From bed523d182bbff38c06ccf95a71b4902cbf86b50 Mon Sep 17 00:00:00 2001
From: YianZong <63342088+YianZong@users.noreply.github.com>
Date: Tue, 17 Jan 2023 11:48:19 +0800
Subject: [PATCH 01/27] add support for pmax topology (#168)

---
 charts/karavi-observability/Chart.yaml  | 4 ++--
 charts/karavi-observability/values.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/charts/karavi-observability/Chart.yaml b/charts/karavi-observability/Chart.yaml
index aed1e78d..409d26e5 100644
--- a/charts/karavi-observability/Chart.yaml
+++ b/charts/karavi-observability/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: "1.4.0"
+appVersion: "1.5.0"
 name: karavi-observability
 description: CSM for Observability is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Observability provides Kubernetes administrators with visibility into metrics and topology data related to containerized storage.
 type: application
-version: 1.4.0
+version: 1.5.0
 dependencies:
   - name: cert-manager
     version: 1.10.0
diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml
index 9afa1ea4..877dcdeb 100644
--- a/charts/karavi-observability/values.yaml
+++ b/charts/karavi-observability/values.yaml
@@ -2,7 +2,7 @@ karaviTopology:
   image: dellemc/csm-topology:v1.4.0
   enabled: true
   # comma separated list of provisioner names (ex: csi-vxflexos.dellemc.com)
-  provisionerNames: csi-vxflexos.dellemc.com,csi-powerstore.dellemc.com,csi-isilon.dellemc.com
+  provisionerNames: csi-vxflexos.dellemc.com,csi-powerstore.dellemc.com,csi-isilon.dellemc.com,csi-powermax.dellemc.com
   service:
     type: ClusterIP
   logLevel: INFO

From c79f12f34c384a1dfa66b1bbde0fd614939cc3b7 Mon Sep 17 00:00:00 2001
From: baoy1 <105041111+baoy1@users.noreply.github.com> Date: Tue, 17 Jan 2023 18:58:25 -0800 Subject: [PATCH 02/27] Support Observability for PowerMax (#166) --- .../karavi-observability/templates/NOTES.txt | 12 ++ ...ravi-metrics-powermax-service-account.yaml | 45 ++++++ .../templates/karavi-metrics-powermax.yaml | 137 ++++++++++++++++++ .../karavi-observability-configmap.yaml | 22 +++ charts/karavi-observability/values.yaml | 39 ++++- 5 files changed, 254 insertions(+), 1 deletion(-) create mode 100644 charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml create mode 100644 charts/karavi-observability/templates/karavi-metrics-powermax.yaml diff --git a/charts/karavi-observability/templates/NOTES.txt b/charts/karavi-observability/templates/NOTES.txt index 4dd10391..0a9aef0e 100644 --- a/charts/karavi-observability/templates/NOTES.txt +++ b/charts/karavi-observability/templates/NOTES.txt @@ -49,3 +49,15 @@ CSM Metrics for PowerScale From inside the Kubernetes cluster: otel-collector:8443 {{- end}} + +{{ if .Values.karaviMetricsPowermax.enabled -}} + +CSM Metrics for PowerMax + + The CSM Metrics for PowerMax deployment has been successfully installed. + + Provisioner Names: {{ .Values.karaviMetricsPowermax.provisionerNames }} + Prometheus Scrape Target: + From inside the Kubernetes cluster: otel-collector:8443 + +{{- end}} \ No newline at end of file diff --git a/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml new file mode 100644 index 00000000..d4042faa --- /dev/null +++ b/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml 
@@ -0,0 +1,45 @@
+{{ if .Values.karaviMetricsPowermax.enabled }}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-metrics-powermax-controller
+  namespace: {{ .Release.Namespace }}
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-metrics-powermax-controller
+rules:
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes", "storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes", "nodes"]
+    verbs: ["list"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch", "get"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-metrics-powermax-controller
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-metrics-powermax-controller
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-metrics-powermax-controller
+  apiGroup: rbac.authorization.k8s.io
+
+{{ end }}
+
diff --git a/charts/karavi-observability/templates/karavi-metrics-powermax.yaml b/charts/karavi-observability/templates/karavi-metrics-powermax.yaml
new file mode 100644
index 00000000..63cf0c8b
--- /dev/null
+++ b/charts/karavi-observability/templates/karavi-metrics-powermax.yaml
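Review bot: The new ClusterRole grants `verbs: ["*"]` on endpoints and cluster-wide `get`/`list`/`watch` on secrets, which is broader than a read-only metrics collector is likely to need; nothing in the visible templates shows the collector writing endpoints or reading secrets outside its own namespace. I'd enumerate the endpoint verbs actually used instead of the wildcard and, if the secret access is only for driver credentials in a known namespace, bind a namespaced Role rather than a ClusterRole. The remaining rules (`list` on persistentvolumes/nodes, read on csinodes/storageclasses) look appropriately scoped. A short comment above the endpoints rule, e.g. `# endpoints: <why write access is needed> — TODO confirm minimal verbs`, would let the next reviewer verify the grant.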
@@ -0,0 +1,137 @@ +{{ if .Values.karaviMetricsPowermax.enabled }} + +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: karavi-metrics-powermax + app.kubernetes.io/instance: {{ .Release.Name }} + name: karavi-metrics-powermax +spec: + type: {{ .Values.karaviMetricsPowermax.service.type }} + ports: + - name: karavi-metrics-powermax + port: 8081 + targetPort: 8081 + selector: + app.kubernetes.io/name: karavi-metrics-powermax + app.kubernetes.io/instance: {{ .Release.Name }} + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: karavi-metrics-powermax + labels: + app.kubernetes.io/name: karavi-metrics-powermax + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if hasKey .Values "karaviMetricsPowermax.authorization" }} + {{- if eq .Values.karaviMetricsPowermax.authorization.enabled true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: karavi-metrics-powermax + app.kubernetes.io/instance: {{ .Release.Name }} + replicas: 1 + strategy: {} + template: + metadata: + labels: + app.kubernetes.io/name: karavi-metrics-powermax + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + serviceAccount: {{ .Release.Name }}-metrics-powermax-controller + containers: + - name: karavi-metrics-powermax + image: {{ .Values.karaviMetricsPowermax.image }} + resources: {} + env: + - name: POWERMAX_METRICS_ENDPOINT + value: "{{ .Values.karaviMetricsPowermax.endpoint }}" + - name: POWERMAX_METRICS_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TLS_ENABLED + value: "true" + - name: SSL_CERT_DIR + value: /certs + volumeMounts: + - name: powermax-reverseproxy-config + mountPath: /etc/reverseproxy + - name: tls-secret + mountPath: /etc/ssl/certs + readOnly: true + - name: karavi-metrics-powermax-configmap + mountPath: /etc/config + - name: certs + mountPath: /certs + {{- if hasKey .Values.karaviMetricsPowermax 
"authorization" }} + {{- if eq .Values.karaviMetricsPowermax.authorization.enabled true }} + - name: karavi-authorization-proxy + imagePullPolicy: IfNotPresent + image: {{ required "Must provide the authorization sidecar container image." .Values.karaviMetricsPowermax.authorization.sidecarProxyImage }} + env: + - name: PROXY_HOST + value: "{{ .Values.karaviMetricsPowermax.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.karaviMetricsPowermax.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powermax + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: powermax-proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: powermax-proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: powermax-config-params + mountPath: /etc/karavi-authorization + {{ end }} + {{ end }} + volumes: + - name: powermax-reverseproxy-config + configMap: + name: powermax-reverseproxy-config + - name: tls-secret + secret: + secretName: otel-collector-tls + items: + - key: tls.crt + path: cert.crt + - name: certs + emptyDir: { } + - name: karavi-metrics-powermax-configmap + configMap: + name: karavi-metrics-powermax-configmap + {{- if hasKey .Values.karaviMetricsPowermax "authorization" }} + {{- if eq .Values.karaviMetricsPowermax.authorization.enabled true }} + - name: karavi-authorization-config + secret: + secretName: powermax-karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: powermax-proxy-server-root-certificate + - name: powermax-config-params + configMap: + name: powermax-config-params + {{ end }} + {{ end }} + restartPolicy: Always +status: {} + +{{ end }} + 
diff --git a/charts/karavi-observability/templates/karavi-observability-configmap.yaml b/charts/karavi-observability/templates/karavi-observability-configmap.yaml index 2c61b29a..67c95385 100644 --- a/charts/karavi-observability/templates/karavi-observability-configmap.yaml +++ b/charts/karavi-observability/templates/karavi-observability-configmap.yaml @@ -90,3 +90,25 @@ data: LOG_FORMAT: "{{ .Values.karaviMetricsPowerscale.logFormat }}" {{ end }} + +--- + +{{ if .Values.karaviMetricsPowermax.enabled }} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: karavi-metrics-powermax-configmap +data: + karavi-metrics-powermax.yaml : | + COLLECTOR_ADDR: {{ .Values.karaviMetricsPowermax.collectorAddr }} + PROVISIONER_NAMES: {{ .Values.karaviMetricsPowermax.provisionerNames }} + POWERMAX_MAX_CONCURRENT_QUERIES: "{{ .Values.karaviMetricsPowermax.concurrentPowermaxQueries }}" + POWERMAX_CAPACITY_METRICS_ENABLED: "{{ .Values.karaviMetricsPowermax.capacityMetricsEnabled }}" + POWERMAX_PERFORMANCE_METRICS_ENABLED: "{{ .Values.karaviMetricsPowermax.performanceMetricsEnabled }}" + POWERMAX_ARRAY_CAPACITY_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.arrayCapacityPollFrequencySeconds }}" + POWERMAX_ARRAY_PERFORMANCE_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.arrayPerformancePollFrequencySeconds }}" + LOG_LEVEL: "{{ .Values.karaviMetricsPowermax.logLevel }}" + LOG_FORMAT: "{{ .Values.karaviMetricsPowermax.logFormat }}" + +{{ end }} diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml index 877dcdeb..1a7e2001 100644 --- a/charts/karavi-observability/values.yaml +++ b/charts/karavi-observability/values.yaml 
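Review bot: Inside the new `karavi-metrics-powermax.yaml : |` block, `COLLECTOR_ADDR` and `PROVISIONER_NAMES` are emitted unquoted while every other key is wrapped in `"{{ ... }}"`; if the collector parses this block as YAML, an empty or unusual value would be retyped or truncated, so quote them for consistency: `COLLECTOR_ADDR: "{{ .Values.karaviMetricsPowermax.collectorAddr }}"` and `PROVISIONER_NAMES: "{{ .Values.karaviMetricsPowermax.provisionerNames }}"`. The data key also carries a stray space before the colon; YAML trims it, but `karavi-metrics-powermax.yaml: |` reads as intended. The added `---` sits outside the `if`, so a PowerMax-disabled render ends in an empty document — Helm tolerates that as far as I know, but moving the separator inside the guard avoids the question.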
@@ -94,7 +94,7 @@ karaviMetricsPowerscale:
   clusterPerformancePollFrequencySeconds: 20
   # set polling frequency to get quota capacity metrics data
   quotaCapacityPollFrequencySeconds: 30
-  # set the the default max concurrent queries to PowerScale
+  # set the default max concurrent queries to PowerScale
   concurrentPowerscaleQueries: 10
   # set the default endpoint for PowerScale service
   endpoint: karavi-metrics-powerscale
@@ -128,6 +128,43 @@ karaviMetricsPowerscale: # Default value: "true" skipCertificateValidation: true +karaviMetricsPowermax: + image: dellemc/csm-metrics-powermax:v1.0.0 + enabled: true + collectorAddr: otel-collector:55680 + # comma separated list of provisioner names (ex: csi-powermax.dellemc.com) + provisionerNames: csi-powermax.dellemc.com + # set capacityMetricsEnabled to "false" to disable collection of capacity metrics + capacityMetricsEnabled: "true" + # set performanceMetricsEnabled to "false" to disable collection of performance metrics + performanceMetricsEnabled: "true" + # set polling frequency to get array capacity metrics data + arrayCapacityPollFrequencySeconds: 20 + # set polling frequency to get cluster performance data + arrayPerformancePollFrequencySeconds: 20 + # set the default max concurrent queries to PowerMax + concurrentPowermaxQueries: 10 + # set the default endpoint for PowerMax service + endpoint: karavi-metrics-powermax + service: + type: ClusterIP + logLevel: INFO + logFormat: text + authorization: + enabled: false + # sidecarProxyImage: the container image used for the csm-authorization-sidecar. + # Default value: dellemc/csm-authorization-sidecar:v1.4.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.4.0 + # proxyHost: hostname of the csm-authorization server + # Default value: None + proxyHost: + # skipCertificateValidation: certificate validation of the csm-authorization server + # Allowed Values: + # "true" - TLS certificate verification will be skipped + # "false" - TLS certificate will be verified + # Default value: "true" + skipCertificateValidation: true + otelCollector: image: otel/opentelemetry-collector:0.42.0 service: From 7b865c49acbe3d30763745bb1b534b1a3c9f1bab Mon Sep 17 00:00:00 2001 
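Review bot: The new `authorization` block defaults `skipCertificateValidation: true`, which turns off TLS certificate verification toward the csm-authorization server out of the box; it mirrors the PowerScale section above, so changing the default chart-wide is a separate decision, but the comment should state plainly that this is the insecure setting, e.g. `# Default value: "true" (TLS verification of the authorization server is skipped; set "false" for production)`. `proxyHost:` is a bare key and parses as null rather than an empty string; `proxyHost: ""` makes the intent explicit and keeps the templated `value: "{{ ... }}"` in the Deployment a plain string. `capacityMetricsEnabled`/`performanceMetricsEnabled` are quoted strings while `enabled` is a boolean — reasonable if they are meant to land in the ConfigMap as text, but a comment saying so would stop a future cleanup from turning them into booleans.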
From: chaganti-rajitha <111744573+chaganti-rajitha@users.noreply.github.com> Date: Fri, 20 Jan 2023 15:41:23 +0530 Subject: [PATCH 03/27] Helm chart changes for CSM installation Wizard (#167) * added the custom namespace * Edited the copyright year * removed charts and addressed the review comments * removed charts and chart.lock * renamed the chart and addressed review comments for observability * Addressed review comments for authorization and renamed csm chart * updated replication module chart version * reverted replicator version * deleted authorization chart --- .../.helmignore | 0 charts/container-storage-modules/Chart.yaml | 75 + .../templates/_helpers.tpl | 9 + charts/container-storage-modules/values.yaml | 127 + charts/csi-powerstore/Chart.yaml | 36 + charts/csi-powerstore/templates/_helpers.tpl | 71 + .../csi-powerstore/templates/controller.yaml | 396 ++ .../csi-powerstore/templates/csidriver.yaml | 27 + .../templates/driver-config-params.yaml | 25 + charts/csi-powerstore/templates/node.yaml | 257 + charts/csi-powerstore/values.yaml | 282 ++ .../templates/_helpers.tpl | 11 + ...bility-mutating-webhook-configuration.yaml | 4 +- ...lity-validating-webhook-configuration.yaml | 4 +- ...ion_backups.mobility.storage.dell.com.yaml | 4 +- ...yment_app-mobility-controller-manager.yaml | 4 +- ...certificate_app-mobility-serving-cert.yaml | 6 +- ...issuer_app-mobility-selfsigned-issuer.yaml | 2 +- ...ding_app-mobility-manager-rolebinding.yaml | 2 +- ...inding_app-mobility-proxy-rolebinding.yaml | 2 +- ...ole_app-mobility-leader-election-role.yaml | 2 +- ....io_v1_role_app-mobility-manager-role.yaml | 2 +- ...-mobility-leader-election-rolebinding.yaml | 4 +- ...ding_app-mobility-manager-rolebinding.yaml | 4 +- ...configmap_app-mobility-manager-config.yaml | 2 +- ...ty-controller-manager-metrics-service.yaml | 2 +- ..._service_app-mobility-webhook-service.yaml | 2 +- ...count_app-mobility-controller-manager.yaml | 2 +- charts/csm-application-mobility/values.yaml | 2 
+ charts/csm-authorization/.gitignore | 2 - charts/csm-authorization/Chart.yaml | 15 - charts/csm-authorization/README.md | 19 - .../csm-authorization/charts/redis/Chart.yaml | 6 - .../charts/redis/templates/redis.yaml | 128 - .../charts/redis/values.yaml | 0 charts/csm-authorization/policies/common.rego | 4 - .../policies/powermax-url.rego | 47 - .../policies/powerscale-url.rego | 42 - .../csm-authorization/policies/url-test.rego | 63 - charts/csm-authorization/policies/url.rego | 39 - .../policies/volumes-create-test.rego | 117 - .../policies/volumes-create.rego | 74 - .../policies/volumes-delete.rego | 48 - .../policies/volumes-map.rego | 42 - .../policies/volumes-powermax-create.rego | 74 - .../policies/volumes-powerscale-create.rego | 60 - .../policies/volumes-unmap.rego | 42 - charts/csm-authorization/templates/NOTES.txt | 23 - .../templates/certificate.yaml | 82 - .../templates/csm-config-params.yaml | 12 - .../csm-authorization/templates/ingress.yaml | 207 - .../templates/karavi-storage-secret.yaml | 8 - .../csm-authorization/templates/policies.yaml | 79 - .../templates/proxy-server.yaml | 115 - .../templates/role-service.yaml | 79 - .../templates/storage-service.yaml | 81 - .../templates/tenant-service.yaml | 51 - charts/csm-authorization/values.yaml | 89 - .../.helmignore | 1 - charts/csm-replication/Chart.yaml | 5 + .../crds/replicationcrds.all.yaml | 171 + charts/csm-replication/templates/_helpers.tpl | 72 + .../csm-replication/templates/controller.yaml | 297 ++ charts/csm-replication/values.yaml | 39 + charts/karavi-observability/Chart.yaml | 1 + .../crds/cert-manager.crds.yaml | 4414 +++++++++++++++++ .../templates/_helpers.tpl | 9 + .../templates/cert-manager.yaml | 20 +- ...avi-metrics-powerflex-service-account.yaml | 4 +- .../templates/karavi-metrics-powerflex.yaml | 2 + ...vi-metrics-powerscale-service-account.yaml | 4 +- .../templates/karavi-metrics-powerscale.yaml | 2 + ...vi-metrics-powerstore-service-account.yaml | 4 +- 
.../templates/karavi-metrics-powerstore.yaml | 2 + .../karavi-observability-configmap.yaml | 4 + .../karavi-topology-service-account.yaml | 4 +- .../templates/karavi-topology.yaml | 2 + .../templates/otel-collector.yaml | 4 + charts/karavi-observability/values.yaml | 4 +- 79 files changed, 6387 insertions(+), 1692 deletions(-) rename charts/{csm-authorization/charts/redis => container-storage-modules}/.helmignore (100%) create mode 100644 charts/container-storage-modules/Chart.yaml create mode 100644 charts/container-storage-modules/templates/_helpers.tpl create mode 100644 charts/container-storage-modules/values.yaml create mode 100644 charts/csi-powerstore/Chart.yaml create mode 100644 charts/csi-powerstore/templates/_helpers.tpl create mode 100644 charts/csi-powerstore/templates/controller.yaml create mode 100644 charts/csi-powerstore/templates/csidriver.yaml create mode 100644 charts/csi-powerstore/templates/driver-config-params.yaml create mode 100644 charts/csi-powerstore/templates/node.yaml create mode 100644 charts/csi-powerstore/values.yaml delete mode 100644 charts/csm-authorization/.gitignore delete mode 100644 charts/csm-authorization/Chart.yaml delete mode 100644 charts/csm-authorization/README.md delete mode 100644 charts/csm-authorization/charts/redis/Chart.yaml delete mode 100644 charts/csm-authorization/charts/redis/templates/redis.yaml delete mode 100644 charts/csm-authorization/charts/redis/values.yaml delete mode 100644 charts/csm-authorization/policies/common.rego delete mode 100644 charts/csm-authorization/policies/powermax-url.rego delete mode 100644 charts/csm-authorization/policies/powerscale-url.rego delete mode 100644 charts/csm-authorization/policies/url-test.rego delete mode 100644 charts/csm-authorization/policies/url.rego delete mode 100644 charts/csm-authorization/policies/volumes-create-test.rego delete mode 100644 charts/csm-authorization/policies/volumes-create.rego delete mode 100644 
charts/csm-authorization/policies/volumes-delete.rego delete mode 100644 charts/csm-authorization/policies/volumes-map.rego delete mode 100644 charts/csm-authorization/policies/volumes-powermax-create.rego delete mode 100644 charts/csm-authorization/policies/volumes-powerscale-create.rego delete mode 100644 charts/csm-authorization/policies/volumes-unmap.rego delete mode 100644 charts/csm-authorization/templates/NOTES.txt delete mode 100644 charts/csm-authorization/templates/certificate.yaml delete mode 100644 charts/csm-authorization/templates/csm-config-params.yaml delete mode 100644 charts/csm-authorization/templates/ingress.yaml delete mode 100644 charts/csm-authorization/templates/karavi-storage-secret.yaml delete mode 100644 charts/csm-authorization/templates/policies.yaml delete mode 100644 charts/csm-authorization/templates/proxy-server.yaml delete mode 100644 charts/csm-authorization/templates/role-service.yaml delete mode 100644 charts/csm-authorization/templates/storage-service.yaml delete mode 100644 charts/csm-authorization/templates/tenant-service.yaml delete mode 100644 charts/csm-authorization/values.yaml rename charts/{csm-authorization => csm-replication}/.helmignore (96%) create mode 100644 charts/csm-replication/Chart.yaml create mode 100644 charts/csm-replication/crds/replicationcrds.all.yaml create mode 100644 charts/csm-replication/templates/_helpers.tpl create mode 100644 charts/csm-replication/templates/controller.yaml create mode 100644 charts/csm-replication/values.yaml create mode 100644 charts/karavi-observability/crds/cert-manager.crds.yaml create mode 100644 charts/karavi-observability/templates/_helpers.tpl diff --git a/charts/csm-authorization/charts/redis/.helmignore b/charts/container-storage-modules/.helmignore similarity index 100% rename from charts/csm-authorization/charts/redis/.helmignore rename to charts/container-storage-modules/.helmignore 
diff --git a/charts/container-storage-modules/Chart.yaml b/charts/container-storage-modules/Chart.yaml
new file mode 100644
index 00000000..c7babc1e
--- /dev/null
+++ b/charts/container-storage-modules/Chart.yaml
@@ -0,0 +1,75 @@ +# +# +# Copyright © 2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# +apiVersion: v2 +name: container-storage-modules +description: Container Storage Modules(https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell Technologies storage products. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. 
+appVersion: "1.16.0" + +dependencies: +- name: csi-powerstore + version: 2.5.0 + repository: file://../csi-powerstore + condition: csi-powerstore.enabled + +- name: csm-replication + version: 1.3.1 + repository: file://../csm-replication + condition: csm-replication.enabled + +- name: karavi-observability + version: 1.4.0 + repository: file://../karavi-observability + condition: karavi-observability.enabled + +- name: cert-manager + version: 1.10.0 + repository: https://charts.jetstack.io + condition: cert-manager.enabled + +- name: csm-application-mobility + version: 0.2.0 + repository: file://../csm-application-mobility + condition: csm-application-mobility.enabled + +- name: csm-authorization + version: 1.5.0 + repository: file://../csm-authorization + condition: csm-authorization.enabled + +#- name: csi-powermax + #version: 2.5.0 + #repository: file://../csi-powermax + #condition: csi-powermax.enabled \ No newline at end of file diff --git a/charts/container-storage-modules/templates/_helpers.tpl b/charts/container-storage-modules/templates/_helpers.tpl new file mode 100644 index 00000000..000bd372 --- /dev/null +++ b/charts/container-storage-modules/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/container-storage-modules/values.yaml b/charts/container-storage-modules/values.yaml new file mode 100644 index 00000000..60fcbd51 --- /dev/null +++ b/charts/container-storage-modules/values.yaml 
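Review bot: The umbrella `dependencies` pin `karavi-observability` at `version: 1.4.0`, but patch 01 of this series bumps that chart's own version to 1.5.0, and as far as I know a `file://` dependency's version constraint must match the referenced chart's version for `helm dependency update` to resolve, so this should read `version: 1.5.0` (this patch also changes karavi-observability/Chart.yaml by one line not shown here, so confirm the final value). Likewise the `csm-authorization` entry points at `file://../csm-authorization`, which the diffstat of this same commit deletes (`delete mode 100644 charts/csm-authorization/Chart.yaml`); either drop the entry together with the `csm-authorization:` section in the umbrella values.yaml hunk, or keep the chart. The sequence is written flush-left (`- name:`) while the sibling karavi-observability Chart.yaml indents its `dependencies` entries — pick one style for the repository. The file also ends without a trailing newline.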
@@ -0,0 +1,127 @@ +# +# +# Copyright © 2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# +## K8S/DRIVER ATTRIBUTES +######################## +csi-powerstore: + enabled: false + namespace: + version: "v2.5.0" + images: + driverRepository: dellemc + ## Controller ATTRIBUTES + controller: + controllerCount: 1 + healthMonitor: + enabled: false + nodeSelector: + replication: + enabled: false + image: dellemc/dell-csi-replicator:v1.3.0 + vgsnapshot: + enabled: false + image: dellemc/csi-volumegroup-snapshotter:v1.1.0 + snapshot: + enabled: false + resizer: + enabled: false + ## Node ATTRIBUTES + node: + healthMonitor: + enabled: false + nodeSelector: + +## K8S/Replication Module ATTRIBUTES +########################################## +csm-replication: + enabled: false + namespace: + +## K8S/Observability Module ATTRIBUTES +########################################## +karavi-observability: + enabled: false + namespace: + karaviMetricsPowerstore: + enabled: false + karaviMetricsPowerflex: + enabled: false + karaviMetricsPowerscale: + enabled: false + cert-manager: + enabled: false + +## K8S/Application-mobility Module ATTRIBUTES +########################################## +csm-application-mobility: + enabled: false + namespace: + + # csm-application-mobility requires velero. If velero is already installed on the cluster, specify the namespace in which velero is deployed. 
Default value is "velero" + veleroNamespace: velero + # csm-application-mobility requires velero. If velero is not already present in cluster, set enabled to true to install it too. + velero: + enabled: false + credentials: + secretContents: + cloud: | + [default] + aws_access_key_id=access_key + aws_secret_access_key=secret_access_key + configuration: + provider: aws + backupStorageLocation: + name: default + bucket: velero-bucket + config: {} + #region: + #s3ForcePathStyle: + #s3Url: + #publicUrl: + initContainers: + - name: dell-custom-velero-plugin + image: dellemc/csm-application-mobility-velero-plugin:v0.2.0 + volumeMounts: + - mountPath: /target + name: plugins + #- name: velero-plugin-for-aws + #image: velero/velero-plugin-for-aws:v1.5.0 + #volumeMounts: + #- mountPath: /target + #name: plugins + +## K8S/Authorization Module ATTRIBUTES +########################################## +csm-authorization: + enabled: false + namespace: + cert-manager: + enabled: false + redis: + namespace: + storageClass: + +## K8S/Cert-manager ATTRIBUTES +########################################## +cert-manager: + enabled: false + namespace: + +## K8S/Powermax ATTRIBUTES +########################################## +#csi-powermax: + #enabled: false + #namespace: + diff --git a/charts/csi-powerstore/Chart.yaml b/charts/csi-powerstore/Chart.yaml new file mode 100644 index 00000000..be3c8fe8 --- /dev/null +++ b/charts/csi-powerstore/Chart.yaml 
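Review bot: `velero.credentials.secretContents.cloud` ships literal `aws_access_key_id=access_key` / `aws_secret_access_key=secret_access_key` lines in a values file that operators will copy and commit, which invites real keys to be pasted into version control; the comment above should mark them as placeholders and steer users to a pre-created Secret, e.g. `# placeholder only — never commit real keys; prefer referencing an existing Secret for the cloud credential`. Several keys are bare (`namespace:`, `nodeSelector:`, `storageClass:`) and parse as null rather than an empty string or map; that is fine for `custom.namespace`, which applies `default`, but I cannot see how the csi-powerstore templates consume `nodeSelector`, so confirm they guard against null before any `toYaml`. The commented-out `csi-powermax` stanza at the bottom duplicates the disabled dependency in Chart.yaml and will drift; a single `# TODO: enable once the csi-powermax chart is added` in one place is easier to keep honest.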
@@ -0,0 +1,36 @@ +# +# +# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# + +name: csi-powerstore +apiVersion: v2 +version: 2.5.0 +appVersion: "2.5.0" +kubeVersion: ">= 1.21.0 < 1.26.0" +#If you are using a complex K8s version like "v1.22.3-mirantis-1", use this kubeVersion check instead +#WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED +#kubeVersion: ">= 1.21.0-0 < 1.26.0-0" +description: | + PowerStore CSI (Container Storage Interface) driver Kubernetes + integration. This chart includes everything required to provision via CSI as + well as a PowerStore StorageClass. +keywords: +- csi +- storage +home: https://github.com/dell/csi-powerstore +sources: +- https://github.com/dell/csi-powerstore +maintainers: +- name: DellEMC diff --git a/charts/csi-powerstore/templates/_helpers.tpl b/charts/csi-powerstore/templates/_helpers.tpl new file mode 100644 index 00000000..fba3d04c --- /dev/null +++ b/charts/csi-powerstore/templates/_helpers.tpl 
@@ -0,0 +1,71 @@ +{{/* +Return the appropriate sidecar images based on k8s version +*/}} +{{- define "csi-powerstore.attacherImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} + {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.0.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powerstore.provisionerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} + {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.3.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powerstore.snapshotterImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} + {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.1.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powerstore.resizerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} + {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.6.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powerstore.registrarImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} + {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powerstore.healthmonitorImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" 
.Capabilities.KubeVersion.Minor) "25") -}} + {{- print "gcr.io/k8s-staging-sig-storage/csi-external-health-monitor-controller:v0.7.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Return true if storage capacity tracking is enabled and is supported based on k8s version +*/}} +{{- define "csi-powerstore.isStorageCapacitySupported" -}} +{{- if eq .Values.storageCapacity.enabled true -}} + {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} + {{- true -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} diff --git a/charts/csi-powerstore/templates/controller.yaml b/charts/csi-powerstore/templates/controller.yaml new file mode 100644 index 00000000..9cc64eb9 --- /dev/null +++ b/charts/csi-powerstore/templates/controller.yaml 
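Review bot: The six image helpers compare `.Capabilities.KubeVersion.Minor` as strings (`ge ... "21"`, `le ... "25"`), which is lexicographic: it happens to hold for minors 21–25, but a minor such as "30" or "100" compares outside the range, and when the check fails the define renders nothing, so the Deployment gets an empty `image:` that is hard to diagnose. Converting with `atoi` before comparing and failing loudly on an unsupported version would make the failure explicit, e.g. `{{- else }}{{- fail "csi-powerstore: unsupported Kubernetes minor version" }}{{- end }}` on the inner `if`. The six bodies differ only in the image string, so one helper taking the image via `dict`/`include` would remove the duplication and keep the version logic in a single place. `isStorageCapacitySupported` has the same string comparison against `"24"`.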
@@ -0,0 +1,396 @@ +# +# +# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ include "custom.namespace" . }} + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-controller +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + {{- if hasKey .Values.controller "vgsnapshot" }} + {{- if eq .Values.controller.vgsnapshot.enabled true }} + - apiGroups: ["volumegroup.storage.dell.com"] + resources: ["dellcsivolumegroupsnapshots","dellcsivolumegroupsnapshots/status"] + verbs: 
["create", "list", "watch", "delete", "update"] + {{- end }} + {{- end }} + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots", "volumesnapshots/status"] + {{- if hasKey .Values.controller "vgsnapshot" }} + {{- if eq .Values.controller.vgsnapshot.enabled true }} + verbs: ["get", "list", "watch", "update", "create", "delete"] + {{- else }} + verbs: ["get", "list", "watch", "update"] + {{- end }} + {{- end }} + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + # below for resizer + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + # below for dell-csi-replicator + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups/status"] + verbs: ["get", "patch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + {{- end}} + {{- end}} + # Permissions for CSIStorageCapacity + {{- if eq (include 
"csi-powerstore.isStorageCapacitySupported" .) "true" }} + - apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] + {{- end }} +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-controller +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-controller + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-controller + apiGroup: rbac.authorization.k8s.io + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ include "custom.namespace" . }} +spec: + selector: + matchLabels: + name: {{ .Release.Name }}-controller + {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}} + {{- fail "value for .Values.controller.controllerCount should be atleast 1" }} + {{- else }} + replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }} + {{- end }} + template: + metadata: + labels: + name: {{ .Release.Name }}-controller + spec: + {{ if .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml .Values.controller.nodeSelector | nindent 8 }} + {{ end }} + {{ if .Values.controller.tolerations }} + tolerations: + {{- toYaml .Values.controller.tolerations | nindent 6 }} + {{ end }} + serviceAccountName: {{ .Release.Name }}-controller + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: "name" + operator: In + values: + - {{ .Release.Name }}-controller + topologyKey: "kubernetes.io/hostname" + containers: + {{- if hasKey .Values "dev" }} + {{ if .Values.dev.enableTracing }}{{- include "pstore.tracing" . 
| nindent 8 }}{{ end }} + {{- end }} + - name: attacher + image: {{ required "Must provide the CSI attacher container image." ( include "csi-powerstore.attacherImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--leader-election" + - "--worker-threads=130" + - "--resync=10s" + - "--timeout=130s" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if hasKey .Values.controller "resizer" }} + {{- if eq .Values.controller.resizer.enabled true }} + - name: resizer + image: {{ required "Must provide the CSI resizer container image." ( include "csi-powerstore.resizerImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--leader-election" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{end}} + {{end}} + - name: provisioner + image: {{ required "Must provide the CSI provisioner container image." ( include "csi-powerstore.provisionerImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}" + - "--volume-name-uuid-length=10" + - "--v=5" + - "--leader-election" + - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}" + - "--extra-create-metadata" + - "--feature-gates=Topology=true" + - "--enable-capacity={{ (include "csi-powerstore.isStorageCapacitySupported" .) 
| default false }}" + - "--capacity-ownerref-level=2" + - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if hasKey .Values.controller "snapshot" }} + {{- if eq .Values.controller.snapshot.enabled true }} + - name: snapshotter + image: {{ required "Must provide the CSI snapshotter container image." ( include "csi-powerstore.snapshotterImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--leader-election" + - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{end}} + {{end}} + {{- if hasKey .Values.controller "vgsnapshot" }} + {{- if eq .Values.controller.vgsnapshot.enabled true }} + - name: vg-snapshotter + image: {{ required "Must provide the vgsnapshotter container image." .Values.controller.vgsnapshot.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: dell-csi-replicator + image: {{ required "Must provide the Dell CSI Replicator image." 
.Values.controller.replication.image}} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--worker-threads=2" + - "--retry-interval-start=1s" + - "--retry-interval-max=300s" + - "--timeout=300s" + - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix}}" + - "--prefix={{ .Values.controller.replication.replicationPrefix}}" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + - name: X_CSI_REPLICATION_CONFIG_DIR + value: /powerstore-config-params + - name: X_CSI_REPLICATION_CONFIG_FILE_NAME + value: driver-config-params.yaml + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: powerstore-config-params + mountPath: /powerstore-config-params + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true}} + - name: csi-external-health-monitor-controller + image: {{ required "Must provide the CSI external health monitor controller image." ( include "csi-powerstore.healthmonitorImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--http-endpoint=:8080" + - "--enable-node-watcher=true" + - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}" + - "--timeout=180s" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} + {{- end }} + - name: csi-metadata-retriever + image: {{ required "Must provide the CSI Metadata retriever container image." .Values.controller.metadataretriever }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-metadata-retriever" ] + env: + {{- if hasKey .Values "dev" }} + - name: ENABLE_TRACING + value: {{ .Values.dev.enableTracing | quote }} + {{ if .Values.dev.enableTracing }}{{- include "pstore.tracingenvvars" . 
| nindent 12 }}{{ end }} + {{- end }} + - name: CSI_RETRIEVER_ENDPOINT + value: /var/run/csi/csi_retriever.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: driver + image: {{ required "Must provide the PowerStore driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-powerstore" ] + env: + {{- if hasKey .Values "dev" }} + - name: ENABLE_TRACING + value: {{ .Values.dev.enableTracing | quote }} + {{ if .Values.dev.enableTracing }}{{- include "pstore.tracingenvvars" . | nindent 12 }}{{ end }} + {{- end }} + - name: CSI_ENDPOINT + value: /var/run/csi/csi.sock + - name: CSI_RETRIEVER_ENDPOINT + value: /var/run/csi/csi_retriever.sock + - name: X_CSI_MODE + value: controller + - name: X_CSI_DRIVER_NAME + value: {{ .Values.driverName }} + - name: X_CSI_POWERSTORE_EXTERNAL_ACCESS + value: {{ .Values.externalAccess }} + - name: X_CSI_NFS_ACLS + value: "{{ .Values.nfsAcls }}" + - name: X_CSI_POWERSTORE_CONFIG_PATH + value: /powerstore-config/config + - name: X_CSI_POWERSTORE_CONFIG_PARAMS_PATH + value: /powerstore-config-params/driver-config-params.yaml + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: X_CSI_REPLICATION_CONTEXT_PREFIX + value: {{ .Values.controller.replication.replicationContextPrefix | default "powerstore"}} + - name: X_CSI_REPLICATION_PREFIX + value: {{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com"}} + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true}} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.controller.healthMonitor.enabled }}" + {{- end }} + {{- end }} + - name: GOPOWERSTORE_DEBUG + value: "true" + - name: CSI_AUTO_ROUND_OFF_FILESYSTEM_SIZE + value: "{{ .Values.allowAutoRoundOffFilesystemSize | 
default false }}" + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: powerstore-config + mountPath: /powerstore-config + - name: powerstore-config-params + mountPath: /powerstore-config-params + volumes: + - name: socket-dir + emptyDir: + - name: powerstore-config-params + configMap: + name: {{ .Release.Name }}-config-params + - name: powerstore-config + secret: + secretName: {{ .Release.Name }}-config diff --git a/charts/csi-powerstore/templates/csidriver.yaml b/charts/csi-powerstore/templates/csidriver.yaml new file mode 100644 index 00000000..9f5ad9be --- /dev/null +++ b/charts/csi-powerstore/templates/csidriver.yaml @@ -0,0 +1,27 @@ +# +# +# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# + +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: {{ .Values.driverName }} +spec: + storageCapacity: {{ (include "csi-powerstore.isStorageCapacitySupported" .) | default false }} + podInfoOnMount: true + fsGroupPolicy: {{ .Values.fsGroupPolicy }} + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/charts/csi-powerstore/templates/driver-config-params.yaml b/charts/csi-powerstore/templates/driver-config-params.yaml new file mode 100644 index 00000000..d979f262 --- /dev/null +++ b/charts/csi-powerstore/templates/driver-config-params.yaml 
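Review bot: The controller ClusterRole in this hunk grants `get` and `list` on `secrets` cluster-wide, which lets the controller service account read every Secret in the cluster; if the sidecars only need StorageClass-referenced secrets, dropping `list` and scoping `get` with a namespaced Role would narrow that considerably (the driver's own `{{ .Release.Name }}-config` Secret is mounted as a volume and needs no RBAC at all). `X_CSI_POWERSTORE_EXTERNAL_ACCESS` is rendered unquoted as `value: {{ .Values.externalAccess }}`, so the empty default from values.yaml renders a null and a CIDR is passed as a bare scalar; `value: {{ .Values.externalAccess | quote }}` matches the quoting already used for `X_CSI_NFS_ACLS`. `GOPOWERSTORE_DEBUG` is hard-coded to `"true"` in the driver container with no values.yaml switch, which is worth revisiting if the PowerStore client's debug output includes request or response bodies. The snapshotter's `required` message reads `Must privided a Snapshot Name Prefix` and should be `Must provide a Snapshot Name Prefix`, and the socket-dir volume's bare `emptyDir:` is a null where `emptyDir: {}` is the unambiguous form.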
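Review bot: `volumeLifecycleModes` in this hunk enables `Ephemeral` alongside `Persistent`, so any user who can create a Pod can declare an inline CSI volume for this driver with arbitrary volume attributes, bypassing StorageClass- and PVC-level controls. If inline volumes are not a supported use of the PowerStore driver, listing only `Persistent` is the safer default; if they are, the behaviour should be called out in values.yaml so cluster operators know to add an admission policy, and a values.yaml toggle that defaults to `Persistent` only would let them opt in deliberately.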
@@ -0,0 +1,25 @@ +# +# +# Copyright © 2021-2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-params + namespace: {{ include "custom.namespace" . }} +data: + driver-config-params.yaml: | + CSI_LOG_LEVEL: "{{ .Values.logLevel }}" + CSI_LOG_FORMAT: "{{ .Values.logFormat }}" \ No newline at end of file diff --git a/charts/csi-powerstore/templates/node.yaml b/charts/csi-powerstore/templates/node.yaml new file mode 100644 index 00000000..5bc814ac --- /dev/null +++ b/charts/csi-powerstore/templates/node.yaml 
@@ -0,0 +1,257 @@ +# +# +# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-node + namespace: {{ include "custom.namespace" . }} + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-node +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["create", "delete", "get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["persistentvolumesclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["security.openshift.io"] + resourceNames: ["privileged"] + resources: ["securitycontextconstraints"] + verbs: ["use"] + + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-node +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-node + 
namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-node + apiGroup: rbac.authorization.k8s.io + +--- + +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-node + namespace: {{ include "custom.namespace" . }} +spec: + selector: + matchLabels: + app: {{ .Release.Name }}-node + template: + metadata: + labels: + app: {{ .Release.Name }}-node + spec: + {{ if .Values.node.nodeSelector }} + nodeSelector: + {{- toYaml .Values.node.nodeSelector | nindent 8 }} + {{ end }} + {{ if .Values.node.tolerations }} + tolerations: + {{- toYaml .Values.node.tolerations | nindent 6 }} + {{ end }} + serviceAccount: {{ .Release.Name }}-node + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + hostIPC: true + containers: + {{- if hasKey .Values "dev" }} + {{ if .Values.dev.enableTracing }}{{- include "pstore.tracing" . | nindent 8 }}{{ end }} + {{- end}} + - name: driver + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: {{ required "Must provide the Powerstore driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-powerstore" ] + env: + {{- if hasKey .Values "dev" }} + - name: ENABLE_TRACING + value: {{ .Values.dev.enableTracing | quote}} + {{ if .Values.dev.enableTracing }}{{- include "pstore.tracingenvvars" . 
| nindent 12 }}{{ end }} + {{- end}} + - name: CSI_ENDPOINT + value: unix://{{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}/csi_sock + - name: X_CSI_MODE + value: node + - name: X_CSI_POWERSTORE_KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: X_CSI_POWERSTORE_NODE_NAME_PREFIX + value: {{ .Values.node.nodeNamePrefix }} + - name: X_CSI_POWERSTORE_NODE_ID_PATH + value: /node-id + - name: X_CSI_POWERSTORE_NODE_CHROOT_PATH + value: /noderoot + - name: X_CSI_POWERSTORE_TMP_DIR + value: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}/tmp + - name: X_CSI_DRIVER_NAME + value: {{ .Values.driverName }} + - name: X_CSI_FC_PORTS_FILTER_FILE_PATH + value: {{ .Values.nodeFCPortsFilterFile }} + - name: X_CSI_DRIVER_NAME + value: {{ .Values.driverName }} + {{- if eq .Values.connection.enableCHAP true }} + - name: X_CSI_POWERSTORE_ENABLE_CHAP + value: "true" + {{- else }} + - name: X_CSI_POWERSTORE_ENABLE_CHAP + value: "false" + {{- end }} + - name: X_CSI_POWERSTORE_CONFIG_PATH + value: /powerstore-config/config + - name: X_CSI_POWERSTORE_CONFIG_PARAMS_PATH + value: /powerstore-config-params/driver-config-params.yaml + - name: GOPOWERSTORE_DEBUG + value: "true" + {{- if hasKey .Values.node "healthMonitor" }} + {{- if eq .Values.node.healthMonitor.enabled true}} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.controller.healthMonitor.enabled }}" + {{- end }} + {{- end }} + volumeMounts: + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }} + - name: csi-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + mountPropagation: "Bidirectional" + - name: pods-path + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: dev + mountPath: /dev + - name: sys + mountPath: /sys + - name: run + mountPath: /run + - name: node-id + mountPath: /node-id + - name: etciscsi + mountPath: /etc/iscsi + - name: 
mpath + mountPath: /etc/multipath.conf + - name: noderoot + mountPath: /noderoot + - name: powerstore-config + mountPath: /powerstore-config + - name: powerstore-config-params + mountPath: /powerstore-config-params + - name: registrar + image: {{ required "Must provide the CSI node registrar container image." ( include "csi-powerstore.registrarImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}/csi_sock + env: + - name: ADDRESS + value: /csi/csi_sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: registration-dir + mountPath: /registration + - name: driver-path + mountPath: /csi + volumes: + - name: registration-dir + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins_registry/ + type: DirectoryOrCreate + - name: driver-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }} + type: DirectoryOrCreate + - name: csi-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + - name: pods-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/pods + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: node-id + hostPath: + path: {{ required "Must provide the path to file with node identifier." .Values.node.nodeIDPath }} + type: File + - name: etciscsi + hostPath: + path: /etc/iscsi + type: DirectoryOrCreate + - name: mpath + hostPath: + path: /etc/multipath.conf + type: FileOrCreate + - name: noderoot + hostPath: + path: / + type: Directory + - name: sys + hostPath: + path: /sys + type: Directory + - name: run + hostPath: + path: /run + type: Directory + - name: powerstore-config-params + configMap: + name: {{ .Release.Name }}-config-params + - name: powerstore-config + secret: + secretName: {{ .Release.Name }}-config 
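Review bot: In the node DaemonSet's driver container, `X_CSI_HEALTH_MONITOR_ENABLED` is gated on `.Values.node.healthMonitor.enabled` but its value is rendered from `.Values.controller.healthMonitor.enabled`, so enabling the node health monitor while the controller one is off yields `value: "false"`; it should read `value: "{{ .Values.node.healthMonitor.enabled }}"`. The node ClusterRole names the resource `persistentvolumesclaims`, which does not exist, so that rule grants nothing and the intended `persistentvolumeclaims` permission is missing; the same role lists the `volumeattachments` rule twice and grants `create`/`delete` on `persistentvolumes`, which a node plugin normally does not need. The pod runs with `privileged: true` and additionally `hostIPC: true`, `allowPrivilegeEscalation: true` and `add: ["SYS_ADMIN"]`; the capability add is redundant under privileged, and `hostIPC` should be dropped unless a specific need is documented, since it widens the blast radius of a compromised node plugin beyond what mount handling requires. The driver env also defines `X_CSI_DRIVER_NAME` twice, which some linters reject and which is at best confusing.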
diff --git a/charts/csi-powerstore/values.yaml b/charts/csi-powerstore/values.yaml new file mode 100644 index 00000000..639b9716 --- /dev/null +++ b/charts/csi-powerstore/values.yaml 
@@ -0,0 +1,282 @@ +# +# +# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# + +## K8S/DRIVER ATTRIBUTES +######################## + +# driverName: defines the name of driver +# Allowed values: string +# Default value: None +driverName: "csi-powerstore.dellemc.com" + +# Driver version required to pull the latest driver image +version: "v2.5.0" + +# Specify kubelet config dir path. +# Ensure that the config.yaml file is present at this path. +# Default value: None +kubeletConfigDir: /var/lib/kubelet + +# nodeFCPortsFilterFile: It is the name of the environment variable which store path to the file which +# provide list of WWPN which should be used by the driver for FC connection on this node +# If file not exist or empty or in invalid format, then the driver will use all available FC ports +# Allowed Values: string +# Default Value: None +# Example: +# content of the file: +# 21:00:00:29:ff:48:9f:6e,21:00:00:29:ff:48:9f:6e +nodeFCPortsFilterFile: /etc/fc-ports-filter + +# externalAccess: allows to specify additional entries for hostAccess of NFS volumes. Both single IP address and subnet are valid entries. +# Allowed Values: x.x.x.x/xx or x.x.x.x +# Default Value: None +externalAccess: + +# imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container. +# Allowed values: +# Always: Always pull the image. 
+# IfNotPresent: Only pull the image if it does not already exist on the node. +# Never: Never pull the image. +# Default value: None +imagePullPolicy: IfNotPresent + +# nfsAcls: enables setting permissions on NFS mount directory +# This value acts as default value for NFS ACL (nfsAcls), if not specified for an array config in secret +# Permissions can be specified in two formats: +# 1) Unix mode (NFSv3) +# 2) NFSv4 ACLs (NFSv4) +# NFSv4 ACLs are supported on NFSv4 share only. +# Allowed values: +# 1) Unix mode: valid octal mode number +# Examples: "0777", "777", "0755" +# 2) NFSv4 acls: valid NFSv4 acls, seperated by comma +# Examples: "A::OWNER@:RWX,A::GROUP@:RWX", "A::OWNER@:rxtncy" +# Optional: true +# Default value: "0777" +nfsAcls: "0777" + +# controller: configure controller specific parameters +controller: + # controllerCount: defines the number of csi-powerstore controller pods to deploy to + # the Kubernetes release. + # Allowed values: n, where n > 0 + # Default value: None + controllerCount: 2 + + # volumeNamePrefix: defines a string prepended to each volume created by the CSI driver. + # Allowed values: string + # Default value: None + volumeNamePrefix: csivol + + # vgsnapshot: allows to configure volume-group-snapshot + # volume-group-snapshot CRDs must be installed before installing driver + vgsnapshot: + # enabled: Enable/Disable volume-group-snapshot feature + # Allowed values: + # true: enable volume-group-snapshot feature(install vg-snapshotter sidecar) + # false: disable volume-group-snapshot feature(do not install vg-snapshotter sidecar) + # Default value: false + enabled: false + # image: Image to use for volume-group-snapshotter. 
This shouldn't be changed + # Allowed values: string + # Default value: dellemc/csi-volumegroup-snapshotter:v1.1.0 + image: dellemc/csi-volumegroup-snapshotter:v1.1.0 + + # snapshot: allows to enable/disable snapshot feature + # snapshot CRDs needs to be installed before enabling this feature + snapshot: + # enabled: Enable/Disable volume snapshot feature + # Allowed values: + # true: enable volume snapshot feature(install snapshotter sidecar) + # false: disable volume snapshot feature(do not install snapshotter sidecar) + # Default value: None + enabled: true + + # snapNamePrefix: Prefix to apply to the names of a created snapshots + # Allowed values: string + # Default value: None + snapNamePrefix: csisnap + # resizer: allows to enable/disable resizer feature + resizer: + # enabled: Enable/Disable volume expansion feature + # Allowed values: + # true: enable volume expansion feature(install resizer sidecar) + # false: disable volume expansion feature(do not install resizer sidecar) + # Default value: true + enabled: true + + healthMonitor: + # enabled: Enable/Disable health monitor of CSI volumes + # Allowed values: + # true: enable checking of health condition of CSI volumes + # false: disable checking of health condition of CSI volumes + # Default value: false + enabled: false + + # interval: Interval of monitoring volume health condition + # Allowed values: Number followed by unit (s,m,h) + # Examples: 60s, 5m, 1h + # Default value: 60s + interval: 60s + + # replication: allows to configure replication + # Replication CRDs must be installed before installing driver + replication: + # enabled: Enable/Disable replication feature + # Allowed values: + # true: enable replication feature(install dell-csi-replicator sidecar) + # false: disable replication feature(do not install dell-csi-replicator sidecar) + # Default value: false + enabled: false + + # image: Image to use for dell-csi-replicator. 
This shouldn't be changed + # Allowed values: string + # Default value: None + image: dellemc/dell-csi-replicator:v1.3.0 + + # replicationContextPrefix: prefix to use for naming of resources created by replication feature + # Allowed values: string + # Default value: powerstore + replicationContextPrefix: "powerstore" + + # replicationPrefix: prefix to prepend to storage classes parameters + # Allowed values: string + # Default value: replication.storage.dell.com + replicationPrefix: "replication.storage.dell.com" + + # Image for csi-metadata-retriever + metadataretriever: dellemc/csi-metadata-retriever:v1.2.0 + + # nodeSelector: Define node selection constraints for controller pods. + # For the pod to be eligible to run on a node, the node must have each + # of the indicated key-value pairs as labels. + # Leave as blank to consider all nodes + # Allowed values: map of key-value pairs + # Default value: None + nodeSelector: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane + + # tolerations: Define tolerations for the controllers, if required. + # Leave as blank to install controller on worker nodes + # Default value: None + tolerations: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # - key: "node-role.kubernetes.io/master" + # operator: "Exists" + # effect: "NoSchedule" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # tolerations: + # - key: "node-role.kubernetes.io/control-plane" + # operator: "Exists" + # effect: "NoSchedule" + +# node: configure node pod specific parameters +node: + # nodeNamePrefix: defines a string prepended to each node registered by the CSI driver. 
+ # Allowed values: string + # Default value: None + nodeNamePrefix: csi-node + + # nodeIDPath: defines the path to file with node identifier (e.g. /etc/machine-id, /etc/hostname). + # Allowed values: string + # Default value: None + nodeIDPath: /etc/machine-id + + healthMonitor: + # enabled: Enable/Disable health monitor of CSI volumes- volume usage, volume condition + # Allowed values: + # true: enable checking of health condition of CSI volumes + # false: disable checking of health condition of CSI volumes + # Default value: None + enabled: false + + # nodeSelector: Define node selection constraints for node pods. + # For the pod to be eligible to run on a node, the node must have each + # of the indicated key-value pairs as labels. + # Leave as blank to consider all nodes + # Allowed values: map of key-value pairs + # Default value: None + nodeSelector: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane + + # tolerations: Define tolerations for the node pods, if required. 
+ # Leave as blank to consider all worker nodes + # Default value: None + tolerations: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # - key: "node-role.kubernetes.io/master" + # operator: "Exists" + # effect: "NoSchedule" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # tolerations: + # - key: "node-role.kubernetes.io/control-plane" + # operator: "Exists" + # effect: "NoSchedule" + +## PLATFORM ATTRIBUTES +###################### + +# connection: allows to configure connection to storage array +connection: + # connection.enableCHAP: allows to enable CHAP for iSCSI connections + # CHAP password will be autogenerated by driver + # Allowed values: + # true : enable CHAP + # false: disable CHAP + # Default value: false + enableCHAP: false + +# CSI driver log level +# Allowed values: "error", "warn"/"warning", "info", "debug", "error" +# Default value: "debug" +logLevel: "debug" + +# CSI driver log format +# Allowed values: "TEXT" or "JSON" +# Default value: "JSON" +logFormat: "JSON" + +# Following modes are supported: None, File and ReadWriteOnceWithFSType +fsGroupPolicy: ReadWriteOnceWithFSType + +# Allows the controller to round off filesystem to 3Gi which is the minimum supported value +allowAutoRoundOffFilesystemSize: false + +# Storage Capacity Tracking +# Note: Capacity tracking is supported in kubernetes v1.24 and above, this feature will be automatically disabled in older versions. +storageCapacity: + # enabled : Enable/Disable storage capacity tracking + # Allowed values: + # true: enable storage capacity tracking + # false: disable storage capacity tracking + # Default value: true + enabled: true + # pollInterval : Configure how often external-provisioner polls the driver to detect changed capacity + # Allowed values: 1m,2m,3m,...,10m,...,60m etc + # Default value: 5m + pollInterval: 5m + +images: + # "driver" defines the container image, used for the driver container. 
+ driverRepository: dellemc + +# namespace: powerstore-ns \ No newline at end of file diff --git a/charts/csm-application-mobility/templates/_helpers.tpl b/charts/csm-application-mobility/templates/_helpers.tpl index da46389d..cc6f0e48 100644 --- a/charts/csm-application-mobility/templates/_helpers.tpl +++ b/charts/csm-application-mobility/templates/_helpers.tpl @@ -120,3 +120,14 @@ https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/templates/_h {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} {{- end -}} + + +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_app-mobility-mutating-webhook-configuration.yaml b/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_app-mobility-mutating-webhook-configuration.yaml index 67770b2a..d5773ec3 100644 --- a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_app-mobility-mutating-webhook-configuration.yaml +++ b/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_app-mobility-mutating-webhook-configuration.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-serving-cert + cert-manager.io/inject-ca-from: {{ include "custom.namespace" . }}/{{ .Release.Name }}-serving-cert name: {{ .Release.Name }}-mutating-webhook-configuration webhooks: - admissionReviewVersions: 
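Review bot: `custom.namespace` forwards `.Values.namespace` unchecked into every resource's `metadata.namespace`, the Certificate's `dnsNames`, the `inject-ca-from` annotation and the `--app-mobility-namespace` flag, so a value that is not a valid RFC 1123 label (or a bare number, which `--set` turns into an int) only surfaces later as an API-server rejection or a serving-cert SAN that does not match the Service name the webhook resolves, instead of failing at render time. The new comment block also does not say that Helm creates only the release namespace, so a value different from `.Release.Namespace` must already exist, and the release record then lives in the `-n` namespace while the controller, its RBAC and the webhook serving cert land elsewhere — worth stating for anyone auditing who can read that Secret. I'd validate once in the helper and fail early on a bad value, and add to the comment: `The namespace must already exist; Helm creates only the release namespace.`

```yaml
{{- define "custom.namespace" -}}
{{- $ns := .Values.namespace | default .Release.Namespace | toString -}}
{{- if not (regexMatch "^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$" $ns) -}}
{{- fail (printf "namespace %q must be a valid RFC 1123 label" $ns) -}}
{{- end -}}
{{- $ns -}}
{{- end -}}
```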
@@ -10,7 +10,7 @@ webhooks:
 clientConfig:
 service:
 name: {{ .Release.Name }}-webhook-service
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 path: /mutate-mobility-storage-dell-com-v1alpha1-backup
 failurePolicy: Fail
 name: mbackup.mobility.storage.dell.com
diff --git a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_app-mobility-validating-webhook-configuration.yaml b/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_app-mobility-validating-webhook-configuration.yaml
index 9889433d..20b16bdc 100644
--- a/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_app-mobility-validating-webhook-configuration.yaml
+++ b/charts/csm-application-mobility/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_app-mobility-validating-webhook-configuration.yaml
@@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-serving-cert
+ cert-manager.io/inject-ca-from: {{ include "custom.namespace" . }}/{{ .Release.Name }}-serving-cert
 name: {{ .Release.Name }}-validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
@@ -10,7 +10,7 @@ webhooks:
 clientConfig:
 service:
 name: {{ .Release.Name }}-webhook-service
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 path: /validate-mobility-storage-dell-com-v1alpha1-backup
 failurePolicy: Fail
 name: vbackup.mobility.storage.dell.com
diff --git a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_backups.mobility.storage.dell.com.yaml b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_backups.mobility.storage.dell.com.yaml
index 6eb7665b..f1d825f5 100644
--- a/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_backups.mobility.storage.dell.com.yaml
+++ b/charts/csm-application-mobility/templates/apiextensions.k8s.io_v1_customresourcedefinition_backups.mobility.storage.dell.com.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}-serving-cert
+ cert-manager.io/inject-ca-from: {{ include "custom.namespace" . }}/{{ .Release.Name }}-serving-cert
 controller-gen.kubebuilder.io/version: v0.7.0
 name: backups.mobility.storage.dell.com
 spec:
@@ -12,7 +12,7 @@ spec:
 clientConfig:
 service:
 name: {{ .Release.Name }}-webhook-service
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 path: /convert
 conversionReviewVersions:
 - v1
diff --git a/charts/csm-application-mobility/templates/apps_v1_deployment_app-mobility-controller-manager.yaml b/charts/csm-application-mobility/templates/apps_v1_deployment_app-mobility-controller-manager.yaml
index 2144d06a..ec4f9ddc 100644
--- a/charts/csm-application-mobility/templates/apps_v1_deployment_app-mobility-controller-manager.yaml
+++ b/charts/csm-application-mobility/templates/apps_v1_deployment_app-mobility-controller-manager.yaml
@@ -4,7 +4,7 @@ metadata:
 labels:
 control-plane: controller-manager
 name: {{ .Release.Name }}-controller-manager
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 spec:
 replicas: 1
 selector:
@@ -33,7 +33,7 @@ spec:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
- - --app-mobility-namespace={{ .Release.Namespace }}
+ - --app-mobility-namespace={{ include "custom.namespace" . }}
 - --velero-namespace={{ include "velero.namespace" . }}
 - --secret-name={{ include "objectstore.secretname" . }}
 - --license-name={{ .Values.licenseName }}
diff --git a/charts/csm-application-mobility/templates/cert-manager.io_v1_certificate_app-mobility-serving-cert.yaml b/charts/csm-application-mobility/templates/cert-manager.io_v1_certificate_app-mobility-serving-cert.yaml
index 2c2b9d1d..28c0387d 100644
--- a/charts/csm-application-mobility/templates/cert-manager.io_v1_certificate_app-mobility-serving-cert.yaml
+++ b/charts/csm-application-mobility/templates/cert-manager.io_v1_certificate_app-mobility-serving-cert.yaml
@@ -2,11 +2,11 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: {{ .Release.Name }}-serving-cert
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 spec:
 dnsNames:
- - {{ .Release.Name }}-webhook-service.{{ .Release.Namespace }}.svc
- - {{ .Release.Name }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ - {{ .Release.Name }}-webhook-service.{{ include "custom.namespace" . }}.svc
+ - {{ .Release.Name }}-webhook-service.{{ include "custom.namespace" . }}.svc.cluster.local
 issuerRef:
 kind: Issuer
 name: {{ .Release.Name }}-selfsigned-issuer
diff --git a/charts/csm-application-mobility/templates/cert-manager.io_v1_issuer_app-mobility-selfsigned-issuer.yaml b/charts/csm-application-mobility/templates/cert-manager.io_v1_issuer_app-mobility-selfsigned-issuer.yaml
index f63e9ed8..95422408 100644
--- a/charts/csm-application-mobility/templates/cert-manager.io_v1_issuer_app-mobility-selfsigned-issuer.yaml
+++ b/charts/csm-application-mobility/templates/cert-manager.io_v1_issuer_app-mobility-selfsigned-issuer.yaml
@@ -2,6 +2,6 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
 name: {{ .Release.Name }}-selfsigned-issuer
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 spec:
 selfSigned: {}
diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-manager-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-manager-rolebinding.yaml
index 7197fe85..d9016c4e 100644
--- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-manager-rolebinding.yaml
+++ b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-manager-rolebinding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ .Release.Name }}-controller-manager
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-proxy-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-proxy-rolebinding.yaml
index 82ab64f6..75a3b458 100644
--- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-proxy-rolebinding.yaml
+++ b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_app-mobility-proxy-rolebinding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ .Release.Name }}-controller-manager
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-leader-election-role.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-leader-election-role.yaml
index 67a85721..e833ca8a 100644
--- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-leader-election-role.yaml
+++ b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-leader-election-role.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ .Release.Name }}-leader-election-role
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 rules:
 - apiGroups:
 - ""
diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-manager-role.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-manager-role.yaml
index b354d241..b476ae28 100644
--- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-manager-role.yaml
+++ b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_role_app-mobility-manager-role.yaml
@@ -3,7 +3,7 @@ kind: Role
 metadata:
 creationTimestamp: null
 name: {{ .Release.Name }}-manager-role
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 rules:
 - apiGroups:
 - ""
diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-leader-election-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-leader-election-rolebinding.yaml
index d9d77338..3f7e1e75 100644
--- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-leader-election-rolebinding.yaml
+++ b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-leader-election-rolebinding.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ .Release.Name }}-leader-election-rolebinding
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ .Release.Name }}-controller-manager
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
diff --git a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-manager-rolebinding.yaml b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-manager-rolebinding.yaml
index 70607248..35e377e4 100644
--- a/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-manager-rolebinding.yaml
+++ b/charts/csm-application-mobility/templates/rbac.authorization.k8s.io_v1_rolebinding_app-mobility-manager-rolebinding.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ .Release.Name }}-manager-rolebinding
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ .Release.Name }}-controller-manager
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
diff --git a/charts/csm-application-mobility/templates/v1_configmap_app-mobility-manager-config.yaml b/charts/csm-application-mobility/templates/v1_configmap_app-mobility-manager-config.yaml
index 04c4031c..98ab504b 100644
--- a/charts/csm-application-mobility/templates/v1_configmap_app-mobility-manager-config.yaml
+++ b/charts/csm-application-mobility/templates/v1_configmap_app-mobility-manager-config.yaml
@@ -4,4 +4,4 @@ data:
 kind: ConfigMap
 metadata:
 name: {{ .Release.Name }}-manager-config
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
diff --git a/charts/csm-application-mobility/templates/v1_service_app-mobility-controller-manager-metrics-service.yaml b/charts/csm-application-mobility/templates/v1_service_app-mobility-controller-manager-metrics-service.yaml
index fd424e34..e52d5ce1 100644
--- a/charts/csm-application-mobility/templates/v1_service_app-mobility-controller-manager-metrics-service.yaml
+++ b/charts/csm-application-mobility/templates/v1_service_app-mobility-controller-manager-metrics-service.yaml
@@ -4,7 +4,7 @@ metadata:
 labels:
 control-plane: controller-manager
 name: {{ .Release.Name }}-controller-manager-metrics-service
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 spec:
 ports:
 - name: https
diff --git a/charts/csm-application-mobility/templates/v1_service_app-mobility-webhook-service.yaml b/charts/csm-application-mobility/templates/v1_service_app-mobility-webhook-service.yaml
index 9e57aab9..d2ee221f 100644
--- a/charts/csm-application-mobility/templates/v1_service_app-mobility-webhook-service.yaml
+++ b/charts/csm-application-mobility/templates/v1_service_app-mobility-webhook-service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: {{ .Release.Name }}-webhook-service
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
 spec:
 ports:
 - port: 443
diff --git a/charts/csm-application-mobility/templates/v1_serviceaccount_app-mobility-controller-manager.yaml b/charts/csm-application-mobility/templates/v1_serviceaccount_app-mobility-controller-manager.yaml
index 9221d90a..a9c52060 100644
--- a/charts/csm-application-mobility/templates/v1_serviceaccount_app-mobility-controller-manager.yaml
+++ b/charts/csm-application-mobility/templates/v1_serviceaccount_app-mobility-controller-manager.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ .Release.Name }}-controller-manager
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "custom.namespace" . }}
diff --git a/charts/csm-application-mobility/values.yaml b/charts/csm-application-mobility/values.yaml index 143013ed..3c3e7593 100644 --- a/charts/csm-application-mobility/values.yaml +++ b/charts/csm-application-mobility/values.yaml @@ -79,3 +79,5 @@ velero: # volumeMounts: # - mountPath: /target # name: plugins + +# namespace: app-mobility \ No newline at end of file diff --git a/charts/csm-authorization/.gitignore b/charts/csm-authorization/.gitignore deleted file mode 100644 index a4d58c62..00000000 --- a/charts/csm-authorization/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -Chart.lock -charts/*tgz diff --git a/charts/csm-authorization/Chart.yaml b/charts/csm-authorization/Chart.yaml deleted file mode 100644 index 93366519..00000000 --- a/charts/csm-authorization/Chart.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v2 -name: csm-authorization -version: 1.5.0 -appVersion: 1.5.0 -type: application -description: CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. -dependencies: -- name: cert-manager - version: 1.6.1 - repository: https://charts.jetstack.io - condition: cert-manager.enabled -- name: ingress-nginx - version: 4.0.19 - repository: https://kubernetes.github.io/ingress-nginx - condition: ingress-nginx.enabled diff --git a/charts/csm-authorization/README.md b/charts/csm-authorization/README.md deleted file mode 100644 index 1b5eed59..00000000 --- a/charts/csm-authorization/README.md +++ /dev/null 
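Review bot: The new commented-out `# namespace: app-mobility` example in values.yaml gives no hint of what setting it does, while the helper it feeds moves every namespaced resource, the webhook Service DNS names in the serving cert and the controller's `--app-mobility-namespace` into that namespace. I'd expand it to `# namespace: install all chart resources into this namespace instead of the Helm release namespace` / `# (the namespace must already exist; Helm creates only the release namespace, and the release record stays there)` / `# namespace: app-mobility`. That keeps the example while documenting the default and the prerequisite an operator needs before relying on it.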
@@ -1,19 +0,0 @@ - - -# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart - -CSM for Authorization can be deployed using Helm. - -For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm). - -## Helm Chart Versioning - -For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy). diff --git a/charts/csm-authorization/charts/redis/Chart.yaml b/charts/csm-authorization/charts/redis/Chart.yaml deleted file mode 100644 index 30b032ee..00000000 --- a/charts/csm-authorization/charts/redis/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -name: redis -description: A Helm chart for Redis -type: application -version: 0.1.0 -appVersion: 0.1.0 diff --git a/charts/csm-authorization/charts/redis/templates/redis.yaml b/charts/csm-authorization/charts/redis/templates/redis.yaml deleted file mode 100644 index fdc9dc70..00000000 --- a/charts/csm-authorization/charts/redis/templates/redis.yaml +++ /dev/null 
@@ -1,128 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-primary - namespace: {{ .Release.Namespace }} - labels: - app: redis -spec: - selector: - matchLabels: - app: redis - role: primary - tier: backend - replicas: 1 - template: - metadata: - labels: - app: redis - role: primary - tier: backend - spec: - containers: - - name: primary - image: {{ .Values.images.redis }} - imagePullPolicy: IfNotPresent - args: ["--appendonly", "yes", "--appendfsync", "always"] - resources: - requests: - cpu: 100m - memory: 100Mi - ports: - - containerPort: 6379 - volumeMounts: - - name: redis-primary-volume - mountPath: /data - volumes: - - name: redis-primary-volume - persistentVolumeClaim: - claimName: redis-primary-pv-claim ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: redis-primary-pv-claim - namespace: {{ .Release.Namespace }} - labels: - app: redis-primary -spec: - accessModes: - - ReadWriteOnce - {{- if (.Values.storageClass) }} - storageClassName: {{.Values.storageClass }} - {{- end}} - resources: - requests: - storage: 8Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-commander - namespace: {{ .Release.Namespace }} -spec: - replicas: 1 - selector: - matchLabels: - app: redis-commander - template: - metadata: - labels: - app: redis-commander - tier: backend - spec: - containers: - - name: redis-commander - image: {{ .Values.images.commander }} - imagePullPolicy: IfNotPresent - env: - - name: REDIS_HOSTS - value: "rbac:redis.{{ .Release.Namespace }}.svc.cluster.local:6379" - - name: K8S_SIGTERM - value: "1" - ports: - - name: redis-commander - containerPort: 8081 - livenessProbe: - httpGet: - path: /favicon.png - port: 8081 - initialDelaySeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: "500m" - memory: "512M" - securityContext: - runAsNonRoot: true - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Service -metadata: - 
name: redis - namespace: {{ .Release.Namespace }} -spec: - selector: - app: redis - ports: - - protocol: TCP - port: 6379 - targetPort: 6379 ---- -apiVersion: v1 -kind: Service -metadata: - name: redis-commander - namespace: {{ .Release.Namespace }} -spec: - selector: - app: redis-commander - ports: - - protocol: TCP - port: 8081 - targetPort: 8081 diff --git a/charts/csm-authorization/charts/redis/values.yaml b/charts/csm-authorization/charts/redis/values.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/charts/csm-authorization/policies/common.rego b/charts/csm-authorization/policies/common.rego deleted file mode 100644 index 99709c9a..00000000 --- a/charts/csm-authorization/policies/common.rego +++ /dev/null @@ -1,4 +0,0 @@ -package karavi.common -default roles = {} -roles = {} - diff --git a/charts/csm-authorization/policies/powermax-url.rego b/charts/csm-authorization/policies/powermax-url.rego deleted file mode 100644 index 25cd3f6e..00000000 --- a/charts/csm-authorization/policies/powermax-url.rego +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.powermax.url - -allowlist = [ - "GET /univmax/restapi/version", - "GET /univmax/restapi/(90|91)/system/symmetrix/[a-f0-9A-F]+", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/srp", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", - "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", - "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/[a-f0-9A-F]+", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", - "GET /univmax/restapi/91/sloprovisioning/symmetrix/[a-f0-9A-F]+/portgroup/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/initiator", - "GET 
/univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/host/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", - "GET /univmax/restapi/(90|91)/system/symmetrix", - "GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", - "GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", - "GET /univmax/restapi/(90|91)/replication/capabilities/symmetrix/", - "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview", -] - -default allow = true - -allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) -} diff --git a/charts/csm-authorization/policies/powerscale-url.rego b/charts/csm-authorization/policies/powerscale-url.rego deleted file mode 100644 index 4a3032bd..00000000 --- a/charts/csm-authorization/policies/powerscale-url.rego +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.powerscale.url - -allowlist = [ - "GET /platform/latest/", - "GET /platform/[0-9]/cluster/config/", - "GET /namespace/(.+)", - "GET /platform/[0-9]/protocols/nfs/exports/?(.+)", - "PUT /namespace/(.+)", - "GET /platform/[0-9]/quota/license/", - "POST /platform/[0-9]/quota/quotas/", - "POST /platform/[0-9]/protocols/nfs/exports/?(.+)", - "GET /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "PUT /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "DELETE /platform/[0-9]/quota/quotas/[a-z0-9A-Z]+/", - "DELETE /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "DELETE /namespace/(.+)", - "GET /platform/[0-9]/snapshot/snapshots/(.+)", - "POST /platform/[0-9]/snapshot/snapshots", - "DELETE /platform/[0-9]/snapshot/snapshots/(.+)", - "POST /session/[0-9]/session/", - "GET /session/[0-9]/session/", - "POST /proxy/refresh-token/" -] - -default allow = true -allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) -} diff --git a/charts/csm-authorization/policies/url-test.rego b/charts/csm-authorization/policies/url-test.rego deleted file mode 100644 index ed849eb4..00000000 --- a/charts/csm-authorization/policies/url-test.rego +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.url - -test_get_api_login_allowed { - allow with input as {"method": "GET", "url": "/api/login/"} -} - -test_post_proxy_refresh_token_allowed { - allow with input as {"method": "POST", "url": "/proxy/refresh-token/"} -} - -test_get_api_version_allowed { - allow with input as {"method": "GET", "url": "/api/version/"} -} - -test_get_system_instances_allowed { - allow with input as {"method": "GET", "url": "/api/types/System/instances/"} -} - -test_get_storagpool_instances_allowed { - allow with input as {"method": "GET", "url": "/api/types/StoragePool/instances/"} -} - -test_post_volume_instances_allowed { - allow with input as {"method": "POST", "url": "/api/types/Volume/instances/"} -} - -test_get_volume_instance_allowed { - allow with input as {"method": "GET", "url": "/api/instances/Volume::2a3814c600000003/"} -} - -test_post_volume_instances_queryIdByKey_allowed { - allow with input as {"method": "POST", "url": "/api/types/Volume/instances/action/queryIdByKey/"} -} - -test_get_system_sdc_allowed { - allow with input as {"method": "GET", "url": "/api/instances/System::7045c4cc20dffc0f/relationships/Sdc/"} -} - -test_post_volume_add_sdc_allowed { - allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/addMappedSdc/"} -} - -test_post_volume_remove_sdc_allowed { - allow 
with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeMappedSdc/"} -} - -test_post_volume_remove_allowed { - allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeVolume/"} -} diff --git a/charts/csm-authorization/policies/url.rego b/charts/csm-authorization/policies/url.rego deleted file mode 100644 index 071638ae..00000000 --- a/charts/csm-authorization/policies/url.rego +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.url - -allowlist = [ - "GET /api/login/", - "POST /proxy/refresh-token/", - "GET /api/version/", - "GET /api/types/System/instances/", - "GET /api/types/StoragePool/instances/", - "POST /api/types/Volume/instances/", - "GET /api/instances/Volume::[a-f0-9]+/$", - "POST /api/types/Volume/instances/action/queryIdByKey/", - "GET /api/instances/System::[a-f0-9]+/relationships/Sdc/", - "GET /api/instances/Sdc::[a-f0-9]+/relationships/Statistics/", - "GET /api/instances/Sdc::[a-f0-9]+/relationships/Volume/", - "GET /api/instances/Volume::[a-f0-9]+/relationships/Statistics/", - "GET /api/instances/StoragePool::[a-f0-9]+/relationships/Statistics/", - "POST /api/instances/Volume::[a-f0-9]+/action/addMappedSdc/", - "POST /api/instances/Volume::[a-f0-9]+/action/removeMappedSdc/", - "POST /api/instances/Volume::[a-f0-9]+/action/removeVolume/" -] - -default allow = true -allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) -} diff --git a/charts/csm-authorization/policies/volumes-create-test.rego b/charts/csm-authorization/policies/volumes-create-test.rego deleted file mode 100644 index 619e5a8d..00000000 --- a/charts/csm-authorization/policies/volumes-create-test.rego +++ /dev/null 
@@ -1,117 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.volumes.create - -roles = { - "us-east-1": { - "system_types": { - "powerflex": { - "system_ids": { - "2222": { - "pool_quotas": { - "bronze": "44000000" - } - } - } - } - } - }, - "us-west-1": { - "system_types": { - "powerflex": { - "system_ids": { - "1111": { - "pool_quotas": { - "bronze": 83886080 - } - } - } - } - } - }, - "us-west-2-small": { - "system_types": { - "powerflex": { - "system_ids": { - "2222": { - "pool_quotas": { - "bronze": 83886080 - } - } - } - } - } - }, - "us-west-2-large": { - "system_types": { - "powerflex": { - "system_ids": { - "2222": { - "pool_quotas": { - "bronze": 838860800, - "silver": 93886080000 - } - } - } - } - } - } - } - -test_small_request_allowed { - allow with input as { - "claims": { - "aud": "karavi", - "exp": 1615426023, - "group": "DevOpsGroup1", - "iss":"com.dell.karavi", - "roles":"us-east-1", - "sub":"karavi-tenant" - }, - "request": { - "name":"k8s-0fc0695995", - "protectionDomainId":"6b2ffe6c00000000", - "storagePoolId":"ae376b0300000000", - "volumeSizeInKb":"8388608", - "volumeType":"ThinProvisioned" - }, - "storagepool":"bronze", - "storagesystemid":"2222", - "systemtype": "powerflex" - } with data.karavi.common.roles as roles -} - -test_large_request_not_allowed { - not allow with input as { - "claims": { - "aud": "karavi", - "exp": 1615426023, - "group": 
"DevOpsGroup1", - "iss":"com.dell.karavi", - "roles":"us-west-2-small,us-west-2-large", - "sub":"karavi-tenant" - }, - "request": { - "name":"k8s-0fc0695995", - "protectionDomainId":"6b2ffe6c00000000", - "storagePoolId":"ae376b0300000000", - "volumeSizeInKb":"9999999999", - "volumeType":"ThinProvisioned" - }, - "storagepool":"bronze", - "storagesystemid":"2222", - "storagetype": "powerflex" - } with data.karavi.common.roles as roles -} diff --git a/charts/csm-authorization/policies/volumes-create.rego b/charts/csm-authorization/policies/volumes-create.rego deleted file mode 100644 index ee506874..00000000 --- a/charts/csm-authorization/policies/volumes-create.rego +++ /dev/null 
@@ -1,74 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.volumes.create - -import data.karavi.common - -# Deny requests by default. -default allow = false - -# -# Allows the request if one of the claimed roles matches -# a role configured to allow the storage request. -# -allow { - count(permitted_roles) != 0 - count(deny) == 0 -} - -# -# Deny if there are no roles found. -# -deny[msg] { - common.roles == {} - msg := sprintf("no configured roles", []) -} - -# -# Deny if claimed roles has no match for the request. -# -deny[msg] { - count(permitted_roles) == 0 - msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s", - [input.claims.roles, - input.request.volumeSizeInKb, - input.systemtype, - input.storagesystemid, - input.storagepool]) -} - -# -# These are permitted roles that are configured -# with the requested storage system, mapped to -# the allowable quota for the request storage -# pool. -# -# Example: { "role-1": 800000 } -# -permitted_roles[v] = y { - # Split the claimed roles by comma into an array. - claimed_roles := split(input.claims.roles, ",") - - # This block filters 'a' to contain only roles - # that are found in 'common.roles'. - some i - a := claimed_roles[i] - common.roles[a] - - # v will contain permitted roles that match the storage request. 
- v := claimed_roles[i] - common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) - y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) -} diff --git a/charts/csm-authorization/policies/volumes-delete.rego b/charts/csm-authorization/policies/volumes-delete.rego deleted file mode 100644 index 2ee0938c..00000000 --- a/charts/csm-authorization/policies/volumes-delete.rego +++ /dev/null @@ -1,48 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.volumes.delete - -import data.karavi.common - -default response = { - "allowed": true -} -response = { - "allowed": false, - "status": { - "reason": reason, - }, -} { - reason = concat(", ", deny) - reason != "" -} - -# -# Ensure there are roles configured. -# -deny[msg] { - common.roles == {} - msg := sprintf("no role data found", []) -} - -# -# Validate input: claims. -# -default claims = {} -claims = input.claims -deny[msg] { - claims == {} - msg := sprintf("missing claims", []) -} diff --git a/charts/csm-authorization/policies/volumes-map.rego b/charts/csm-authorization/policies/volumes-map.rego deleted file mode 100644 index 15fb172e..00000000 --- a/charts/csm-authorization/policies/volumes-map.rego +++ /dev/null 
@@ -1,42 +0,0 @@
-# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-package karavi.volumes.map
-
-import data.karavi.common
-
-default response = {
- "allowed": true
-}
-response = {
- "allowed": false,
- "status": {
- "reason": reason,
- },
-} {
- reason = concat(", ", deny)
- reason != ""
-}
-
-deny[msg] {
- common.roles == {}
- msg := sprintf("no role data found", [])
-}
-
-default claims = {}
-claims = input.claims
-deny[msg] {
- claims == {}
- msg := sprintf("missing claims", [])
-}
diff --git a/charts/csm-authorization/policies/volumes-powermax-create.rego b/charts/csm-authorization/policies/volumes-powermax-create.rego
deleted file mode 100644
index 96eb8894..00000000
--- a/charts/csm-authorization/policies/volumes-powermax-create.rego
+++ /dev/null
@@ -1,74 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.volumes.powermax.create - -import data.karavi.common - -# Deny requests by default. -default allow = false - -# -# Allows the request if one of the claimed roles matches -# a role configured to allow the storage request. -# -allow { - count(permitted_roles) != 0 - count(deny) == 0 -} - -# -# Deny if there are no roles found. -# -deny[msg] { - common.roles == {} - msg := sprintf("no configured roles", []) -} - -# -# Deny if claimed roles has no match for the request. -# -deny[msg] { - count(permitted_roles) == 0 - msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s", - [input.claims.roles, - input.request.volumeSizeInKb, - input.systemtype, - input.storagesystemid, - input.storagepool]) -} - -# -# These are permitted roles that are configured -# with the requested storage system, mapped to -# the allowable quota for the request storage -# pool. -# -# Example: { "role-1": 800000 } -# -permitted_roles[v] = y { - # Split the claimed roles by comma into an array. - claimed_roles := split(input.claims.roles, ",") - - # This block filters 'a' to contain only roles - # that are found in 'common.roles'. - some i - a := claimed_roles[i] - common.roles[a] - - # v will contain permitted roles that match the storage request. 
- v := claimed_roles[i] - common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) - y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) -} diff --git a/charts/csm-authorization/policies/volumes-powerscale-create.rego b/charts/csm-authorization/policies/volumes-powerscale-create.rego deleted file mode 100644 index 47a6fe12..00000000 --- a/charts/csm-authorization/policies/volumes-powerscale-create.rego +++ /dev/null 
@@ -1,60 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.volumes.powerscale.create - -import data.karavi.common - -# Deny requests by default. -default allow = false - -# -# Allows the request if one of the claimed roles matches -# a role configured to allow the storage request. -# -allow { - count(deny) == 0 -} - -# -# Deny if there are no roles found. -# -deny[msg] { - common.roles == {} - msg := sprintf("no configured roles", []) -} - -# -# These are permitted roles that are configured -# with the requested storage system, mapped to -# the allowable quota for the request storage -# pool. -# -# Example: { "role-1": 800000 } -# -permitted_roles[v] = y { - # Split the claimed roles by comma into an array. - claimed_roles := split(input.claims.roles, ",") - - # This block filters 'a' to contain only roles - # that are found in 'common.roles'. - some i - a := claimed_roles[i] - common.roles[a] - - # v will contain permitted roles that match the storage request. - v := claimed_roles[i] - common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) - y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) -} 
diff --git a/charts/csm-authorization/policies/volumes-unmap.rego b/charts/csm-authorization/policies/volumes-unmap.rego deleted file mode 100644 index f4a85f1f..00000000 --- a/charts/csm-authorization/policies/volumes-unmap.rego +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.volumes.unmap - -import data.karavi.common - -default response = { - "allowed": true -} -response = { - "allowed": false, - "status": { - "reason": reason, - }, -} { - reason = concat(", ", deny) - reason != "" -} - -deny[msg] { - common.roles == {} - msg := sprintf("no role data found", []) -} - -default claims = {} -claims = input.claims -deny[msg] { - claims == {} - msg := sprintf("missing claims", []) -} diff --git a/charts/csm-authorization/templates/NOTES.txt b/charts/csm-authorization/templates/NOTES.txt deleted file mode 100644 index 531c1aae..00000000 --- a/charts/csm-authorization/templates/NOTES.txt +++ /dev/null 
@@ -1,23 +0,0 @@ -The CSM Authorization deployment has been successfully installed. - -Execute the following commands in your shell to print the URL of the CSM Authorization NodePort LoadBalancer: - -export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" service {{ .Release.Namespace }}-ingress-nginx-controller) -export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") -echo https://$NODE_IP:$NODE_PORT - -LoadBalancer host rules for proxy-server: -- {{ .Values.authorization.hostname }} -- {{ .Release.Name }}-ingress-nginx-controller.{{ .Release.Namespace }}.svc.cluster.local - -LoadBalancer host rules for tenant-service: -- tenant.{{ .Values.authorization.hostname }} - -LoadBalancer host rules for role-service: -- role.{{ .Values.authorization.hostname }} - -LoadBalancer host rules for storage-service: -- storage.{{ .Values.authorization.hostname }} - -authorization.proxyHost value for a CSI Driver examples: -- {{ .Release.Name }}-ingress-nginx-controller.{{ .Release.Namespace }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization) diff --git a/charts/csm-authorization/templates/certificate.yaml b/charts/csm-authorization/templates/certificate.yaml deleted file mode 100644 index 956ca260..00000000 --- a/charts/csm-authorization/templates/certificate.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -# If the cert and key are provided, use them to create a tls secret -{{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} -{{- $certificateFileContents := .Values.authorization.certificate }} -{{- $privateKeyFileContents := .Values.authorization.privateKey }} -apiVersion: v1 -data: - tls.crt: {{ $certificateFileContents | b64enc }} - tls.key: {{ $privateKeyFileContents | b64enc }} -kind: Secret -type: kubernetes.io/tls -metadata: - name: user-provided-tls - namespace: {{ .Release.Namespace }} - ---- -{{- end }} - - -# If the cert and key are not provided, user cert-manager to create a self-signed tls secret -{{- if or (not .Values.authorization.certificate) (not .Values.authorization.privateKey) }} -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned - namespace: {{ .Release.Namespace }} -spec: - selfSigned: {} - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: karavi-auth - namespace: {{ .Release.Namespace }} -spec: - secretName: karavi-selfsigned-tls - duration: 2160h # 90d - renewBefore: 360h # 15d - subject: - organizations: - - dellemc - isCA: false - privateKey: - algorithm: RSA - encoding: PKCS1 - size: 2048 - usages: - - server auth - - client auth - dnsNames: - - karavi-auth - - karavi-auth.{{ .Release.Namespace }}.svc.kubernetes.local - - {{ .Values.authorization.hostname }} - - tenant.{{ .Values.authorization.hostname }} - - role.{{ .Values.authorization.hostname }} - - storage.{{ .Values.authorization.hostname }} - {{- if .Values.authorization.proxyServerIngress.hosts }} - {{- range .Values.authorization.proxyServerIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if .Values.authorization.tenantServiceIngress.hosts }} - {{- range .Values.authorization.tenantServiceIngress.hosts }} - - {{ tpl . 
$}} - {{- end }} - {{- end}} - {{- if .Values.authorization.roleServiceIngress.hosts }} - {{- range .Values.authorization.roleServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if .Values.authorization.storageServiceIngress.hosts }} - {{- range .Values.authorization.storageServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - issuerRef: - name: selfsigned - kind: Issuer - group: cert-manager.io -{{- end }} diff --git a/charts/csm-authorization/templates/csm-config-params.yaml b/charts/csm-authorization/templates/csm-config-params.yaml deleted file mode 100644 index 7ea7f66f..00000000 --- a/charts/csm-authorization/templates/csm-config-params.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: csm-config-params - namespace: {{ .Release.Namespace }} -data: - csm-config-params.yaml: | - LOG_LEVEL: {{ .Values.authorization.logLevel }} - {{- if (.Values.authorization.zipkin.collectoruri) }} - zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }} - zipkin.probability: {{ .Values.authorization.zipkin.probability }} - {{- end }} diff --git a/charts/csm-authorization/templates/ingress.yaml b/charts/csm-authorization/templates/ingress.yaml deleted file mode 100644 index b36fa5f4..00000000 --- a/charts/csm-authorization/templates/ingress.yaml +++ /dev/null 
@@ -1,207 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: proxy-server - namespace: {{ .Release.Namespace }} - {{- if .Values.authorization.proxyServerIngress.annotations }} - annotations: - {{- range $key, $value := .Values.authorization.proxyServerIngress.annotations }} - {{ $key }}: {{ tpl $value $ | quote }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.authorization.proxyServerIngress.ingressClassName }} - tls: - - hosts: - - {{ .Values.authorization.hostname }} - {{- if .Values.authorization.proxyServerIngress.hosts }} - {{- range .Values.authorization.proxyServerIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} - secretName: user-provided-tls - {{- else }} - secretName: karavi-selfsigned-tls - {{- end}} - rules: - - host: {{ .Values.authorization.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - {{- if .Values.authorization.proxyServerIngress.hosts }} - {{- range .Values.authorization.proxyServerIngress.hosts }} - - host: {{ tpl . $}} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - {{- end }} - {{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: tenant-service - namespace: {{ .Release.Namespace }} - annotations: - {{- if .Values.authorization.tenantServiceIngress.annotations }} - {{- range $key, $value := .Values.authorization.tenantServiceIngress.annotations }} - {{ $key }}: {{ tpl $value $ | quote }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.authorization.tenantServiceIngress.ingressClassName }} - tls: - - hosts: - - tenant.{{ .Values.authorization.hostname }} - {{- if .Values.authorization.tenantServiceIngress.hosts }} - {{- range .Values.authorization.tenantServiceIngress.hosts }} - - {{ tpl . 
$}} - {{- end }} - {{- end}} - {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} - secretName: user-provided-tls - {{- else }} - secretName: karavi-selfsigned-tls - {{- end}} - rules: - - host: tenant.{{ .Values.authorization.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: tenant-service - port: - number: 50051 - {{- if .Values.authorization.tenantServiceIngress.hosts }} - {{- range .Values.authorization.tenantServiceIngress.hosts }} - - host: {{ tpl . $}} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: tenant-service - port: - number: 50051 - {{- end }} - {{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: role-service - namespace: {{ .Release.Namespace }} - annotations: - {{- if .Values.authorization.roleServiceIngress.annotations }} - {{- range $key, $value := .Values.authorization.roleServiceIngress.annotations }} - {{ $key }}: {{ tpl $value $ | quote }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.authorization.roleServiceIngress.ingressClassName }} - tls: - - hosts: - - role.{{ .Values.authorization.hostname }} - {{- if .Values.authorization.roleServiceIngress.hosts }} - {{- range .Values.authorization.roleServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} - secretName: user-provided-tls - {{- else }} - secretName: karavi-selfsigned-tls - {{- end}} - rules: - - host: role.{{ .Values.authorization.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: role-service - port: - number: 50051 - {{- if .Values.authorization.roleServiceIngress.hosts }} - {{- range .Values.authorization.roleServiceIngress.hosts }} - - host: {{ tpl . 
$}} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: role-service - port: - number: 50051 - {{- end}} - {{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: storage-service - namespace: {{ .Release.Namespace }} - annotations: - {{- if .Values.authorization.storageServiceIngress.annotations }} - {{- range $key, $value := .Values.authorization.storageServiceIngress.annotations }} - {{ $key }}: {{ tpl $value $ | quote }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.authorization.storageServiceIngress.ingressClassName }} - tls: - - hosts: - - storage.{{ .Values.authorization.hostname }} - {{- if .Values.authorization.storageServiceIngress.hosts }} - {{- range .Values.authorization.storageServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} - secretName: user-provided-tls - {{- else }} - secretName: karavi-selfsigned-tls - {{- end}} - rules: - - host: storage.{{ .Values.authorization.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: storage-service - port: - number: 50051 - {{- if .Values.authorization.storageServiceIngress.hosts }} - {{- range .Values.authorization.storageServiceIngress.hosts }} - - host: {{ tpl . $}} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: storage-service - port: - number: 50051 - {{- end}} - {{- end}} diff --git a/charts/csm-authorization/templates/karavi-storage-secret.yaml b/charts/csm-authorization/templates/karavi-storage-secret.yaml deleted file mode 100644 index 4aa41669..00000000 --- a/charts/csm-authorization/templates/karavi-storage-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: karavi-storage-secret - namespace: {{ .Release.Namespace }} -data: - storage-systems.yaml: c3RvcmFnZToK 
diff --git a/charts/csm-authorization/templates/policies.yaml b/charts/csm-authorization/templates/policies.yaml
deleted file mode 100644
index 00ae3143..00000000
--- a/charts/csm-authorization/templates/policies.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: common - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/common.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powermax-urls - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/powermax-url.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerscale-urls - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/powerscale-url.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerflex-urls - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/url.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-create - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/volumes-create.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-delete - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/volumes-delete.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-map - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/volumes-map.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powermax-volumes-create - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/volumes-powermax-create.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerscale-volumes-create - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/volumes-powerscale-create.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-unmap - namespace: {{ .Release.Namespace }} -data: - {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }} \ No newline at end of file 
diff --git a/charts/csm-authorization/templates/proxy-server.yaml b/charts/csm-authorization/templates/proxy-server.yaml
deleted file mode 100644
index 0cd76539..00000000
--- a/charts/csm-authorization/templates/proxy-server.yaml
+++ /dev/null
@@ -1,115 +0,0 @@ -# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt -# list configmaps to be loaded into OPA as policies. -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: opa-viewer -roleRef: - kind: ClusterRole - name: view - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: Group - name: system:serviceaccounts:{{ .Release.Namespace }} - apiGroup: rbac.authorization.k8s.io ---- -# Define role for OPA/kube-mgmt to update configmaps with policy status. -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - namespace: {{ .Release.Namespace }} - name: configmap-modifier -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["update", "patch"] ---- -# Grant OPA/kube-mgmt role defined above. -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - namespace: {{ .Release.Namespace }} - name: opa-configmap-modifier -roleRef: - kind: Role - name: configmap-modifier - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: Group - name: system:serviceaccounts:{{ .Release.Namespace }} - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: proxy-server - namespace: {{ .Release.Namespace }} - labels: - app: proxy-server -spec: - replicas: 1 - selector: - matchLabels: - app: proxy-server - template: - metadata: - labels: - app: proxy-server - spec: - containers: - - name: proxy-server - image: {{ required "Must provide the proxy-server image." 
.Values.authorization.images.proxyService }} - imagePullPolicy: Always - args: - - "--redis-host=redis.{{ .Release.Namespace }}.svc.cluster.local:6379" - - "--tenant-service=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051" - ports: - - containerPort: 8080 - volumeMounts: - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - - name: opa - image: {{ required "Must provide the openpolicyagent image." .Values.authorization.images.opa }} - imagePullPolicy: IfNotPresent - args: - - "run" - - "--ignore=." - - "--server" - - "--log-level=debug" - ports: - - name: http - containerPort: 8181 - - name: kube-mgmt - image: {{ required "Must provide the opaKubeMgmt image." .Values.authorization.images.opaKubeMgmt }} - imagePullPolicy: IfNotPresent - args: - - "--policies={{ .Release.Namespace }}" - - "--enable-data" - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: proxy-server - namespace: {{ .Release.Namespace }} -spec: - selector: - app: proxy-server - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 diff --git a/charts/csm-authorization/templates/role-service.yaml b/charts/csm-authorization/templates/role-service.yaml deleted file mode 100644 index 180586b9..00000000 --- a/charts/csm-authorization/templates/role-service.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: role-service - namespace: {{ .Release.Namespace }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: role-service -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: role-service -subjects: - - kind: ServiceAccount - name: role-service - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: role-service - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: role-service - namespace: {{ .Release.Namespace }} - labels: - app: role-service -spec: - replicas: 1 - selector: - matchLabels: - app: role-service - template: - metadata: - labels: - app: role-service - spec: - serviceAccountName: role-service - containers: - - name: role-service - image: {{ required "Must provide the role-service image." .Values.authorization.images.roleService }} - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: {{ .Release.Namespace }} - volumeMounts: - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: role-service - namespace: {{ .Release.Namespace }} -spec: - selector: - app: role-service - ports: - - port: 50051 - targetPort: 50051 - name: grpc diff --git a/charts/csm-authorization/templates/storage-service.yaml b/charts/csm-authorization/templates/storage-service.yaml deleted file mode 100644 index 3df96faa..00000000 --- a/charts/csm-authorization/templates/storage-service.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: storage-service - namespace: {{ .Release.Namespace }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: storage-service -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: storage-service -subjects: - - kind: ServiceAccount - name: storage-service - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: storage-service - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: {{ .Release.Namespace }} - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: {{ required "Must provide the storage-service image." .Values.authorization.images.storageService }} - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: {{ .Release.Namespace }} - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: storage-service - namespace: {{ .Release.Namespace }} -spec: - selector: - app: storage-service - ports: - - port: 50051 - targetPort: 50051 - name: grpc diff --git a/charts/csm-authorization/templates/tenant-service.yaml b/charts/csm-authorization/templates/tenant-service.yaml deleted file mode 100644 index a526a763..00000000 --- a/charts/csm-authorization/templates/tenant-service.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tenant-service - namespace: {{ .Release.Namespace }} - labels: - app: tenant-service -spec: - replicas: 1 - selector: - matchLabels: - app: tenant-service - template: - metadata: - labels: - app: tenant-service - spec: - containers: - - name: tenant-service - image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService }} - imagePullPolicy: Always - args: - - "--redis-host=redis.{{ .Release.Namespace }}.svc.cluster.local:6379" - ports: - - containerPort: 50051 - name: grpc - volumeMounts: - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: tenant-service - namespace: {{ .Release.Namespace }} -spec: - selector: - app: tenant-service - ports: - - port: 50051 - targetPort: 50051 - name: grpc diff --git a/charts/csm-authorization/values.yaml b/charts/csm-authorization/values.yaml deleted file mode 100644 index a3cfa820..00000000 --- a/charts/csm-authorization/values.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -# if enabled, nginx ingress controller will be deployed -# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section -ingress-nginx: - enabled: true - -# if enabled, cert-manager will be deployed -# if cert-manager is already deployed, keep this false -cert-manager: - enabled: true - -authorization: - # images to use in installation - images: - proxyService: dellemc/csm-authorization-proxy:v1.5.0 - tenantService: dellemc/csm-authorization-tenant:v1.5.0 - roleService: dellemc/csm-authorization-role:v1.5.0 - storageService: dellemc/csm-authorization-storage:v1.5.0 - opa: openpolicyagent/opa - opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 - - # base hostname for the ingress rules that expose the services - # the proxy-server ingress will use this hostname - # the tenant-service ingress will use tenant.hostname - # the role-service ingress will use role.hostname - hostname: csm-authorization.com - - # log level for csm-authorization - logLevel: debug - - # tracing configuration - # this can be updated on the fly via the csm-config-params configMap - zipkin: {} - # collectoruri: http://DNS-hostname:9411/api/v2/spans - # probability: 1 - - # proxy-server ingress configuration - proxyServerIngress: - ingressClassName: nginx - - # additional host rules for the proxy-server ingress - hosts: [] - # - application-ingress-nginx-controller.namespace.svc.cluster.local - - # additional annotations for the proxy-server ingress - annotations: {} - - # tenant-service ingress configuration - tenantServiceIngress: - ingressClassName: nginx - - # additional host rules for the tenant-service ingress - hosts: [] - - # additional annotations for the tenant-service ingress - # if applicable, an annotation supporting grpc for your ingress controller must be supplied - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - - # role-service ingress configuration - 
roleServiceIngress: - ingressClassName: nginx - - # additional host rules for the role-service ingress - hosts: [] - - # additional annotations for the role-service ingress - # an annotation supporting grpc for your ingress controller must be supplied, if applicable - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - - # storage-service ingress configuration - storageServiceIngress: - ingressClassName: nginx - - # additional host rules for the storage-service ingress - hosts: [] - - # additional annotations for the storage-service ingress - # an annotation supporting grpc for your ingress controller must be supplied, if applicable - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - -redis: - images: - redis: redis:6.0.8-alpine - commander: rediscommander/redis-commander:latest - - # set the storageClass for redis to use. otherwise, the default storage class is used - # storageClass: local-storage diff --git a/charts/csm-authorization/.helmignore b/charts/csm-replication/.helmignore similarity index 96% rename from charts/csm-authorization/.helmignore rename to charts/csm-replication/.helmignore index 9d56613f..0e8a0eb3 100644 --- a/charts/csm-authorization/.helmignore +++ b/charts/csm-replication/.helmignore @@ -21,4 +21,3 @@ .idea/ *.tmproj .vscode/ -installer/ diff --git a/charts/csm-replication/Chart.yaml b/charts/csm-replication/Chart.yaml new file mode 100644 index 00000000..7708293b --- /dev/null +++ b/charts/csm-replication/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +name: csm-replication +type: application +version: 1.3.1 +appVersion: "1.3.1" diff --git a/charts/csm-replication/crds/replicationcrds.all.yaml b/charts/csm-replication/crds/replicationcrds.all.yaml new file mode 100644 index 00000000..e7e72e8b --- /dev/null +++ b/charts/csm-replication/crds/replicationcrds.all.yaml 
@@ -0,0 +1,171 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: dellcsireplicationgroups.replication.storage.dell.com +spec: + group: replication.storage.dell.com + names: + kind: DellCSIReplicationGroup + listKind: DellCSIReplicationGroupList + plural: dellcsireplicationgroups + shortNames: + - rg + singular: dellcsireplicationgroup + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - description: State of the CR + jsonPath: .status.state + name: State + type: string + - description: Protection Group ID + jsonPath: .spec.protectionGroupId + name: PG ID + type: string + - description: Replication Link State + jsonPath: .status.replicationLinkState.state + name: Link State + type: string + - description: Replication Link State + jsonPath: .status.replicationLinkState.lastSuccessfulUpdate + name: Last LinkState Update + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DellCSIReplicationGroup is the Schema for the dellcsireplicationgroups + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DellCSIReplicationGroupSpec defines the desired state of + DellCSIReplicationGroup + properties: + action: + type: string + driverName: + type: string + protectionGroupAttributes: + additionalProperties: + type: string + type: object + protectionGroupId: + type: string + remoteClusterId: + type: string + remoteProtectionGroupAttributes: + additionalProperties: + type: string + type: object + remoteProtectionGroupId: + type: string + requestParametersClass: + type: string + required: + - action + - driverName + - protectionGroupId + - remoteClusterId + - remoteProtectionGroupId + type: object + status: + description: DellCSIReplicationGroupStatus defines the observed state + of DellCSIReplicationGroup + properties: + conditions: + items: + description: LastAction - Stores the last updated action + properties: + condition: + description: Condition is the last known condition of the Custom + Resource + type: string + errorMessage: + description: ErrorMessage is the last error message associated + with the condition + type: string + firstFailure: + description: FirstFailure is the first time this action failed + format: date-time + type: string + time: + description: Time is the time stamp for the last action update + format: date-time + type: string + type: object + type: array + lastAction: + description: LastAction - Stores the last updated action + properties: + condition: + description: Condition is the last known condition of the Custom + Resource + type: string + errorMessage: + description: ErrorMessage is the last error message associated + with the condition + type: string + firstFailure: + description: FirstFailure is the first time this action failed + format: date-time + type: string + time: + description: Time is the time stamp for the last action update + format: date-time + type: 
string + type: object + remoteState: + type: string + replicationLinkState: + description: ReplicationLinkState - Stores the Replication Link State + properties: + errorMessage: + description: ErrorMessage is the last error message associated + with the link state + type: string + isSource: + description: IsSource indicates if this site is primary + type: boolean + lastSuccessfulUpdate: + description: LastSuccessfulUpdate is the time stamp for the last + state update + format: date-time + type: string + state: + description: State is the last reported state of the Replication + Link + type: string + required: + - isSource + type: object + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/csm-replication/templates/_helpers.tpl b/charts/csm-replication/templates/_helpers.tpl new file mode 100644 index 00000000..5525732a --- /dev/null +++ b/charts/csm-replication/templates/_helpers.tpl 
@@ -0,0 +1,72 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "csm-replication.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "csm-replication.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "csm-replication.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "csm-replication.labels" -}}
+helm.sh/chart: {{ include "csm-replication.chart" . }}
+{{ include "csm-replication.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "csm-replication.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "csm-replication.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "csm-replication.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "csm-replication.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+*/}}
+
+{{- define "custom.namespace" -}}
+ {{ .Values.namespace | default .Release.Namespace }}
+{{- end -}}
diff --git a/charts/csm-replication/templates/controller.yaml b/charts/csm-replication/templates/controller.yaml
new file mode 100644
index 00000000..a7b2b2c1
--- /dev/null
+++ b/charts/csm-replication/templates/controller.yaml
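Review bot: The scaffold helpers `csm-replication.name`, `csm-replication.fullname`, `csm-replication.labels` and `csm-replication.serviceAccountName` read `.Values.nameOverride`, `.Values.fullnameOverride` and `.Values.serviceAccount.create`, none of which the chart's values.yaml added in this commit defines, and nothing in the visible controller.yaml includes them. The first template that does include `csm-replication.serviceAccountName` would error at render time on `.Values.serviceAccount.create`, because `.Values.serviceAccount` resolves to nil. Either drop the unused helpers or add the values they depend on, so that the only helper actually in use, `custom.namespace`, is not surrounded by code that cannot be called safely.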
@@ -0,0 +1,297 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dell-replication-controller-sa
+  namespace: {{ include "custom.namespace" . }}
+secrets:
+- name: replication-secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: dell-replication-manager-role
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - replication.storage.dell.com
+  resources:
+  - dellcsireplicationgroups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - replication.storage.dell.com
+  resources:
+  - dellcsireplicationgroups/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dell-replication-metrics-reader
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dell-replication-proxy-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: replication-secret
+  namespace: {{ include "custom.namespace" . }}
+  annotations:
+    kubernetes.io/service-account.name: dell-replication-controller-sa
+    kubernetes.io/service-account.namespace: {{ include "custom.namespace" . }}
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dell-replication-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dell-replication-manager-role
+subjects:
+- kind: ServiceAccount
+  name: dell-replication-controller-sa
+  namespace: {{ include "custom.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dell-replication-proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dell-replication-proxy-role
+subjects:
+- kind: ServiceAccount
+  name: dell-replication-controller-sa
+  namespace: {{ include "custom.namespace" . }}
+---
+{{- $secret := (lookup "v1" "ConfigMap" "{{ include custom.namespace . }}" "dell-replication-controller-config").data -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dell-replication-controller-config
+  namespace: {{ include "custom.namespace" . }}
+{{ if $secret -}}
+data:
+  {{- range $key, $value := $secret }}
+  {{ $key }}: {{ toYaml $value }}
+  {{ end }}
+{{ else -}}
+data:
+  config.yaml: |
+    clusterId: ""
+    targets: []
+    CSI_LOG_LEVEL: {{ .Values.logLevel }}
+{{ end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: dell-replication-controller-manager-metrics-service
+  namespace: {{ include "custom.namespace" . }}
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: dell-replication-controller-manager
+  namespace: {{ include "custom.namespace" . }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      {{- if hasKey .Values "hostAliases" }}
+      hostAliases:
+      {{- toYaml .Values.hostAliases | nindent 6 }}
+      {{- end }}
+      serviceAccountName: dell-replication-controller-sa
+      containers:
+      - args:
+        - prefix=replication.storage.dell.com
+        {{- if eq .Values.leaderElection "true" }}
+        - enable-leader-election
+        {{ end }}
+        - retry-interval-start {{ .Values.retryIntervalMin }}
+        - retry-interval-max {{ .Values.retryIntervalMax }}
+        command:
+        - /dell-replication-controller
+        env:
+        - name: X_CSI_REPLICATION_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: X_CSI_REPLICATION_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: X_CSI_REPLICATION_IN_CLUSTER
+          value: "true"
+        - name: X_CSI_REPLICATION_WATCH_NAMESPACE
+          value: {{ include "custom.namespace" . }}
+        - name: X_CSI_REPLICATION_CONFIG_DIR
+          value: /app/config
+        - name: X_CSI_REPLICATION_CERT_DIR
+          value: /app/certs
+        - name: X_CSI_REPLICATION_CONFIG_FILE_NAME
+          value: config
+        image: {{ .Values.image }}
+        imagePullPolicy: Always
+        name: manager
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        volumeMounts:
+        - mountPath: /app/config
+          name: configmap-volume
+        - mountPath: /app/certs
+          name: cert-dir
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - emptyDir: null
+        name: cert-dir
+      - configMap:
+          name: dell-replication-controller-config
+          optional: true
+        name: configmap-volume
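Review bot: The `lookup` call in front of the ConfigMap passes the namespace as the literal string `"{{ include custom.namespace . }}"`; template actions are not re-evaluated inside a quoted string, so the call looks in a namespace name that cannot exist and the branch meant to preserve an existing `dell-replication-controller-config` on upgrade is never taken (depending on how the API server answers the malformed name, rendering may also fail outright). It should read `{{- $secret := (lookup "v1" "ConfigMap" (include "custom.namespace" .) "dell-replication-controller-config").data -}}`. In that same preserve branch, `{{ $key }}: {{ toYaml $value }}` will, I believe, emit a multi-line value such as config.yaml as a block scalar whose continuation lines are not indented under the key, producing invalid YAML; `{{ $key }}: {{ $value | quote }}` avoids that. Further down, the `cert-dir` volume is declared as `- emptyDir: null`, which decodes to a volume with no source and is likely to be rejected by the API server; `- emptyDir: {}` is the intended form. The manager ClusterRole also grants `get`/`list`/`watch` on every Secret in the cluster; if the controller only needs the secrets referenced by its replication storage classes, narrowing that once the set is known would reduce the blast radius of the long-lived `replication-secret` token.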
diff --git a/charts/csm-replication/values.yaml b/charts/csm-replication/values.yaml
new file mode 100644
index 00000000..96655062
--- /dev/null
+++ b/charts/csm-replication/values.yaml
@@ -0,0 +1,39 @@
+# replicas: Defines number of controller replicas
+# Allowed values: int
+# Default value: 1
+replicas: 1
+
+# image: Defines controller image. This shouldn't be changed
+# Allowed values: string
+image: dellemc/dell-replication-controller:v1.3.1
+
+# logLevel: Defines initial log level for controller. This can be changed in runtime
+# Allowed values: "debug", "info", "warn", "error", "panic"
+# Default value: "info"
+logLevel: "info"
+
+# leaderElection: Enable leader election for dell-replication-controller manager.
+# Enabling this will ensure there is only one active dell-replication-controller manager.
+# Allowed values: "true", "false"
+# Default value: "true"
+leaderElection: "true"
+
+# retryIntervalMin: Initial retry interval of failed reconcile request.
+# It doubles with each failure, upto retry-interval-max
+# Allowed values: time
+retryIntervalMin: 1s
+
+# retryIntervalMax: Maximum retry interval of failed reconcile request
+# Allowed values: time
+retryIntervalMax: 5m
+
+# HostAliases: Optional features that allows entries injection into pod's /etc/hosts file
+#hostAliases:
+# - ip: "10.10.10.10"
+# hostnames:
+# - "foo.bar"
+# - ip: "10.10.10.11"
+# hostnames:
+# - "foo.baz"
+
+# namespace: replication-ns
\ No newline at end of file
diff --git a/charts/karavi-observability/Chart.yaml b/charts/karavi-observability/Chart.yaml
index 409d26e5..12e90a1a 100644
--- a/charts/karavi-observability/Chart.yaml
+++ b/charts/karavi-observability/Chart.yaml
@@ -8,3 +8,4 @@ dependencies:
 - name: cert-manager
   version: 1.10.0
   repository: https://charts.jetstack.io
+  condition: cert-manager.enabled
diff --git a/charts/karavi-observability/crds/cert-manager.crds.yaml b/charts/karavi-observability/crds/cert-manager.crds.yaml
new file mode 100644
index 00000000..62f42682
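Review bot: `condition: cert-manager.enabled` on the cert-manager dependency only takes effect if that path exists in the parent chart's values, and the visible hunks of this commit do not add a `cert-manager.enabled` key to charts/karavi-observability/values.yaml; Helm ignores a condition whose path is absent, so the subchart stays enabled and users have no documented way to turn it off. Add the key with its default and a comment, e.g. `# if cert-manager is already deployed, keep this false` / `cert-manager:` / `  enabled: true`, as the removed csm-authorization values.yaml did for the same toggle. If the key is being added in a later patch of this series, a pointer to it in the commit description would help.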
--- /dev/null
+++ b/charts/karavi-observability/crds/cert-manager.crds.yaml
@@ -0,0 +1,4414 @@ +# Copyright 2022 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.0" +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + categories: + - cert-manager + scope: Cluster + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. 
It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + type: object + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. + type: object + required: + - privateKeySecretRef + - server + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. 
+ type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server outputs multiple. 
PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' + type: string + maxLength: 64 + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + server: + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. 
Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + type: array + items: + description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
+ type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. 
+ type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. 
\n Support: Core (Gateway) \n Support: Custom (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. 
\n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
+ type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. 
Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. 
+ type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. 
A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
+ type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
+ type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + ca: + description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. + type: array + items: + type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. + type: string + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 
+ type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. + type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object + properties: + appRole: + description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + kubernetes: + description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
+ type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: + description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. 
If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 
+ type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. 
All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. + type: string + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + type: object + properties: + acme: + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also be used to retrieve account details from the CA + type: string + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). 
+ type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: challenges.acme.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.0" +spec: + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + properties: + authorizationURL: + description: The URL to the ACME Authorization resource that this challenge is a part of. + type: string + dnsName: + description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. + type: string + issuerRef: + description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + key: + description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' + type: string + solver: + description: Contains the domain solving configuration that should be used to solve this challenge resource. + type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. 
+ type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
+ type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. 
+ type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. 
\n Support: Core (Gateway) \n Support: Custom (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. 
\n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
+ type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. 
Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. 
+ type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. 
A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
+ type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
+ type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + token: + description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". + type: string + enum: + - HTTP-01 + - DNS-01 + url: + description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. + type: boolean + status: + type: object + properties: + presented: + description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. 
If this field is set to false, the challenge controller will not take any more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + served: true + storage: true + subresources: + status: {} +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.0" +spec: + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Approved")].status + name: Approved + type: string + - jsonPath: .status.conditions[?(@.type=="Denied")].status + name: Denied + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + type: string + - jsonPath: .spec.username + name: Requestor + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. 
It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + type: object + required: + - issuerRef + - request + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. + type: string + extra: + description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: object + additionalProperties: + type: array + items: + type: string + groups: + description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. 
+ type: array + items: + type: string + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + request: + description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing. + type: string + format: byte + uid: + description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + username: + description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. + type: string + status: + description: Status of the CertificateRequest. This is set and managed automatically. + type: object + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. + type: string + format: byte + certificate: + description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. + type: string + format: byte + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. 
Known condition types are `Ready` and `InvalidRequest`. + type: array + items: + description: CertificateRequestCondition contains condition information for a CertificateRequest. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. 
+ type: string + format: date-time + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.0" +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + type: object + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. + type: object + required: + - privateKeySecretRef + - server + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. 
+ type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' + type: string + maxLength: 64 + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. 
Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + server: + description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + type: array + items: + description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. 
+ type: object + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientSecretSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + clientTokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: resource ID of the managed identity, can not be used at the same time as clientID + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and ClientSecret then this field is also needed + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
+ type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. 
+ type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + webhook: + description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. + type: object + additionalProperties: + type: string + parentRefs: + description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + type: array + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + type: object + required: + - name + properties: + group: + description: "Group is the group of the referent. \n Support: Core" + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: "Kind is kind of the referent. 
\n Support: Core (Gateway) \n Support: Custom (Other Resources)" + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: "Name is the name of the referent. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + namespace: + description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core" + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. 
\n Support: Extended \n " + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified. 
+ type: string + ingressTemplate: + description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 challenge solver pod. 
Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. 
due to an update), the system may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-map-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. 
+ type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. 
A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + weight: + description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
+ type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + topologyKey: + description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + properties: + effect: + description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. 
+ type: string + operator: + description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used to solve. 
The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + ca: + description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. + type: array + items: + type: string + ocspServers: + description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. + type: string + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. 
+ type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. + type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object + properties: + appRole: + description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + kubernetes: + description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
+ type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + caBundle: + description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. 
If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. 
+ type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + url: + description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. 
All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. + type: string + status: + description: Status of the Issuer. This is set and managed automatically. + type: object + properties: + acme: + description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also be used to retrieve account details from the CA + type: string + conditions: + description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). 
+ type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.0" +spec: + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.secretName + name: Secret + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." 
+ type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Certificate resource. + type: object + required: + - issuerRef + - secretName + properties: + additionalOutputFormats: + description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. + type: array + items: + description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. + type: object + required: + - type + properties: + type: + description: Type is the name of the format type that should be written to the Certificate's target Secret. + type: string + enum: + - DER + - CombinedPEM + commonName: + description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. 
This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. + type: array + items: + type: string + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + emailAddresses: + description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. + type: array + items: + type: string + encodeUsagesInRequest: + description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest + type: boolean + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. + type: array + items: + type: string + isCA: + description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. 
+ type: string + keystores: + description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. + type: object + properties: + jks: + description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. 
A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + literalSubject: + description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook. + type: string + privateKey: + description: Options to control private keys used for the Certificate. + type: object + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. 
+ type: string + enum: + - RSA + - ECDSA + - Ed25519 + encoding: + description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + enum: + - PKCS1 + - PKCS8 + rotationPolicy: + description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. + type: string + enum: + - Never + - Always + size: + description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + type: integer + renewBefore: + description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + revisionHistoryLimit: + description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. 
Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. + type: integer + format: int32 + secretName: + description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. + type: object + properties: + annotations: + description: Annotations is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + labels: + description: Labels is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + organizations: + description: Organizations to be used on the Certificate. 
+ type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uris: + description: URIs is a list of URI subjectAltNames to be set on the Certificate. + type: array + items: + type: string + usages: + description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: Status of the Certificate. This is set and managed automatically. 
+ type: object + properties: + conditions: + description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. + type: array + items: + description: CertificateCondition contains condition information for an Certificate. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `Issuing`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). 
+ type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time. + type: string + format: date-time + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. + type: string + format: date-time + notBefore: + description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. + type: string + format: date-time + renewalTime: + description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. + type: string + format: date-time + revision: + description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." 
+ type: integer + served: true + storage: true +--- +# Source: cert-manager/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.10.0" +spec: + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + categories: + - cert-manager + - cert-manager-acme + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - issuerRef + - request + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + duration: + description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + request: + description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 
+ type: string + format: byte + status: + type: object + properties: + authorizations: + description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. + type: array + items: + description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. + type: object + required: + - url + properties: + challenges: + description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. + type: array + items: + description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. + type: object + required: + - token + - type + - url + properties: + token: + description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. + type: string + identifier: + description: Identifier is the DNS name to be validated as part of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. 
If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL is the URL of the Authorization that must be completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + certificate: + description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. + type: string + format: byte + failureTime: + description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. + type: string + format: date-time + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL of the Order. This will initially be empty when the resource is first created. 
The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. + type: string + served: true + storage: true diff --git a/charts/karavi-observability/templates/_helpers.tpl b/charts/karavi-observability/templates/_helpers.tpl new file mode 100644 index 00000000..000bd372 --- /dev/null +++ b/charts/karavi-observability/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/karavi-observability/templates/cert-manager.yaml b/charts/karavi-observability/templates/cert-manager.yaml index a17200e6..f6097097 100644 --- a/charts/karavi-observability/templates/cert-manager.yaml +++ b/charts/karavi-observability/templates/cert-manager.yaml @@ -10,7 +10,7 @@ kind: Secret type: kubernetes.io/tls metadata: name: karavi-topology-secret - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} --- @@ -18,7 +18,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: karavi-topology-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} spec: ca: secretName: karavi-topology-secret @@ -38,7 +38,7 @@ kind: Secret type: kubernetes.io/tls metadata: name: karavi-metrics-powerstore-secret - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} --- @@ -46,7 +46,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: karavi-metrics-powerstore-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} spec: ca: secretName: karavi-metrics-powerstore-secret 
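Review bot: The helper's result is rendered unquoted into every `namespace:` field that switches to it in the hunks below (cert-manager.yaml, the service-account, deployment, configmap, topology and otel-collector templates), so a namespace name that a YAML 1.1 parser types as a non-string — `no`, `on`, `true`, or an all-digit name, all of which are valid DNS labels — would render as a boolean or integer and be rejected by the API server. Quoting once in the define, `{{ .Values.namespace | default .Release.Namespace | quote }}`, covers every caller without touching the other files. Templates this patch does not touch — a PowerMax metrics template, if the chart carries one — would presumably still pin their resources to `.Release.Namespace`, so a release with `namespace` set would split the stack across two namespaces; worth confirming with `helm template` and a non-default `namespace`. The file is also written without a trailing newline.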
@@ -63,7 +63,7 @@ kind: Secret type: kubernetes.io/tls metadata: name: otel-collector-secret - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} data: tls.crt: {{ $certificateFileContents | b64enc }} tls.key: {{ $privateKeyFileContents | b64enc }} @@ -74,7 +74,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: otel-collector-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} spec: ca: secretName: otel-collector-secret @@ -88,7 +88,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: selfsigned-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} spec: selfSigned: {} @@ -99,7 +99,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: otel-collector - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} spec: secretName: otel-collector-tls duration: 2160h # 90d @@ -133,7 +133,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: karavi-topology - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} spec: secretName: karavi-topology-tls duration: 2160h # 90d @@ -167,7 +167,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: karavi-metrics-powerstore - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} spec: secretName: karavi-metrics-powerstore-tls duration: 2160h # 90d diff --git a/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml index 80bfdb01..0168734f 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml 
@@ -4,7 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-metrics-powerflex-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} --- @@ -32,7 +32,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-metrics-powerflex-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-metrics-powerflex-controller diff --git a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml index 8e8a8ae4..177b3d1c 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml @@ -7,6 +7,7 @@ metadata: app.kubernetes.io/name: karavi-metrics-powerflex app.kubernetes.io/instance: {{ .Release.Name }} name: karavi-metrics-powerflex + namespace: {{ include "custom.namespace" . }} spec: type: {{ .Values.karaviMetricsPowerflex.service.type }} ports: @@ -23,6 +24,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: karavi-metrics-powerflex + namespace: {{ include "custom.namespace" . }} labels: app.kubernetes.io/name: karavi-metrics-powerflex app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml index 7f8a5bad..5998d872 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-metrics-powerscale-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} --- 
@@ -32,7 +32,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-metrics-powerscale-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-metrics-powerscale-controller diff --git a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml index 1caf0682..510e9460 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml @@ -7,6 +7,7 @@ metadata: app.kubernetes.io/name: karavi-metrics-powerscale app.kubernetes.io/instance: {{ .Release.Name }} name: karavi-metrics-powerscale + namespace: {{ include "custom.namespace" . }} spec: type: {{ .Values.karaviMetricsPowerscale.service.type }} ports: @@ -23,6 +24,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: karavi-metrics-powerscale + namespace: {{ include "custom.namespace" . }} labels: app.kubernetes.io/name: karavi-metrics-powerscale app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml index 67b1d8f6..ab16d674 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-metrics-powerstore-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} --- 
@@ -29,7 +29,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-metrics-powerstore-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-metrics-powerstore-controller diff --git a/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml b/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml index 9579add2..a54d1d5a 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml @@ -7,6 +7,7 @@ metadata: app.kubernetes.io/name: karavi-metrics-powerstore app.kubernetes.io/instance: {{ .Release.Name }} name: karavi-metrics-powerstore + namespace: {{ include "custom.namespace" . }} spec: type: {{ .Values.karaviMetricsPowerstore.service.type }} ports: @@ -23,6 +24,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: karavi-metrics-powerstore + namespace: {{ include "custom.namespace" . }} labels: app.kubernetes.io/name: karavi-metrics-powerstore app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/karavi-observability/templates/karavi-observability-configmap.yaml b/charts/karavi-observability/templates/karavi-observability-configmap.yaml index 67c95385..c4304422 100644 --- a/charts/karavi-observability/templates/karavi-observability-configmap.yaml +++ b/charts/karavi-observability/templates/karavi-observability-configmap.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: karavi-metrics-powerflex-configmap + namespace: {{ include "custom.namespace" . }} data: karavi-metrics-powerflex.yaml : | COLLECTOR_ADDR: {{ .Values.karaviMetricsPowerflex.collectorAddr }} @@ -28,6 +29,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: karavi-topology-configmap + namespace: {{ include "custom.namespace" . }} data: karavi-topology.yaml: | PROVISIONER_NAMES: {{ .Values.karaviTopology.provisionerNames }} 
@@ -47,6 +49,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: karavi-metrics-powerstore-configmap + namespace: {{ include "custom.namespace" . }} data: karavi-metrics-powerstore.yaml : | COLLECTOR_ADDR: {{ .Values.karaviMetricsPowerstore.collectorAddr }} @@ -73,6 +76,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: karavi-metrics-powerscale-configmap + namespace: {{ include "custom.namespace" . }} data: karavi-metrics-powerscale.yaml : | COLLECTOR_ADDR: {{ .Values.karaviMetricsPowerscale.collectorAddr }} diff --git a/charts/karavi-observability/templates/karavi-topology-service-account.yaml b/charts/karavi-observability/templates/karavi-topology-service-account.yaml index c5ca9520..71e3ad09 100644 --- a/charts/karavi-observability/templates/karavi-topology-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-topology-service-account.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-topology-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} --- @@ -26,7 +26,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-topology-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-topology-controller diff --git a/charts/karavi-observability/templates/karavi-topology.yaml b/charts/karavi-observability/templates/karavi-topology.yaml index 968a96e5..68b4b199 100644 --- a/charts/karavi-observability/templates/karavi-topology.yaml +++ b/charts/karavi-observability/templates/karavi-topology.yaml @@ -7,6 +7,7 @@ metadata: app.kubernetes.io/name: karavi-topology app.kubernetes.io/instance: {{ .Release.Name }} name: karavi-topology + namespace: {{ include "custom.namespace" . }} spec: type: {{ .Values.karaviTopology.service.type }} ports: 
@@ -23,6 +24,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: karavi-topology + namespace: {{ include "custom.namespace" . }} labels: app.kubernetes.io/name: karavi-topology app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/karavi-observability/templates/otel-collector.yaml b/charts/karavi-observability/templates/otel-collector.yaml index b833d345..093bf924 100644 --- a/charts/karavi-observability/templates/otel-collector.yaml +++ b/charts/karavi-observability/templates/otel-collector.yaml @@ -5,6 +5,7 @@ data: kind: ConfigMap metadata: name: otel-collector-config + namespace: {{ include "custom.namespace" . }} --- @@ -15,6 +16,7 @@ data: kind: ConfigMap metadata: name: nginx-config + namespace: {{ include "custom.namespace" . }} --- @@ -22,6 +24,7 @@ apiVersion: v1 kind: Service metadata: name: otel-collector + namespace: {{ include "custom.namespace" . }} labels: app.kubernetes.io/name: otel-collector app.kubernetes.io/instance: {{ .Release.Name }} @@ -44,6 +47,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: otel-collector + namespace: {{ include "custom.namespace" . }} labels: app.kubernetes.io/name: otel-collector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml index 1a7e2001..535a13e5 100644 --- a/charts/karavi-observability/values.yaml +++ b/charts/karavi-observability/values.yaml @@ -171,9 +171,11 @@ otelCollector: type: ClusterIP nginxProxy: image: nginxinc/nginx-unprivileged:1.20 - +# Karavi-observability requires cert-manager. If cert-manager is already present in cluster, set enabled to false not to install it. cert-manager: + enabled: true startupapicheck: enabled: false serviceAccount: create: false +# namespace: observability-ns \ No newline at end of file From 8d4295d6fa854763020e29f44c0bf257d9ae4e1e Mon Sep 17 00:00:00 2001 
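Review bot: The new `namespace` override (the commented `# namespace: observability-ns` at the end of the values.yaml hunk) is undocumented, even though every template in this patch now resolves `metadata.namespace` through `custom.namespace` (the service-account, Service, Deployment and ConfigMap hunks on L217–L219 and the topology/otel-collector hunks here). Helm only creates the release namespace, so a value that differs from `--namespace` presumably requires that namespace to exist before install and leaves the release record in a different namespace than the objects it manages — the helper itself is not in this chunk, so confirm. I would expand the comment to `# namespace: overrides the release namespace for every object in this chart; it must already exist (helm will not create it)`.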
From: taohe1012 <88763781+taohe1012@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:28:51 +0800
Subject: [PATCH 04/27] Rename arrayCapacityPollFrequencySeconds to capacityPollFrequencySeconds (#172)
---
 .../templates/karavi-observability-configmap.yaml | 2 +-
 charts/karavi-observability/values.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/karavi-observability/templates/karavi-observability-configmap.yaml b/charts/karavi-observability/templates/karavi-observability-configmap.yaml
index c4304422..ab17f62d 100644
--- a/charts/karavi-observability/templates/karavi-observability-configmap.yaml
+++ b/charts/karavi-observability/templates/karavi-observability-configmap.yaml
@@ -110,7 +110,7 @@ data:
 POWERMAX_MAX_CONCURRENT_QUERIES: "{{ .Values.karaviMetricsPowermax.concurrentPowermaxQueries }}"
 POWERMAX_CAPACITY_METRICS_ENABLED: "{{ .Values.karaviMetricsPowermax.capacityMetricsEnabled }}"
 POWERMAX_PERFORMANCE_METRICS_ENABLED: "{{ .Values.karaviMetricsPowermax.performanceMetricsEnabled }}"
- POWERMAX_ARRAY_CAPACITY_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.arrayCapacityPollFrequencySeconds }}"
+ POWERMAX_CAPACITY_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.capacityPollFrequencySeconds }}"
 POWERMAX_ARRAY_PERFORMANCE_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.arrayPerformancePollFrequencySeconds }}"
 LOG_LEVEL: "{{ .Values.karaviMetricsPowermax.logLevel }}"
 LOG_FORMAT: "{{ .Values.karaviMetricsPowermax.logFormat }}"
diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml
index 535a13e5..a35a01b8 100644
--- a/charts/karavi-observability/values.yaml
+++ b/charts/karavi-observability/values.yaml
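Review bot: The renamed value `capacityPollFrequencySeconds` has no fallback, so a user's existing override of `arrayCapacityPollFrequencySeconds` is silently ignored and `POWERMAX_CAPACITY_POLL_FREQUENCY` renders as `""` instead of a number; the performance rename in the configmap hunk on L222 has the same gap. A default in the template keeps older values files from producing an empty setting: `POWERMAX_CAPACITY_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.capacityPollFrequencySeconds | default 20 }}"`. Whether the collector rejects an empty string or treats it as zero is not visible here, so the key rename also deserves a line in the release notes either way.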
@@ -138,8 +138,8 @@ karaviMetricsPowermax:
 capacityMetricsEnabled: "true"
 # set performanceMetricsEnabled to "false" to disable collection of performance metrics
 performanceMetricsEnabled: "true"
- # set polling frequency to get array capacity metrics data
- arrayCapacityPollFrequencySeconds: 20
+ # set polling frequency to get capacity metrics data for volume, storagegroup, srp and array
+ capacityPollFrequencySeconds: 20
 # set polling frequency to get cluster performance data
 arrayPerformancePollFrequencySeconds: 20
 # set the default max concurrent queries to PowerMax
From 9c24724cc3b1012efc9d6fcbab44e4ac9ed333c7 Mon Sep 17 00:00:00 2001
From: P-Cao <105041254+P-Cao@users.noreply.github.com>
Date: Tue, 7 Feb 2023 20:30:29 +0800
Subject: [PATCH 05/27] Rename the performance poll frequency (#173)
---
 .../templates/karavi-observability-configmap.yaml | 2 +-
 charts/karavi-observability/values.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/karavi-observability/templates/karavi-observability-configmap.yaml b/charts/karavi-observability/templates/karavi-observability-configmap.yaml
index ab17f62d..67b8f62d 100644
--- a/charts/karavi-observability/templates/karavi-observability-configmap.yaml
+++ b/charts/karavi-observability/templates/karavi-observability-configmap.yaml
@@ -111,7 +111,7 @@ data:
 POWERMAX_CAPACITY_METRICS_ENABLED: "{{ .Values.karaviMetricsPowermax.capacityMetricsEnabled }}"
 POWERMAX_PERFORMANCE_METRICS_ENABLED: "{{ .Values.karaviMetricsPowermax.performanceMetricsEnabled }}"
 POWERMAX_CAPACITY_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.capacityPollFrequencySeconds }}"
- POWERMAX_ARRAY_PERFORMANCE_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.arrayPerformancePollFrequencySeconds }}"
+ POWERMAX_PERFORMANCE_POLL_FREQUENCY: "{{ .Values.karaviMetricsPowermax.performancePollFrequencySeconds }}"
 LOG_LEVEL: "{{ .Values.karaviMetricsPowermax.logLevel }}"
 LOG_FORMAT: "{{ .Values.karaviMetricsPowermax.logFormat }}"
diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml
index a35a01b8..ce9e8f70 100644
--- a/charts/karavi-observability/values.yaml
+++ b/charts/karavi-observability/values.yaml
@@ -140,8 +140,8 @@ karaviMetricsPowermax:
 performanceMetricsEnabled: "true"
 # set polling frequency to get capacity metrics data for volume, storagegroup, srp and array
 capacityPollFrequencySeconds: 20
- # set polling frequency to get cluster performance data
- arrayPerformancePollFrequencySeconds: 20
+ # set polling frequency to get performance metrics data for volume, storagegroup
+ performancePollFrequencySeconds: 20
 # set the default max concurrent queries to PowerMax
 concurrentPowermaxQueries: 10
 # set the default endpoint for PowerMax service
From 210a9cbcc6fbd06b9236ba401ab0f909e7d05391 Mon Sep 17 00:00:00 2001
From: chaganti-rajitha <111744573+chaganti-rajitha@users.noreply.github.com> Date: Tue, 21 Feb 2023 22:11:00 +0530 Subject: [PATCH 06/27] Powerstore, Powermax and their supported modules chart changes for CSM installation Wizard (#174) * Added powermax, authorization and updated charts with latest changes * changed kubeversion in powerstore * Updated charts with latest changes * updated the charts with latest changes from respective repos * updated the charts with latest changes * updated the charts with latest changes * updated charts with new versions * updated powermax, replication with latest changes and removed authorization from csm chart --- charts/container-storage-modules/Chart.yaml | 19 +- charts/container-storage-modules/values.yaml | 146 +++++- charts/csi-powermax/Chart.yaml | 27 + .../charts/csireverseproxy/Chart.yaml | 9 + .../charts/csireverseproxy/conf/config.yaml | 82 +++ .../csireverseproxy/templates/_helpers.tpl | 9 + .../csireverseproxy/templates/configmap.yaml | 7 + .../templates/reverseproxy-rbac.yaml | 25 + .../templates/reverseproxy.yaml | 50 ++ .../csireverseproxy/templates/service.yaml | 17 + .../templates/serviceaccount.yaml | 7 + .../charts/csireverseproxy/values.yaml | 7 + charts/csi-powermax/templates/_helpers.tpl | 60 +++ charts/csi-powermax/templates/controller.yaml | 484 ++++++++++++++++++ charts/csi-powermax/templates/csidriver.yaml | 11 + .../templates/driver-config-params.yaml | 9 + charts/csi-powermax/templates/node.yaml | 392 ++++++++++++++ charts/csi-powermax/values.yaml | 440 ++++++++++++++++ charts/csi-powerstore/Chart.yaml | 12 +- charts/csi-powerstore/templates/_helpers.tpl | 26 +- .../csi-powerstore/templates/controller.yaml | 59 +++ .../csi-powerstore/templates/csidriver.yaml | 2 +- .../templates/driver-config-params.yaml | 8 +- charts/csi-powerstore/templates/node.yaml | 96 +++- charts/csi-powerstore/values.yaml | 74 ++- charts/csm-application-mobility/values.yaml | 5 +- charts/csm-authorization/.gitignore | 2 + 
charts/csm-authorization/.helmignore | 24 + charts/csm-authorization/Chart.yaml | 15 + charts/csm-authorization/README.md | 19 + .../charts/redis}/.helmignore | 0 .../csm-authorization/charts/redis/Chart.yaml | 6 + .../charts/redis/templates/redis.yaml | 128 +++++ .../charts/redis/values.yaml | 0 charts/csm-authorization/policies/common.rego | 4 + .../policies/powermax-url.rego | 47 ++ .../policies/powerscale-url.rego | 42 ++ .../csm-authorization/policies/url-test.rego | 63 +++ charts/csm-authorization/policies/url.rego | 39 ++ .../policies/volumes-create-test.rego | 117 +++++ .../policies/volumes-create.rego | 74 +++ .../policies/volumes-delete.rego | 48 ++ .../policies/volumes-map.rego | 42 ++ .../policies/volumes-powermax-create.rego | 74 +++ .../policies/volumes-powerscale-create.rego | 60 +++ .../policies/volumes-unmap.rego | 42 ++ charts/csm-authorization/templates/NOTES.txt | 23 + .../csm-authorization/templates/_helpers.tpl | 9 + .../templates/certificate.yaml | 82 +++ .../templates/csm-config-params.yaml | 13 + .../csm-authorization/templates/ingress.yaml | 207 ++++++++ .../templates/karavi-storage-secret.yaml | 8 + .../csm-authorization/templates/policies.yaml | 79 +++ .../templates/proxy-server.yaml | 117 +++++ .../templates/role-service.yaml | 79 +++ .../templates/storage-service.yaml | 81 +++ .../templates/tenant-service.yaml | 51 ++ charts/csm-authorization/values.yaml | 98 ++++ charts/csm-replication/Chart.yaml | 4 +- .../crds/replicationcrds.all.yaml | 100 +++- .../csm-replication/templates/controller.yaml | 28 +- charts/csm-replication/values.yaml | 9 +- ...ravi-metrics-powermax-service-account.yaml | 5 +- .../templates/karavi-metrics-powermax.yaml | 3 +- .../karavi-observability-configmap.yaml | 3 +- charts/karavi-observability/values.yaml | 3 +- 66 files changed, 3850 insertions(+), 81 deletions(-) create mode 100644 charts/csi-powermax/Chart.yaml create mode 100644 charts/csi-powermax/charts/csireverseproxy/Chart.yaml create mode 100644 
charts/csi-powermax/charts/csireverseproxy/conf/config.yaml create mode 100644 charts/csi-powermax/charts/csireverseproxy/templates/_helpers.tpl create mode 100644 charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml create mode 100644 charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml create mode 100644 charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml create mode 100644 charts/csi-powermax/charts/csireverseproxy/templates/service.yaml create mode 100644 charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml create mode 100644 charts/csi-powermax/charts/csireverseproxy/values.yaml create mode 100644 charts/csi-powermax/templates/_helpers.tpl create mode 100644 charts/csi-powermax/templates/controller.yaml create mode 100644 charts/csi-powermax/templates/csidriver.yaml create mode 100644 charts/csi-powermax/templates/driver-config-params.yaml create mode 100644 charts/csi-powermax/templates/node.yaml create mode 100644 charts/csi-powermax/values.yaml create mode 100644 charts/csm-authorization/.gitignore create mode 100644 charts/csm-authorization/.helmignore create mode 100644 charts/csm-authorization/Chart.yaml create mode 100644 charts/csm-authorization/README.md rename charts/{container-storage-modules => csm-authorization/charts/redis}/.helmignore (100%) create mode 100644 charts/csm-authorization/charts/redis/Chart.yaml create mode 100644 charts/csm-authorization/charts/redis/templates/redis.yaml create mode 100644 charts/csm-authorization/charts/redis/values.yaml create mode 100644 charts/csm-authorization/policies/common.rego create mode 100644 charts/csm-authorization/policies/powermax-url.rego create mode 100644 charts/csm-authorization/policies/powerscale-url.rego create mode 100644 charts/csm-authorization/policies/url-test.rego create mode 100644 charts/csm-authorization/policies/url.rego create mode 100644 charts/csm-authorization/policies/volumes-create-test.rego create 
mode 100644 charts/csm-authorization/policies/volumes-create.rego create mode 100644 charts/csm-authorization/policies/volumes-delete.rego create mode 100644 charts/csm-authorization/policies/volumes-map.rego create mode 100644 charts/csm-authorization/policies/volumes-powermax-create.rego create mode 100644 charts/csm-authorization/policies/volumes-powerscale-create.rego create mode 100644 charts/csm-authorization/policies/volumes-unmap.rego create mode 100644 charts/csm-authorization/templates/NOTES.txt create mode 100644 charts/csm-authorization/templates/_helpers.tpl create mode 100644 charts/csm-authorization/templates/certificate.yaml create mode 100644 charts/csm-authorization/templates/csm-config-params.yaml create mode 100644 charts/csm-authorization/templates/ingress.yaml create mode 100644 charts/csm-authorization/templates/karavi-storage-secret.yaml create mode 100644 charts/csm-authorization/templates/policies.yaml create mode 100644 charts/csm-authorization/templates/proxy-server.yaml create mode 100644 charts/csm-authorization/templates/role-service.yaml create mode 100644 charts/csm-authorization/templates/storage-service.yaml create mode 100644 charts/csm-authorization/templates/tenant-service.yaml create mode 100644 charts/csm-authorization/values.yaml diff --git a/charts/container-storage-modules/Chart.yaml b/charts/container-storage-modules/Chart.yaml index c7babc1e..57eadf78 100644 --- a/charts/container-storage-modules/Chart.yaml +++ b/charts/container-storage-modules/Chart.yaml @@ -40,17 +40,17 @@ appVersion: "1.16.0" dependencies: - name: csi-powerstore - version: 2.5.0 + version: 2.6.0 repository: file://../csi-powerstore condition: csi-powerstore.enabled - name: csm-replication - version: 1.3.1 + version: 1.4.0 repository: file://../csm-replication condition: csm-replication.enabled - name: karavi-observability - version: 1.4.0 + version: 1.5.0 repository: file://../karavi-observability condition: karavi-observability.enabled 
@@ -63,13 +63,8 @@ dependencies: version: 0.2.0 repository: file://../csm-application-mobility condition: csm-application-mobility.enabled - -- name: csm-authorization - version: 1.5.0 - repository: file://../csm-authorization - condition: csm-authorization.enabled -#- name: csi-powermax - #version: 2.5.0 - #repository: file://../csi-powermax - #condition: csi-powermax.enabled \ No newline at end of file +- name: csi-powermax + version: 2.6.0 + repository: file://../csi-powermax + condition: csi-powermax.enabled \ No newline at end of file diff --git a/charts/container-storage-modules/values.yaml b/charts/container-storage-modules/values.yaml index 60fcbd51..f7320c4b 100644 --- a/charts/container-storage-modules/values.yaml +++ b/charts/container-storage-modules/values.yaml 
@@ -18,31 +18,85 @@ csi-powerstore: enabled: false namespace: - version: "v2.5.0" + version: "v2.6.0" images: driverRepository: dellemc ## Controller ATTRIBUTES controller: - controllerCount: 1 + controllerCount: 2 healthMonitor: enabled: false nodeSelector: replication: enabled: false - image: dellemc/dell-csi-replicator:v1.3.0 + image: dellemc/dell-csi-replicator:v1.4.0 vgsnapshot: enabled: false - image: dellemc/csi-volumegroup-snapshotter:v1.1.0 + image: dellemc/csi-volumegroup-snapshotter:v1.2.0 snapshot: - enabled: false + enabled: true resizer: - enabled: false + enabled: true ## Node ATTRIBUTES node: healthMonitor: enabled: false nodeSelector: - + # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled + # tolerations: + # - key: "offline.vxflexos.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "vxflexos.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.unity.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "unity.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.isilon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "isilon.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.powerstore.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "powerstore.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + storageCapacity: + enabled: true + # Enable this feature only after contact support for additional information + podmon: + enabled: false + image: dellemc/podmon:v1.4.0 + controller: + args: + - "--csisock=unix:/var/run/csi/csi.sock" + - "--labelvalue=csi-powerstore" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powerstore.dellemc.com" + - "--mode=controller" + - "--skipArrayConnectionValidation=false" + - 
"--driver-config-params=/powerstore-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" + node: + args: + - "--csisock=unix:/var/lib/kubelet/plugins/csi-powerstore.dellemc.com/csi_sock" + - "--labelvalue=csi-powerstore" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powerstore.dellemc.com" + - "--mode=node" + - "--leaderelection=false" + - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" + ## K8S/Replication Module ATTRIBUTES ########################################## csm-replication: @@ -60,6 +114,8 @@ karavi-observability: enabled: false karaviMetricsPowerscale: enabled: false + karaviMetricsPowermax: + enabled: false cert-manager: enabled: false @@ -67,13 +123,12 @@ karavi-observability: ########################################## csm-application-mobility: enabled: false - namespace: - + namespace: # csm-application-mobility requires velero. If velero is already installed on the cluster, specify the namespace in which velero is deployed. Default value is "velero" veleroNamespace: velero # csm-application-mobility requires velero. If velero is not already present in cluster, set enabled to true to install it too. velero: - enabled: false + enabled: true credentials: secretContents: cloud: | @@ -102,17 +157,6 @@ csm-application-mobility: #- mountPath: /target #name: plugins -## K8S/Authorization Module ATTRIBUTES -########################################## -csm-authorization: - enabled: false - namespace: - cert-manager: - enabled: false - redis: - namespace: - storageClass: - ## K8S/Cert-manager ATTRIBUTES ########################################## cert-manager: 
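Review bot: Several defaults flip from `false` to `true` in the umbrella values (`snapshot.enabled` and `resizer.enabled` in the csi-powerstore hunk that starts on L229, `velero.enabled` in the csm-application-mobility hunk here) without any mention in the commit description, which only covers adding powermax and removing authorization. The velero flip is the one that can collide with an existing install, since the comment directly above it says the subchart is meant to be skipped when velero is already present; either keep `enabled: false` there or call the new default out in the description. The bare `namespace:` keys (`csi-powerstore.namespace`, `csm-application-mobility.namespace`) render as null, which presumably works because the templates apply a `default`, but a comment such as `# namespace: leave empty to use the release namespace` would make that contract visible to whoever edits this file.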
@@ -121,7 +165,59 @@ cert-manager: ## K8S/Powermax ATTRIBUTES ########################################## -#csi-powermax: - #enabled: false - #namespace: - +csi-powermax: + enabled: false + namespace: + global: + storageArrays: + - storageArrayId: "000000000001" + endpoint: https://primary-1.unisphe.re:8443 + backupEndpoint: https://backup-1.unisphe.re:8443 + # - storageArrayId: "000000000002" + # endpoint: https://primary-2.unisphe.re:8443 + # backupEndpoint: https://backup-2.unisphe.re:8443 + managementServers: + - endpoint: https://primary-1.unisphe.re:8443 + - endpoint: https://backup-1.unisphe.re:8443 + # - endpoint: https://primary-2.unisphe.re:8443 + # - endpoint: https://backup-2.unisphe.re:8443 + version: "v2.6.0" + images: + driverRepository: "dellemc" + clusterPrefix: ABC + portGroups: PortGroup1, PortGroup2, PortGroup3 + controller: + controllerCount: 2 + snapshot: + enabled: true + resizer: + enabled: true + healthMonitor: + enabled: false + nodeSelector: + node: + healthMonitor: + enabled: false + nodeSelector: + csireverseproxy: + image: dellemc/csipowermax-reverseproxy:v2.5.0 + deployAsSidecar: true + namespace: + replication: + enabled: false + image: dellemc/dell-csi-replicator:v1.4.0 + migration: + enabled: false + image: dellemc/dell-csi-migrator:v1.1.0 + nodeRescanSidecarImage: dellemc/dell-csi-node-sidecar:v1.0.0 + authorization: + enabled: false + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.5.0 + proxyHost: + vSphere: + enabled: false + fcPortGroup: "csi-vsphere-VC-PG" + fcHostName: "csi-vsphere-VC-HN" + vCenterHost: "00.000.000.00" + vCenterUserName: "user" + vCenterPassword: "pwd" diff --git a/charts/csi-powermax/Chart.yaml b/charts/csi-powermax/Chart.yaml new file mode 100644 index 00000000..e456a382 --- /dev/null +++ b/charts/csi-powermax/Chart.yaml 
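Review bot: The `vSphere` block at the end of the csi-powermax hunk carries `vCenterUserName: "user"` and `vCenterPassword: "pwd"` as literal values, so a real password would sit in a checked-in values file and be readable from the release record via `helm get values`. How the driver templates consume these keys is not in this chunk, but a pre-created Secret referenced by name (the pattern the reverseproxy config already uses with `credentialsSecret` and `defaultCredentialsSecret`) would keep the credential out of both places. At minimum the placeholders need a comment: `# vCenterPassword: placeholder only; do not store the real credential in this file`. The `proxyHost:` and `csireverseproxy.namespace:` keys are bare and render as null, like the other `namespace:` keys in this file, and deserve the same one-line note.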
@@ -0,0 +1,27 @@
+apiVersion: v1
+name: csi-powermax
+version: 2.6.0
+appVersion: "2.6.0"
+kubeVersion: ">= 1.23.0 < 1.27.0"
+#If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead
+#WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED
+#kubeVersion: ">= 1.23.0-0 < 1.27.0-0"
+description: |
+ PowerMax CSI (Container Storage Interface) driver Kubernetes
+ integration. This chart includes everything required to provision via CSI as
+ well as a PowerMax StorageClass.
+keywords:
+- csi
+- storage
+dependencies:
+ - name: csireverseproxy
+ version: 2.5.0
+ condition: required
+home: https://github.com/dell/csi-powermax
+icon: https://avatars1.githubusercontent.com/u/20958494?s=200&v=4
+sources:
+- https://github.com/dell/csi-powermax
+maintainers:
+- name: DellEMC
+sources:
+- https://github.com/dell/csi-powermax
diff --git a/charts/csi-powermax/charts/csireverseproxy/Chart.yaml b/charts/csi-powermax/charts/csireverseproxy/Chart.yaml
new file mode 100644
index 00000000..e27e2ad8
--- /dev/null
+++ b/charts/csi-powermax/charts/csireverseproxy/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: csireverseproxy
+description: A Helm chart for CSI PowerMax ReverseProxy
+
+type: application
+
+version: 2.5.0
+
+appVersion: 2.5.0
\ No newline at end of file
diff --git a/charts/csi-powermax/charts/csireverseproxy/conf/config.yaml b/charts/csi-powermax/charts/csireverseproxy/conf/config.yaml
new file mode 100644
index 00000000..3f6419f1
--- /dev/null
+++ b/charts/csi-powermax/charts/csireverseproxy/conf/config.yaml
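Review bot: The new `charts/csi-powermax/Chart.yaml` declares `sources:` twice (once before `maintainers:` and again after it), which is a duplicate mapping key; most YAML loaders keep the last value silently and yamllint's key-duplicates check rejects it, so the second `sources:` stanza should be dropped. `condition: required` on the csireverseproxy dependency does not look like a values path; in Helm a condition that does not resolve to a boolean in the parent's values has no effect, so either remove the line or point it at a real flag if the subchart is meant to be optional. A short comment above `dependencies:` saying whether the reverse proxy is mandatory would settle the intent for the next reader.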
@@ -0,0 +1,82 @@ +mode: {{ .Values.mode }} +port: {{ .Values.port }} +logLevel: {{ .Values.global.logLevel | default "debug" }} +logFormat: {{ .Values.global.logFormat | default "TEXT" }} + {{- if eq .Values.mode "Linked" }} +linkConfig: + primary: + {{- $primary := first .Values.global.managementServers }} + url: {{ required "Must provide a primary Unisphere HTTPS endpoint." $primary.endpoint }} + {{- if $primary.certSecret }} + {{- $check := toString $primary.skipCertificateValidation }} + skipCertificateValidation: {{ ternary $primary.skipCertificateValidation true (or (eq $check "true") (eq $check "false")) }} + {{- else }} + skipCertificateValidation: true + {{- end }} + certSecret: {{ $primary.certSecret | default "" }} + {{- if $primary.limits }} + {{- $limits := $primary.limits }} + limits: + maxActiveRead: {{ $limits.maxActiveRead | default 0 }} + maxActiveWrite: {{ $limits.maxActiveWrite | default 0 }} + maxOutStandingRead: {{ $limits.maxOutStandingRead | default 0 }} + maxOutStandingWrite: {{ $limits.maxOutStandingWrite | default 0 }} + {{- end }} + {{- if first (rest .Values.global.managementServers) }} + {{- $backup := first (rest .Values.global.managementServers) }} + backup: + url: {{ required "Must provide a primary Unisphere HTTPS endpoint." 
$backup.endpoint }} + {{- if $backup.certSecret }} + {{- $check := toString $backup.skipCertificateValidation }} + skipCertificateValidation: {{ ternary $backup.skipCertificateValidation true (or (eq $check "true") (eq $check "false")) }} + {{- else }} + skipCertificateValidation: true + {{- end }} + certSecret: {{ $backup.certSecret | default "" }} + {{- if $backup.limits }} + {{- $limits := $backup.limits }} + limits: + maxActiveRead: {{ $limits.maxActiveRead | default 0 }} + maxActiveWrite: {{ $limits.maxActiveWrite | default 0 }} + maxOutStandingRead: {{ $limits.maxOutStandingRead | default 0 }} + maxOutStandingWrite: {{ $limits.maxOutStandingWrite | default 0 }} + {{- end }} + {{- end }} + {{- end }} +{{- if eq .Values.mode "StandAlone" }} +standAloneConfig: + {{- $defaultProxyCreds := .Values.global.defaultCredentialsSecret }} + storageArrays: + {{- $_ := first .Values.global.storageArrays }} + {{- range $index, $value := .Values.global.storageArrays }} + - storageArrayId: {{ required "Must provide a storage array id." $value.storageArrayId | toJson }} + primaryURL: {{ required "Must provide a primary Unisphere HTTPS endpoint." $value.endpoint }} + backupURL: {{ $value.backupEndpoint | default "" }} + proxyCredentialSecrets: + - {{ required "Must provide secret for proxy credentials" $defaultProxyCreds }} + {{- end }} + managementServers: + {{- $_ := first .Values.global.managementServers }} + {{- range $index, $value := .Values.global.managementServers }} + - url: {{required "Must provide a Unisphere HTTPS endpoint." 
$value.endpoint }} + {{- if empty $value.credentialsSecret }} + arrayCredentialSecret: {{ required "Must provide an array credential secret" $defaultProxyCreds }} + {{- else }} + arrayCredentialSecret: {{ required "Must provide an array credential secret" $value.credentialsSecret }} + {{- end }} + {{- if $value.certSecret }} + {{- $check := toString $value.skipCertificateValidation }} + skipCertificateValidation: {{ ternary $value.skipCertificateValidation true (or (eq $check "true") (eq $check "false")) }} + {{- else }} + skipCertificateValidation: true + {{- end }} + certSecret: {{ $value.certSecret | default "" }} + {{- if $value.limits }} + limits: + maxActiveRead: {{ $value.limits.maxActiveRead | default 0 }} + maxActiveWrite: {{ $value.limits.maxActiveWrite | default 0 }} + maxOutStandingRead: {{ $value.limits.maxOutStandingRead | default 0 }} + maxOutStandingWrite: {{ $value.limits.maxOutStandingWrite | default 0 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/_helpers.tpl b/charts/csi-powermax/charts/csireverseproxy/templates/_helpers.tpl new file mode 100644 index 00000000..000bd372 --- /dev/null +++ b/charts/csi-powermax/charts/csireverseproxy/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml new file mode 100644 index 00000000..f33e26e2 --- /dev/null +++ b/charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml 
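Review bot: In the reverseproxy `conf/config.yaml` template (which starts on L233), `skipCertificateValidation` renders as `true` whenever a management server has no `certSecret`, and the `ternary` also falls back to `true` when the value is anything other than the strings "true" or "false", so TLS verification of the Unisphere endpoint is off by default for the primary, the backup and every StandAlone `managementServers` entry. That deserves a header comment such as `# NOTE: an entry without certSecret is rendered with skipCertificateValidation: true; supply certSecret to verify the Unisphere certificate`, and ideally the fallback should be `false` so that skipping verification is an explicit opt-in. Separately, the backup block reuses the primary's error text; it should read `url: {{ required "Must provide a backup Unisphere HTTPS endpoint." $backup.endpoint }}`.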
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-reverseproxy-config + namespace: {{ include "custom.namespace" . }} +data: +{{ tpl (.Files.Glob "conf/config.yaml").AsConfig . | indent 2 }} diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml new file mode 100644 index 00000000..3de519e6 --- /dev/null +++ b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml @@ -0,0 +1,25 @@ +{{- if ne .Values.deployAsSidecar true }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-reverseproxy + namespace: {{ include "custom.namespace" . }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "watch", "get"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-reverseproxy + namespace: {{ include "custom.namespace" . }} +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-reverseproxy + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: Role + name: {{ .Release.Name }}-reverseproxy + apiGroup: rbac.authorization.k8s.io +{{- end }} \ No newline at end of file diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml new file mode 100644 index 00000000..2c39b851 --- /dev/null +++ b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml 
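Review bot: The reverseproxy Role in `reverseproxy-rbac.yaml` grants `list`, `watch` and `get` on every Secret in the namespace with no comment on why the broad grant is needed. The config template on L233–L235 shows the proxy resolves `arrayCredentialSecret`, `proxyCredentialSecrets` and `certSecret` by name from values, and `watch` cannot be narrowed with `resourceNames`, so the grant is understandable but should say so: `# the proxy reads array credential and cert Secrets by name at runtime; watch cannot be scoped by resourceNames, so this covers all Secrets in the namespace`. Because any principal holding this ServiceAccount's token can then read unrelated Secrets, the comment should also point users at the subchart's `namespace` value so the proxy can live in a namespace of its own.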
@@ -0,0 +1,50 @@ +{{- if ne .Values.deployAsSidecar true }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }}-reverseproxy + namespace: {{ include "custom.namespace" . }} +spec: + replicas: 1 + selector: + matchLabels: + name: {{ .Release.Name }}-reverseproxy + template: + metadata: + labels: + name: {{ .Release.Name }}-reverseproxy + spec: + serviceAccountName: {{ .Release.Name }}-reverseproxy + containers: + - name: csireverseproxy + image: {{ required "Must provided an image for reverseproxy container." .Values.image }} + imagePullPolicy: Always + env: + - name: X_CSI_REVPROXY_CONFIG_DIR + value: /etc/config/configmap + - name: X_CSI_REVPROXY_CONFIG_FILE_NAME + value: config.yaml + - name: X_CSI_REVRPOXY_IN_CLUSTER + value: "true" + - name: X_CSI_REVPROXY_TLS_CERT_DIR + value: /app/tls + - name: X_CSI_REVPROXY_WATCH_NAMESPACE + value: {{ include "custom.namespace" . }} + volumeMounts: + - name: configmap-volume + mountPath: /etc/config/configmap + - name: tls-secret + mountPath: /app/tls + - name: cert-dir + mountPath: /app/certs + volumes: + - name: configmap-volume + configMap: + name: {{ .Release.Name }}-reverseproxy-config + optional: true + - name: tls-secret + secret: + secretName: {{ .Values.tlsSecret }} + - name: cert-dir + emptyDir: +{{- end }} \ No newline at end of file diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/service.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/service.yaml new file mode 100644 index 00000000..503ca314 --- /dev/null +++ b/charts/csi-powermax/charts/csireverseproxy/templates/service.yaml 
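Review bot: The `cert-dir` volume at the end of the reverseproxy Deployment is a bare `emptyDir:` immediately followed by `{{- end }}`, so it renders as `emptyDir: null`, which the API server treats as a volume with no source; it should be `emptyDir: {}`. The env var `X_CSI_REVRPOXY_IN_CLUSTER` looks misspelled next to the other `X_CSI_REVPROXY_*` names — if the proxy binary reads the correctly spelled name this setting is silently ignored, so confirm which spelling the binary expects before changing it. The pod sets no `securityContext` or `resources`, and mounts `tlsSecret` without `optional`, so the Secret named in the subchart values (`csirevproxy-tls-secret` on L238) must exist before install; a comment on that volume pointing to the installation step that creates it would save the first failed rollout.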
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-reverseproxy
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ ports:
+ - port: {{ .Values.port }}
+ protocol: TCP
+ targetPort: 2222
+ selector:
+ {{- if eq .Values.deployAsSidecar true}}
+ name: {{ .Release.Name }}-controller
+ {{- else }}
+ name: {{ .Release.Name }}-reverseproxy
+ {{- end }}
+ type: ClusterIP
diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml
new file mode 100644
index 00000000..ddc5e865
--- /dev/null
+++ b/charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+{{- if ne .Values.deployAsSidecar true }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-reverseproxy
+ namespace: {{ include "custom.namespace" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/csi-powermax/charts/csireverseproxy/values.yaml b/charts/csi-powermax/charts/csireverseproxy/values.yaml
new file mode 100644
index 00000000..f017be39
--- /dev/null
+++ b/charts/csi-powermax/charts/csireverseproxy/values.yaml
@@ -0,0 +1,7 @@
+image: dellemc/csipowermax-reverseproxy:v2.5.0
+port: 2222
+
+# TLS secret which is used for setting up the proxy HTTPS server
+# Don't change this value unless really necessary
+# If this value is modified, then the installation script will have to be modified
+tlsSecret: "csirevproxy-tls-secret"
diff --git a/charts/csi-powermax/templates/_helpers.tpl b/charts/csi-powermax/templates/_helpers.tpl
new file mode 100644
index 00000000..c7cd1ba5
--- /dev/null
+++ b/charts/csi-powermax/templates/_helpers.tpl
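Review bot: `targetPort: 2222` is hard-coded in service.yaml while `port` is taken from `.Values.port`, and the parent chart's controller.yaml hands `.Values.csireverseproxy.port` to the driver as the sidecar proxy port; if `port` is meant to be the proxy's listening port, changing it in values would leave the Service pointing at a container port nothing listens on. If both refer to the same listener, write `targetPort: {{ .Values.port }}`; if `port` is only the Service-side port, a comment on `port: 2222` in the subchart values.yaml should say how it relates to the container port so that the two are not edited independently.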
@@ -0,0 +1,60 @@ +{{/* +Return the appropriate sidecar images based on k8s version +*/}} +{{- define "csi-powermax.attacherImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.2.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powermax.provisionerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.4.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powermax.snapshotterImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.2.1" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powermax.resizerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.7.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powermax.registrarImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.3" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-powermax.healthmonitorImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" 
.Capabilities.KubeVersion.Minor) "26") -}} + {{- print "gcr.io/k8s-staging-sig-storage/csi-external-health-monitor-controller:v0.8.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used +*/}} + +{{- define "custom.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/csi-powermax/templates/controller.yaml b/charts/csi-powermax/templates/controller.yaml new file mode 100644 index 00000000..f6678b85 --- /dev/null +++ b/charts/csi-powermax/templates/controller.yaml 
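Review bot: The six sidecar-image helpers in _helpers.tpl render an empty string for any Kubernetes minor outside 23–26, so the error a user sees comes from controller.yaml's `required "Must provide the CSI attacher container image."`, which points at a missing value rather than the real cause; an explicit branch such as `{{- else }}{{- fail (printf "Unsupported Kubernetes version %s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor) }}{{- end }}`, or at least a comment above the block stating that an empty result means an unsupported cluster version, would make this diagnosable. The `ge`/`le` checks on `.Capabilities.KubeVersion.Minor` are string comparisons; they hold for the two-digit range written here but do not order numerically in general, which deserves a comment so the next version bump does not trip on it. The helpers are identical apart from the image string, so one helper taking the image as a parameter would remove the repetition. `k8s.gcr.io` is being superseded by `registry.k8s.io`; new charts may want to pull from the new registry.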
@@ -0,0 +1,484 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.Release.Name}}-controller + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + {{- if eq .Values.customDriverName.enabled true}} + name: {{printf "%s-%s-controller" ( include "custom.namespace" . ) .Values.customDriverName.value}} + {{- else }} + name: {{ .Release.Name }}-controller + {{- end }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "update", "patch" ] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch" ] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +# below for snapshotter + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list", "watch", "update", "create", "delete", "patch"] + - apiGroups: 
["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots", "volumesnapshots/status"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] +# below for dell-csi-replicator + {{- if eq .Values.replication.enabled true}} + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups/status"] + verbs: ["get", "patch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + {{- end}} + # below for dell-csi-migrator + {{- if eq .Values.migration.enabled true}} + - apiGroups: [ "replication.storage.dell.com" ] + resources: [ "dellcsimigrationgroups" ] + verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ] + - apiGroups: [ "replication.storage.dell.com" ] + resources: [ "dellcsimigrationgroups/status" ] + verbs: [ "get", "patch", "update" ] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + {{- end}} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + {{- if eq .Values.customDriverName.enabled true}} + name: {{ printf "%s-%s-controller" ( include "custom.namespace" . ) .Values.customDriverName.value }} + {{- else }} + name: {{ .Release.Name }}-controller + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-controller + namespace: {{ include "custom.namespace" . 
}} +roleRef: + kind: ClusterRole + {{- if eq .Values.customDriverName.enabled true}} + name: {{ printf "%s-%s-controller" ( include "custom.namespace" . ) .Values.customDriverName.value }} + {{- else }} + name: {{ .Release.Name }}-controller + {{- end }} + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ include "custom.namespace" . }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: + replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }} + selector: + matchLabels: + name: {{ .Release.Name }}-controller + template: + metadata: + labels: + name: {{ .Release.Name }}-controller + spec: + {{ if .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml .Values.controller.nodeSelector | nindent 8 }} + {{ end }} + {{ if .Values.controller.tolerations }} + tolerations: + {{- toYaml .Values.controller.tolerations | nindent 6 }} + {{ end }} + serviceAccountName: {{ .Release.Name }}-controller + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - {{ .Release.Name }}-controller + topologyKey: kubernetes.io/hostname + containers: + - name: attacher + image: {{ required "Must provide the CSI attacher container image." ( include "csi-powermax.attacherImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--timeout=180s" + - "--worker-threads=6" + - "--leader-election" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: provisioner + image: {{ required "Must provide the CSI provisioner container image." 
( include "csi-powermax.provisionerImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--volume-name-prefix={{ required "Must provide a Volume Name Prefix." .Values.controller.volumeNamePrefix }}" + - "--volume-name-uuid-length=10" + - "--timeout=180s" + - "--worker-threads=6" + - "--v=5" + - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}" + - "--leader-election" + - "--extra-create-metadata" + - "--feature-gates=Topology=true" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if hasKey .Values.controller "snapshot" }} + {{- if eq .Values.controller.snapshot.enabled true }} + - name: snapshotter + image: {{ required "Must provide the CSI snapshotter container image." ( include "csi-powermax.snapshotterImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--snapshot-name-prefix={{ required "Must provide a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}" + - "--snapshot-name-uuid-length=10" + - "--timeout=180s" + - "--leader-election" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} + {{- end }} + {{- if eq .Values.replication.enabled true}} + - name: dell-csi-replicator + image: {{ required "Must provide the Dell CSI Replicator Resizer image." 
.Values.replication.image}} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--worker-threads=2" + - "--retry-interval-start=1s" + - "--retry-interval-max=300s" + - "--timeout=300s" + - "--context-prefix={{ .Values.replication.replicationContextPrefix}}" + - "--prefix={{ .Values.replication.replicationPrefix}}" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + - name: X_CSI_REPLICATION_CONFIG_DIR + value: /powermax-config-params + - name: X_CSI_REPLICATION_CONFIG_FILE_NAME + value: driver-config-params.yaml + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: powermax-config-params + mountPath: /powermax-config-params + {{- end }} + {{- if eq .Values.migration.enabled true}} + - name: dell-csi-migrator + image: {{ required "Must provide the Dell CSI Migrator Resizer image." .Values.migration.image}} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--worker-threads=2" + - "--retry-interval-start=1s" + - "--retry-interval-max=300s" + - "--timeout=300s" + - "--prefix={{ .Values.migration.migrationPrefix}}" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + - name: X_CSI_REPLICATION_CONFIG_DIR + value: /powermax-config-params + - name: X_CSI_REPLICATION_CONFIG_FILE_NAME + value: driver-config-params.yaml + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: powermax-config-params + mountPath: /powermax-config-params + {{- end }} + {{- if hasKey .Values.controller "resizer" }} + {{- if eq .Values.controller.resizer.enabled true }} + - name: resizer + image: {{ required "Must provide the CSI resizer container image." ( include "csi-powermax.resizerImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--timeout=180s" + - "--v=5" + - "--leader-election" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} + {{- end }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-proxy + imagePullPolicy: {{ .Values.imagePullPolicy }} + image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} + env: + - name: PROXY_HOST + value: "{{ .Values.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powermax + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: powermax-config-params + mountPath: /etc/karavi-authorization + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true }} + - name: csi-external-health-monitor-controller + imagePullPolicy: {{ .Values.imagePullPolicy }} + image: {{ required "Must provide the CSI external health monitor controller image." ( include "csi-powermax.healthmonitorImage" . 
) }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election" + - "--http-endpoint=:8080" + - "--enable-node-watcher=true" + - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}" + - "--timeout=180s" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} + {{- end }} + - name: driver + image: {{ required "Must provide the PowerMax driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-powermax.sh" ] + args: + - "--leader-election" + env: + {{- $_ := first .Values.global.storageArrays }} + {{- $arraysStr := "" }} + {{- range $i, $array := .Values.global.storageArrays }} + {{- $arraysStr = trim (cat $arraysStr $array.storageArrayId) }} + {{- end }} + - name: X_CSI_POWERMAX_DRIVER_NAME + {{- if eq .Values.customDriverName.enabled true}} + value: {{ required "Must provide a driver name" (printf "%s.%s.dellemc.com" ( include "custom.namespace" . 
) .Values.customDriverName.value) }} + {{- else }} + value: csi-powermax.dellemc.com + {{- end }} + - name: CSI_ENDPOINT + value: /var/run/csi/csi.sock + - name: X_CSI_MODE + value: controller + - name: X_CSI_MANAGED_ARRAYS + value: {{ $arraysStr | replace " " "," | quote }} + - name: X_CSI_POWERMAX_USER + valueFrom: + secretKeyRef: + name: {{ .Values.global.defaultCredentialsSecret }} + key: username + - name: X_CSI_POWERMAX_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.global.defaultCredentialsSecret }} + key: password + - name: X_CSI_POWERMAX_CONFIG_PATH + value: /powermax-config-params/driver-config-params.yaml + - name: X_CSI_POWERMAX_DEBUG + value: {{ .Values.powerMaxDebug | default "false" | lower | quote }} + - name: X_CSI_POWERMAX_SKIP_CERTIFICATE_VALIDATION + value: {{ .Values.skipCertificateValidation | default "true" | lower | quote }} + {{- if eq .Values.csireverseproxy.deployAsSidecar true }} + - name: X_CSI_POWERMAX_SIDECAR_PROXY_PORT + value: {{ .Values.csireverseproxy.port | quote }} + {{- else }} + - name: X_CSI_POWERMAX_PROXY_SERVICE_NAME + value: {{ .Release.Name }}-reverseproxy + {{- end }} + - name: X_CSI_POWERMAX_PORTGROUPS + value: {{ .Values.portGroups | toJson }} + - name: X_CSI_K8S_CLUSTER_PREFIX + value: {{ required "Must provide a Cluster Prefix." 
.Values.clusterPrefix }} + - name: X_CSI_GRPC_MAX_THREADS + value: "50" + - name: X_CSI_TRANSPORT_PROTOCOL + value: {{ .Values.transportProtocol | default "" }} + - name: SSL_CERT_DIR + value: /certs + - name: X_CSI_IG_NODENAME_TEMPLATE + value: {{ .Values.nodeNameTemplate | default "" }} + - name: X_CSI_IG_MODIFY_HOSTNAME + value: {{ .Values.modifyHostName | default "false" | lower | quote }} + - name: X_CSI_REPLICATION_CONTEXT_PREFIX + value: {{ .Values.replication.replicationContextPrefix | default "powermax"}} + - name: X_CSI_REPLICATION_PREFIX + value: {{ .Values.replication.replicationPrefix | default "replication.storage.dell.com"}} + - name: X_CSI_MIGRATION_PREFIX + value: {{ .Values.migration.migrationPrefix | default "migration.storage.dell.com"}} + - name: X_CSI_UNISPHERE_TIMEOUT + value: {{.Values.unisphereTimeout | default "5m"}} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true }} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.controller.healthMonitor.enabled }}" + {{- end }} + {{- end }} + - name: X_CSI_VSPHERE_ENABLED + value: "{{ .Values.vSphere.enabled }}" + {{- if eq .Values.vSphere.enabled true }} + - name: X_CSI_VSPHERE_PORTGROUP + value: {{ required "Must provide portgroup for vsphere" .Values.vSphere.fcPortGroup }} + - name: X_CSI_VSPHERE_HOSTNAME + value: {{ required "Must provide host group for vsphere" .Values.vSphere.fcHostName }} + - name: X_CSI_VCENTER_HOST + value: {{ required "Must provide host url for vsphere" .Values.vSphere.vCenterHost }} + - name: X_CSI_VCENTER_USERNAME + value: {{ required "Must provide username for vsphere" .Values.vSphere.vCenterUserName }} + - name: X_CSI_VCENTER_PWD + value: {{ required "Must provide password for vsphere" .Values.vSphere.vCenterPassword }} + {{- end }} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: certs + mountPath: /certs + readOnly: true + - name: powermax-config-params + mountPath: 
/powermax-config-params + {{- if eq .Values.csireverseproxy.deployAsSidecar true }} + - name: reverseproxy + image: {{ required "Must provided an image for reverseproxy container." .Values.csireverseproxy.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: X_CSI_REVPROXY_CONFIG_DIR + value: /etc/config/configmap + - name: X_CSI_REVPROXY_CONFIG_FILE_NAME + value: config.yaml + - name: X_CSI_REVRPOXY_IN_CLUSTER + value: "true" + - name: X_CSI_REVPROXY_TLS_CERT_DIR + value: /app/tls + - name: X_CSI_REVPROXY_WATCH_NAMESPACE + value: {{ include "custom.namespace" . }} + - name: X_CSI_REVPROXY_IS_LEADER_ENABLED + value: "true" + volumeMounts: + - name: configmap-volume + mountPath: /etc/config/configmap + - name: tls-secret + mountPath: /app/tls + - name: cert-dir + mountPath: /app/certs + {{- end }} + volumes: + - name: socket-dir + emptyDir: + - name: certs + secret: + secretName: {{ .Release.Name }}-certs + optional: true + - name: configmap-volume + configMap: + name: {{ .Release.Name }}-reverseproxy-config + optional: true + - name: tls-secret + secret: + secretName: {{ .Values.csireverseproxy.tlsSecret }} + - name: cert-dir + emptyDir: + - name: powermax-config-params + configMap: + name: {{ .Release.Name }}-config-params + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-config + secret: + secretName: karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate + {{ end }} + {{ end }} \ No newline at end of file diff --git a/charts/csi-powermax/templates/csidriver.yaml b/charts/csi-powermax/templates/csidriver.yaml new file mode 100644 index 00000000..f7c10425 --- /dev/null +++ b/charts/csi-powermax/templates/csidriver.yaml 
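Review bot: `value: {{ .Values.skipCertificateValidation | default "true" | lower | quote }}` on X_CSI_POWERMAX_SKIP_CERTIFICATE_VALIDATION cannot render "false": Sprig's `default` treats a boolean `false` as empty and substitutes "true", so a user who sets `skipCertificateValidation: false` still gets Unisphere certificate checking disabled. Distinguish unset from false, e.g. `value: {{ hasKey .Values "skipCertificateValidation" | ternary .Values.skipCertificateValidation true | toString | lower | quote }}`; the same line appears in node.yaml later in this patch. Separately, X_CSI_VCENTER_PWD is injected as a plain `value:` from `.Values.vSphere.vCenterPassword`, so the vCenter password ends up in the rendered Deployment, the Helm release Secret and `kubectl get deploy -o yaml`, whereas X_CSI_POWERMAX_PASSWORD a few lines above is read via `secretKeyRef`; the vCenter credentials should come from a Secret the same way (node.yaml has the same stanza). The Secret value name below is a placeholder for a value this patch does not yet define.
```yaml
          {{- if eq .Values.vSphere.enabled true }}
          # … unchanged: X_CSI_VSPHERE_PORTGROUP, X_CSI_VSPHERE_HOSTNAME, X_CSI_VCENTER_HOST …
          - name: X_CSI_VCENTER_USERNAME
            valueFrom:
              secretKeyRef:
                name: {{ required "Must provide the vSphere credentials Secret name" .Values.vSphere.vCenterCredentialsSecret }}  # placeholder: new value, not defined in this patch
                key: username
          - name: X_CSI_VCENTER_PWD
            valueFrom:
              secretKeyRef:
                name: {{ required "Must provide the vSphere credentials Secret name" .Values.vSphere.vCenterCredentialsSecret }}  # placeholder: new value, not defined in this patch
                key: password
          {{- end }}
```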
@@ -0,0 +1,11 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ {{- if eq .Values.customDriverName.enabled true}}
+ name: {{ printf "%s-%s" ( include "custom.namespace" . ) .Values.customDriverName.value }}
+ {{- else }}
+ name: csi-powermax
+ {{- end }}
+spec:
+ attachRequired: true
+ fsGroupPolicy: {{ .Values.fsGroupPolicy }}
diff --git a/charts/csi-powermax/templates/driver-config-params.yaml b/charts/csi-powermax/templates/driver-config-params.yaml
new file mode 100644
index 00000000..d543d707
--- /dev/null
+++ b/charts/csi-powermax/templates/driver-config-params.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-config-params
+ namespace: {{ include "custom.namespace" . }}
+data:
+ driver-config-params.yaml: |
+ CSI_LOG_LEVEL: {{ .Values.global.logLevel | default "debug" }}
+ CSI_LOG_FORMAT: {{ .Values.global.logFormat | default "TEXT" }}
diff --git a/charts/csi-powermax/templates/node.yaml b/charts/csi-powermax/templates/node.yaml
new file mode 100644
index 00000000..b288436a
--- /dev/null
+++ b/charts/csi-powermax/templates/node.yaml
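Review bot: `fsGroupPolicy: {{ .Values.fsGroupPolicy }}` in csidriver.yaml renders an empty value when the key is unset, and unlike the other driver settings in this patch it is neither guarded with `required` nor given a `default`, so the API server applies its own default silently and the rendered manifest does not show what was chosen. Use `fsGroupPolicy: {{ .Values.fsGroupPolicy | default "ReadWriteOnceWithFSType" }}` or `fsGroupPolicy: {{ required "Must provide fsGroupPolicy." .Values.fsGroupPolicy }}`, in line with the values.yaml comment that documents the allowed values. In driver-config-params.yaml the fallback `default "debug"` makes the most verbose log level the out-of-the-box setting; a comment on that line noting that debug output is meant for troubleshooting and should be reviewed before it is left on in production would help operators.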
@@ -0,0 +1,392 @@ +{{- if or (eq .Values.migration.enabled true) (eq .Values.openshift true) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-node + namespace: {{ include "custom.namespace" . }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + {{- if eq .Values.customDriverName.enabled true}} + name: {{ printf "%s-%s-node" ( include "custom.namespace" . ) .Values.customDriverName.value }} + {{- else }} + name: {{ .Release.Name }}-node + {{- end }} +rules: + {{- if eq .Values.openshift true }} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] + {{- end }} + #below for node rescan sidecar + {{- if eq .Values.migration.enabled true}} + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsimigrationgroups"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsimigrationgroups/status"] + verbs: ["get", "patch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "list", "watch", "create", "update", "patch" ] + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ "get", "list", "watch", "update", "patch" ] + {{- end}} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + {{- if eq .Values.customDriverName.enabled true}} + name: {{ printf "%s-%s-node" ( include "custom.namespace" . ) .Values.customDriverName.value }} + {{- else }} + name: {{ .Release.Name }}-node + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-node + namespace: {{ include "custom.namespace" . }} +roleRef: + kind: ClusterRole + {{- if eq .Values.customDriverName.enabled true}} + name: {{ printf "%s-%s-node" ( include "custom.namespace" . 
) .Values.customDriverName.value }} + {{- else }} + name: {{ .Release.Name }}-node + {{- end }} + apiGroup: rbac.authorization.k8s.io +--- +{{ end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-node + namespace: {{ include "custom.namespace" . }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: + selector: + matchLabels: + app: {{ .Release.Name }}-node + template: + metadata: + labels: + app: {{ .Release.Name }}-node + spec: + {{- if or (eq .Values.migration.enabled true) (eq .Values.openshift true) }} + serviceAccountName: {{ .Release.Name }}-node + {{ end }} + {{ if .Values.node.nodeSelector }} + nodeSelector: + {{- toYaml .Values.node.nodeSelector | nindent 8 }} + {{ end }} + {{ if .Values.node.tolerations }} + tolerations: + {{- toYaml .Values.node.tolerations | nindent 6 }} + {{ end }} + hostIPC: true + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + {{- $_ := first .Values.global.storageArrays }} + {{- $arraysStr := "" }} + {{- range $i, $array := .Values.global.storageArrays }} + {{- $arraysStr = trim (cat $arraysStr $array.storageArrayId) }} + {{- end }} + - name: driver + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: {{ required "Must provide the PowerMax driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-powermax.sh" ] + env: + - name: X_CSI_POWERMAX_DRIVER_NAME + {{- if eq .Values.customDriverName.enabled true }} + value: {{ required "Must provide a driver name" (printf "%s.%s.dellemc.com" ( include "custom.namespace" . 
) .Values.customDriverName.value) }} + {{- else }} + value: csi-powermax.dellemc.com + {{- end }} + - name: CSI_ENDPOINT + value: unix://{{ .Values.kubeletConfigDir }}/plugins/powermax.emc.dell.com/csi_sock + - name: X_CSI_MODE + value: node + - name: X_CSI_PRIVATE_MOUNT_DIR + value: "{{ .Values.kubeletConfigDir }}/plugins/powermax.emc.dell.com/disks" + - name: X_CSI_MANAGED_ARRAYS + value: {{ $arraysStr | replace " " "," | quote }} + {{- $managementServer := first .Values.global.managementServers }} + - name: X_CSI_POWERMAX_ENDPOINT + value: {{ required "Must provide a Unisphere HTTPS endpoint." $managementServer.endpoint }} + - name: X_CSI_POWERMAX_DEBUG + value: {{ .Values.powerMaxDebug | default "false" | lower | quote }} + - name: X_CSI_POWERMAX_SKIP_CERTIFICATE_VALIDATION + value: {{ .Values.skipCertificateValidation | default "true" | lower | quote }} + - name: X_CSI_K8S_CLUSTER_PREFIX + value: {{ required "Must provide a Cluster Prefix." .Values.clusterPrefix }} + - name: X_CSI_POWERMAX_USER + valueFrom: + secretKeyRef: + name: {{ .Values.global.defaultCredentialsSecret }} + key: username + - name: X_CSI_POWERMAX_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.global.defaultCredentialsSecret }} + key: password + - name: X_CSI_POWERMAX_NODENAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + {{- if eq .Values.enableCHAP true }} + - name: X_CSI_POWERMAX_ISCSI_ENABLE_CHAP + value: "true" + - name: X_CSI_POWERMAX_ISCSI_CHAP_USERNAME + value: "" + - name: X_CSI_POWERMAX_ISCSI_CHAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-creds + key: chapsecret + {{- else }} + - name: X_CSI_POWERMAX_ISCSI_ENABLE_CHAP + value: "false" + {{- end }} + - name: X_CSI_POWERMAX_PROXY_SERVICE_NAME + value: {{ .Release.Name }}-reverseproxy + - name: X_CSI_ISCSI_CHROOT + value: {{ .Values.ISCSIChroot | default "/noderoot" }} + - name: X_CSI_GRPC_MAX_THREADS + value: "50" + - name: X_CSI_TRANSPORT_PROTOCOL + value: {{ 
.Values.transportProtocol | default "" }} + - name: SSL_CERT_DIR + value: /certs + - name: X_CSI_POWERMAX_CONFIG_PATH + value: /powermax-config-params/driver-config-params.yaml + - name: X_CSI_POWERMAX_TOPOLOGY_CONFIG_PATH + value: /node-topology-config/topologyConfig.yaml + - name: X_CSI_IG_NODENAME_TEMPLATE + value: {{ .Values.nodeNameTemplate | default "" }} + - name: X_CSI_IG_MODIFY_HOSTNAME + value: {{ .Values.modifyHostName | default "false" | lower | quote }} + - name: X_CSI_POWERMAX_PORTGROUPS + value: {{ .Values.portGroups | toJson }} + {{- if hasKey .Values.node "healthMonitor" }} + {{- if eq .Values.node.healthMonitor.enabled true }} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.node.healthMonitor.enabled }}" + {{- end }} + {{- end }} + {{- if hasKey .Values.node "topologyControl" }} + {{- if eq .Values.node.topologyControl.enabled true }} + - name: X_CSI_TOPOLOGY_CONTROL_ENABLED + value: "{{ .Values.node.topologyControl.enabled }}" + {{- end }} + {{- end }} + - name: X_CSI_VSPHERE_ENABLED + value: "{{ .Values.vSphere.enabled }}" + {{- if eq .Values.vSphere.enabled true }} + - name: X_CSI_VSPHERE_PORTGROUP + value: {{ required "Must provide portgroup for vsphere" .Values.vSphere.fcPortGroup }} + - name: X_CSI_VSPHERE_HOSTNAME + value: {{ required "Must provide host group for vsphere" .Values.vSphere.fcHostName }} + - name: X_CSI_VCENTER_HOST + value: {{ required "Must provide hosr url for vsphere" .Values.vSphere.vCenterHost }} + - name: X_CSI_VCENTER_USERNAME + value: {{ required "Must provide username for vsphere" .Values.vSphere.vCenterUserName }} + - name: X_CSI_VCENTER_PWD + value: {{ required "Must provide password for vsphere" .Values.vSphere.vCenterPassword }} + {{- end }} + volumeMounts: + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/powermax.emc.dell.com + - name: volumedevices-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + mountPropagation: "Bidirectional" + - 
name: pods-path + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: dev + mountPath: /dev + - name: sys + mountPath: /sys + - name: noderoot + mountPath: {{ .Values.ISCSIChroot | default "/noderoot" }} + - name: certs + mountPath: /certs + readOnly: true + - name: dbus-socket + mountPath: /run/dbus/system_bus_socket + - name: powermax-config-params + mountPath: /powermax-config-params + {{- if hasKey .Values.node "topologyControl" }} + {{- if eq .Values.node.topologyControl.enabled true }} + - name: node-topology-config + mountPath: /node-topology-config + {{- end }} + {{- end }} + - name: registrar + image: {{ required "Must provide the CSI node registrar container image." ( include "csi-powermax.registrarImage" . ) }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + #- --mode=node-register + #- --driver-requires-attachment=true + #- --pod-info-mount-version=v1 + - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/powermax.emc.dell.com/csi_sock + env: + - name: ADDRESS + value: /csi/csi_sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: registration-dir + mountPath: /registration + - name: driver-path + mountPath: /csi + {{- if hasKey .Values "migration" }} + {{- if eq .Values.migration.enabled true }} + - name: csi-node-rescanner + securityContext: + privileged: true + capabilities: + add: [ "SYS_ADMIN" ] + allowPrivilegeEscalation: true + imagePullPolicy: {{ .Values.imagePullPolicy }} + image: {{ required "Must provide the node rescanner sidecar container image." 
.Values.migration.nodeRescanSidecarImage }} + args: + - "--csi-address=$(ADDRESS)" + - "--retry-interval-start=1s" + - "--retry-interval-max=300s" + - "--timeout=300s" + - "--prefix={{ .Values.migration.migrationPrefix}}" + env: + - name: ADDRESS + value: /csi/csi_sock + - name: X_CSI_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: registration-dir + mountPath: /registration + - name: driver-path + mountPath: /csi + - name: dev + mountPath: /dev + - name: sys + mountPath: /sys + - name: noderoot + mountPath: {{ .Values.ISCSIChroot | default "/noderoot" }} + - name: volumedevices-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + mountPropagation: "Bidirectional" + - name: pods-path + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + {{ end }} + {{ end }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-proxy + imagePullPolicy: {{ .Values.imagePullPolicy }} + image: {{ required "Must provide the authorization sidecar container image." 
.Values.authorization.sidecarProxyImage }} + env: + - name: PROXY_HOST + value: "{{ .Values.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powermax + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: powermax-config-params + mountPath: /etc/karavi-authorization + {{ end }} + {{ end }} + volumes: + - name: registration-dir + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins_registry/ + type: DirectoryOrCreate + - name: driver-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/powermax.emc.dell.com + type: DirectoryOrCreate + - name: volumedevices-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + type: DirectoryOrCreate + - name: pods-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/pods + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: sys + hostPath: + path: /sys + type: Directory + - name: noderoot + hostPath: + path: / + type: Directory + - name: dbus-socket + hostPath: + path: /run/dbus/system_bus_socket + type: Socket + - name: powermax-config-params + configMap: + name: {{ .Release.Name }}-config-params + {{- if hasKey .Values.node "topologyControl" }} + {{- if eq .Values.node.topologyControl.enabled true }} + - name: node-topology-config + configMap: + name: node-topology-config + {{- end }} + {{- end }} + - name: certs + secret: + secretName: {{ .Release.Name }}-certs + optional: true + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: 
karavi-authorization-config + secret: + secretName: karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate + {{ end }} + {{ end }} \ No newline at end of file diff --git a/charts/csi-powermax/values.yaml b/charts/csi-powermax/values.yaml new file mode 100644 index 00000000..4eb8fc43 --- /dev/null +++ b/charts/csi-powermax/values.yaml 
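Review bot: The `required` message for X_CSI_VCENTER_HOST in node.yaml reads `"Must provide hosr url for vsphere"` while the controller template spells it `"Must provide host url for vsphere"`; fix the user-facing typo: `value: {{ required "Must provide host url for vsphere" .Values.vSphere.vCenterHost }}`. The `registrar` container is the only one in this DaemonSet without `imagePullPolicy: {{ .Values.imagePullPolicy }}`, so it falls back to the kubelet default while its siblings follow the chart value. The `noderoot` volume mounts the host's `/` into a privileged container with `SYS_ADMIN`; that is presumably for the iSCSI chroot (X_CSI_ISCSI_CHROOT defaults to the same path), and a comment on the volume saying so, e.g. `# host root, used as the iSCSI chroot (X_CSI_ISCSI_CHROOT)`, would make the scope of that privilege visible at review time.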
@@ -0,0 +1,440 @@ +--- +global: + # CSI driver log level + # Allowed values: "error", "warn"/"warning", "info", "debug" + # Default value: "debug" + logLevel: "debug" + + # CSI driver log format + # Allowed values: "TEXT" or "JSON" + # Default value: "TEXT" + logFormat: "TEXT" + + ########################## + # PLATFORM ATTRIBUTES + ########################## + # The CSI PowerMax ReverseProxy section to fill out the required configuration + # Please refer to the doc website about a + # detailed explanation of each configuration parameter + # and the various ReverseProxy modes + + defaultCredentialsSecret: powermax-creds + storageArrays: + - storageArrayId: "000000000001" + endpoint: https://primary-1.unisphe.re:8443 + backupEndpoint: https://backup-1.unisphe.re:8443 +# - storageArrayId: "000000000002" +# endpoint: https://primary-2.unisphe.re:8443 +# backupEndpoint: https://backup-2.unisphe.re:8443 + managementServers: + - endpoint: https://primary-1.unisphe.re:8443 + credentialsSecret: primary-1-secret + skipCertificateValidation: false + certSecret: primary-cert + limits: + maxActiveRead: 5 + maxActiveWrite: 4 + maxOutStandingRead: 50 + maxOutStandingWrite: 50 + - endpoint: https://backup-1.unisphe.re:8443 + credentialsSecret: backup-1-secret + skipCertificateValidation: false +# - endpoint: https://primary-2.unisphe.re:8443 +# credentialsSecret: primary-2-secret +# skipCertificateValidation: true +# certSecret: no-secret +# - endpoint: https://backup-2.unisphe.re:8443 +# credentialsSecret: backup-2-secret +# skipCertificateValidation: true + +# Current version of the driver +# Don't modify this value as this value will be used by the install script +version: "v2.6.0" + +images: + # "driver" defines the container image, used for the driver container. + driverRepository: dellemc +## K8S/DRIVER ATTRIBUTES +######################## +# customDriverName: If enabled, sets the driver name to the +# value provided to its value field with namespace prefixed to it. 
+ +# e.g, namespace.csi-powermax +# Default value: None +# Examples: "namespace.dellemc-array", "namespace.powermaxarray" +customDriverName: + value: csi-powermax + # Allowed values: + # "true" - Custom driver name is enabled + # "false" - Custom driver name is disabled + # Default value: "false" + enabled: false + +# defaultFsType: Sets the default FS type which will be used +# for mount volumes if FsType is not specified in the storage class +# Allowed values: +# "ext4" - EXT4 File system +# "xfs" - XFS File system +# Default value: "ext4" +defaultFsType: ext4 + +# imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container. +# Allowed values: +# Always: Always pull the image. +# IfNotPresent: Only pull the image if it does not already exist on the node. +# Never: Never pull the image. +# Default value: None +imagePullPolicy: IfNotPresent + +# Specify kubelet config dir path. +# Ensure that the config.yaml file is present at this path. +# Default value: None +kubeletConfigDir: /var/lib/kubelet + +# fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. +# Allowed values: +# ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined +# and the volume's accessModes contains ReadWriteOnce. +# File: kubernetes may use fsGroup to change permissions and ownership of the volume +# to match user requested fsGroup in the pod's security policy regardless of fstype or access mode. +# None: volumes will be mounted with no modifications. 
+# Default value: ReadWriteOnceWithFSType +fsGroupPolicy: ReadWriteOnceWithFSType + +# controller: configure controller specific parameters +controller: + # controllerCount: Define the number of PowerMax controller nodes + # to deploy to the Kubernetes release + # Allowed values: n, where n > 0 + # Default value: None + controllerCount: 2 + + # volumeNamePrefix: Define a prefix that is prepended to volumes. + # THIS MUST BE ALL LOWER CASE. + # Default value: None + # Examples: "volumes", "vol" + volumeNamePrefix: pmax + + snapshot: + # enabled: Enable/Disable volume snapshot feature + # Allowed values: + # true: enable volume snapshot feature(install snapshotter sidecar) + # false: disable volume snapshot feature(do not install snapshotter sidecar) + # Default value: None + enabled: true + # snapNamePrefix: Define a prefix that is prepended to snapshots. + # THIS MUST BE ALL LOWER CASE. + # Default value: None + # Examples: "snap", "snapshot" + snapNamePrefix: pmsn + + resizer: + # enabled: Enable/Disable volume expansion feature + # Allowed values: + # true: enable volume expansion feature(install resizer sidecar) + # false: disable volume snapshot feature(do not install resizer sidecar) + # Default value: None + enabled: true + + # nodeSelector: Define node selection constraints for controller pods. + # For the pod to be eligible to run on a node, the node must have each + # of the indicated key-value pairs as labels. 
+ # Leave as blank to consider all nodes + # Allowed values: map of key-value pairs + # Default value: None + # Examples: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane + nodeSelector: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master: "" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane: "" + + # tolerations: Define tolerations that would be applied to controller deployment + # Leave as blank to install controller on worker nodes + # Allowed values: map of key-value pairs + # Default value: None + tolerations: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # - key: "node-role.kubernetes.io/master" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # - key: "node-role.kubernetes.io/control-plane" + # operator: "Exists" + # effect: "NoSchedule" + + # health monitor showcase the volume usage and volume condition + healthMonitor: + # enabled: Enable/Disable health monitor of CSI volumes- volume status, volume condition + # Allowed values: + # true: enable checking of health condition of CSI volumes + # false: disable checking of health condition of CSI volumes + # Default value: None + enabled: false + + # interval: Interval of monitoring volume health condition + # Allowed values: Number followed by unit of time (s,m,h) + # Default value: 60s + interval: 60s + +# node: configure node specific parameters +node: + # nodeSelector: Define node selection constraints for node pods. + # For the pod to be eligible to run on a node, the node must have each + # of the indicated key-value pairs as labels. 
+ # Leave as blank to consider all nodes + # Allowed values: map of key-value pairs + # Default value: None + # Examples: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane + nodeSelector: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master: "" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane: "" + + # tolerations: Define tolerations that would be applied to node daemonset + # Add/Remove tolerations as per requirement + # Leave as blank if you wish to not apply any tolerations + # Allowed values: map of key-value pairs + # Default value: None + tolerations: + - key: "node.kubernetes.io/memory-pressure" + operator: "Exists" + effect: "NoExecute" + - key: "node.kubernetes.io/disk-pressure" + operator: "Exists" + effect: "NoExecute" + - key: "node.kubernetes.io/network-unavailable" + operator: "Exists" + effect: "NoExecute" + + # health monitor showcase the volume usage and volume condition + healthMonitor: + # enabled: Enable/Disable health monitor of CSI volumes- volume usage, volume condition + # Allowed values: + # true: enable checking of health condition of CSI volumes + # false: disable checking of health condition of CSI volumes + # Default value: false + enabled: false + + # Topology control provides a way to filter topology keys + # Please refer to the doc website about a detailed explanation on its configuration and usage + topologyControl: + # enabled: Enable/Disable Topology Control + # Allowed values: + # true: enable the filtration based on config map + # false: disable the filtration based on config map + # Default value: false + enabled: false + +# enableCHAP: Determine if the driver is going to 
configure +# ISCSI node databases on the nodes with the CHAP credentials +# If enabled, the CHAP secret must be provided in the credentials secret +# and set to the key "chapsecret" +# Allowed values: +# "true" - CHAP is enabled +# "false" - CHAP is disabled +# Default value: "false" +enableCHAP: false + +# Use of this param is depreciated; +# setting this to any value will have no effect. +# "unisphere" defines the Unisphere endpoint, +# with full URL, typically leveraging HTTPS. +# This should include the port number as well (the default is 8443) +# You must set this for your Unisphere instance. +# unisphere: https://127.0.0.1:8443 + +# csireverseproxy: Refers to the subchart csireverseproxy +csireverseproxy: + # image: Define the container images used for the reverse proxy + # Default value: None + # Example: "csipowermax-reverseproxy:v2.5.0" + image: dellemc/csipowermax-reverseproxy:v2.5.0 + # "tlsSecret" defines the TLS secret that is created with certificate + # and its associated key + # Default value: None + # Example: "tls-secret" + tlsSecret: csirevproxy-tls-secret + # Set enabled to true if you want to deploy csireverseproxy as sidecar + # Allowed values: + # "true" - CSI reverse proxy will be deployed as a sidecar + # "false" - CSI reverse proxy will be deployed along with driver + # Default value: "true" + deployAsSidecar: true + # Port number for csireverseproxy to listen + # Default value: None + # Examples: "1111", "8080" + port: 2222 + # Mode of CSI reverse proxy - this is a standalone API + # it doesn't belong to kubernetes cluster API + # Default value: None + # Example: "StandAlone" + mode: StandAlone + # Optionally, uncomment and specify the name of the pre-created namespace to install the sidecar in it + # namespace: + +# clusterPrefix: Define a prefix that is appended onto +# all resources created in the Array +# This should be unique per K8s/CSI deployment +# maximum length of this value is 3 characters +# Default value: None +# Examples: 
"XYZ" +clusterPrefix: ABC + +# portGroups: Define the set of existing port groups that the driver will use. +# It is a comma separated list of portgroup names. +# Required only in case of iSCSI port groups +# Allowed values: iSCSI Port Group names +# Default value: None +# Examples: "pg1, pg2, pg3", "pg1" + +portGroups: PortGroup1, PortGroup2, PortGroup3 + +# "skipCertificateValidation" determines if driver is going to skip verification +# of TLS certificates while connecting to Unisphere RESTAPI interface +# If it is set to false, +# then a secret powermax-certs has to be created with a X.509 certificate of CA +# which signed the Unisphere certificate +# Allowed values: +# "true" - TLS certificates verification will be skipped +# "false" - TLS certificates will be verified +# Default value: "true" +skipCertificateValidation: "true" + +# "transportProtocol" can be "FC" or "FIBRE" for fibrechannel, +# "ISCSI" for iSCSI, or "" for autoselection. +# Allowed values: +# "FC" - Fiber Channel protocol +# "FIBER" - Fiber Channel protocol +# "ISCSI" - iSCSI protocol +# "" - Automatic selection of transport protocol +# Default value: "" +transportProtocol: "" + +# "powerMaxDebug" enables low level and http traffic logging +# between the CSI driver and Unisphere. +# Do not enable this unless asked to do so by the support team. +# Allowed values: +# "true" - Traffic between the CSI driver and Unisphere is logged +# "false" - Traffic between the CSI driver and Unisphere will not be logged +# Default value: "false" +powerMaxDebug: "false" + +# nodeNameTemplate: Provide a template for the CSI driver to use +# while creating the Host/IG on the array for the nodes in the cluster. +# It is of the format a-b-c-%foo%-xyz +# where foo will be replaced by host name of each node in the cluster. +# For e.g. 
- If a node in the cluster has a hostname - worker1 +# then the host name with the above template would be a-b-c-worker1-xyz +# Default value: "" +# Examples: "a-b-c-worker1-xyz" , "a-b-c-workernode-xyz" +nodeNameTemplate: "" + +# modifyHostName: Change any existing host names. +# When nodenametemplate is set, +# it changes the name to the specified format +# else it uses driver default host name format. +# Allowed values: +# "true" - Host name will be modified +# "false" - Driver default host name format will be used +# Default value: "false" +modifyHostName: "false" + +# openshift: Define that the installation +# is being done on a Red Hat OpenShift cluster in the Helm Chart +# Don't modify this value as this value is overridden by the install script +openshift: false + +# CSM module attributes +# Set this to true to enable replication +# Replication CRDs must be installed before installing driver +# Allowed values: +# "true" - replication is enabled +# "false" - replication is disabled +# Default value: "false" +replication: + enabled: false + # Change this to use any specific version of the dell-csi-replicator sidecar + # Default value: None + image: dellemc/dell-csi-replicator:v1.4.0 + # replicationContextPrefix enables side cars to read + # required information from the volume context + # Default value: "powermax" + # Examples: "powermax-replication", "replication" + replicationContextPrefix: "powermax" + # replicationPrefix: Determine if replication is enabled + # Default value: "replication.storage.dell.com" + # Examples: "replication.storage.dell.com", "rdf.storage.dell.com" + replicationPrefix: "replication.storage.dell.com" + +# CSM module attributes +# Set this to true to enable migration +# Allowed values: +# "true" - migration is enabled +# "false" - migration is disabled +# Default value: "false" +migration: + enabled: false + # Change this to use any specific version of the dell-csi-migrator sidecar + # Default value: None + image: 
dellemc/dell-csi-migrator:v1.1.0 + nodeRescanSidecarImage: dellemc/dell-csi-node-sidecar:v1.0.0 + # migrationPrefix: Determine if migration is enabled + # Default value: "migration.storage.dell.com" + # Examples: "migration.storage.dell.com" + migrationPrefix: "migration.storage.dell.com" + +# CSM module attributes +# authorization: enable csm-authorization for RBAC +# Deploy and configure authorization before installing driver +# Allowed values: +# "true" - authorization is enabled +# "false" - authorization is disabled +# Default value: "false" +authorization: + enabled: false + # sidecarProxyImage: the container image used for the csm-authorization-sidecar. + # Default value: dellemc/csm-authorization-sidecar:v1.5.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.5.0 + # proxyHost: hostname of the csm-authorization server + # Default value: None + proxyHost: + # skipCertificateValidation: certificate validation of the csm-authorization server + # Allowed Values: + # "true" - TLS certificate verification will be skipped + # "false" - TLS certificate will be verified + # Default value: "true" + skipCertificateValidation: true + +# VMware/vSphere virtualization support +# set enable to true, if you to enable VMware virtualized environment support via RDM +# Allowed Values: +# "true" - vSphere volumes are enabled +# "false" - vSphere volumes are disabled +# Default value: "false" +vSphere: + enabled: false + # fcPortGroup: an existing portGroup that driver will use for vSphere + # recommended format: csi-x-VC-PG, x can be anything of user choice + fcPortGroup: "csi-vsphere-VC-PG" + # fcHostName: an existing host(initiator group) that driver will use for vSphere + # this host should contain initiators from all the ESXs/ESXi host + # where the cluster is deployed + # recommended format: csi-x-VC-HN, x can be anything of user choice + fcHostName: "csi-vsphere-VC-HN" + # vCenterHost: URL/endpoint of the vCenter where all the ESX are present + vCenterHost: 
"00.000.000.00" + # vCenterUserName: username from the vCenter credentials + vCenterUserName: "user" + # vCenterPassword: password from the vCenter credentials + vCenterPassword: "pwd" + +# Optionally, uncomment and specify the name of the pre-created namespace to install the driver in it +# namespace: \ No newline at end of file diff --git a/charts/csi-powerstore/Chart.yaml b/charts/csi-powerstore/Chart.yaml index be3c8fe8..e68db37d 100644 --- a/charts/csi-powerstore/Chart.yaml +++ b/charts/csi-powerstore/Chart.yaml @@ -16,12 +16,12 @@ name: csi-powerstore apiVersion: v2 -version: 2.5.0 -appVersion: "2.5.0" -kubeVersion: ">= 1.21.0 < 1.26.0" -#If you are using a complex K8s version like "v1.22.3-mirantis-1", use this kubeVersion check instead +version: 2.6.0 +appVersion: "2.6.0" +kubeVersion: ">= 1.23.0 < 1.27.0" +#If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead #WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED -#kubeVersion: ">= 1.21.0-0 < 1.26.0-0" +#kubeVersion: ">= 1.23.0-0 < 1.27.0-0" description: | PowerStore CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as @@ -33,4 +33,4 @@ home: https://github.com/dell/csi-powerstore sources: - https://github.com/dell/csi-powerstore maintainers: -- name: DellEMC +- name: DellEMC \ No newline at end of file diff --git a/charts/csi-powerstore/templates/_helpers.tpl b/charts/csi-powerstore/templates/_helpers.tpl index fba3d04c..dee68849 100644 --- a/charts/csi-powerstore/templates/_helpers.tpl +++ b/charts/csi-powerstore/templates/_helpers.tpl 
@@ -3,48 +3,48 @@ Return the appropriate sidecar images based on k8s version */}} {{- define "csi-powerstore.attacherImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} - {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.0.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.2.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.provisionerImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} - {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.3.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.4.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.snapshotterImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} - {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.1.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.2.1" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.resizerImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} - {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.6.0" -}} + {{- if and (ge (trimSuffix "+" 
.Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.7.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.registrarImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} - {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.3" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.healthmonitorImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "25") -}} - {{- print "gcr.io/k8s-staging-sig-storage/csi-external-health-monitor-controller:v0.7.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} + {{- print "gcr.io/k8s-staging-sig-storage/csi-external-health-monitor-controller:v0.8.0" -}} {{- end -}} {{- end -}} {{- end -}} @@ -68,4 +68,4 @@ By default this is not set so the helm release namespace will be used {{- define "custom.namespace" -}} {{ .Values.namespace | default .Release.Namespace }} -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/csi-powerstore/templates/controller.yaml b/charts/csi-powerstore/templates/controller.yaml index 9cc64eb9..48d43764 100644 --- a/charts/csi-powerstore/templates/controller.yaml +++ b/charts/csi-powerstore/templates/controller.yaml 
@@ -35,7 +35,13 @@ rules: verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["nodes"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "patch"] + {{- else }} verbs: ["get", "list", "watch"] + {{- end }} + {{- end }} - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete", "update", "patch"] @@ -47,7 +53,13 @@ rules: verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "update", "patch", "delete"] + {{- else }} verbs: ["get", "list", "watch", "update", "patch"] + {{- end }} + {{- end }} - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] @@ -81,7 +93,13 @@ rules: verbs: ["patch"] - apiGroups: [""] resources: ["pods"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "update", "delete"] + {{- else }} verbs: ["get", "list", "watch"] + {{- end }} + {{- end }} - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete"] 
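Review bot: When a values file has no `podmon` key at all, the `nodes` rule in this hunk renders with no `verbs` line, because the `{{- else }}` belongs to the inner `eq` test and the outer `hasKey` guard emits nothing when it fails; the same applies to the `volumeattachments` rule in `@@ -47,7 +53,13 @@` and the `pods` rule in `@@ -81,7 +93,13 @@`. Since Helm merges user values over the chart defaults, `podmon` is normally present from values.yaml, but the guard exists precisely for the case where it is not, and in that case it produces an invalid ClusterRole rather than falling back to the old verbs. Collapsing the two tests into one nil-safe condition keeps the default branch reachable: `{{- if (default dict .Values.podmon).enabled }}` in place of the two `if` lines, with one of the trailing `{{- end }}` lines removed.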
@@ -174,6 +192,33 @@ spec: - {{ .Release.Name }}-controller topologyKey: "kubernetes.io/hostname" containers: + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: podmon + image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.controller.args | nindent 12 }} + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: powerstore-config-params + mountPath: /powerstore-config-params + {{- end }} + {{- end }} {{- if hasKey .Values "dev" }} {{ if .Values.dev.enableTracing }}{{- include "pstore.tracing" . | nindent 8 }}{{ end }} {{- end }} @@ -360,6 +405,20 @@ spec: value: /powerstore-config/config - name: X_CSI_POWERSTORE_CONFIG_PARAMS_PATH value: /powerstore-config-params/driver-config-params.yaml + {{- if hasKey .Values "podmon" }} + - name: X_CSI_PODMON_ENABLED + value: "{{ .Values.podmon.enabled }}" + {{- if eq .Values.podmon.enabled true }} + {{- range $key, $value := .Values.podmon.controller.args }} + {{- if contains "--arrayConnectivityPollRate" $value }} + - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE + value: "{{ (split "=" $value)._1 }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + - name: X_CSI_PODMON_API_PORT + value: "{{ .Values.podmonAPIPort }}" {{- if hasKey .Values.controller "replication" }} {{- if eq .Values.controller.replication.enabled true}} - name: X_CSI_REPLICATION_CONTEXT_PREFIX diff --git a/charts/csi-powerstore/templates/csidriver.yaml b/charts/csi-powerstore/templates/csidriver.yaml index 9f5ad9be..ecf17723 100644 --- a/charts/csi-powerstore/templates/csidriver.yaml +++ b/charts/csi-powerstore/templates/csidriver.yaml 
@@ -24,4 +24,4 @@ spec: fsGroupPolicy: {{ .Values.fsGroupPolicy }} volumeLifecycleModes: - Persistent - - Ephemeral + - Ephemeral \ No newline at end of file diff --git a/charts/csi-powerstore/templates/driver-config-params.yaml b/charts/csi-powerstore/templates/driver-config-params.yaml index d979f262..5e4cd28d 100644 --- a/charts/csi-powerstore/templates/driver-config-params.yaml +++ b/charts/csi-powerstore/templates/driver-config-params.yaml @@ -22,4 +22,10 @@ metadata: data: driver-config-params.yaml: | CSI_LOG_LEVEL: "{{ .Values.logLevel }}" - CSI_LOG_FORMAT: "{{ .Values.logFormat }}" \ No newline at end of file + CSI_LOG_FORMAT: "{{ .Values.logFormat }}" + {{ if .Values.podmon.enabled }} + PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}" + PODMON_CONTROLLER_LOG_FORMAT: "{{ .Values.logFormat }}" + PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}" + PODMON_NODE_LOG_FORMAT: "{{ .Values.logFormat }}" + {{ end }} \ No newline at end of file diff --git a/charts/csi-powerstore/templates/node.yaml b/charts/csi-powerstore/templates/node.yaml index 5bc814ac..724bdcd9 100644 --- a/charts/csi-powerstore/templates/node.yaml +++ b/charts/csi-powerstore/templates/node.yaml @@ -52,7 +52,16 @@ rules: resourceNames: ["privileged"] resources: ["securitycontextconstraints"] verbs: ["use"] - + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch", "update", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + {{ end }} + {{ end }} --- @@ -84,6 +93,9 @@ spec: metadata: labels: app: {{ .Release.Name }}-node + {{- if .Values.podmon.enabled }} + driver.dellemc.com: dell-storage + {{- end }} spec: {{ if .Values.node.nodeSelector }} nodeSelector: 
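Review bot: `{{ if .Values.podmon.enabled }}` in the driver-config-params.yaml hunk and `{{- if .Values.podmon.enabled }}` in the `@@ -84,6 +93,9 @@` hunk of node.yaml dereference `podmon` directly, whereas every other podmon site in this commit first checks `hasKey .Values "podmon"`; if the key can be absent, these two lines are where rendering would fail with a nil-pointer error, and if it cannot, the guards elsewhere are dead weight. One form should be used throughout, e.g. `{{- if (default dict .Values.podmon).enabled }}`. In the `@@ -52,7 +52,16 @@` hunk the node ServiceAccount additionally gains `delete` on pods and full write access on leases; a comment naming the podmon node-mode operation that needs each verb would help whoever audits this RBAC later.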
@@ -98,6 +110,58 @@ spec: hostNetwork: true hostIPC: true containers: + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: podmon + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.node.args | nindent 12 }} + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: X_CSI_PRIVATE_MOUNT_DIR + value: {{ .Values.kubeletConfigDir }} + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: kubelet-pods + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }} + mountPropagation: "Bidirectional" + - name: csi-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + mountPropagation: "Bidirectional" + - name: dev + mountPath: /dev + - name: usr-bin + mountPath: /usr-bin + - name: var-run + mountPath: /var/run + - name: powerstore-config-params + mountPath: /powerstore-config-params + {{- end }} + {{- end }} {{- if hasKey .Values "dev" }} {{ if .Values.dev.enableTracing }}{{- include "pstore.tracing" . | nindent 8 }}{{ end }} {{- end}} 
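Review bot: The podmon container is granted `privileged: true`, `SYS_ADMIN`, `allowPrivilegeEscalation: true` and `Bidirectional` propagation on the kubelet pods, plugin and CSI directories, but nothing in the hunk records why each is required, so a cluster admin cannot tell which of them could be dropped. A comment above `securityContext:` such as `# TODO(doc): state which podmon node operation requires privileged mode and bidirectional mount propagation`, filled in by the author, would carry that justification with the manifest. The `X_CSI_PRIVATE_MOUNT_DIR` value is also left unquoted; `value: "{{ .Values.kubeletConfigDir }}"` keeps it a string for unusual paths and matches the quoted `value:` lines used for the other templated env entries in this commit.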
@@ -158,6 +222,20 @@ spec: value: "{{ .Values.controller.healthMonitor.enabled }}" {{- end }} {{- end }} + {{- if hasKey .Values "podmon" }} + - name: X_CSI_PODMON_ENABLED + value: "{{ .Values.podmon.enabled }}" + {{- if eq .Values.podmon.enabled true }} + {{- range $key, $value := .Values.podmon.node.args }} + {{- if contains "--arrayConnectivityPollRate" $value }} + - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE + value: "{{ (split "=" $value)._1 }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + - name: X_CSI_PODMON_API_PORT + value: "{{ .Values.podmonAPIPort }}" volumeMounts: - name: driver-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }} @@ -255,3 +333,19 @@ spec: - name: powerstore-config secret: secretName: {{ .Release.Name }}-config + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: usr-bin + hostPath: + path: /usr/bin + type: Directory + - name: kubelet-pods + hostPath: + path: /var/lib/kubelet/pods + type: Directory + - name: var-run + hostPath: + path: /var/run + type: Directory + {{ end }} + {{ end }} \ No newline at end of file diff --git a/charts/csi-powerstore/values.yaml b/charts/csi-powerstore/values.yaml index 639b9716..411b722c 100644 --- a/charts/csi-powerstore/values.yaml +++ b/charts/csi-powerstore/values.yaml @@ -23,7 +23,7 @@ driverName: "csi-powerstore.dellemc.com" # Driver version required to pull the latest driver image -version: "v2.5.0" +version: "v2.6.0" # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. @@ -68,6 +68,12 @@ imagePullPolicy: IfNotPresent # Default value: "0777" nfsAcls: "0777" +# podmonAPIPort: Defines the port to be used within the kubernetes cluster +# Allowed values: +# Any valid and free port. +# Default value: 8083 +podmonAPIPort: 8083 + # controller: configure controller specific parameters controller: # controllerCount: defines the number of csi-powerstore controller pods to deploy to 
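Review bot: In the `@@ -255,3 +333,19 @@` hunk the `kubelet-pods` volume hard-codes `path: /var/lib/kubelet/pods`, while the container side in `@@ -98,6 +110,58 @@` mounts it at `{{ .Values.kubeletConfigDir }}/pods`; on a cluster with a non-default kubelet directory the pod directory mounted into podmon is the wrong one. `path: {{ .Values.kubeletConfigDir }}/pods` keeps the two sides consistent, and presumably matches how the existing `driver-path`/`csi-path` volumes outside this hunk are built. The hunk's `{{ end }}` lines (without the `-` trim) also leave blank lines in the rendered volumes list — harmless, but inconsistent with the `{{- end }}` used in the container hunk.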
@@ -92,8 +98,8 @@ controller: enabled: false # image: Image to use for volume-group-snapshotter. This shouldn't be changed # Allowed values: string - # Default value: dellemc/csi-volumegroup-snapshotter:v1.1.0 - image: dellemc/csi-volumegroup-snapshotter:v1.1.0 + # Default value: dellemc/csi-volumegroup-snapshotter:v1.2.0 + image: dellemc/csi-volumegroup-snapshotter:v1.2.0 # snapshot: allows to enable/disable snapshot feature # snapshot CRDs needs to be installed before enabling this feature @@ -145,7 +151,7 @@ controller: # image: Image to use for dell-csi-replicator. This shouldn't be changed # Allowed values: string # Default value: None - image: dellemc/dell-csi-replicator:v1.3.0 + image: dellemc/dell-csi-replicator:v1.4.0 # replicationContextPrefix: prefix to use for naming of resources created by replication feature # Allowed values: string @@ -232,6 +238,33 @@ node: # operator: "Exists" # effect: "NoSchedule" + # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled + #tolerations: + # - key: "offline.vxflexos.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "vxflexos.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.unity.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "unity.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.isilon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "isilon.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.powerstore.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "powerstore.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + ## PLATFORM ATTRIBUTES ###################### 
@@ -275,8 +308,37 @@ storageCapacity: # Default value: 5m pollInterval: 5m +# Enable this feature only after contact support for additional information +podmon: + enabled: false + image: dellemc/podmon:v1.4.0 + controller: + args: + - "--csisock=unix:/var/run/csi/csi.sock" + - "--labelvalue=csi-powerstore" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powerstore.dellemc.com" + - "--mode=controller" + - "--skipArrayConnectionValidation=false" + - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" + + node: + args: + - "--csisock=unix:/var/lib/kubelet/plugins/csi-powerstore.dellemc.com/csi_sock" + - "--labelvalue=csi-powerstore" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powerstore.dellemc.com" + - "--mode=node" + - "--leaderelection=false" + - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" + images: # "driver" defines the container image, used for the driver container. driverRepository: dellemc - -# namespace: powerstore-ns \ No newline at end of file + +# Optionally, uncomment and specify the name of the pre-created namespace to install the driver in it +# namespace: \ No newline at end of file diff --git a/charts/csm-application-mobility/values.yaml b/charts/csm-application-mobility/values.yaml index 3c3e7593..1734b4fb 100644 --- a/charts/csm-application-mobility/values.yaml +++ b/charts/csm-application-mobility/values.yaml @@ -79,5 +79,6 @@ velero: # volumeMounts: # - mountPath: /target # name: plugins - -# namespace: app-mobility \ No newline at end of file + +# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it +# namespace: \ No newline at end of file 
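Review bot: The new `podmon` block does not mention that the node template parses `podmon.node.args` — it searches the list for the `--arrayConnectivityPollRate=<n>` entry to populate an env var — so an operator who rewrites or removes that argument changes driver behaviour without any rendering error. A comment on the node args such as `# The --arrayConnectivityPollRate=<seconds> entry is read by the node template; keep it in this exact form` documents the coupling. The header comment `# Enable this feature only after contact support for additional information` reads better as `# Enable this feature only after contacting support for additional information`, and the `image: dellemc/podmon:v1.4.0` line would benefit from the `# Allowed values` / `# Default value` preamble the rest of this file uses. The `storageCapacity` mapping above the block starts outside the hunk.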
diff --git a/charts/csm-authorization/.gitignore b/charts/csm-authorization/.gitignore
new file mode 100644
index 00000000..a4d58c62
--- /dev/null
+++ b/charts/csm-authorization/.gitignore
@@ -0,0 +1,2 @@
+Chart.lock
+charts/*tgz
diff --git a/charts/csm-authorization/.helmignore b/charts/csm-authorization/.helmignore
new file mode 100644
index 00000000..9d56613f
--- /dev/null
+++ b/charts/csm-authorization/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+installer/
diff --git a/charts/csm-authorization/Chart.yaml b/charts/csm-authorization/Chart.yaml
new file mode 100644
index 00000000..f1736a0f
--- /dev/null
+++ b/charts/csm-authorization/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: csm-authorization
+version: 1.5.1
+appVersion: 1.5.1
+type: application
+description: CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers.
+dependencies:
+- name: cert-manager
+ version: 1.6.1
+ repository: https://charts.jetstack.io
+ condition: cert-manager.enabled
+- name: ingress-nginx
+ version: 4.0.19
+ repository: https://kubernetes.github.io/ingress-nginx
+ condition: ingress-nginx.enabled
\ No newline at end of file
diff --git a/charts/csm-authorization/README.md b/charts/csm-authorization/README.md
new file mode 100644
index 00000000..1b5eed59
--- /dev/null
+++ b/charts/csm-authorization/README.md
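Review bot: The new chart pins `cert-manager` to 1.6.1 and `ingress-nginx` to 4.0.19, which appear to be well behind the releases those projects were shipping at the time of this commit, and nothing in the dependency section says why those versions were chosen. If the pins are deliberate, a comment such as `# pinned: combination validated with CSM Authorization 1.5.1` stops a later reviewer from treating a bump as a no-op; if they are not, moving to current releases picks up the security fixes both projects have published since, which matters for an ingress controller that terminates the proxy's TLS. The file also ends without a trailing newline.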
@@ -0,0 +1,19 @@ + + +# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart + +CSM for Authorization can be deployed using Helm. + +For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm). + +## Helm Chart Versioning + +For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy). diff --git a/charts/container-storage-modules/.helmignore b/charts/csm-authorization/charts/redis/.helmignore similarity index 100% rename from charts/container-storage-modules/.helmignore rename to charts/csm-authorization/charts/redis/.helmignore diff --git a/charts/csm-authorization/charts/redis/Chart.yaml b/charts/csm-authorization/charts/redis/Chart.yaml new file mode 100644 index 00000000..30b032ee --- /dev/null +++ b/charts/csm-authorization/charts/redis/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: redis +description: A Helm chart for Redis +type: application +version: 0.1.0 +appVersion: 0.1.0 diff --git a/charts/csm-authorization/charts/redis/templates/redis.yaml b/charts/csm-authorization/charts/redis/templates/redis.yaml new file mode 100644 index 00000000..8bc75899 --- /dev/null +++ b/charts/csm-authorization/charts/redis/templates/redis.yaml 
@@ -0,0 +1,128 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-primary + namespace: {{ include "custom.namespace" . }} + labels: + app: redis +spec: + selector: + matchLabels: + app: redis + role: primary + tier: backend + replicas: 1 + template: + metadata: + labels: + app: redis + role: primary + tier: backend + spec: + containers: + - name: primary + image: {{ .Values.images.redis }} + imagePullPolicy: IfNotPresent + args: ["--appendonly", "yes", "--appendfsync", "always"] + resources: + requests: + cpu: 100m + memory: 100Mi + ports: + - containerPort: 6379 + volumeMounts: + - name: redis-primary-volume + mountPath: /data + volumes: + - name: redis-primary-volume + persistentVolumeClaim: + claimName: redis-primary-pv-claim +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: redis-primary-pv-claim + namespace: {{ include "custom.namespace" . }} + labels: + app: redis-primary +spec: + accessModes: + - ReadWriteOnce + {{- if (.Values.storageClass) }} + storageClassName: {{.Values.storageClass }} + {{- end}} + resources: + requests: + storage: 8Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-commander + namespace: {{ include "custom.namespace" . }} +spec: + replicas: 1 + selector: + matchLabels: + app: redis-commander + template: + metadata: + labels: + app: redis-commander + tier: backend + spec: + containers: + - name: redis-commander + image: {{ .Values.images.commander }} + imagePullPolicy: IfNotPresent + env: + - name: REDIS_HOSTS + value: "rbac:redis.{{ include "custom.namespace" . 
}}.svc.cluster.local:6379" + - name: K8S_SIGTERM + value: "1" + ports: + - name: redis-commander + containerPort: 8081 + livenessProbe: + httpGet: + path: /favicon.png + port: 8081 + initialDelaySeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: "500m" + memory: "512M" + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Service +metadata: + name: redis + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: redis + ports: + - protocol: TCP + port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-commander + namespace: {{ include "custom.namespace" . }} +spec: + selector: + app: redis-commander + ports: + - protocol: TCP + port: 8081 + targetPort: 8081 diff --git a/charts/csm-authorization/charts/redis/values.yaml b/charts/csm-authorization/charts/redis/values.yaml new file mode 100644 index 00000000..e69de29b diff --git a/charts/csm-authorization/policies/common.rego b/charts/csm-authorization/policies/common.rego new file mode 100644 index 00000000..99709c9a --- /dev/null +++ b/charts/csm-authorization/policies/common.rego @@ -0,0 +1,4 @@ +package karavi.common +default roles = {} +roles = {} + diff --git a/charts/csm-authorization/policies/powermax-url.rego b/charts/csm-authorization/policies/powermax-url.rego new file mode 100644 index 00000000..25cd3f6e --- /dev/null +++ b/charts/csm-authorization/policies/powermax-url.rego 
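Review bot: The `redis-primary` container has no `securityContext` while `redis-commander` in the same file runs non-root, forbids privilege escalation and drops all capabilities; the store that holds authorization roles and tenants deserves at least the same hardening, and it also declares `requests` without `limits`. Redis is started with `--appendonly yes --appendfsync always` but no authentication argument, and the `redis` Service makes 6379 reachable from any pod that can resolve the namespace, so whether that is acceptable depends on a NetworkPolicy or password that is not in this hunk; either a comment stating the assumption (`# redis is unauthenticated; access is expected to be limited by NetworkPolicy`) or a `--requirepass` argument sourced from a Secret is needed. `{{ .Values.images.redis }}` and `{{ .Values.images.commander }}` are unquoted and have no default in the (empty) subchart values.yaml, so an unset value renders a null `image:` instead of failing; `{{ required "images.redis is required" .Values.images.redis | quote }}` gives a clear error at install time. The securityContext below mirrors the commander's; the uid is a placeholder because the image is not known from this chart.

```yaml
      containers:
        - name: primary
          image: {{ required "images.redis is required" .Values.images.redis | quote }}
          # … unchanged: imagePullPolicy, args, ports, volumeMounts …
          securityContext:
            runAsNonRoot: true
            runAsUser: <UID_THE_REDIS_IMAGE_RUNS_AS>   # placeholder: confirm against the image
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:   # illustrative sizes; tune to the deployment
              cpu: 500m
              memory: 512Mi
```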
@@ -0,0 +1,47 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.authz.powermax.url + +allowlist = [ + "GET /univmax/restapi/version", + "GET /univmax/restapi/(90|91)/system/symmetrix/[a-f0-9A-F]+", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/srp", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", + "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", + "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", + "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", + "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", + "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/[a-f0-9A-F]+", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", + "GET /univmax/restapi/91/sloprovisioning/symmetrix/[a-f0-9A-F]+/portgroup/(.+)", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/initiator", + "GET 
/univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/host/(.+)", + "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", + "GET /univmax/restapi/(90|91)/system/symmetrix", + "GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", + "GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/", + "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", + "GET /univmax/restapi/(90|91)/replication/capabilities/symmetrix/", + "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview", +] + +default allow = true + +allow { + regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) +} diff --git a/charts/csm-authorization/policies/powerscale-url.rego b/charts/csm-authorization/policies/powerscale-url.rego new file mode 100644 index 00000000..4a3032bd --- /dev/null +++ b/charts/csm-authorization/policies/powerscale-url.rego 
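Review bot: `default allow = true` makes the allowlist inert: the `allow` rule is undefined only when no pattern matches, and the default then turns that case into `true`, so every method/URL pair is permitted regardless of the list. If the policy is meant to gate Unisphere calls the default must be `default allow = false` (with a negative test to prove it); if the list is intentionally advisory at this release, a comment saying so belongs directly above the default. The entries are also evaluated with `regex.match`, which is unanchored, so each pattern matches anywhere inside `"<method> <url>"`; wrapping them at the call site, `regex.match(sprintf("^%s$", [allowlist[_]]), sprintf("%s %s", [input.method, input.url]))`, makes the list mean what it reads as. The same two points apply to powerscale-url.rego and url.rego, where only the `GET /api/instances/Volume::[a-f0-9]+/$` entry carries an anchor.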
@@ -0,0 +1,42 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.authz.powerscale.url
+
+allowlist = [
+ "GET /platform/latest/",
+ "GET /platform/[0-9]/cluster/config/",
+ "GET /namespace/(.+)",
+ "GET /platform/[0-9]/protocols/nfs/exports/?(.+)",
+ "PUT /namespace/(.+)",
+ "GET /platform/[0-9]/quota/license/",
+ "POST /platform/[0-9]/quota/quotas/",
+ "POST /platform/[0-9]/protocols/nfs/exports/?(.+)",
+ "GET /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)",
+ "PUT /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)",
+ "DELETE /platform/[0-9]/quota/quotas/[a-z0-9A-Z]+/",
+ "DELETE /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)",
+ "DELETE /namespace/(.+)",
+ "GET /platform/[0-9]/snapshot/snapshots/(.+)",
+ "POST /platform/[0-9]/snapshot/snapshots",
+ "DELETE /platform/[0-9]/snapshot/snapshots/(.+)",
+ "POST /session/[0-9]/session/",
+ "GET /session/[0-9]/session/",
+ "POST /proxy/refresh-token/"
+]
+
+default allow = true
+allow {
+ regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url]))
+}
diff --git a/charts/csm-authorization/policies/url-test.rego b/charts/csm-authorization/policies/url-test.rego
new file mode 100644
index 00000000..ed849eb4
--- /dev/null
+++ b/charts/csm-authorization/policies/url-test.rego
@@ -0,0 +1,63 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.authz.url + +test_get_api_login_allowed { + allow with input as {"method": "GET", "url": "/api/login/"} +} + +test_post_proxy_refresh_token_allowed { + allow with input as {"method": "POST", "url": "/proxy/refresh-token/"} +} + +test_get_api_version_allowed { + allow with input as {"method": "GET", "url": "/api/version/"} +} + +test_get_system_instances_allowed { + allow with input as {"method": "GET", "url": "/api/types/System/instances/"} +} + +test_get_storagpool_instances_allowed { + allow with input as {"method": "GET", "url": "/api/types/StoragePool/instances/"} +} + +test_post_volume_instances_allowed { + allow with input as {"method": "POST", "url": "/api/types/Volume/instances/"} +} + +test_get_volume_instance_allowed { + allow with input as {"method": "GET", "url": "/api/instances/Volume::2a3814c600000003/"} +} + +test_post_volume_instances_queryIdByKey_allowed { + allow with input as {"method": "POST", "url": "/api/types/Volume/instances/action/queryIdByKey/"} +} + +test_get_system_sdc_allowed { + allow with input as {"method": "GET", "url": "/api/instances/System::7045c4cc20dffc0f/relationships/Sdc/"} +} + +test_post_volume_add_sdc_allowed { + allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/addMappedSdc/"} +} + +test_post_volume_remove_sdc_allowed { + allow 
with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeMappedSdc/"} +} + +test_post_volume_remove_allowed { + allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeVolume/"} +} diff --git a/charts/csm-authorization/policies/url.rego b/charts/csm-authorization/policies/url.rego new file mode 100644 index 00000000..071638ae --- /dev/null +++ b/charts/csm-authorization/policies/url.rego 
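Review bot: Every test here asserts `allow` for a listed URL and none asserts `not allow` for an unlisted one, so the suite passes unchanged even if url.rego permits everything — which, with its `default allow = true`, it currently does. One negative case, e.g. `test_unlisted_url_denied { not allow with input as {"method": "DELETE", "url": "/api/instances/System::1/"} }` (constructed example), turns the suite into a check on the allowlist rather than on regex syntax, and would have surfaced the default. The companion powermax-url.rego and powerscale-url.rego policies have no tests at all, and `test_get_storagpool_instances_allowed` misspells "storagepool".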
@@ -0,0 +1,39 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.authz.url
+
+allowlist = [
+ "GET /api/login/",
+ "POST /proxy/refresh-token/",
+ "GET /api/version/",
+ "GET /api/types/System/instances/",
+ "GET /api/types/StoragePool/instances/",
+ "POST /api/types/Volume/instances/",
+ "GET /api/instances/Volume::[a-f0-9]+/$",
+ "POST /api/types/Volume/instances/action/queryIdByKey/",
+ "GET /api/instances/System::[a-f0-9]+/relationships/Sdc/",
+ "GET /api/instances/Sdc::[a-f0-9]+/relationships/Statistics/",
+ "GET /api/instances/Sdc::[a-f0-9]+/relationships/Volume/",
+ "GET /api/instances/Volume::[a-f0-9]+/relationships/Statistics/",
+ "GET /api/instances/StoragePool::[a-f0-9]+/relationships/Statistics/",
+ "POST /api/instances/Volume::[a-f0-9]+/action/addMappedSdc/",
+ "POST /api/instances/Volume::[a-f0-9]+/action/removeMappedSdc/",
+ "POST /api/instances/Volume::[a-f0-9]+/action/removeVolume/"
+]
+
+default allow = true
+allow {
+ regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url]))
+}
diff --git a/charts/csm-authorization/policies/volumes-create-test.rego b/charts/csm-authorization/policies/volumes-create-test.rego
new file mode 100644
index 00000000..619e5a8d
--- /dev/null
+++ b/charts/csm-authorization/policies/volumes-create-test.rego
@@ -0,0 +1,117 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.create + +roles = { + "us-east-1": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": "44000000" + } + } + } + } + } + }, + "us-west-1": { + "system_types": { + "powerflex": { + "system_ids": { + "1111": { + "pool_quotas": { + "bronze": 83886080 + } + } + } + } + } + }, + "us-west-2-small": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": 83886080 + } + } + } + } + } + }, + "us-west-2-large": { + "system_types": { + "powerflex": { + "system_ids": { + "2222": { + "pool_quotas": { + "bronze": 838860800, + "silver": 93886080000 + } + } + } + } + } + } + } + +test_small_request_allowed { + allow with input as { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": "DevOpsGroup1", + "iss":"com.dell.karavi", + "roles":"us-east-1", + "sub":"karavi-tenant" + }, + "request": { + "name":"k8s-0fc0695995", + "protectionDomainId":"6b2ffe6c00000000", + "storagePoolId":"ae376b0300000000", + "volumeSizeInKb":"8388608", + "volumeType":"ThinProvisioned" + }, + "storagepool":"bronze", + "storagesystemid":"2222", + "systemtype": "powerflex" + } with data.karavi.common.roles as roles +} + +test_large_request_not_allowed { + not allow with input as { + "claims": { + "aud": "karavi", + "exp": 1615426023, + "group": 
"DevOpsGroup1", + "iss":"com.dell.karavi", + "roles":"us-west-2-small,us-west-2-large", + "sub":"karavi-tenant" + }, + "request": { + "name":"k8s-0fc0695995", + "protectionDomainId":"6b2ffe6c00000000", + "storagePoolId":"ae376b0300000000", + "volumeSizeInKb":"9999999999", + "volumeType":"ThinProvisioned" + }, + "storagepool":"bronze", + "storagesystemid":"2222", + "storagetype": "powerflex" + } with data.karavi.common.roles as roles +} diff --git a/charts/csm-authorization/policies/volumes-create.rego b/charts/csm-authorization/policies/volumes-create.rego new file mode 100644 index 00000000..ee506874 --- /dev/null +++ b/charts/csm-authorization/policies/volumes-create.rego 
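Review bot: `test_large_request_not_allowed` passes for the wrong reason: its input uses the key `"storagetype"` while the policy and `test_small_request_allowed` use `"systemtype"`, so `input.systemtype` is undefined, `permitted_roles` is empty and `not allow` holds no matter what size is requested. Changing the key to `"systemtype": "powerflex"` makes the test exercise the quota comparison it is named after. The fixture also stores the us-east-1 bronze quota as the string `"44000000"` while every other quota is a number; if both forms are legitimate role data, the policy's comparison needs to handle that explicitly, and if not, the fixture should use a number.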
@@ -0,0 +1,74 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.create + +import data.karavi.common + +# Deny requests by default. +default allow = false + +# +# Allows the request if one of the claimed roles matches +# a role configured to allow the storage request. +# +allow { + count(permitted_roles) != 0 + count(deny) == 0 +} + +# +# Deny if there are no roles found. +# +deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) +} + +# +# Deny if claimed roles has no match for the request. +# +deny[msg] { + count(permitted_roles) == 0 + msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s", + [input.claims.roles, + input.request.volumeSizeInKb, + input.systemtype, + input.storagesystemid, + input.storagepool]) +} + +# +# These are permitted roles that are configured +# with the requested storage system, mapped to +# the allowable quota for the request storage +# pool. +# +# Example: { "role-1": 800000 } +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. 
+ v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} diff --git a/charts/csm-authorization/policies/volumes-delete.rego b/charts/csm-authorization/policies/volumes-delete.rego new file mode 100644 index 00000000..2ee0938c --- /dev/null +++ b/charts/csm-authorization/policies/volumes-delete.rego @@ -0,0 +1,48 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.delete + +import data.karavi.common + +default response = { + "allowed": true +} +response = { + "allowed": false, + "status": { + "reason": reason, + }, +} { + reason = concat(", ", deny) + reason != "" +} + +# +# Ensure there are roles configured. +# +deny[msg] { + common.roles == {} + msg := sprintf("no role data found", []) +} + +# +# Validate input: claims. +# +default claims = {} +claims = input.claims +deny[msg] { + claims == {} + msg := sprintf("missing claims", []) +} diff --git a/charts/csm-authorization/policies/volumes-map.rego b/charts/csm-authorization/policies/volumes-map.rego new file mode 100644 index 00000000..15fb172e --- /dev/null +++ b/charts/csm-authorization/policies/volumes-map.rego 
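Review bot: The quota check in `permitted_roles` compares the raw `pool_quotas[input.storagepool]` value with `to_number(input.request.volumeSizeInKb)`, while only the `y` assignment on the following line converts the quota with `to_number`. Rego compares values of different types by a fixed type ordering in which numbers sort before strings, so if a quota arrives as a string — as the `"44000000"` fixture in volumes-create-test.rego suggests can happen — the `>=` is satisfied for any request size and the role is granted without an effective quota. Converting both sides, `to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) >= to_number(input.request.volumeSizeInKb)`, keeps the comparison numeric whatever the stored form; the identical line appears in volumes-powermax-create.rego and volumes-powerscale-create.rego. A comment on the `y` line noting that it is the converted quota for the permitted role would also help, since the rule's head documentation only says "mapped to the allowable quota".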
@@ -0,0 +1,42 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.map
+
+import data.karavi.common
+
+default response = {
+ "allowed": true
+}
+response = {
+ "allowed": false,
+ "status": {
+ "reason": reason,
+ },
+} {
+ reason = concat(", ", deny)
+ reason != ""
+}
+
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no role data found", [])
+}
+
+default claims = {}
+claims = input.claims
+deny[msg] {
+ claims == {}
+ msg := sprintf("missing claims", [])
+}
diff --git a/charts/csm-authorization/policies/volumes-powermax-create.rego b/charts/csm-authorization/policies/volumes-powermax-create.rego
new file mode 100644
index 00000000..96eb8894
--- /dev/null
+++ b/charts/csm-authorization/policies/volumes-powermax-create.rego
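Review bot: volumes-map.rego is structurally identical to volumes-delete.rego but drops the two comments that file carries (`# Ensure there are roles configured.` and `# Validate input: claims.`), so the reader has to diff the files to see that nothing else differs. Carrying those comments over, plus one package-level line such as `# Map requests are not quota-gated; they are allowed whenever roles and claims are present.`, keeps the four volume policies readable side by side. volumes-unmap.rego has the same omission.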
@@ -0,0 +1,74 @@ +# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.volumes.powermax.create + +import data.karavi.common + +# Deny requests by default. +default allow = false + +# +# Allows the request if one of the claimed roles matches +# a role configured to allow the storage request. +# +allow { + count(permitted_roles) != 0 + count(deny) == 0 +} + +# +# Deny if there are no roles found. +# +deny[msg] { + common.roles == {} + msg := sprintf("no configured roles", []) +} + +# +# Deny if claimed roles has no match for the request. +# +deny[msg] { + count(permitted_roles) == 0 + msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s", + [input.claims.roles, + input.request.volumeSizeInKb, + input.systemtype, + input.storagesystemid, + input.storagepool]) +} + +# +# These are permitted roles that are configured +# with the requested storage system, mapped to +# the allowable quota for the request storage +# pool. +# +# Example: { "role-1": 800000 } +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. 
+ v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} diff --git a/charts/csm-authorization/policies/volumes-powerscale-create.rego b/charts/csm-authorization/policies/volumes-powerscale-create.rego new file mode 100644 index 00000000..47a6fe12 --- /dev/null +++ b/charts/csm-authorization/policies/volumes-powerscale-create.rego 
@@ -0,0 +1,60 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.powerscale.create
+
+import data.karavi.common
+
+# Deny requests by default.
+default allow = false
+
+#
+# Allows the request if one of the claimed roles matches
+# a role configured to allow the storage request.
+#
+allow {
+ count(deny) == 0
+}
+
+#
+# Deny if there are no roles found.
+#
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no configured roles", [])
+}
+
+#
+# These are permitted roles that are configured
+# with the requested storage system, mapped to
+# the allowable quota for the request storage
+# pool.
+#
+# Example: { "role-1": 800000 }
+#
+permitted_roles[v] = y {
+ # Split the claimed roles by comma into an array.
+ claimed_roles := split(input.claims.roles, ",")
+
+ # This block filters 'a' to contain only roles
+ # that are found in 'common.roles'.
+ some i
+ a := claimed_roles[i]
+ common.roles[a]
+
+ # v will contain permitted roles that match the storage request.
+ v := claimed_roles[i]
+ common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb)
+ y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
+}
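Review bot: `allow` in this policy requires only `count(deny) == 0`, and the single `deny` rule fires only when no roles are configured at all, so any caller is permitted for any request size as soon as role data exists; `permitted_roles` is computed but never consulted, unlike the sibling volumes-create.rego and volumes-powermax-create.rego where `allow` also requires `count(permitted_roles) != 0` and a second `deny` reports unmatched roles. The comment above `allow` ("Allows the request if one of the claimed roles matches…") therefore describes behaviour the rule does not have. If PowerScale is deliberately not quota-gated at this release, the dead `permitted_roles` rule and its quota comment should go and a line such as `# PowerScale requests are not quota-checked; allow whenever roles are configured.` should replace them; otherwise the two missing conditions from the sibling policies should be restored.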
diff --git a/charts/csm-authorization/policies/volumes-unmap.rego b/charts/csm-authorization/policies/volumes-unmap.rego
new file mode 100644
index 00000000..f4a85f1f
--- /dev/null
+++ b/charts/csm-authorization/policies/volumes-unmap.rego
@@ -0,0 +1,42 @@
+# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package karavi.volumes.unmap
+
+import data.karavi.common
+
+default response = {
+ "allowed": true
+}
+response = {
+ "allowed": false,
+ "status": {
+ "reason": reason,
+ },
+} {
+ reason = concat(", ", deny)
+ reason != ""
+}
+
+deny[msg] {
+ common.roles == {}
+ msg := sprintf("no role data found", [])
+}
+
+default claims = {}
+claims = input.claims
+deny[msg] {
+ claims == {}
+ msg := sprintf("missing claims", [])
+}
diff --git a/charts/csm-authorization/templates/NOTES.txt b/charts/csm-authorization/templates/NOTES.txt
new file mode 100644
index 00000000..a364e366
--- /dev/null
+++ b/charts/csm-authorization/templates/NOTES.txt
@@ -0,0 +1,23 @@
+The CSM Authorization deployment has been successfully installed.
+
+Execute the following commands in your shell to print the URL of the CSM Authorization NodePort LoadBalancer:
+
+export NODE_PORT=$(kubectl get --namespace {{ include "custom.namespace" . }} -o jsonpath="{.spec.ports[1].nodePort}" service {{ include "custom.namespace" . }}-ingress-nginx-controller)
+export NODE_IP=$(kubectl get nodes --namespace {{ include "custom.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+echo https://$NODE_IP:$NODE_PORT
+
+LoadBalancer host rules for proxy-server:
+- {{ .Values.authorization.hostname }}
+- {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local
+
+LoadBalancer host rules for tenant-service:
+- tenant.{{ .Values.authorization.hostname }}
+
+LoadBalancer host rules for role-service:
+- role.{{ .Values.authorization.hostname }}
+
+LoadBalancer host rules for storage-service:
+- storage.{{ .Values.authorization.hostname }}
+
+authorization.proxyHost value for a CSI Driver examples:
+- {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization)
diff --git a/charts/csm-authorization/templates/_helpers.tpl b/charts/csm-authorization/templates/_helpers.tpl
new file mode 100644
index 00000000..000bd372
--- /dev/null
+++ b/charts/csm-authorization/templates/_helpers.tpl
@@ -0,0 +1,9 @@
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+*/}}
+
+{{- define "custom.namespace" -}}
+ {{ .Values.namespace | default .Release.Namespace }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/csm-authorization/templates/certificate.yaml b/charts/csm-authorization/templates/certificate.yaml
new file mode 100644
index 00000000..95dbef5b
--- /dev/null
+++ b/charts/csm-authorization/templates/certificate.yaml
@@ -0,0 +1,82 @@
+# If the cert and key are provided, use them to create a tls secret
+{{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }}
+{{- $certificateFileContents := .Values.authorization.certificate }}
+{{- $privateKeyFileContents := .Values.authorization.privateKey }}
+apiVersion: v1
+data:
+ tls.crt: {{ $certificateFileContents | b64enc }}
+ tls.key: {{ $privateKeyFileContents | b64enc }}
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: user-provided-tls
+ namespace: {{ include "custom.namespace" . }}
+
+---
+{{- end }}
+
+
+# If the cert and key are not provided, user cert-manager to create a self-signed tls secret
+{{- if or (not .Values.authorization.certificate) (not .Values.authorization.privateKey) }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: karavi-auth
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ secretName: karavi-selfsigned-tls
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - dellemc
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - karavi-auth
+ - karavi-auth.{{ include "custom.namespace" . }}.svc.kubernetes.local
+ - {{ .Values.authorization.hostname }}
+ - tenant.{{ .Values.authorization.hostname }}
+ - role.{{ .Values.authorization.hostname }}
+ - storage.{{ .Values.authorization.hostname }}
+ {{- if .Values.authorization.proxyServerIngress.hosts }}
+ {{- range .Values.authorization.proxyServerIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ {{- if .Values.authorization.tenantServiceIngress.hosts }}
+ {{- range .Values.authorization.tenantServiceIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ {{- if .Values.authorization.roleServiceIngress.hosts }}
+ {{- range .Values.authorization.roleServiceIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ {{- if .Values.authorization.storageServiceIngress.hosts }}
+ {{- range .Values.authorization.storageServiceIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ issuerRef:
+ name: selfsigned
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
diff --git a/charts/csm-authorization/templates/csm-config-params.yaml b/charts/csm-authorization/templates/csm-config-params.yaml
new file mode 100644
index 00000000..aaf64a5b
--- /dev/null
+++ b/charts/csm-authorization/templates/csm-config-params.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: csm-config-params
+ namespace: {{ include "custom.namespace" . }}
+data:
+ csm-config-params.yaml: |
+ CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests }}
+ LOG_LEVEL: {{ .Values.authorization.logLevel }}
+ {{- if (.Values.authorization.zipkin.collectoruri) }}
+ zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }}
+ zipkin.probability: {{ .Values.authorization.zipkin.probability }}
+ {{- end }}
\ No newline at end of file
diff --git a/charts/csm-authorization/templates/ingress.yaml b/charts/csm-authorization/templates/ingress.yaml
new file mode 100644
index 00000000..b10cfbe1
--- /dev/null
+++ b/charts/csm-authorization/templates/ingress.yaml
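Review bot: The self-signed Certificate lists `karavi-auth.{{ include "custom.namespace" . }}.svc.kubernetes.local` as a SAN, while every other in-cluster address in this chart (the proxy-server `--redis-host`/`--tenant-service` args, NOTES.txt) uses `.svc.cluster.local`, so the in-cluster service name would not match the certificate; change the entry to `- karavi-auth.{{ include "custom.namespace" . }}.svc.cluster.local`. Separately, when only one of `authorization.certificate` / `authorization.privateKey` is set, the `or (not …) (not …)` branch silently falls back to the self-signed issuer; an explicit `{{ fail "authorization.certificate and authorization.privateKey must be set together" }}` branch would surface the misconfiguration at install time. The comment `user cert-manager` reads as `use cert-manager`.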
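Review bot: `CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests }}` drops the quotes from the `"10"` default in values.yaml, so the nested YAML placed in the ConfigMap carries an integer even though the values comment says the service wants the number as a string. If the consumer does parse these as strings, which I cannot confirm from the chart alone, render them with `CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests | quote }}` and `LOG_LEVEL: {{ .Values.authorization.logLevel | quote }}`; `zipkin.probability` has the same exposure.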
@@ -0,0 +1,207 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: proxy-server
+ namespace: {{ include "custom.namespace" . }}
+ {{- if .Values.authorization.proxyServerIngress.annotations }}
+ annotations:
+ {{- range $key, $value := .Values.authorization.proxyServerIngress.annotations }}
+ {{ $key }}: {{ tpl $value $ | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.authorization.proxyServerIngress.ingressClassName }}
+ tls:
+ - hosts:
+ - {{ .Values.authorization.hostname }}
+ {{- if .Values.authorization.proxyServerIngress.hosts }}
+ {{- range .Values.authorization.proxyServerIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }}
+ secretName: user-provided-tls
+ {{- else }}
+ secretName: karavi-selfsigned-tls
+ {{- end}}
+ rules:
+ - host: {{ .Values.authorization.hostname }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: proxy-server
+ port:
+ number: 8080
+ {{- if .Values.authorization.proxyServerIngress.hosts }}
+ {{- range .Values.authorization.proxyServerIngress.hosts }}
+ - host: {{ tpl . $}}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: proxy-server
+ port:
+ number: 8080
+ {{- end }}
+ {{- end}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: tenant-service
+ namespace: {{ include "custom.namespace" . }}
+ annotations:
+ {{- if .Values.authorization.tenantServiceIngress.annotations }}
+ {{- range $key, $value := .Values.authorization.tenantServiceIngress.annotations }}
+ {{ $key }}: {{ tpl $value $ | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.authorization.tenantServiceIngress.ingressClassName }}
+ tls:
+ - hosts:
+ - tenant.{{ .Values.authorization.hostname }}
+ {{- if .Values.authorization.tenantServiceIngress.hosts }}
+ {{- range .Values.authorization.tenantServiceIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }}
+ secretName: user-provided-tls
+ {{- else }}
+ secretName: karavi-selfsigned-tls
+ {{- end}}
+ rules:
+ - host: tenant.{{ .Values.authorization.hostname }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: tenant-service
+ port:
+ number: 50051
+ {{- if .Values.authorization.tenantServiceIngress.hosts }}
+ {{- range .Values.authorization.tenantServiceIngress.hosts }}
+ - host: {{ tpl . $}}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: tenant-service
+ port:
+ number: 50051
+ {{- end }}
+ {{- end}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: role-service
+ namespace: {{ include "custom.namespace" . }}
+ annotations:
+ {{- if .Values.authorization.roleServiceIngress.annotations }}
+ {{- range $key, $value := .Values.authorization.roleServiceIngress.annotations }}
+ {{ $key }}: {{ tpl $value $ | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.authorization.roleServiceIngress.ingressClassName }}
+ tls:
+ - hosts:
+ - role.{{ .Values.authorization.hostname }}
+ {{- if .Values.authorization.roleServiceIngress.hosts }}
+ {{- range .Values.authorization.roleServiceIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }}
+ secretName: user-provided-tls
+ {{- else }}
+ secretName: karavi-selfsigned-tls
+ {{- end}}
+ rules:
+ - host: role.{{ .Values.authorization.hostname }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: role-service
+ port:
+ number: 50051
+ {{- if .Values.authorization.roleServiceIngress.hosts }}
+ {{- range .Values.authorization.roleServiceIngress.hosts }}
+ - host: {{ tpl . $}}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: role-service
+ port:
+ number: 50051
+ {{- end}}
+ {{- end}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: storage-service
+ namespace: {{ include "custom.namespace" . }}
+ annotations:
+ {{- if .Values.authorization.storageServiceIngress.annotations }}
+ {{- range $key, $value := .Values.authorization.storageServiceIngress.annotations }}
+ {{ $key }}: {{ tpl $value $ | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.authorization.storageServiceIngress.ingressClassName }}
+ tls:
+ - hosts:
+ - storage.{{ .Values.authorization.hostname }}
+ {{- if .Values.authorization.storageServiceIngress.hosts }}
+ {{- range .Values.authorization.storageServiceIngress.hosts }}
+ - {{ tpl . $}}
+ {{- end }}
+ {{- end}}
+ {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }}
+ secretName: user-provided-tls
+ {{- else }}
+ secretName: karavi-selfsigned-tls
+ {{- end}}
+ rules:
+ - host: storage.{{ .Values.authorization.hostname }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: storage-service
+ port:
+ number: 50051
+ {{- if .Values.authorization.storageServiceIngress.hosts }}
+ {{- range .Values.authorization.storageServiceIngress.hosts }}
+ - host: {{ tpl . $}}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: storage-service
+ port:
+ number: 50051
+ {{- end}}
+ {{- end}}
diff --git a/charts/csm-authorization/templates/karavi-storage-secret.yaml b/charts/csm-authorization/templates/karavi-storage-secret.yaml
new file mode 100644
index 00000000..5a08b592
--- /dev/null
+++ b/charts/csm-authorization/templates/karavi-storage-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: karavi-storage-secret
+ namespace: {{ include "custom.namespace" . }}
+data:
+ storage-systems.yaml: c3RvcmFnZToK
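Review bot: The tenant-service, role-service and storage-service Ingresses emit `annotations:` unconditionally and only guard the entries inside it, so with an empty `annotations` value they render a key with no value, whereas the proxy-server Ingress at the top of the file places `annotations:` inside the `{{- if … .annotations }}`; the three should follow the proxy-server form. The TLS `secretName` selection and the additional-hosts loop are copied four times; a named template in `_helpers.tpl` (for example `csm-authorization.tlsSecretName`) would keep the user-provided/self-signed decision in one place. The closing tags also mix `{{- end }}` and `{{- end}}`.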
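Review bot: `storage-systems.yaml: c3RvcmFnZToK` is base64 for `storage:` followed by a newline, i.e. an empty storage list, and nothing in the template says so; a comment above the key would help. More importantly, the storage-service in this commit is granted `patch` on secrets and mounts this Secret, which suggests it records registered storage systems here at runtime; if so, every `helm upgrade` re-applies this manifest and resets that data to the empty placeholder. Preserving existing contents via `lookup` avoids that, as below; I cannot confirm the write path from the chart alone, and `lookup` returns nothing under `helm template`, so the fallback keeps rendering working.
```yaml
{{- $ns := include "custom.namespace" . }}
{{- $existing := lookup "v1" "Secret" $ns "karavi-storage-secret" }}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: karavi-storage-secret
  namespace: {{ $ns }}
data:
  {{- if and $existing $existing.data }}
  # keep whatever the storage-service has already registered
  {{- toYaml $existing.data | nindent 2 }}
  {{- else }}
  # base64 of "storage:\n" - an empty storage-systems list
  storage-systems.yaml: c3RvcmFnZToK
  {{- end }}
```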
diff --git a/charts/csm-authorization/templates/policies.yaml b/charts/csm-authorization/templates/policies.yaml
new file mode 100644
index 00000000..77f1c510
--- /dev/null
+++ b/charts/csm-authorization/templates/policies.yaml
@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: common
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/common.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: powermax-urls
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/powermax-url.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: powerscale-urls
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/powerscale-url.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: powerflex-urls
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/url.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: volumes-create
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/volumes-create.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: volumes-delete
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/volumes-delete.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: volumes-map
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/volumes-map.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: powermax-volumes-create
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/volumes-powermax-create.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: powerscale-volumes-create
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/volumes-powerscale-create.rego").AsConfig | nindent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: volumes-unmap
+ namespace: {{ include "custom.namespace" . }}
+data:
+ {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }}
\ No newline at end of file
diff --git a/charts/csm-authorization/templates/proxy-server.yaml b/charts/csm-authorization/templates/proxy-server.yaml
new file mode 100644
index 00000000..2e76dcf7
--- /dev/null
+++ b/charts/csm-authorization/templates/proxy-server.yaml
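Review bot: Each ConfigMap takes its body from `(.Files.Glob "policies/<name>.rego").AsConfig`, which renders an empty `data:` when the file is missing or renamed, so a path typo would silently ship a policy ConfigMap with no policy and OPA would have no rule for that package. Piping through `required` fails the render instead: `{{- (.Files.Glob "policies/common.rego").AsConfig | required "policies/common.rego not found" | nindent 2 }}`, and likewise for the other nine. A short comment mapping ConfigMap names to the files they carry (`powerflex-urls` holds `url.rego`, `powermax-volumes-create` holds `volumes-powermax-create.rego`) would also help.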
@@ -0,0 +1,117 @@
+# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt
+# list configmaps to be loaded into OPA as policies.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: opa-viewer
+roleRef:
+ kind: ClusterRole
+ name: view
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+ name: system:serviceaccounts:{{ include "custom.namespace" . }}
+ apiGroup: rbac.authorization.k8s.io
+---
+# Define role for OPA/kube-mgmt to update configmaps with policy status.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ include "custom.namespace" . }}
+ name: configmap-modifier
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["update", "patch"]
+---
+# Grant OPA/kube-mgmt role defined above.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ include "custom.namespace" . }}
+ name: opa-configmap-modifier
+roleRef:
+ kind: Role
+ name: configmap-modifier
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+ name: system:serviceaccounts:{{ include "custom.namespace" . }}
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: proxy-server
+ namespace: {{ include "custom.namespace" . }}
+ labels:
+ app: proxy-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: proxy-server
+ template:
+ metadata:
+ labels:
+ app: proxy-server
+ spec:
+ containers:
+ - name: proxy-server
+ image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService }}
+ imagePullPolicy: Always
+ args:
+ - "--redis-host=redis.{{ include "custom.namespace" . }}.svc.cluster.local:6379"
+ - "--tenant-service=tenant-service.{{ include "custom.namespace" . }}.svc.cluster.local:50051"
+ - "--role-service=role-service.{{ include "custom.namespace" . }}.svc.cluster.local:50051"
+ - "--storage-service=storage-service.{{ include "custom.namespace" . }}.svc.cluster.local:50051"
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/karavi-authorization/config
+ - name: storage-volume
+ mountPath: /etc/karavi-authorization/storage
+ - name: csm-config-params
+ mountPath: /etc/karavi-authorization/csm-config-params
+ - name: opa
+ image: {{ required "Must provide the openpolicyagent image." .Values.authorization.images.opa }}
+ imagePullPolicy: IfNotPresent
+ args:
+ - "run"
+ - "--ignore=."
+ - "--server"
+ - "--log-level=debug"
+ ports:
+ - name: http
+ containerPort: 8181
+ - name: kube-mgmt
+ image: {{ required "Must provide the opaKubeMgmt image." .Values.authorization.images.opaKubeMgmt }}
+ imagePullPolicy: IfNotPresent
+ args:
+ - "--policies={{ include "custom.namespace" . }}"
+ - "--enable-data"
+ volumes:
+ - name: config-volume
+ secret:
+ secretName: karavi-config-secret
+ - name: storage-volume
+ secret:
+ secretName: karavi-storage-secret
+ - name: csm-config-params
+ configMap:
+ name: csm-config-params
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: proxy-server
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ selector:
+ app: proxy-server
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8080
+ targetPort: 8080
\ No newline at end of file
diff --git a/charts/csm-authorization/templates/role-service.yaml b/charts/csm-authorization/templates/role-service.yaml
new file mode 100644
index 00000000..1774b2c8
--- /dev/null
+++ b/charts/csm-authorization/templates/role-service.yaml
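Review bot: The `opa-viewer` ClusterRoleBinding grants the built-in `view` ClusterRole to the group `system:serviceaccounts:{{ include "custom.namespace" . }}`, so every ServiceAccount in the namespace — including the `default` account this Deployment and tenant-service run under, since neither sets `serviceAccountName` — gets cluster-wide read on ConfigMaps and most other namespaced resources. kube-mgmt is started with `--policies={{ include "custom.namespace" . }}`, which suggests it only needs ConfigMaps in that one namespace; a dedicated ServiceAccount for this Deployment, the existing `configmap-modifier` Role widened to `verbs: ["get", "list", "watch", "update", "patch"]`, and a RoleBinding to that account would replace the cluster-wide grant. OPA is also run with `--log-level=debug` hard-coded while the chart exposes `authorization.logLevel`; `- "--log-level={{ .Values.authorization.logLevel }}"` keeps the two in step. Finally, OPA's `--server` listens on all interfaces with no authentication or authorization flags set; if the proxy-server reaches it over localhost, as sharing the pod suggests, `--addr=localhost:8181` (or a NetworkPolicy) keeps the policy API inside the pod.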
@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: role-service
+ namespace: {{ include "custom.namespace" . }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: role-service
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: role-service
+subjects:
+ - kind: ServiceAccount
+ name: role-service
+ namespace: {{ include "custom.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: role-service
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: role-service
+ namespace: {{ include "custom.namespace" . }}
+ labels:
+ app: role-service
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: role-service
+ template:
+ metadata:
+ labels:
+ app: role-service
+ spec:
+ serviceAccountName: role-service
+ containers:
+ - name: role-service
+ image: {{ required "Must provide the role-service image." .Values.authorization.images.roleService }}
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 50051
+ name: grpc
+ env:
+ - name: NAMESPACE
+ value: {{ include "custom.namespace" . }}
+ volumeMounts:
+ - name: csm-config-params
+ mountPath: /etc/karavi-authorization/csm-config-params
+ volumes:
+ - name: csm-config-params
+ configMap:
+ name: csm-config-params
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: role-service
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ selector:
+ app: role-service
+ ports:
+ - port: 50051
+ targetPort: 50051
+ name: grpc
diff --git a/charts/csm-authorization/templates/storage-service.yaml b/charts/csm-authorization/templates/storage-service.yaml
new file mode 100644
index 00000000..88a6e932
--- /dev/null
+++ b/charts/csm-authorization/templates/storage-service.yaml
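Review bot: role-service is bound through a ClusterRole/ClusterRoleBinding to `configmaps` get/patch and `secrets` get across the whole cluster, yet the container is handed its own namespace through the `NAMESPACE` env var, which suggests it only touches resources there. If that is the case, a namespaced `kind: Role` / `kind: RoleBinding` in `{{ include "custom.namespace" . }}` provides the same function without cluster-wide secret read; the storage-service manifest in this commit has the same shape (`secrets` get/patch, cluster scope) and would take the same change. If cluster scope is genuinely required, a comment on the ClusterRole naming what is read outside the namespace would help the next reviewer.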
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: storage-service
+ namespace: {{ include "custom.namespace" . }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: storage-service
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: storage-service
+subjects:
+ - kind: ServiceAccount
+ name: storage-service
+ namespace: {{ include "custom.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: storage-service
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: storage-service
+ namespace: {{ include "custom.namespace" . }}
+ labels:
+ app: storage-service
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: storage-service
+ template:
+ metadata:
+ labels:
+ app: storage-service
+ spec:
+ serviceAccountName: storage-service
+ containers:
+ - name: storage-service
+ image: {{ required "Must provide the storage-service image." .Values.authorization.images.storageService }}
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 50051
+ name: grpc
+ env:
+ - name: NAMESPACE
+ value: {{ include "custom.namespace" . }}
+ volumeMounts:
+ - name: storage-volume
+ mountPath: /etc/karavi-authorization/storage
+ - name: csm-config-params
+ mountPath: /etc/karavi-authorization/csm-config-params
+ volumes:
+ - name: storage-volume
+ secret:
+ secretName: karavi-storage-secret
+ - name: csm-config-params
+ configMap:
+ name: csm-config-params
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: storage-service
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ selector:
+ app: storage-service
+ ports:
+ - port: 50051
+ targetPort: 50051
+ name: grpc
diff --git a/charts/csm-authorization/templates/tenant-service.yaml b/charts/csm-authorization/templates/tenant-service.yaml
new file mode 100644
index 00000000..b54a7f13
--- /dev/null
+++ b/charts/csm-authorization/templates/tenant-service.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tenant-service
+ namespace: {{ include "custom.namespace" . }}
+ labels:
+ app: tenant-service
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tenant-service
+ template:
+ metadata:
+ labels:
+ app: tenant-service
+ spec:
+ containers:
+ - name: tenant-service
+ image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService }}
+ imagePullPolicy: Always
+ args:
+ - "--redis-host=redis.{{ include "custom.namespace" . }}.svc.cluster.local:6379"
+ ports:
+ - containerPort: 50051
+ name: grpc
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/karavi-authorization/config
+ - name: csm-config-params
+ mountPath: /etc/karavi-authorization/csm-config-params
+ volumes:
+ - name: config-volume
+ secret:
+ secretName: karavi-config-secret
+ - name: csm-config-params
+ configMap:
+ name: csm-config-params
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tenant-service
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ selector:
+ app: tenant-service
+ ports:
+ - port: 50051
+ targetPort: 50051
+ name: grpc
diff --git a/charts/csm-authorization/values.yaml b/charts/csm-authorization/values.yaml
new file mode 100644
index 00000000..f7e59b14
--- /dev/null
+++ b/charts/csm-authorization/values.yaml
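Review bot: The Deployment mounts `karavi-config-secret`, as does proxy-server, but no template in this commit creates that Secret (policies.yaml creates the ConfigMaps and karavi-storage-secret.yaml the storage Secret), so unless it is pre-created the pods never leave `ContainerCreating`; I may be missing a template outside this view. If the operator is meant to supply it, NOTES.txt or a values comment should say so, or the template can `fail` when `lookup "v1" "Secret" (include "custom.namespace" .) "karavi-config-secret"` is empty (bearing in mind `lookup` is also empty under `helm template`). The pod also runs as the `default` ServiceAccount, which inherits the cluster-wide `view` grant made in proxy-server.yaml; a dedicated `serviceAccountName` would avoid that.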
@@ -0,0 +1,98 @@
+# if enabled, nginx ingress controller will be deployed
+# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section
+ingress-nginx:
+ enabled: true
+
+# if enabled, cert-manager will be deployed
+# if cert-manager is already deployed, keep this false
+cert-manager:
+ enabled: true
+
+authorization:
+ # images to use in installation
+ images:
+ proxyService: dellemc/csm-authorization-proxy:v1.5.1
+ tenantService: dellemc/csm-authorization-tenant:v1.5.1
+ roleService: dellemc/csm-authorization-role:v1.5.1
+ storageService: dellemc/csm-authorization-storage:v1.5.1
+ opa: openpolicyagent/opa
+ opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+
+ # base hostname for the ingress rules that expose the services
+ # the proxy-server ingress will use this hostname
+ # the tenant-service ingress will use tenant.hostname
+ # the role-service ingress will use role.hostname
+ hostname: csm-authorization.com
+
+ # log level for csm-authorization
+ logLevel: debug
+
+ # number, as a string, of concurrent requests for the storage-service to make to PowerFlex
+ # currently only used with dellctl to list tenant volumes
+ concurrentPowerFlexRequests: "10"
+
+ # tracing configuration
+ # this can be updated on the fly via the csm-config-params configMap
+ zipkin: {}
+ # collectoruri: http://DNS-hostname:9411/api/v2/spans
+ # probability: 1
+
+ # proxy-server ingress configuration
+ proxyServerIngress:
+ ingressClassName: nginx
+
+ # additional host rules for the proxy-server ingress
+ hosts: []
+ # - application-ingress-nginx-controller.namespace.svc.cluster.local
+
+ # additional annotations for the proxy-server ingress
+ annotations: {}
+
+ # tenant-service ingress configuration
+ tenantServiceIngress:
+ ingressClassName: nginx
+
+ # additional host rules for the tenant-service ingress
+ hosts: []
+
+ # additional annotations for the tenant-service ingress
+ # if applicable, an annotation supporting grpc for your ingress controller must be supplied
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+
+ # role-service ingress configuration
+ roleServiceIngress:
+ ingressClassName: nginx
+
+ # additional host rules for the role-service ingress
+ hosts: []
+
+ # additional annotations for the role-service ingress
+ # an annotation supporting grpc for your ingress controller must be supplied, if applicable
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+
+ # storage-service ingress configuration
+ storageServiceIngress:
+ ingressClassName: nginx
+
+ # additional host rules for the storage-service ingress
+ hosts: []
+
+ # additional annotations for the storage-service ingress
+ # an annotation supporting grpc for your ingress controller must be supplied, if applicable
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+
+redis:
+ images:
+ redis: redis:6.0.8-alpine
+ commander: rediscommander/redis-commander:latest
+
+ # set the storageClass for redis to use. otherwise, the default storage class is used
+ # storageClass: local-storage
+ # Optionally, uncomment and specify the name of the pre-created namespace to install the redis in it
+ # namespace:
+
+# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it
+# namespace:
\ No newline at end of file
diff --git a/charts/csm-replication/Chart.yaml b/charts/csm-replication/Chart.yaml
index 7708293b..6ca7d296
--- a/charts/csm-replication/Chart.yaml
+++ b/charts/csm-replication/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 name: csm-replication
 type: application
-version: 1.3.1
-appVersion: "1.3.1"
+version: 1.4.0
+appVersion: "1.4.0"
\ No newline at end of file
diff --git a/charts/csm-replication/crds/replicationcrds.all.yaml b/charts/csm-replication/crds/replicationcrds.all.yaml
index e7e72e8b..a77903aa
--- a/charts/csm-replication/crds/replicationcrds.all.yaml
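Review bot: `opa: openpolicyagent/opa` and `commander: rediscommander/redis-commander:latest` are the only images without a pinned tag, so the policy engine of an authorization service floats with whatever `latest` resolves to on each pull, and with `imagePullPolicy: IfNotPresent` on the OPA container in proxy-server.yaml different nodes may even run different versions; pin them like the other images. `hostname: csm-authorization.com` is a real-looking public domain that lands in Ingress rules and certificate SANs by default; a clearly non-routable placeholder or a `required` value would be safer. The `hostname` comment lists the proxy, tenant and role ingresses but omits `storage.hostname` (add `# the storage-service ingress will use storage.hostname`), and `logLevel: debug` as the shipped default is chatty for an authorization component.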
+++ b/charts/csm-replication/crds/replicationcrds.all.yaml 
@@ -2,7 +2,91 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: dellcsimigrationgroups.replication.storage.dell.com +spec: + group: replication.storage.dell.com + names: + kind: DellCSIMigrationGroup + listKind: DellCSIMigrationGroupList + plural: dellcsimigrationgroups + shortNames: + - mg + singular: dellcsimigrationgroup + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - description: State of the CR + jsonPath: .status.state + name: State + type: string + - description: Source ID + jsonPath: .spec.sourceID + name: Source ID + type: string + - description: Target ID + jsonPath: .spec.targetID + name: Target ID + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DellCSIMigrationGroupSpec defines the desired state of DellCSIMigrationGroup + properties: + driverName: + type: string + migrationGroupAttributes: + additionalProperties: + type: string + type: object + sourceID: + type: string + targetID: + type: string + required: + - driverName + - migrationGroupAttributes + - sourceID + - targetID + type: object + status: + description: DellCSIMigrationGroupStatus defines the observed state of + DellCSIMigrationGroup + properties: + lastAction: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 creationTimestamp: null name: dellcsireplicationgroups.replication.storage.dell.com spec: @@ -36,7 +120,7 @@ spec: jsonPath: .status.replicationLinkState.lastSuccessfulUpdate name: Last LinkState Update type: string - name: v1alpha1 + name: v1 schema: openAPIV3Schema: description: DellCSIReplicationGroup is the Schema for the dellcsireplicationgroups @@ -109,6 +193,11 @@ spec: description: Time is the time stamp for the last action update format: date-time type: string + actionAttributes: + description: ActionAttributes content unique on response to an action + additionalProperties: + type: string + type: object type: object type: array lastAction: @@ -130,6 +219,11 @@ spec: description: Time is the time stamp for the last action update format: date-time type: string + actionAttributes: + description: ActionAttributes content unique on response to an action + additionalProperties: + type: string + type: object type: object remoteState: type: string 
@@ -168,4 +262,4 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] + storedVersions: [] \ No newline at end of file diff --git a/charts/csm-replication/templates/controller.yaml b/charts/csm-replication/templates/controller.yaml index a7b2b2c1..b1b72873 100644 --- a/charts/csm-replication/templates/controller.yaml +++ b/charts/csm-replication/templates/controller.yaml @@ -19,6 +19,16 @@ rules: verbs: - get - list + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions/status + verbs: + - get + - list + - patch - watch - apiGroups: - coordination.k8s.io @@ -46,6 +56,7 @@ rules: resources: - namespaces verbs: + - create - get - list - watch @@ -125,6 +136,15 @@ rules: - get - list - watch +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "create", "delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -246,6 +266,12 @@ spec: {{- toYaml .Values.hostAliases | nindent 6 }} {{- end }} serviceAccountName: dell-replication-controller-sa + initContainers: + - name: init-rg-migration + imagePullPolicy: Always + image: {{ .Values.initImage }} + command: + - /upgrade/migrate_rg.sh containers: - args: - prefix=replication.storage.dell.com @@ -294,4 +320,4 @@ spec: - configMap: name: dell-replication-controller-config optional: true - name: configmap-volume + name: configmap-volume \ No newline at end of file diff --git a/charts/csm-replication/values.yaml b/charts/csm-replication/values.yaml index 96655062..571c1069 100644 --- a/charts/csm-replication/values.yaml +++ b/charts/csm-replication/values.yaml 
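Review bot: The initContainer `init-rg-migration` (hunk `@@ -246,6 +266,12 @@`) runs `/upgrade/migrate_rg.sh` from `.Values.initImage` on every controller pod start, not only on upgrade, and nothing in the template records whether the script is idempotent or which of the newly granted permissions (`customresourcedefinitions/status` patch, `namespaces` create, the `snapshot.storage.k8s.io` verbs in the earlier hunks) it relies on; a comment above `initContainers:` stating its purpose and that it is safe to re-run would help anyone reviewing these grants. In particular the `create` verb on `namespaces` (hunk `@@ -46,6 +56,7 @@`) is a broad permission for a replication controller and deserves a one-line justification next to it. The rule that gains `update` in the first hunk starts outside the hunk, so I cannot see which resource it applies to.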
@@ -5,7 +5,11 @@ replicas: 1 # image: Defines controller image. This shouldn't be changed # Allowed values: string -image: dellemc/dell-replication-controller:v1.3.1 +image: dellemc/dell-replication-controller:v1.4.0 + +# image: Defines controller's init container image. This shouldn't be changed +# Allowed values: string +initImage: dellemc/dell-replication-init:v1.0.0 # logLevel: Defines initial log level for controller. This can be changed in runtime # Allowed values: "debug", "info", "warn", "error", "panic" @@ -36,4 +40,5 @@ retryIntervalMax: 5m # hostnames: # - "foo.baz" -# namespace: replication-ns \ No newline at end of file +# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it +# namespace: \ No newline at end of file diff --git a/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml index d4042faa..6f50d613 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-metrics-powermax-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} --- @@ -35,11 +35,10 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-metrics-powermax-controller - namespace: {{ .Release.Namespace }} + namespace: {{ include "custom.namespace" . }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-metrics-powermax-controller apiGroup: rbac.authorization.k8s.io {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-metrics-powermax.yaml b/charts/karavi-observability/templates/karavi-metrics-powermax.yaml index 63cf0c8b..31891ab8 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powermax.yaml 
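Review bot: The comment added above `initImage` in the `@@ -5,7 +5,11 @@` hunk still reads `# image: Defines controller's init container image`, copied from the `image` key above it, so the documented key name does not match the key it describes; it should read `# initImage: Defines controller's init container image. This shouldn't be changed`. The `@@ -36,4 +40,5 @@` hunk leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows.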
+++ b/charts/karavi-observability/templates/karavi-metrics-powermax.yaml @@ -7,6 +7,7 @@ metadata: app.kubernetes.io/name: karavi-metrics-powermax app.kubernetes.io/instance: {{ .Release.Name }} name: karavi-metrics-powermax + namespace: {{ include "custom.namespace" . }} spec: type: {{ .Values.karaviMetricsPowermax.service.type }} ports: @@ -23,6 +24,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: karavi-metrics-powermax + namespace: {{ include "custom.namespace" . }} labels: app.kubernetes.io/name: karavi-metrics-powermax app.kubernetes.io/instance: {{ .Release.Name }} @@ -134,4 +136,3 @@ spec: status: {} {{ end }} - diff --git a/charts/karavi-observability/templates/karavi-observability-configmap.yaml b/charts/karavi-observability/templates/karavi-observability-configmap.yaml index 67b8f62d..87ae451e 100644 --- a/charts/karavi-observability/templates/karavi-observability-configmap.yaml +++ b/charts/karavi-observability/templates/karavi-observability-configmap.yaml @@ -103,6 +103,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: karavi-metrics-powermax-configmap + namespace: {{ include "custom.namespace" . }} data: karavi-metrics-powermax.yaml : | COLLECTOR_ADDR: {{ .Values.karaviMetricsPowermax.collectorAddr }} @@ -115,4 +116,4 @@ data: LOG_LEVEL: "{{ .Values.karaviMetricsPowermax.logLevel }}" LOG_FORMAT: "{{ .Values.karaviMetricsPowermax.logFormat }}" -{{ end }} +{{ end }} \ No newline at end of file diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml index ce9e8f70..20f70d1b 100644 --- a/charts/karavi-observability/values.yaml +++ b/charts/karavi-observability/values.yaml @@ -178,4 +178,5 @@ cert-manager: enabled: false serviceAccount: create: false -# namespace: observability-ns \ No newline at end of file +# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it +# namespace: \ No newline at end of file 
From 459caac979610dcf7311705f87a63d4a36597629 Mon Sep 17 00:00:00 2001 From: Aaron Tye Date: Tue, 21 Feb 2023 19:23:40 -0500 Subject: [PATCH 07/27] [charts/csm-authorization]: Remove URL policies (#176) * Update mailing list (#169) * update mailing list * upgrade checkout action to v3 because of node 12 deprecation * remove url policies * remove powerscale volume create --------- Co-authored-by: shaynafinocchiaro <66699024+shaynafinocchiaro@users.noreply.github.com> --- .github/ISSUE_TEMPLATE/config.yml | 4 +- .github/workflows/charts-release-action.yml | 2 +- .github/workflows/helm-validations.yml | 6 +- charts/csm-authorization/Chart.yaml | 4 +- .../policies/powermax-url.rego | 47 -------------- .../policies/powerscale-url.rego | 42 ------------- .../csm-authorization/policies/url-test.rego | 63 ------------------- charts/csm-authorization/policies/url.rego | 39 ------------ .../policies/volumes-powerscale-create.rego | 60 ------------------ .../csm-authorization/templates/policies.yaml | 32 ---------- 10 files changed, 8 insertions(+), 291 deletions(-) delete mode 100644 charts/csm-authorization/policies/powermax-url.rego delete mode 100644 charts/csm-authorization/policies/powerscale-url.rego delete mode 100644 charts/csm-authorization/policies/url-test.rego delete mode 100644 charts/csm-authorization/policies/url.rego delete mode 100644 charts/csm-authorization/policies/volumes-powerscale-create.rego diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 2b2a2a03..77a7ffaa 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,5 +1,5 @@ blank_issues_enabled: false contact_links: - - name: Karavi mailing list - alias: karavi@dell.com + - name: CSM mailing list + alias: container.storage.modules@dell.com about: Please ask and answer usage questions and report security issues here. \ No newline at end of file 
diff --git a/.github/workflows/charts-release-action.yml b/.github/workflows/charts-release-action.yml index be7c9b3c..6a2f85d6 100644 --- a/.github/workflows/charts-release-action.yml +++ b/.github/workflows/charts-release-action.yml @@ -14,7 +14,7 @@ jobs: steps: # Check out code - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 diff --git a/.github/workflows/helm-validations.yml b/.github/workflows/helm-validations.yml index bd318268..b021f0bd 100644 --- a/.github/workflows/helm-validations.yml +++ b/.github/workflows/helm-validations.yml @@ -16,7 +16,7 @@ jobs: outputs: run_tests: ${{ steps.diff.outputs.run_tests }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Check for files changed id: diff run: | @@ -33,7 +33,7 @@ jobs: steps: # Check out the repo - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: "0" @@ -54,7 +54,7 @@ jobs: steps: # Check out the repo - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: "0" diff --git a/charts/csm-authorization/Chart.yaml b/charts/csm-authorization/Chart.yaml index f1736a0f..b1a34ab8 100644 --- a/charts/csm-authorization/Chart.yaml +++ b/charts/csm-authorization/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csm-authorization -version: 1.5.1 -appVersion: 1.5.1 +version: 1.6.0 +appVersion: 1.6.0 type: application description: CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. dependencies: diff --git a/charts/csm-authorization/policies/powermax-url.rego b/charts/csm-authorization/policies/powermax-url.rego deleted file mode 100644 index 25cd3f6e..00000000 --- a/charts/csm-authorization/policies/powermax-url.rego +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.powermax.url - -allowlist = [ - "GET /univmax/restapi/version", - "GET /univmax/restapi/(90|91)/system/symmetrix/[a-f0-9A-F]+", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/srp", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", - "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", - "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/[a-f0-9A-F]+", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", - "GET /univmax/restapi/91/sloprovisioning/symmetrix/[a-f0-9A-F]+/portgroup/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/initiator", - "GET 
/univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/host/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", - "GET /univmax/restapi/(90|91)/system/symmetrix", - "GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", - "GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", - "GET /univmax/restapi/(90|91)/replication/capabilities/symmetrix/", - "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview", -] - -default allow = true - -allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) -} diff --git a/charts/csm-authorization/policies/powerscale-url.rego b/charts/csm-authorization/policies/powerscale-url.rego deleted file mode 100644 index 4a3032bd..00000000 --- a/charts/csm-authorization/policies/powerscale-url.rego +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.powerscale.url - -allowlist = [ - "GET /platform/latest/", - "GET /platform/[0-9]/cluster/config/", - "GET /namespace/(.+)", - "GET /platform/[0-9]/protocols/nfs/exports/?(.+)", - "PUT /namespace/(.+)", - "GET /platform/[0-9]/quota/license/", - "POST /platform/[0-9]/quota/quotas/", - "POST /platform/[0-9]/protocols/nfs/exports/?(.+)", - "GET /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "PUT /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "DELETE /platform/[0-9]/quota/quotas/[a-z0-9A-Z]+/", - "DELETE /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "DELETE /namespace/(.+)", - "GET /platform/[0-9]/snapshot/snapshots/(.+)", - "POST /platform/[0-9]/snapshot/snapshots", - "DELETE /platform/[0-9]/snapshot/snapshots/(.+)", - "POST /session/[0-9]/session/", - "GET /session/[0-9]/session/", - "POST /proxy/refresh-token/" -] - -default allow = true -allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) -} diff --git a/charts/csm-authorization/policies/url-test.rego b/charts/csm-authorization/policies/url-test.rego deleted file mode 100644 index ed849eb4..00000000 --- a/charts/csm-authorization/policies/url-test.rego +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.url - -test_get_api_login_allowed { - allow with input as {"method": "GET", "url": "/api/login/"} -} - -test_post_proxy_refresh_token_allowed { - allow with input as {"method": "POST", "url": "/proxy/refresh-token/"} -} - -test_get_api_version_allowed { - allow with input as {"method": "GET", "url": "/api/version/"} -} - -test_get_system_instances_allowed { - allow with input as {"method": "GET", "url": "/api/types/System/instances/"} -} - -test_get_storagpool_instances_allowed { - allow with input as {"method": "GET", "url": "/api/types/StoragePool/instances/"} -} - -test_post_volume_instances_allowed { - allow with input as {"method": "POST", "url": "/api/types/Volume/instances/"} -} - -test_get_volume_instance_allowed { - allow with input as {"method": "GET", "url": "/api/instances/Volume::2a3814c600000003/"} -} - -test_post_volume_instances_queryIdByKey_allowed { - allow with input as {"method": "POST", "url": "/api/types/Volume/instances/action/queryIdByKey/"} -} - -test_get_system_sdc_allowed { - allow with input as {"method": "GET", "url": "/api/instances/System::7045c4cc20dffc0f/relationships/Sdc/"} -} - -test_post_volume_add_sdc_allowed { - allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/addMappedSdc/"} -} - -test_post_volume_remove_sdc_allowed { - allow 
with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeMappedSdc/"} -} - -test_post_volume_remove_allowed { - allow with input as {"method": "POST", "url": "/api/instances/Volume::2a3814c600000003/action/removeVolume/"} -} diff --git a/charts/csm-authorization/policies/url.rego b/charts/csm-authorization/policies/url.rego deleted file mode 100644 index 071638ae..00000000 --- a/charts/csm-authorization/policies/url.rego +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.authz.url - -allowlist = [ - "GET /api/login/", - "POST /proxy/refresh-token/", - "GET /api/version/", - "GET /api/types/System/instances/", - "GET /api/types/StoragePool/instances/", - "POST /api/types/Volume/instances/", - "GET /api/instances/Volume::[a-f0-9]+/$", - "POST /api/types/Volume/instances/action/queryIdByKey/", - "GET /api/instances/System::[a-f0-9]+/relationships/Sdc/", - "GET /api/instances/Sdc::[a-f0-9]+/relationships/Statistics/", - "GET /api/instances/Sdc::[a-f0-9]+/relationships/Volume/", - "GET /api/instances/Volume::[a-f0-9]+/relationships/Statistics/", - "GET /api/instances/StoragePool::[a-f0-9]+/relationships/Statistics/", - "POST /api/instances/Volume::[a-f0-9]+/action/addMappedSdc/", - "POST /api/instances/Volume::[a-f0-9]+/action/removeMappedSdc/", - "POST /api/instances/Volume::[a-f0-9]+/action/removeVolume/" -] - -default allow = true -allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) -} diff --git a/charts/csm-authorization/policies/volumes-powerscale-create.rego b/charts/csm-authorization/policies/volumes-powerscale-create.rego deleted file mode 100644 index 47a6fe12..00000000 --- a/charts/csm-authorization/policies/volumes-powerscale-create.rego +++ /dev/null 
@@ -1,60 +0,0 @@ -# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -package karavi.volumes.powerscale.create - -import data.karavi.common - -# Deny requests by default. -default allow = false - -# -# Allows the request if one of the claimed roles matches -# a role configured to allow the storage request. -# -allow { - count(deny) == 0 -} - -# -# Deny if there are no roles found. -# -deny[msg] { - common.roles == {} - msg := sprintf("no configured roles", []) -} - -# -# These are permitted roles that are configured -# with the requested storage system, mapped to -# the allowable quota for the request storage -# pool. -# -# Example: { "role-1": 800000 } -# -permitted_roles[v] = y { - # Split the claimed roles by comma into an array. - claimed_roles := split(input.claims.roles, ",") - - # This block filters 'a' to contain only roles - # that are found in 'common.roles'. - some i - a := claimed_roles[i] - common.roles[a] - - # v will contain permitted roles that match the storage request. - v := claimed_roles[i] - common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) - y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) -} 
diff --git a/charts/csm-authorization/templates/policies.yaml b/charts/csm-authorization/templates/policies.yaml index 77f1c510..475b2307 100644 --- a/charts/csm-authorization/templates/policies.yaml +++ b/charts/csm-authorization/templates/policies.yaml @@ -8,30 +8,6 @@ data: --- apiVersion: v1 kind: ConfigMap -metadata: - name: powermax-urls - namespace: {{ include "custom.namespace" . }} -data: - {{- (.Files.Glob "policies/powermax-url.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerscale-urls - namespace: {{ include "custom.namespace" . }} -data: - {{- (.Files.Glob "policies/powerscale-url.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerflex-urls - namespace: {{ include "custom.namespace" . }} -data: - {{- (.Files.Glob "policies/url.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap metadata: name: volumes-create namespace: {{ include "custom.namespace" . }} @@ -64,14 +40,6 @@ data: --- apiVersion: v1 kind: ConfigMap -metadata: - name: powerscale-volumes-create - namespace: {{ include "custom.namespace" . }} -data: - {{- (.Files.Glob "policies/volumes-powerscale-create.rego").AsConfig | nindent 2 }} ---- -apiVersion: v1 -kind: ConfigMap metadata: name: volumes-unmap namespace: {{ include "custom.namespace" . }} From ed2278cb60d54102d0342e8f3ae4d608564ae5f2 Mon Sep 17 00:00:00 2001 From: Aaron Tye Date: Wed, 22 Feb 2023 08:31:50 -0500 Subject: [PATCH 08/27] update policies for zero quota (#182) --- .../policies/volumes-create.rego | 19 +++++++++++++++++++ .../policies/volumes-powermax-create.rego | 19 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/charts/csm-authorization/policies/volumes-create.rego b/charts/csm-authorization/policies/volumes-create.rego index ee506874..8015b82f 100644 --- a/charts/csm-authorization/policies/volumes-create.rego +++ b/charts/csm-authorization/policies/volumes-create.rego 
@@ -72,3 +72,22 @@ permitted_roles[v] = y { common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) } + +# These are the permitted roles that are configured +# with zero quota, meaning infinite capacity. +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} diff --git a/charts/csm-authorization/policies/volumes-powermax-create.rego b/charts/csm-authorization/policies/volumes-powermax-create.rego index 96eb8894..0046f48b 100644 --- a/charts/csm-authorization/policies/volumes-powermax-create.rego +++ b/charts/csm-authorization/policies/volumes-powermax-create.rego 
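Review bot: The new `permitted_roles` body treats a `pool_quotas` entry equal to `0` as unlimited capacity, so any role whose quota for a pool is present but left at zero by the tooling that writes `common.roles` becomes an unlimited grant rather than a zero grant; whether the role store can produce a `0` other than by explicit intent is not visible here and is worth confirming before this lands. If zero is the deliberate sentinel, the comment should say so and note that the sibling rule's `>=` comparison also matches a `0` quota for a `0` KB request, so both bodies can fire. The body also repeats the role-filtering lines of the rule above it (`a := claimed_roles[i]`, `common.roles[a]`, `v := claimed_roles[i]`), where `a` and `v` hold the same value; a shared helper rule for "claimed roles known to common.roles" would remove the duplication. The comment header lacks the leading `#` line used by the preceding block in this file. The same rule is added verbatim to volumes-powermax-create.rego in the next hunk.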
@@ -72,3 +72,22 @@ permitted_roles[v] = y { common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) } + +# These are the permitted roles that are configured +# with zero quota, meaning infinite capacity. +# +permitted_roles[v] = y { + # Split the claimed roles by comma into an array. + claimed_roles := split(input.claims.roles, ",") + + # This block filters 'a' to contain only roles + # that are found in 'common.roles'. + some i + a := claimed_roles[i] + common.roles[a] + + # v will contain permitted roles that match the storage request. + v := claimed_roles[i] + common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 + y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) +} From 01123dda2d8b47e27b35d0148058ceb7e9311df3 Mon Sep 17 00:00:00 2001 From: ashleyvjoy <110008193+ashleyvjoy@users.noreply.github.com> Date: Mon, 27 Feb 2023 13:43:26 +0530 Subject: [PATCH 09/27] support for sdc-approve policy (#180) * Update mailing list (#169) * update mailing list * upgrade checkout action to v3 because of node 12 deprecation * support for sdc-approve policy * removed url.rego and url_test.rego --------- Co-authored-by: shaynafinocchiaro <66699024+shaynafinocchiaro@users.noreply.github.com> --- .../policies/sdc-approve.rego | 40 +++++++++++++++++++ .../csm-authorization/templates/policies.yaml | 10 ++++- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 charts/csm-authorization/policies/sdc-approve.rego diff --git a/charts/csm-authorization/policies/sdc-approve.rego b/charts/csm-authorization/policies/sdc-approve.rego new file mode 100644 index 00000000..2a816056 --- /dev/null 
+++ b/charts/csm-authorization/policies/sdc-approve.rego @@ -0,0 +1,40 @@ +# Copyright © 2023 Dell Inc., or its subsidiaries. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http:#www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +package karavi.sdc.approve + +import data.karavi.common + +# Allow requests by default. +default allow = true + +default response = { + "allowed": true +} +response = { + "allowed": false, + "status": { + "reason": reason, + }, +} { + reason = concat(", ", deny) + reason != "" +} + +default claims = {} +claims = input.claims +deny[msg] { + claims == {} + msg := sprintf("missing claims", []) +} \ No newline at end of file diff --git a/charts/csm-authorization/templates/policies.yaml b/charts/csm-authorization/templates/policies.yaml index 475b2307..e0af3a8b 100644 --- a/charts/csm-authorization/templates/policies.yaml +++ b/charts/csm-authorization/templates/policies.yaml @@ -44,4 +44,12 @@ metadata: name: volumes-unmap namespace: {{ include "custom.namespace" . }} data: - {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }} \ No newline at end of file + {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sdc-approve + namespace: {{ include "custom.namespace" . }} +data: + {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }} \ No newline at end of file From acc8928904d685ca62b76db716caa7392c191611 Mon Sep 17 00:00:00 2001 
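Review bot: `allow` in the new sdc-approve.rego is only `default allow = true` and is never derived from `deny`, so a caller that evaluates `data.karavi.sdc.approve.allow` (the shape the deleted volumes-powerscale-create.rego earlier in this series exposed with `default allow = false` and `allow { count(deny) == 0 }`) gets `true` even when `deny` reports missing claims; only `response.allowed` reflects the denial. Unless the proxy consumes `response` exclusively, `default allow = false` and `allow { count(deny) == 0 }` would make the two results agree. The `# Allow requests by default.` comment could also state that the policy intentionally approves any SDC that presents claims, since that is the only check it performs. The file and the policies.yaml hunk both end without a trailing newline.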
From: chaganti-rajitha <111744573+chaganti-rajitha@users.noreply.github.com> Date: Fri, 3 Mar 2023 12:33:29 +0530 Subject: [PATCH 10/27] sidecar version updates in powermax, powerstore and csm (#183) --- charts/container-storage-modules/values.yaml | 7 +++---- charts/csi-powermax/templates/controller.yaml | 10 ++++++++-- charts/csi-powermax/templates/csidriver.yaml | 2 +- .../csi-powermax/templates/driver-config-params.yaml | 2 +- charts/csi-powermax/templates/node.yaml | 10 ++++++++-- charts/csi-powermax/values.yaml | 10 ++++------ charts/csi-powerstore/templates/controller.yaml | 2 +- charts/csi-powerstore/values.yaml | 2 +- charts/csm-replication/templates/_helpers.tpl | 2 +- 9 files changed, 28 insertions(+), 19 deletions(-) diff --git a/charts/container-storage-modules/values.yaml b/charts/container-storage-modules/values.yaml index f7320c4b..a43d089b 100644 --- a/charts/container-storage-modules/values.yaml +++ b/charts/container-storage-modules/values.yaml @@ -73,7 +73,7 @@ csi-powerstore: # Enable this feature only after contact support for additional information podmon: enabled: false - image: dellemc/podmon:v1.4.0 + image: dellemc/podmon:v1.5.0 controller: args: - "--csisock=unix:/var/run/csi/csi.sock" @@ -212,12 +212,11 @@ csi-powermax: nodeRescanSidecarImage: dellemc/dell-csi-node-sidecar:v1.0.0 authorization: enabled: false - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.5.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.6.0 proxyHost: vSphere: enabled: false fcPortGroup: "csi-vsphere-VC-PG" fcHostName: "csi-vsphere-VC-HN" vCenterHost: "00.000.000.00" - vCenterUserName: "user" - vCenterPassword: "pwd" + vCenterCredSecret: vcenter-creds diff --git a/charts/csi-powermax/templates/controller.yaml b/charts/csi-powermax/templates/controller.yaml index f6678b85..4e6d4e73 100644 --- a/charts/csi-powermax/templates/controller.yaml +++ b/charts/csi-powermax/templates/controller.yaml 
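Review bot: `vCenterCredSecret: vcenter-creds` in the `@@ -212,12 +212,11 @@` hunk replaces the plaintext `vCenterUserName`/`vCenterPassword` values, which is the right direction, but the umbrella values file gives no hint of the Secret's expected shape; the csi-powermax templates later in this commit read it with `secretKeyRef` keys `username` and `password`, so a comment such as `# vCenterCredSecret: name of a pre-created Secret in the pod's namespace with keys "username" and "password"` belongs above it. The default `vcenter-creds` also reads as a real name rather than a placeholder, so a user who leaves it unchanged gets a pod blocked on a missing Secret instead of a clear validation error. The `# vCenterCredSecret: secret name for the vCenter credentials` comment added in csi-powermax/values.yaml in this commit has the same gap.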
@@ -416,9 +416,15 @@ spec: - name: X_CSI_VCENTER_HOST value: {{ required "Must provide host url for vsphere" .Values.vSphere.vCenterHost }} - name: X_CSI_VCENTER_USERNAME - value: {{ required "Must provide username for vsphere" .Values.vSphere.vCenterUserName }} + valueFrom: + secretKeyRef: + name: {{ .Values.vSphere.vCenterCredSecret }} + key: username - name: X_CSI_VCENTER_PWD - value: {{ required "Must provide password for vsphere" .Values.vSphere.vCenterPassword }} + valueFrom: + secretKeyRef: + name: {{ .Values.vSphere.vCenterCredSecret }} + key: password {{- end }} volumeMounts: - name: socket-dir diff --git a/charts/csi-powermax/templates/csidriver.yaml b/charts/csi-powermax/templates/csidriver.yaml index f7c10425..0160ef76 100644 --- a/charts/csi-powermax/templates/csidriver.yaml +++ b/charts/csi-powermax/templates/csidriver.yaml @@ -8,4 +8,4 @@ metadata: {{- end }} spec: attachRequired: true - fsGroupPolicy: {{ .Values.fsGroupPolicy }} + fsGroupPolicy: {{ .Values.fsGroupPolicy }} \ No newline at end of file diff --git a/charts/csi-powermax/templates/driver-config-params.yaml b/charts/csi-powermax/templates/driver-config-params.yaml index d543d707..2068da2a 100644 --- a/charts/csi-powermax/templates/driver-config-params.yaml +++ b/charts/csi-powermax/templates/driver-config-params.yaml @@ -6,4 +6,4 @@ metadata: data: driver-config-params.yaml: | CSI_LOG_LEVEL: {{ .Values.global.logLevel | default "debug" }} - CSI_LOG_FORMAT: {{ .Values.global.logFormat | default "TEXT" }} + CSI_LOG_FORMAT: {{ .Values.global.logFormat | default "TEXT" }} \ No newline at end of file diff --git a/charts/csi-powermax/templates/node.yaml b/charts/csi-powermax/templates/node.yaml index b288436a..6d70d614 100644 --- a/charts/csi-powermax/templates/node.yaml +++ b/charts/csi-powermax/templates/node.yaml 
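Review bot: The `secretKeyRef` introduced for `X_CSI_VCENTER_USERNAME` and `X_CSI_VCENTER_PWD` drops the `required` guard that the replaced `value:` lines had, while `X_CSI_VCENTER_HOST` just above still uses `required "Must provide host url for vsphere"`; with `vCenterCredSecret` unset the template renders an empty `name:` and the failure surfaces only as a pod that cannot start. `name: {{ required "Must provide secret name for vsphere credentials" .Values.vSphere.vCenterCredSecret }}` keeps the existing validation style. Moving the credentials out of values.yaml into a Secret is a clear improvement over the previous plaintext `vCenterUserName`/`vCenterPassword`. The same change, with the same missing guard, appears in the node.yaml hunk that follows (`@@ -205,9 +205,15 @@`).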
@@ -205,9 +205,15 @@ spec: - name: X_CSI_VCENTER_HOST value: {{ required "Must provide hosr url for vsphere" .Values.vSphere.vCenterHost }} - name: X_CSI_VCENTER_USERNAME - value: {{ required "Must provide username for vsphere" .Values.vSphere.vCenterUserName }} + valueFrom: + secretKeyRef: + name: {{ .Values.vSphere.vCenterCredSecret }} + key: username - name: X_CSI_VCENTER_PWD - value: {{ required "Must provide password for vsphere" .Values.vSphere.vCenterPassword }} + valueFrom: + secretKeyRef: + name: {{ .Values.vSphere.vCenterCredSecret }} + key: password {{- end }} volumeMounts: - name: driver-path diff --git a/charts/csi-powermax/values.yaml b/charts/csi-powermax/values.yaml index 4eb8fc43..601db459 100644 --- a/charts/csi-powermax/values.yaml +++ b/charts/csi-powermax/values.yaml @@ -401,8 +401,8 @@ migration: authorization: enabled: false # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.5.0 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.5.0 + # Default value: dellemc/csm-authorization-sidecar:v1.6.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.6.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: @@ -431,10 +431,8 @@ vSphere: fcHostName: "csi-vsphere-VC-HN" # vCenterHost: URL/endpoint of the vCenter where all the ESX are present vCenterHost: "00.000.000.00" - # vCenterUserName: username from the vCenter credentials - vCenterUserName: "user" - # vCenterPassword: password from the vCenter credentials - vCenterPassword: "pwd" + # vCenterCredSecret: secret name for the vCenter credentials + vCenterCredSecret: vcenter-creds # Optionally, uncomment and specify the name of the pre-created namespace to install the driver in it # namespace: \ No newline at end of file diff --git a/charts/csi-powerstore/templates/controller.yaml b/charts/csi-powerstore/templates/controller.yaml index 48d43764..da8b9d09 100644 
--- a/charts/csi-powerstore/templates/controller.yaml +++ b/charts/csi-powerstore/templates/controller.yaml @@ -452,4 +452,4 @@ spec: name: {{ .Release.Name }}-config-params - name: powerstore-config secret: - secretName: {{ .Release.Name }}-config + secretName: {{ .Release.Name }}-config \ No newline at end of file diff --git a/charts/csi-powerstore/values.yaml b/charts/csi-powerstore/values.yaml index 411b722c..6a766041 100644 --- a/charts/csi-powerstore/values.yaml +++ b/charts/csi-powerstore/values.yaml @@ -311,7 +311,7 @@ storageCapacity: # Enable this feature only after contact support for additional information podmon: enabled: false - image: dellemc/podmon:v1.4.0 + image: dellemc/podmon:v1.5.0 controller: args: - "--csisock=unix:/var/run/csi/csi.sock" diff --git a/charts/csm-replication/templates/_helpers.tpl b/charts/csm-replication/templates/_helpers.tpl index 5525732a..309ada37 100644 --- a/charts/csm-replication/templates/_helpers.tpl +++ b/charts/csm-replication/templates/_helpers.tpl @@ -69,4 +69,4 @@ By default this is not set so the helm release namespace will be used {{- define "custom.namespace" -}} {{ .Values.namespace | default .Release.Namespace }} -{{- end -}} +{{- end -}} \ No newline at end of file From 6b8529ccaa6fca053ae753c1df57d635b79efff3 Mon Sep 17 00:00:00 2001 From: Trevor Dawe Date: Mon, 6 Mar 2023 11:43:01 -0400 Subject: [PATCH 11/27] Update Application Mobility chart with new image and chart versions (#185) --- charts/csm-application-mobility/Chart.yaml | 4 ++-- charts/csm-application-mobility/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/csm-application-mobility/Chart.yaml b/charts/csm-application-mobility/Chart.yaml index c82f01eb..f1f62677 100644 --- a/charts/csm-application-mobility/Chart.yaml +++ b/charts/csm-application-mobility/Chart.yaml 
@@ -6,13 +6,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.0"
+appVersion: "0.3.0"
 dependencies:
 - name: cert-manager
diff --git a/charts/csm-application-mobility/values.yaml b/charts/csm-application-mobility/values.yaml
index 1734b4fb..4741af51 100644
--- a/charts/csm-application-mobility/values.yaml
+++ b/charts/csm-application-mobility/values.yaml
@@ -8,7 +8,7 @@ image:
 pullPolicy: IfNotPresent
 controller:
- image: dellemc/csm-application-mobility-controller:v0.2.0
+ image: dellemc/csm-application-mobility-controller:v0.3.0
 # csm-application-mobility requires cert-manager. If cert-manager is not already present in cluster, set enabled to true to install it too.
 cert-manager:
@@ -70,7 +70,7 @@ velero:
 initContainers:
 - name: dell-custom-velero-plugin
- image: dellemc/csm-application-mobility-velero-plugin:v0.2.0
+ image: dellemc/csm-application-mobility-velero-plugin:v0.3.0
 volumeMounts:
 - mountPath: /target
 name: plugins
From cbca6de00069bd0822c8f367e6c43c1299cd1c53 Mon Sep 17 00:00:00 2001
From: chaganti-rajitha <111744573+chaganti-rajitha@users.noreply.github.com>
Date: Tue, 7 Mar 2023 10:23:15 +0530
Subject: [PATCH 12/27] Updated Powerstore, Powermax and Replication charts with latest changes (#184)
---
 charts/container-storage-modules/Chart.yaml | 2 +-
 charts/container-storage-modules/values.yaml | 2 +-
 charts/csi-powermax/values.yaml | 4 +++-
 charts/csi-powerstore/Chart.yaml | 6 +++---
 charts/csi-powerstore/templates/_helpers.tpl | 12 ++++++------
 charts/csm-replication/templates/controller.yaml | 1 +
 6 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/charts/container-storage-modules/Chart.yaml b/charts/container-storage-modules/Chart.yaml
index 57eadf78..fdddedb4 100644
--- a/charts/container-storage-modules/Chart.yaml
+++ b/charts/container-storage-modules/Chart.yaml
@@ -36,7 +36,7 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "0.1.0"
 dependencies:
 - name: csi-powerstore
diff --git a/charts/container-storage-modules/values.yaml b/charts/container-storage-modules/values.yaml
index a43d089b..eb99190e 100644
--- a/charts/container-storage-modules/values.yaml
+++ b/charts/container-storage-modules/values.yaml
@@ -209,7 +209,7 @@ csi-powermax:
 migration:
 enabled: false
 image: dellemc/dell-csi-migrator:v1.1.0
- nodeRescanSidecarImage: dellemc/dell-csi-node-sidecar:v1.0.0
+ nodeRescanSidecarImage: dellemc/dell-csi-node-rescanner:v1.0.0
 authorization:
 enabled: false
 sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.6.0
diff --git a/charts/csi-powermax/values.yaml b/charts/csi-powermax/values.yaml
index 601db459..fe19ff86 100644
--- a/charts/csi-powermax/values.yaml
+++ b/charts/csi-powermax/values.yaml
@@ -385,7 +385,9 @@ migration:
 # Change this to use any specific version of the dell-csi-migrator sidecar
 # Default value: None
 image: dellemc/dell-csi-migrator:v1.1.0
- nodeRescanSidecarImage: dellemc/dell-csi-node-sidecar:v1.0.0
+ # Node rescan sidecar does a rescan on nodes for identifying new paths
+ # Default value: dellemc/dell-csi-node-rescanner:v1.0.0
+ nodeRescanSidecarImage: dellemc/dell-csi-node-rescanner:v1.0.0
 # migrationPrefix: Determine if migration is enabled
 # Default value: "migration.storage.dell.com"
 # Examples: "migration.storage.dell.com"
diff --git a/charts/csi-powerstore/Chart.yaml b/charts/csi-powerstore/Chart.yaml
index e68db37d..42ff9a36 100644
--- a/charts/csi-powerstore/Chart.yaml
+++ b/charts/csi-powerstore/Chart.yaml
@@ -18,10 +18,10 @@ name: csi-powerstore
 apiVersion: v2
 version: 2.6.0
 appVersion: "2.6.0"
-kubeVersion: ">= 1.23.0 < 1.27.0"
-#If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead
+kubeVersion: ">= 1.22.0 < 1.27.0"
+#If you are using a complex K8s version like "v1.22.3-mirantis-1", use this kubeVersion check instead
 #WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED
-#kubeVersion: ">= 1.23.0-0 < 1.27.0-0"
+#kubeVersion: ">= 1.22.0-0 < 1.27.0-0"
 description: |
 PowerStore CSI (Container Storage Interface) driver Kubernetes integration.
 This chart includes everything required to provision via CSI as
diff --git a/charts/csi-powerstore/templates/_helpers.tpl b/charts/csi-powerstore/templates/_helpers.tpl
index dee68849..0de84a7c 100644
--- a/charts/csi-powerstore/templates/_helpers.tpl
+++ b/charts/csi-powerstore/templates/_helpers.tpl
@@ -3,7 +3,7 @@ Return the appropriate sidecar images based on k8s version
 */}}
 {{- define "csi-powerstore.attacherImage" -}}
 {{- if eq .Capabilities.KubeVersion.Major "1" }}
- {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
 {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.2.0" -}}
 {{- end -}}
 {{- end -}}
@@ -11,7 +11,7 @@ Return the appropriate sidecar images based on k8s version
 {{- define "csi-powerstore.provisionerImage" -}}
 {{- if eq .Capabilities.KubeVersion.Major "1" }}
- {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
 {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.4.0" -}}
 {{- end -}}
 {{- end -}}
@@ -19,7 +19,7 @@ Return the appropriate sidecar images based on k8s version
 {{- define "csi-powerstore.snapshotterImage" -}}
 {{- if eq .Capabilities.KubeVersion.Major "1" }}
- {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
 {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.2.1" -}}
 {{- end -}}
 {{- end -}}
@@ -27,7 +27,7 @@ Return the appropriate sidecar images based on k8s version
 {{- define "csi-powerstore.resizerImage" -}}
 {{- if eq .Capabilities.KubeVersion.Major "1" }}
- {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
 {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.7.0" -}}
 {{- end -}}
 {{- end -}}
@@ -35,7 +35,7 @@ Return the appropriate sidecar images based on k8s version
 {{- define "csi-powerstore.registrarImage" -}}
 {{- if eq .Capabilities.KubeVersion.Major "1" }}
- {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
 {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.3" -}}
 {{- end -}}
 {{- end -}}
@@ -43,7 +43,7 @@ Return the appropriate sidecar images based on k8s version
 {{- define "csi-powerstore.healthmonitorImage" -}}
 {{- if eq .Capabilities.KubeVersion.Major "1" }}
- {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}}
 {{- print "gcr.io/k8s-staging-sig-storage/csi-external-health-monitor-controller:v0.8.0" -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/csm-replication/templates/controller.yaml b/charts/csm-replication/templates/controller.yaml
index b1b72873..e52c3191 100644
--- a/charts/csm-replication/templates/controller.yaml
+++ b/charts/csm-replication/templates/controller.yaml
@@ -17,6 +17,7 @@ rules:
 resources:
 - customresourcedefinitions
 verbs:
+ - create
 - get
 - list
 - update
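Review bot: The added `- create` verb on `customresourcedefinitions` lets the replication controller's ServiceAccount define arbitrary new cluster-wide API types, and unlike `get`/`update` it cannot be narrowed with `resourceNames` because a create request carries no pre-existing name to match, so the rule becomes an unrestricted CRD-creation grant. If the controller only needs this to install its own CRDs at startup, shipping them in the chart's `crds/` directory or applying them from a pre-install hook Job with a short-lived ServiceAccount would keep the long-running pod at `get`/`list`/`update`, and `update` could then be pinned with `resourceNames` to the replication CRDs. At minimum the rule deserves a comment stating why runtime creation is required, e.g. `# create: the controller installs its replication CRDs at startup; this verb cannot be limited by resourceNames`. The rule list and the role object that owns it start outside the hunk, so I cannot tell from here whether this is a ClusterRole.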
From 4a6b8af57e0beafb7cdee46004c472e57c57871a Mon Sep 17 00:00:00 2001
From: chaganti-rajitha <111744573+chaganti-rajitha@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:30:19 +0530
Subject: [PATCH 13/27] updated chart version for app-mobility in CSM charts (#189)
---
 charts/container-storage-modules/Chart.yaml | 2 +-
 charts/container-storage-modules/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/container-storage-modules/Chart.yaml b/charts/container-storage-modules/Chart.yaml
index fdddedb4..f5af25dd 100644
--- a/charts/container-storage-modules/Chart.yaml
+++ b/charts/container-storage-modules/Chart.yaml
@@ -60,7 +60,7 @@ dependencies:
 condition: cert-manager.enabled
 - name: csm-application-mobility
- version: 0.2.0
+ version: 0.3.0
 repository: file://../csm-application-mobility
 condition: csm-application-mobility.enabled
diff --git a/charts/container-storage-modules/values.yaml b/charts/container-storage-modules/values.yaml
index eb99190e..c8d52efd 100644
--- a/charts/container-storage-modules/values.yaml
+++ b/charts/container-storage-modules/values.yaml
@@ -147,7 +147,7 @@ csm-application-mobility:
 #publicUrl:
 initContainers:
 - name: dell-custom-velero-plugin
- image: dellemc/csm-application-mobility-velero-plugin:v0.2.0
+ image: dellemc/csm-application-mobility-velero-plugin:v0.3.0
 volumeMounts:
 - mountPath: /target
 name: plugins
From 9d88008e41e8c1ce85c18227a4a69e7d2f100d2a Mon Sep 17 00:00:00 2001
From: chaganti-rajitha <111744573+chaganti-rajitha@users.noreply.github.com>
Date: Tue, 7 Mar 2023 20:15:24 +0530
Subject: [PATCH 14/27] updated Powerstore helm charts (#190)
---
 charts/csi-powerstore/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/csi-powerstore/values.yaml b/charts/csi-powerstore/values.yaml
index 6a766041..0187c54d 100644
--- a/charts/csi-powerstore/values.yaml
+++ b/charts/csi-powerstore/values.yaml
@@ -164,7 +164,7 @@ controller:
 replicationPrefix: "replication.storage.dell.com"
 # Image for csi-metadata-retriever
- metadataretriever: dellemc/csi-metadata-retriever:v1.2.0
+ metadataretriever: dellemc/csi-metadata-retriever:v1.3.0
 # nodeSelector: Define node selection constraints for controller pods.
 # For the pod to be eligible to run on a node, the node must have each
From 0325e994362a307f6a6769df42ca98d496669b1c Mon Sep 17 00:00:00 2001
From: alexemc <32580729+alexemc@users.noreply.github.com>
Date: Tue, 7 Mar 2023 09:32:06 -0600
Subject: [PATCH 15/27] Image and chart version bumped up. (#186)
---
 charts/csm-encryption-rekey-controller/Chart.yaml | 4 ++--
 charts/csm-encryption-rekey-controller/values.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/csm-encryption-rekey-controller/Chart.yaml b/charts/csm-encryption-rekey-controller/Chart.yaml
index 6a4ec6f9..ec6a82eb 100644
--- a/charts/csm-encryption-rekey-controller/Chart.yaml
+++ b/charts/csm-encryption-rekey-controller/Chart.yaml
@@ -6,10 +6,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.0"
diff --git a/charts/csm-encryption-rekey-controller/values.yaml b/charts/csm-encryption-rekey-controller/values.yaml
index 3ca18b7a..c7701b2a 100644
--- a/charts/csm-encryption-rekey-controller/values.yaml
+++ b/charts/csm-encryption-rekey-controller/values.yaml
@@ -1,5 +1,5 @@
 # Rekey controller image name.
-image: dellemc/csm-encryption-rekey-controller:v0.1.0
+image: dellemc/csm-encryption-rekey-controller:v0.2.0
 # Rekey controller image pull policy.
 # Allowed values:
From 1f027a9a728c5f0d831441619de748bfd4b346fd Mon Sep 17 00:00:00 2001
From: aqu-dell <108017114+arnchiequ-dell@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:24:36 -0500
Subject: [PATCH 16/27] Update release to 1.6.0 for auth (#188)
Signed-off-by: arnchiequ-dell
---
 charts/csm-authorization/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/csm-authorization/values.yaml b/charts/csm-authorization/values.yaml
index f7e59b14..b3ef10ec 100644
--- a/charts/csm-authorization/values.yaml
+++ b/charts/csm-authorization/values.yaml
@@ -11,10 +11,10 @@ authorization:
 # images to use in installation
 images:
- proxyService: dellemc/csm-authorization-proxy:v1.5.1
- tenantService: dellemc/csm-authorization-tenant:v1.5.1
- roleService: dellemc/csm-authorization-role:v1.5.1
- storageService: dellemc/csm-authorization-storage:v1.5.1
+ proxyService: dellemc/csm-authorization-proxy:v1.6.0
+ tenantService: dellemc/csm-authorization-tenant:v1.6.0
+ roleService: dellemc/csm-authorization-role:v1.6.0
+ storageService: dellemc/csm-authorization-storage:v1.6.0
 opa: openpolicyagent/opa
 opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
From 8b64fbfabcf78287f6e662d32c5604ae69179c15 Mon Sep 17 00:00:00 2001
From: baoy1 <105041111+baoy1@users.noreply.github.com>
Date: Tue, 7 Mar 2023 18:27:58 -0800
Subject: [PATCH 17/27] Bump up images for Observability (#191)
---
 charts/karavi-observability/README.md | 2 +-
 charts/karavi-observability/values.yaml | 20 ++++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/charts/karavi-observability/README.md b/charts/karavi-observability/README.md
index 53bca230..edac243d 100644
--- a/charts/karavi-observability/README.md
+++ b/charts/karavi-observability/README.md
@@ -1,5 +1,5 @@