diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index af32c5b..1fdf723 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -39,6 +39,7 @@ helm.sh/chart: {{ include "chart.chart" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} +application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} @@ -75,3 +76,16 @@ Return the target Kubernetes version {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} {{- end -}} {{- end -}} + +{{- define "resource.vpa.enabled" -}} +{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.giantswarm.resources.vpa.enabled) }}true{{ else }}false{{ end }} +{{- end -}} + +{{- define "deployment.resources" -}} +requests: +{{ toYaml .Values.giantswarm.resources.server.requests | indent 2 -}} +{{ if eq (include "resource.vpa.enabled" .) "false" }} +limits: +{{ toYaml .Values.giantswarm.resources.server.limits | indent 2 -}} +{{- end -}} +{{- end -}} diff --git a/templates/admin-user-roles.yaml b/templates/admin-user-roles.yaml index 74a1844..c0fa72c 100644 --- a/templates/admin-user-roles.yaml +++ b/templates/admin-user-roles.yaml @@ -30,8 +30,8 @@ rules: resources: ["terraforms"] verbs: [ "get", "list", "watch", "patch" ] -{{- if gt (len $.Values.rbac.additionalRules) 0 -}} -{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}} +{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}} +{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}} {{- end }} {{- if .Values.adminUser.createClusterRole }} --- @@ -72,8 +72,8 @@ rules: resources: [ "providers", "alerts" ] verbs: [ "get", "list", "watch", "patch" ] -{{- if gt (len $.Values.rbac.additionalRules) 0 -}} -{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}} +{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}} +{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}} {{- end -}} {{- end }} {{- end }} diff --git a/templates/deployment.yaml b/templates/deployment.yaml index a54c37c..a498259 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -36,8 +36,8 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.server.image }}:{{ .Values.giantswarm.images.server.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.giantswarm.images.server.pullPolicy }} args: - "--log-level" - "{{ .Values.logLevel }}" @@ -88,7 +88,7 @@ spec: {{- end }} {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- include "deployment.resources" . | nindent 12 }} {{- if or .Values.serverTLS.enable .Values.extraVolumeMounts }} volumeMounts: {{- end }} diff --git a/templates/role.yaml b/templates/role.yaml index b292176..5a55339 100644 --- a/templates/role.yaml +++ b/templates/role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.create -}} +{{- if .Values.giantswarm.rbac.create -}} {{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} apiVersion: rbac.authorization.k8s.io/v1beta1 {{- else }} @@ -6,32 +6,39 @@ apiVersion: rbac.authorization.k8s.io/v1 {{- end }} kind: ClusterRole metadata: - name: {{ include "chart.fullname" . }} + name: {{ include "chart.fullname" . }} rules: # impersonation rules for ui calls + {{- if .Values.giantswarm.rbac.impersonation.users.enabled }} - apiGroups: [""] - resources: {{ .Values.rbac.impersonationResources | toJson }} + resources: ["users"] verbs: [ "impersonate" ] - {{- with .Values.rbac.impersonationResourceNames }} + {{- with .Values.giantswarm.rbac.impersonation.users.resourceNames }} resourceNames: {{ . | toJson }} {{- end }} + {{- end }} + {{- if .Values.giantswarm.rbac.impersonation.groups.enabled }} + {{- if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled) }} + {{- fail "Enabling impersonation for groups requires users impersonation permissions, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation" }} + {{- end }} + - apiGroups: [""] + resources: ["groups"] + verbs: [ "impersonate" ] + {{- with .Values.giantswarm.rbac.impersonation.groups.resourceNames }} + resourceNames: {{ . | toJson }} + {{- end }} + {{- end }} # Access to enterprise entitlement - apiGroups: [""] resources: [ "secrets" ] verbs: [ "get", "list" ] - {{- if and .Values.rbac.viewSecrets .Values.rbac.viewSecretsResourceNames }} - {{- fail "You've supplied both rbac.viewSecrets and rbac.viewSecretsResourceNames. Please only use rbac.viewSecretsResourceNames" }} - {{- end }} - # or should return the first non-falsy result - {{- with (or .Values.rbac.viewSecretsResourceNames .Values.rbac.viewSecrets) }} + {{- with .Values.giantswarm.rbac.viewSecretsResourceNames }} resourceNames: {{ . | toJson }} {{- end }} - # The service account needs to read namespaces to know where it can query - apiGroups: [ "" ] resources: [ "namespaces" ] verbs: [ "get", "list", "watch" ] - # The service account needs to list custom resources to query if given feature # is available or not. - apiGroups: [ "apiextensions.k8s.io" ] diff --git a/templates/rolebinding.yaml b/templates/rolebinding.yaml index b8756fe..df718ff 100644 --- a/templates/rolebinding.yaml +++ b/templates/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.create -}} +{{- if .Values.giantswarm.rbac.create -}} {{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} apiVersion: rbac.authorization.k8s.io/v1beta1 {{- else }} @@ -9,7 +9,7 @@ metadata: name: {{ include "chart.fullname" . }} labels: {{- include "chart.labels" . | nindent 4 }} - {{- with .Values.rbac.annotations }} + {{- with .Values.giantswarm.rbac.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} diff --git a/values.yaml b/values.yaml index 374ad32..7b3b35f 100644 --- a/values.yaml +++ b/values.yaml @@ -1,16 +1,57 @@ -# Default values for chart. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +giantswarm: + images: + server: + image: giantswarm/weaveworks-wego-app + pullPolicy: IfNotPresent + tag: v0.18.0 + test: + image: giantswarm/busybox + pullPolicy: IfNotPresent + tag: 1.36.0 + resources: + vpa: + enabled: true + server: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + test: + requests: + cpu: 10m + memory: 2Mi + limits: + cpu: 10m + memory: 4Mi + rbac: + create: true + impersonation: + users: + enabled: true + # -- If non-empty, this limits the users names that the service account + # can impersonate, e.g. `['user1@corporation.com', 'user2@corporation.com']` + resourceNames: [] + groups: + enabled: true + # -- If non-empty, this limits the groups names that the service account + # can impersonate, e.g. `['admins', 'operations', 'devops']` + resourceNames: [] + # -- If non-empty, this limits the secrets that can be accessed by + # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']` + viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"] + # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role. + # for example, + # additionalRules: + # - apiGroups: ["infra.contrib.fluxcd.io"] + # resources: ["terraforms"] + # verbs: [ "get", "list", "patch" ] + additionalRules: [] -# Note: paragraphs starting with `# --` will end up in our manual - -# see https://github.com/norwoodj/helm-docs replicaCount: 1 image: - # FIXME check the app name - repository: ghcr.io/weaveworks/wego-app - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "v0.18.0" + registry: gsoci.azurecr.io imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -43,28 +84,9 @@ serviceAccount: # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" -rbac: - # -- Specifies whether the clusterRole & binding to the service account should be created - create: true - # -- If non-empty, this limits the resources that the service - # account can impersonate. This applies to both users and groups, e.g. - # `['user1@corporation.com', 'user2@corporation.com', 'operations']` - impersonationResourceNames: [] - # -- Limit the type of principal that can be impersonated - impersonationResources: ["users", "groups"] - # -- If non-empty, this limits the secrets that can be accessed by - # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']` - viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"] - # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role. - # for example, - # additionalRules: - # - apiGroups: ["infra.contrib.fluxcd.io"] - # resources: ["terraforms"] - # verbs: [ "get", "list", "patch" ] - additionalRules: [] adminUser: # -- Whether the local admin user should be created. - # If you use this make sure you add it to `rbac.impersonationResourceNames`. + # If you use this make sure you add it to `giantswarm.rbac.impersonation.users.resourceNames`. create: false # -- Specifies whether the clusterRole & binding to the admin user should be created. # Will be created only if `adminUser.create` is enabled. Without this, @@ -82,7 +104,7 @@ adminUser: # -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret` # This needs to have been hashed using bcrypt. # You can do this via our CLI with `gitops get bcrypt-hash`. - passwordHash: + passwordHash: "" podAnnotations: {} podLabels: {} # aadpodidbinding: identity @@ -111,7 +133,7 @@ ingress: annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" - hosts: + hosts: [] # - host: chart-example.local # paths: # - path: / @@ -123,8 +145,8 @@ ingress: # - chart-example.local extraVolumes: [] extraVolumeMounts: [] -# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret -# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the +# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret +# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the # secretProviderClass so this will be created by the secrets store CSI driver. # See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html # extraVolumeMounts: @@ -138,17 +160,6 @@ extraVolumeMounts: [] # readOnly: true # volumeAttributes: # secretProviderClass: ww-gitops-oauth-provider -resources: {} -# We usually recommend not to specify default resources and to leave this as a conscious -# choice for the user. This also increases chances charts run on environments with little -# resources, such as Minikube. If you do want to specify resources, uncomment the following -# lines, adjust them as necessary, and remove the curly braces after 'resources:'. -# limits: -# cpu: 100m -# memory: 128Mi -# requests: -# cpu: 100m -# memory: 128Mi networkPolicy: # -- Specifies whether default network policies should be created.