308 lines
12 KiB
Diff
308 lines
12 KiB
Diff
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
|
|
index af32c5b..1fdf723 100644
|
|
--- a/templates/_helpers.tpl
|
|
+++ b/templates/_helpers.tpl
|
|
@@ -39,6 +39,7 @@ helm.sh/chart: {{ include "chart.chart" . }}
|
|
{{- if .Chart.AppVersion }}
|
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|
{{- end }}
|
|
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
|
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
{{- end }}
|
|
|
|
@@ -75,3 +76,16 @@ Return the target Kubernetes version
|
|
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
+
|
|
+{{- define "resource.vpa.enabled" -}}
|
|
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.giantswarm.resources.vpa.enabled) }}true{{ else }}false{{ end }}
|
|
+{{- end -}}
|
|
+
|
|
+{{- define "deployment.resources" -}}
|
|
+requests:
|
|
+{{ toYaml .Values.giantswarm.resources.server.requests | indent 2 -}}
|
|
+{{ if eq (include "resource.vpa.enabled" .) "false" }}
|
|
+limits:
|
|
+{{ toYaml .Values.giantswarm.resources.server.limits | indent 2 -}}
|
|
+{{- end -}}
|
|
+{{- end -}}
|
|
diff --git a/templates/admin-user-roles.yaml b/templates/admin-user-roles.yaml
|
|
index 74a1844..c0fa72c 100644
|
|
--- a/templates/admin-user-roles.yaml
|
|
+++ b/templates/admin-user-roles.yaml
|
|
@@ -30,8 +30,8 @@ rules:
|
|
resources: ["terraforms"]
|
|
verbs: [ "get", "list", "watch", "patch" ]
|
|
|
|
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
|
|
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
|
|
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
|
|
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
|
|
{{- end }}
|
|
{{- if .Values.adminUser.createClusterRole }}
|
|
---
|
|
@@ -72,8 +72,8 @@ rules:
|
|
resources: [ "providers", "alerts" ]
|
|
verbs: [ "get", "list", "watch", "patch" ]
|
|
|
|
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
|
|
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
|
|
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
|
|
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
|
|
{{- end -}}
|
|
{{- end }}
|
|
{{- end }}
|
|
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
|
|
index a54c37c..a498259 100644
|
|
--- a/templates/deployment.yaml
|
|
+++ b/templates/deployment.yaml
|
|
@@ -36,8 +36,8 @@ spec:
|
|
- name: {{ .Chart.Name }}
|
|
securityContext:
|
|
{{- toYaml .Values.securityContext | nindent 12 }}
|
|
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
|
- imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
+ image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.server.image }}:{{ .Values.giantswarm.images.server.tag | default .Chart.AppVersion }}"
|
|
+ imagePullPolicy: {{ .Values.giantswarm.images.server.pullPolicy }}
|
|
args:
|
|
- "--log-level"
|
|
- "{{ .Values.logLevel }}"
|
|
@@ -88,7 +88,7 @@ spec:
|
|
{{- end }}
|
|
{{- end }}
|
|
resources:
|
|
- {{- toYaml .Values.resources | nindent 12 }}
|
|
+ {{- include "deployment.resources" . | nindent 12 }}
|
|
{{- if or .Values.serverTLS.enable .Values.extraVolumeMounts }}
|
|
volumeMounts:
|
|
{{- end }}
|
|
diff --git a/templates/role.yaml b/templates/role.yaml
|
|
index b292176..5a55339 100644
|
|
--- a/templates/role.yaml
|
|
+++ b/templates/role.yaml
|
|
@@ -1,4 +1,4 @@
|
|
-{{- if .Values.rbac.create -}}
|
|
+{{- if .Values.giantswarm.rbac.create -}}
|
|
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
{{- else }}
|
|
@@ -6,32 +6,39 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|
{{- end }}
|
|
kind: ClusterRole
|
|
metadata:
|
|
- name: {{ include "chart.fullname" . }}
|
|
+ name: {{ include "chart.fullname" . }}
|
|
rules:
|
|
# impersonation rules for ui calls
|
|
+ {{- if .Values.giantswarm.rbac.impersonation.users.enabled }}
|
|
- apiGroups: [""]
|
|
- resources: {{ .Values.rbac.impersonationResources | toJson }}
|
|
+ resources: ["users"]
|
|
verbs: [ "impersonate" ]
|
|
- {{- with .Values.rbac.impersonationResourceNames }}
|
|
+ {{- with .Values.giantswarm.rbac.impersonation.users.resourceNames }}
|
|
resourceNames: {{ . | toJson }}
|
|
{{- end }}
|
|
+ {{- end }}
|
|
+ {{- if .Values.giantswarm.rbac.impersonation.groups.enabled }}
|
|
+ {{- if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled) }}
|
|
+ {{- fail "Enabling impersonation for groups requires users impersonation permissions, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation" }}
|
|
+ {{- end }}
|
|
+ - apiGroups: [""]
|
|
+ resources: ["groups"]
|
|
+ verbs: [ "impersonate" ]
|
|
+ {{- with .Values.giantswarm.rbac.impersonation.groups.resourceNames }}
|
|
+ resourceNames: {{ . | toJson }}
|
|
+ {{- end }}
|
|
+ {{- end }}
|
|
# Access to enterprise entitlement
|
|
- apiGroups: [""]
|
|
resources: [ "secrets" ]
|
|
verbs: [ "get", "list" ]
|
|
- {{- if and .Values.rbac.viewSecrets .Values.rbac.viewSecretsResourceNames }}
|
|
- {{- fail "You've supplied both rbac.viewSecrets and rbac.viewSecretsResourceNames. Please only use rbac.viewSecretsResourceNames" }}
|
|
- {{- end }}
|
|
- # or should return the first non-falsy result
|
|
- {{- with (or .Values.rbac.viewSecretsResourceNames .Values.rbac.viewSecrets) }}
|
|
+ {{- with .Values.giantswarm.rbac.viewSecretsResourceNames }}
|
|
resourceNames: {{ . | toJson }}
|
|
{{- end }}
|
|
-
|
|
# The service account needs to read namespaces to know where it can query
|
|
- apiGroups: [ "" ]
|
|
resources: [ "namespaces" ]
|
|
verbs: [ "get", "list", "watch" ]
|
|
-
|
|
# The service account needs to list custom resources to query if given feature
|
|
# is available or not.
|
|
- apiGroups: [ "apiextensions.k8s.io" ]
|
|
diff --git a/templates/rolebinding.yaml b/templates/rolebinding.yaml
|
|
index b8756fe..df718ff 100644
|
|
--- a/templates/rolebinding.yaml
|
|
+++ b/templates/rolebinding.yaml
|
|
@@ -1,4 +1,4 @@
|
|
-{{- if .Values.rbac.create -}}
|
|
+{{- if .Values.giantswarm.rbac.create -}}
|
|
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
{{- else }}
|
|
@@ -9,7 +9,7 @@ metadata:
|
|
name: {{ include "chart.fullname" . }}
|
|
labels:
|
|
{{- include "chart.labels" . | nindent 4 }}
|
|
- {{- with .Values.rbac.annotations }}
|
|
+ {{- with .Values.giantswarm.rbac.annotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
diff --git a/values.yaml b/values.yaml
|
|
index 374ad32..7b3b35f 100644
|
|
--- a/values.yaml
|
|
+++ b/values.yaml
|
|
@@ -1,16 +1,57 @@
|
|
-# Default values for chart.
|
|
-# This is a YAML-formatted file.
|
|
-# Declare variables to be passed into your templates.
|
|
+giantswarm:
|
|
+ images:
|
|
+ server:
|
|
+ image: giantswarm/weaveworks-wego-app
|
|
+ pullPolicy: IfNotPresent
|
|
+ tag: v0.18.0
|
|
+ test:
|
|
+ image: giantswarm/busybox
|
|
+ pullPolicy: IfNotPresent
|
|
+ tag: 1.36.0
|
|
+ resources:
|
|
+ vpa:
|
|
+ enabled: true
|
|
+ server:
|
|
+ limits:
|
|
+ cpu: 200m
|
|
+ memory: 256Mi
|
|
+ requests:
|
|
+ cpu: 100m
|
|
+ memory: 128Mi
|
|
+ test:
|
|
+ requests:
|
|
+ cpu: 10m
|
|
+ memory: 2Mi
|
|
+ limits:
|
|
+ cpu: 10m
|
|
+ memory: 4Mi
|
|
+ rbac:
|
|
+ create: true
|
|
+ impersonation:
|
|
+ users:
|
|
+ enabled: true
|
|
+ # -- If non-empty, this limits the users names that the service account
|
|
+ # can impersonate, e.g. `['user1@corporation.com', 'user2@corporation.com']`
|
|
+ resourceNames: []
|
|
+ groups:
|
|
+ enabled: true
|
|
+ # -- If non-empty, this limits the groups names that the service account
|
|
+ # can impersonate, e.g. `['admins', 'operations', 'devops']`
|
|
+ resourceNames: []
|
|
+ # -- If non-empty, this limits the secrets that can be accessed by
|
|
+ # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
|
|
+ viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
|
|
+ # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
|
|
+ # for example,
|
|
+ # additionalRules:
|
|
+ # - apiGroups: ["infra.contrib.fluxcd.io"]
|
|
+ # resources: ["terraforms"]
|
|
+ # verbs: [ "get", "list", "patch" ]
|
|
+ additionalRules: []
|
|
|
|
-# Note: paragraphs starting with `# --` will end up in our manual -
|
|
-# see https://github.com/norwoodj/helm-docs
|
|
replicaCount: 1
|
|
image:
|
|
- # FIXME check the app name
|
|
- repository: ghcr.io/weaveworks/wego-app
|
|
- pullPolicy: IfNotPresent
|
|
- # Overrides the image tag whose default is the chart appVersion.
|
|
- tag: "v0.18.0"
|
|
+ registry: gsoci.azurecr.io
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
@@ -43,28 +84,9 @@ serviceAccount:
|
|
# -- The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
-rbac:
|
|
- # -- Specifies whether the clusterRole & binding to the service account should be created
|
|
- create: true
|
|
- # -- If non-empty, this limits the resources that the service
|
|
- # account can impersonate. This applies to both users and groups, e.g.
|
|
- # `['user1@corporation.com', 'user2@corporation.com', 'operations']`
|
|
- impersonationResourceNames: []
|
|
- # -- Limit the type of principal that can be impersonated
|
|
- impersonationResources: ["users", "groups"]
|
|
- # -- If non-empty, this limits the secrets that can be accessed by
|
|
- # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
|
|
- viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
|
|
- # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
|
|
- # for example,
|
|
- # additionalRules:
|
|
- # - apiGroups: ["infra.contrib.fluxcd.io"]
|
|
- # resources: ["terraforms"]
|
|
- # verbs: [ "get", "list", "patch" ]
|
|
- additionalRules: []
|
|
adminUser:
|
|
# -- Whether the local admin user should be created.
|
|
- # If you use this make sure you add it to `rbac.impersonationResourceNames`.
|
|
+ # If you use this make sure you add it to `giantswarm.rbac.impersonation.users.resourceNames`.
|
|
create: false
|
|
# -- Specifies whether the clusterRole & binding to the admin user should be created.
|
|
# Will be created only if `adminUser.create` is enabled. Without this,
|
|
@@ -82,7 +104,7 @@ adminUser:
|
|
# -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
|
|
# This needs to have been hashed using bcrypt.
|
|
# You can do this via our CLI with `gitops get bcrypt-hash`.
|
|
- passwordHash:
|
|
+ passwordHash: ""
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
# aadpodidbinding: identity
|
|
@@ -111,7 +133,7 @@ ingress:
|
|
annotations: {}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
- hosts:
|
|
+ hosts: []
|
|
# - host: chart-example.local
|
|
# paths:
|
|
# - path: /
|
|
@@ -123,8 +145,8 @@ ingress:
|
|
# - chart-example.local
|
|
extraVolumes: []
|
|
extraVolumeMounts: []
|
|
-# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
|
|
-# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
|
|
+# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
|
|
+# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
|
|
# secretProviderClass so this will be created by the secrets store CSI driver.
|
|
# See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
|
|
# extraVolumeMounts:
|
|
@@ -138,17 +160,6 @@ extraVolumeMounts: []
|
|
# readOnly: true
|
|
# volumeAttributes:
|
|
# secretProviderClass: ww-gitops-oauth-provider
|
|
-resources: {}
|
|
-# We usually recommend not to specify default resources and to leave this as a conscious
|
|
-# choice for the user. This also increases chances charts run on environments with little
|
|
-# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
-# limits:
|
|
-# cpu: 100m
|
|
-# memory: 128Mi
|
|
-# requests:
|
|
-# cpu: 100m
|
|
-# memory: 128Mi
|
|
|
|
networkPolicy:
|
|
# -- Specifies whether default network policies should be created.
|