From 4b20832584752fb01cfce60b2c81a9dac3009db4 Mon Sep 17 00:00:00 2001 From: Rakshit Menpara <205111+deltasquare4@users.noreply.github.com> Date: Thu, 7 Jul 2022 19:33:03 +0530 Subject: [PATCH] Re-add freeipa chart with new updates --- charts/freeipa/Chart.lock | 6 + charts/freeipa/Chart.yaml | 12 +- charts/freeipa/templates/deployment.yaml | 125 ----------- charts/freeipa/templates/hpa.yaml | 28 --- charts/freeipa/templates/ingress.yaml | 88 +++++--- charts/freeipa/templates/pvc.yaml | 13 -- charts/freeipa/templates/service.yaml | 49 ++++- charts/freeipa/templates/serviceaccount.yaml | 12 -- charts/freeipa/templates/statefulset.yaml | 177 ++++++++++++++++ charts/freeipa/values.yaml | 206 ++++++++++++++++--- 10 files changed, 469 insertions(+), 247 deletions(-) create mode 100644 charts/freeipa/Chart.lock delete mode 100644 charts/freeipa/templates/deployment.yaml delete mode 100644 charts/freeipa/templates/hpa.yaml delete mode 100644 charts/freeipa/templates/pvc.yaml delete mode 100644 charts/freeipa/templates/serviceaccount.yaml create mode 100644 charts/freeipa/templates/statefulset.yaml diff --git a/charts/freeipa/Chart.lock b/charts/freeipa/Chart.lock new file mode 100644 index 0000000..b6650d8 --- /dev/null +++ b/charts/freeipa/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.16.0 +digest: sha256:f41cb9ff725b7c9fa2725634196a6813566d630342f86a74903ed114b282c8c0 +generated: "2022-07-07T18:36:26.440625049+05:30" diff --git a/charts/freeipa/Chart.yaml b/charts/freeipa/Chart.yaml index 3164e68..4487f15 100644 --- a/charts/freeipa/Chart.yaml +++ b/charts/freeipa/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: freeipa -description: A Helm chart for Kubernetes +description: FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). maintainers: - name: improwised # A chart can be either an 'application' or a 'library' chart. @@ -15,8 +15,14 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 1.16.0 +appVersion: 4.9.10 +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x diff --git a/charts/freeipa/templates/deployment.yaml b/charts/freeipa/templates/deployment.yaml deleted file mode 100644 index be52411..0000000 --- a/charts/freeipa/templates/deployment.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "freeipa.fullname" . }} - labels: - {{- include "freeipa.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "freeipa.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "freeipa.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "freeipa.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - volumes: - - name: freeipa-server-data - persistentVolumeClaim: - claimName: freeipa-data-pvc - - name: cgroups - hostPath: - path: /sys/fs/cgroup - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - -U - - --realm={{ default "localhost.com" .Values.args.realm }} - - --domain={{ default "localhost" .Values.args.domain }} - - --ds-password={{ default "freeipa" .Values.args.dspassword }} - - --admin-password={{ default "freeipa" .Values.args.adminpassword }} - - --unattended - {{- if .Values.args.nohostdns }} - - --no-host-dns - {{- end }} - {{- if .Values.args.nontp }} - - --no-ntp - {{- end }} - {{- if .Values.args.setupdns }} - - --setup-dns - {{- end }} - {{- if and (eq .Values.args.setupdns true) (eq .Values.args.autoforwarders true) }} - - --auto-forwarders - {{- end }} - {{- if and (eq .Values.args.setupdns true) (eq .Values.args.allowzoneoverlap true) }} - - --allow-zone-overlap - {{- end }} - {{- if .Values.args.sshtrustdns }} - - --ssh-trust-dns - {{- end }} - ports: 
- - containerPort: 636 - protocol: TCP - - containerPort: 80 - protocol: TCP - - containerPort: 443 - protocol: TCP - {{- if .Values.args.setupdns }} - - containerPort: 53 - protocol: UDP - {{- end }} - - containerPort: 88 - protocol: TCP - - containerPort: 88 - protocol: UDP - # ports: - # - name: http - # containerPort: 80 - # protocol: TCP - volumeMounts: - - name: freeipa-server-data - mountPath: /data - - name: cgroups - mountPath: /sys/fs/cgroup - readOnly: true - env: - - name: IPA_SERVER_HOSTNAME - value: {{ default "localhost" .Values.hostname }} - readinessProbe: - exec: - command: [ "/usr/bin/systemctl", "status", "ipa" ] - initialDelaySeconds: 300 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - # livenessProbe: - # httpGet: - # path: / - # port: http - # readinessProbe: - # httpGet: - # path: / - # port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{- toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/freeipa/templates/hpa.yaml b/charts/freeipa/templates/hpa.yaml deleted file mode 100644 index 1b13b62..0000000 --- a/charts/freeipa/templates/hpa.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "freeipa.fullname" . }} - labels: - {{- include "freeipa.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "freeipa.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/charts/freeipa/templates/ingress.yaml b/charts/freeipa/templates/ingress.yaml index 00146aa..3cbdd4e 100644 --- a/charts/freeipa/templates/ingress.yaml +++ b/charts/freeipa/templates/ingress.yaml 
@@ -1,41 +1,67 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "freeipa.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - name: {{ $fullName }} - labels: - {{- include "freeipa.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} + annotations: + {{- if .Values.ingress.certManager }} + kubernetes.io/tls-acme: "true" + {{- end }} + {{- if .Values.ingress.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} {{- end }} rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + {{- if .Values.ingress.hostname }} + - host: {{ .Values.ingress.hostname }} http: paths: - {{- range .paths }} - - path: {{ .path }} - backend: - serviceName: {{ $fullName }} - 
servicePort: {{ $svcPort }} + {{- if .Values.ingress.extraPaths }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraPaths "context" $) | nindent 10 }} {{- end }} + - path: {{ .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (printf "%s" (include "common.names.fullname" .)) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ .name }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (printf "%s-ui" (include "common.names.fullname" $)) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }} + tls: + {{- if and .Values.ingress.tls (or .Values.ingress.existingSecret (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }} + - hosts: + - {{ .Values.ingress.hostname | quote }} + {{- if .Values.ingress.existingSecret }} + secretName: {{ .Values.ingress.existingSecret }} + {{- else }} + secretName: {{ printf "%s-tls" .Values.ingress.hostname }} + {{- end }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- toYaml .Values.ingress.extraTls | nindent 4 }} {{- end }} {{- end }} +{{- end }} 
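Review bot: The `extraHosts` rule points its backend at a Service named `<fullname>-ui` (`printf "%s-ui" (include "common.names.fullname" $)`), but the only Service this chart renders is `common.names.fullname` in service.yaml, so every extra host routes to a backend that does not exist; use the same `printf "%s" (include "common.names.fullname" $)` as the primary-host rule. Both backends also pass `servicePort "http"`, which only resolves if the Service declares a port with `name: http` — the visible service.yaml hunks show `ldaps` and the port-88 entries but not the full list, so confirm such a name exists or use the numeric port. `.Values.ingress.certManager` is still consulted for the `kubernetes.io/tls-acme` annotation although values.yaml marks that key deprecated; either document it again or drop the branch. The hunk covers the whole file.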
diff --git a/charts/freeipa/templates/pvc.yaml b/charts/freeipa/templates/pvc.yaml deleted file mode 100644 index 6a2b730..0000000 --- a/charts/freeipa/templates/pvc.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: freeipa-data-pvc -spec: - accessModes: - - ReadWriteOnce - {{- if .Values.storageClassName }} - storageClassName: {{ .Values.storageClassName }} - {{- end }} - resources: - requests: - storage: {{ .Values.volumestorage }} diff --git a/charts/freeipa/templates/service.yaml b/charts/freeipa/templates/service.yaml index 7acda64..f16ea4e 100644 --- a/charts/freeipa/templates/service.yaml +++ b/charts/freeipa/templates/service.yaml 
@@ -1,12 +1,41 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "freeipa.fullname" . }} - labels: - {{- include "freeipa.labels" . | nindent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + annotations: + {{- if .Values.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} spec: type: {{ .Values.service.type }} - #clusterIP: {{ .Values.service.clusterIP }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} 
ports: - name: ldaps port: 636 @@ -32,10 +61,8 @@ spec: port: 88 protocol: UDP targetPort: 88 - # ports: - # - port: {{ .Values.service.port }} - # targetPort: http - # protocol: TCP - # name: http - selector: - {{- include "freeipa.selectorLabels" . | nindent 4 }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + ports: diff --git a/charts/freeipa/templates/serviceaccount.yaml b/charts/freeipa/templates/serviceaccount.yaml deleted file mode 100644 index 160d673..0000000 --- a/charts/freeipa/templates/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "freeipa.serviceAccountName" . }} - labels: - {{- include "freeipa.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/freeipa/templates/statefulset.yaml b/charts/freeipa/templates/statefulset.yaml new file mode 100644 index 0000000..4d08924 --- /dev/null +++ b/charts/freeipa/templates/statefulset.yaml 
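Review bot: `externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}` is emitted whenever the type is NodePort or LoadBalancer, but the `service:` block in values.yaml defines only `type` and `port`, so the line renders with an empty or null value depending on how `quote` treats nil — at best it silently relies on API defaulting, at worst it is rejected. Either add `externalTrafficPolicy: Cluster` (and the other keys this hunk reads: `annotations`, `sessionAffinity`, `loadBalancerSourceRanges`, `loadBalancerIP`, `extraPorts`) to values.yaml, or guard the line with `{{- if .Values.service.externalTrafficPolicy }}`. The ports list this hunk ends in continues beyond the hunk.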
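Review bot: The last added line, a bare `ports:` after `selector:`, leaves a second `ports` key with a null value in the Service spec while the real port list is declared earlier in the file; depending on the YAML loader this is either rejected as a duplicate key or silently replaces the port list with null. Delete the trailing `+ ports:` line. Whether it sits at spec level or nested under `selector` cannot be told from the collapsed hunk, but it is wrong in either position.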
@@ -0,0 +1,177 @@ +--- +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + replicas: 1 + podManagementPolicy: OrderedReady + serviceName: {{ include "common.names.fullname" . }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.podLabels "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + containers: + - name: freeipa + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command 
}} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + args: + - -U + - --realm={{ default "localhost.com" .Values.args.realm }} + - --domain={{ default "localhost" .Values.args.domain }} + - --ds-password={{ default "freeipa" .Values.args.dspassword }} + - --admin-password={{ default "freeipa" .Values.args.adminpassword }} + - --unattended + {{- if .Values.args.nohostdns }} + - --no-host-dns + {{- end }} + {{- if .Values.args.nontp }} + - --no-ntp + {{- end }} + {{- if .Values.args.setupdns }} + - --setup-dns + {{- end }} + {{- if and (eq .Values.args.setupdns true) (eq .Values.args.autoforwarders true) }} + - --auto-forwarders + {{- end }} + {{- if and (eq .Values.args.setupdns true) (eq .Values.args.allowzoneoverlap true) }} + - --allow-zone-overlap + {{- end }} + {{- if .Values.args.sshtrustdns }} + - --ssh-trust-dns + {{- end }} + ports: + {{- if .Values.args.setupdns }} + - containerPort: 53 + protocol: TCP + - containerPort: 53 + protocol: UDP + {{- end }} + - containerPort: 80 + protocol: TCP + - containerPort: 88 + protocol: TCP + - containerPort: 88 + protocol: UDP + - containerPort: 123 + protocol: UDP + - containerPort: 389 + protocol: TCP + - containerPort: 443 + protocol: TCP + - containerPort: 464 + protocol: TCP + - containerPort: 464 + protocol: UDP + - containerPort: 636 + protocol: TCP + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + env: + - name: IPA_SERVER_HOSTNAME + value: {{ default "localhost" .Values.hostname }} + - name: IPA_SERVER_IP + value: "" + # - name: IPA_SERVER_INSTALL_OPTS + # value: {{ .Values.install_opts }} {{ .Values.realm }} + # - name: PASSWORD + # valueFrom: + # secretKeyRef: + # name: {{ include "common.names.fullname" . 
}}-password + # key: admin.password + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + readinessProbe: + exec: + command: + - "/usr/bin/systemctl" + - status + - ipa + initialDelaySeconds: 60 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + {{- end }} + volumeMounts: + - name: {{ include "common.names.fullname" . }}-data + mountPath: "/data" + - name: {{ include "common.names.fullname" . }}-run + mountPath: "/run" + - name: {{ include "common.names.fullname" . }}-tmp + mountPath: "/tmp" + - name: {{ include "common.names.fullname" . }}-journal + mountPath: "/var/log/journal" + - name: cgroups + mountPath: /sys/fs/cgroup + readOnly: true + + volumes: + - name: {{ include "common.names.fullname" . }}-run + emptyDir: {} + - name: {{ include "common.names.fullname" . }}-tmp + emptyDir: {} + - name: {{ include "common.names.fullname" . }}-journal + emptyDir: {} + - name: cgroups + hostPath: + path: /sys/fs/cgroup + {{- if not .Values.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: {{ include "common.names.fullname" . }}-data + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} 
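Review bot: `--ds-password=` and `--admin-password=` are rendered into the container `args`, so the Directory Manager and admin passwords end up in the StatefulSet and Pod objects and in the container's process list, readable by anyone with get access on those resources; the commented-out `PASSWORD` secretKeyRef and the `extraEnvVarsSecret` hook show the intended path, so source them from a Secret and drop them from args (they also fall back to the literal `freeipa` when unset). Separately, with `persistence.enabled=false` the emptyDir is declared as `- name: data` while the container mounts `{{ include "common.names.fullname" . }}-data`, so the pod fails validation; rename the volume to `- name: {{ include "common.names.fullname" . }}-data`. `replicas: 1` is hard-coded although values.yaml still carries `replicaCount`, and `-U` and `--unattended` are the same installer flag passed twice. The hunk covers the whole new file.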
diff --git a/charts/freeipa/values.yaml b/charts/freeipa/values.yaml index 4573a96..6be38fe 100644 --- a/charts/freeipa/values.yaml +++ b/charts/freeipa/values.yaml @@ -4,17 +4,44 @@ replicaCount: 1 -hostname: freeipa.example.testy +hostname: freeipa.example.org image: repository: freeipa/freeipa-server pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "centos-8" + tag: "fedora-36-4.9.10" + +# # IPA Server must know it's own hostname to work properly.... +# # These values will probs need to be overwritten or could use lookup function? +# app_domain: apps.mycluster.example.com +# admin_password: Passw0rd +# realm: "-r redhatlabs.dev" + +# # sensible defaults +# install_opts: "-U --setup-dns --no-forwarders --no-ntp" +# container_args: "ipa-server-install" +# volume: 5Gi + +# # this can be used if not using helm install to set the correct ns +# # namespaceOverride: ipa + +# # this example is using the ldap admin user and password as the bind creds +# # and expects a group in ldap called `student` +# # disabled by default so as to not overwrite existing oauth configs in openshift-config ns +# ocp_auth: +# enabled: false +# bind_dn: "uid=admin,cn=users,cn=accounts,dc=redhatlabs,dc=dev" +# bind_password: Passw0rd +# base: "cn=student,cn=groups,cn=accounts,dc=redhatlabs,dc=dev" +# domain: "dc=redhatlabs,dc=dev" + +# machineconfig: +# ignition_version: 3.1.0 args: - realm: EXAMPLE.TESTY - domain: example.testy + realm: EXAMPLE.ORG + domain: example.org dspassword: ASDF1poiu2QWER3mnbv4 #pragma: allowlist secret adminpassword: ASDF1poiu2QWER3mnbv4 #pragma: allowlist secret nohostdns: true 
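Review bot: The commented-out block added after the image tag (`app_domain`, `install_opts`, `ocp_auth`, `machineconfig`, …) describes keys no template in this commit reads, and it carries credential-shaped placeholders (`Passw0rd`, a `redhatlabs.dev` bind DN) that secret scanners will flag and that suggest OpenShift wiring the chart does not have; drop it or move the explanation to the README. The `dspassword`/`adminpassword` defaults on the surrounding context lines are shipped, well-known values, and statefulset.yaml falls back to `freeipa` when they are cleared — consider `required` in the template so an install must supply its own.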
@@ -24,51 +51,166 @@ args: allowzoneoverlap: true # if setup dns is true thiw will be applicable sshtrustdns: false -volumestorage: 1Gi +## Enable persistence using Persistent Volume Claims +## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + ## @param persistence.enabled Enable HashiCorp Consul data persistence using PVC, use a Persistent Volume Claim, If false, use emptyDir + ## + enabled: true + ## @param persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param persistence.annotations Persistent Volume Claim annotations + ## + annotations: {} + ## @param persistence.accessModes Persistent Volume Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size PVC Storage Request for HashiCorp Consul data volume + ## + size: 5Gi imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: "" - podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: {} +containerSecurityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 + ## Container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled HashiCorp Consul Prometheus Exporter securityContext + ## @param metrics.containerSecurityContext.runAsUser User ID for the HashiCorp Consul Prometheus Exporter + ## @param metrics.containerSecurityContext.runAsNonRoot Force the container to be run as non root + ## service: type: ClusterIP #clusterIP: 10.43.201.201 port: 80 +## Configure the ingress resource that allows you to access the Consul UI +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## ingress: + ## @param ingress.enabled Enable ingress resource for Management console + ## enabled: false + ## @param ingress.path Path for the default host + ## + path: / + ## @param ingress.apiVersion Override API Version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## DEPRECATED: Use ingress.annotations instead of ingress.certManager + ## certManager: false + ## + + ## @param ingress.hostname Default host for the ingress resource, a host pointing to this will be created + ## + hostname: example.org + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: [] - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + ## @param ingress.ingressClassName Set the ingerssClassName on the ingress record for k8s 1.18+ + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## or a custom one if you use the tls.existingSecret parameter + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## Example: + ## existingSecret: name-of-existing-secret + ## + tls: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## extraHosts: + ## - name: consul-ui.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. 
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - consul-ui.local + ## secretName: rconsul-ui.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## Example: + ## - name: consul-ui.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.existingSecret It is you own the certificate as secret. + existingSecret: "" + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] resources: {} # We usually recommend not to specify default resources and to leave this as a conscious 
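Review bot: The `@param` comments added under `persistence`, `containerSecurityContext` and `ingress` still describe HashiCorp Consul (`Enable HashiCorp Consul data persistence`, `PVC Storage Request for HashiCorp Consul data volume`, `access the Consul UI`) and document `metrics.containerSecurityContext.*` parameters this chart does not have; rewrite them for FreeIPA, e.g. `## @param persistence.enabled Enable FreeIPA data persistence using a PVC; if false, use emptyDir`. The `## Container security context` block is also placed below the `containerSecurityContext: {}` example rather than above the key it documents. Because statefulset.yaml applies `podSecurityContext`/`containerSecurityContext` only when `.enabled` is true, the empty defaults should become `enabled: false` with the example fields beneath; otherwise a user who sets `runAsNonRoot: true` gets no securityContext at all. `ingress.selfSigned` and `ingress.secrets` are documented but no template in this commit creates the corresponding Secrets — confirm they are consumed elsewhere or remove them.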
@@ -94,3 +236,19 @@ nodeSelector: {} tolerations: [] affinity: {} + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity +
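Review bot: `diagnosticMode.args` is never consumed: statefulset.yaml swaps `command` when `diagnosticMode.enabled` is true but still renders the installer `args` list unconditionally, so diagnostic mode runs `sleep -U --realm=... --unattended ...` rather than `sleep infinity`. Wrap the args block in statefulset.yaml with `{{- if .Values.diagnosticMode.enabled }} args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} {{- else }} … {{- end }}`, or drop the key. The hunk also adds a trailing blank line at end of file.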