" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Chainloop sql-proxy Chart fullname -*/}} -{{- define "chainloop.sql-proxy.name" -}} -{{- printf "%s-%s" (include "common.names.name" .) "sql-proxy" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "chainloop.sql-proxy.labels" -}} -{{- include "common.labels.standard" . }} -app.kubernetes.io/part-of: chainloop -app.kubernetes.io/component: sql-proxy -{{- end }} - -{{/* -Migration labels -*/}} -{{- define "chainloop.sql-proxy.migration.labels" -}} -{{- include "common.labels.standard" . }} -app.kubernetes.io/part-of: chainloop -app.kubernetes.io/component: sql-proxy-migration -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "chainloop.sql-proxy.selectorLabels" -}} -{{- include "common.labels.matchLabels" .}} -app.kubernetes.io/component: sql-proxy -{{- end }} - {{/* ############################################################################## CAS Helpers 
@@ -384,16 +355,16 @@ Chainloop CAS Chart fullname Common labels */}} {{- define "chainloop.cas.labels" -}} -{{- include "common.labels.standard" . }} -app.kubernetes.io/part-of: chainloop +{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }} app.kubernetes.io/component: cas {{- end }} -{{/* -Selector labels -*/}} +-{{/* +-Selector labels +-*/}} {{- define "chainloop.cas.selectorLabels" -}} -{{- include "common.labels.matchLabels" .}} +{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .) }} +{{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" . ) }} app.kubernetes.io/component: cas {{- end }} 
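Review bot: The added lines `-{{/*`, `-Selector labels` and `-*/}}` above `chainloop.cas.selectorLabels` carry a stray leading `-`, so the comment block is no longer a comment block but a dash of free text followed by a template comment. Drop the dashes so they read `{{/*` / `Selector labels` / `*/}}`, matching the surrounding helper comments; the same fix applies to the controlplane selector-labels hunk earlier in this file.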
@@ -423,3 +394,26 @@ NOTE: Load balancer service type is not supported {{- printf "http://localhost:%s" $service.nodePorts.http }} {{- end -}} {{- end -}} + +{{/* +Check for Development mode +*/}} +{{- define "chainloop.validateValues.development" -}} +{{- if .Values.development }} +{{- printf "###########################################################################\n DEVELOPMENT MODE\n###########################################################################\n\n██████╗ ███████╗██╗ ██╗ █████╗ ██████╗ ███████╗\n██╔══██╗██╔════╝██║ ██║██╔══██╗██╔══██╗██╔════╝\n██████╔╝█████╗ ██║ █╗ ██║███████║██████╔╝█████╗\n██╔══██╗██╔══╝ ██║███╗██║██╔══██║██╔══██╗██╔══╝\n██████╔╝███████╗╚███╔███╔╝██║ ██║██║ ██║███████╗\n╚═════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚══════╝\n\nInstance running in development mode!\n\nDevelopment mode, by default\n\n- Runs an insecure, unsealed, non-persistent instance of Vault\n- Is configured with development authentication keys\n\n###########################################################################\nPre-configured static users\n###########################################################################\n\nDevelopment configuration comes with two pre-setup users:\n- username: sarah@chainloop.local\n- password: password\n\n- username: john@chainloop.local\n- password: password\n\nDO NOT USE IT FOR PRODUCTION PURPOSES" -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warning messages into a single one +*/}} +{{- define "chainloop.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "chainloop.validateValues.development" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\n\nVALUES VALIDATION:\n%s" $message -}} +{{- end -}} +{{- end -}} 
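Review bot: `chainloop.validateValues` is advisory only: NOTES.txt merely includes it and nothing pipes the result to `fail`, so a release with `development: true` still deploys the unsealed Vault and the `sarah@chainloop.local` / `password` static users the banner describes. That is acceptable for a warning, but the name suggests a hard check, so the define should say what it is; I would add a comment before it along the lines of "Advisory only: the message is printed in NOTES.txt and never aborts the render; hard validation lives in the required calls of the individual helpers." If the chart later needs to block development mode on certain inputs, the usual pattern is a second message list passed through `fail` rather than extending this one.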
diff --git a/bitnami/chainloop/templates/cas/config.configmap.yaml b/bitnami/chainloop/templates/cas/configmap.yaml
similarity index 72%
rename from bitnami/chainloop/templates/cas/config.configmap.yaml
rename to bitnami/chainloop/templates/cas/configmap.yaml
index 80e9e9616f57c4..08dc5f15a8f85e 100644
--- a/bitnami/chainloop/templates/cas/config.configmap.yaml
+++ b/bitnami/chainloop/templates/cas/configmap.yaml
@@ -7,8 +7,11 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ include "chainloop.cas.fullname" . }}
- labels:
- {{- include "chainloop.cas.labels" . | nindent 4 }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
 data:
 server.yaml: |
 server:
diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml
index 27a955a4367053..202cd2131b7675 100644
--- a/bitnami/chainloop/templates/cas/deployment.yaml
+++ b/bitnami/chainloop/templates/cas/deployment.yaml
@@ -3,48 +3,90 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "chainloop.cas.fullname" . }} - labels: - {{- include "chainloop.cas.labels" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.deploymentAnnotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.deploymentAnnotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} spec: - {{- if not .Values.cas.autoscaling.enabled }} + {{- if not .Values.cas.autoscaling.hpa.enabled }} replicas: {{ .Values.cas.replicaCount }} {{- end }} + {{- if .Values.cas.updateStrategy }} + strategy: {{- toYaml .Values.cas.updateStrategy | nindent 4 }} + {{- end }} selector: - matchLabels: - {{- include "chainloop.cas.selectorLabels" . | nindent 6 }} + matchLabels: {{ include "chainloop.cas.selectorLabels" . | nindent 6 }} template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/cas" "/config.configmap.yaml") . | sha256sum }} - checksum/config-secret: {{ include (print $.Template.BasePath "/cas" "/config.secret.yaml") . | sha256sum }} - checksum/public-key-secret: {{ include (print $.Template.BasePath "/cas" "/jwt_public_key.secret.yaml") . | sha256sum }} - labels: - {{- include "chainloop.cas.selectorLabels" . | nindent 8 }} + checksum/config: {{ include (print $.Template.BasePath "/cas" "/configmap.yaml") . | sha256sum }} + checksum/config-secret: {{ include (print $.Template.BasePath "/cas" "/secret-config.yaml") . 
| sha256sum }} + checksum/public-key-secret: {{ include (print $.Template.BasePath "/cas" "/secret-jwt-public-key.yaml") . | sha256sum }} + labels: {{ include "chainloop.cas.labels" . | nindent 8 }} spec: {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.cas.image) "context" $) | nindent 6 }} serviceAccountName: {{ include "chainloop.cas.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.cas.podSecurityContext | nindent 8 }} + automountServiceAccountToken: {{ .Values.cas.automountServiceAccountToken }} + {{- if .Values.cas.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.cas.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.cas.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.cas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .) }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cas.podAffinityPreset "component" "cas" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cas.podAntiAffinityPreset "component" "cas" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.cas.nodeAffinityPreset.type "key" .Values.cas.nodeAffinityPreset.key "values" .Values.cas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.cas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.cas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.cas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.cas.tolerations "context" .) 
| nindent 8 }} + {{- end }} + {{- if .Values.cas.priorityClassName }} + priorityClassName: {{ .Values.cas.priorityClassName | quote }} + {{- end }} + {{- if .Values.cas.schedulerName }} + schedulerName: {{ .Values.cas.schedulerName | quote }} + {{- end }} + {{- if .Values.cas.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.cas.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.cas.podSecurityContext.enabled }} + securityContext: {{- omit .Values.cas.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.cas.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.cas.terminationGracePeriodSeconds }} + {{- end }} + initContainers: + {{- if .Values.cas.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.initContainers "context" $) | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.cas.securityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.containerSecurityContext "context" $) | nindent 12 }} image: {{ include "chainloop.cas.image" . }} imagePullPolicy: {{ .Values.cas.image.pullPolicy }} ports: - name: http - containerPort: 8000 - protocol: TCP - - name: grpc - containerPort: 9000 - protocol: TCP + containerPort: {{ .Values.cas.containerPorts.http }} - name: metrics - containerPort: 5000 - protocol: TCP + containerPort: {{ .Values.cas.containerPorts.metrics }} + - name: grpc + containerPort: {{ .Values.cas.containerPorts.grpc }} + startupProbe: + httpGet: + path: /statusz + port: http + periodSeconds: 5 livenessProbe: httpGet: path: /statusz 
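Review bot: `.Values.cas.podLabels` never reach the pod: the template renders `labels: {{ include "chainloop.cas.labels" . | nindent 8 }}` on the pod metadata, while the merged `$podLabels` are only consulted for the selector and the affinity presets, so user-supplied pod labels (network policies, monitors, cost allocation) are silently dropped. Hoist the merge above `selector:` the way the controlplane deployment in this patch does — `{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .) }}` — and render the pod labels with `labels: {{- include "common.labels.standard" (dict "customLabels" $podLabels "context" $) | nindent 8 }}`. The new `startupProbe` sets `periodSeconds: 5` with no `failureThreshold`, so the container presumably gets the default three attempts (about 15 s) to answer `/statusz` before being restarted; if a longer startup budget was intended, set the threshold explicitly. The container spec continues in the next hunk.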
@@ -53,8 +95,27 @@ spec: httpGet: path: /statusz?readiness=1 port: http - resources: - {{- toYaml .Values.cas.resources | nindent 12 }} + {{- if .Values.cas.resources }} + resources: {{- toYaml .Values.cas.resources | nindent 12 }} + {{- else if ne .Values.cas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.cas.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.cas.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.cas.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.cas.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.cas.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.cas.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVarsSecret "context" $) }} + {{- end }} volumeMounts: - name: config mountPath: "/data/conf" @@ -75,6 +136,12 @@ spec: mountPath: /etc/pki/tls/certs readOnly: true {{- end }} + {{- if .Values.cas.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cas.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.cas.sidecars "context" $) | nindent 8 }} + {{- end }} volumes: - name: config projected: 
@@ -94,7 +161,7 @@ spec: {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} - name: gcp-secretmanager-serviceaccountkey secret: - secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + secretName: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey {{- end }} {{- if (not (empty .Values.cas.customCAs)) }} - name: custom-cas @@ -103,3 +170,6 @@ spec: - secret: name: {{ include "chainloop.cas.fullname" . }}-custom-cas {{- end }} + {{- if .Values.cas.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraVolumes "context" $) | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/gke_monitoring.yaml b/bitnami/chainloop/templates/cas/gke_monitoring.yaml deleted file mode 100644 index 0599ebc1cd6ccc..00000000000000 --- a/bitnami/chainloop/templates/cas/gke_monitoring.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.GKEMonitoring.enabled -}} -apiVersion: monitoring.googleapis.com/v1 -kind: PodMonitoring -metadata: - name: {{ include "chainloop.cas.fullname" . }} -spec: - selector: - matchLabels: - {{- include "chainloop.cas.selectorLabels" . | nindent 6 }} - endpoints: - - port: metrics - interval: 30s -{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/hpa.yaml b/bitnami/chainloop/templates/cas/hpa.yaml index 95dc30af6497a9..93bfecadcc9a56 100644 --- a/bitnami/chainloop/templates/cas/hpa.yaml +++ b/bitnami/chainloop/templates/cas/hpa.yaml 
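Review bot: Switching the mounted Secret to `{{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey` is the right separation (the CAS pod no longer reads the controlplane's GCP service-account key), but it only works if the renamed `cas/secret-gcp-secret-manager.yaml` names its Secret with the same CAS prefix; that template is not in this hunk, so please confirm, otherwise the `gcp-secretmanager-serviceaccountkey` volume fails to mount and the pod never leaves ContainerCreating. A one-line comment on the volume would keep the two names in sync for the next reader, e.g. `# name must match cas/secret-gcp-secret-manager.yaml`.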
@@ -3,43 +3,46 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.cas.autoscaling.enabled }} -apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +{{- if .Values.cas.autoscaling.hpa.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )}} kind: HorizontalPodAutoscaler metadata: - name: {{ include "chainloop.cas.fullname" . }} - labels: - {{- include "chainloop.cas.labels" . | nindent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment - name: {{ include "chainloop.cas.fullname" . }} - minReplicas: {{ .Values.cas.autoscaling.minReplicas }} - maxReplicas: {{ .Values.cas.autoscaling.maxReplicas }} + name: {{ include "common.names.fullname" . }} + minReplicas: {{ .Values.cas.autoscaling.hpa.minReplicas }} + maxReplicas: {{ .Values.cas.autoscaling.hpa.maxReplicas }} metrics: - {{- if .Values.cas.autoscaling.targetCPUUtilizationPercentage }} + {{- if .Values.cas.autoscaling.hpa.targetMemory }} - type: Resource resource: - name: cpu + name: memory {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) 
}} - targetAverageUtilization: {{ .Values.cas.autoscaling.targetCPUUtilizationPercentage }} + targetAverageUtilization: {{ .Values.cas.autoscaling.hpa.targetMemory }} {{- else }} target: type: Utilization - averageUtilization: {{ .Values.cas.autoscaling.targetCPUUtilizationPercentage }} + averageUtilization: {{ .Values.worker.autoscaling.hpa.targetMemory }} {{- end }} {{- end }} - {{- if .Values.cas.autoscaling.targetMemoryUtilizationPercentage }} + {{- if .Values.cas.autoscaling.hpa.targetCPU }} - type: Resource resource: - name: memory + name: cpu {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} - targetAverageUtilization: {{ .Values.cas.autoscaling.targetMemoryUtilizationPercentage }} + targetAverageUtilization: {{ .Values.cas.autoscaling.hpa.targetCPU }} {{- else }} target: type: Utilization - averageUtilization: {{ .Values.cas.autoscaling.targetMemoryUtilizationPercentage }} + averageUtilization: {{ .Values.worker.autoscaling.hpa.targetCPU }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/ingress_grpc.yaml b/bitnami/chainloop/templates/cas/ingress-grpc.yaml similarity index 100% rename from bitnami/chainloop/templates/cas/ingress_grpc.yaml rename to bitnami/chainloop/templates/cas/ingress-grpc.yaml diff --git a/bitnami/chainloop/templates/cas/config.secret.yaml b/bitnami/chainloop/templates/cas/secret-config.yaml similarity index 71% rename from bitnami/chainloop/templates/cas/config.secret.yaml rename to bitnami/chainloop/templates/cas/secret-config.yaml index 57fb8c4aaec264..98f5f2717d0bea 100644 --- a/bitnami/chainloop/templates/cas/config.secret.yaml +++ b/bitnami/chainloop/templates/cas/secret-config.yaml 
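Review bot: The HPA cannot find its target: both `metadata.name` and `scaleTargetRef.name` now use `common.names.fullname`, while the CAS Deployment in this same patch is named `{{ include "chainloop.cas.fullname" . }}`, so the autoscaler points at a Deployment that does not exist and its own name will collide with any other HPA in the chart built from the release fullname. The utilization branches for Kubernetes 1.23 and newer also read `.Values.worker.autoscaling.hpa.targetMemory` and `.Values.worker.autoscaling.hpa.targetCPU`; there is no `worker` section in this chart, so on current clusters `averageUtilization` renders empty and the object is rejected, whereas the `<1.23` branches correctly read from `.Values.cas.autoscaling.hpa`. The rewritten lines are below; everything else in the hunk is unchanged.
```yaml
metadata:
  name: {{ include "chainloop.cas.fullname" . }}
  # … unchanged: namespace, labels, annotations …
spec:
  scaleTargetRef:
    apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
    kind: Deployment
    name: {{ include "chainloop.cas.fullname" . }}
  # … unchanged: minReplicas / maxReplicas …
  metrics:
    {{- if .Values.cas.autoscaling.hpa.targetMemory }}
    # … unchanged: resource name and the <1.23 branch …
        target:
          type: Utilization
          averageUtilization: {{ .Values.cas.autoscaling.hpa.targetMemory }}
    {{- end }}
    {{- if .Values.cas.autoscaling.hpa.targetCPU }}
    # … unchanged: resource name and the <1.23 branch …
        target:
          type: Utilization
          averageUtilization: {{ .Values.cas.autoscaling.hpa.targetCPU }}
    {{- end }}
```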
@@ -7,8 +7,11 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "chainloop.cas.fullname" . }}
- labels:
- {{- include "chainloop.cas.labels" . | nindent 4 }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
 type: Opaque
 stringData:
 {{- if and .Values.cas.sentry .Values.cas.sentry.enabled }}
diff --git a/bitnami/chainloop/templates/cas/customcas.secret.yaml b/bitnami/chainloop/templates/cas/secret-customcas.yaml
similarity index 100%
rename from bitnami/chainloop/templates/cas/customcas.secret.yaml
rename to bitnami/chainloop/templates/cas/secret-customcas.yaml
diff --git a/bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml b/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml
similarity index 100%
rename from bitnami/chainloop/templates/cas/gcp_secret_manager.secret.yaml
rename to bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml
diff --git a/bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml b/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml
similarity index 100%
rename from bitnami/chainloop/templates/cas/jwt_public_key.secret.yaml
rename to bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml
diff --git a/bitnami/chainloop/templates/cas/service-account.yaml b/bitnami/chainloop/templates/cas/service-account.yaml
new file mode 100644
index 00000000000000..d8a5df92c2b791
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/service-account.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "chainloop.cas.serviceAccountName" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+ {{- if or .Values.cas.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
diff --git a/bitnami/chainloop/templates/cas/service-grpc.yaml b/bitnami/chainloop/templates/cas/service-grpc.yaml
new file mode 100644
index 00000000000000..f2b72b7b852282
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/service-grpc.yaml
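Review bot: The new ServiceAccount does not set `automountServiceAccountToken`, so any pod that references it without its own pod-level setting gets an API token mounted by default; the CAS Deployment in this patch does set the flag at pod level, which takes precedence for that pod, but the account-level default is the defence-in-depth other Bitnami charts ship. Add a top-level `automountServiceAccountToken: false` after the `metadata` block (or wire it to a values key if the chart exposes one). Minor style: the closing `{{- end }}` is indented two spaces; harmless because of the trim marker, but it should sit at column 0 like the opening `{{- if`.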
@@ -0,0 +1,52 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.cas.fullname" . }}-api + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.serviceAPI.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.serviceAPI.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.cas.serviceAPI.type }} + {{- if and .Values.cas.serviceAPI.clusterIP (eq .Values.cas.serviceAPI.type "ClusterIP") }} + clusterIP: {{ .Values.cas.serviceAPI.clusterIP }} + {{- end }} + {{- if .Values.cas.serviceAPI.sessionAffinity }} + sessionAffinity: {{ .Values.cas.serviceAPI.sessionAffinity }} + {{- end }} + {{- if .Values.cas.serviceAPI.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.cas.serviceAPI.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.cas.serviceAPI.type "LoadBalancer") (eq .Values.cas.serviceAPI.type "NodePort") }} + externalTrafficPolicy: {{ .Values.cas.serviceAPI.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.cas.serviceAPI.type "LoadBalancer") (not (empty .Values.cas.serviceAPI.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.cas.serviceAPI.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.cas.serviceAPI.type "LoadBalancer") (not (empty .Values.cas.serviceAPI.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.cas.serviceAPI.loadBalancerIP }} + {{- end }} + ports: + - name: grpc + {{- $port := coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http }} + port: {{ $port }} + {{- 
if not (eq $port .Values.cas.containerPorts.grpc) }} + targetPort: {{ .Values.cas.containerPorts.grpc }} + {{- end }} + protocol: TCP + {{- if and (or (eq .Values.cas.serviceAPI.type "NodePort") (eq .Values.cas.serviceAPI.type "LoadBalancer")) (not (empty .Values.cas.serviceAPI.nodePorts.http)) }} + nodePort: {{ .Values.cas.serviceAPI.nodePorts.http }} + {{- else if eq .Values.cas.serviceAPI.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.cas.serviceAPI.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.serviceAPI.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/cas/service-http.yaml b/bitnami/chainloop/templates/cas/service-http.yaml new file mode 100644 index 00000000000000..3526e3917fa238 --- /dev/null +++ b/bitnami/chainloop/templates/cas/service-http.yaml 
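Review bot: `loadBalancerSourceRanges: {{ .Values.cas.serviceAPI.loadBalancerSourceRanges }}` prints the list with Go's default formatting, e.g. `[10.0.0.0/8 192.168.0.0/16]`, which YAML reads as a one-element flow sequence, so an allow-list with more than one CIDR is rejected by the API server instead of restricting who can reach the LoadBalancer; render it as `loadBalancerSourceRanges: {{- toYaml .Values.cas.serviceAPI.loadBalancerSourceRanges | nindent 4 }}`. Separately, this is the gRPC service but its port and nodePort are read from `.Values.cas.serviceAPI.ports.http` and `.Values.cas.serviceAPI.nodePorts.http`; that is consistent with the controlplane configmap in this patch, but a `grpc` key (keeping `http` as a fallback) would make the values file self-describing and avoid someone "fixing" the wrong port later.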
@@ -0,0 +1,52 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.cas.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{ include "chainloop.cas.labels" . | nindent 4 }} + {{- if or .Values.cas.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.service.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.cas.service.type }} + {{- if and .Values.cas.service.clusterIP (eq .Values.cas.service.type "ClusterIP") }} + clusterIP: {{ .Values.cas.service.clusterIP }} + {{- end }} + {{- if .Values.cas.service.sessionAffinity }} + sessionAffinity: {{ .Values.cas.service.sessionAffinity }} + {{- end }} + {{- if .Values.cas.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.cas.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.cas.service.type "LoadBalancer") (eq .Values.cas.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.cas.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.cas.service.type "LoadBalancer") (not (empty .Values.cas.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.cas.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.cas.service.type "LoadBalancer") (not (empty .Values.cas.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.cas.service.loadBalancerIP }} + {{- end }} + ports: + - name: http + {{- $port := coalesce .Values.cas.service.port .Values.cas.service.ports.http }} + port: {{ $port }} + {{- if not (eq $port .Values.cas.containerPorts.http) }} + targetPort: 
{{ .Values.cas.containerPorts.http }} + {{- end }} + protocol: TCP + {{- if and (or (eq .Values.cas.service.type "NodePort") (eq .Values.cas.service.type "LoadBalancer")) (not (empty .Values.cas.service.nodePorts.http)) }} + nodePort: {{ .Values.cas.service.nodePorts.http }} + {{- else if eq .Values.cas.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.cas.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cas.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/cas/service_grpc.yaml b/bitnami/chainloop/templates/cas/service_grpc.yaml deleted file mode 100644 index f8605df1c1e12e..00000000000000 --- a/bitnami/chainloop/templates/cas/service_grpc.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "chainloop.cas.fullname" . }}-api - labels: - {{- include "chainloop.cas.labels" . | nindent 4 }} - {{- with .Values.cas.serviceAPI.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.cas.serviceAPI.type }} - ports: - - port: {{ .Values.cas.serviceAPI.port }} - targetPort: {{ .Values.cas.serviceAPI.targetPort }} - protocol: TCP - name: grpc - nodePort: {{ include "chainloop.node_port" .Values.cas.serviceAPI }} - selector: - {{- include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/cas/service_http.yaml b/bitnami/chainloop/templates/cas/service_http.yaml deleted file mode 100644 index 51c16c26429fcb..00000000000000 --- a/bitnami/chainloop/templates/cas/service_http.yaml +++ /dev/null 
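Review bot: Same rendering problem as the gRPC service: `loadBalancerSourceRanges: {{ .Values.cas.service.loadBalancerSourceRanges }}` emits the slice as `[a b]`, which YAML parses as a single scalar, so a multi-entry allow-list is invalid and the Service never applies the restriction. Use `loadBalancerSourceRanges: {{- toYaml .Values.cas.service.loadBalancerSourceRanges | nindent 4 }}`. A short comment on the line, e.g. `# rendered with toYaml so multi-CIDR lists stay a YAML sequence`, would stop the pattern being copied back.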
@@ -1,24 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "chainloop.cas.fullname" . }} - labels: - {{- include "chainloop.cas.labels" . | nindent 4 }} - {{- with .Values.cas.service.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.cas.service.type }} - ports: - - port: {{ .Values.cas.service.port }} - targetPort: {{ .Values.cas.service.targetPort }} - protocol: TCP - name: http - nodePort: {{ include "chainloop.node_port" .Values.cas.service }} - selector: {{- include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/cas/serviceaccount.yaml b/bitnami/chainloop/templates/cas/serviceaccount.yaml deleted file mode 100644 index adfa3d9e78a08e..00000000000000 --- a/bitnami/chainloop/templates/cas/serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.cas.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "chainloop.cas.serviceAccountName" . }} - labels: - {{- include "chainloop.cas.labels" . | nindent 4 }} - {{- with .Values.cas.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/bitnami/chainloop/templates/controlplane/config.configmap.yaml b/bitnami/chainloop/templates/controlplane/configmap.yaml similarity index 79% rename from bitnami/chainloop/templates/controlplane/config.configmap.yaml rename to bitnami/chainloop/templates/controlplane/configmap.yaml index 8cca05b8ff9cda..582e734a3e3cd3 100644 --- a/bitnami/chainloop/templates/controlplane/config.configmap.yaml +++ b/bitnami/chainloop/templates/controlplane/configmap.yaml 
@@ -7,8 +7,11 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "chainloop.controlplane.fullname" . }} - labels: - {{- include "chainloop.controlplane.labels" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: {{- if .Values.controlplane.auth.allowList }} allow_list.yaml: | @@ -34,7 +37,7 @@ data: {{- end }} cas_server: grpc: - addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) .Values.cas.serviceAPI.port }} + addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) (coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http) }} insecure: {{ empty .Values.cas.tlsConfig.secret.name }} download_url: {{ include "chainloop.cas.external_url" . }}/download plugins_dir: {{ .Values.controlplane.pluginsDir }} diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml index 5186328aca7141..6cb0f8cc349f66 100644 --- a/bitnami/chainloop/templates/controlplane/deployment.yaml +++ b/bitnami/chainloop/templates/controlplane/deployment.yaml 
@@ -3,34 +3,74 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "chainloop.controlplane.fullname" . }} - labels: - {{- include "chainloop.controlplane.labels" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.deploymentAnnotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.deploymentAnnotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} spec: - {{- if not .Values.controlplane.autoscaling.enabled }} + {{- if not .Values.controlplane.autoscaling.hpa.enabled }} replicas: {{ .Values.controlplane.replicaCount }} {{- end }} + {{- if .Values.controlplane.updateStrategy }} + strategy: {{- toYaml .Values.controlplane.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) }} selector: - matchLabels: - {{- include "chainloop.controlplane.selectorLabels" . | nindent 6 }} + matchLabels: {{ include "chainloop.controlplane.selectorLabels" . | nindent 6 }} template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/controlplane" "/config.configmap.yaml") . | sha256sum }} - checksum/secret-config: {{ include (print $.Template.BasePath "/controlplane" "/config.secret.yaml") . | sha256sum }} - checksum/cas-private-key: {{ include (print $.Template.BasePath "/controlplane" "/jwt_cas_private_key.secret.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/controlplane" "/configmap.yaml") . 
| sha256sum }} + checksum/secret-config: {{ include (print $.Template.BasePath "/controlplane" "/secret-config.yaml") . | sha256sum }} + checksum/cas-private-key: {{ include (print $.Template.BasePath "/controlplane" "/secret-jwt-cas-private-key.yaml") . | sha256sum }} kubectl.kubernetes.io/default-container: controlplane - labels: - {{- include "chainloop.controlplane.selectorLabels" . | nindent 8 }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 8 }} spec: {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.controlplane.image .Values.controlplane.migration.image) "context" $) | nindent 6 }} serviceAccountName: {{ include "controlplane.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} + automountServiceAccountToken: {{ .Values.controlplane.automountServiceAccountToken }} + {{- if .Values.controlplane.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controlplane.podAffinityPreset "component" "controlplane" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controlplane.podAntiAffinityPreset "component" "controlplane" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.controlplane.nodeAffinityPreset.type "key" .Values.controlplane.nodeAffinityPreset.key "values" .Values.controlplane.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.controlplane.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict 
"value" .Values.controlplane.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.priorityClassName }} + priorityClassName: {{ .Values.controlplane.priorityClassName | quote }} + {{- end }} + {{- if .Values.controlplane.schedulerName }} + schedulerName: {{ .Values.controlplane.schedulerName | quote }} + {{- end }} + {{- if .Values.controlplane.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.podSecurityContext.enabled }} + securityContext: {{- omit .Values.controlplane.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.controlplane.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.controlplane.terminationGracePeriodSeconds }} + {{- end }} initContainers: + {{- if .Values.controlplane.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.initContainers "context" $) | nindent 8 }} + {{- end }} - name: migrate image: {{ include "chainloop.controlplane.migration.image" . }} imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} 
@@ -49,20 +89,21 @@ spec: key: db_migrate_source containers: - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.controlplane.securityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.containerSecurityContext "context" $) | nindent 12 }} image: {{ include "chainloop.controlplane.image" . }} imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} ports: - name: http - containerPort: 8000 - protocol: TCP + containerPort: {{ .Values.controlplane.containerPorts.http }} - name: metrics - containerPort: 5000 - protocol: TCP + containerPort: {{ .Values.controlplane.containerPorts.metrics }} - name: grpc - containerPort: 9000 - protocol: TCP + containerPort: {{ .Values.controlplane.containerPorts.grpc }} + startupProbe: + httpGet: + path: /statusz + port: http + periodSeconds: 5 livenessProbe: httpGet: path: /statusz 
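Review bot: The new `startupProbe` hard-codes `periodSeconds: 5` with no `failureThreshold`, so the kubelet's default of 3 failures gives the controlplane only about 15 s to answer `/statusz` before it is killed; a slow database connection or plugin load at boot would then produce a restart loop rather than the slow-start tolerance a startup probe is meant to provide. Consider adding `failureThreshold: 30` (or similar) under the probe, or, following the convention the rest of this hunk adopts for resources and security context, driving all three probes from values (`.Values.controlplane.startupProbe` etc.) so operators can tune them. The liveness/readiness probe definitions continue into the next hunk.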
@@ -73,8 +114,27 @@ spec: path: /statusz?readiness=1 port: http periodSeconds: 5 - resources: - {{- toYaml .Values.controlplane.resources | nindent 12 }} + {{- if .Values.controlplane.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.controlplane.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.controlplane.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.controlplane.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.controlplane.resources }} + resources: {{- toYaml .Values.controlplane.resources | nindent 12 }} + {{- else if ne .Values.controlplane.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.controlplane.resourcesPreset) | nindent 12 }} + {{- end }} volumeMounts: - name: config mountPath: /data/conf @@ -105,6 +165,12 @@ spec: mountPath: /etc/pki/tls/certs readOnly: true {{- end }} + {{- if .Values.controlplane.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controlplane.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.sidecars "context" $) | nindent 8 }} + {{- end }} volumes: - name: config projected: 
@@ -145,4 +211,7 @@ spec: - name: ejbca-ca-client secret: secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca + {{- end }} + {{- if .Values.controlplane.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumes "context" $) | nindent 8 }} {{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml b/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml deleted file mode 100644 index dca85b4cc0bb37..00000000000000 --- a/bitnami/chainloop/templates/controlplane/deployment_sqlproxy.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{ if .Values.controlplane.sqlProxy.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "chainloop.sql-proxy.fullname" . }} - labels: - {{- include "chainloop.sql-proxy.labels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: cloud-sql-proxy - labels: - {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 8 }} - spec: - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/component: controlplane - topologyKey: kubernetes.io/hostname - {{- with .Values.controlplane.image.pullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "controlplane.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} - containers: - - - name: cloud-sql-proxy - # It is recommended to use the latest version of the Cloud SQL proxy - # Make sure to update on a regular schedule! - image: gcr.io/cloudsql-docker/gce-proxy:1.33.10 # make sure the use the latest version - command: - - "/cloud_sql_proxy" - # If connecting from a VPC-native GKE cluster, you can use the - # following flag to have the proxy connect over private IP - # - "-ip_address_types=PRIVATE" - - # By default, the proxy will write all logs to stderr. In some - # environments, anything printed to stderr is consider an error. 
To - # disable this behavior and write all logs to stdout (except errors - # which will still go to stderr), use: - - "-log_debug_stdout" - - "-instances={{ .Values.controlplane.sqlProxy.connectionName }}=tcp:0.0.0.0:5432" - securityContext: - runAsNonRoot: true - resources: - {{- toYaml .Values.controlplane.sqlProxy.resources | nindent 12 }} -{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml b/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml deleted file mode 100644 index 1d9c34c4e174ac..00000000000000 --- a/bitnami/chainloop/templates/controlplane/gke_monitoring.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.GKEMonitoring.enabled -}} -apiVersion: monitoring.googleapis.com/v1 -kind: PodMonitoring -metadata: - name: {{ include "chainloop.controlplane.fullname" . }} -spec: - selector: - matchLabels: - {{- include "chainloop.controlplane.selectorLabels" . | nindent 6 }} - endpoints: - - port: metrics - interval: 30s -{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/hpa.yaml b/bitnami/chainloop/templates/controlplane/hpa.yaml index 4125f007cf3b71..6d2608ebfad4c3 100644 --- a/bitnami/chainloop/templates/controlplane/hpa.yaml +++ b/bitnami/chainloop/templates/controlplane/hpa.yaml 
@@ -3,43 +3,46 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.controlplane.autoscaling.enabled }} -apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +{{- if .Values.controlplane.autoscaling.hpa.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )}} kind: HorizontalPodAutoscaler metadata: - name: {{ include "chainloop.controlplane.fullname" . }} - labels: - {{- include "chainloop.controlplane.labels" . | nindent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: - apiVersion: apps/v1 + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment - name: {{ include "chainloop.controlplane.fullname" . }} - minReplicas: {{ .Values.controlplane.autoscaling.minReplicas }} - maxReplicas: {{ .Values.controlplane.autoscaling.maxReplicas }} + name: {{ include "common.names.fullname" . }} + minReplicas: {{ .Values.controlplane.autoscaling.hpa.minReplicas }} + maxReplicas: {{ .Values.controlplane.autoscaling.hpa.maxReplicas }} metrics: - {{- if .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }} + {{- if .Values.controlplane.autoscaling.hpa.targetMemory }} - type: Resource resource: - name: cpu + name: memory {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) 
}} - targetAverageUtilization: {{ .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }} + targetAverageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetMemory }} {{- else }} target: type: Utilization - averageUtilization: {{ .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }} + averageUtilization: {{ .Values.worker.autoscaling.hpa.targetMemory }} {{- end }} {{- end }} - {{- if .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }} + {{- if .Values.controlplane.autoscaling.hpa.targetCPU }} - type: Resource resource: - name: memory + name: cpu {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} - targetAverageUtilization: {{ .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }} + targetAverageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetCPU }} {{- else }} target: type: Utilization - averageUtilization: {{ .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }} + averageUtilization: {{ .Values.worker.autoscaling.hpa.targetCPU }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/ingress_grpc.yaml b/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml similarity index 100% rename from bitnami/chainloop/templates/controlplane/ingress_grpc.yaml rename to bitnami/chainloop/templates/controlplane/ingress-grpc.yaml diff --git a/bitnami/chainloop/templates/controlplane/config.secret.yaml b/bitnami/chainloop/templates/controlplane/secret-config.yaml similarity index 84% rename from bitnami/chainloop/templates/controlplane/config.secret.yaml rename to bitnami/chainloop/templates/controlplane/secret-config.yaml index d8d0637ccf4be9..39a3bea2b703e1 100644 --- a/bitnami/chainloop/templates/controlplane/config.secret.yaml +++ b/bitnami/chainloop/templates/controlplane/secret-config.yaml 
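Review bot: Both `else` branches of the HPA metrics reference `.Values.worker.autoscaling.hpa.targetMemory` and `.Values.worker.autoscaling.hpa.targetCPU`, but this chart has no `worker` section (the visible values.yaml hunks define `controlplane` and `cas`), so on Kubernetes >= 1.23 `averageUtilization:` renders empty and the HPA is rejected; they should read `averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetMemory }}` and `averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetCPU }}` like the `<1.23` branches above them. Separately, `metadata.name` and `scaleTargetRef.name` were switched to `common.names.fullname` while the Deployment in this same commit is still named with `chainloop.controlplane.fullname`; unless those two helpers resolve to the same string (not visible here) the HPA targets a Deployment that does not exist. Also note the stray extra space introduced in `( dict "context" $ )}}`.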
@@ -7,8 +7,11 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "chainloop.controlplane.fullname" . }} - labels: - {{- include "chainloop.controlplane.labels" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} type: Opaque {{- $hmacpass := include "common.secrets.passwords.manage" (dict "secret" (include "chainloop.controlplane.fullname" .) "key" "generated_jws_hmac_secret" "providedValues" (list "controlplane.auth.passphrase") "context" $) }} data: @@ -55,16 +58,7 @@ stringData: credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }} auth: - oidc: - {{- with .Values.controlplane.auth }} - redirect_url_scheme: {{ .redirectURLScheme }} - domain: "{{ required "oidc URL endpoint required" .oidc.url }}" - client_id: "{{ required "oidc clientID required" .oidc.clientID }}" - client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}" - {{- if .oidc.loginURLOverride }} - login_url_override: "{{ .oidc.loginURLOverride }}" - {{- end }} - {{- end }} + oidc: {{- include "controlplane.oidc_settings" . | indent 4 }} # HMAC key used to sign the JWTs generated by the controlplane # The helper returns the base64 quoted value of the secret diff --git a/bitnami/chainloop/templates/controlplane/customcas.secret.yaml b/bitnami/chainloop/templates/controlplane/secret-customcas.yaml similarity index 100% rename from bitnami/chainloop/templates/controlplane/customcas.secret.yaml rename to bitnami/chainloop/templates/controlplane/secret-customcas.yaml 
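Review bot: The inline OIDC block that carried `required` guards for `oidc.url`, `oidc.clientID` and `oidc.clientSecret` is replaced by `include "controlplane.oidc_settings"`, a helper not shown in this patch; please confirm it keeps those `required` checks so that a release with an unset client secret fails at render time instead of producing a Secret with an empty `client_secret`. If the helper already enforces this, a short comment on the new line (`# required url/clientID/clientSecret checks live in controlplane.oidc_settings`) would save the next reader the lookup. Minor: `{{- include ... | indent 4 }}` with a left trim relies on the helper's output starting with a newline; `nindent 4` makes the line self-contained.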
diff --git a/bitnami/chainloop/templates/controlplane/ejbca_ca.secret.yaml b/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml similarity index 100% rename from bitnami/chainloop/templates/controlplane/ejbca_ca.secret.yaml rename to bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml diff --git a/bitnami/chainloop/templates/controlplane/file_ca.secret.yaml b/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml similarity index 100% rename from bitnami/chainloop/templates/controlplane/file_ca.secret.yaml rename to bitnami/chainloop/templates/controlplane/secret-file-ca.yaml diff --git a/bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml b/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml similarity index 100% rename from bitnami/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml rename to bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml diff --git a/bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml b/bitnami/chainloop/templates/controlplane/secret-jwt-cas-private-key.yaml similarity index 100% rename from bitnami/chainloop/templates/controlplane/jwt_cas_private_key.secret.yaml rename to bitnami/chainloop/templates/controlplane/secret-jwt-cas-private-key.yaml diff --git a/bitnami/chainloop/templates/controlplane/service-account.yaml b/bitnami/chainloop/templates/controlplane/service-account.yaml new file mode 100644 index 00000000000000..15410971e77bc7 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/service-account.yaml 
@@ -0,0 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.controlplane.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "controlplane.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.serviceAccount.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} diff --git a/bitnami/chainloop/templates/controlplane/service-grpc.yaml b/bitnami/chainloop/templates/controlplane/service-grpc.yaml new file mode 100644 index 00000000000000..5111ddd4be5f0c --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/service-grpc.yaml 
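Review bot: The new ServiceAccount does not set `automountServiceAccountToken`; the Deployment hunk above sets it per pod, but setting it on the account as well, `automountServiceAccountToken: {{ .Values.controlplane.serviceAccount.automountServiceAccountToken }}`, is the convention in sibling Bitnami charts and also covers any other workload bound to this account, provided values.yaml exposes that key (the visible values hunks do not show it, so it may need adding). Cosmetic: the closing `{{- end }}` is indented by two spaces while the opening `{{- if ... -}}` is at column 0.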
@@ -0,0 +1,52 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-api + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.serviceAPI.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.serviceAPI.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.controlplane.serviceAPI.type }} + {{- if and .Values.controlplane.serviceAPI.clusterIP (eq .Values.controlplane.serviceAPI.type "ClusterIP") }} + clusterIP: {{ .Values.controlplane.serviceAPI.clusterIP }} + {{- end }} + {{- if .Values.controlplane.serviceAPI.sessionAffinity }} + sessionAffinity: {{ .Values.controlplane.serviceAPI.sessionAffinity }} + {{- end }} + {{- if .Values.controlplane.serviceAPI.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.serviceAPI.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (eq .Values.controlplane.serviceAPI.type "NodePort") }} + externalTrafficPolicy: {{ .Values.controlplane.serviceAPI.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (not (empty .Values.controlplane.serviceAPI.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.controlplane.serviceAPI.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (not (empty .Values.controlplane.serviceAPI.loadBalancerIP)) }} + loadBalancerIP: {{ 
.Values.controlplane.serviceAPI.loadBalancerIP }} + {{- end }} + ports: + - name: grpc + {{- $port := coalesce .Values.controlplane.serviceAPI.port .Values.controlplane.serviceAPI.ports.http }} + port: {{ $port }} + {{- if not (eq $port .Values.controlplane.containerPorts.grpc) }} + targetPort: {{ .Values.controlplane.containerPorts.grpc }} + {{- end }} + protocol: TCP + {{- if and (or (eq .Values.controlplane.serviceAPI.type "NodePort") (eq .Values.controlplane.serviceAPI.type "LoadBalancer")) (not (empty .Values.controlplane.serviceAPI.nodePorts.http)) }} + nodePort: {{ .Values.controlplane.serviceAPI.nodePorts.http }} + {{- else if eq .Values.controlplane.serviceAPI.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.controlplane.serviceAPI.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.serviceAPI.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "chainloop.controlplane.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/controlplane/service-http.yaml b/bitnami/chainloop/templates/controlplane/service-http.yaml new file mode 100644 index 00000000000000..1b1a6ad67cb739 --- /dev/null +++ b/bitnami/chainloop/templates/controlplane/service-http.yaml 
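Review bot: `loadBalancerSourceRanges: {{ .Values.controlplane.serviceAPI.loadBalancerSourceRanges }}` emits the list with Go's default formatting, so two or more CIDRs render as `[10.0.0.0/8 192.168.0.0/16]`, which YAML reads as a single scalar and the API server rejects as an invalid CIDR; since this field is the allow-list for an externally exposed gRPC API it should render as proper YAML, `loadBalancerSourceRanges: {{- toYaml .Values.controlplane.serviceAPI.loadBalancerSourceRanges | nindent 4 }}`. The same line appears in the new service-http.yaml in the next hunk. Also, this is the gRPC service but its port is read from `serviceAPI.ports.http` (and the CAS gRPC address in the configmap hunk uses `cas.serviceAPI.ports.http`); a `ports.grpc` key would avoid confusing operators tuning the values.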
@@ -0,0 +1,53 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chainloop.controlplane.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }} + {{- if or .Values.controlplane.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.service.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.controlplane.service.type }} + {{- if and .Values.controlplane.service.clusterIP (eq .Values.controlplane.service.type "ClusterIP") }} + clusterIP: {{ .Values.controlplane.service.clusterIP }} + {{- end }} + {{- if .Values.controlplane.service.sessionAffinity }} + sessionAffinity: {{ .Values.controlplane.service.sessionAffinity }} + {{- end }} + {{- if .Values.controlplane.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.controlplane.service.type "LoadBalancer") (eq .Values.controlplane.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.controlplane.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.controlplane.service.type "LoadBalancer") (not (empty .Values.controlplane.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.controlplane.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.controlplane.service.type "LoadBalancer") (not (empty .Values.controlplane.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.controlplane.service.loadBalancerIP }} + {{- end }} + ports: + 
- name: http + {{- $port := coalesce .Values.controlplane.service.port .Values.controlplane.service.ports.http }} + port: {{ $port }} + {{- if not (eq $port .Values.controlplane.containerPorts.http) }} + targetPort: {{ .Values.controlplane.containerPorts.http }} + {{- end }} + protocol: TCP + {{- if and (or (eq .Values.controlplane.service.type "NodePort") (eq .Values.controlplane.service.type "LoadBalancer")) (not (empty .Values.controlplane.service.nodePorts.http)) }} + nodePort: {{ .Values.controlplane.service.nodePorts.http }} + {{- else if eq .Values.controlplane.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.controlplane.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) | fromYaml }} + selector: {{ include "chainloop.controlplane.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/controlplane/service_grpc.yaml b/bitnami/chainloop/templates/controlplane/service_grpc.yaml deleted file mode 100644 index 880d58002dc562..00000000000000 --- a/bitnami/chainloop/templates/controlplane/service_grpc.yaml +++ /dev/null 
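Review bot: `{{- $podLabels := include "common.tplvalues.merge" ... | fromYaml }}` just before `selector:` is assigned but never used, so it is a dead variable that also makes this service differ from the otherwise identical service-grpc.yaml; either drop the line or, if the intent was a label-based selector, use it (`selector: {{- include "common.labels.matchLabels" (dict "customLabels" $podLabels "context" $) | nindent 4 }}`). The `loadBalancerSourceRanges` rendering issue noted on service-grpc.yaml applies to this file's line as well.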
@@ -1,25 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "chainloop.controlplane.fullname" . }}-api - labels: - {{- include "chainloop.controlplane.labels" . | nindent 4 }} - {{- with .Values.controlplane.serviceAPI.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.controlplane.serviceAPI.type }} - ports: - - port: {{ .Values.controlplane.serviceAPI.port }} - targetPort: {{ .Values.controlplane.serviceAPI.targetPort }} - protocol: TCP - name: grpc - nodePort: {{ include "chainloop.node_port" .Values.controlplane.serviceAPI }} - selector: - {{- include "chainloop.controlplane.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/controlplane/service_http.yaml b/bitnami/chainloop/templates/controlplane/service_http.yaml deleted file mode 100644 index 8a65b952c4abd0..00000000000000 --- a/bitnami/chainloop/templates/controlplane/service_http.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "chainloop.controlplane.fullname" . }} - labels: - {{- include "chainloop.controlplane.labels" . | nindent 4 }} - {{- with .Values.controlplane.service.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.controlplane.service.type }} - ports: - - port: {{ .Values.controlplane.service.port }} - targetPort: {{ .Values.controlplane.service.targetPort }} - protocol: TCP - name: http - nodePort: {{ include "chainloop.node_port" .Values.controlplane.service }} - selector: {{- include "chainloop.controlplane.selectorLabels" . | nindent 4 }} 
diff --git a/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml b/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml deleted file mode 100644 index 681b69da365af1..00000000000000 --- a/bitnami/chainloop/templates/controlplane/service_sql-proxy.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{ if .Values.controlplane.sqlProxy.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "chainloop.sql-proxy.fullname" . }} - labels: - {{- include "chainloop.sql-proxy.labels" . | nindent 4 }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.controlplane.externalDatabase.port }} - targetPort: {{ .Values.controlplane.externalDatabase.port }} - protocol: TCP - name: tpc - selector: - {{- include "chainloop.sql-proxy.selectorLabels" . | nindent 4 }} -{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/templates/controlplane/serviceaccount.yaml b/bitnami/chainloop/templates/controlplane/serviceaccount.yaml deleted file mode 100644 index 425ef00fe6154d..00000000000000 --- a/bitnami/chainloop/templates/controlplane/serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.controlplane.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "controlplane.serviceAccountName" . }} - labels: - {{- include "chainloop.controlplane.labels" . | nindent 4 }} - {{- with .Values.controlplane.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/bitnami/chainloop/templates/extra-list.yaml b/bitnami/chainloop/templates/extra-list.yaml new file mode 100644 index 00000000000000..2dcd26f306bb8d --- /dev/null +++ b/bitnami/chainloop/templates/extra-list.yaml 
@@ -0,0 +1,9 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} \ No newline at end of file diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index a7a40769ee6af3..50ff3384ceadd0 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -1,4 +1,4 @@ -# Copyright Broadcom, Inc. All Rights Reserved. +# Copyright Broadcom Inc. All Rights Reserved. # SPDX-License-Identifier: APACHE-2.0 ## Default values for Chainloop Helm Chart @@ -19,19 +19,27 @@ global: ## imagePullSecrets: [] +## @param development Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases +## +development: false + ## @section Common parameters ## ## @param kubeVersion Override Kubernetes version ## kubeVersion: "" -## @param development Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases +## @param commonAnnotations Annotations to add to all deployed objects ## -development: false +commonAnnotations: {} -## @param GKEMonitoring.enabled Enable GKE podMonitoring (prometheus.io scrape) to scrape the controlplane and CAS /metrics endpoints -GKEMonitoring: - enabled: false +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} + +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] ## @section Secrets Backend ## 
@@ -120,7 +128,17 @@ controlplane: image: registry: ghcr.io repository: chainloop-dev/chainloop/control-plane - tag: "v0.94.2" + tag: "v0.95.3" + + + ## @param controlplane.containerPorts.http controlplane HTTP container port + ## @param controlplane.containerPorts.grpc controlplane gRPC container port + ## @param controlplane.containerPorts.metrics controlplane prometheus metrics container port + ## + containerPorts: + http: 8000 + grpc: 9000 + metrics: 5000 ## @param controlplane.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. tlsConfig: @@ -157,7 +175,7 @@ controlplane: image: registry: ghcr.io repository: chainloop-dev/chainloop/control-plane-migrations - tag: "v0.94.2" + tag: "v0.95.3" # Run the migration job forcing SSL, required in AWS RDS for PostgreSQL 15 ssl: false @@ -187,14 +205,6 @@ controlplane: database: "" password: "" - sqlProxy: - ## @param controlplane.sqlProxy.enabled Enable sidecar to connect to DB via Google Cloud SQL proxy - enabled: false - ## @param controlplane.sqlProxy.connectionName Google Cloud SQL connection name - connectionName: "" - ## @param controlplane.sqlProxy.resources Sidecar container resources - resources: {} - ## @section Control Plane Authentication auth: ## @param controlplane.auth.passphrase Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation 
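Review bot: Removing the `controlplane.sqlProxy` block (hunk `@@ -187,14 +205,6 @@`) leaves any remaining template that reads `.Values.controlplane.sqlProxy.enabled` unable to render; this diff deletes `service_sql-proxy.yaml` but no deployment-side sidecar template is visibly deleted, so please confirm the rest of the chart no longer references the key. In the first hunk the new `containerPorts` block is preceded by two consecutive blank lines after `tag: "v0.95.3"`; one blank line matches the rest of the file.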
@@ -225,36 +235,120 @@ controlplane: service: ## @param controlplane.service.type Service type type: ClusterIP - ## @param controlplane.service.port Service port - port: 80 - ## @param controlplane.service.targetPort Service target Port - targetPort: http - ## @extra controlplane.service.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] - # nodePorts: - # http: "30800" - annotations: - {} - ## @skip controlplane.service.annotations + + ## @param controlplane.service.ports.http controlplane service HTTP port + ## @param controlplane.service.ports.https controlplane service HTTPS port + ## + ports: + http: 80 + https: 443 + ## Node ports to expose + ## @param controlplane.service.nodePorts.http Node port for HTTP + ## @param controlplane.service.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + https: "" + ## @param controlplane.service.clusterIP controlplane service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param controlplane.service.loadBalancerIP controlplane service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param controlplane.service.loadBalancerSourceRanges controlplane service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param controlplane.service.externalTrafficPolicy controlplane service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param controlplane.service.annotations Additional custom annotations for controlplane service + ## + annotations: {} + ## @param 
controlplane.service.extraPorts Extra ports to expose in controlplane service (normally used with the `sidecars` value) + ## + extraPorts: [] + ## @param controlplane.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param controlplane.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} serviceAPI: ## @param controlplane.serviceAPI.type Service type type: ClusterIP - ## @param controlplane.serviceAPI.port Service port - port: 80 - ## @param controlplane.serviceAPI.targetPort Service target Port - targetPort: grpc - ## @extra controlplane.serviceAPI.annotations Service annotations + + ## @param controlplane.serviceAPI.ports.http controlplane service HTTP port + ## @param controlplane.serviceAPI.ports.https controlplane service HTTPS port + ## + ports: + http: 80 + https: 443 + ## Node ports to expose + ## @param controlplane.serviceAPI.nodePorts.http Node port for HTTP + ## @param controlplane.serviceAPI.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + https: "" + ## @param controlplane.serviceAPI.clusterIP controlplane service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param controlplane.serviceAPI.loadBalancerIP controlplane service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param controlplane.serviceAPI.loadBalancerSourceRanges controlplane service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + 
loadBalancerSourceRanges: [] + ## @param controlplane.serviceAPI.externalTrafficPolicy controlplane service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @extra controlplane.serviceAPI.annotations Additional custom annotations for controlplane service + ## annotations: ## @skip controlplane.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme - traefik.ingress.kubernetes.io/service.serversscheme: h2c - - ## @extra controlplane.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] - # nodePorts: - # http: "30900" + traefik.ingress.kubernetes.io/service.serversscheme: h2c + ## @param controlplane.serviceAPI.extraPorts Extra ports to expose in controlplane service (normally used with the `sidecars` value) + ## + extraPorts: [] + ## @param controlplane.serviceAPI.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param controlplane.serviceAPI.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} ## ref: http://kubernetes.io/docs/user-guide/ingress/ ingress: - ## @param controlplane.ingress.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## @param controlplane.ingress.enabled Enable ingress record generation for controlplane ## enabled: false ## @param controlplane.ingress.pathType Ingress path type 
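Review bot: The new `controlplane.serviceAPI.ports` block documents `http`/`https` ports, but this service fronts the gRPC listener (the removed `targetPort: grpc` and the retained `traefik.ingress.kubernetes.io/service.serversscheme: h2c` annotation show that), so a default `https: 443` alongside an `h2c` scheme is contradictory unless the service template maps it to a TLS-terminating container port, which is not visible here. Please document the actual protocol, e.g. `## @param controlplane.serviceAPI.ports.http controlplane gRPC (h2c) service port`, and state how `ports.https` relates to `tlsConfig.secret.name`. The same applies to `cas.serviceAPI.ports` in hunk `@@ -569,36 +873,121 @@`.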
@@ -354,7 +448,7 @@ controlplane: ## ref: http://kubernetes.io/docs/user-guide/ingress/ ingressAPI: - ## @param controlplane.ingressAPI.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## @param controlplane.ingressAPI.enabled Enable ingress record generation for controlplane ## enabled: false ## @param controlplane.ingressAPI.pathType Ingress path type 
@@ -458,33 +552,64 @@ controlplane: ## @section Controlplane Misc - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param controlplane.resources.limits.cpu Container resource limits CPU - ## @param controlplane.resources.limits.memory Container resource limits memory - ## @param controlplane.resources.requests.cpu Container resource requests CPU - ## @param controlplane.resources.requests.memory Container resource requests memory - resources: - # GKE auto-pilot min - # https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests - requests: - cpu: 250m - memory: 512Mi - limits: - cpu: 250m - memory: 512Mi - - ## Deployment autoscaling - ## @param controlplane.autoscaling.enabled Enable deployment autoscaling - ## @param controlplane.autoscaling.minReplicas Minimum number of replicas - ## @param controlplane.autoscaling.maxReplicas Maximum number of replicas - ## @param controlplane.autoscaling.targetCPUUtilizationPercentage Target CPU percentage - ## @param controlplane.autoscaling.targetMemoryUtilizationPercentage Target CPU memory - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: 80 + ## Init container's resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param controlplane.resourcesPreset Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param controlplane.resources Set controlplane container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param controlplane.podSecurityContext.enabled Enable controlplane pods' Security Context + ## @param controlplane.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy for controlplane pods + ## @param controlplane.podSecurityContext.sysctls Set kernel settings using the sysctl interface for controlplane pods + ## @param controlplane.podSecurityContext.supplementalGroups Set filesystem extra groups for controlplane pods + ## @param controlplane.podSecurityContext.fsGroup Set fsGroup in controlplane pods' Security Context + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param controlplane.containerSecurityContext.enabled Enabled controlplane container' Security Context + ## @param controlplane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in controlplane container + ## @param controlplane.containerSecurityContext.runAsUser Set runAsUser in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.runAsGroup Set runAsGroup in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.runAsNonRoot Set 
runAsNonRoot in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.privileged Set privileged in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in controlplane container' Security Context + ## @param controlplane.containerSecurityContext.capabilities.drop List of capabilities to be dropped in controlplane container + ## @param controlplane.containerSecurityContext.seccompProfile.type Set seccomp profile in controlplane container + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## @param controlplane.sentry.enabled Enable sentry.io alerting ## @param controlplane.sentry.dsn DSN endpoint 
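Review bot: The `controlplane.resourcesPreset` description is copied from an init-container chart: it talks about the "init container" and says the preset is ignored when `volumePermissions.resources` is set, but the parameter governs the controlplane container and is overridden by `controlplane.resources`; its allowed-values list also omits `micro`, which is the default set two lines below. Suggested wording: `## @param controlplane.resourcesPreset Set controlplane container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controlplane.resources is set (controlplane.resources is recommended for production).` The same copy-paste appears for `cas.resourcesPreset` in hunk `@@ -850,6 +1211,238 @@`. The hardened `containerSecurityContext` defaults (`runAsNonRoot`, `readOnlyRootFilesystem: true`, `drop: ["ALL"]`, `RuntimeDefault`) are good; since the root filesystem is now read-only, the deployment template, which is outside this hunk, presumably needs writable emptyDir mounts for any path the process writes to — worth confirming.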
@@ -533,6 +658,176 @@ controlplane: ## @param controlplane.customCAs List of custom CA certificates content customCAs: [] + ## @param controlplane.automountServiceAccountToken Mount Service Account token in controlplane pods + ## + automountServiceAccountToken: false + + ## @param controlplane.hostAliases controlplane pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + + ## @param controlplane.deploymentAnnotations Annotations for controlplane deployment + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + deploymentAnnotations: {} + + ## @param controlplane.podLabels Extra labels for controlplane pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + + ## @param controlplane.podAffinityPreset Pod affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param controlplane.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node controlplane.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + + ## Node controlplane.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param controlplane.nodeAffinityPreset.type Node affinity preset type. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param controlplane.nodeAffinityPreset.key Node label key to match. 
Ignored if `controlplane.affinity` is set + ## + key: "" + ## @param controlplane.nodeAffinityPreset.values Node label values to match. Ignored if `controlplane.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param controlplane.affinity Affinity for controlplane pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `controlplane.podAffinityPreset`, `controlplane.podAntiAffinityPreset`, and `controlplane.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param controlplane.nodeSelector Node labels for controlplane pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param controlplane.tolerations Tolerations for controlplane pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## @param controlplane.updateStrategy.type controlplane deployment strategy type + updateStrategy: + ## Can be set to RollingUpdate or Recreate + type: RollingUpdate + ## @param controlplane.priorityClassName controlplane pods' priorityClassName + ## + priorityClassName: "" + ## @param controlplane.topologySpreadConstraints Topology Spread Constraints for controlplane pod assignment spread across your cluster among failure-domains + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param controlplane.schedulerName Name of the k8s scheduler (other than default) for controlplane pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param controlplane.terminationGracePeriodSeconds Seconds controlplane pods need to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + 
## + terminationGracePeriodSeconds: "" + ## @param controlplane.lifecycleHooks for controlplane containers to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param controlplane.extraEnvVars Array with extra environment variables to add to controlplane containers + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param controlplane.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for controlplane containers + ## + extraEnvVarsCM: "" + ## @param controlplane.extraEnvVarsSecret Name of existing Secret containing extra env vars for controlplane containers + ## + extraEnvVarsSecret: "" + ## @param controlplane.extraVolumes Optionally specify extra list of additional volumes for the controlplane pods + ## + extraVolumes: [] + ## @param controlplane.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the controlplane containers + ## + extraVolumeMounts: [] + ## @param controlplane.sidecars Add additional sidecar containers to the controlplane pods + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## @param controlplane.initContainers Add additional init containers to the controlplane pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param controlplane.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param controlplane.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param controlplane.pdb.maxUnavailable Maximum number/percentage of 
pods that may be made unavailable. Defaults to `1` if both `controlplane.pdb.minAvailable` and `controlplane.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## Autoscaling configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/ + ## + autoscaling: + ## @param controlplane.autoscaling.vpa.enabled Enable VPA for controlplane pods + ## @param controlplane.autoscaling.vpa.annotations Annotations for VPA resource + ## @param controlplane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + ## @param controlplane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod + ## @param controlplane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod + ## + vpa: + enabled: false + annotations: {} + controlledResources: [] + maxAllowed: {} + minAllowed: {} + ## @param controlplane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy + ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod + ## Possible values are "Off", "Initial", "Recreate", and "Auto". + ## + updatePolicy: + updateMode: Auto + ## @param controlplane.autoscaling.hpa.enabled Enable HPA for controlplane pods + ## @param controlplane.autoscaling.hpa.minReplicas Minimum number of replicas + ## @param controlplane.autoscaling.hpa.maxReplicas Maximum number of replicas + ## @param controlplane.autoscaling.hpa.targetCPU Target CPU utilization percentage + ## @param controlplane.autoscaling.hpa.targetMemory Target Memory utilization percentage + ## + hpa: + enabled: false + minReplicas: "" + maxReplicas: "" + targetCPU: "" + targetMemory: "" + ## @section Artifact Content Addressable (CAS) API ################################## # Artifacts CAS # 
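Review bot: The comment header `## Node controlplane.affinity preset` with its `ref:` line is emitted twice in a row before `nodeAffinityPreset:`; the first copy should be dropped. The `@param controlplane.updateStrategy.type` line sits above the parent `updateStrategy:` key while the explanatory comment sits inside it; placing both next to `type: RollingUpdate` keeps the README generator and the reader aligned. Defaulting `automountServiceAccountToken` to `false` is a sound least-privilege choice.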
@@ -547,7 +842,16 @@ cas: image: registry: ghcr.io repository: chainloop-dev/chainloop/artifact-cas - tag: "v0.94.2" + tag: "v0.95.3" + + ## @param cas.containerPorts.http controlplane HTTP container port + ## @param cas.containerPorts.grpc controlplane gRPC container port + ## @param cas.containerPorts.metrics controlplane prometheus metrics container port + ## + containerPorts: + http: 8000 + grpc: 9000 + metrics: 5000 ## @param cas.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. tlsConfig: 
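Review bot: The three new `cas.containerPorts.*` descriptions say "controlplane HTTP container port" etc. although they belong to the CAS; they should read `## @param cas.containerPorts.http cas HTTP container port`, `## @param cas.containerPorts.grpc cas gRPC container port` and `## @param cas.containerPorts.metrics cas prometheus metrics container port`. The adjacent context line for `cas.tlsConfig.secret.name` carries the same "controlplane grpc server" wording and could be fixed while touching this block.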
@@ -569,36 +873,121 @@ cas: service: ## @param cas.service.type Service type type: ClusterIP - ## @param cas.service.port Service port - port: 80 - ## @param cas.service.targetPort Service target Port - targetPort: http - ## @extra cas.service.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] - # nodePorts: - # http: "30800" - annotations: - {} - ## @skip cas.service.annotations + + ## @param cas.service.ports.http cas service HTTP port + ## @param cas.service.ports.https cas service HTTPS port + ## + ports: + http: 80 + https: 443 + ## Node ports to expose + ## @param cas.service.nodePorts.http Node port for HTTP + ## @param cas.service.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + https: "" + ## @param cas.service.clusterIP cas service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param cas.service.loadBalancerIP cas service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param cas.service.loadBalancerSourceRanges cas service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param cas.service.externalTrafficPolicy cas service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param cas.service.annotations Additional custom annotations for cas service + ## + annotations: {} + ## @param cas.service.extraPorts Extra ports to expose in cas service (normally used with the `sidecars` value) + ## + extraPorts: [] + ## @param cas.service.sessionAffinity Control where client requests go, to the same pod 
or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param cas.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} serviceAPI: ## @param cas.serviceAPI.type Service type type: ClusterIP - ## @param cas.serviceAPI.port Service port - port: 80 - ## @param cas.serviceAPI.targetPort Service target Port - targetPort: grpc - ## @extra cas.serviceAPI.annotations Service annotations + + ## @param cas.serviceAPI.ports.http cas service HTTP port + ## @param cas.serviceAPI.ports.https cas service HTTPS port + ## + ports: + http: 80 + https: 443 + ## Node ports to expose + ## @param cas.serviceAPI.nodePorts.http Node port for HTTP + ## @param cas.serviceAPI.nodePorts.https Node port for HTTPS + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + https: "" + ## @param cas.serviceAPI.clusterIP cas service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param cas.serviceAPI.loadBalancerIP cas service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param cas.serviceAPI.loadBalancerSourceRanges cas service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param cas.serviceAPI.externalTrafficPolicy cas service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @extra cas.serviceAPI.annotations Additional custom annotations for cas service + ## annotations: ## @skip 
cas.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme - traefik.ingress.kubernetes.io/service.serversscheme: h2c + traefik.ingress.kubernetes.io/service.serversscheme: h2c + ## @param cas.serviceAPI.extraPorts Extra ports to expose in cas service (normally used with the `sidecars` value) + ## + extraPorts: [] + ## @param cas.serviceAPI.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param cas.serviceAPI.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} - ## @extra cas.serviceAPI.nodePorts.http Node port for HTTP. NOTE: choose port between [30000-32767] - # nodePorts: - # http: "30901" ## ref: http://kubernetes.io/docs/user-guide/ingress/ ingress: - ## @param cas.ingress.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## @param cas.ingress.enabled Enable ingress record generation for controlplane ## enabled: false ## @param cas.ingress.pathType Ingress path type @@ -698,7 +1087,7 @@ cas: ## ref: http://kubernetes.io/docs/user-guide/ingress/ ingressAPI: - ## @param cas.ingressAPI.enabled Enable ingress record generation for %%MAIN_CONTAINER_NAME%% + ## @param cas.ingressAPI.enabled Enable ingress record generation for controlplane ## enabled: false ## @param cas.ingressAPI.pathType Ingress path type 
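Review bot: Replacing `%%MAIN_CONTAINER_NAME%%` with "controlplane" in `cas.ingress.enabled` (this hunk) and `cas.ingressAPI.enabled` (hunk `@@ -698,7 +1087,7 @@`) is a copy-paste slip, since these ingress records are generated for the CAS; the lines should read `## @param cas.ingress.enabled Enable ingress record generation for cas` and `## @param cas.ingressAPI.enabled Enable ingress record generation for cas`.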
@@ -810,34 +1199,6 @@ cas: extraRules: [] ## @section CAS Misc - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param cas.resources.limits.cpu Container resource limits CPU - ## @param cas.resources.limits.memory Container resource limits memory - ## @param cas.resources.requests.cpu Container resource requests CPU - ## @param cas.resources.requests.memory Container resource requests memory - resources: - # GKE auto-pilot min - # https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests - requests: - cpu: 250m - memory: 512Mi - limits: - cpu: 250m - memory: 512Mi - - ## Deployment autoscaling - ## @param cas.autoscaling.enabled Enable deployment autoscaling - ## @param cas.autoscaling.minReplicas Minimum number of replicas - ## @param cas.autoscaling.maxReplicas Maximum number of replicas - ## @param cas.autoscaling.targetCPUUtilizationPercentage Target CPU percentage - ## @param cas.autoscaling.targetMemoryUtilizationPercentage Target CPU memory - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: 80 - ## @param cas.sentry.enabled Enable sentry.io alerting ## @param cas.sentry.dsn DSN endpoint ## @param cas.sentry.environment Environment tag 
@@ -850,6 +1211,238 @@ cas: ## @param cas.customCAs List of custom CA certificates content customCAs: [] + ## @section CAS Misc + + ## Init container's resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param cas.resourcesPreset Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param cas.resources Set cas container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param cas.podSecurityContext.enabled Enable cas pods' Security Context + ## @param cas.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy for cas pods + ## @param cas.podSecurityContext.sysctls Set kernel settings using the sysctl interface for cas pods + ## @param cas.podSecurityContext.supplementalGroups Set filesystem extra groups for cas pods + ## @param cas.podSecurityContext.fsGroup Set fsGroup in cas pods' Security Context + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param cas.containerSecurityContext.enabled Enabled cas container' Security Context + ## @param 
cas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in cas container + ## @param cas.containerSecurityContext.runAsUser Set runAsUser in cas container' Security Context + ## @param cas.containerSecurityContext.runAsGroup Set runAsGroup in cas container' Security Context + ## @param cas.containerSecurityContext.runAsNonRoot Set runAsNonRoot in cas container' Security Context + ## @param cas.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in cas container' Security Context + ## @param cas.containerSecurityContext.privileged Set privileged in cas container' Security Context + ## @param cas.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in cas container' Security Context + ## @param cas.containerSecurityContext.capabilities.drop List of capabilities to be dropped in cas container + ## @param cas.containerSecurityContext.seccompProfile.type Set seccomp profile in cas container + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + + ## @param cas.automountServiceAccountToken Mount Service Account token in cas pods + ## + automountServiceAccountToken: false + + ## @param cas.hostAliases cas pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + + ## @param cas.deploymentAnnotations Annotations for cas deployment + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + deploymentAnnotations: {} + + ## @param cas.podLabels Extra labels for cas pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + + ## @param cas.podAffinityPreset Pod affinity preset. 
Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param cas.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node cas.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + + ## Node cas.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param cas.nodeAffinityPreset.type Node affinity preset type. Ignored if `cas.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param cas.nodeAffinityPreset.key Node label key to match. Ignored if `cas.affinity` is set + ## + key: "" + ## @param cas.nodeAffinityPreset.values Node label values to match. Ignored if `cas.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param cas.affinity Affinity for cas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `cas.podAffinityPreset`, `cas.podAntiAffinityPreset`, and `cas.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param cas.nodeSelector Node labels for cas pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param cas.tolerations Tolerations for cas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## @param cas.updateStrategy.type cas deployment strategy type + updateStrategy: + ## Can be set to RollingUpdate or Recreate + type: RollingUpdate + ## @param cas.priorityClassName cas pods' priorityClassName + ## + priorityClassName: "" + ## @param cas.topologySpreadConstraints Topology Spread Constraints for cas pod assignment spread across your cluster among failure-domains + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param cas.schedulerName Name of the k8s scheduler (other than default) for cas pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param cas.terminationGracePeriodSeconds Seconds cas pods need to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param cas.lifecycleHooks for cas containers to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param cas.extraEnvVars Array with extra environment variables to add to cas containers + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param 
cas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for cas containers + ## + extraEnvVarsCM: "" + ## @param cas.extraEnvVarsSecret Name of existing Secret containing extra env vars for cas containers + ## + extraEnvVarsSecret: "" + ## @param cas.extraVolumes Optionally specify extra list of additional volumes for the cas pods + ## + extraVolumes: [] + ## @param cas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the cas containers + ## + extraVolumeMounts: [] + ## @param cas.sidecars Add additional sidecar containers to the cas pods + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## @param cas.initContainers Add additional init containers to the cas pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param cas.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param cas.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param cas.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `cas.pdb.minAvailable` and `cas.pdb.maxUnavailable` are empty. 
+ ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## Autoscaling configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/ + ## + autoscaling: + ## @param cas.autoscaling.vpa.enabled Enable VPA for cas pods + ## @param cas.autoscaling.vpa.annotations Annotations for VPA resource + ## @param cas.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + ## @param cas.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod + ## @param cas.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod + ## + vpa: + enabled: false + annotations: {} + controlledResources: [] + maxAllowed: {} + minAllowed: {} + ## @param cas.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy + ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod + ## Possible values are "Off", "Initial", "Recreate", and "Auto". + ## + updatePolicy: + updateMode: Auto + ## @param cas.autoscaling.hpa.enabled Enable HPA for cas pods + ## @param cas.autoscaling.hpa.minReplicas Minimum number of replicas + ## @param cas.autoscaling.hpa.maxReplicas Maximum number of replicas + ## @param cas.autoscaling.hpa.targetCPU Target CPU utilization percentage + ## @param cas.autoscaling.hpa.targetMemory Target Memory utilization percentage + ## + hpa: + enabled: false + minReplicas: "" + maxReplicas: "" + targetCPU: "" + targetMemory: "" + + ## @section Dependencies # ################################## # # Dependencies # 
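Review bot: The `cas.resourcesPreset` documentation at the top of this hunk is copied from a volume-permissions init container: it says `Set init container resources` and `This is ignored if volumePermissions.resources is set`, while the key is the CAS container preset and the sibling that overrides it is `cas.resources` (whose own description says "Set cas container requests and limits"). The allowed-values list also omits `micro`, which is the default chosen on the next line. Suggested replacement: `## @param cas.resourcesPreset Set cas container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if cas.resources is set (cas.resources is recommended for production).`, with the header comment above it changed to `## CAS container's resource requests and limits`. Separately, the three-line `## Node cas.affinity preset` comment block appears twice in a row before `nodeAffinityPreset:`; one copy can go.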
@@ -895,46 +1488,3 @@ vault: - name: VAULT_DEV_LISTEN_ADDRESS value: "[::]:8200" config: "storage \"inmem\" {}\ndisable_mlock = true\nui = true\nservice_registration \"kubernetes\" {}" - -# Dex server running in development mode --set development=true -# IMPORTANT: This is not meant to run in production -## @param dex.config.issuer The issuer URL of the Identity provider (IDp) -## @param dex.config.storage.type Storage type for the dex server -## @param dex.config.web.http HTTP address for the dex server -## @param dex.config.staticClients[0].id Client ID for the static client -## @param dex.config.staticClients[0].redirectURIs Redirect URIs for the static client -## @param dex.config.staticClients[0].name Name for the static client -## @param dex.config.staticClients[0].secret Secret for the static client -## @param dex.config.enablePasswordDB Enable static passwords -## @param dex.config.staticPasswords[0].email Email for the static password -## @param dex.config.staticPasswords[0].hash Hash for the static password -## @param dex.config.staticPasswords[1].email Email for the static password -## @param dex.config.staticPasswords[1].hash Hash for the static password -dex: - config: - issuer: http://chainloop-dex:5556/dex - - storage: - type: memory - - web: - http: 0.0.0.0:5556 - - staticClients: - - id: chainloop-dev - redirectURIs: - - "http://0.0.0.0:8000/auth/callback" - - "http://localhost:8000/auth/callback" - name: "Chainloop Dev" - secret: ZXhhbXBsZS1hcHAtc2VjcmV0 - - # required to enable static passwords - enablePasswordDB: true - - staticPasswords: - - email: "john@chainloop.local" - # password: "password" - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" - - email: "sarah@chainloop.local" - # password: "password" - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" \ No newline at end of file From 1bc19ce3582f7f9b362e00046bb2b5c67839f3a6 Mon Sep 17 00:00:00 2001 
From: Javier Rodriguez Date: Mon, 5 Aug 2024 12:41:01 +0200 Subject: [PATCH 19/37] Fix linter Signed-off-by: Javier Rodriguez --- bitnami/chainloop/Chart.lock | 6 +++--- bitnami/chainloop/Chart.yaml | 2 +- bitnami/chainloop/README.md | 2 +- bitnami/chainloop/charts/dex/Chart.yaml | 2 +- bitnami/chainloop/charts/dex/values.yaml | 3 +++ bitnami/chainloop/values.yaml | 2 +- 6 files changed, 10 insertions(+), 7 deletions(-) diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock index edac71a2ada65f..3ce7ee8d8ba942 100644 --- a/bitnami/chainloop/Chart.lock +++ b/bitnami/chainloop/Chart.lock @@ -10,6 +10,6 @@ dependencies: version: 1.4.16 - name: dex repository: file://charts/dex - version: 0.0.1 -digest: sha256:856d6ca9a125209c6aeb718bdbaa14d61eb542d009d1b7e6f004d5d5d2efd898 -generated: "2024-08-02T13:56:45.701274+02:00" + version: 0.0.2 +digest: sha256:186b6a8e2395bc52b78f521048030c77df132274848d321b60991c8fee3e575a +generated: "2024-08-05T12:32:20.172363+02:00" diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml index 1630cc21f432ac..8dd2f9dbe300e6 100644 --- a/bitnami/chainloop/Chart.yaml +++ b/bitnami/chainloop/Chart.yaml @@ -28,7 +28,7 @@ dependencies: - condition: development repository: file://charts/dex name: dex - version: 0.0.1 + version: 0.0.2 annotations: images: | diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 8e15423d37271e..98bd47fb7b1100 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md @@ -159,7 +159,7 @@ username: john@chainloop.local password: password ``` -The overall OIDC configuration can be found at [dex-values.yaml](./charts/dex/values.yaml) +The overall OIDC configuration can be found at `charts/dex/values.yaml`. > **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead. 
diff --git a/bitnami/chainloop/charts/dex/Chart.yaml b/bitnami/chainloop/charts/dex/Chart.yaml index 7cce4b32e58747..fe2ef23579eaf6 100644 --- a/bitnami/chainloop/charts/dex/Chart.yaml +++ b/bitnami/chainloop/charts/dex/Chart.yaml @@ -7,7 +7,7 @@ description: Dex is an identity service that uses OpenID Connect to drive authen type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 0.0.1 +version: 0.0.2 # Do not update appVersion, this is handled automatically by the release process appVersion: v0.0.1 diff --git a/bitnami/chainloop/charts/dex/values.yaml b/bitnami/chainloop/charts/dex/values.yaml index 5cce405837c1fb..2bff693aaab379 100644 --- a/bitnami/chainloop/charts/dex/values.yaml +++ b/bitnami/chainloop/charts/dex/values.yaml @@ -1,3 +1,6 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + ## @section Common parameters ## ## @param kubeVersion Override Kubernetes version diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 50ff3384ceadd0..b9b48393498c1f 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -1,4 +1,4 @@ -# Copyright Broadcom Inc. All Rights Reserved. +# Copyright Broadcom, Inc. All Rights Reserved. # SPDX-License-Identifier: APACHE-2.0 ## Default values for Chainloop Helm Chart From 06edb70fcbeeea38365e24d3e68f34d5202fb32f Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Mon, 5 Aug 2024 12:45:27 +0200 Subject: [PATCH 20/37] Fix README and values.yaml Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 14 +++++--------- bitnami/chainloop/charts/dex/README.md | 2 ++ bitnami/chainloop/values.yaml | 2 -- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 98bd47fb7b1100..24eed4024fa5a4 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
@@ -151,6 +151,7 @@ The Helm Chart in this mode includes - **A pre-configured Dex OIDC instance.** The pre-setup users configuration on the Chart include two users, the information is as follows: + ```text username: sarah@chainloop.local password: password @@ -774,17 +775,12 @@ chainloop config save \ ### CAS Misc -| Name | Description | Value | -| ------------------------ | -------------------------------------- | ------------ | -| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | -| `cas.sentry.dsn` | DSN endpoint | `""` | -| `cas.sentry.environment` | Environment tag | `production` | -| `cas.customCAs` | List of custom CA certificates content | `[]` | - -### CAS Misc - | Name | Description | Value | | ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `cas.sentry.enabled` | Enable sentry.io alerting | `false` | +| `cas.sentry.dsn` | DSN endpoint | `""` | +| `cas.sentry.environment` | Environment tag | `production` | +| `cas.customCAs` | List of custom CA certificates content | `[]` | | `cas.resourcesPreset` | Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `micro` | | `cas.resources` | Set cas container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `cas.podSecurityContext.enabled` | Enable cas pods' Security Context | `true` | diff --git a/bitnami/chainloop/charts/dex/README.md b/bitnami/chainloop/charts/dex/README.md index 15a096978f42b1..c0759bbc879352 100644 --- a/bitnami/chainloop/charts/dex/README.md 
+++ b/bitnami/chainloop/charts/dex/README.md @@ -1,4 +1,6 @@ + # Dex Helm Chart + Helper Dex Helm Chart to deploy Chainloop on Kubernetes using the development mode. ## Parameters diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index b9b48393498c1f..16ec969d26d708 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -1211,8 +1211,6 @@ cas: ## @param cas.customCAs List of custom CA certificates content customCAs: [] - ## @section CAS Misc - ## Init container's resource requests and limits ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param cas.resourcesPreset Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). From af4b080fa8efdf9d0ea0e4a39954c50244e5b5f1 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Mon, 5 Aug 2024 16:31:16 +0200 Subject: [PATCH 21/37] Remove dex subchart and push it one level up 
Signed-off-by: Javier Rodriguez --- bitnami/chainloop/Chart.lock | 7 +- bitnami/chainloop/Chart.yaml | 6 +- bitnami/chainloop/README.md | 166 ++++- bitnami/chainloop/charts/dex/Chart.lock | 6 - bitnami/chainloop/charts/dex/Chart.yaml | 24 - bitnami/chainloop/charts/dex/README.md | 145 ----- bitnami/chainloop/charts/dex/values.yaml | 577 ------------------ .../templates => templates/dex}/_helpers.tpl | 4 +- .../dex}/deployment.yaml | 2 + .../dex}/metrics-svc.yaml | 2 +- .../dex/templates => templates/dex}/pdb.yaml | 2 +- .../dex/templates => templates/dex}/role.yaml | 2 +- .../dex}/rolebinding.yaml | 2 +- .../templates => templates/dex}/secret.yaml | 8 +- .../dex}/service-account.yaml | 2 +- .../templates => templates/dex}/service.yaml | 4 +- .../dex}/servicemonitor.yaml | 2 +- bitnami/chainloop/values.yaml | 558 +++++++++++++++++ 18 files changed, 728 insertions(+), 791 deletions(-) delete mode 100644 bitnami/chainloop/charts/dex/Chart.lock delete mode 100644 bitnami/chainloop/charts/dex/Chart.yaml delete mode 100644 bitnami/chainloop/charts/dex/README.md delete mode 100644 bitnami/chainloop/charts/dex/values.yaml rename bitnami/chainloop/{charts/dex/templates => templates/dex}/_helpers.tpl (81%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/deployment.yaml (99%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/metrics-svc.yaml (98%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/pdb.yaml (95%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/role.yaml (94%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/rolebinding.yaml (92%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/secret.yaml (78%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/service-account.yaml (94%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/service.yaml (97%) rename bitnami/chainloop/{charts/dex/templates => templates/dex}/servicemonitor.yaml (95%) 
diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock index 3ce7ee8d8ba942..194257b4f83733 100644 --- a/bitnami/chainloop/Chart.lock +++ b/bitnami/chainloop/Chart.lock @@ -8,8 +8,5 @@ dependencies: - name: vault repository: https://charts.bitnami.com/bitnami version: 1.4.16 -- name: dex - repository: file://charts/dex - version: 0.0.2 -digest: sha256:186b6a8e2395bc52b78f521048030c77df132274848d321b60991c8fee3e575a -generated: "2024-08-05T12:32:20.172363+02:00" +digest: sha256:75494ecf8834d4799490dd6879e073bcf1228967025d7f93abe08d3458f11859 +generated: "2024-08-05T16:18:36.486565+02:00" diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml index 8dd2f9dbe300e6..8e6d0cadffc194 100644 --- a/bitnami/chainloop/Chart.yaml +++ b/bitnami/chainloop/Chart.yaml @@ -25,10 +25,6 @@ dependencies: name: vault repository: https://charts.bitnami.com/bitnami version: 1.4.x - - condition: development - repository: file://charts/dex - name: dex - version: 0.0.2 annotations: images: | @@ -38,3 +34,5 @@ annotations: name: control-plane - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.95.3 name: control-plane-migrations + - image: docker.io/bitnami/dex:2.40.0-debian-12-r1 + name: dex diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 24eed4024fa5a4..140506d4346ca0 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
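Review bot: Dropping the `condition: development` entry from the `dependencies` list in `Chart.yaml` removes the only gate visible here that kept the development-mode Dex (static users and a static client secret) out of non-development installs. The templates moved to `templates/dex/` must now carry that guard themselves, e.g. each starting with `{{- if .Values.development }}` and ending with `{{- end }}`; the diffstat shows `templates/dex/deployment.yaml` gaining two lines, which may be exactly that, but the other renamed templates (service, secret, role, rolebinding, pdb, service-account, metrics-svc, servicemonitor) show only one-line changes and I cannot confirm they are gated from this chunk. Worth verifying with `helm template` that no `dex` objects render when `development` is unset.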
@@ -487,12 +487,14 @@ chainloop config save \ ### Common parameters -| Name | Description | Value | -| ------------------- | ------------------------------------------------- | ----- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | -| `commonLabels` | Labels to add to all deployed objects | `{}` | -| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| Name | Description | Value | +| ------------------- | -------------------------------------------------- | ------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | ### Secrets Backend 
@@ -840,23 +842,147 @@ chainloop config save \ ### Dependencies -| Name | Description | Value | -| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` | -| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | -| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | -| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | -| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} +| Name | Description | Value | +| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. 
Otherwise, remote access will be blocked for this user | `false` | +| `postgresql.auth.username` | Name for a custom user to create | `chainloop` | +| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` | +| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` | +| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {} disable_mlock = true ui = true service_registration "kubernetes" {}` | -| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | -| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | -| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | -| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | +| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` | +| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` | +| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` | +| `vault.server.extraEnvVars[1].value` | The address to listen on. 
Default: [::]:8200 | `[::]:8200` | +| `dex.image.registry` | Dex image registry | `REGISTRY_NAME` | +| `dex.image.repository` | Dex image repository | `REPOSITORY_NAME/dex` | +| `dex.image.pullPolicy` | Dex image pull policy | `IfNotPresent` | +| `dex.image.pullSecrets` | Dex image pull secrets | `[]` | +| `dex.image.debug` | Enable Dex image debug mode | `false` | +| `dex.replicaCount` | Number of Dex replicas to deploy | `1` | +| `dex.startupProbe.enabled` | Enable startupProbe on Dex nodes | `true` | +| `dex.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `dex.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `dex.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `dex.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` | +| `dex.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `dex.livenessProbe.enabled` | Enable livenessProbe on Dex nodes | `true` | +| `dex.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `dex.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `dex.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `dex.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `dex.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `dex.readinessProbe.enabled` | Enable readinessProbe on Dex nodes | `true` | +| `dex.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | +| `dex.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `dex.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `dex.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `dex.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `dex.customStartupProbe` | Custom 
startupProbe that overrides the default one | `{}` | +| `dex.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `dex.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `dex.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). | `nano` | +| `dex.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `dex.podSecurityContext.enabled` | Enabled Dex pods' Security Context | `true` | +| `dex.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `dex.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `dex.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `dex.podSecurityContext.fsGroup` | Set Dex pod's Security Context fsGroup | `1001` | +| `dex.containerSecurityContext.enabled` | Enabled Dex containers' Security Context | `true` | +| `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `dex.containerSecurityContext.runAsUser` | Set Dex containers' Security Context runAsUser | `1001` | +| `dex.containerSecurityContext.runAsGroup` | Set Dex containers' Security Context runAsGroup | `1001` | +| `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` | +| `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `true` | +| `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` | +| `dex.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be 
dropped | `["ALL"]` | +| `dex.containerSecurityContext.privileged` | Set dex container's Security Context privileged | `false` | +| `dex.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `dex.service.type` | Dex service type | `ClusterIP` | +| `dex.service.ports.http` | Dex HTTP service port | `5556` | +| `dex.service.ports.grpc` | Dex grpc service port | `5557` | +| `dex.service.nodePorts.http` | HTTP node port for the Dex service | `""` | +| `dex.service.nodePorts.grpc` | gRPC node port for the Dex service | `""` | +| `dex.service.clusterIP` | Dex service Cluster IP | `""` | +| `dex.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | +| `dex.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | +| `dex.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | +| `dex.service.annotations` | Additional custom annotations for Dex service | `{}` | +| `dex.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `dex.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `dex.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `dex.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `dex.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `dex.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `dex.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | +| `dex.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `dex.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | +| `dex.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `dex.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `dex.containerPorts.http` | Dex container HTTP port | `5556` | +| `dex.containerPorts.grpc` | Dex gRPC port | `5557` | +| `dex.containerPorts.metrics` | Dex metrics port | `5558` | +| `dex.metrics.enabled` | Enable metrics service for Dex | `false` | +| `dex.metrics.service.type` | Dex service type | `ClusterIP` | +| `dex.metrics.service.ports.metrics` | Dex metrics service port | `5558` | +| `dex.metrics.service.nodePorts.metrics` | Node port for the Dex service | `""` | +| `dex.metrics.service.clusterIP` | Dex service metrics service Cluster IP | `""` | +| `dex.metrics.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | +| `dex.metrics.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | +| `dex.metrics.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | +| `dex.metrics.service.annotations` | Additional custom annotations for Dex service | `{}` | +| `dex.metrics.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `dex.metrics.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `dex.metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `dex.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| 
`dex.metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `dex.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `dex.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `10s` | +| `dex.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `dex.metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `dex.metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `dex.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `dex.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Dex | `true` | +| `dex.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `dex.serviceAccount.automountServiceAccountToken` | Automount service account token for the Dex service account | `false` | +| `dex.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `dex.command` | Override default container command (useful when using custom images) | `[]` | +| `dex.args` | Override default container args (useful when using custom images) | `[]` | +| `dex.extraArgs` | Add extra args to the default args for Dex | `[]` | +| `dex.automountServiceAccountToken` | Mount Service Account token in pod | `true` | +| `dex.hostAliases` | Dex pods host aliases | `[]` | +| `dex.podLabels` | Extra labels for Dex pods | `{}` | +| `dex.podAnnotations` | Annotations for Dex pods | `{}` | +| `dex.podAffinityPreset` | Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dex.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `dex.affinity` is set. 
Allowed values: `soft` or `hard` | `soft` | +| `dex.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `dex.nodeAffinityPreset.key` | Node label key to match. Ignored if `dex.affinity` is set | `""` | +| `dex.nodeAffinityPreset.values` | Node label values to match. Ignored if `dex.affinity` is set | `[]` | +| `dex.affinity` | Affinity for Dex pods assignment | `{}` | +| `dex.nodeSelector` | Node labels for Dex pods assignment | `{}` | +| `dex.tolerations` | Tolerations for Dex pods assignment | `[]` | +| `dex.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `dex.shareProcessNamespace` | Enable shared process namespace in a pod. | `false` | +| `dex.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `dex.updateStrategy.type` | Dex statefulset strategy type | `RollingUpdate` | +| `dex.priorityClassName` | Dex pods' priorityClassName | `""` | +| `dex.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `dex.lifecycleHooks` | for the Dex container(s) to automate configuration before or after startup | `{}` | +| `dex.extraEnvVars` | Array with extra environment variables to add to Dex nodes | `[]` | +| `dex.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Dex nodes | `""` | +| `dex.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Dex nodes | `""` | +| `dex.extraVolumes` | Optionally specify extra list of additional volumes for the Dex pod(s) | `[]` | +| `dex.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Dex container(s) | `[]` | +| `dex.sidecars` | Add additional sidecar containers to the Dex pod(s) | `[]` | +| `dex.initContainers` | Add additional init containers to the Dex pod(s) | `[]` | +| `dex.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `dex.pdb.minAvailable` | Minimum 
number/percentage of pods that should remain scheduled | `""` | +| `dex.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. | `""` | ## License diff --git a/bitnami/chainloop/charts/dex/Chart.lock b/bitnami/chainloop/charts/dex/Chart.lock deleted file mode 100644 index 84ec4027c190fd..00000000000000 --- a/bitnami/chainloop/charts/dex/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: https://charts.bitnami.com/bitnami - version: 2.20.5 -digest: sha256:d887f4d52c98e9524f9eb8be04f987acc240288a9c1cf2653cc1b7c221230ee7 -generated: "2024-08-02T13:53:43.065552+02:00" diff --git a/bitnami/chainloop/charts/dex/Chart.yaml b/bitnami/chainloop/charts/dex/Chart.yaml deleted file mode 100644 index fe2ef23579eaf6..00000000000000 --- a/bitnami/chainloop/charts/dex/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -apiVersion: v2 -name: dex -description: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. - -type: application -# Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 0.0.2 -# Do not update appVersion, this is handled automatically by the release process -appVersion: v0.0.1 - -dependencies: - - name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: 2.x.x - -annotations: - images: | - - image: docker.io/bitnami/dex:2.40.0-debian-12-r1 - name: dex \ No newline at end of file diff --git a/bitnami/chainloop/charts/dex/README.md b/bitnami/chainloop/charts/dex/README.md deleted file mode 100644 index c0759bbc879352..00000000000000 --- a/bitnami/chainloop/charts/dex/README.md +++ /dev/null 
@@ -1,145 +0,0 @@ - -# Dex Helm Chart - -Helper Dex Helm Chart to deploy Chainloop on Kubernetes using the development mode. - -## Parameters - -### Common parameters - -| Name | Description | Value | -| ------------------- | ------------------------------------------ | ----- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | -| `commonLabels` | Labels to add to all deployed objects | `{}` | - -### Secrets Backend - -| Name | Description | Value | -| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | -| `rbac.create` | Specifies whether RBAC resources should be created | `false` | -| `rbac.rules` | Custom RBAC rules to set | `[]` | -| `dex.image.registry` | Dex image registry | `REGISTRY_NAME` | -| `dex.image.repository` | Dex image repository | `REPOSITORY_NAME/dex` | -| `dex.image.pullPolicy` | Dex image pull policy | `IfNotPresent` | -| `dex.image.pullSecrets` | Dex image pull secrets | `[]` | -| `dex.image.debug` | Enable Dex image debug mode | `false` | -| `dex.replicaCount` | Number of Dex replicas to deploy | `1` | -| `dex.startupProbe.enabled` | Enable startupProbe on Dex nodes | `true` | -| `dex.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `dex.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `dex.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `dex.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` | -| `dex.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `dex.livenessProbe.enabled` | Enable livenessProbe on Dex nodes | `true` | -| `dex.livenessProbe.initialDelaySeconds` | Initial 
delay seconds for livenessProbe | `10` | -| `dex.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `dex.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `dex.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `dex.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `dex.readinessProbe.enabled` | Enable readinessProbe on Dex nodes | `true` | -| `dex.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | -| `dex.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `dex.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `dex.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `dex.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `dex.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `dex.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `dex.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `dex.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). 
| `nano` | -| `dex.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `dex.podSecurityContext.enabled` | Enabled Dex pods' Security Context | `true` | -| `dex.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `dex.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `dex.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `dex.podSecurityContext.fsGroup` | Set Dex pod's Security Context fsGroup | `1001` | -| `dex.containerSecurityContext.enabled` | Enabled Dex containers' Security Context | `true` | -| `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `dex.containerSecurityContext.runAsUser` | Set Dex containers' Security Context runAsUser | `1001` | -| `dex.containerSecurityContext.runAsGroup` | Set Dex containers' Security Context runAsGroup | `1001` | -| `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` | -| `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `true` | -| `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` | -| `dex.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` | -| `dex.containerSecurityContext.privileged` | Set dex container's Security Context privileged | `false` | -| `dex.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `dex.service.type` | Dex service type | `ClusterIP` | -| `dex.service.ports.http` | Dex HTTP service port | `5556` | -| `dex.service.ports.grpc` | Dex grpc service port | `5557` | -| `dex.service.nodePorts.http` | HTTP node port 
for the Dex service | `""` | -| `dex.service.nodePorts.grpc` | gRPC node port for the Dex service | `""` | -| `dex.service.clusterIP` | Dex service Cluster IP | `""` | -| `dex.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | -| `dex.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | -| `dex.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | -| `dex.service.annotations` | Additional custom annotations for Dex service | `{}` | -| `dex.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `dex.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `dex.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `dex.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `dex.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `dex.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `dex.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | -| `dex.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `dex.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | -| `dex.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `dex.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | -| `dex.containerPorts.http` | Dex container HTTP port | `5556` | -| `dex.containerPorts.grpc` | Dex gRPC port | `5557` | -| `dex.containerPorts.metrics` | Dex metrics port | `5558` | -| `dex.metrics.enabled` | Enable metrics service for Dex | `false` | -| `dex.metrics.service.type` | Dex service type | `ClusterIP` | -| `dex.metrics.service.ports.metrics` | Dex metrics service port | `5558` | -| `dex.metrics.service.nodePorts.metrics` | Node port for the Dex service | `""` | -| `dex.metrics.service.clusterIP` | Dex service metrics service Cluster IP | `""` | -| `dex.metrics.service.loadBalancerIP` | Dex service Load Balancer IP | `""` | -| `dex.metrics.service.loadBalancerSourceRanges` | Dex service Load Balancer sources | `[]` | -| `dex.metrics.service.externalTrafficPolicy` | Dex service external traffic policy | `Cluster` | -| `dex.metrics.service.annotations` | Additional custom annotations for Dex service | `{}` | -| `dex.metrics.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `dex.metrics.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `dex.metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | -| `dex.metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | -| 
`dex.metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | -| `dex.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | -| `dex.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `10s` | -| `dex.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `dex.metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `dex.metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | -| `dex.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | -| `dex.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Dex | `true` | -| `dex.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `dex.serviceAccount.automountServiceAccountToken` | Automount service account token for the Dex service account | `false` | -| `dex.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | -| `dex.command` | Override default container command (useful when using custom images) | `[]` | -| `dex.args` | Override default container args (useful when using custom images) | `[]` | -| `dex.extraArgs` | Add extra args to the default args for Dex | `[]` | -| `dex.automountServiceAccountToken` | Mount Service Account token in pod | `true` | -| `dex.hostAliases` | Dex pods host aliases | `[]` | -| `dex.podLabels` | Extra labels for Dex pods | `{}` | -| `dex.podAnnotations` | Annotations for Dex pods | `{}` | -| `dex.podAffinityPreset` | Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `dex.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `dex.affinity` is set. 
Allowed values: `soft` or `hard` | `soft` | -| `dex.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `dex.nodeAffinityPreset.key` | Node label key to match. Ignored if `dex.affinity` is set | `""` | -| `dex.nodeAffinityPreset.values` | Node label values to match. Ignored if `dex.affinity` is set | `[]` | -| `dex.affinity` | Affinity for Dex pods assignment | `{}` | -| `dex.nodeSelector` | Node labels for Dex pods assignment | `{}` | -| `dex.tolerations` | Tolerations for Dex pods assignment | `[]` | -| `dex.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `dex.shareProcessNamespace` | Enable shared process namespace in a pod. | `false` | -| `dex.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `dex.updateStrategy.type` | Dex statefulset strategy type | `RollingUpdate` | -| `dex.priorityClassName` | Dex pods' priorityClassName | `""` | -| `dex.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | -| `dex.lifecycleHooks` | for the Dex container(s) to automate configuration before or after startup | `{}` | -| `dex.extraEnvVars` | Array with extra environment variables to add to Dex nodes | `[]` | -| `dex.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Dex nodes | `""` | -| `dex.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Dex nodes | `""` | -| `dex.extraVolumes` | Optionally specify extra list of additional volumes for the Dex pod(s) | `[]` | -| `dex.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Dex container(s) | `[]` | -| `dex.sidecars` | Add additional sidecar containers to the Dex pod(s) | `[]` | -| `dex.initContainers` | Add additional init containers to the Dex pod(s) | `[]` | -| `dex.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | -| `dex.pdb.minAvailable` | Minimum 
number/percentage of pods that should remain scheduled | `""` | -| `dex.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. | `""` | diff --git a/bitnami/chainloop/charts/dex/values.yaml b/bitnami/chainloop/charts/dex/values.yaml deleted file mode 100644 index 2bff693aaab379..00000000000000 --- a/bitnami/chainloop/charts/dex/values.yaml +++ /dev/null 
@@ -1,577 +0,0 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -## @section Common parameters -## -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" - -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} - -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} - -## @section Secrets Backend -## - -## RBAC configuration -## -rbac: - ## @param rbac.create Specifies whether RBAC resources should be created - ## - create: false - ## @param rbac.rules Custom RBAC rules to set - ## e.g: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] - -# IMPORTANT: This is not meant to run in production -# Dex server -## Dex configuration running in development mode --set development=true -## -dex: - ## Bitnami Dex image - ## ref: https://hub.docker.com/r/bitnami/argo-cd/tags/ - ## @skip dex.staticUsers[0].email - ## @skip dex.staticUsers[0].hash - ## @skip dex.staticUsers[1].email - ## @skip dex.staticUsers[1].hash - staticUsers: - - email: "john@chainloop.local" - # password: "password" - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" - - email: "sarah@chainloop.local" - # password: "password" - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" - ## @param dex.image.registry [default: REGISTRY_NAME] Dex image registry - ## @param dex.image.repository [default: REPOSITORY_NAME/dex] Dex image repository - ## @skip dex.image.tag Dex image tag (immutable tags are recommended) - ## @param dex.image.pullPolicy Dex image pull policy - ## @param dex.image.pullSecrets Dex image pull secrets - ## @param dex.image.debug Enable Dex image debug mode - ## - image: - registry: docker.io - repository: bitnami/dex - tag: 2.40.0-debian-12-r1 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - 
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Enable debug mode - ## - debug: false - ## @param dex.replicaCount Number of Dex replicas to deploy - ## - replicaCount: 1 - ## Configure extra options for Dex containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param dex.startupProbe.enabled Enable startupProbe on Dex nodes - ## @param dex.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param dex.startupProbe.periodSeconds Period seconds for startupProbe - ## @param dex.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param dex.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param dex.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: true - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 - ## @param dex.livenessProbe.enabled Enable livenessProbe on Dex nodes - ## @param dex.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param dex.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param dex.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param dex.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param dex.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 - ## @param 
dex.readinessProbe.enabled Enable readinessProbe on Dex nodes - ## @param dex.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param dex.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param dex.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param dex.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param dex.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 - ## @param dex.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param dex.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param dex.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## Dex resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param dex.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). 
- ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param dex.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## Configure Pods Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param dex.podSecurityContext.enabled Enabled Dex pods' Security Context - ## @param dex.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy - ## @param dex.podSecurityContext.sysctls Set kernel settings using the sysctl interface - ## @param dex.podSecurityContext.supplementalGroups Set filesystem extra groups - ## @param dex.podSecurityContext.fsGroup Set Dex pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param dex.containerSecurityContext.enabled Enabled Dex containers' Security Context - ## @param dex.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param dex.containerSecurityContext.runAsUser Set Dex containers' Security Context runAsUser - ## @param dex.containerSecurityContext.runAsGroup Set Dex containers' Security Context runAsGroup - ## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation - ## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem - ## @param 
dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot - ## @param dex.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped - ## @param dex.containerSecurityContext.privileged Set dex container's Security Context privileged - ## @param dex.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile - ## - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - privileged: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## Dex service parameters - ## - service: - ## @param dex.service.type Dex service type - ## - type: ClusterIP - ## @param dex.service.ports.http Dex HTTP service port - ## @param dex.service.ports.grpc Dex grpc service port - ## - ports: - http: 5556 - grpc: 5557 - ## Node ports to expose - ## @param dex.service.nodePorts.http HTTP node port for the Dex service - ## @param dex.service.nodePorts.grpc gRPC node port for the Dex service - ## NOTE: choose port between <30000-32767> - ## - nodePorts: - http: "" - grpc: "" - ## @param dex.service.clusterIP Dex service Cluster IP - ## e.g.: - ## clusterIP: None - ## - clusterIP: "" - ## @param dex.service.loadBalancerIP Dex service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer - ## - loadBalancerIP: "" - ## @param dex.service.loadBalancerSourceRanges Dex service Load Balancer sources - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param dex.service.externalTrafficPolicy Dex service external traffic policy - ## ref 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param dex.service.annotations Additional custom annotations for Dex service - ## - annotations: {} - ## @param dex.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param dex.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param dex.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - sessionAffinityConfig: {} - ## Network Policies - ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ - ## - networkPolicy: - ## @param dex.networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - ## @param dex.networkPolicy.allowExternal Don't require server label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## server label will have network access to the ports server is listening - ## on. When true, server will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param dex.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
- ## - allowExternalEgress: true - ## @param dex.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) - ## - kubeAPIServerPorts: [443, 6443, 8443] - ## @param dex.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - extraIngress: [] - ## @param dex.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param dex.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param dex.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} - ## Dex container ports - ## @param dex.containerPorts.http Dex container HTTP port - ## @param dex.containerPorts.grpc Dex gRPC port - ## @param dex.containerPorts.metrics Dex metrics port - ## - containerPorts: - http: 5556 - grpc: 5557 - metrics: 5558 - ## Metrics configuration for Dex - ## - metrics: - ## Enable metrics for Argo Dex - ## @param dex.metrics.enabled Enable metrics service for Dex - ## - enabled: false - service: - ## @param dex.metrics.service.type Dex service type - ## - type: ClusterIP - ## @param dex.metrics.service.ports.metrics Dex metrics service port - ## - ports: - metrics: 5558 - ## Node ports to expose - ## @param dex.metrics.service.nodePorts.metrics Node port for the Dex 
service - ## NOTE: choose port between <30000-32767> - ## - nodePorts: - metrics: "" - ## @param dex.metrics.service.clusterIP Dex service metrics service Cluster IP - ## e.g.: - ## clusterIP: None - ## - clusterIP: "" - ## @param dex.metrics.service.loadBalancerIP Dex service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer - ## - loadBalancerIP: "" - ## @param dex.metrics.service.loadBalancerSourceRanges Dex service Load Balancer sources - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param dex.metrics.service.externalTrafficPolicy Dex service external traffic policy - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param dex.metrics.service.annotations Additional custom annotations for Dex service - ## - annotations: {} - ## @param dex.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param dex.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - sessionAffinityConfig: {} - ## Dex metrics service monitor configuration - ## - serviceMonitor: - ## @param dex.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param dex.metrics.serviceMonitor.namespace Namespace which Prometheus is running in - ## e.g: - ## namespace: monitoring - ## - 
namespace: "" - ## @param dex.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. - ## - jobLabel: "" - ## @param dex.metrics.serviceMonitor.interval Interval at which metrics should be scraped - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - interval: 30s - ## @param dex.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - scrapeTimeout: 10s - ## @param dex.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## - relabelings: [] - ## @param dex.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## - metricRelabelings: [] - ## @param dex.metrics.serviceMonitor.selector ServiceMonitor selector labels - ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration - ## - ## selector: - ## prometheus: my-prometheus - ## - selector: {} - ## @param dex.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels - ## - honorLabels: false - ## ServiceAccount configuration for the Dex - ## - serviceAccount: - ## @param dex.serviceAccount.create Specifies whether a ServiceAccount should be created for Dex - ## - create: true - ## @param dex.serviceAccount.name The name of the ServiceAccount to use. 
- ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param dex.serviceAccount.automountServiceAccountToken Automount service account token for the Dex service account - ## - automountServiceAccountToken: false - ## @param dex.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. - ## - annotations: {} - ## @param dex.command Override default container command (useful when using custom images) - ## - command: [] - ## @param dex.args Override default container args (useful when using custom images) - ## - args: [] - ## @param dex.extraArgs Add extra args to the default args for Dex - ## - extraArgs: [] - ## @param dex.automountServiceAccountToken Mount Service Account token in pod - ## - automountServiceAccountToken: true - ## @param dex.hostAliases Dex pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param dex.podLabels Extra labels for Dex pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param dex.podAnnotations Annotations for Dex pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param dex.podAffinityPreset Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param dex.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `dex.affinity` is set. 
Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node dex.affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param dex.nodeAffinityPreset.type Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param dex.nodeAffinityPreset.key Node label key to match. Ignored if `dex.affinity` is set - ## - key: "" - ## @param dex.nodeAffinityPreset.values Node label values to match. Ignored if `dex.affinity` is set - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param dex.affinity Affinity for Dex pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## NOTE: `dex.podAffinityPreset`, `dex.podAntiAffinityPreset`, and `dex.nodeAffinityPreset` will be ignored when it's set - ## - affinity: {} - ## @param dex.nodeSelector Node labels for Dex pods assignment - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - ## - nodeSelector: {} - ## @param dex.tolerations Tolerations for Dex pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param dex.schedulerName Name of the k8s scheduler (other than default) - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param dex.shareProcessNamespace Enable shared process namespace in a pod. - ## If set to false (default), each container will run in separate namespace, dex will have PID=1. - ## If set to true, the /pause will run as init process and will reap any zombie PIDs, - ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. 
- ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ - ## - shareProcessNamespace: false - ## @param dex.topologySpreadConstraints Topology Spread Constraints for pod assignment - ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## The value is evaluated as a template - ## - topologySpreadConstraints: [] - ## @param dex.updateStrategy.type Dex statefulset strategy type - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete - ## - type: RollingUpdate - ## @param dex.priorityClassName Dex pods' priorityClassName - ## - priorityClassName: "" - ## @param dex.runtimeClassName Name of the runtime class to be used by pod(s) - ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ - ## - runtimeClassName: "" - ## @param dex.lifecycleHooks for the Dex container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param dex.extraEnvVars Array with extra environment variables to add to Dex nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param dex.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Dex nodes - ## - extraEnvVarsCM: "" - ## @param dex.extraEnvVarsSecret Name of existing Secret containing extra env vars for Dex nodes - ## - extraEnvVarsSecret: "" - ## @param dex.extraVolumes Optionally specify extra list of additional volumes for the Dex pod(s) - ## - extraVolumes: [] - ## @param dex.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Dex container(s) - ## - extraVolumeMounts: [] - ## @param dex.sidecars Add additional sidecar containers to the Dex pod(s) - ## e.g: - ## sidecars: - ## - name: 
your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param dex.initContainers Add additional init containers to the Dex pod(s) - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - ## e.g: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## command: ['sh', '-c', 'echo "hello world"'] - ## - initContainers: [] - ## Pod Disruption Budget configuration - ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb - ## @param dex.pdb.create Enable/disable a Pod Disruption Budget creation - ## @param dex.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## @param dex.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty. - ## - pdb: - create: true - minAvailable: "" - maxUnavailable: "" \ No newline at end of file diff --git a/bitnami/chainloop/charts/dex/templates/_helpers.tpl b/bitnami/chainloop/templates/dex/_helpers.tpl similarity index 81% rename from bitnami/chainloop/charts/dex/templates/_helpers.tpl rename to bitnami/chainloop/templates/dex/_helpers.tpl index 952f3087da58a6..fabd7db3f34cf6 100644 --- a/bitnami/chainloop/charts/dex/templates/_helpers.tpl +++ b/bitnami/chainloop/templates/dex/_helpers.tpl @@ -20,7 +20,7 @@ Return the proper Dex image name Return the proper service name for Dex */}} {{- define "chainloop.dex" -}} - {{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- printf "%s-dex" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} {{- end -}} {{/* 
@@ -28,7 +28,7 @@ Create the name of the service account to use for Dex */}} {{- define "chainloop.dex.serviceAccountName" -}} {{- if .Values.dex.serviceAccount.create -}} - {{ default (printf "%s" (include "common.names.fullname" .)) .Values.dex.serviceAccount.name | trunc 63 | trimSuffix "-" }} + {{ default (printf "%s-dex" (include "common.names.fullname" .)) .Values.dex.serviceAccount.name | trunc 63 | trimSuffix "-" }} {{- else -}} {{ default "default" .Values.dex.serviceAccount.name }} {{- end -}} diff --git a/bitnami/chainloop/charts/dex/templates/deployment.yaml b/bitnami/chainloop/templates/dex/deployment.yaml similarity index 99% rename from bitnami/chainloop/charts/dex/templates/deployment.yaml rename to bitnami/chainloop/templates/dex/deployment.yaml index bcce5e9a1d05b2..f5fc78f2df0ed3 100644 --- a/bitnami/chainloop/charts/dex/templates/deployment.yaml +++ b/bitnami/chainloop/templates/dex/deployment.yaml @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} +{{- if .Values.development }} apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: @@ -191,3 +192,4 @@ spec: {{- if .Values.dex.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumes "context" $) | nindent 8 }} {{- end }} +{{- end }} diff --git a/bitnami/chainloop/charts/dex/templates/metrics-svc.yaml b/bitnami/chainloop/templates/dex/metrics-svc.yaml similarity index 98% rename from bitnami/chainloop/charts/dex/templates/metrics-svc.yaml rename to bitnami/chainloop/templates/dex/metrics-svc.yaml index 0761c4ba8ed697..75ddd1101bd9e4 100644 --- a/bitnami/chainloop/charts/dex/templates/metrics-svc.yaml +++ b/bitnami/chainloop/templates/dex/metrics-svc.yaml 
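Review bot: The new `{{- if .Values.development }}` gate at the top of the deployment (closed by the `{{- end }}` added in the second hunk) keys every Dex resource on a `development` value that none of the values.yaml hunks in this patch declare with an `## @param` entry; the only mention is the `--set development=true` comment above the new `dex:` block. Unless it is declared elsewhere in values.yaml, add `## @param development Render the development-only Dex resources (not for production)` with a `development: false` default so the flag is documented and the README generator picks it up. The same gate is added in metrics-svc.yaml, pdb.yaml, role.yaml, rolebinding.yaml, secret.yaml, service-account.yaml, service.yaml and servicemonitor.yaml; most fold it into the existing condition as `and .Values.development .Values.dex.X`, while deployment.yaml, secret.yaml and service.yaml wrap the whole file, which works but is worth keeping to one style. The deployment body between the two hunks is outside the patch.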
@@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.dex.metrics.enabled }} +{{- if and .Values.development .Values.dex.metrics.enabled }} apiVersion: v1 kind: Service metadata: diff --git a/bitnami/chainloop/charts/dex/templates/pdb.yaml b/bitnami/chainloop/templates/dex/pdb.yaml similarity index 95% rename from bitnami/chainloop/charts/dex/templates/pdb.yaml rename to bitnami/chainloop/templates/dex/pdb.yaml index 556c5b3bbdbdb5..37ac53fee2c1c5 100644 --- a/bitnami/chainloop/charts/dex/templates/pdb.yaml +++ b/bitnami/chainloop/templates/dex/pdb.yaml @@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.dex.pdb.create }} +{{- if and .Values.development .Values.dex.pdb.create }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: diff --git a/bitnami/chainloop/charts/dex/templates/role.yaml b/bitnami/chainloop/templates/dex/role.yaml similarity index 94% rename from bitnami/chainloop/charts/dex/templates/role.yaml rename to bitnami/chainloop/templates/dex/role.yaml index 69719361610047..5011e79ffa7a61 100644 --- a/bitnami/chainloop/charts/dex/templates/role.yaml +++ b/bitnami/chainloop/templates/dex/role.yaml @@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.rbac.create }} +{{- if and .Values.development .Values.rbac.create }} kind: Role apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} metadata: diff --git a/bitnami/chainloop/charts/dex/templates/rolebinding.yaml b/bitnami/chainloop/templates/dex/rolebinding.yaml similarity index 92% rename from bitnami/chainloop/charts/dex/templates/rolebinding.yaml rename to bitnami/chainloop/templates/dex/rolebinding.yaml index 8c4f874ebce0fc..48a11198c867aa 100644 --- a/bitnami/chainloop/charts/dex/templates/rolebinding.yaml 
+++ b/bitnami/chainloop/templates/dex/rolebinding.yaml @@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.dex.serviceAccount.create .Values.rbac.create }} +{{- if and .Values.development .Values.dex.serviceAccount.create .Values.rbac.create }} kind: RoleBinding apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} metadata: diff --git a/bitnami/chainloop/charts/dex/templates/secret.yaml b/bitnami/chainloop/templates/dex/secret.yaml similarity index 78% rename from bitnami/chainloop/charts/dex/templates/secret.yaml rename to bitnami/chainloop/templates/dex/secret.yaml index d473b9869aca72..2d011790c8a928 100644 --- a/bitnami/chainloop/charts/dex/templates/secret.yaml +++ b/bitnami/chainloop/templates/dex/secret.yaml @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} +{{- if .Values.development }} apiVersion: v1 kind: Secret metadata: @@ -16,7 +17,7 @@ metadata: type: Opaque stringData: config.yaml: | - issuer: http://chainloop-dex:5556/dex + issuer: http://{{ include "chainloop.dex" . }}:5556/dex storage: type: memory @@ -31,8 +32,13 @@ stringData: redirectURIs: - "http://0.0.0.0:8000/auth/callback" - "http://localhost:8000/auth/callback" + {{ $controlPlaneUrl := include "chainloop.controlplane.external_url" . }} + {{- if not (eq $controlPlaneUrl "null") -}} + - "{{ $controlPlaneUrl }}/auth/callback" + {{- end -}} # required to enable static passwords enablePasswordDB: true staticPasswords: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.staticUsers "context" $ ) | nindent 6 }} +{{- end }} diff --git a/bitnami/chainloop/charts/dex/templates/service-account.yaml b/bitnami/chainloop/templates/dex/service-account.yaml similarity index 94% rename from bitnami/chainloop/charts/dex/templates/service-account.yaml rename to bitnami/chainloop/templates/dex/service-account.yaml index 4314ce4b0e9139..0d5cfa5bfa955b 100644 
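Review bot: The new `issuer:` line hard-codes `:5556` while `dex.service.ports.http` is introduced as a configurable value in the same patch (default 5556), so changing the service port silently breaks the OIDC issuer URL that relying parties validate; use `issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.service.ports.http }}/dex`. In the redirectURIs hunk the `{{- end -}}` right-hand trim eats the newline before `# required to enable static passwords`, so when the control-plane URL is set the comment is appended to the new callback entry inside the `config.yaml: |` block scalar; left-trim only, i.e. `{{- $controlPlaneUrl := include "chainloop.controlplane.external_url" . }}`, `{{- if not (eq $controlPlaneUrl "null") }}` and `{{- end }}`, keeps one entry per line — confirm with `helm template` and a non-null external URL. The comparison against the literal string `"null"` also assumes `chainloop.controlplane.external_url` returns exactly that when unset; that helper is defined outside this patch.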
--- a/bitnami/chainloop/charts/dex/templates/service-account.yaml +++ b/bitnami/chainloop/templates/dex/service-account.yaml @@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.dex.serviceAccount.create -}} +{{- if and .Values.development .Values.dex.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/bitnami/chainloop/charts/dex/templates/service.yaml b/bitnami/chainloop/templates/dex/service.yaml similarity index 97% rename from bitnami/chainloop/charts/dex/templates/service.yaml rename to bitnami/chainloop/templates/dex/service.yaml index 12ef2137cdecbe..c0e116e56473bb 100644 --- a/bitnami/chainloop/charts/dex/templates/service.yaml +++ b/bitnami/chainloop/templates/dex/service.yaml @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} +{{- if .Values.development }} apiVersion: v1 kind: Service metadata: @@ -60,4 +61,5 @@ spec: {{- end }} {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }} selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} - app.kubernetes.io/component: dex \ No newline at end of file + app.kubernetes.io/component: dex +{{- end }} diff --git a/bitnami/chainloop/charts/dex/templates/servicemonitor.yaml b/bitnami/chainloop/templates/dex/servicemonitor.yaml similarity index 95% rename from bitnami/chainloop/charts/dex/templates/servicemonitor.yaml rename to bitnami/chainloop/templates/dex/servicemonitor.yaml index ebe274a951d561..1bca7af9de213c 100644 --- a/bitnami/chainloop/charts/dex/templates/servicemonitor.yaml +++ b/bitnami/chainloop/templates/dex/servicemonitor.yaml 
@@ -3,7 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.dex.metrics.enabled .Values.dex.metrics.serviceMonitor.enabled }} +{{- if and .Values.development .Values.dex.metrics.enabled .Values.dex.metrics.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 16ec969d26d708..6fab3fdf67b86b 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -41,6 +41,25 @@ commonLabels: {} ## extraDeploy: [] +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + ## @section Secrets Backend ## 
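Review bot: The `## @param rbac.create` description says RBAC resources are created when it is set, but role.yaml and rolebinding.yaml in this patch only render them when `.Values.development` is also true, so the flag is a no-op in a normal deployment; say so in the description, e.g. `## @param rbac.create Specifies whether RBAC resources should be created (only rendered together with development=true)`. `rbac.rules` is documented as custom rules, but whether role.yaml consumes it is outside the visible hunks; if it is unused, drop it rather than advertise a parameter with no effect.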
@@ -1486,3 +1505,542 @@ vault: - name: VAULT_DEV_LISTEN_ADDRESS value: "[::]:8200" config: "storage \"inmem\" {}\ndisable_mlock = true\nui = true\nservice_registration \"kubernetes\" {}" + +# IMPORTANT: This is not meant to run in production +# Dex server +## Dex configuration running in development mode --set development=true +## +dex: + ## Bitnami Dex image + ## ref: https://hub.docker.com/r/bitnami/argo-cd/tags/ + ## @skip dex.staticUsers[0].email + ## @skip dex.staticUsers[0].hash + ## @skip dex.staticUsers[1].email + ## @skip dex.staticUsers[1].hash + staticUsers: + - email: "john@chainloop.local" + # password: "password" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + - email: "sarah@chainloop.local" + # password: "password" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + ## @param dex.image.registry [default: REGISTRY_NAME] Dex image registry + ## @param dex.image.repository [default: REPOSITORY_NAME/dex] Dex image repository + ## @skip dex.image.tag Dex image tag (immutable tags are recommended) + ## @param dex.image.pullPolicy Dex image pull policy + ## @param dex.image.pullSecrets Dex image pull secrets + ## @param dex.image.debug Enable Dex image debug mode + ## + image: + registry: docker.io + repository: bitnami/dex + tag: 2.40.0-debian-12-r1 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param dex.replicaCount Number of Dex replicas to deploy + ## + replicaCount: 1 + ## Configure extra options for Dex containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param dex.startupProbe.enabled Enable startupProbe on Dex nodes + ## @param dex.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param dex.startupProbe.periodSeconds Period seconds for startupProbe + ## @param dex.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param dex.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param dex.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.livenessProbe.enabled Enable livenessProbe on Dex nodes + ## @param dex.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param dex.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param dex.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param dex.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param dex.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.readinessProbe.enabled Enable readinessProbe on Dex nodes + ## @param dex.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param dex.readinessProbe.periodSeconds Period seconds for 
readinessProbe + ## @param dex.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param dex.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param dex.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param dex.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param dex.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param dex.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Dex resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param dex.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param dex.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.podSecurityContext.enabled Enabled Dex pods' Security Context + ## @param dex.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param dex.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param dex.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param dex.podSecurityContext.fsGroup Set Dex pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param dex.containerSecurityContext.enabled Enabled Dex containers' Security Context + ## @param dex.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param dex.containerSecurityContext.runAsUser Set Dex containers' Security Context runAsUser + ## @param dex.containerSecurityContext.runAsGroup Set Dex containers' Security Context runAsGroup + ## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation + ## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem + ## @param 
dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot + ## @param dex.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped + ## @param dex.containerSecurityContext.privileged Set dex container's Security Context privileged + ## @param dex.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Dex service parameters + ## + service: + ## @param dex.service.type Dex service type + ## + type: ClusterIP + ## @param dex.service.ports.http Dex HTTP service port + ## @param dex.service.ports.grpc Dex grpc service port + ## + ports: + http: 5556 + grpc: 5557 + ## Node ports to expose + ## @param dex.service.nodePorts.http HTTP node port for the Dex service + ## @param dex.service.nodePorts.grpc gRPC node port for the Dex service + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: "" + grpc: "" + ## @param dex.service.clusterIP Dex service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param dex.service.loadBalancerIP Dex service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param dex.service.loadBalancerSourceRanges Dex service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param dex.service.externalTrafficPolicy Dex service external traffic policy + ## ref 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param dex.service.annotations Additional custom annotations for Dex service + ## + annotations: {} + ## @param dex.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param dex.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param dex.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param dex.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param dex.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param dex.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ##
+ allowExternalEgress: true
+ ## @param dex.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param dex.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param dex.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param dex.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param dex.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+ ## Dex container ports
+ ## @param dex.containerPorts.http Dex container HTTP port
+ ## @param dex.containerPorts.grpc Dex gRPC port
+ ## @param dex.containerPorts.metrics Dex metrics port
+ ##
+ containerPorts:
+ http: 5556
+ grpc: 5557
+ metrics: 5558
+ ## Metrics configuration for Dex
+ ##
+ metrics:
+ ## Enable metrics for Argo Dex
+ ## @param dex.metrics.enabled Enable metrics service for Dex
+ ##
+ enabled: false
+ service:
+ ## @param dex.metrics.service.type Dex service type
+ ##
+ type: ClusterIP
+ ## @param dex.metrics.service.ports.metrics Dex metrics service port
+ ##
+ ports:
+ metrics: 5558
+ ## Node ports to expose
+ ## @param dex.metrics.service.nodePorts.metrics Node port for the Dex service
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ metrics: ""
+ ## @param dex.metrics.service.clusterIP Dex service metrics service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param dex.metrics.service.loadBalancerIP Dex service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param dex.metrics.service.loadBalancerSourceRanges Dex service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param dex.metrics.service.externalTrafficPolicy Dex service external traffic policy
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param dex.metrics.service.annotations Additional custom annotations for Dex service
+ ##
+ annotations: {}
+ ## @param dex.metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param dex.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ sessionAffinityConfig: {}
+ ## Dex metrics service monitor configuration
+ ##
+ serviceMonitor:
+ ## @param dex.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+ ## @param dex.metrics.serviceMonitor.namespace Namespace which Prometheus is running in
+ ## e.g:
+ ## namespace: monitoring
+ ##
+ namespace: ""
+ ## @param dex.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## @param dex.metrics.serviceMonitor.interval Interval at which metrics should be scraped
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: 30s
+ ## @param dex.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: 10s
+ ## @param dex.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ ## @param dex.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings: []
+ ## @param dex.metrics.serviceMonitor.selector ServiceMonitor selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ ## selector:
+ ## prometheus: my-prometheus
+ ##
+ selector: {}
+ ## @param dex.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
+ ##
+ honorLabels: false
+ ## ServiceAccount configuration for the Dex
+ ##
+ serviceAccount:
+ ## @param dex.serviceAccount.create Specifies whether a ServiceAccount should be created for Dex
+ ##
+ create: true
+ ## @param dex.serviceAccount.name The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param dex.serviceAccount.automountServiceAccountToken Automount service account token for the Dex service account
+ ##
+ automountServiceAccountToken: false
+ ## @param dex.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+ ##
+ annotations: {}
+ ## @param dex.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param dex.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param dex.extraArgs Add extra args to the default args for Dex
+ ##
+ extraArgs: []
+ ## @param dex.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
+ ## @param dex.hostAliases Dex pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param dex.podLabels Extra labels for Dex pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param dex.podAnnotations Annotations for Dex pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param dex.podAffinityPreset Pod affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param dex.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node dex.affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param dex.nodeAffinityPreset.type Node affinity preset type. Ignored if `dex.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param dex.nodeAffinityPreset.key Node label key to match. Ignored if `dex.affinity` is set
+ ##
+ key: ""
+ ## @param dex.nodeAffinityPreset.values Node label values to match. Ignored if `dex.affinity` is set
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param dex.affinity Affinity for Dex pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## NOTE: `dex.podAffinityPreset`, `dex.podAntiAffinityPreset`, and `dex.nodeAffinityPreset` will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param dex.nodeSelector Node labels for Dex pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param dex.tolerations Tolerations for Dex pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param dex.schedulerName Name of the k8s scheduler (other than default)
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param dex.shareProcessNamespace Enable shared process namespace in a pod.
+ ## If set to false (default), each container will run in separate namespace, dex will have PID=1.
+ ## If set to true, the /pause will run as init process and will reap any zombie PIDs,
+ ## for example, generated by a custom exec probe running longer than a probe timeoutSeconds.
+ ## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating.
+ ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
+ ##
+ shareProcessNamespace: false
+ ## @param dex.topologySpreadConstraints Topology Spread Constraints for pod assignment
+ ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ## The value is evaluated as a template
+ ##
+ topologySpreadConstraints: []
+ ## @param dex.updateStrategy.type Dex statefulset strategy type
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ ## StrategyType
+ ## Can be set to RollingUpdate or OnDelete
+ ##
+ type: RollingUpdate
+ ## @param dex.priorityClassName Dex pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param dex.runtimeClassName Name of the runtime class to be used by pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
+ ##
+ runtimeClassName: ""
+ ## @param dex.lifecycleHooks for the Dex container(s) to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param dex.extraEnvVars Array with extra environment variables to add to Dex nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param dex.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Dex nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param dex.extraEnvVarsSecret Name of existing Secret containing extra env vars for Dex nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param dex.extraVolumes Optionally specify extra list of additional volumes for the Dex pod(s)
+ ##
+ extraVolumes: []
+ ## @param dex.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Dex container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param dex.sidecars Add additional sidecar containers to the Dex pod(s)
+ ## e.g:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param dex.initContainers Add additional init containers to the Dex pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ ## e.g:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## command: ['sh', '-c', 'echo "hello world"']
+ ##
+ initContainers: []
+ ## Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
+ ## @param dex.pdb.create Enable/disable a Pod Disruption Budget creation
+ ## @param dex.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+ ## @param dex.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dex.pdb.minAvailable` and `dex.pdb.maxUnavailable` are empty.
+ ##
+ pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
\ No newline at end of file
From 792c2d8a8f5f3b08de6660346e1bb289e4a6b59b Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Mon, 5 Aug 2024 14:33:14 +0000 Subject: [PATCH 22/37] Update CHANGELOG.md Signed-off-by: Bitnami Containers
--- bitnami/chainloop/CHANGELOG.md | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md
index 76a38ffc6b1485..8a613d8df10f99 100644
--- a/bitnami/chainloop/CHANGELOG.md
+++ b/bitnami/chainloop/CHANGELOG.md
@@ -2,8 +2,4 @@ ## 1.86.9 (2024-08-05)
-* Changes have been applied to comply with Bitnami standards [Chainloop issue](https://github.com/chainloop-dev/chainloop/issues/1151)
-
-## 1.81.0 (2024-07-24)
-
 * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100))
From 8d6f98ba05ee63155aeb06b3b24e6e5c962017a0 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Mon, 5 Aug 2024 16:52:33 +0200 Subject: [PATCH 23/37] change readme
Signed-off-by: Javier Rodriguez
--- bitnami/chainloop/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
index 140506d4346ca0..2c670c52417c1a 100644
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
@@ -160,7 +160,7 @@ username: john@chainloop.local
 password: password
 ```
-The overall OIDC configuration can be found at `charts/dex/values.yaml`.
+The overall OIDC configuration can be found at the `values.yaml` file.
 > **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead.
From f74a6e26e2615ee0698817b540935ba9fc3c8de0 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 13:31:31 +0200 Subject: [PATCH 24/37] templates and values.yaml feedback
Signed-off-by: Javier Rodriguez --- .vib/chainloop/vib-publish.json | 38 ++++ .vib/chainloop/vib-verify.json | 18 +- bitnami/chainloop/Chart.yaml | 68 ++++-- bitnami/chainloop/LICENSE.md | 201 ---------------- bitnami/chainloop/README.md | 192 ++++++++-------- bitnami/chainloop/templates/NOTES.txt | 36 ++- bitnami/chainloop/templates/_helpers.tpl | 71 +++++- .../chainloop/templates/cas/configmap.yaml | 10 +- .../chainloop/templates/cas/deployment.yaml | 8 +- bitnami/chainloop/templates/cas/hpa.yaml | 6 +- .../chainloop/templates/cas/ingress-grpc.yaml | 2 +- bitnami/chainloop/templates/cas/ingress.yaml | 2 +- .../templates/cas/secret-config.yaml | 2 +- .../cas/secret-gcp-secret-manager.yaml | 2 +- .../templates/cas/secret-jwt-public-key.yaml | 2 +- .../templates/cas/service-account.yaml | 1 + .../chainloop/templates/cas/service-grpc.yaml | 2 +- .../templates/controlplane/configmap.yaml | 12 +- .../templates/controlplane/deployment.yaml | 10 +- .../chainloop/templates/controlplane/hpa.yaml | 6 +- .../templates/controlplane/ingress-grpc.yaml | 2 +- .../templates/controlplane/ingress.yaml | 2 +- .../templates/controlplane/secret-config.yaml | 2 +- .../controlplane/secret-ejbca-ca.yaml | 2 +- .../controlplane/secret-file-ca.yaml | 2 +- .../secret-gcp-secret-manager.yaml | 2 +- .../controlplane/service-account.yaml | 1 + bitnami/chainloop/templates/dex/_helpers.tpl | 42 ---- .../chainloop/templates/dex/deployment.yaml | 2 +- bitnami/chainloop/templates/dex/secret.yaml | 4 +- bitnami/chainloop/values.yaml | 215 ++++++++++-------- 31 files changed, 462 insertions(+), 503 deletions(-) create mode 100644 .vib/chainloop/vib-publish.json delete mode 100644 bitnami/chainloop/LICENSE.md delete mode 100644 bitnami/chainloop/templates/dex/_helpers.tpl diff --git a/.vib/chainloop/vib-publish.json b/.vib/chainloop/vib-publish.json new file mode 100644 index 00000000000000..bcd64c92a36dcb --- /dev/null +++ b/.vib/chainloop/vib-publish.json 
@@ -0,0 +1,38 @@
+{
+ "phases": {
+ "package": {
+ "context": {
+ "resources": {
+ "url": "{SHA_ARCHIVE}",
+ "path": "/bitnami/chainloop"
+ }
+ },
+ "actions": [
+ {
+ "action_id": "helm-package"
+ },
+ {
+ "action_id": "helm-lint"
+ }
+ ]
+ },
+ "publish": {
+ "actions": [
+ {
+ "action_id": "helm-publish",
+ "params": {
+ "repository": {
+ "kind": "S3",
+ "url": "{VIB_ENV_S3_URL}",
+ "authn": {
+ "access_key_id": "{VIB_ENV_S3_ACCESS_KEY_ID}",
+ "secret_access_key": "{VIB_ENV_S3_SECRET_ACCESS_KEY}",
+ "role": "{VIB_ENV_S3_ROLE_ARN}"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/.vib/chainloop/vib-verify.json b/.vib/chainloop/vib-verify.json
index 0344ad978dc8c6..ba27cd61c05b46 100644
--- a/.vib/chainloop/vib-verify.json
+++ b/.vib/chainloop/vib-verify.json
@@ -1,5 +1,21 @@
 {
 "phases": {
+ "package": {
+ "context": {
+ "resources": {
+ "url": "{SHA_ARCHIVE}",
+ "path": "/bitnami/chainloop"
+ }
+ },
+ "actions": [
+ {
+ "action_id": "helm-package"
+ },
+ {
+ "action_id": "helm-lint"
+ }
+ ]
+ },
 "verify": {
 "context": {
 "resources": {
@@ -29,4 +45,4 @@
 ]
 }
 }
-}
+}
\ No newline at end of file
diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml
index 8e6d0cadffc194..fe933f76d66e4b 100644
--- a/bitnami/chainloop/Chart.yaml
+++ b/bitnami/chainloop/Chart.yaml
@@ -1,16 +1,20 @@
 # Copyright Broadcom, Inc. All Rights Reserved.
 # SPDX-License-Identifier: APACHE-2.0
+annotations:
+ category: DeveloperTools
+ license: Apache-2.0
+ images: |
+ - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.95.3
+ name: artifact-cas
+ - image: ghcr.io/chainloop-dev/chainloop/control-plane:v0.95.3
+ name: control-plane
+ - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.95.3
+ name: control-plane-migrations
+ - image: docker.io/bitnami/dex:2.40.0-debian-12-r1
+ name: dex
 apiVersion: v2
-name: chainloop
-description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
-
-type: application
-# Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.86.9
-# Do not update appVersion, this is handled automatically by the release process
-appVersion: v0.95.3
-
+appVersion: 0.95.3
 dependencies:
 - name: common
 repository: https://charts.bitnami.com/bitnami
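Review bot: `appVersion` loses its `v` prefix in this hunk (`-appVersion: v0.95.3` → `+appVersion: 0.95.3`) while the `annotations.images` entries added just above keep tags of the form `artifact-cas:v0.95.3`, so the two fields no longer agree; if any template defaults an image tag from `.Chart.AppVersion` (the templates are not visible here), the rendered reference would lack the `v` and fail to pull, so either keep `appVersion: v0.95.3` or have the templates prepend the prefix. The removed `# Do not update appVersion, this is handled automatically by the release process` comment recorded who owns that field; if the release tooling still manages it, that contract should survive as a one-line comment rather than disappear. Separately, the images are still pinned to the upstream `ghcr.io/chainloop-dev/chainloop/*` registry by mutable tag, whereas the `sources` list in the next hunk and the README's `REPOSITORY_NAME/chainloop-control-plane` point at Bitnami-built `chainloop-*` images — presumably only one set is actually deployed, and `annotations.images` should name that set (ideally with a `@sha256:` digest) so the shipped images are what the chart declares.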
@@ -25,14 +29,38 @@ dependencies:
 name: vault
 repository: https://charts.bitnami.com/bitnami
 version: 1.4.x
-
-annotations:
- images: |
- - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.95.3
- name: artifact-cas
- - image: ghcr.io/chainloop-dev/chainloop/control-plane:v0.95.3
- name: control-plane
- - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.95.3
- name: control-plane-migrations
- - image: docker.io/bitnami/dex:2.40.0-debian-12-r1
- name: dex
+description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
+home: https://bitnami.com
+icon: https://bitnami.com/assets/stacks/chainloop-control-plane/img/chainloop-control-plane-stack-220x234.png
+keywords:
+ - chainloop
+ - evidence-store
+ - supply-chain-security
+ - devops
+ - devsecops
+ - security
+ - compliance
+ - cyclonedx
+ - spdx
+ - sbom
+ - attestation
+ - oss-compliance
+ - in-toto
+ - slsa
+ - sbom-distribution
+ - open-source-licensing
+ - slsa-provenance
+ - metadata-platform
+ - sbom-discovery
+ - regulated-industry
+maintainers:
+ - name: Broadcom, Inc. All Rights Reserved.
+ url: https://github.com/bitnami/charts
+name: chainloop
+sources:
+ - https://github.com/bitnami/charts/tree/main/bitnami/chainloop
+ - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-control-plane
+ - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-control-plane-migrations
+ - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-artifact-cas
+ - https://github.com/chainloop-dev/chainloop
+version: 0.1.0
diff --git a/bitnami/chainloop/LICENSE.md b/bitnami/chainloop/LICENSE.md
deleted file mode 100644
index 261eeb9e9f8b2b..00000000000000
--- a/bitnami/chainloop/LICENSE.md
+++ /dev/null
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 2c670c52417c1a..94abb198fdd2ae 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
@@ -479,11 +479,12 @@ chainloop config save \ ### Global parameters -| Name | Description | Value | -| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `development` | Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | `false` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| `development` | Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | `false` | ### Common parameters 
@@ -523,25 +524,36 @@ chainloop config save \ ### Control Plane -| Name | Description | Value | -| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------------- | -| `controlplane.replicaCount` | Number of replicas | `2` | -| `controlplane.image.registry` | Image registry | `REGISTRY_NAME` | -| `controlplane.image.repository` | Image repository | `REPOSITORY_NAME` | -| `controlplane.containerPorts.http` | controlplane HTTP container port | `8000` | -| `controlplane.containerPorts.grpc` | controlplane gRPC container port | `9000` | -| `controlplane.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` | -| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | -| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | -| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | -| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | -| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | -| `controlplane.onboarding.name` | Name of the organization to onboard | | -| `controlplane.onboarding.role` | Role of the organization to onboard | | -| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | -| `controlplane.migration.image.registry` | Image registry | `REGISTRY_NAME` | -| `controlplane.migration.image.repository` | Image repository | `REPOSITORY_NAME` | -| `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | +| Name | Description | Value | +| ---------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | +| `controlplane.replicaCount` | Number of replicas | `2` | +| `controlplane.image.registry` | image registry | `REGISTRY_NAME` | +| `controlplane.image.repository` | image repository | `REPOSITORY_NAME/chainloop-control-plane` | +| `controlplane.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `controlplane.image.pullPolicy` | image pull policy | `IfNotPresent` | +| `controlplane.image.pullSecrets` | image pull secrets | `[]` | +| `controlplane.containerPorts.http` | controlplane HTTP container port | `8000` | +| `controlplane.containerPorts.grpc` | controlplane gRPC container port | `9000` | +| `controlplane.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` | +| `controlplane.tls.existingSecret` | Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. 
| `""` | +| `controlplane.existingConfigMap` | | `""` | +| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` | +| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | +| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | +| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | +| `controlplane.onboarding.name` | Name of the organization to onboard | | +| `controlplane.onboarding.role` | Role of the organization to onboard | | +| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | +| `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | +| `controlplane.migration.image.registry` | image registry | `REGISTRY_NAME` | +| `controlplane.migration.image.repository` | image repository | `REPOSITORY_NAME/chainloop-control-plane-migrations` | +| `controlplane.migration.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `controlplane.migration.image.pullPolicy` | image pull policy | `IfNotPresent` | +| `controlplane.migration.image.pullSecrets` | image pull secrets | `[]` | +| `controlplane.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `controlplane.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `controlplane.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` | +| `controlplane.serviceAccount.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` | ### Control Plane Database 
@@ -652,71 +664,70 @@ chainloop config save \ ### Keyless signing configuration -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | -| `controlplane.keylessSigning.enabled` | Activates or deactivates the feature | `false` | -| `controlplane.keylessSigning.backend` | The backend to use. Currently only "fileCA" and "ejbcaCA" are supported | `fileCA` | -| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | -| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | -| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service ("https://host/ejbca") | `""` | -| `controlplane.keylessSigning.ejbcaCA.clientKey` | PEM-encoded the private key for EJBCA cert authentication | `""` | -| `controlplane.keylessSigning.ejbcaCA.clientCert` | PEM-encoded certificate for EJBCA cert authentication | `""` | -| `controlplane.keylessSigning.ejbcaCA.certProfileName` | Name of the certificate profile to use in EJBCA | `""` | -| `controlplane.keylessSigning.ejbcaCA.endEntityProfileName` | Name of the Entity Profile to use in EJBCA | `""` | -| `controlplane.keylessSigning.ejbcaCA.caName` | Name of the CA issuer to use in EJBCA | `""` | -| `controlplane.customCAs` | List of custom CA certificates content | `[]` | -| `controlplane.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` | -| `controlplane.hostAliases` | controlplane pods host aliases | `[]` | -| `controlplane.deploymentAnnotations` | Annotations for controlplane deployment | `{}` | -| `controlplane.podLabels` | Extra labels for controlplane pods | `{}` | -| 
`controlplane.podAffinityPreset` | Pod affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `controlplane.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `controlplane.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `controlplane.nodeAffinityPreset.key` | Node label key to match. Ignored if `controlplane.affinity` is set | `""` | -| `controlplane.nodeAffinityPreset.values` | Node label values to match. Ignored if `controlplane.affinity` is set | `[]` | -| `controlplane.affinity` | Affinity for controlplane pods assignment | `{}` | -| `controlplane.nodeSelector` | Node labels for controlplane pods assignment | `{}` | -| `controlplane.tolerations` | Tolerations for controlplane pods assignment | `[]` | -| `controlplane.updateStrategy.type` | controlplane deployment strategy type | `RollingUpdate` | -| `controlplane.priorityClassName` | controlplane pods' priorityClassName | `""` | -| `controlplane.topologySpreadConstraints` | Topology Spread Constraints for controlplane pod assignment spread across your cluster among failure-domains | `[]` | -| `controlplane.schedulerName` | Name of the k8s scheduler (other than default) for controlplane pods | `""` | -| `controlplane.terminationGracePeriodSeconds` | Seconds controlplane pods need to terminate gracefully | `""` | -| `controlplane.lifecycleHooks` | for controlplane containers to automate configuration before or after startup | `{}` | -| `controlplane.extraEnvVars` | Array with extra environment variables to add to controlplane containers | `[]` | -| `controlplane.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for controlplane containers | `""` | -| `controlplane.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for controlplane containers 
| `""` | -| `controlplane.extraVolumes` | Optionally specify extra list of additional volumes for the controlplane pods | `[]` | -| `controlplane.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the controlplane containers | `[]` | -| `controlplane.sidecars` | Add additional sidecar containers to the controlplane pods | `[]` | -| `controlplane.initContainers` | Add additional init containers to the controlplane pods | `[]` | -| `controlplane.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | -| `controlplane.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | -| `controlplane.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `controlplane.pdb.minAvailable` and `controlplane.pdb.maxUnavailable` are empty. | `""` | -| `controlplane.autoscaling.vpa.enabled` | Enable VPA for controlplane pods | `false` | -| `controlplane.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | -| `controlplane.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. 
Defaults to cpu and memory | `[]` | -| `controlplane.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | -| `controlplane.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | -| `controlplane.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | -| `controlplane.autoscaling.hpa.enabled` | Enable HPA for controlplane pods | `false` | -| `controlplane.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | -| `controlplane.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | -| `controlplane.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | -| `controlplane.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | --------------- | +| `controlplane.keylessSigning.enabled` | Activates or deactivates the feature | `false` | +| `controlplane.keylessSigning.backend` | The backend to use. 
Currently only "fileCA" and "ejbcaCA" are supported | `fileCA` | +| `controlplane.keylessSigning.fileCA.cert` | The PEM-encoded certificate of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.key` | The PEM-encoded private key of the file based CA | `""` | +| `controlplane.keylessSigning.fileCA.keyPass` | The secret key pass | `""` | +| `controlplane.keylessSigning.ejbcaCA.serverURL` | The url of the EJBCA service ("https://host/ejbca") | `""` | +| `controlplane.keylessSigning.ejbcaCA.clientKey` | PEM-encoded the private key for EJBCA cert authentication | `""` | +| `controlplane.keylessSigning.ejbcaCA.clientCert` | PEM-encoded certificate for EJBCA cert authentication | `""` | +| `controlplane.keylessSigning.ejbcaCA.certProfileName` | Name of the certificate profile to use in EJBCA | `""` | +| `controlplane.keylessSigning.ejbcaCA.endEntityProfileName` | Name of the Entity Profile to use in EJBCA | `""` | +| `controlplane.keylessSigning.ejbcaCA.caName` | Name of the CA issuer to use in EJBCA | `""` | +| `controlplane.customCAs` | List of custom CA certificates content | `[]` | +| `controlplane.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` | +| `controlplane.hostAliases` | controlplane pods host aliases | `[]` | +| `controlplane.deploymentAnnotations` | Annotations for controlplane deployment | `{}` | +| `controlplane.podLabels` | Extra labels for controlplane pods | `{}` | +| `controlplane.podAffinityPreset` | Pod affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `controlplane.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `controlplane.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `controlplane.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `controlplane.nodeAffinityPreset.key` | Node label key to match. 
Ignored if `controlplane.affinity` is set | `""` | +| `controlplane.nodeAffinityPreset.values` | Node label values to match. Ignored if `controlplane.affinity` is set | `[]` | +| `controlplane.affinity` | Affinity for controlplane pods assignment | `{}` | +| `controlplane.nodeSelector` | Node labels for controlplane pods assignment | `{}` | +| `controlplane.tolerations` | Tolerations for controlplane pods assignment | `[]` | +| `controlplane.updateStrategy.type` | controlplane deployment strategy type | `RollingUpdate` | +| `controlplane.priorityClassName` | controlplane pods' priorityClassName | `""` | +| `controlplane.topologySpreadConstraints` | Topology Spread Constraints for controlplane pod assignment spread across your cluster among failure-domains | `[]` | +| `controlplane.schedulerName` | Name of the k8s scheduler (other than default) for controlplane pods | `""` | +| `controlplane.terminationGracePeriodSeconds` | Seconds controlplane pods need to terminate gracefully | `""` | +| `controlplane.lifecycleHooks` | for controlplane containers to automate configuration before or after startup | `{}` | +| `controlplane.extraEnvVars` | Array with extra environment variables to add to controlplane containers | `[]` | +| `controlplane.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for controlplane containers | `""` | +| `controlplane.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for controlplane containers | `""` | +| `controlplane.extraVolumes` | Optionally specify extra list of additional volumes for the controlplane pods | `[]` | +| `controlplane.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the controlplane containers | `[]` | +| `controlplane.sidecars` | Add additional sidecar containers to the controlplane pods | `[]` | +| `controlplane.initContainers` | Add additional init containers to the controlplane pods | `[]` | +| `controlplane.autoscaling.hpa.enabled` | Enable HPA 
for controlplane pods | `false` | +| `controlplane.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | +| `controlplane.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | +| `controlplane.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | +| `controlplane.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | ### Artifact Content Addressable (CAS) API -| Name | Description | Value | -| ---------------------------- | --------------------------------------------------------------------------------------- | ----------------- | -| `cas.replicaCount` | Number of replicas | `2` | -| `cas.image.registry` | Image registry | `REGISTRY_NAME` | -| `cas.image.repository` | Image repository | `REPOSITORY_NAME` | -| `cas.containerPorts.http` | controlplane HTTP container port | `8000` | -| `cas.containerPorts.grpc` | controlplane gRPC container port | `9000` | -| `cas.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` | -| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` | +| Name | Description | Value | +| ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | +| `cas.replicaCount` | Number of replicas | `2` | +| `cas.image.registry` | image registry | `REGISTRY_NAME` | +| `cas.image.repository` | image repository | `REPOSITORY_NAME/chainloop-artifact-cas` | +| `cas.image.digest` | image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `cas.image.pullPolicy` | image pull policy | `IfNotPresent` | +| `cas.image.pullSecrets` | image pull secrets | `[]` | +| `cas.containerPorts.http` | controlplane HTTP container port | `8000` | +| `cas.containerPorts.grpc` | controlplane gRPC container port | `9000` | +| `cas.containerPorts.metrics` | controlplane prometheus metrics container port | `5000` | +| `cas.tls.existingSecret` | Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. | `""` | +| `cas.existingConfigMap` | | `""` | +| `cas.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `cas.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `cas.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` | +| `cas.serviceAccount.automountServiceAccountToken` | Mount Service Account token in controlplane pods | `false` | ### CAS Networking 
@@ -825,15 +836,6 @@ chainloop config save \ | `cas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the cas containers | `[]` | | `cas.sidecars` | Add additional sidecar containers to the cas pods | `[]` | | `cas.initContainers` | Add additional init containers to the cas pods | `[]` | -| `cas.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | -| `cas.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | -| `cas.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `cas.pdb.minAvailable` and `cas.pdb.maxUnavailable` are empty. | `""` | -| `cas.autoscaling.vpa.enabled` | Enable VPA for cas pods | `false` | -| `cas.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | -| `cas.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` | -| `cas.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | -| `cas.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | -| `cas.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | | `cas.autoscaling.hpa.enabled` | Enable HPA for cas pods | `false` | | `cas.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | | `cas.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | diff --git a/bitnami/chainloop/templates/NOTES.txt b/bitnami/chainloop/templates/NOTES.txt index 837ac3ed89326b..d1e3fe5cdb49bd 100644 --- a/bitnami/chainloop/templates/NOTES.txt +++ b/bitnami/chainloop/templates/NOTES.txt 
@@ -4,6 +4,37 @@ APP VERSION: {{ .Chart.AppVersion }} ** Please be patient while the chart is being deployed ** +########################################################################### + DEVELOPMENT MODE +########################################################################### + +██████╗ ███████╗██╗ ██╗ █████╗ ██████╗ ███████╗ +██╔══██╗██╔════╝██║ ██║██╔══██╗██╔══██╗██╔════╝ +██████╔╝█████╗ ██║ █╗ ██║███████║██████╔╝█████╗ +██╔══██╗██╔══╝ ██║███╗██║██╔══██║██╔══██╗██╔══╝ +██████╔╝███████╗╚███╔███╔╝██║ ██║██║ ██║███████╗ +╚═════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚══════╝ + +Instance running in development mode! + +Development mode, by default + +- Runs an insecure, unsealed, non-persistent instance of Vault +- Is configured with development authentication keys + +########################################################################### +Pre-configured static users +########################################################################### + +Development configuration comes with two pre-setup users: +- username: sarah@chainloop.local +- password: password + +- username: john@chainloop.local +- password: password + +DO NOT USE IT FOR PRODUCTION PURPOSES + ########################################################################### CONFIGURE CLI ########################################################################### @@ -11,8 +42,8 @@ APP VERSION: {{ .Chart.AppVersion }} Configure the CLI to point to this instance, for example chainloop --insecure config save \ - --control-plane my-controlplane.acme.com:80 \ - --artifact-cas cas.acme.com:80 + --control-plane {{ include "chainloop.controlplane.grpc_url" . }} \ + --artifact-cas {{ include "chainloop.cas.grpc_url" . }} Refer to this link for more information https://docs.chainloop.dev/getting-started/installation#configure-cli-optional 
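Review bot: The development-mode banner and the static `sarah@chainloop.local` / `john@chainloop.local` / `password` credentials are emitted unconditionally, while the `chainloop.validateValues.development` helper they replace only printed them `{{- if .Values.development }}`. Every production install will now announce an unsealed dev Vault and publish default logins in its post-install output, which both misleads the operator and trains people to ignore the warning. Gate the block with `{{- if .Values.development }}` before the first `###` line and `{{- end }}` after `DO NOT USE IT FOR PRODUCTION PURPOSES`. If the dev users really only exist when `development` is true (the README row says the flag wires in dev certificates and passphrases), the same condition is the right one here.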
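Review bot: `chainloop --insecure config save` is still hard-coded in the generated snippet even though the targets now come from `chainloop.controlplane.grpc_url` / `chainloop.cas.grpc_url`, which resolve to the ingress hostname when an ingress is enabled (typically a TLS endpoint), and `controlplane.tls.existingSecret` / `cas.tls.existingSecret` can enable TLS on the gRPC listeners. I cannot tell from here exactly what `--insecure` relaxes in the CLI, but an unverified/plaintext default should not be what NOTES tells every user to paste; making it conditional on no TLS being configured, e.g. `chainloop {{ if not .Values.controlplane.tls.existingSecret }}--insecure {{ end }}config save \`, or at least a line above it saying why `--insecure` is needed, would avoid that. The helpers also emit `api.<hostname>` with no port where the old text had `:80`, and `localhost:<port>` in the non-ingress case presumes a `kubectl port-forward`; a sentence stating both assumptions next to the snippet would help.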
@@ -28,5 +59,4 @@ https://docs.chainloop.dev/getting-started/installation#configure-cli-optional {{- include "common.warnings.rollingTag" .Values.controlplane.image }} {{- include "common.warnings.rollingTag" .Values.cas.image }} {{- include "common.warnings.rollingTag" .Values.controlplane.migration.image }} -{{- include "chainloop.validateValues" . }} {{- include "common.warnings.modifiedImages" (dict "images" (list .Values.controlplane.image .Values.cas.image .Values.controlplane.migration.image) "context" $) }} diff --git a/bitnami/chainloop/templates/_helpers.tpl b/bitnami/chainloop/templates/_helpers.tpl index b9e1fc23cc4e70..6430041db7ef1d 100644 --- a/bitnami/chainloop/templates/_helpers.tpl +++ b/bitnami/chainloop/templates/_helpers.tpl @@ -320,6 +320,22 @@ null {{- end -}} {{- end -}} +{{/* +Figure out the gRPC URL the controlplane can be reached at +*/}} +{{- define "chainloop.controlplane.grpc_url" -}} +{{- $service := .Values.controlplane.serviceAPI }} +{{- $ingress := .Values.controlplane.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "api.%s" $ingress.hostname }} +{{- else if (not (empty $service.ports.https)) }} +{{- printf "localhost:%d" ($service.ports.https | int) }} +{{- else }} +{{- printf "localhost:%d" ($service.ports.http | int) }} +{{- end -}} +{{- end -}} + {{- define "chainloop.sentry" -}} observability: sentry: 
@@ -396,24 +412,55 @@ NOTE: Load balancer service type is not supported {{- end -}} {{/* -Check for Development mode +Figure out the gRPC URL the cas can be reached at */}} -{{- define "chainloop.validateValues.development" -}} -{{- if .Values.development }} -{{- printf "###########################################################################\n DEVELOPMENT MODE\n###########################################################################\n\n██████╗ ███████╗██╗ ██╗ █████╗ ██████╗ ███████╗\n██╔══██╗██╔════╝██║ ██║██╔══██╗██╔══██╗██╔════╝\n██████╔╝█████╗ ██║ █╗ ██║███████║██████╔╝█████╗\n██╔══██╗██╔══╝ ██║███╗██║██╔══██║██╔══██╗██╔══╝\n██████╔╝███████╗╚███╔███╔╝██║ ██║██║ ██║███████╗\n╚═════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚══════╝\n\nInstance running in development mode!\n\nDevelopment mode, by default\n\n- Runs an insecure, unsealed, non-persistent instance of Vault\n- Is configured with development authentication keys\n\n###########################################################################\nPre-configured static users\n###########################################################################\n\nDevelopment configuration comes with two pre-setup users:\n- username: sarah@chainloop.local\n- password: password\n\n- username: john@chainloop.local\n- password: password\n\nDO NOT USE IT FOR PRODUCTION PURPOSES" -}} +{{- define "chainloop.cas.grpc_url" -}} +{{- $service := .Values.cas.serviceAPI }} +{{- $ingress := .Values.cas.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "api.%s" $ingress.hostname }} +{{- else if (not (empty $service.ports.https)) }} +{{- printf "localhost:%d" ($service.ports.https | int) }} +{{- else }} +{{- printf "localhost:%d" ($service.ports.http | int) }} {{- end -}} {{- end -}} {{/* -Compile all warning messages into a single one +############################################################################## +Dex helpers +############################################################################## 
+*/}} + +{{/* +Return the proper Dex image name +*/}} +{{- define "chainloop.dex.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.dex.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper service name for Dex */}} -{{- define "chainloop.validateValues" -}} -{{- $messages := list -}} -{{- $messages := append $messages (include "chainloop.validateValues.development" .) -}} -{{- $messages := without $messages "" -}} -{{- $message := join "\n" $messages -}} +{{- define "chainloop.dex" -}} +{{- printf "%s-dex" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} -{{- if $message -}} -{{- printf "\n\nVALUES VALIDATION:\n%s" $message -}} +{{/* +Create the name of the service account to use for Dex +*/}} +{{- define "chainloop.dex.serviceAccountName" -}} +{{- if .Values.dex.serviceAccount.create -}} + {{ default (printf "%s-dex" (include "common.names.fullname" .)) .Values.dex.serviceAccount.name | trunc 63 | trimSuffix "-" }} +{{- else -}} + {{ default "default" .Values.dex.serviceAccount.name }} +{{- end -}} {{- end -}} + +{{/* +Chainloop Dex release name +*/}} +{{- define "chainloop.dex.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/bitnami/chainloop/templates/cas/configmap.yaml b/bitnami/chainloop/templates/cas/configmap.yaml index 08dc5f15a8f85e..1849b5037f7b1f 100644 --- a/bitnami/chainloop/templates/cas/configmap.yaml +++ b/bitnami/chainloop/templates/cas/configmap.yaml @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} +{{- if (empty .Values.cas.existingConfigMap) }} apiVersion: v1 kind: ConfigMap metadata: 
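Review bot: `chainloop.dex` and `chainloop.dex.fullname` render the same string (`<fullname>-dex`, truncated to 63 and trimmed of a trailing `-`), so one of them is redundant; keeping only `chainloop.dex.fullname` and using it for the service name avoids the two drifting apart later. `chainloop.dex.serviceAccountName` falls back to the namespace `default` ServiceAccount when `dex.serviceAccount.create` is false and no name is given, which is the Bitnami convention but means the Dex pod then inherits whatever RBAC and token-automount setting the `default` account has; a comment on the helper, `{{/* Falls back to the namespace "default" SA when create=false and no name is set */}}`, makes that explicit. The `chainloop.validateValues.development` gate removed here is not re-established in this hunk, so whatever prints the development warning elsewhere needs its own `.Values.development` check.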
@@ -16,18 +17,19 @@ data: server.yaml: | server: http: - addr: 0.0.0.0:8000 + addr: "0.0.0.0:{{ .Values.cas.containerPorts.http }}" # Timeouts for http downloads # grpc downloads/uploads don't require this because they don't have timeouts timeout: 300s grpc: - {{- if .Values.cas.tlsConfig.secret.name }} + {{- if .Values.cas.tls.existingSecret }} tls_config: certificate: /data/server-certs/tls.crt private_key: /data/server-certs/tls.key {{- end }} - addr: 0.0.0.0:9000 + addr: "0.0.0.0:{{ .Values.cas.containerPorts.grpc }}" # Some unary RPCs are slow, so we need to increase the timeout timeout: 5s http_metrics: - addr: 0.0.0.0:5000 + addr: "0.0.0.0:{{ .Values.cas.containerPorts.metrics}}" +{{- end }} diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml index 202cd2131b7675..f342d77eeae7dd 100644 --- a/bitnami/chainloop/templates/cas/deployment.yaml +++ b/bitnami/chainloop/templates/cas/deployment.yaml @@ -125,7 +125,7 @@ spec: - name: gcp-secretmanager-serviceaccountkey mountPath: /gcp-secrets {{- end }} - {{- if .Values.cas.tlsConfig.secret.name }} + {{- if .Values.cas.tls.existingSecret }} - name: server-certs mountPath: /data/server-certs {{- end }} @@ -153,10 +153,10 @@ spec: - name: jwt-public-key secret: secretName: {{ include "chainloop.cas.fullname" . }}-jwt-public-key - {{- if .Values.cas.tlsConfig.secret.name }} + {{- if .Values.cas.tls.existingSecret }} - name: server-certs secret: - secretName: {{ .Values.cas.tlsConfig.secret.name }} + secretName: {{ .Values.cas.tls.existingSecret }} {{- end }} {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} - name: gcp-secretmanager-serviceaccountkey @@ -172,4 +172,4 @@ spec: {{- end }} {{- if .Values.cas.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraVolumes "context" $) | nindent 8 }} - {{- end }} \ No newline at end of file + {{- end }} 
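Review bot: With `cas.tls.existingSecret` set only the gRPC listener gets `tls_config`; the HTTP listener (`addr: "0.0.0.0:{{ .Values.cas.containerPorts.http }}"`, which the in-file comment says serves downloads) stays plaintext, so artifact downloads are protected only if TLS is terminated at the ingress in front of it — a comment above the `http:` block, `# no TLS here: terminate TLS for the download endpoint at the ingress`, would stop someone from exposing that port directly and assuming the secret covers it (I can't tell from here whether the server supports TLS on the HTTP listener). The new `{{- if (empty .Values.cas.existingConfigMap) }}` guard means an operator-supplied ConfigMap must expose the same `server.yaml` key with this schema; the README row for `cas.existingConfigMap` has an empty description, so document that contract there and in values.yaml. The deployment hunks in this patch only switch the TLS volume to `cas.tls.existingSecret`; if the configMap volume is not also pointed at `.Values.cas.existingConfigMap` somewhere outside this view, setting it leaves the pod referencing a ConfigMap the chart no longer renders.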
diff --git a/bitnami/chainloop/templates/cas/hpa.yaml b/bitnami/chainloop/templates/cas/hpa.yaml index 93bfecadcc9a56..c0fe8c9ccadfe8 100644 --- a/bitnami/chainloop/templates/cas/hpa.yaml +++ b/bitnami/chainloop/templates/cas/hpa.yaml @@ -30,7 +30,7 @@ spec: {{- else }} target: type: Utilization - averageUtilization: {{ .Values.worker.autoscaling.hpa.targetMemory }} + averageUtilization: {{ .Values.cas.autoscaling.hpa.targetMemory }} {{- end }} {{- end }} {{- if .Values.cas.autoscaling.hpa.targetCPU }} @@ -42,7 +42,7 @@ spec: {{- else }} target: type: Utilization - averageUtilization: {{ .Values.worker.autoscaling.hpa.targetCPU }} + averageUtilization: {{ .Values.cas.autoscaling.hpa.targetCPU }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/bitnami/chainloop/templates/cas/ingress-grpc.yaml b/bitnami/chainloop/templates/cas/ingress-grpc.yaml index 6316776aa4c19f..53f0c74cbbcac2 100644 --- a/bitnami/chainloop/templates/cas/ingress-grpc.yaml +++ b/bitnami/chainloop/templates/cas/ingress-grpc.yaml @@ -62,4 +62,4 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingressAPI.extraTls "context" $) | nindent 4 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/bitnami/chainloop/templates/cas/ingress.yaml b/bitnami/chainloop/templates/cas/ingress.yaml index c6db3b0df69052..053e7cff87c7e2 100644 --- a/bitnami/chainloop/templates/cas/ingress.yaml +++ b/bitnami/chainloop/templates/cas/ingress.yaml @@ -62,4 +62,4 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraTls "context" $) | nindent 4 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/bitnami/chainloop/templates/cas/secret-config.yaml b/bitnami/chainloop/templates/cas/secret-config.yaml index 98f5f2717d0bea..e1bb7f2f912a8e 100644 --- a/bitnami/chainloop/templates/cas/secret-config.yaml +++ b/bitnami/chainloop/templates/cas/secret-config.yaml 
@@ -24,4 +24,4 @@ stringData: public_key_path: "/tmp/cas.public.pem" # Deprecated, use public_key_path instead. Remove option once release of the app 0.15+ is out. robot_account_public_key_path: "/tmp/cas.public.pem" - # TODO: add observability \ No newline at end of file + # TODO: add observability diff --git a/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml b/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml index 7d17c91f3cf15b..59b8c0af0187d9 100644 --- a/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml +++ b/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml @@ -13,4 +13,4 @@ metadata: type: Opaque data: serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml b/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml index cc74fd28a433df..bcd18afb1e86e9 100644 --- a/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml +++ b/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml @@ -11,4 +11,4 @@ metadata: {{- include "chainloop.cas.labels" . | nindent 4 }} type: Opaque data: - cas.public.pem: {{ include "chainloop.casjwt.public_key" . | b64enc | quote }} \ No newline at end of file + cas.public.pem: {{ include "chainloop.casjwt.public_key" . | b64enc | quote }} diff --git a/bitnami/chainloop/templates/cas/service-account.yaml b/bitnami/chainloop/templates/cas/service-account.yaml index d8a5df92c2b791..afa0775bc6dbd9 100644 --- a/bitnami/chainloop/templates/cas/service-account.yaml +++ b/bitnami/chainloop/templates/cas/service-account.yaml 
@@ -14,4 +14,5 @@ metadata: {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.serviceAccount.annotations .Values.commonAnnotations) "context" .) }} annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} {{- end }} +automountServiceAccountToken: {{ .Values.cas.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/bitnami/chainloop/templates/cas/service-grpc.yaml b/bitnami/chainloop/templates/cas/service-grpc.yaml index f2b72b7b852282..4d2794df293886 100644 --- a/bitnami/chainloop/templates/cas/service-grpc.yaml +++ b/bitnami/chainloop/templates/cas/service-grpc.yaml @@ -49,4 +49,4 @@ spec: {{- if .Values.cas.serviceAPI.extraPorts }} {{- include "common.tplvalues.render" (dict "value" .Values.cas.serviceAPI.extraPorts "context" $) | nindent 4 }} {{- end }} - selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }} \ No newline at end of file + selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }} diff --git a/bitnami/chainloop/templates/controlplane/configmap.yaml b/bitnami/chainloop/templates/controlplane/configmap.yaml index 582e734a3e3cd3..3856a9970919e8 100644 --- a/bitnami/chainloop/templates/controlplane/configmap.yaml +++ b/bitnami/chainloop/templates/controlplane/configmap.yaml @@ -3,6 +3,7 @@ Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} +{{- if (empty .Values.controlplane.existingConfigMap) }} apiVersion: v1 kind: ConfigMap metadata: 
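Review bot: `automountServiceAccountToken` is set only on the ServiceAccount object here, and that setting has no effect when the SA is not rendered by the chart (presumably the `create` guard that opens outside this hunk) and is overridden by any pod-level value; the deployment hunks in this chunk show no pod-level field. To make the default-off token mount hold in both cases, also set `automountServiceAccountToken: {{ .Values.cas.serviceAccount.automountServiceAccountToken }}` in the CAS pod spec. The matching hunk in controlplane/service-account.yaml has the same gap with `.Values.controlplane.serviceAccount.automountServiceAccountToken`.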
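Review bot: The new `{{- if (empty .Values.controlplane.existingConfigMap) }}` guard stops rendering the chart's ConfigMap, but nothing in this chunk switches the deployment's config volume to `.Values.controlplane.existingConfigMap`; unless that reference exists elsewhere in the diff, setting the value leaves the pod mounting a ConfigMap that is no longer created. Confirm the volume that mounts the configuration uses something like `name: {{ default (include "chainloop.controlplane.fullname" .) .Values.controlplane.existingConfigMap }}`. The guard's closing `{{- end }}` is in a later hunk of this file.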
@@ -22,15 +23,15 @@ data: config.yaml: | server: http: - addr: 0.0.0.0:8000 + addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.http }}" timeout: 10s external_url: {{ include "chainloop.controlplane.external_url" . }} http_metrics: - addr: 0.0.0.0:5000 + addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.metrics }}" grpc: - addr: 0.0.0.0:9000 + addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.grpc }}" timeout: 10s - {{- if .Values.controlplane.tlsConfig.secret.name }} + {{- if .Values.controlplane.tls.existingSecret }} tls_config: certificate: /data/server-certs/tls.crt private_key: /data/server-certs/tls.key @@ -38,7 +39,7 @@ data: cas_server: grpc: addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) (coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http) }} - insecure: {{ empty .Values.cas.tlsConfig.secret.name }} + insecure: {{ empty .Values.cas.tls.existingSecret }} download_url: {{ include "chainloop.cas.external_url" . }}/download plugins_dir: {{ .Values.controlplane.pluginsDir }} referrer_shared_index: @@ -51,3 +52,4 @@ data: prometheus_integration: {{- toYaml .Values.controlplane.prometheus_org_metrics | nindent 6 }} {{- end }} +{{- end }} diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml index 6cb0f8cc349f66..e87cbb089d8709 100644 --- a/bitnami/chainloop/templates/controlplane/deployment.yaml +++ b/bitnami/chainloop/templates/controlplane/deployment.yaml @@ -88,7 +88,7 @@ spec: name: {{ include "chainloop.controlplane.fullname" . }} key: db_migrate_source containers: - - name: {{ .Chart.Name }} + - name: controlplane securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.containerSecurityContext "context" $) | nindent 12 }} image: {{ include "chainloop.controlplane.image" . }} imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} 
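Review bot: `insecure: {{ empty .Values.cas.tls.existingSecret }}` in hunk `@@ -38,7 +39,7 @@` carries over the pre-rename behaviour of making the control plane's gRPC client to the CAS plaintext whenever no TLS secret is mounted on the CAS, so the only way to get a TLS-verified in-cluster hop is to hand the chart a server certificate secret. If TLS for the CAS is provided some other way (a sidecar or mesh, for instance), operators cannot express that here; consider driving `insecure` from an explicit value rather than from secret presence, and document the coupling next to `cas.tls.existingSecret` in values.yaml. The `server:` block's `tls_config` in the previous hunk has the same dependency on `controlplane.tls.existingSecret`.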
@@ -150,7 +150,7 @@ spec:
 - name: ejbca-ca-client
 mountPath: /ca_secrets
 {{- end }}
- {{- if .Values.controlplane.tlsConfig.secret.name }}
+ {{- if .Values.controlplane.tls.existingSecret }}
 - name: server-certs
 mountPath: /data/server-certs
 {{- end }}
@@ -192,10 +192,10 @@ spec:
 - name: jwt-cas-private-key
 secret:
 secretName: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
- {{- if .Values.controlplane.tlsConfig.secret.name }}
+ {{- if .Values.controlplane.tls.existingSecret }}
 - name: server-certs
 secret:
- secretName: {{ .Values.controlplane.tlsConfig.secret.name }}
+ secretName: {{ .Values.controlplane.tls.existingSecret }}
 {{- end }}
 {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
 - name: gcp-secretmanager-serviceaccountkey
@@ -214,4 +214,4 @@ spec:
 {{- end }}
 {{- if .Values.controlplane.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumes "context" $) | nindent 8 }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/hpa.yaml b/bitnami/chainloop/templates/controlplane/hpa.yaml
index 6d2608ebfad4c3..6e66ca01e7d8be 100644
--- a/bitnami/chainloop/templates/controlplane/hpa.yaml
+++ b/bitnami/chainloop/templates/controlplane/hpa.yaml
@@ -30,7 +30,7 @@ spec:
 {{- else }}
 target:
 type: Utilization
- averageUtilization: {{ .Values.worker.autoscaling.hpa.targetMemory }}
+ averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetMemory }}
 {{- end }}
 {{- end }}
 {{- if .Values.controlplane.autoscaling.hpa.targetCPU }}
@@ -42,7 +42,7 @@ spec:
 {{- else }}
 target:
 type: Utilization
- averageUtilization: {{ .Values.worker.autoscaling.hpa.targetCPU }}
+ averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetCPU }}
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml b/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml
index 9d36b72fba4a45..b0cf6b35ab02a9 100644
--- a/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml
+++ b/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml
@@ -62,4 +62,4 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingressAPI.extraTls "context" $) | nindent 4 }}
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/ingress.yaml b/bitnami/chainloop/templates/controlplane/ingress.yaml
index 3c8d5e47fafbef..68c21a2104d925 100644
--- a/bitnami/chainloop/templates/controlplane/ingress.yaml
+++ b/bitnami/chainloop/templates/controlplane/ingress.yaml
@@ -62,4 +62,4 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingress.extraTls "context" $) | nindent 4 }}
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/secret-config.yaml b/bitnami/chainloop/templates/controlplane/secret-config.yaml
index 39a3bea2b703e1..62b9c78f17494c 100644
--- a/bitnami/chainloop/templates/controlplane/secret-config.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-config.yaml
@@ -19,7 +19,7 @@ data:
 generated_jws_hmac_secret: {{ $hmacpass }}
 db_migrate_source: {{include "controlplane.database.atlas_connection_string" . | b64enc | quote }}
 stringData:
- {{- if and .Values.sentry .Values.sentry.enabled }}
+ {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
 {{- fail "configuring sentry at the top level is no longer supported. Add the configuration to the controlplane section in the values.yaml file" }}
 {{- end -}}
 {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
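Review bot: The renamed guard `{{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}` in secret-config.yaml now triggers `fail` for exactly the configuration its message tells users to adopt, so enabling Sentry under `controlplane.sentry` aborts rendering and the identical condition on the next line is unreachable. Either keep the guard on the deprecated location, `{{- if and .Values.sentry .Values.sentry.enabled }}`, or, if the goal is to stop referencing an undeclared top-level key, remove the guard together with its `fail` and `{{- end -}}`. The `stringData:` block continues outside the hunk.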
diff --git a/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml b/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml
index ef792d19d466cc..92350a017ac845 100644
--- a/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml
@@ -14,4 +14,4 @@ type: Opaque
 data:
 ejbca_client.cert: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientCert | b64enc | quote }}
 ejbca_client.key: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientKey | b64enc | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml b/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml
index f0c7d5cd83b6fb..dac8173f603432 100644
--- a/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml
@@ -14,4 +14,4 @@ type: Opaque
 data:
 file_ca.cert: {{ .Values.controlplane.keylessSigning.fileCA.cert | b64enc | quote }}
 file_ca.key: {{ .Values.controlplane.keylessSigning.fileCA.key | b64enc | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml b/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml
index 6038871b47c0b7..30462001ba44d8 100644
--- a/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml
@@ -13,4 +13,4 @@ metadata:
 type: Opaque
 data:
 serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/service-account.yaml b/bitnami/chainloop/templates/controlplane/service-account.yaml
index 15410971e77bc7..2973e245e7b27f 100644
--- a/bitnami/chainloop/templates/controlplane/service-account.yaml
+++ b/bitnami/chainloop/templates/controlplane/service-account.yaml
@@ -14,4 +14,5 @@ metadata:
 {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: {{ .Values.controlplane.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/bitnami/chainloop/templates/dex/_helpers.tpl b/bitnami/chainloop/templates/dex/_helpers.tpl
deleted file mode 100644
index fabd7db3f34cf6..00000000000000
--- a/bitnami/chainloop/templates/dex/_helpers.tpl
+++ /dev/null
@@ -1,42 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* -############################################################################## -Dex helpers -############################################################################## -*/}} - -{{/* -Return the proper Dex image name -*/}} -{{- define "chainloop.dex.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.dex.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper service name for Dex -*/}} -{{- define "chainloop.dex" -}} -{{- printf "%s-dex" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} -{{- end -}} - -{{/* -Create the name of the service account to use for Dex -*/}} -{{- define "chainloop.dex.serviceAccountName" -}} -{{- if .Values.dex.serviceAccount.create -}} - {{ default (printf "%s-dex" (include "common.names.fullname" .)) .Values.dex.serviceAccount.name | trunc 63 | trimSuffix "-" }} -{{- else -}} - {{ default "default" .Values.dex.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Chainloop Dex release name -*/}} -{{- define "chainloop.dex.fullname" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}} -{{- end -}} \ No newline at end of file diff --git a/bitnami/chainloop/templates/dex/deployment.yaml b/bitnami/chainloop/templates/dex/deployment.yaml index f5fc78f2df0ed3..acd1971cb01bad 100644 --- a/bitnami/chainloop/templates/dex/deployment.yaml +++ b/bitnami/chainloop/templates/dex/deployment.yaml 
@@ -60,7 +60,7 @@ spec: shareProcessNamespace: {{ .Values.dex.shareProcessNamespace }} {{- end }} {{- if .Values.dex.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controller.topologySpreadConstraints "context" .) | nindent 8 }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.dex.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.dex.priorityClassName }} priorityClassName: {{ .Values.dex.priorityClassName | quote }} diff --git a/bitnami/chainloop/templates/dex/secret.yaml b/bitnami/chainloop/templates/dex/secret.yaml index 2d011790c8a928..cb2f444d29d58c 100644 --- a/bitnami/chainloop/templates/dex/secret.yaml +++ b/bitnami/chainloop/templates/dex/secret.yaml @@ -17,13 +17,13 @@ metadata: type: Opaque stringData: config.yaml: | - issuer: http://{{ include "chainloop.dex" . }}:5556/dex + issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.containerPorts.http }}/dex storage: type: memory web: - http: 0.0.0.0:5556 + http: 0.0.0.0:{{ .Values.dex.containerPorts.http }} staticClients: - id: chainloop-dev diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 6fab3fdf67b86b..e05e51482d091f 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml 
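Review bot: `issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.containerPorts.http }}/dex` in dex/secret.yaml builds the OIDC issuer from the container port, but relying parties validate the issuer against the URL they actually reach, which goes through the Dex Service; if the Service port is ever set differently from `dex.containerPorts.http`, discovery and token validation fail. If the chart has a Service port value for Dex, derive the issuer from that instead; otherwise note in values.yaml that the two must stay equal. The `web.http` bind address in the same hunk is the right place for the container port.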
@@ -19,6 +19,16 @@ global: ## imagePullSecrets: [] + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto + ## @param development Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases ## development: false @@ -63,7 +73,8 @@ rbac: ## @section Secrets Backend ## -## Location where to store sensitive data. If development.true? and no overrides provided, the setup will connect to a development instance of Vault +## Location where to store sensitive data. If development=true and no overrides are provided, the setup will connect to a development instance of Vault +## secretsBackend: ## @param secretsBackend.backend Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") ## 
@@ -141,14 +152,33 @@ controlplane: ## @param controlplane.replicaCount Number of replicas replicaCount: 2 - ## @param controlplane.image.registry [default: REGISTRY_NAME] Image registry - ## @param controlplane.image.repository [default: REPOSITORY_NAME] Image repository - ## @skip controlplane.image.tag + ## Bitnami Chainloop Controlplane image + ## ref: https://hub.docker.com/r/bitnami/chainloop-control-plane/tags/ + ## @param controlplane.image.registry [default: REGISTRY_NAME] image registry + ## @param controlplane.image.repository [default: REPOSITORY_NAME/chainloop-control-plane] image repository + ## @skip controlplane.image.tag image tag (immutable tags are recommended) + ## @param controlplane.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param controlplane.image.pullPolicy image pull policy + ## @param controlplane.image.pullSecrets image pull secrets + ## image: registry: ghcr.io repository: chainloop-dev/chainloop/control-plane - tag: "v0.95.3" - + tag: v0.95.3 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [ ] ## @param controlplane.containerPorts.http controlplane HTTP container port ## @param controlplane.containerPorts.grpc controlplane gRPC container port 
@@ -159,11 +189,19 @@ controlplane: grpc: 9000 metrics: 5000 - ## @param controlplane.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. - tlsConfig: - secret: - # the secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. - name: "" + ## + ## TLS configuration + ## + tls: + ## @param controlplane.tls.existingSecret Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. + ## NOTE: When it's set it will disable secret creation. + ## + existingSecret: "" + + ## Use an existing configmap instead of creating a configmap with the specified parameters + ## @param controlplane.existingConfigMap + ## + existingConfigMap: "" ## @param controlplane.pluginsDir Directory where to look for plugins pluginsDir: /plugins 
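Review bot: `## @param controlplane.existingConfigMap` carries no description, so the README table generated from these annotations gets an empty row; suggest `## @param controlplane.existingConfigMap Name of an existing ConfigMap with the controlplane configuration (the chart's ConfigMap is not rendered when set)`. The `NOTE: When it's set it will disable secret creation.` under `controlplane.tls.existingSecret` describes a behaviour no template in this chunk has — the controlplane templates only consume the secret — so either drop the note or state what actually happens (the gRPC server gets `tls_config` and the secret is mounted at `/data/server-certs`). The `cas.tls.existingSecret` note in a later values.yaml hunk is identical.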
@@ -186,27 +224,50 @@ controlplane: # - org_name: "read-only-demo" # Database migration - ## @param controlplane.migration.image.registry [default: REGISTRY_NAME] Image registry - ## @param controlplane.migration.image.repository [default: REPOSITORY_NAME] Image repository ## @param controlplane.migration.ssl Connect to the database using SSL (required fro AWS RDS, etc) ## @skip controlplane.migration.image.tag migration: + ## Bitnami Chainloop Controlplane migration image + ## ref: https://hub.docker.com/r/bitnami/chainloop-control-plane-migrations/tags/ + ## @param controlplane.migration.image.registry [default: REGISTRY_NAME] image registry + ## @param controlplane.migration.image.repository [default: REPOSITORY_NAME/chainloop-control-plane-migrations] image repository + ## @skip controlplane.migration.image.tag image tag (immutable tags are recommended) + ## @param controlplane.migration.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param controlplane.migration.image.pullPolicy image pull policy + ## @param controlplane.migration.image.pullSecrets image pull secrets + ## image: registry: ghcr.io repository: chainloop-dev/chainloop/control-plane-migrations - tag: "v0.95.3" + tag: v0.95.3 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [ ] # Run the migration job forcing SSL, required in AWS RDS for PostgreSQL 15 ssl: false - ## @skip controlplane.serviceAccount + ## ServiceAccount configuration for the Controlplane Migration + ## + ## @param controlplane.serviceAccount.create Specifies whether a ServiceAccount should be created + ## @param controlplane.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## @param controlplane.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. + ## @param controlplane.serviceAccount.automountServiceAccountToken Mount Service Account token in controlplane pods serviceAccount: - # Specifies whether a service account should be created create: true - # Annotations to add to the service account annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template name: "" + automountServiceAccountToken: false ## @section Control Plane Database 
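Review bot: The heading `## ServiceAccount configuration for the Controlplane Migration` sits on the `controlplane.serviceAccount` block, which controlplane/service-account.yaml and the `automountServiceAccountToken` description treat as the controlplane's own ServiceAccount rather than the migration job's; suggest `## ServiceAccount configuration for the Controlplane`. `pullSecrets: [ ]` here and in the controlplane.image and cas.image hunks should be written `pullSecrets: []` to match `imagePullSecrets: []` earlier in the file. This hunk begins on the previous line.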
@@ -802,38 +863,10 @@ controlplane: ## command: ['sh', '-c', 'echo "hello world"'] ## initContainers: [] - ## Pod Disruption Budget configuration - ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb - ## @param controlplane.pdb.create Enable/disable a Pod Disruption Budget creation - ## @param controlplane.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## @param controlplane.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `controlplane.pdb.minAvailable` and `controlplane.pdb.maxUnavailable` are empty. - ## - pdb: - create: true - minAvailable: "" - maxUnavailable: "" ## Autoscaling configuration ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/ ## autoscaling: - ## @param controlplane.autoscaling.vpa.enabled Enable VPA for controlplane pods - ## @param controlplane.autoscaling.vpa.annotations Annotations for VPA resource - ## @param controlplane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory - ## @param controlplane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod - ## @param controlplane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod - ## - vpa: - enabled: false - annotations: {} - controlledResources: [] - maxAllowed: {} - minAllowed: {} - ## @param controlplane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy - ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod - ## Possible values are "Off", "Initial", "Recreate", and "Auto". - ## - updatePolicy: - updateMode: Auto ## @param controlplane.autoscaling.hpa.enabled Enable HPA for controlplane pods ## @param controlplane.autoscaling.hpa.minReplicas Minimum number of replicas ## @param controlplane.autoscaling.hpa.maxReplicas Maximum number of replicas 
@@ -855,13 +888,33 @@ cas: ## @param cas.replicaCount Number of replicas replicaCount: 2 - ## @param cas.image.registry [default: REGISTRY_NAME] Image registry - ## @param cas.image.repository [default: REPOSITORY_NAME] Image repository - ## @skip cas.image.tag + ## Bitnami Chainloop Artifact CAS image + ## ref: https://hub.docker.com/r/bitnami/chainloop-artifact-cas/tags/ + ## @param cas.image.registry [default: REGISTRY_NAME] image registry + ## @param cas.image.repository [default: REPOSITORY_NAME/chainloop-artifact-cas] image repository + ## @skip cas.image.tag image tag (immutable tags are recommended) + ## @param cas.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param cas.image.pullPolicy image pull policy + ## @param cas.image.pullSecrets image pull secrets + ## image: registry: ghcr.io repository: chainloop-dev/chainloop/artifact-cas - tag: "v0.95.3" + tag: v0.95.3 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [ ] ## @param cas.containerPorts.http controlplane HTTP container port ## @param cas.containerPorts.grpc controlplane gRPC container port 
@@ -872,21 +925,31 @@ cas: grpc: 9000 metrics: 5000 - ## @param cas.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server. - tlsConfig: - secret: - # the secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. - name: "" + ## + ## TLS configuration + ## + tls: + ## @param cas.tls.existingSecret Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. + ## NOTE: When it's set it will disable secret creation. + ## + existingSecret: "" - ## @skip cas.serviceAccount + ## Use an existing configmap instead of creating a configmap with the specified parameters + ## @param cas.existingConfigMap + ## + existingConfigMap: "" + + ## ServiceAccount configuration for the Controlplane Artifact CAS + ## + ## @param cas.serviceAccount.create Specifies whether a ServiceAccount should be created + ## @param cas.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## @param cas.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. + ## @param cas.serviceAccount.automountServiceAccountToken Mount Service Account token in controlplane pods serviceAccount: - # Specifies whether a service account should be created create: true - # Annotations to add to the service account annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template name: "" + automountServiceAccountToken: false ## @section CAS Networking service: 
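Review bot: `## ServiceAccount configuration for the Controlplane Artifact CAS` and `## @param cas.serviceAccount.automountServiceAccountToken Mount Service Account token in controlplane pods` both describe the CAS block in controlplane terms; suggest `## ServiceAccount configuration for the Artifact CAS` and `Mount Service Account token in cas pods`. `## @param cas.existingConfigMap` also lacks a description, which leaves its README row empty. Separately, `cas.existingConfigMap` is declared here but no hunk in this chunk adds the matching guard to a CAS ConfigMap template (controlplane/configmap.yaml got one), so unless that lives in an earlier part of the diff the value is never read.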
@@ -1414,38 +1477,10 @@ cas: ## command: ['sh', '-c', 'echo "hello world"'] ## initContainers: [] - ## Pod Disruption Budget configuration - ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb - ## @param cas.pdb.create Enable/disable a Pod Disruption Budget creation - ## @param cas.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## @param cas.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `cas.pdb.minAvailable` and `cas.pdb.maxUnavailable` are empty. - ## - pdb: - create: true - minAvailable: "" - maxUnavailable: "" ## Autoscaling configuration ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/ ## autoscaling: - ## @param cas.autoscaling.vpa.enabled Enable VPA for cas pods - ## @param cas.autoscaling.vpa.annotations Annotations for VPA resource - ## @param cas.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory - ## @param cas.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod - ## @param cas.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod - ## - vpa: - enabled: false - annotations: {} - controlledResources: [] - maxAllowed: {} - minAllowed: {} - ## @param cas.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy - ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod - ## Possible values are "Off", "Initial", "Recreate", and "Auto". - ## - updatePolicy: - updateMode: Auto ## @param cas.autoscaling.hpa.enabled Enable HPA for cas pods ## @param cas.autoscaling.hpa.minReplicas Minimum number of replicas ## @param cas.autoscaling.hpa.maxReplicas Maximum number of replicas @@ -2043,4 +2078,4 @@ dex: pdb: create: true minAvailable: "" - maxUnavailable: "" \ No newline at end of file + maxUnavailable: "" 
From 7cdb1b45ed3339ad1709c5f997fd576183a1850e Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Wed, 7 Aug 2024 11:33:29 +0000 Subject: [PATCH 25/37] Update CHANGELOG.md Signed-off-by: Bitnami Containers --- bitnami/chainloop/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md index 8a613d8df10f99..29ed61c4e2ed13 100644 --- a/bitnami/chainloop/CHANGELOG.md +++ b/bitnami/chainloop/CHANGELOG.md @@ -1,5 +1,5 @@ # Changelog -## 1.86.9 (2024-08-05) +## 0.1.0 (2024-08-07) * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100)) From 894086197c30d8eff97534f58bfbfeb7df8bd142 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 14:35:45 +0200 Subject: [PATCH 26/37] Include chainloop bitnami images Signed-off-by: Javier Rodriguez --- bitnami/chainloop/Chart.yaml | 6 +++--- .../chainloop/templates/cas/deployment.yaml | 2 ++ .../templates/controlplane/deployment.yaml | 3 +++ bitnami/chainloop/values.yaml | 18 +++++++++--------- 4 files changed, 17 insertions(+), 12 deletions(-) diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml index fe933f76d66e4b..98ae874566b9b7 100644 --- a/bitnami/chainloop/Chart.yaml +++ b/bitnami/chainloop/Chart.yaml @@ -5,11 +5,11 @@ annotations: category: DeveloperTools license: Apache-2.0 images: | - - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.95.3 + - image: docker.io/bitnami/chainloop-artifact-cas:0.95.3-debian-12-r0 name: artifact-cas - - image: ghcr.io/chainloop-dev/chainloop/control-plane:v0.95.3 + - image: docker.io/bitnami/chainloop-control-plane:0.95.3-debian-12-r0 name: control-plane - - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.95.3 + - image: docker.io/bitnami/chainloop-control-plane-migrations:0.95.3-debian-12-r0 name: control-plane-migrations - image: docker.io/bitnami/dex:2.40.0-debian-12-r1 name: dex 
diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml
index f342d77eeae7dd..91eccd4840cae1 100644
--- a/bitnami/chainloop/templates/cas/deployment.yaml
+++ b/bitnami/chainloop/templates/cas/deployment.yaml
@@ -75,6 +75,8 @@ spec:
 securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.containerSecurityContext "context" $) | nindent 12 }}
 image: {{ include "chainloop.cas.image" . }}
 imagePullPolicy: {{ .Values.cas.image.pullPolicy }}
+ command: [ "./artifact-cas" ]
+ args: [ "--conf", "/data/conf" ]
 ports:
 - name: http
 containerPort: {{ .Values.cas.containerPorts.http }}
diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml
index e87cbb089d8709..d21c2590744ddc 100644
--- a/bitnami/chainloop/templates/controlplane/deployment.yaml
+++ b/bitnami/chainloop/templates/controlplane/deployment.yaml
@@ -74,6 +74,7 @@ spec:
 - name: migrate
 image: {{ include "chainloop.controlplane.migration.image" . }}
 imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}
+ command: [ "./atlas" ]
 args:
 - migrate
 - apply
@@ -92,6 +93,8 @@ spec:
 securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.containerSecurityContext "context" $) | nindent 12 }}
 image: {{ include "chainloop.controlplane.image" . }}
 imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}
+ command: [ "./control-plane" ]
+ args: [ "--conf", "/data/conf" ]
 ports:
 - name: http
 containerPort: {{ .Values.controlplane.containerPorts.http }}
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
index e05e51482d091f..8a88ba4f964a32 100644
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml
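Review bot: `command: [ "./artifact-cas" ]` is a relative path, so the container only starts if the image's working directory happens to be the directory holding the binary; an absolute path to wherever the Bitnami image installs it would not depend on WORKDIR and is easier to audit against the image contents. The same applies to `command: [ "./control-plane" ]` and `command: [ "./atlas" ]` in controlplane/deployment.yaml. The container spec this hunk edits starts outside the hunk.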
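Review bot: In hunk `@@ -74,6 +74,7 @@` of controlplane/deployment.yaml the migration init container keeps `imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}` next to `image: {{ include "chainloop.controlplane.migration.image" . }}`, while values.yaml in this series declares `controlplane.migration.image.pullPolicy` for that image, which appears to go unread. Change the line to `imagePullPolicy: {{ .Values.controlplane.migration.image.pullPolicy }}` so the migration image honours its own setting. The initContainers list starts outside the hunk.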
@@ -162,9 +162,9 @@ controlplane: ## @param controlplane.image.pullSecrets image pull secrets ## image: - registry: ghcr.io - repository: chainloop-dev/chainloop/control-plane - tag: v0.95.3 + registry: docker.io + repository: bitnami/chainloop-control-plane + tag: 0.95.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -237,9 +237,9 @@ controlplane: ## @param controlplane.migration.image.pullSecrets image pull secrets ## image: - registry: ghcr.io - repository: chainloop-dev/chainloop/control-plane-migrations - tag: v0.95.3 + registry: docker.io + repository: bitnami/chainloop-control-plane-migrations + tag: 0.95.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -898,9 +898,9 @@ cas: ## @param cas.image.pullSecrets image pull secrets ## image: - registry: ghcr.io - repository: chainloop-dev/chainloop/artifact-cas - tag: v0.95.3 + registry: docker.io + repository: bitnami/chainloop-artifact-cas + tag: 0.95.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' From 00fb1ad8dc8bf8f5ff354aeefc94de3429201aa0 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 14:40:53 +0200 Subject: [PATCH 27/37] Update readme Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 94abb198fdd2ae..2189ce4bea0e69 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md @@ -1,3 +1,5 @@ + + # Chainloop Helm Chart [Chainloop](https://github.com/chainloop-dev/chainloop) is an open-source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process. 
@@ -17,19 +19,9 @@ Compatibility with the following Ingress Controllers has been verified, other co - [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/) - [Traefik](https://doc.traefik.io/traefik/providers/kubernetes-ingress/) -## TL;DR - -Deploy Chainloop in [development mode](#development) by running - -```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop --set development=true -``` - -> **CAUTION**: Do not use this mode in production, for that, use the [standard mode](#standard-default) instead. - ## Installing the Chart -This chart comes in **two flavors**, `standard` and [`development`](#development). +This chart comes in **two flavors**, [`standard`](#standard-default) and [`development`](#development). ### Standard (default) @@ -58,7 +50,7 @@ Instructions on how to create the ECDSA keypair can be found [here](#generate-a- Deploy Chainloop configured to talk to the bundled PostgreSQL an external OIDC IDp and a Vault instance. ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ +helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \ # Open ID Connect (OIDC) --set controlplane.auth.oidc.url=[OIDC URL] \ --set controlplane.auth.oidc.clientID=[clientID] \ @@ -74,7 +66,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ Deploy using AWS Secrets Manager instead of Vault ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ +helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \ # Open ID Connect (OIDC) # ... # Secrets backend @@ -89,7 +81,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ or using GCP Secret Manager ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ +helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \ # Open ID Connect (OIDC) # ... # Secrets backend 
@@ -103,7 +95,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ or Azure KeyVault ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ +helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \ # Open ID Connect (OIDC) # ... # Secrets backend @@ -119,7 +111,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ Connect to an external PostgreSQL database instead ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ +helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \ # Open ID Connect (OIDC) # ... # Secrets backend @@ -169,7 +161,7 @@ The overall OIDC configuration can be found at the `values.yaml` file. Deploy by leveraging built-in Vault and PostgreSQL instances ```console -helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop --set development=true +helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop --set development=true ``` ## AirGap and Relocation Support @@ -184,7 +176,7 @@ This is a two-step process (wrap -> unwrap) For example: to relocate to an Azure Container Registry ```sh -helm dt wrap oci://ghcr.io/chainloop-dev/charts/chainloop +helm dt wrap oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop # 🎉 Helm chart wrapped into "chainloop-1.77.0.wrap.tgz" # Now you can take the tarball to an air-gapped environment and unwrap it like this From 167bb645407560c2ad1c078b312564b57abf0938 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 18:04:59 +0200 Subject: [PATCH 28/37] add networkpolicies and reduce number of extra and skip params 
Signed-off-by: Javier Rodriguez --- bitnami/chainloop/Chart.yaml | 2 +- bitnami/chainloop/README.md | 47 +++-- bitnami/chainloop/templates/NOTES.txt | 4 + bitnami/chainloop/templates/_helpers.tpl | 2 +- .../templates/cas/networkpolicy.yaml | 74 +++++++ .../templates/controlplane/networkpolicy.yaml | 74 +++++++ bitnami/chainloop/values.yaml | 191 ++++++++++++++---- 7 files changed, 338 insertions(+), 56 deletions(-) create mode 100644 bitnami/chainloop/templates/cas/networkpolicy.yaml create mode 100644 bitnami/chainloop/templates/controlplane/networkpolicy.yaml
diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml
index 98ae874566b9b7..4cb2a889c16123 100644
--- a/bitnami/chainloop/Chart.yaml
+++ b/bitnami/chainloop/Chart.yaml
@@ -31,7 +31,7 @@ dependencies:
 version: 1.4.x
 description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
 home: https://bitnami.com
-icon: https://bitnami.com/assets/stacks/chainloop-control-plane/img/chainloop-control-plane-stack-220x234.png
+icon: https://bitnami.com/assets/stacks/chainloop/img/chainloop-stack-220x234.png
 keywords:
 - chainloop
 - evidence-store
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
index 2189ce4bea0e69..3b83a404336d82 100644
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
@@ -495,17 +495,17 @@ chainloop config save \ | --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ----------- | | `secretsBackend.backend` | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") | `vault` | | `secretsBackend.secretPrefix` | Prefix that will be pre-pended to all secrets in the storage backend | `chainloop` | -| `secretsBackend.vault.address` | Vault address | | -| `secretsBackend.vault.token` | Vault authentication token | | -| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | | -| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | -| `secretsBackend.awsSecretManager.region` | AWS Secrets Manager Region | | -| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | -| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | -| `secretsBackend.azureKeyVault.tenantID` | Active Directory Tenant ID | | -| `secretsBackend.azureKeyVault.clientID` | Registered application / service principal client ID | | -| `secretsBackend.azureKeyVault.clientSecret` | Service principal client secret | | -| `secretsBackend.azureKeyVault.vaultURI` | Azure Key Vault URL | | +| `secretsBackend.vault.address` | Vault address | `""` | +| `secretsBackend.vault.token` | Vault authentication token | `""` | +| `secretsBackend.awsSecretManager.accessKey` | AWS Access KEY ID | `""` | +| `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | `""` | +| `secretsBackend.awsSecretManager.region` | AWS Secrets Manager Region | `""` | +| `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | `""` | +| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | `""` | +| `secretsBackend.azureKeyVault.tenantID` | Active Directory Tenant ID | `""` | +| `secretsBackend.azureKeyVault.clientID` | Registered application / service principal client ID | `""` | +| 
`secretsBackend.azureKeyVault.clientSecret` | Service principal client secret | `""` | +| `secretsBackend.azureKeyVault.vaultURI` | Azure Key Vault URL | `""` | ### Authentication @@ -533,12 +533,13 @@ chainloop config save \ | `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | | `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | | `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | -| `controlplane.onboarding.name` | Name of the organization to onboard | | -| `controlplane.onboarding.role` | Role of the organization to onboard | | +| `controlplane.onboarding` | List of organizations to automatically onboard when a user logs in | | | `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | | `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | +| `controlplane.migration.image.tag` | | `0.95.3-debian-12-r0` | | `controlplane.migration.image.registry` | image registry | `REGISTRY_NAME` | | `controlplane.migration.image.repository` | image repository | `REPOSITORY_NAME/chainloop-control-plane-migrations` | +| `controlplane.migration.image.tag` | image tag (immutable tags are recommended) | `0.95.3-debian-12-r0` | | `controlplane.migration.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `controlplane.migration.image.pullPolicy` | image pull policy | `IfNotPresent` | | `controlplane.migration.image.pullSecrets` | image pull secrets | `[]` | 
@@ -566,8 +567,8 @@ chainloop config save \ | `controlplane.auth.oidc.url` | Full authentication path, it should match the issuer URL of the Identity provider (IDp) | `""` | | `controlplane.auth.oidc.clientID` | OIDC IDp clientID | `""` | | `controlplane.auth.oidc.clientSecret` | OIDC IDp clientSecret | `""` | -| `controlplane.auth.oidc.loginURLOverride` | Optional OIDC login URL override, useful to point to custom login pages | | -| `controlplane.auth.oidc.externalURL` | Optional External URL for the controlplane to the outside world | | +| `controlplane.auth.oidc.loginURLOverride` | Optional OIDC login URL override, useful to point to custom login pages | `""` | +| `controlplane.auth.oidc.externalURL` | Optional External URL for the controlplane to the outside world | `""` | | `controlplane.auth.allowList.rules` | List of domains or emails to allow | | | `controlplane.auth.allowList.selectedRoutes` | List of selected routes to allow. If not set it applies to all routes | | | `controlplane.auth.allowList.customMessage` | Custom message to display when a user is not allowed | | 
@@ -694,6 +695,13 @@ chainloop config save \ | `controlplane.extraVolumes` | Optionally specify extra list of additional volumes for the controlplane pods | `[]` | | `controlplane.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the controlplane containers | `[]` | | `controlplane.sidecars` | Add additional sidecar containers to the controlplane pods | `[]` | +| `controlplane.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `controlplane.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `controlplane.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `controlplane.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `controlplane.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `controlplane.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `controlplane.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `controlplane.initContainers` | Add additional init containers to the controlplane pods | `[]` | | `controlplane.autoscaling.hpa.enabled` | Enable HPA for controlplane pods | `false` | | `controlplane.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | 
@@ -708,6 +716,7 @@ chainloop config save \ | `cas.replicaCount` | Number of replicas | `2` | | `cas.image.registry` | image registry | `REGISTRY_NAME` | | `cas.image.repository` | image repository | `REPOSITORY_NAME/chainloop-artifact-cas` | +| `cas.image.tag` | image tag (immutable tags are recommended) | `0.95.3-debian-12-r0` | | `cas.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `cas.image.pullPolicy` | image pull policy | `IfNotPresent` | | `cas.image.pullSecrets` | image pull secrets | `[]` | @@ -827,6 +836,13 @@ chainloop config save \ | `cas.extraVolumes` | Optionally specify extra list of additional volumes for the cas pods | `[]` | | `cas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the cas containers | `[]` | | `cas.sidecars` | Add additional sidecar containers to the cas pods | `[]` | +| `cas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `cas.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `cas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `cas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `cas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `cas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `cas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `cas.initContainers` | Add additional init containers to the cas pods | `[]` | | `cas.autoscaling.hpa.enabled` | Enable HPA for cas pods | `false` | | `cas.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | 
@@ -855,6 +871,7 @@ service_registration "kubernetes" {}` | | `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | | `dex.image.registry` | Dex image registry | `REGISTRY_NAME` | | `dex.image.repository` | Dex image repository | `REPOSITORY_NAME/dex` | +| `dex.image.tag` | Dex image tag (immutable tags are recommended) | `2.40.0-debian-12-r1` | | `dex.image.pullPolicy` | Dex image pull policy | `IfNotPresent` | | `dex.image.pullSecrets` | Dex image pull secrets | `[]` | | `dex.image.debug` | Enable Dex image debug mode | `false` | diff --git a/bitnami/chainloop/templates/NOTES.txt b/bitnami/chainloop/templates/NOTES.txt index d1e3fe5cdb49bd..5504f2d54f41b9 100644 --- a/bitnami/chainloop/templates/NOTES.txt +++ b/bitnami/chainloop/templates/NOTES.txt @@ -4,6 +4,8 @@ APP VERSION: {{ .Chart.AppVersion }} ** Please be patient while the chart is being deployed ** +{{- if .Values.development }} + ########################################################################### DEVELOPMENT MODE ########################################################################### @@ -35,6 +37,8 @@ Development configuration comes with two pre-setup users: DO NOT USE IT FOR PRODUCTION PURPOSES +{{- end }} + ########################################################################### CONFIGURE CLI ########################################################################### diff --git a/bitnami/chainloop/templates/_helpers.tpl b/bitnami/chainloop/templates/_helpers.tpl index 6430041db7ef1d..9ae28f17080a66 100644 --- a/bitnami/chainloop/templates/_helpers.tpl +++ b/bitnami/chainloop/templates/_helpers.tpl 
@@ -72,7 +72,7 @@ secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
 {{- end }}
 {{- end }}
 vault:
- {{- if and $.Values.development (or (not .vault) not .vault.address) }}
+ {{- if and $.Values.development (or (not .vault) (not .vault.address)) }}
 address: {{ printf "http://%s-server:8200" (include "chainloop.vault.fullname" $) | quote }}
 {{- if $tokenEnvVar }}
 token: {{ $tokenEnvVar | quote }}
diff --git a/bitnami/chainloop/templates/cas/networkpolicy.yaml b/bitnami/chainloop/templates/cas/networkpolicy.yaml
new file mode 100644
index 00000000000000..e409cf438339a6
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/networkpolicy.yaml
@@ -0,0 +1,74 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ printf "%s-cas" (include "common.names.fullname" .) }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: web
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: web
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.cas.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to other cluster pods
+ - ports:
+ - port: {{ .Values.controlplane.containerPorts.http }}
+ - port: {{ .Values.controlplane.containerPorts.grpc }}
+ - port: {{ .Values.controlplane.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.cas.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.cas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.cas.containerPorts.http }}
+ {{- if not .Values.cas.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ printf "%s-web" (include "common.names.fullname" .) }}-client: "true"
+ {{- if .Values.cas.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.cas.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.cas.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.cas.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.cas.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.cas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/networkpolicy.yaml b/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
new file mode 100644
index 00000000000000..baf781ef8fff05
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
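Review bot: The ingress rule at `- port: {{ .Values.cas.containerPorts.http }}` admits only the HTTP port, and because `policyTypes` lists Ingress that restriction applies even under the defaults `enabled: true` / `allowExternal: true`; if the CAS container also serves a gRPC or metrics port (the controlplane policy in this commit lists `containerPorts.grpc` and `containerPorts.metrics` for its own component), that traffic is dropped on a default install. The `podSelector` additionally requires `app.kubernetes.io/component: web` and the client label is `{{ fullname }}-web-client`, both apparently inherited from a web-tier template; unless the CAS Deployment labels its pods with component `web` (not visible here), the selector matches no pod and the policy silently restricts nothing, so both values deserve a check against the Deployment template and a comment such as `# must match the component label set in cas/deployment.yaml`. The controlplane policy in the next hunk reuses the same `web` component and client label, so if that label is in use both policies select the same pods.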
@@ -0,0 +1,74 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ printf "%s-controlplane" (include "common.names.fullname" .) }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: web
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: web
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.controlplane.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to other cluster pods
+ - ports:
+ - port: {{ .Values.controlplane.containerPorts.http }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.controlplane.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.controlplane.containerPorts.http }}
+ - port: {{ .Values.controlplane.containerPorts.grpc }}
+ - port: {{ .Values.controlplane.containerPorts.metrics }}
+ {{- if not .Values.controlplane.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ printf "%s-web" (include "common.names.fullname" .) }}-client: "true"
+ {{- if .Values.controlplane.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.controlplane.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.controlplane.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.controlplane.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controlplane.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
index 8a88ba4f964a32..78788132e0a04a 100644
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml
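Review bot: Under `allowExternalEgress: false` the only non-DNS egress is `- port: {{ .Values.controlplane.containerPorts.http }}` to pods carrying the release's common labels, i.e. the controlplane's own HTTP port, which looks copied from the CAS policy; what this component actually has to reach — the CAS, the bundled PostgreSQL, Dex, and the Vault that the `_helpers.tpl` hunk of this commit addresses as `%s-server:8200` — is not listed, so enabling the restricted egress mode would sever the controlplane from its database and secrets backend. Those ports are not visible in this hunk, so the exact set is for the author to confirm, but the rule should name the dependency ports rather than the controlplane's own, and a short comment per entry (`# CAS gRPC`, `# PostgreSQL`) would keep the list honest as the chart evolves. Separately, `containerPorts.metrics` is opened to any source under the default `allowExternal: true`; if that is intended it is worth stating in the values.yaml description.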
@@ -83,39 +83,39 @@ secretsBackend: ## secretPrefix: "chainloop" - ## @extra secretsBackend.vault.address Vault address - ## @extra secretsBackend.vault.token Vault authentication token + ## @param secretsBackend.vault.address Vault address + ## @param secretsBackend.vault.token Vault authentication token ## - # vault: - # address: "" - # token: "" + vault: + address: "" + token: "" - ## @extra secretsBackend.awsSecretManager.accessKey AWS Access KEY ID - ## @extra secretsBackend.awsSecretManager.secretKey AWS Secret Key - ## @extra secretsBackend.awsSecretManager.region AWS Secrets Manager Region + ## @param secretsBackend.awsSecretManager.accessKey AWS Access KEY ID + ## @param secretsBackend.awsSecretManager.secretKey AWS Secret Key + ## @param secretsBackend.awsSecretManager.region AWS Secrets Manager Region ## - # awsSecretManager: - # accessKey: "" - # secretKey: "" - # region: "" + awsSecretManager: + accessKey: "" + secretKey: "" + region: "" - ## @extra secretsBackend.gcpSecretManager.projectId GCP Project ID - ## @extra secretsBackend.gcpSecretManager.serviceAccountKey GCP Auth Key + ## @param secretsBackend.gcpSecretManager.projectId GCP Project ID + ## @param secretsBackend.gcpSecretManager.serviceAccountKey GCP Auth Key ## - # gcpSecretManager: - # projectId: "" - # serviceAccountKey: "" + gcpSecretManager: + projectId: "" + serviceAccountKey: "" - ## @extra secretsBackend.azureKeyVault.tenantID Active Directory Tenant ID - ## @extra secretsBackend.azureKeyVault.clientID Registered application / service principal client ID - ## @extra secretsBackend.azureKeyVault.clientSecret Service principal client secret - ## @extra secretsBackend.azureKeyVault.vaultURI Azure Key Vault URL + ## @param secretsBackend.azureKeyVault.tenantID Active Directory Tenant ID + ## @param secretsBackend.azureKeyVault.clientID Registered application / service principal client ID + ## @param secretsBackend.azureKeyVault.clientSecret Service principal client secret + ## @param 
secretsBackend.azureKeyVault.vaultURI Azure Key Vault URL ## - # azureKeyVault: - # tenantID: "" - # clientID: "" - # clientSecret: "" - # vaultURI: "" + azureKeyVault: + tenantID: "" + clientID: "" + clientSecret: "" + vaultURI: "" ## @section Authentication ## @@ -213,11 +213,12 @@ controlplane: enabled: false allowedOrgs: [] - ## @extra controlplane.onboarding.name Name of the organization to onboard - ## @extra controlplane.onboarding.role Role of the organization to onboard + ## @extra controlplane.onboarding List of organizations to automatically onboard when a user logs in + ## @skip controlplane.onboarding[0].name Name of the organization to onboard + ## @skip controlplane.onboarding[0].role Role of the organization to onboard # onboarding: - # - name: "read-only-demo" - # role: "MEMBERSHIP_ROLE_ORG_VIEWER" + # - name: "" + # role: "" ## @extra controlplane.prometheus_org_metrics List of organizations to expose metrics for using Prometheus # prometheus_org_metrics: 
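Review bot: With `vault:`, `awsSecretManager:`, `gcpSecretManager:` and `azureKeyVault:` now always present as maps of empty strings, any template guard that tests the stanza rather than a field is always true — the `(not .vault)` half of the condition fixed in the `_helpers.tpl` hunk of this commit is now dead code, and any other template guarding on `if .Values.secretsBackend.<backend>` (not visible here) would begin rendering empty credentials into the release. Selecting on `secretsBackend.backend` and wrapping the chosen backend's fields in `required` would fail a misconfigured install at render time rather than at pod start. The `## @param` lines for `vault.token`, `awsSecretManager.secretKey`, `gcpSecretManager.serviceAccountKey` and `azureKeyVault.clientSecret` could also state where the value is rendered (Secret vs ConfigMap) so operators know how the credential is stored in the cluster.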
@@ -225,13 +226,13 @@ controlplane: # Database migration ## @param controlplane.migration.ssl Connect to the database using SSL (required fro AWS RDS, etc) - ## @skip controlplane.migration.image.tag + ## @param controlplane.migration.image.tag migration: ## Bitnami Chainloop Controlplane migration image ## ref: https://hub.docker.com/r/bitnami/chainloop-control-plane-migrations/tags/ ## @param controlplane.migration.image.registry [default: REGISTRY_NAME] image registry ## @param controlplane.migration.image.repository [default: REPOSITORY_NAME/chainloop-control-plane-migrations] image repository - ## @skip controlplane.migration.image.tag image tag (immutable tags are recommended) + ## @param controlplane.migration.image.tag image tag (immutable tags are recommended) ## @param controlplane.migration.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param controlplane.migration.image.pullPolicy image pull policy ## @param controlplane.migration.image.pullSecrets image pull secrets 
@@ -294,14 +295,14 @@ controlplane: ## @param controlplane.auth.oidc.url Full authentication path, it should match the issuer URL of the Identity provider (IDp) ## @param controlplane.auth.oidc.clientID OIDC IDp clientID ## @param controlplane.auth.oidc.clientSecret OIDC IDp clientSecret - ## @extra controlplane.auth.oidc.loginURLOverride Optional OIDC login URL override, useful to point to custom login pages - ## @extra controlplane.auth.oidc.externalURL Optional External URL for the controlplane to the outside world + ## @param controlplane.auth.oidc.loginURLOverride Optional OIDC login URL override, useful to point to custom login pages + ## @param controlplane.auth.oidc.externalURL Optional External URL for the controlplane to the outside world oidc: url: "" clientID: "" clientSecret: "" - # loginURLOverride: "" - # externalURL: "" + loginURLOverride: "" + externalURL: "" ## @extra controlplane.auth.allowList.rules List of domains or emails to allow ## @extra controlplane.auth.allowList.selectedRoutes List of selected routes to allow. If not set it applies to all routes @@ -410,7 +411,7 @@ controlplane: ## annotations: ## @skip controlplane.serviceAPI.annotations.traefik.ingress.kubernetes.io/service.serversscheme - traefik.ingress.kubernetes.io/service.serversscheme: h2c + traefik.ingress.kubernetes.io/service.serversscheme: h2c ## @param controlplane.serviceAPI.extraPorts Extra ports to expose in controlplane service (normally used with the `sidecars` value) ## extraPorts: [] 
@@ -853,6 +854,62 @@ controlplane: ## sidecars: [] + ## Controlplane Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param controlplane.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param controlplane.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Web is listening + ## on. When true, Web will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param controlplane.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param controlplane.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [ ] + ## @param controlplane.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [ ] + ## @param controlplane.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param controlplane.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: { } + ingressNSPodMatchLabels: { } + ## @param controlplane.initContainers Add additional init containers to the controlplane pods 
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ ## e.g: @@ -892,7 +949,7 @@ cas: ## ref: https://hub.docker.com/r/bitnami/chainloop-artifact-cas/tags/ ## @param cas.image.registry [default: REGISTRY_NAME] image registry ## @param cas.image.repository [default: REPOSITORY_NAME/chainloop-artifact-cas] image repository - ## @skip cas.image.tag image tag (immutable tags are recommended) + ## @param cas.image.tag image tag (immutable tags are recommended) ## @param cas.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param cas.image.pullPolicy image pull policy ## @param cas.image.pullSecrets image pull secrets 
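Review bot: The description `## @param controlplane.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy` should read `Add extra egress rules to the NetworkPolicy`; the same slip is in the `cas.networkPolicy.extraEgress` hunk at `@@ -1467` and is carried into both README rows added earlier in this commit. The `allowExternal` explanation still talks about "Web" ("the ports Web is listening on", "Web will accept connections") and the CAS block is titled `## Web Network Policies`; naming the actual component (controlplane, CAS) would avoid confusion, especially since the label those policies check is `<fullname>-web-client`. Minor style: `extraIngress: [ ]`, `extraEgress: [ ]` and `ingressNSMatchLabels: { }` use inner spaces while the surrounding file writes `sidecars: []`.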
@@ -1467,6 +1524,62 @@ cas: ## sidecars: [] + ## Web Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param cas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param cas.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Web is listening + ## on. When true, Web will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param cas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param cas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [ ] + ## @param cas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [ ] + ## @param cas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param cas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: { } + ingressNSPodMatchLabels: { } + ## @param cas.initContainers Add additional init containers to the cas pods ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ ## e.g: 
@@ -1561,7 +1674,7 @@ dex:
 hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
 ## @param dex.image.registry [default: REGISTRY_NAME] Dex image registry
 ## @param dex.image.repository [default: REPOSITORY_NAME/dex] Dex image repository
- ## @skip dex.image.tag Dex image tag (immutable tags are recommended)
+ ## @param dex.image.tag Dex image tag (immutable tags are recommended)
 ## @param dex.image.pullPolicy Dex image pull policy
 ## @param dex.image.pullSecrets Dex image pull secrets
 ## @param dex.image.debug Enable Dex image debug mode
From ff7d98e194a60d0acdfe808a505ca98123a2a59b Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 18:10:31 +0200 Subject: [PATCH 29/37] skip .tag params Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 4 ---- bitnami/chainloop/values.yaml | 8 ++++---- 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
index 3b83a404336d82..27ef4a4db2211d 100644
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
@@ -536,10 +536,8 @@ chainloop config save \ | `controlplane.onboarding` | List of organizations to automatically onboard when a user logs in | | | `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | | `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | -| `controlplane.migration.image.tag` | | `0.95.3-debian-12-r0` | | `controlplane.migration.image.registry` | image registry | `REGISTRY_NAME` | | `controlplane.migration.image.repository` | image repository | `REPOSITORY_NAME/chainloop-control-plane-migrations` | -| `controlplane.migration.image.tag` | image tag (immutable tags are recommended) | `0.95.3-debian-12-r0` | | `controlplane.migration.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `controlplane.migration.image.pullPolicy` | image pull policy | `IfNotPresent` | | `controlplane.migration.image.pullSecrets` | image pull secrets | `[]` | @@ -716,7 +714,6 @@ chainloop config save \ | `cas.replicaCount` | Number of replicas | `2` | | `cas.image.registry` | image registry | `REGISTRY_NAME` | | `cas.image.repository` | image repository | `REPOSITORY_NAME/chainloop-artifact-cas` | -| `cas.image.tag` | image tag (immutable tags are recommended) | `0.95.3-debian-12-r0` | | `cas.image.digest` | image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `cas.image.pullPolicy` | image pull policy | `IfNotPresent` | | `cas.image.pullSecrets` | image pull secrets | `[]` | 
@@ -871,7 +868,6 @@ service_registration "kubernetes" {}` | | `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` | | `dex.image.registry` | Dex image registry | `REGISTRY_NAME` | | `dex.image.repository` | Dex image repository | `REPOSITORY_NAME/dex` | -| `dex.image.tag` | Dex image tag (immutable tags are recommended) | `2.40.0-debian-12-r1` | | `dex.image.pullPolicy` | Dex image pull policy | `IfNotPresent` | | `dex.image.pullSecrets` | Dex image pull secrets | `[]` | | `dex.image.debug` | Enable Dex image debug mode | `false` | diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 78788132e0a04a..6ceb6fd309c70f 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -226,13 +226,13 @@ controlplane: # Database migration ## @param controlplane.migration.ssl Connect to the database using SSL (required fro AWS RDS, etc) - ## @param controlplane.migration.image.tag + ## @skip controlplane.migration.image.tag migration: ## Bitnami Chainloop Controlplane migration image ## ref: https://hub.docker.com/r/bitnami/chainloop-control-plane-migrations/tags/ ## @param controlplane.migration.image.registry [default: REGISTRY_NAME] image registry ## @param controlplane.migration.image.repository [default: REPOSITORY_NAME/chainloop-control-plane-migrations] image repository - ## @param controlplane.migration.image.tag image tag (immutable tags are recommended) + ## @skip controlplane.migration.image.tag image tag (immutable tags are recommended) ## @param controlplane.migration.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param controlplane.migration.image.pullPolicy image pull policy ## @param controlplane.migration.image.pullSecrets image pull secrets 
@@ -949,7 +949,7 @@ cas: ## ref: https://hub.docker.com/r/bitnami/chainloop-artifact-cas/tags/ ## @param cas.image.registry [default: REGISTRY_NAME] image registry ## @param cas.image.repository [default: REPOSITORY_NAME/chainloop-artifact-cas] image repository - ## @param cas.image.tag image tag (immutable tags are recommended) + ## @skip cas.image.tag image tag (immutable tags are recommended) ## @param cas.image.digest image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param cas.image.pullPolicy image pull policy ## @param cas.image.pullSecrets image pull secrets @@ -1674,7 +1674,7 @@ dex: hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" ## @param dex.image.registry [default: REGISTRY_NAME] Dex image registry ## @param dex.image.repository [default: REPOSITORY_NAME/dex] Dex image repository - ## @param dex.image.tag Dex image tag (immutable tags are recommended) + ## @skip dex.image.tag Dex image tag (immutable tags are recommended) ## @param dex.image.pullPolicy Dex image pull policy ## @param dex.image.pullSecrets Dex image pull secrets ## @param dex.image.debug Enable Dex image debug mode From 7ecedad8ef1203549c78114affe5b4e3384da626 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 18:39:46 +0200 Subject: [PATCH 30/37] fix tests Signed-off-by: Javier Rodriguez --- .vib/chainloop/ginkgo/chainloop_suite_test.go | 5 +- .vib/chainloop/ginkgo/chainloop_test.go | 118 ++++++++++-------- .../chainloop/templates/cas/deployment.yaml | 2 +- 3 files changed, 70 insertions(+), 55 deletions(-) diff --git a/.vib/chainloop/ginkgo/chainloop_suite_test.go b/.vib/chainloop/ginkgo/chainloop_suite_test.go index 3878b5f435c062..2aa7374bb063af 100644 --- a/.vib/chainloop/ginkgo/chainloop_suite_test.go +++ b/.vib/chainloop/ginkgo/chainloop_suite_test.go @@ -3,6 +3,7 @@ package chainloop_test import ( "flag" "testing" + "time" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" 
@@ -13,13 +14,15 @@ var (
 releaseName string
 namespace string
 timeoutSeconds int
+ timeout time.Duration
 )
 
 func init() {
 flag.StringVar(&kubeconfig, "kubeconfig", "", "absolute path to the kubeconfig file")
 flag.StringVar(&releaseName, "name", "", "name of the primary statefulset")
 flag.StringVar(&namespace, "namespace", "", "namespace where the application is running")
- flag.IntVar(&timeoutSeconds, "timeout", 180, "timeout in seconds")
+ flag.IntVar(&timeoutSeconds, "timeout", 300, "timeout in seconds")
+ timeout = time.Duration(timeoutSeconds) * time.Second
 }
 
 func TestChainloop(t *testing.T) {
diff --git a/.vib/chainloop/ginkgo/chainloop_test.go b/.vib/chainloop/ginkgo/chainloop_test.go
index a311baaf3da046..88ea6fc79b02f3 100644
--- a/.vib/chainloop/ginkgo/chainloop_test.go
+++ b/.vib/chainloop/ginkgo/chainloop_test.go
@@ -3,13 +3,20 @@ package chainloop_test
 import (
 "context"
 "fmt"
+ "time"
+
 utils "github.com/bitnami/charts/.vib/common-tests/ginkgo-utils"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
+ appsv1 "k8s.io/api/apps/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 )
 
+const (
+ PollingInterval = 1 * time.Second
+)
+
 // portDefinition is a struct to define a port in a service
 type portDefinition struct {
 name string
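Review bot: `timeout = time.Duration(timeoutSeconds) * time.Second` is evaluated inside `init()`, before the test binary parses its command line (the testing package calls `flag.Parse` from `M.Run`, after package initialisation), so `timeout` always holds the compiled-in default and a `-timeout` argument never reaches the `Eventually` calls that use it; the later hunk that raises the default to 500 keeps the same ordering. Move the assignment out of `init()` and make it the first statement of `func TestChainloop(t *testing.T) {`, i.e. `timeout = time.Duration(timeoutSeconds) * time.Second`, leaving `init()` to flag registration only. In the second hunk, `PollingInterval` is an exported constant in a `_test` package used by a single file; `pollingInterval` would match its scope.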
@@ -29,7 +36,22 @@ var _ = Describe("Chainloop", Ordered, func() {
 })
 
 When("Chainloop chart is fully deployed", func() {
- It("all services exposes expected ports", func() {
+ It("cas deployment is running", func() {
+ getReadyReplicas := func(ss *appsv1.Deployment) int32 { return ss.Status.ReadyReplicas }
+ getOpts := metav1.GetOptions{}
+
+ By("checking all the replicas are available")
+ stsName := fmt.Sprintf("%s-cas", releaseName)
+ dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(dpl.Status.Replicas).NotTo(BeZero())
+ origReplicas := *dpl.Spec.Replicas
+
+ Eventually(func() (*appsv1.Deployment, error) {
+ return c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ }, timeout, PollingInterval).Should(WithTransform(getReadyReplicas, Equal(origReplicas)))
+
+ By("checking all the services are available")
 svcs := []struct {
 name string
 ports []portDefinition
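Review bot: The readiness wait is written for a StatefulSet — the transform parameter is `ss` and the Deployment name lives in `stsName` — and the whole block (fetch, `NotTo(BeZero())`, `Eventually` on `ReadyReplicas`, then the service-port loop) is duplicated verbatim for the controlplane in the next hunk, so any fix has to be made twice. A small closure defined next to `c` and `ctx` (both declared above this hunk, so I am inferring their scope) removes the duplication and fixes the names; each `It` then reduces to one call. The enclosing `Describe` and the `svcs` literal continue outside the hunk.

```go
// waitForDeploymentReady returns the release's <component> Deployment once
// every desired replica reports ready; define it beside c and ctx, above the When block.
waitForDeploymentReady := func(component string) *appsv1.Deployment {
	name := fmt.Sprintf("%s-%s", releaseName, component)
	dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, name, metav1.GetOptions{})
	Expect(err).NotTo(HaveOccurred())
	Expect(dpl.Status.Replicas).NotTo(BeZero())
	want := *dpl.Spec.Replicas
	readyReplicas := func(d *appsv1.Deployment) int32 { return d.Status.ReadyReplicas }
	Eventually(func() (*appsv1.Deployment, error) {
		return c.AppsV1().Deployments(namespace).Get(ctx, name, metav1.GetOptions{})
	}, timeout, PollingInterval).Should(WithTransform(readyReplicas, Equal(want)))
	return dpl
}

It("cas deployment is running", func() {
	dpl := waitForDeploymentReady("cas")
	// … unchanged: service port checks and DplGetContainerImage …
})
```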
@@ -52,6 +74,46 @@ var _ = Describe("Chainloop", Ordered, func() {
 },
 },
 },
+ }
+
+ for _, inSvc := range svcs {
+ svcName := fmt.Sprintf("%v-%v", releaseName, inSvc.name)
+ svc, err := c.CoreV1().Services(namespace).Get(ctx, svcName, metav1.GetOptions{})
+ Expect(err).NotTo(HaveOccurred())
+
+ for _, port := range inSvc.ports {
+ outPort, err := utils.SvcGetPortByName(svc, port.name)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(outPort).NotTo(BeNil())
+ Expect(outPort).To(Equal(port.number))
+ }
+ }
+
+ By("checking main container image is running")
+ _, err = utils.DplGetContainerImage(dpl, "cas")
+ Expect(err).NotTo(HaveOccurred())
+ })
+
+ It("controlplane deployment is running", func() {
+ getReadyReplicas := func(ss *appsv1.Deployment) int32 { return ss.Status.ReadyReplicas }
+ getOpts := metav1.GetOptions{}
+
+ By("checking all the replicas are available")
+ stsName := fmt.Sprintf("%s-controlplane", releaseName)
+ dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(dpl.Status.Replicas).NotTo(BeZero())
+ origReplicas := *dpl.Spec.Replicas
+
+ Eventually(func() (*appsv1.Deployment, error) {
+ return c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+ }, timeout, PollingInterval).Should(WithTransform(getReadyReplicas, Equal(origReplicas)))
+
+ By("checking all the services are available")
+ svcs := []struct {
+ name string
+ ports []portDefinition
+ }{
 {
 name: "controlplane",
 ports: []portDefinition{
@@ -70,39 +132,6 @@ var _ = Describe("Chainloop", Ordered, func() {
 },
 },
 },
- {
- name: "postgresql",
- ports: []portDefinition{
- {
- name: "tcp-postgresql",
- number: "5432",
- },
- },
- },
- {
- name: "vault-server",
- ports: []portDefinition{
- {
- name: "http",
- number: "8200",
- }, {
- name: "https-internal",
- number: "8201",
- },
- },
- },
- {
- name: "dex",
- ports: []portDefinition{
- {
- name: "http",
- number: "5556",
- }, {
- name: "grpc",
- number: "5557",
- },
- },
- },
 }
 
 for _, inSvc := range svcs {
@@ -117,27 +146,10 @@ var _ = Describe("Chainloop", Ordered, func() {
 Expect(outPort).To(Equal(port.number))
 }
 }
- })
- It("all pods are running", func() {
- pods, err := c.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{})
+ By("checking main container image is running")
+ _, err = utils.DplGetContainerImage(dpl, "controlplane")
 Expect(err).NotTo(HaveOccurred())
-
- for _, pod := range pods.Items {
- _, err := utils.IsPodRunning(ctx, c.CoreV1(), namespace, pod.Name)
- Expect(err).NotTo(HaveOccurred())
- }
- })
-
- It("all deployments are running", func() {
- dpls := []string{"cas", "controlplane", "dex", "vault-injector"}
-
- for _, dplName := range dpls {
- dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, fmt.Sprintf("%v-%v", releaseName, dplName), metav1.GetOptions{})
- Expect(err).NotTo(HaveOccurred())
-
- Expect(dpl.Status.ReadyReplicas).To(Equal(*dpl.Spec.Replicas))
- }
 })
 })
diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml
index 91eccd4840cae1..86ae57c76e26e1 100644
--- a/bitnami/chainloop/templates/cas/deployment.yaml
+++ b/bitnami/chainloop/templates/cas/deployment.yaml
@@ -71,7 +71,7 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.cas.initContainers "context" $) | nindent 8 }}
 {{- end }}
 containers:
- - name: {{ .Chart.Name }}
+ - name: cas
 securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.containerSecurityContext "context" $) | nindent 12 }}
 image: {{ include "chainloop.cas.image" . }}
 imagePullPolicy: {{ .Values.cas.image.pullPolicy }}
From a5f8ff034b17872c82e6d1c3c6581fd59969e823 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Wed, 7 Aug 2024 19:00:41 +0200
Subject: [PATCH 31/37] fix networkpolicy and add pdb
Signed-off-by: Javier Rodriguez
---
 .../templates/cas/networkpolicy.yaml | 6 ++--- bitnami/chainloop/templates/cas/pdb.yaml | 26 +++++++++++++++++++ .../templates/controlplane/networkpolicy.yaml | 6 ++--- .../chainloop/templates/controlplane/pdb.yaml | 26 +++++++++++++++++++ bitnami/chainloop/values.yaml | 22 ++++++++++++++++ 5 files changed, 80 insertions(+), 6 deletions(-) create mode 100644 bitnami/chainloop/templates/cas/pdb.yaml create mode 100644 bitnami/chainloop/templates/controlplane/pdb.yaml
diff --git a/bitnami/chainloop/templates/cas/networkpolicy.yaml b/bitnami/chainloop/templates/cas/networkpolicy.yaml
index e409cf438339a6..9d2153160fb25e 100644
--- a/bitnami/chainloop/templates/cas/networkpolicy.yaml
+++ b/bitnami/chainloop/templates/cas/networkpolicy.yaml
@@ -10,7 +10,7 @@ metadata:
 name: {{ printf "%s-cas" (include "common.names.fullname" .) }}
 namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: web
+ app.kubernetes.io/component: cas
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
 {{- end }}
@@ -18,7 +18,7 @@ spec:
 {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.podLabels .Values.commonLabels ) "context" . ) }}
 podSelector:
 matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: web
+ app.kubernetes.io/component: cas
 policyTypes:
 - Ingress
 - Egress
@@ -52,7 +52,7 @@ spec:
 from:
 - podSelector:
 matchLabels:
- {{ printf "%s-web" (include "common.names.fullname" .) }}-client: "true"
+ {{ printf "%s-cas" (include "common.names.fullname" .) }}: "true"
 {{- if .Values.cas.networkPolicy.ingressNSMatchLabels }}
 - namespaceSelector:
 matchLabels:
diff --git a/bitnami/chainloop/templates/cas/pdb.yaml b/bitnami/chainloop/templates/cas/pdb.yaml
new file mode 100644
index 00000000000000..827c03b40df307
--- /dev/null
+++ b/bitnami/chainloop/templates/cas/pdb.yaml
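Review bot: The second hunk changes the client-label key that gates ingress when `cas.networkPolicy.allowExternal` is `false` to `<fullname>-cas: "true"`, dropping the `-client` suffix that other Bitnami charts use for this purpose and that the old line carried; the same rename is made for the controlplane policy in its own file. Nothing in the values comments names the key, so an operator who hardens the install by setting `allowExternal: false` has no documented label to put on the pods that must reach CAS. Either keep the conventional `{{ printf "%s-cas-client" (include "common.names.fullname" .) }}: "true"` or state the chosen key in the `cas.networkPolicy.allowExternal` description, e.g. `## client label (<fullname>-cas: "true") will have network access to the ports`. The ingress rule this selector belongs to starts above the hunk, so whether the label is also applied anywhere in the chart cannot be seen here.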
@@ -0,0 +1,26 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.pdb.enabled }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.cas.pdb.minAvailable }}
+ minAvailable: {{ .Values.cas.pdb.minAvailable }}
+ {{- end }}
+ {{- if or .Values.cas.pdb.maxUnavailable ( not .Values.cas.pdb.minAvailable ) }}
+ maxUnavailable: {{ .Values.cas.pdb.maxUnavailable | default 1 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/networkpolicy.yaml b/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
index baf781ef8fff05..d1452093a9e75b 100644
--- a/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
+++ b/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
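Review bot: This PodDisruptionBudget is named `{{ include "common.names.fullname" . }}` and the controlplane PDB added in the same patch uses the identical name, so with both `pdb.enabled` flags set the release renders two `PodDisruptionBudget` objects with the same name in the same namespace and the install fails or one silently replaces the other. The selector has the same problem: `matchLabels` is only the merged standard labels with no `app.kubernetes.io/component`, whereas the NetworkPolicy in this patch shows that label is what separates cas pods from controlplane pods, so each PDB selects the pods of both Deployments; pods covered by more than one PDB cannot be evicted through the Eviction API, which stalls node drains. Use `name: {{ printf "%s-cas" (include "common.names.fullname" .) }}` and add `app.kubernetes.io/component: cas` beneath `matchLabels:` here, and the controlplane equivalents in the sibling template. The defect persists after the later hunk that flips the default to `enabled: false`.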
@@ -10,7 +10,7 @@ metadata:
 name: {{ printf "%s-controlplane" (include "common.names.fullname" .) }}
 namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: web
+ app.kubernetes.io/component: controlplane
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
 {{- end }}
@@ -18,7 +18,7 @@ spec:
 {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.podLabels .Values.commonLabels ) "context" . ) }}
 podSelector:
 matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: web
+ app.kubernetes.io/component: controlplane
 policyTypes:
 - Ingress
 - Egress
@@ -52,7 +52,7 @@ spec:
 from:
 - podSelector:
 matchLabels:
- {{ printf "%s-web" (include "common.names.fullname" .) }}-client: "true"
+ {{ printf "%s-controlplane" (include "common.names.fullname" .) }}: "true"
 {{- if .Values.controlplane.networkPolicy.ingressNSMatchLabels }}
 - namespaceSelector:
 matchLabels:
diff --git a/bitnami/chainloop/templates/controlplane/pdb.yaml b/bitnami/chainloop/templates/controlplane/pdb.yaml
new file mode 100644
index 00000000000000..79af838e3dd97b
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/pdb.yaml
@@ -0,0 +1,26 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.pdb.enabled }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.controlplane.pdb.minAvailable }}
+ minAvailable: {{ .Values.controlplane.pdb.minAvailable }}
+ {{- end }}
+ {{- if or .Values.controlplane.pdb.maxUnavailable ( not .Values.controlplane.pdb.minAvailable ) }}
+ maxUnavailable: {{ .Values.controlplane.pdb.maxUnavailable | default 1 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+{{- end }}
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
index 6ceb6fd309c70f..74b692de05a9c0 100644
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml
@@ -937,6 +937,17 @@ controlplane: targetCPU: "" targetMemory: "" + ## Pod disruption budget configuration + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## @param server.pdb.enabled Create Pod Disruption Budget for the server component + ## @param server.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget + ## @param server.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget + ## + pdb: + enabled: true + minAvailable: "" + maxUnavailable: "" + ## @section Artifact Content Addressable (CAS) API ################################## # Artifacts CAS # @@ -1607,6 +1618,17 @@ cas: targetCPU: "" targetMemory: "" + ## Pod disruption budget configuration + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## @param server.pdb.enabled Create Pod Disruption Budget for the server component + ## @param server.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget + ## @param server.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget + ## + pdb: + enabled: true + minAvailable: "" + maxUnavailable: "" + ## @section Dependencies # ################################## From d17f27572b2a6964c28799145461a67b5d0c9df2 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 19:03:52 +0200 Subject: [PATCH 32/37] fix readme Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 6 ++++++ bitnami/chainloop/values.yaml | 12 ++++++------ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 27ef4a4db2211d..b4658881bc179e 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
@@ -706,6 +706,9 @@ chainloop config save \ | `controlplane.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | | `controlplane.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | | `controlplane.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | +| `controlplane.pdb.enabled` | Create Pod Disruption Budget for the server component | `true` | +| `controlplane.pdb.minAvailable` | Sets the min number of pods availables for the Pod Disruption Budget | `""` | +| `controlplane.pdb.maxUnavailable` | Sets the max number of pods unavailable for the Pod Disruption Budget | `""` | ### Artifact Content Addressable (CAS) API @@ -846,6 +849,9 @@ chainloop config save \ | `cas.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | | `cas.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | | `cas.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | +| `cas.pdb.enabled` | Create Pod Disruption Budget for the server component | `true` | +| `cas.pdb.minAvailable` | Sets the min number of pods availables for the Pod Disruption Budget | `""` | +| `cas.pdb.maxUnavailable` | Sets the max number of pods unavailable for the Pod Disruption Budget | `""` | ### Dependencies diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 74b692de05a9c0..60602d5302f1db 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml 
@@ -939,9 +939,9 @@ controlplane: ## Pod disruption budget configuration ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - ## @param server.pdb.enabled Create Pod Disruption Budget for the server component - ## @param server.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget - ## @param server.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget + ## @param controlplane.pdb.enabled Create Pod Disruption Budget for the server component + ## @param controlplane.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget + ## @param controlplane.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget ## pdb: enabled: true @@ -1620,9 +1620,9 @@ cas: ## Pod disruption budget configuration ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - ## @param server.pdb.enabled Create Pod Disruption Budget for the server component - ## @param server.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget - ## @param server.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget + ## @param cas.pdb.enabled Create Pod Disruption Budget for the server component + ## @param cas.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget + ## @param cas.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget ## pdb: enabled: true From a42e0e1a6640a05553fabfc9983c0601db2fcbac Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 19:15:10 +0200 Subject: [PATCH 33/37] increase test time Signed-off-by: Javier Rodriguez --- .vib/chainloop/ginkgo/chainloop_suite_test.go | 2 +- bitnami/chainloop/README.md | 6 +++--- bitnami/chainloop/values.yaml | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/.vib/chainloop/ginkgo/chainloop_suite_test.go b/.vib/chainloop/ginkgo/chainloop_suite_test.go
index 2aa7374bb063af..bc5d43bcd52f4c 100644
--- a/.vib/chainloop/ginkgo/chainloop_suite_test.go
+++ b/.vib/chainloop/ginkgo/chainloop_suite_test.go
@@ -21,7 +21,7 @@ func init() {
 flag.StringVar(&kubeconfig, "kubeconfig", "", "absolute path to the kubeconfig file")
 flag.StringVar(&releaseName, "name", "", "name of the primary statefulset")
 flag.StringVar(&namespace, "namespace", "", "namespace where the application is running")
- flag.IntVar(&timeoutSeconds, "timeout", 300, "timeout in seconds")
+ flag.IntVar(&timeoutSeconds, "timeout", 500, "timeout in seconds")
 timeout = time.Duration(timeoutSeconds) * time.Second
 }
 
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md
index b4658881bc179e..8e4903384bc2f3 100644
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
@@ -706,7 +706,7 @@ chainloop config save \
 | `controlplane.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` |
 | `controlplane.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` |
 | `controlplane.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` |
-| `controlplane.pdb.enabled` | Create Pod Disruption Budget for the server component | `true` |
+| `controlplane.pdb.enabled` | Create Pod Disruption Budget for the controlplane component | `false` |
 | `controlplane.pdb.minAvailable` | Sets the min number of pods availables for the Pod Disruption Budget | `""` |
 | `controlplane.pdb.maxUnavailable` | Sets the max number of pods unavailable for the Pod Disruption Budget | `""` |
@@ -849,8 +849,8 @@ chainloop config save \ | `cas.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | | `cas.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | | `cas.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | -| `cas.pdb.enabled` | Create Pod Disruption Budget for the server component | `true` | -| `cas.pdb.minAvailable` | Sets the min number of pods availables for the Pod Disruption Budget | `""` | +| `cas.pdb.enabled` | Create Pod Disruption Budget for the cas component | `false` | +| `cas.pdb.minAvailable` | Sets the min number of pods available for the Pod Disruption Budget | `""` | | `cas.pdb.maxUnavailable` | Sets the max number of pods unavailable for the Pod Disruption Budget | `""` | ### Dependencies diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml index 60602d5302f1db..ffd834dc974827 100644 --- a/bitnami/chainloop/values.yaml +++ b/bitnami/chainloop/values.yaml @@ -939,12 +939,12 @@ controlplane: ## Pod disruption budget configuration ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - ## @param controlplane.pdb.enabled Create Pod Disruption Budget for the server component + ## @param controlplane.pdb.enabled Create Pod Disruption Budget for the controlplane component ## @param controlplane.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget ## @param controlplane.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget ## pdb: - enabled: true + enabled: false minAvailable: "" maxUnavailable: "" 
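Review bot: The values.yaml hunk for the controlplane leaves `## @param controlplane.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget` as is, while the cas hunk that follows corrects the same sentence to "pods available"; the README table generated from these comments will carry the inconsistency. Change the controlplane line to `## @param controlplane.pdb.minAvailable Sets the min number of pods available for the Pod Disruption Budget` so both components read the same.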
@@ -1620,12 +1620,12 @@ cas: ## Pod disruption budget configuration ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - ## @param cas.pdb.enabled Create Pod Disruption Budget for the server component - ## @param cas.pdb.minAvailable Sets the min number of pods availables for the Pod Disruption Budget + ## @param cas.pdb.enabled Create Pod Disruption Budget for the cas component + ## @param cas.pdb.minAvailable Sets the min number of pods available for the Pod Disruption Budget ## @param cas.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget ## pdb: - enabled: true + enabled: false minAvailable: "" maxUnavailable: "" From e186f24bb6755398c0085a9e8d73df733740e818 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Wed, 7 Aug 2024 19:35:30 +0200 Subject: [PATCH 34/37] add missing parameter to verify step Signed-off-by: Javier Rodriguez --- .vib/chainloop/vib-verify.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.vib/chainloop/vib-verify.json b/.vib/chainloop/vib-verify.json index ba27cd61c05b46..ea0e422d929209 100644 --- a/.vib/chainloop/vib-verify.json +++ b/.vib/chainloop/vib-verify.json @@ -38,7 +38,8 @@ }, "params": { "kubeconfig": "{{kubeconfig}}", - "namespace": "{{namespace}}" + "namespace": "{{namespace}}", + "name": "chainloop" } } } From 16d8fceb4aadd4b1492b1b81434b834605366d3f Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Thu, 8 Aug 2024 10:38:26 +0200 Subject: [PATCH 35/37] add vpa to cas and controlplane Signed-off-by: Javier Rodriguez --- bitnami/chainloop/README.md | 12 +++++ bitnami/chainloop/templates/cas/vpa.yaml | 44 +++++++++++++++++++ .../chainloop/templates/controlplane/vpa.yaml | 44 +++++++++++++++++++ bitnami/chainloop/values.yaml | 38 ++++++++++++++++ 4 files changed, 138 insertions(+) create mode 100644 bitnami/chainloop/templates/cas/vpa.yaml create mode 100644 bitnami/chainloop/templates/controlplane/vpa.yaml 
diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 8e4903384bc2f3..9a751ae4e8377b 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md @@ -701,6 +701,12 @@ chainloop config save \ | `controlplane.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | | `controlplane.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `controlplane.initContainers` | Add additional init containers to the controlplane pods | `[]` | +| `controlplane.autoscaling.vpa.enabled` | Enable VPA for %%MAIN_CONTAINER_NAME%% pods | `false` | +| `controlplane.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | +| `controlplane.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` | +| `controlplane.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | +| `controlplane.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | +| `controlplane.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | | `controlplane.autoscaling.hpa.enabled` | Enable HPA for controlplane pods | `false` | | `controlplane.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | | `controlplane.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | 
@@ -844,6 +850,12 @@ chainloop config save \ | `cas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | | `cas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `cas.initContainers` | Add additional init containers to the cas pods | `[]` | +| `cas.autoscaling.vpa.enabled` | Enable VPA for %%MAIN_CONTAINER_NAME%% pods | `false` | +| `cas.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | +| `cas.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` | +| `cas.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | +| `cas.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | +| `cas.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | | `cas.autoscaling.hpa.enabled` | Enable HPA for cas pods | `false` | | `cas.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | | `cas.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | diff --git a/bitnami/chainloop/templates/cas/vpa.yaml b/bitnami/chainloop/templates/cas/vpa.yaml new file mode 100644 index 00000000000000..30deaee6bf67e2 --- /dev/null +++ b/bitnami/chainloop/templates/cas/vpa.yaml 
@@ -0,0 +1,44 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.cas.autoscaling.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: cas
+ {{- if or .Values.cas.autoscaling.vpa.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ resourcePolicy:
+ containerPolicies:
+ - containerName: cas
+ {{- with .Values.cas.autoscaling.vpa.controlledResources }}
+ controlledResources:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.cas.autoscaling.vpa.maxAllowed }}
+ maxAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.cas.autoscaling.vpa.minAllowed }}
+ minAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+ kind: Deployment
+ name: {{ include "common.names.fullname" . }}
+ {{- if .Values.cas.autoscaling.vpa.updatePolicy }}
+ updatePolicy:
+ {{- with .Values.cas.autoscaling.vpa.updatePolicy.updateMode }}
+ updateMode: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/templates/controlplane/vpa.yaml b/bitnami/chainloop/templates/controlplane/vpa.yaml
new file mode 100644
index 00000000000000..3b501856ed3558
--- /dev/null
+++ b/bitnami/chainloop/templates/controlplane/vpa.yaml
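Review bot: `targetRef.name` is `{{ include "common.names.fullname" . }}`, but the cas Deployment is named with a `-cas` suffix — the NetworkPolicy in this series uses `printf "%s-cas" (include "common.names.fullname" .)` and the ginkgo test fetches `fmt.Sprintf("%s-cas", releaseName)` — so the VerticalPodAutoscaler points at a Deployment that does not exist and never produces recommendations. The VPA's own `metadata.name` is the same bare fullname as the controlplane VPA in the next file, so the two objects also collide when both are enabled. Use `name: {{ printf "%s-cas" (include "common.names.fullname" .) }}` for both `metadata.name` and `targetRef.name`, and the `-controlplane` form in the sibling template. `containerName: cas` matches the container rename made earlier in the series; the controlplane template assumes a container named `controlplane`, which the test also expects but which no hunk here establishes — worth confirming against that Deployment.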
@@ -0,0 +1,44 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.controlplane.autoscaling.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: controlplane
+ {{- if or .Values.controlplane.autoscaling.vpa.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ resourcePolicy:
+ containerPolicies:
+ - containerName: controlplane
+ {{- with .Values.controlplane.autoscaling.vpa.controlledResources }}
+ controlledResources:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controlplane.autoscaling.vpa.maxAllowed }}
+ maxAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controlplane.autoscaling.vpa.minAllowed }}
+ minAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+ kind: Deployment
+ name: {{ include "common.names.fullname" . }}
+ {{- if .Values.controlplane.autoscaling.vpa.updatePolicy }}
+ updatePolicy:
+ {{- with .Values.controlplane.autoscaling.vpa.updatePolicy.updateMode }}
+ updateMode: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
index ffd834dc974827..bef14215ba88b7 100644
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml
@@ -924,6 +924,25 @@ controlplane: ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/ ## autoscaling: + ## @param controlplane.autoscaling.vpa.enabled Enable VPA for %%MAIN_CONTAINER_NAME%% pods + ## @param controlplane.autoscaling.vpa.annotations Annotations for VPA resource + ## @param controlplane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + ## @param controlplane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod + ## @param controlplane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod + ## + vpa: + enabled: false + annotations: { } + controlledResources: [ ] + maxAllowed: { } + minAllowed: { } + ## @param controlplane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy + ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod + ## Possible values are "Off", "Initial", "Recreate", and "Auto". + ## + updatePolicy: + updateMode: Auto + ## @param controlplane.autoscaling.hpa.enabled Enable HPA for controlplane pods ## @param controlplane.autoscaling.hpa.minReplicas Minimum number of replicas ## @param controlplane.autoscaling.hpa.maxReplicas Maximum number of replicas 
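Review bot: The `@param controlplane.autoscaling.vpa.enabled` description still carries the unsubstituted `%%MAIN_CONTAINER_NAME%%` placeholder, and since README.md is generated from these annotations it is reproduced verbatim in the README hunk above; it should read `## @param controlplane.autoscaling.vpa.enabled Enable VPA for controlplane pods`. The cas block in the next hunk has the same placeholder and wants `Enable VPA for cas pods`. The `{ }` / `[ ]` literals are also spaced differently from the `{}` / `[]` form used elsewhere in values.yaml; `annotations: {}` and `controlledResources: []` would match the file.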
@@ -1605,6 +1624,25 @@ cas: ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/ ## autoscaling: + ## @param cas.autoscaling.vpa.enabled Enable VPA for %%MAIN_CONTAINER_NAME%% pods + ## @param cas.autoscaling.vpa.annotations Annotations for VPA resource + ## @param cas.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + ## @param cas.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod + ## @param cas.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod + ## + vpa: + enabled: false + annotations: { } + controlledResources: [ ] + maxAllowed: { } + minAllowed: { } + ## @param cas.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy + ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod + ## Possible values are "Off", "Initial", "Recreate", and "Auto". + ## + updatePolicy: + updateMode: Auto + ## @param cas.autoscaling.hpa.enabled Enable HPA for cas pods ## @param cas.autoscaling.hpa.minReplicas Minimum number of replicas ## @param cas.autoscaling.hpa.maxReplicas Maximum number of replicas From de6a5096c64f14291306f103e59e0d4f1aab609a Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Thu, 8 Aug 2024 08:40:12 +0000 Subject: [PATCH 36/37] Update CHANGELOG.md Signed-off-by: Bitnami Containers --- bitnami/chainloop/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/chainloop/CHANGELOG.md b/bitnami/chainloop/CHANGELOG.md index 29ed61c4e2ed13..a45fbebed24e7e 100644 --- a/bitnami/chainloop/CHANGELOG.md +++ b/bitnami/chainloop/CHANGELOG.md @@ -1,5 +1,5 @@ # Changelog -## 0.1.0 (2024-08-07) +## 0.1.0 (2024-08-08) * New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100)) From e8d2383a22a33fc27704a919823af2c4fc56bd1a Mon Sep 17 00:00:00 2001 
From: Javier Rodriguez Date: Thu, 8 Aug 2024 18:07:32 +0200 Subject: [PATCH 37/37] tackle feedback Signed-off-by: Javier Rodriguez --- bitnami/chainloop/Chart.lock | 14 +-- bitnami/chainloop/Chart.yaml | 6 +- bitnami/chainloop/README.md | 8 +- .../chainloop/templates/cas/deployment.yaml | 4 +- .../templates/controlplane/deployment.yaml | 4 +- .../templates/dex/networkpolicy.yaml | 88 +++++++++++++++++++ bitnami/chainloop/values.yaml | 40 +++++---- 7 files changed, 129 insertions(+), 35 deletions(-) create mode 100644 bitnami/chainloop/templates/dex/networkpolicy.yaml diff --git a/bitnami/chainloop/Chart.lock b/bitnami/chainloop/Chart.lock index 194257b4f83733..1e85c2651b3275 100644 --- a/bitnami/chainloop/Chart.lock +++ b/bitnami/chainloop/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: common - repository: https://charts.bitnami.com/bitnami - version: 2.20.5 + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.21.0 - name: postgresql - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts version: 15.5.20 - name: vault - repository: https://charts.bitnami.com/bitnami - version: 1.4.16 -digest: sha256:75494ecf8834d4799490dd6879e073bcf1228967025d7f93abe08d3458f11859 -generated: "2024-08-05T16:18:36.486565+02:00" + repository: oci://registry-1.docker.io/bitnamicharts + version: 1.4.18 +digest: sha256:3c8f91b4005b34cdb16f4e4603cc641d4f8c1b2107be8b8499af72ff6a540015 +generated: "2024-08-08T18:05:43.024689+02:00" diff --git a/bitnami/chainloop/Chart.yaml b/bitnami/chainloop/Chart.yaml index 4cb2a889c16123..414f7208b7bfcc 100644 --- a/bitnami/chainloop/Chart.yaml +++ b/bitnami/chainloop/Chart.yaml 
@@ -17,17 +17,17 @@ apiVersion: v2 appVersion: 0.95.3 dependencies: - name: common - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts tags: - bitnami-common version: 2.x.x - condition: postgresql.enabled name: postgresql - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts version: 15.x.x - condition: development name: vault - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts version: 1.4.x description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process. home: https://bitnami.com diff --git a/bitnami/chainloop/README.md b/bitnami/chainloop/README.md index 9a751ae4e8377b..65537f0e192e7b 100644 --- a/bitnami/chainloop/README.md +++ b/bitnami/chainloop/README.md 
@@ -533,8 +533,8 @@ chainloop config save \ | `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | | | `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` | | `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` | -| `controlplane.onboarding` | List of organizations to automatically onboard when a user logs in | | -| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | | +| `controlplane.onboarding` | List of organizations to automatically onboard when a user logs in | `[]` | +| `controlplane.prometheus_org_metrics` | List of organizations to expose metrics for using Prometheus | `[]` | | `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` | | `controlplane.migration.image.registry` | image registry | `REGISTRY_NAME` | | `controlplane.migration.image.repository` | image repository | `REPOSITORY_NAME/chainloop-control-plane-migrations` | @@ -567,6 +567,7 @@ chainloop config save \ | `controlplane.auth.oidc.clientSecret` | OIDC IDp clientSecret | `""` | | `controlplane.auth.oidc.loginURLOverride` | Optional OIDC login URL override, useful to point to custom login pages | `""` | | `controlplane.auth.oidc.externalURL` | Optional External URL for the controlplane to the outside world | `""` | +| `controlplane.auth.allowList` | Content of the allow_list.yaml config file | `{}` | | `controlplane.auth.allowList.rules` | List of domains or emails to allow | | | `controlplane.auth.allowList.selectedRoutes` | List of selected routes to allow. If not set it applies to all routes | | | `controlplane.auth.allowList.customMessage` | Custom message to display when a user is not allowed | | 
@@ -577,7 +578,6 @@ chainloop config save \ | -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | | `controlplane.service.type` | Service type | `ClusterIP` | | `controlplane.service.ports.http` | controlplane service HTTP port | `80` | -| `controlplane.service.ports.https` | controlplane service HTTPS port | `443` | | `controlplane.service.nodePorts.http` | Node port for HTTP | `""` | | `controlplane.service.nodePorts.https` | Node port for HTTPS | `""` | | `controlplane.service.clusterIP` | controlplane service Cluster IP | `""` | @@ -925,7 +925,7 @@ service_registration "kubernetes" {}` | | `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` | | `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `true` | | `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` | -| `dex.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` | +| `dex.containerSecurityContext.capabilities.drop` | Set Chainloop containers' Security Context capabilities to be dropped | `["ALL"]` | | `dex.containerSecurityContext.privileged` | Set dex container's Security Context privileged | `false` | | `dex.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `dex.service.type` | Dex service type | `ClusterIP` | diff --git a/bitnami/chainloop/templates/cas/deployment.yaml b/bitnami/chainloop/templates/cas/deployment.yaml index 86ae57c76e26e1..c92a31a8fe9d89 100644 --- a/bitnami/chainloop/templates/cas/deployment.yaml +++ b/bitnami/chainloop/templates/cas/deployment.yaml 
@@ -61,7 +61,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.cas.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.cas.podSecurityContext.enabled }} - securityContext: {{- omit .Values.cas.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.cas.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.cas.terminationGracePeriodSeconds }} @@ -72,7 +72,9 @@ spec: {{- end }} containers: - name: cas + {{- if .Values.cas.containerSecurityContext.enabled }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} image: {{ include "chainloop.cas.image" . }} imagePullPolicy: {{ .Values.cas.image.pullPolicy }} command: [ "./artifact-cas" ] diff --git a/bitnami/chainloop/templates/controlplane/deployment.yaml b/bitnami/chainloop/templates/controlplane/deployment.yaml index d21c2590744ddc..0cc018a51a970c 100644 --- a/bitnami/chainloop/templates/controlplane/deployment.yaml +++ b/bitnami/chainloop/templates/controlplane/deployment.yaml 
@@ -62,7 +62,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.controlplane.podSecurityContext.enabled }} - securityContext: {{- omit .Values.controlplane.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.controlplane.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.controlplane.terminationGracePeriodSeconds }} @@ -90,7 +90,9 @@ spec: key: db_migrate_source containers: - name: controlplane + {{- if .Values.controlplane.containerSecurityContext.enabled }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} image: {{ include "chainloop.controlplane.image" . }} imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} command: [ "./control-plane" ] diff --git a/bitnami/chainloop/templates/dex/networkpolicy.yaml b/bitnami/chainloop/templates/dex/networkpolicy.yaml new file mode 100644 index 00000000000000..678b2e1ba9bb2e --- /dev/null +++ b/bitnami/chainloop/templates/dex/networkpolicy.yaml 
@@ -0,0 +1,88 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.dex.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ include "chainloop.dex" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: dex
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: dex
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.dex.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ - ports:
+ # Allow dns resolution
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow access to kube-apicontroller
+ {{- range $port := .Values.dex.networkPolicy.kubeAPIServerPorts }}
+ - port: {{ $port }}
+ {{- end }}
+ # Allow outbound connections to repo server
+ - ports:
+ - port: {{ .Values.controlplane.containerPorts.grpc }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: repo-server
+ # Allow outbound connections to server
+ - ports:
+ - port: {{ .Values.controlplane.containerPorts.http }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.dex.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.dex.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.dex.containerPorts.http }}
+ - port: {{ .Values.dex.containerPorts.grpc }}
+ - port: {{ .Values.dex.containerPorts.metrics }}
+ {{- if not .Values.dex.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ include "chainloop.dex" . }}-client: "true"
+ {{- if .Values.dex.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.dex.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.dex.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.dex.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.dex.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.dex.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/chainloop/values.yaml b/bitnami/chainloop/values.yaml
index bef14215ba88b7..637617043d2f2b 100644
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml
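Review bot: The two egress rules intended to let dex reach the control plane select `app.kubernetes.io/component: repo-server` and `app.kubernetes.io/component: server`, labels this chart never sets (its components are `controlplane`, `cas` and `dex`, e.g. `app.kubernetes.io/component: controlplane` in the controlplane templates), so with `allowExternalEgress` false those rules match no pod and traffic to `controlplane.containerPorts.grpc`/`http` is denied; the "repo server"/"server" comments and `kube-apicontroller` look like Argo CD leftovers as well. If dex genuinely needs to reach the control plane, both selector lines should become `app.kubernetes.io/component: controlplane` with the comments updated to say so; if it does not, drop the two rules rather than ship dead egress allowances. The ingress rule also opens `dex.containerPorts.grpc` and `dex.containerPorts.metrics`, which I can't see in this hunk, so confirm those keys exist in the dex values or the rendered `- port:` entries will be invalid.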
@@ -213,16 +213,18 @@ controlplane: enabled: false allowedOrgs: [] - ## @extra controlplane.onboarding List of organizations to automatically onboard when a user logs in - ## @skip controlplane.onboarding[0].name Name of the organization to onboard - ## @skip controlplane.onboarding[0].role Role of the organization to onboard - # onboarding: - # - name: "" - # role: "" - - ## @extra controlplane.prometheus_org_metrics List of organizations to expose metrics for using Prometheus - # prometheus_org_metrics: - # - org_name: "read-only-demo" + ## @param controlplane.onboarding List of organizations to automatically onboard when a user logs in + ## e.g: + ## onboarding: + ## - name: "" + ## role: "" + onboarding: [] + + ## @param controlplane.prometheus_org_metrics List of organizations to expose metrics for using Prometheus + ## e.g.: + ## prometheus_org_metrics: + ## - org_name: "read-only-demo" + prometheus_org_metrics: [] # Database migration ## @param controlplane.migration.ssl Connect to the database using SSL (required fro AWS RDS, etc) @@ -304,13 +306,16 @@ controlplane: loginURLOverride: "" externalURL: "" + ## @param controlplane.auth.allowList Content of the allow_list.yaml config file ## @extra controlplane.auth.allowList.rules List of domains or emails to allow ## @extra controlplane.auth.allowList.selectedRoutes List of selected routes to allow. If not set it applies to all routes ## @extra controlplane.auth.allowList.customMessage Custom message to display when a user is not allowed - # allowList: - # rules: [] - # selectedRoutes: [] - # customMessage: "" + ## e.g. + ## allowList: + ## rules: [] + ## selectedRoutes: [] + ## customMessage: "" + allowList: {} ## @section Control Plane Networking service: 
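Review bot: `controlplane.auth.allowList` now defaults to `{}` but its `@param` description only says it is the content of allow_list.yaml; since this is the setting that restricts which authenticated identities may log in, the comment should say what the empty default means. If an empty map results in no allow list being rendered, I'd add `## Leave empty to disable the allow list: every identity authenticated by the OIDC provider is accepted` under the `@param` line — confirm this against the controlplane config template, which is not in this hunk. The `## e.g:` on `onboarding` and `## e.g.:` on `prometheus_org_metrics` should also use the same spelling.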
@@ -318,11 +323,9 @@ controlplane: type: ClusterIP ## @param controlplane.service.ports.http controlplane service HTTP port - ## @param controlplane.service.ports.https controlplane service HTTPS port ## ports: http: 80 - https: 443 ## Node ports to expose ## @param controlplane.service.nodePorts.http Node port for HTTP ## @param controlplane.service.nodePorts.https Node port for HTTPS @@ -1720,7 +1723,6 @@ vault: ## dex: ## Bitnami Dex image - ## ref: https://hub.docker.com/r/bitnami/argo-cd/tags/ ## @skip dex.staticUsers[0].email ## @skip dex.staticUsers[0].hash ## @skip dex.staticUsers[1].email @@ -1855,7 +1857,7 @@ dex: ## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation ## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem ## @param dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot - ## @param dex.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped + ## @param dex.containerSecurityContext.capabilities.drop Set Chainloop containers' Security Context capabilities to be dropped ## @param dex.containerSecurityContext.privileged Set dex container's Security Context privileged ## @param dex.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## @@ -1998,7 +2000,7 @@ dex: ## Metrics configuration for Dex ## metrics: - ## Enable metrics for Argo Dex + ## Enable metrics for Chainloop Dex ## @param dex.metrics.enabled Enable metrics service for Dex ## enabled: false
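Review bot: The first hunk removes `controlplane.service.ports.https` but keeps `## @param controlplane.service.nodePorts.https Node port for HTTPS` as context (and the README hunk above still lists `controlplane.service.nodePorts.https`), so a node port is documented for a service port that no longer exists; either remove `nodePorts.https` too or document which port it now applies to. The service template is not in this change, so check that it no longer references `.Values.controlplane.service.ports.https` before the value is cut.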