diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/Chart.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/Chart.yaml new file mode 100644 index 0000000..8c27293 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 1.0.0 +description: Tencent Infrastructure Automation for Crossplane is a Tencent Cloud product developed based on the popular multi-cloud management open-source tool, Crossplane. + It aims to provide users with the ability to automate deployment, implementation, and management of cloud resources. +home: https://marketplace.upbound.io/providers/crossplane-contrib/provider-tencentcloud +icon: https://cloudcache.tencent-cloud.com/qcloud/ui/static/Industry_tke/e73076df-c87a-4112-b1cd-2c95099984d0.png +keywords: +- cloud +- infrastructure +- services +- application +- kubernetes +maintainers: +- email: hellertang@tencent.com + name: hellertang +name: crossplane +version: 1.0.0 diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/LICENSE b/incubator/tencent-infrastructure-automation-for-crossplane/LICENSE new file mode 100644 index 0000000..ef10385 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2016 The Crossplane Authors. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/README.md b/incubator/tencent-infrastructure-automation-for-crossplane/README.md new file mode 100644 index 0000000..1153621 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/README.md 
@@ -0,0 +1,165 @@ + +Crossplane can be easily installed into any existing Kubernetes cluster using +the regularly published Helm chart. The Helm chart contains all the custom +resources and controllers needed to deploy and configure Crossplane. + +## Pre-requisites + +* [Kubernetes cluster], minimum version `v1.16.0+` +* [Helm], minimum version `v3.0.0+`. + +## Installation + +Helm charts for Crossplane are currently published to the `stable` and `master` +channels. + +### Stable + +The stable channel is the most recent release of Crossplane that is considered +ready for the community. + +```console +kubectl create namespace crossplane-system + +helm repo add crossplane-stable https://charts.crossplane.io/stable +helm repo update + +helm install crossplane --namespace crossplane-system crossplane-stable/crossplane +``` + +### Master + +The `master` channel contains the latest commits, with all automated tests +passing. `master` is subject to instability, incompatibility, and features may +be added or removed without much prior notice. It is recommended to use one of +the more stable channels, but if you want the absolute newest Crossplane +installed, then you can use the `master` channel. + +To install the Helm chart from master, you will need to pass the specific +version returned by the `search` command: + +```console +kubectl create namespace crossplane-system +helm repo add crossplane-master https://charts.crossplane.io/master/ +helm repo update +helm search repo crossplane-master --devel + +helm install crossplane --namespace crossplane-system crossplane-master/crossplane --devel --version +``` + +## Uninstalling the Chart + +To uninstall/delete the `crossplane` deployment: + +```console +helm delete crossplane --namespace crossplane-system +``` + +That command removes all Kubernetes components associated with Crossplane, +including all the custom resources and controllers. 
+ +## Configuration + +The following tables lists the configurable parameters of the Crossplane chart +and their default values. + +| Parameter | Description | Default | +| --- | --- | --- | +| `affinity` | Add `affinities` to the Crossplane pod deployment. | `{}` | +| `args` | Add custom arguments to the Crossplane pod. | `[]` | +| `configuration.packages` | A list of Configuration packages to install. | `[]` | +| `customAnnotations` | Add custom `annotations` to the Crossplane pod deployment. | `{}` | +| `customLabels` | Add custom `labels` to the Crossplane pod deployment. | `{}` | +| `deploymentStrategy` | The deployment strategy for the Crossplane and RBAC Manager pods. | `"RollingUpdate"` | +| `dnsPolicy` | Specify the `dnsPolicy` to be used by the Crossplane pod. | `""` | +| `extraEnvVarsCrossplane` | Add custom environmental variables to the Crossplane pod deployment. Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`. | `{}` | +| `extraEnvVarsRBACManager` | Add custom environmental variables to the RBAC Manager pod deployment. Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`. | `{}` | +| `extraObjects` | To add arbitrary Kubernetes Objects during a Helm Install | `[]` | +| `extraVolumeMountsCrossplane` | Add custom `volumeMounts` to the Crossplane pod. | `{}` | +| `extraVolumesCrossplane` | Add custom `volumes` to the Crossplane pod. | `{}` | +| `hostNetwork` | Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`. | `false` | +| `image.pullPolicy` | The image pull policy used for Crossplane and RBAC Manager pods. | `"IfNotPresent"` | +| `image.repository` | Repository for the Crossplane pod image. | `"xpkg.upbound.io/crossplane/crossplane"` | +| `image.tag` | The Crossplane image tag. 
Defaults to the value of `appVersion` in `Chart.yaml`. | `""` | +| `imagePullSecrets` | The imagePullSecret names to add to the Crossplane ServiceAccount. | `{}` | +| `leaderElection` | Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod. | `true` | +| `metrics.enabled` | Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods. | `false` | +| `nodeSelector` | Add `nodeSelectors` to the Crossplane pod deployment. | `{}` | +| `packageCache.configMap` | The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume. | `""` | +| `packageCache.medium` | Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development. | `""` | +| `packageCache.pvc` | The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume. | `""` | +| `packageCache.sizeLimit` | The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory. | `"20Mi"` | +| `podSecurityContextCrossplane` | Add a custom `securityContext` to the Crossplane pod. | `{}` | +| `podSecurityContextRBACManager` | Add a custom `securityContext` to the RBAC Manager pod. | `{}` | +| `priorityClassName` | The PriorityClass name to apply to the Crossplane and RBAC Manager pods. | `""` | +| `provider.packages` | A list of Provider packages to install. | `[]` | +| `rbacManager.affinity` | Add `affinities` to the RBAC Manager pod deployment. | `{}` | +| `rbacManager.args` | Add custom arguments to the RBAC Manager pod. | `[]` | +| `rbacManager.deploy` | Deploy the RBAC Manager pod and its required roles. | `true` | +| `rbacManager.leaderElection` | Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod. 
| `true` | +| `rbacManager.nodeSelector` | Add `nodeSelectors` to the RBAC Manager pod deployment. | `{}` | +| `rbacManager.replicas` | The number of RBAC Manager pod `replicas` to deploy. | `1` | +| `rbacManager.skipAggregatedClusterRoles` | Don't install aggregated Crossplane ClusterRoles. | `false` | +| `rbacManager.tolerations` | Add `tolerations` to the RBAC Manager pod deployment. | `[]` | +| `registryCaBundleConfig.key` | The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates. | `""` | +| `registryCaBundleConfig.name` | The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates. | `""` | +| `replicas` | The number of Crossplane pod `replicas` to deploy. | `1` | +| `resourcesCrossplane.limits.cpu` | CPU resource limits for the Crossplane pod. | `"500m"` | +| `resourcesCrossplane.limits.memory` | Memory resource limits for the Crossplane pod. | `"1024Mi"` | +| `resourcesCrossplane.requests.cpu` | CPU resource requests for the Crossplane pod. | `"100m"` | +| `resourcesCrossplane.requests.memory` | Memory resource requests for the Crossplane pod. | `"256Mi"` | +| `resourcesRBACManager.limits.cpu` | CPU resource limits for the RBAC Manager pod. | `"100m"` | +| `resourcesRBACManager.limits.memory` | Memory resource limits for the RBAC Manager pod. | `"512Mi"` | +| `resourcesRBACManager.requests.cpu` | CPU resource requests for the RBAC Manager pod. | `"100m"` | +| `resourcesRBACManager.requests.memory` | Memory resource requests for the RBAC Manager pod. | `"256Mi"` | +| `securityContextCrossplane.allowPrivilegeEscalation` | Enable `allowPrivilegeEscalation` for the Crossplane pod. | `false` | +| `securityContextCrossplane.readOnlyRootFilesystem` | Set the Crossplane pod root file system as read-only. | `true` | +| `securityContextCrossplane.runAsGroup` | The group ID used by the Crossplane pod. 
| `65532` | +| `securityContextCrossplane.runAsUser` | The user ID used by the Crossplane pod. | `65532` | +| `securityContextRBACManager.allowPrivilegeEscalation` | Enable `allowPrivilegeEscalation` for the RBAC Manager pod. | `false` | +| `securityContextRBACManager.readOnlyRootFilesystem` | Set the RBAC Manager pod root file system as read-only. | `true` | +| `securityContextRBACManager.runAsGroup` | The group ID used by the RBAC Manager pod. | `65532` | +| `securityContextRBACManager.runAsUser` | The user ID used by the RBAC Manager pod. | `65532` | +| `serviceAccount.customAnnotations` | Add custom `annotations` to the Crossplane ServiceAccount. | `{}` | +| `tolerations` | Add `tolerations` to the Crossplane pod deployment. | `[]` | +| `webhooks.enabled` | Enable webhooks for Crossplane and installed Provider packages. | `true` | + +### Command Line + +You can pass the settings with helm command line parameters. Specify each +parameter using the `--set key=value[,key=value]` argument to `helm install`. +For example, the following command will install Crossplane with an image pull +policy of `IfNotPresent`. + +```console +helm install --namespace crossplane-system crossplane-stable/crossplane --set image.pullPolicy=IfNotPresent +``` + +### Settings File + +Alternatively, a yaml file that specifies the values for the above parameters +(`values.yaml`) can be provided while installing the chart. + +```console +helm install crossplane --namespace crossplane-system crossplane-stable/crossplane -f values.yaml +``` + +Here are the sample settings to get you started. + +```yaml +replicas: 1 + +deploymentStrategy: RollingUpdate + +image: + repository: xpkg.upbound.io/crossplane/crossplane + tag: alpha + pullPolicy: Always +``` + + + +[Kubernetes cluster]: https://kubernetes.io/docs/setup/ +[Minikube]: https://kubernetes.io/docs/tasks/tools/install-minikube/ +[Helm]: https://docs.helm.sh/using_helm/ + 
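Review bot: In the Master install block, `helm install crossplane ... --devel --version` ends with a bare `--version` flag and no value, so the command fails as written; it has to take the version printed by the preceding `helm search repo crossplane-master --devel`. More fundamentally, every install command in this README targets `crossplane-stable/crossplane` or `crossplane-master/crossplane` from charts.crossplane.io, so a reader following it never installs the chart this PR adds under `incubator/tencent-infrastructure-automation-for-crossplane`; the README should show how to install this chart and where the Tencent Cloud provider goes (the `Default` column shows `provider.packages` as `[]`). The sample `values.yaml` at the end also pairs the floating `tag: alpha` with `pullPolicy: Always`, which re-pulls whatever that tag currently points to on every pod start; a sample for a product chart should pin an immutable tag or digest. Minor: the `[Minikube]` link reference is defined but never used.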
diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/README.md.gotmpl b/incubator/tencent-infrastructure-automation-for-crossplane/README.md.gotmpl new file mode 100644 index 0000000..262fa70 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/README.md.gotmpl 
@@ -0,0 +1,112 @@ + +Crossplane can be easily installed into any existing Kubernetes cluster using +the regularly published Helm chart. The Helm chart contains all the custom +resources and controllers needed to deploy and configure Crossplane. + +## Pre-requisites + +* [Kubernetes cluster], minimum version `v1.16.0+` +* [Helm], minimum version `v3.0.0+`. + +## Installation + +Helm charts for Crossplane are currently published to the `stable` and `master` +channels. + +### Stable + +The stable channel is the most recent release of Crossplane that is considered +ready for the community. + +```console +kubectl create namespace crossplane-system + +helm repo add crossplane-stable https://charts.crossplane.io/stable +helm repo update + +helm install crossplane --namespace crossplane-system crossplane-stable/crossplane +``` + +### Master + +The `master` channel contains the latest commits, with all automated tests +passing. `master` is subject to instability, incompatibility, and features may +be added or removed without much prior notice. It is recommended to use one of +the more stable channels, but if you want the absolute newest Crossplane +installed, then you can use the `master` channel. + +To install the Helm chart from master, you will need to pass the specific +version returned by the `search` command: + +```console +kubectl create namespace crossplane-system +helm repo add crossplane-master https://charts.crossplane.io/master/ +helm repo update +helm search repo crossplane-master --devel + +helm install crossplane --namespace crossplane-system crossplane-master/crossplane --devel --version +``` + +## Uninstalling the Chart + +To uninstall/delete the `crossplane` deployment: + +```console +helm delete crossplane --namespace crossplane-system +``` + +That command removes all Kubernetes components associated with Crossplane, +including all the custom resources and controllers. 
+ +## Configuration + +The following tables lists the configurable parameters of the Crossplane chart +and their default values. + +{{ template "chart.valuesTable" . }} + +### Command Line + +You can pass the settings with helm command line parameters. Specify each +parameter using the `--set key=value[,key=value]` argument to `helm install`. +For example, the following command will install Crossplane with an image pull +policy of `IfNotPresent`. + +```console +helm install --namespace crossplane-system crossplane-stable/crossplane --set image.pullPolicy=IfNotPresent +``` + +### Settings File + +Alternatively, a yaml file that specifies the values for the above parameters +(`values.yaml`) can be provided while installing the chart. + +```console +helm install crossplane --namespace crossplane-system crossplane-stable/crossplane -f values.yaml +``` + +Here are the sample settings to get you started. + +```yaml +replicas: 1 + +deploymentStrategy: RollingUpdate + +image: + repository: xpkg.upbound.io/crossplane/crossplane + tag: alpha + pullPolicy: Always +``` + + + +[Kubernetes cluster]: https://kubernetes.io/docs/setup/ +[Minikube]: https://kubernetes.io/docs/tasks/tools/install-minikube/ +[Helm]: https://docs.helm.sh/using_helm/ +{{ define "chart.valuesTable" }} +| Parameter | Description | Default | +| --- | --- | --- | + {{- range .Values }} +| `{{ .Key }}` | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | + {{- end }} +{{ end }} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/NOTES.txt b/incubator/tencent-infrastructure-automation-for-crossplane/templates/NOTES.txt new file mode 100644 index 0000000..f1c8a0c --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/NOTES.txt 
@@ -0,0 +1,8 @@ +Release: {{.Release.Name}} + +Chart Name: {{.Chart.Name}} +Chart Description: {{.Chart.Description}} +Chart Version: {{.Chart.Version}} +Chart Application Version: {{.Chart.AppVersion}} + +Kube Version: {{.Capabilities.KubeVersion}} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/_helpers.tpl b/incubator/tencent-infrastructure-automation-for-crossplane/templates/_helpers.tpl new file mode 100644 index 0000000..ef1c0d4 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/_helpers.tpl @@ -0,0 +1,43 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "crossplane.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "crossplane.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate basic labels +*/}} +{{- define "crossplane.labels" }} +helm.sh/chart: {{ include "crossplane.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: cloud-infrastructure-controller +app.kubernetes.io/part-of: {{ template "crossplane.name" . }} +app.kubernetes.io/name: {{ include "crossplane.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end }} + +{{/* +Define ExternalSecretStoreEnabled Feature Flag +*/}} +{{- define "crossplane.externalSecretStoresEnabled" -}} +{{- if has "--enable-external-secret-stores" .Values.args -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} 
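Review bot: `crossplane.externalSecretStoresEnabled` in _helpers.tpl only matches the exact token `--enable-external-secret-stores` in `.Values.args`, so if the flag is ever passed in any other spelling (for example with an explicit `=true`) the helper silently returns `false`; deployment.yaml then omits `ESS_TLS_SERVER_SECRET_NAME` from the init container while the main container still receives the flag from `.Values.args`, and the two containers disagree about whether external secret stores are on. Either iterate `.Values.args` and test `hasPrefix "--enable-external-secret-stores"`, or document that only the bare form is recognised. Also, `crossplane.name` reads `.Values.nameOverride`, which the README values table does not list; add it there or drop the override.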
diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/clusterrole.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/clusterrole.yaml new file mode 100644 index 0000000..5559ae3 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/clusterrole.yaml 
@@ -0,0 +1,107 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }} + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +{{- if .Values.rbacManager.deploy }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-crossplane: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}:system:aggregate-to-crossplane + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} + crossplane.io/scope: "system" + rbac.crossplane.io/aggregate-to-crossplane: "true" +{{- end }} +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - patch + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + - customresourcedefinitions/status + verbs: + - "*" +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - "*" +- apiGroups: + - apiextensions.crossplane.io + - pkg.crossplane.io + - secrets.crossplane.io + resources: + - "*" + verbs: + - "*" +- apiGroups: + - extensions + - apps + resources: + - deployments + verbs: + - get + - list + - create + - update + - patch + - delete + - watch +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - create + - update + - patch + - watch + - delete +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - create + - update + - patch + - watch + - delete 
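Review bot: The rules in clusterrole.yaml make the crossplane ServiceAccount effectively cluster-admin, and nothing in the chart says so. Cluster-wide `secrets` with `create`/`update` together with `serviceaccounts` at `*` lets a compromised controller create a `kubernetes.io/service-account-token` Secret for any ServiceAccount in any namespace (including one bound to cluster-admin) and read the token back; `deployments` with `create` lets it run a workload under any ServiceAccount; and `mutatingwebhookconfigurations` with `create`/`update` lets it rewrite every admission request in the cluster. This is the upstream Crossplane model the chart is copied from, but a product chart should state it in the README next to `rbacManager.deploy` and `rbacManager.skipAggregatedClusterRoles`, and the container `securityContext` defaults should be hardened to match. Note also that with `rbacManager.deploy: true` the first ClusterRole carries an `aggregationRule`, so its `rules` are owned by the aggregation controller; the `rules:` block after `{{- end }}` attaches to the `:system:aggregate-to-crossplane` role, which is the intended layout but easy to misread, so a template comment would help. Minor: `apiGroups: - extensions` for `deployments` is dead weight, since Deployments left the `extensions` group in Kubernetes 1.16, the README's stated minimum; drop it.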
diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/clusterrolebinding.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..695603a --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/clusterrolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "crossplane.name" . }} + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "crossplane.name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "crossplane.name" . }} + namespace: {{ .Release.Namespace }} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/deployment.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/deployment.yaml new file mode 100644 index 0000000..d6e31a7 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/deployment.yaml 
@@ -0,0 +1,244 @@ +{{- $externalSecretStoresEnabled := include "crossplane.externalSecretStoresEnabled" . | eq "true" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "crossplane.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "crossplane.name" . }} + release: {{ .Release.Name }} + {{- include "crossplane.labels" . | indent 4 }} + {{- with .Values.customAnnotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ template "crossplane.name" . }} + release: {{ .Release.Name }} + strategy: + type: {{ .Values.deploymentStrategy }} + template: + metadata: + {{- if or .Values.metrics.enabled .Values.customAnnotations }} + annotations: + {{- end }} + {{- if .Values.metrics.enabled }} + prometheus.io/path: /metrics + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + {{- end }} + {{- with .Values.customAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app: {{ template "crossplane.name" . }} + release: {{ .Release.Name }} + {{- include "crossplane.labels" . | indent 8 }} + spec: + {{- with .Values.podSecurityContextCrossplane }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + serviceAccountName: {{ template "crossplane.name" . 
}} + hostNetwork: {{ .Values.hostNetwork }} + initContainers: + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + args: + - core + - init + {{- range $arg := .Values.provider.packages }} + - --provider + - "{{ $arg }}" + {{- end }} + {{- range $arg := .Values.configuration.packages }} + - --configuration + - "{{ $arg }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }}-init + resources: + {{- toYaml .Values.resourcesCrossplane | nindent 12 }} + {{- with .Values.securityContextCrossplane }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }}-init + resource: limits.cpu + divisor: "1" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }}-init + resource: limits.memory + divisor: "1" + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.webhooks.enabled }} + - name: "WEBHOOK_SERVICE_NAME" + value: {{ template "crossplane.name" . 
}}-webhooks + - name: "WEBHOOK_SERVICE_NAMESPACE" + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: "WEBHOOK_SERVICE_PORT" + value: "9443" + {{- else }} + - name: "WEBHOOK_ENABLED" + value: "false" + {{- end }} + {{- if $externalSecretStoresEnabled }} + - name: "ESS_TLS_SERVER_SECRET_NAME" + value: ess-server-certs + {{- end }} + - name: "TLS_CA_SECRET_NAME" + value: crossplane-root-ca + - name: "TLS_SERVER_SECRET_NAME" + value: crossplane-tls-server + - name: "TLS_CLIENT_SECRET_NAME" + value: crossplane-tls-client + containers: + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + args: + - core + - start + {{- range $arg := .Values.args }} + - {{ $arg }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }} + resources: + {{- toYaml .Values.resourcesCrossplane | nindent 12 }} + startupProbe: + failureThreshold: 30 + periodSeconds: 2 + tcpSocket: + port: readyz + ports: + - name: readyz + containerPort: 8081 + {{- if .Values.metrics.enabled }} + - name: metrics + containerPort: 8080 + {{- end }} + {{- if .Values.webhooks.enabled }} + - name: webhooks + containerPort: 9443 + {{- end }} + {{- with .Values.securityContextCrossplane }} + securityContext: + {{- toYaml . 
| nindent 12 }} + {{- end }} + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }} + resource: limits.cpu + divisor: "1" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }} + resource: limits.memory + divisor: "1" + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: LEADER_ELECTION + value: "{{ .Values.leaderElection }}" + {{- if .Values.registryCaBundleConfig.key }} + - name: CA_BUNDLE_PATH + value: "/certs/{{ .Values.registryCaBundleConfig.key }}" + {{- end}} + {{- if not .Values.webhooks.enabled }} + - name: "WEBHOOK_ENABLED" + value: "false" + {{- end }} + - name: "TLS_SERVER_SECRET_NAME" + value: crossplane-tls-server + - name: "TLS_SERVER_CERTS_DIR" + value: /tls/server + - name: "TLS_CLIENT_SECRET_NAME" + value: crossplane-tls-client + - name: "TLS_CLIENT_CERTS_DIR" + value: /tls/client + {{- range $key, $value := .Values.extraEnvVarsCrossplane }} + - name: {{ $key | replace "." 
"_" }} + value: {{ $value | quote }} + {{- end}} + volumeMounts: + - mountPath: /cache + name: package-cache + {{- if .Values.registryCaBundleConfig.name }} + - mountPath: /certs + name: ca-certs + {{- end }} + {{- if .Values.extraVolumeMountsCrossplane }} + {{- toYaml .Values.extraVolumeMountsCrossplane | nindent 10 }} + {{- end }} + - mountPath: /tls/server + name: tls-server-certs + - mountPath: /tls/client + name: tls-client-certs + volumes: + - name: package-cache + {{- if .Values.packageCache.pvc }} + persistentVolumeClaim: + claimName: {{ .Values.packageCache.pvc }} + {{- else if .Values.packageCache.configMap }} + configMap: + name: {{ .Values.packageCache.configMap }} + {{- else }} + emptyDir: + medium: {{ .Values.packageCache.medium }} + sizeLimit: {{ .Values.packageCache.sizeLimit }} + {{- end }} + {{- if .Values.registryCaBundleConfig.name }} + - name: ca-certs + configMap: + name: {{ .Values.registryCaBundleConfig.name }} + items: + - key: {{ .Values.registryCaBundleConfig.key }} + path: {{ .Values.registryCaBundleConfig.key }} + {{- end }} + - name: tls-server-certs + secret: + secretName: crossplane-tls-server + - name: tls-client-certs + secret: + secretName: crossplane-tls-client + {{- if .Values.extraVolumesCrossplane }} + {{- toYaml .Values.extraVolumesCrossplane | nindent 6 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{ toYaml .Values.tolerations | nindent 6 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- with .Values.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/extra-objects.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/extra-objects.yaml new file mode 100644 index 0000000..a9bb3b6 --- /dev/null 
+++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/extra-objects.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-allowed-provider-permissions.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-allowed-provider-permissions.yaml new file mode 100644 index 0000000..9a373ff --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-allowed-provider-permissions.yaml @@ -0,0 +1,14 @@ +{{- if .Values.rbacManager.deploy }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}:allowed-provider-permissions + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true" +{{- end}} \ No newline at end of file diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-clusterrole.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-clusterrole.yaml new file mode 100644 index 0000000..8943b5f --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-clusterrole.yaml 
@@ -0,0 +1,135 @@ +{{- if .Values.rbacManager.deploy }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}-rbac-manager + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +# The RBAC manager creates a series of RBAC roles for each namespace it sees. +# These RBAC roles are controlled (in the owner reference sense) by the namespace. +# The RBAC manager needs permission to set finalizers on Namespaces in order to +# create resources that block their deletion when the +# OwnerReferencesPermissionEnforcement admission controller is enabled. +# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement +- apiGroups: + - "" + resources: + - namespaces/finalizers + verbs: + - update +- apiGroups: + - apiextensions.crossplane.io + resources: + - compositeresourcedefinitions + verbs: + - get + - list + - watch +# The RBAC manager creates a series of RBAC cluster roles for each XRD it sees. +# These cluster roles are controlled (in the owner reference sense) by the XRD. +# The RBAC manager needs permission to set finalizers on XRDs in order to +# create resources that block their deletion when the +# OwnerReferencesPermissionEnforcement admission controller is enabled. 
+# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement +- apiGroups: + - apiextensions.crossplane.io + resources: + - compositeresourcedefinitions/finalizers + verbs: + - update +- apiGroups: + - pkg.crossplane.io + resources: + - providerrevisions + verbs: + - get + - list + - watch +# The RBAC manager creates a series of RBAC cluster roles for each ProviderRevision +# it sees. These cluster roles are controlled (in the owner reference sense) by the +# ProviderRevision. The RBAC manager needs permission to set finalizers on +# ProviderRevisions in order to create resources that block their deletion when the +# OwnerReferencesPermissionEnforcement admission controller is enabled. +# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement +- apiGroups: + - pkg.crossplane.io + resources: + - providerrevisions/finalizers + verbs: + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - roles + verbs: + - get + - list + - watch + - create + - update + - patch + # The RBAC manager may grant access it does not have. + - escalate +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - bind +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - "*" +- apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - create + - update + - patch + - watch + - delete +{{- end}} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-clusterrolebinding.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-clusterrolebinding.yaml new file mode 100644 index 0000000..56e0300 --- /dev/null 
+++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbacManager.deploy }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "crossplane.name" . }}-rbac-manager + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "crossplane.name" . }}-rbac-manager +subjects: +- kind: ServiceAccount + name: rbac-manager + namespace: {{ .Release.Namespace }} +{{- end}} \ No newline at end of file diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-deployment.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-deployment.yaml new file mode 100644 index 0000000..c94915d --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-deployment.yaml 
@@ -0,0 +1,120 @@ +{{- if .Values.rbacManager.deploy }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "crossplane.name" . }}-rbac-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "crossplane.name" . }}-rbac-manager + release: {{ .Release.Name }} + {{- include "crossplane.labels" . | indent 4 }} + {{- with .Values.customAnnotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.rbacManager.replicas }} + selector: + matchLabels: + app: {{ template "crossplane.name" . }}-rbac-manager + release: {{ .Release.Name }} + strategy: + type: {{ .Values.deploymentStrategy }} + template: + metadata: + {{- if or .Values.metrics.enabled .Values.customAnnotations }} + annotations: + {{- end }} + {{- if .Values.metrics.enabled }} + prometheus.io/path: /metrics + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + {{- end }} + {{- with .Values.customAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app: {{ template "crossplane.name" . }}-rbac-manager + release: {{ .Release.Name }} + {{- include "crossplane.labels" . | indent 8 }} + spec: + {{- with .Values.podSecurityContextRBACManager }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + serviceAccountName: rbac-manager + initContainers: + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + args: + - rbac + - init + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }}-init + resources: + {{- toYaml .Values.resourcesRBACManager | nindent 12 }} + {{- with .Values.securityContextRBACManager }} + securityContext: + {{- toYaml . 
| nindent 12 }} + {{- end }} + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }}-init + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }}-init + resource: limits.memory + containers: + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + args: + - rbac + - start + {{- range $arg := .Values.rbacManager.args }} + - {{ $arg }} + {{- end }} + - --provider-clusterrole={{ template "crossplane.name" . }}:allowed-provider-permissions + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }} + resources: + {{- toYaml .Values.resourcesRBACManager | nindent 12 }} + {{- if .Values.metrics.enabled }} + ports: + - name: metrics + containerPort: 8080 + {{- end }} + {{- with .Values.securityContextRBACManager }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }} + resource: limits.cpu + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: {{ .Chart.Name }} + resource: limits.memory + - name: LEADER_ELECTION + value: "{{ .Values.rbacManager.leaderElection }}" + {{- range $key, $value := .Values.extraEnvVarsRBACManager }} + - name: {{ $key | replace "." "_" }} + value: {{ $value | quote }} + {{- end}} + {{- if .Values.rbacManager.nodeSelector }} + nodeSelector: {{ toYaml .Values.rbacManager.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.rbacManager.tolerations }} + tolerations: {{ toYaml .Values.rbacManager.tolerations | nindent 6 }} + {{- end }} + {{- if .Values.rbacManager.affinity }} + affinity: {{ toYaml .Values.rbacManager.affinity | nindent 8 }} + {{- end }} +{{- end}} 
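Review bot: `serviceAccountName: rbac-manager` in templates/rbac-manager-deployment.yaml is a fixed name (matched by the fixed `name: rbac-manager` in rbac-manager-serviceaccount.yaml and by the subject of rbac-manager-clusterrolebinding.yaml), while every other resource in the chart is derived from `crossplane.name`; two releases in one namespace would collide on that ServiceAccount and the second `helm install` would fail on the pre-existing object, so use `{{ template "crossplane.name" . }}-rbac-manager` in all three places. The `GOMAXPROCS`/`GOMEMLIMIT` `resourceFieldRef` entries in this file also omit the `divisor: "1"` that deployment.yaml sets; the default divisor is 1, so the rendered value is the same, but keep the two deployments consistent.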
diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-managed-clusterroles.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-managed-clusterroles.yaml new file mode 100644 index 0000000..2ddd200 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-managed-clusterroles.yaml 
@@ -0,0 +1,191 @@ +{{- if .Values.rbacManager.deploy }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "crossplane.name" . }}-admin + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "crossplane.name" . }}-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: {{ template "crossplane.name" . }}:masters +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}-admin + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-admin: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}-edit + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-edit: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}-view + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-view: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}-browse + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . 
| indent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.crossplane.io/aggregate-to-browse: "true" +{{- if not .Values.rbacManager.skipAggregatedClusterRoles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}:aggregate-to-admin + labels: + rbac.crossplane.io/aggregate-to-admin: "true" + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +rules: +# Crossplane administrators have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane administrators must create provider credential secrets, and may +# need to read or otherwise interact with connection secrets. They may also need +# to create or annotate namespaces. +- apiGroups: [""] + resources: [secrets, namespaces] + verbs: ["*"] +# Crossplane administrators have access to view the roles that they may be able +# to grant to other subjects. +- apiGroups: [rbac.authorization.k8s.io] + resources: [clusterroles, roles] + verbs: [get, list, watch] +# Crossplane administrators have access to grant the access they have to other +# subjects. +- apiGroups: [rbac.authorization.k8s.io] + resources: [clusterrolebindings, rolebindings] + verbs: ["*"] +# Crossplane administrators have full access to built in Crossplane types. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: ["*"] +- apiGroups: + - pkg.crossplane.io + resources: ["*"] + verbs: ["*"] +# Crossplane administrators have access to view CRDs in order to debug XRDs. +- apiGroups: [apiextensions.k8s.io] + resources: [customresourcedefinitions] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}:aggregate-to-edit + labels: + rbac.crossplane.io/aggregate-to-edit: "true" + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . 
| indent 4 }} +rules: +# Crossplane editors have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane editors must create provider credential secrets, and may need to +# read or otherwise interact with connection secrets. +- apiGroups: [""] + resources: [secrets] + verbs: ["*"] +# Crossplane editors may see which namespaces exist, but not edit them. +- apiGroups: [""] + resources: [namespaces] + verbs: [get, list, watch] +# Crossplane editors have full access to built in Crossplane types. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: ["*"] +- apiGroups: + - pkg.crossplane.io + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}:aggregate-to-view + labels: + rbac.crossplane.io/aggregate-to-view: "true" + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +rules: +# Crossplane viewers have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane viewers may see which namespaces exist. +- apiGroups: [""] + resources: [namespaces] + verbs: [get, list, watch] +# Crossplane viewers have read-only access to built in Crossplane types. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: [get, list, watch] +- apiGroups: + - pkg.crossplane.io + resources: ["*"] + verbs: [get, list, watch] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "crossplane.name" . }}:aggregate-to-browse + labels: + rbac.crossplane.io/aggregate-to-browse: "true" + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +rules: +# Crossplane browsers have access to view events. +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch] +# Crossplane browsers have read-only access to compositions and XRDs. 
This +# allows them to discover and select an appropriate composition when creating a +# resource claim. +- apiGroups: + - apiextensions.crossplane.io + resources: ["*"] + verbs: [get, list, watch] +{{- end }} +{{- end }} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-serviceaccount.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-serviceaccount.yaml new file mode 100644 index 0000000..ae00f94 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/rbac-manager-serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbacManager.deploy }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rbac-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range $index, $secret := .Values.imagePullSecrets }} +- name: {{ $secret }} +{{- end }} +{{- end }} +{{- end}} \ No newline at end of file diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/secret.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/secret.yaml new file mode 100644 index 0000000..78d05eb --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/secret.yaml 
@@ -0,0 +1,43 @@ +{{- $externalSecretStoresEnabled := include "crossplane.externalSecretStoresEnabled" . | eq "true" -}} +{{- if $externalSecretStoresEnabled }} +--- +# The reason this is created empty and filled by the init container is we want +# to manage the lifecycle of the secret via Helm. This way whenever Crossplane +# is deleted, the secret is deleted as well. +apiVersion: v1 +kind: Secret +metadata: + name: ess-server-certs + namespace: {{ .Release.Namespace }} +type: Opaque +{{- end }} +--- +# The reason this is created empty and filled by the init container is we want +# to manage the lifecycle of the secret via Helm. This way whenever Crossplane +# is deleted, the secret is deleted as well. +apiVersion: v1 +kind: Secret +metadata: + name: crossplane-root-ca + namespace: {{ .Release.Namespace }} +type: Opaque +--- +# The reason this is created empty and filled by the init container is we want +# to manage the lifecycle of the secret via Helm. This way whenever Crossplane +# is deleted, the secret is deleted as well. +apiVersion: v1 +kind: Secret +metadata: + name: crossplane-tls-server + namespace: {{ .Release.Namespace }} +type: Opaque +--- +# The reason this is created empty and filled by the init container is we want +# to manage the lifecycle of the secret via Helm. This way whenever Crossplane +# is deleted, the secret is deleted as well. +apiVersion: v1 +kind: Secret +metadata: + name: crossplane-tls-client + namespace: {{ .Release.Namespace }} +type: Opaque \ No newline at end of file diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/service.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/service.yaml new file mode 100644 index 0000000..d4ca47a --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/service.yaml 
@@ -0,0 +1,19 @@ +{{- if .Values.webhooks.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "crossplane.name" . }}-webhooks + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "crossplane.name" . }} + release: {{ .Release.Name }} + {{- include "crossplane.labels" . | indent 4 }} +spec: + selector: + app: {{ template "crossplane.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: 9443 + targetPort: 9443 +{{- end }} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/templates/serviceaccount.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/templates/serviceaccount.yaml new file mode 100644 index 0000000..66d948c --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "crossplane.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "crossplane.name" . }} + {{- include "crossplane.labels" . | indent 4 }} + {{- with .Values.serviceAccount.customAnnotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range $index, $secret := .Values.imagePullSecrets }} +- name: {{ $secret }} +{{- end }} +{{ end }} diff --git a/incubator/tencent-infrastructure-automation-for-crossplane/values.yaml b/incubator/tencent-infrastructure-automation-for-crossplane/values.yaml new file mode 100644 index 0000000..51fc3b3 --- /dev/null +++ b/incubator/tencent-infrastructure-automation-for-crossplane/values.yaml 
@@ -0,0 +1,177 @@ +# helm-docs renders these comments into markdown. Use markdown formatting where +# appropiate. +# +# -- The number of Crossplane pod `replicas` to deploy. +replicas: 1 + +# -- The deployment strategy for the Crossplane and RBAC Manager pods. +deploymentStrategy: RollingUpdate + +image: + # -- Repository for the Crossplane pod image. + repository: ccr.ccs.tencentyun.com/tke-market/crossplane + # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`. + tag: "v1.15.2" + # -- The image pull policy used for Crossplane and RBAC Manager pods. + pullPolicy: IfNotPresent + +# -- Add `nodeSelectors` to the Crossplane pod deployment. +nodeSelector: {} +# -- Add `tolerations` to the Crossplane pod deployment. +tolerations: [] +# -- Add `affinities` to the Crossplane pod deployment. +affinity: {} + +# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`. +hostNetwork: false + +# -- Specify the `dnsPolicy` to be used by the Crossplane pod. +dnsPolicy: "" + +# -- Add custom `labels` to the Crossplane pod deployment. +customLabels: {} + +# -- Add custom `annotations` to the Crossplane pod deployment. +customAnnotations: {} + +serviceAccount: + # -- Add custom `annotations` to the Crossplane ServiceAccount. + customAnnotations: {} + +# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod. +leaderElection: true +# -- Add custom arguments to the Crossplane pod. +args: [] + +provider: + # -- A list of Provider packages to install. + packages: [] + +configuration: + # -- A list of Configuration packages to install. + packages: [] + +# -- The imagePullSecret names to add to the Crossplane ServiceAccount. 
+imagePullSecrets: {} + +registryCaBundleConfig: + # -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates. + name: "" + # -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates. + key: "" + +webhooks: + # -- Enable webhooks for Crossplane and installed Provider packages. + enabled: true + +rbacManager: + # -- Deploy the RBAC Manager pod and its required roles. + deploy: true + # -- Don't install aggregated Crossplane ClusterRoles. + skipAggregatedClusterRoles: false + # -- The number of RBAC Manager pod `replicas` to deploy. + replicas: 1 + # -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod. + leaderElection: true + # -- Add custom arguments to the RBAC Manager pod. + args: [] + # -- Add `nodeSelectors` to the RBAC Manager pod deployment. + nodeSelector: {} + # -- Add `tolerations` to the RBAC Manager pod deployment. + tolerations: [] + # -- Add `affinities` to the RBAC Manager pod deployment. + affinity: {} + +# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods. +priorityClassName: "" + +resourcesCrossplane: + limits: + # -- CPU resource limits for the Crossplane pod. + cpu: 500m + # -- Memory resource limits for the Crossplane pod. + memory: 1024Mi + requests: + # -- CPU resource requests for the Crossplane pod. + cpu: 100m + # -- Memory resource requests for the Crossplane pod. + memory: 256Mi + +securityContextCrossplane: + # -- The user ID used by the Crossplane pod. + runAsUser: 65532 + # -- The group ID used by the Crossplane pod. + runAsGroup: 65532 + # -- Enable `allowPrivilegeEscalation` for the Crossplane pod. + allowPrivilegeEscalation: false + # -- Set the Crossplane pod root file system as read-only. 
+ readOnlyRootFilesystem: true + +packageCache: + # -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development. + medium: "" + # -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory. + sizeLimit: 20Mi + # -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume. + pvc: "" + # -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume. + configMap: "" + +resourcesRBACManager: + limits: + # -- CPU resource limits for the RBAC Manager pod. + cpu: 100m + # -- Memory resource limits for the RBAC Manager pod. + memory: 512Mi + requests: + # -- CPU resource requests for the RBAC Manager pod. + cpu: 100m + # -- Memory resource requests for the RBAC Manager pod. + memory: 256Mi + +securityContextRBACManager: + # -- The user ID used by the RBAC Manager pod. + runAsUser: 65532 + # -- The group ID used by the RBAC Manager pod. + runAsGroup: 65532 + # -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod. + allowPrivilegeEscalation: false + # -- Set the RBAC Manager pod root file system as read-only. + readOnlyRootFilesystem: true + +metrics: + # -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods. + enabled: false + +# -- Add custom environmental variables to the Crossplane pod deployment. +# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`. +extraEnvVarsCrossplane: {} + +# -- Add custom environmental variables to the RBAC Manager pod deployment. +# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`. +extraEnvVarsRBACManager: {} + +# -- Add a custom `securityContext` to the Crossplane pod. 
+podSecurityContextCrossplane: {} + +# -- Add a custom `securityContext` to the RBAC Manager pod. +podSecurityContextRBACManager: {} + +# -- Add custom `volumes` to the Crossplane pod. +extraVolumesCrossplane: {} + +# -- Add custom `volumeMounts` to the Crossplane pod. +extraVolumeMountsCrossplane: {} + +# -- To add arbitrary Kubernetes Objects during a Helm Install +extraObjects: [] + # - apiVersion: pkg.crossplane.io/v1alpha1 + # kind: ControllerConfig + # metadata: + # name: aws-config + # annotations: + # eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example + # helm.sh/hook: post-install + # spec: + # podSecurityContext: + # fsGroup: 2000
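Review bot: in templates/deployment.yaml the main container's `{{- range $arg := .Values.args }}` loop emits `- {{ $arg }}` unquoted, while the init container's `provider`/`configuration` loops quote each entry as `- "{{ $arg }}"`; an argument beginning with `*`, `{` or `[`, or containing `: `, would be parsed as YAML rather than as a string, so quote it the same way. The same file hardcodes the Secret names `crossplane-root-ca`, `crossplane-tls-server` and `crossplane-tls-client` in both the `TLS_*_SECRET_NAME` env vars and the `volumes:` list instead of deriving them from `crossplane.name`, so two releases in one namespace would share and overwrite each other's TLS material; either template the names (in secret.yaml as well) or document that the chart supports one release per namespace. Only a `startupProbe` is defined on the `readyz` port; add `readinessProbe`/`livenessProbe` so a controller that stops answering `readyz` after startup is taken out of service and restarted.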
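Review bot: in templates/rbac-manager-clusterrole.yaml the combination of `escalate` on `clusterroles`/`roles`, `bind` on `clusterroles` and `verbs: ["*"]` on `clusterrolebindings` makes the `rbac-manager` ServiceAccount cluster-admin-equivalent (it can write any ClusterRole and bind it to any subject, including itself); the inline comment acknowledges the escalation, but the `rbacManager.deploy` entry in values.yaml should state it explicitly so operators know that `deploy: false` is the least-privilege choice. The final rule lists `apiGroups: ["", coordination.k8s.io]` against `resources: [configmaps, leases]`; RBAC expands that as a cross product, so it also grants `configmaps` in `coordination.k8s.io` and `leases` in the core group (neither exists). Split it into one rule per group, and drop `configmaps` if the leader-election lock only uses Leases.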
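Review bot: in templates/rbac-manager-managed-clusterroles.yaml the `:aggregate-to-edit` ClusterRole grants `verbs: ["*"]` on `secrets` with no namespace restriction, and `:aggregate-to-admin` does the same for `secrets` and `namespaces`; bound through a ClusterRoleBinding, a Crossplane "editor" can read and modify every Secret in the cluster, not only provider credentials and connection secrets. The comment explains why editors need Secret access, but the chart's documentation should say that these ClusterRoles are meant to be granted with namespaced RoleBindings wherever cluster-wide Secret access is not intended, since a ClusterRole referenced by a RoleBinding is scoped to that namespace. The `-admin` ClusterRoleBinding to the group `{{ template "crossplane.name" . }}:masters` is also created unconditionally whenever `rbacManager.deploy` is true; consider gating it behind its own value so clusters that do not map that group name do not carry a standing admin binding.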
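Review bot: the four Secrets in templates/secret.yaml (`ess-server-certs`, `crossplane-root-ca`, `crossplane-tls-server`, `crossplane-tls-client`) have no `labels:` block, unlike every other resource in the chart, which sets `app:` and includes `crossplane.labels`; add the same labels so the TLS material is selectable by the same selectors and attributable by tooling that audits Secrets per application. The explanatory comment is also repeated verbatim four times; one copy at the top of the file is enough.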
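Review bot: `securityContextCrossplane` and `securityContextRBACManager` in values.yaml set `runAsUser`/`runAsGroup`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` but omit `runAsNonRoot: true`, `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }`; without these the pods are rejected in namespaces that enforce the `restricted` Pod Security Standard, and `runAsNonRoot: true` is the check the kubelet enforces at container start regardless of which uid the image declares. Two smaller points in the same file: `imagePullSecrets: {}`, `extraVolumesCrossplane: {}` and `extraVolumeMountsCrossplane: {}` default to maps although the templates consume them as lists (`range $index, $secret := .Values.imagePullSecrets` and `toYaml` into the `volumes:`/`volumeMounts:` sequences), so the documented defaults should be `[]`; and `image.tag: "v1.15.2"` contradicts its own comment ("Defaults to the value of `appVersion` in `Chart.yaml`"), because a non-empty tag always wins over the `default (printf "v%s" .Chart.AppVersion)` fallback in the templates. Either ship `tag: ""` or fix the comment, and consider pinning the image by digest so the rendered Deployment cannot change silently if the tag is re-pushed.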