From 50f2bb2e9c86ac78b4a7d65f2986bc1627b82cb4 Mon Sep 17 00:00:00 2001 
From: Jerome Guionnet
Date: Tue, 24 Oct 2023 13:32:02 -0700
Subject: [PATCH 1/6] Adding Remote repo support for Helm
---
 examples/helm-keda/.helmignore | 23 +
 examples/helm-keda/Chart.yaml | 29 +
 examples/helm-keda/README.md | 351 +
 examples/helm-keda/README.md.gotmpl | 176 +
 examples/helm-keda/templates/NOTES.txt | 65 +
 examples/helm-keda/templates/_helpers.tpl | 25 +
 .../templates/cert-manager/keda-issuer.yaml | 14 +
 .../cert-manager/keda-tls-certificate.yaml | 34 +
 .../templates/cert-manager/self-ca.yaml | 22 +
 .../templates/cert-manager/self-issuer.yaml | 13 +
 .../crd-clustertriggerauthentications.yaml | 275 +
 .../templates/crds/crd-scaledjobs.yaml | 8378 +++++++++++++++++
 .../templates/crds/crd-scaledobjects.yaml | 406 +
 .../crds/crd-triggerauthentications.yaml | 274 +
 .../extensibility/extra-manifests.yaml | 4 +
 .../templates/manager/clusterrole.yaml | 180 +
 .../templates/manager/clusterrolebinding.yaml | 21 +
 .../templates/manager/deployment.yaml | 216 +
 .../manager/poddisruptionbudget.yaml | 32 +
 .../templates/manager/podmonitor.yaml | 39 +
 .../templates/manager/prometheusrules.yaml | 24 +
 .../helm-keda/templates/manager/role.yaml | 31 +
 .../templates/manager/rolebinding.yaml | 24 +
 .../helm-keda/templates/manager/service.yaml | 38 +
 .../templates/manager/servicemonitor.yaml | 60 +
 .../templates/metrics-server/apiservice.yaml | 30 +
 .../templates/metrics-server/clusterrole.yaml | 20 +
 .../metrics-server/clusterrolebinding.yaml | 62 +
 .../templates/metrics-server/deployment.yaml | 201 +
 .../metrics-server/poddisruptionbudget.yaml | 33 +
 .../templates/metrics-server/podmonitor.yaml | 39 +
 .../templates/metrics-server/service.yaml | 39 +
 .../metrics-server/servicemonitor.yaml | 60 +
 .../helm-keda/templates/serviceaccount.yaml | 49 +
 .../templates/webhooks/deployment.yaml | 169 +
 .../webhooks/poddisruptionbudget.yaml | 34 +
 .../templates/webhooks/prometheusrules.yaml | 26 +
 .../helm-keda/templates/webhooks/service.yaml | 41 +
 .../templates/webhooks/servicemonitor.yaml | 62 +
 .../webhooks/validatingconfiguration.yaml | 47 +
 examples/helm-keda/values.yaml | 690 ++
 modules/helm/template.go | 41 +
 test/helm_keda_example_template_test.go | 80 +
 .../helm_keda_remote_example_template_test.go | 154 +
 44 files changed, 12631 insertions(+)
 create mode 100644 examples/helm-keda/.helmignore
 create mode 100644 examples/helm-keda/Chart.yaml
 create mode 100644 examples/helm-keda/README.md
 create mode 100644 examples/helm-keda/README.md.gotmpl
 create mode 100644 examples/helm-keda/templates/NOTES.txt
 create mode 100644 examples/helm-keda/templates/_helpers.tpl
 create mode 100644 examples/helm-keda/templates/cert-manager/keda-issuer.yaml
 create mode 100644 examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml
 create mode 100644 examples/helm-keda/templates/cert-manager/self-ca.yaml
 create mode 100644 examples/helm-keda/templates/cert-manager/self-issuer.yaml
 create mode 100644 examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml
 create mode 100644 examples/helm-keda/templates/crds/crd-scaledjobs.yaml
 create mode 100644 examples/helm-keda/templates/crds/crd-scaledobjects.yaml
 create mode 100644 examples/helm-keda/templates/crds/crd-triggerauthentications.yaml
 create mode 100644 examples/helm-keda/templates/extensibility/extra-manifests.yaml
 create mode 100644 examples/helm-keda/templates/manager/clusterrole.yaml
 create mode 100644 examples/helm-keda/templates/manager/clusterrolebinding.yaml
 create mode 100644 examples/helm-keda/templates/manager/deployment.yaml
 create mode 100644 examples/helm-keda/templates/manager/poddisruptionbudget.yaml
 create mode 100644 examples/helm-keda/templates/manager/podmonitor.yaml
 create mode 100644 examples/helm-keda/templates/manager/prometheusrules.yaml
 create mode 100644 examples/helm-keda/templates/manager/role.yaml
 create mode 100644 examples/helm-keda/templates/manager/rolebinding.yaml
 create mode 100644 examples/helm-keda/templates/manager/service.yaml
 create mode 100644 examples/helm-keda/templates/manager/servicemonitor.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/apiservice.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/clusterrole.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/deployment.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/podmonitor.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/service.yaml
 create mode 100644 examples/helm-keda/templates/metrics-server/servicemonitor.yaml
 create mode 100644 examples/helm-keda/templates/serviceaccount.yaml
 create mode 100644 examples/helm-keda/templates/webhooks/deployment.yaml
 create mode 100644 examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml
 create mode 100644 examples/helm-keda/templates/webhooks/prometheusrules.yaml
 create mode 100644 examples/helm-keda/templates/webhooks/service.yaml
 create mode 100644 examples/helm-keda/templates/webhooks/servicemonitor.yaml
 create mode 100644 examples/helm-keda/templates/webhooks/validatingconfiguration.yaml
 create mode 100644 examples/helm-keda/values.yaml
 create mode 100644 test/helm_keda_example_template_test.go
 create mode 100644 test/helm_keda_remote_example_template_test.go
diff --git a/examples/helm-keda/.helmignore b/examples/helm-keda/.helmignore
new file mode 100644
index 000000000..a9f39f791
--- /dev/null
+++ b/examples/helm-keda/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+*.gotmpl
diff --git a/examples/helm-keda/Chart.yaml b/examples/helm-keda/Chart.yaml
new file mode 100644
index 000000000..33134cef8
--- /dev/null
+++ b/examples/helm-keda/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: keda
+description: Event-based autoscaler for workloads on Kubernetes
+
+# Specify the Kubernetes version range that we support.
+# We allow pre-release versions for cloud-specific Kubernetes versions such as v1.21.5-gke.1302 or v1.18.9-eks-d1db3c
+kubeVersion: ">=v1.23.0-0"
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 2.12.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 2.12.0
+
+home: https://github.com/kedacore/keda
+icon: https://raw.githubusercontent.com/kedacore/keda/main/images/keda-logo-500x500-white.png
+sources:
+ - https://github.com/kedacore/keda
+maintainers:
+ - name: Ahmed ElSayed
+ email: ahmels@microsoft.com
+ - name: Jorge Turrado
+ email: jorge_turrado@hotmail.es
+ - name: Tom Kerkhove
+ email: kerkhove.tom@gmail.com
+ - name: Zbynek Roubalik
+ email: zbynek@kedify.io
diff --git a/examples/helm-keda/README.md b/examples/helm-keda/README.md
new file mode 100644
index 000000000..3e85ca0a0
--- /dev/null
+++ b/examples/helm-keda/README.md
@@ -0,0 +1,351 @@
+

+

Kubernetes-based Event Driven Autoscaling

+ +KEDA allows for fine grained autoscaling (including to/from zero) for event driven Kubernetes workloads. KEDA serves as a Kubernetes Metrics Server and allows users to define autoscaling rules using a dedicated Kubernetes custom resource definition. + +KEDA can run on both the cloud and the edge, integrates natively with Kubernetes components such as the Horizontal Pod Autoscaler, and has no external dependencies. + +--- +

+We are a Cloud Native Computing Foundation (CNCF) graduated project. + + +

+ +--- + +## TL;DR + +```console +helm repo add kedacore https://kedacore.github.io/charts +helm repo update + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda --version 2.12.0 +``` + +## Introduction + +This chart bootstraps KEDA infrastructure on a Kubernetes cluster using the Helm package manager. + +As part of that, it will install all the required Custom Resource Definitions (CRD). + +## Installing the Chart + +To install the chart with the release name `keda`: + +```console +$ kubectl create namespace keda +$ helm install keda kedacore/keda --namespace keda --version 2.12.0 +``` + +## Uninstalling the Chart + +To uninstall/delete the `keda` Helm chart: + +```console +helm uninstall keda +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the KEDA chart and +their default values. + +### General parameters + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +| `additionalAnnotations` | object | `{}` | Custom annotations to add into metadata | +| `additionalLabels` | object | `{}` | Custom labels to add into metadata | +| `affinity` | object | `{}` | [Affinity] for pod scheduling for both KEDA operator and Metrics API Server | +| `asciiArt` | bool | `true` | Capability to turn on/off ASCII art in Helm installation notes | +| `certificates.autoGenerated` | bool | `true` | Enables the self generation for KEDA TLS certificates inside KEDA operator | +| `certificates.certManager.caSecretName` | string | `"kedaorg-ca"` | Secret name where the CA is stored (generatedby cert-manager or user given) | +| `certificates.certManager.enabled` | bool | `false` | Enables Cert-manager for certificate management | +| `certificates.certManager.generateCA` | bool | `true` | Generates a self-signed CA with Cert-manager. 
If generateCA is false, the secret with the CA has to be annotated with `cert-manager.io/allow-direct-injection: "true"` | +| `certificates.certManager.secretTemplate` | object | `{}` | Add labels/annotations to secrets created by Certificate resources [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) | +| `certificates.mountPath` | string | `"/certs"` | Path where KEDA TLS certificates are mounted | +| `certificates.secretName` | string | `"kedaorg-certs"` | Secret name to be mounted with KEDA TLS certificates | +| `clusterDomain` | string | `"cluster.local"` | Kubernetes cluster domain | +| `crds.install` | bool | `true` | Defines whether the KEDA CRDs have to be installed or not. | +| `env` | list | `[]` | Additional environment variables that will be passed onto all KEDA components | +| `extraObjects` | list | `[]` | Array of extra K8s manifests to deploy | +| `grpcTLSCertsSecret` | string | `""` | Set this if you are using an external scaler and want to communicate over TLS (recommended). This variable holds the name of the secret that will be mounted to the /grpccerts path on the Pod | +| `hashiCorpVaultTLS` | string | `""` | Set this if you are using HashiCorp Vault and want to communicate over TLS (recommended). This variable holds the name of the secret that will be mounted to the /vault path on the Pod | +| `http.keepAlive.enabled` | bool | `true` | Enable HTTP connection keep alive | +| `http.minTlsVersion` | string | `"TLS12"` | The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) | +| `http.timeout` | int | `3000` | The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. 
These have built-in HTTP clients, and the timeout does not necessarily apply to them) | +| `image.pullPolicy` | string | `"Always"` | Image pullPolicy for all KEDA components | +| `imagePullSecrets` | list | `[]` | Name of secret to use to pull images to use to pull Docker images | +| `nodeSelector` | object | `{}` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) | +| `podIdentity.activeDirectory.identity` | string | `""` | Identity in Azure Active Directory to use for Azure pod identity | +| `podIdentity.aws.irsa.audience` | string | `"sts.amazonaws.com"` | Sets the token audience for IRSA. This will be set as an annotation on the KEDA service account. | +| `podIdentity.aws.irsa.enabled` | bool | `false` | Specifies whether [AWS IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) is to be enabled or not. | +| `podIdentity.aws.irsa.roleArn` | string | `""` | Set to the value of the ARN of an IAM role with a web identity provider. This will be set as an annotation on the KEDA service account. | +| `podIdentity.aws.irsa.stsRegionalEndpoints` | string | `"true"` | Sets the use of an STS regional endpoint instead of global. Recommended to use regional endpoint in almost all cases. This will be set as an annotation on the KEDA service account. | +| `podIdentity.aws.irsa.tokenExpiration` | int | `86400` | Set to the value of the service account token expiration duration. This will be set as an annotation on the KEDA service account. | +| `podIdentity.azureWorkload.clientId` | string | `""` | Id of Azure Active Directory Client to use for authentication with Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | +| `podIdentity.azureWorkload.enabled` | bool | `false` | Set to true to enable Azure Workload Identity usage. 
See https://keda.sh/docs/concepts/authentication/#azure-workload-identity This will be set as a label on the KEDA service account. | +| `podIdentity.azureWorkload.tenantId` | string | `""` | Id Azure Active Directory Tenant to use for authentication with for Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | +| `podIdentity.azureWorkload.tokenExpiration` | int | `3600` | Duration in seconds to automatically expire tokens for the service account. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | +| `podIdentity.gcp.enabled` | bool | `false` | Set to true to enable GCP Workload Identity. See https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/ This will be set as a annotation on the KEDA service account. | +| `podIdentity.gcp.gcpIAMServiceAccount` | string | `""` | GCP IAM Service Account Email which you would like to use for workload identity. | +| `podSecurityContext` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] for all pods | +| `priorityClassName` | string | `""` | priorityClassName for all KEDA components | +| `rbac.aggregateToDefaultRoles` | bool | `false` | Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) | +| `rbac.create` | bool | `true` | Specifies whether RBAC should be used | +| `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers | +| `serviceAccount.annotations` | object | `{}` | Annotations to add to the service account | +| `serviceAccount.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | +| `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created | +| `serviceAccount.name` | string | `"keda-operator"` | The name of the 
service account to use. If not set and create is true, a name is generated using the fullname template | +| `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | +| `watchNamespace` | string | `""` | Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces | + +### Operator + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +| `extraArgs.keda` | object | `{}` | Additional KEDA Operator container arguments | +| `image.keda.repository` | string | `"ghcr.io/kedacore/keda"` | Image name of KEDA operator | +| `image.keda.tag` | string | `""` | Image tag of KEDA operator. Optional, given app version of Helm chart is used by default | +| `logging.operator.format` | string | `"console"` | Logging format for KEDA Operator. allowed values: `json` or `console` | +| `logging.operator.level` | string | `"info"` | Logging level for KEDA Operator. allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string | +| `logging.operator.timeEncoding` | string | `"rfc3339"` | Logging time encoding for KEDA Operator. allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` | +| `operator.affinity` | object | `{}` | [Affinity] for pod scheduling for KEDA operator. 
Takes precedence over the `affinity` field | +| `operator.livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":25,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) | +| `operator.name` | string | `"keda-operator"` | Name of the KEDA operator | +| `operator.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | +| `operator.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA operator. While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). 
| +| `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | +| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator | +| `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator | +| `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] | +| `podLabels.keda` | object | `{}` | Pod labels for KEDA operator | +| `podSecurityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA operator pod | +| `resources.operator` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA operator pod | +| `securityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the operator container | +| `topologySpreadConstraints.operator` | list | `[]` | [Pod Topology Constraints] of KEDA operator pod | +| `upgradeStrategy.operator` | object | `{}` | Capability to configure [Deployment upgrade strategy] for operator | +| `volumes.keda.extraVolumeMounts` | list | `[]` | Extra volume mounts for KEDA deployment | +| `volumes.keda.extraVolumes` | list | `[]` | Extra volumes for KEDA deployment | + +### Metrics server + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +| `extraArgs.metricsAdapter` | object | `{}` | Additional Metrics Adapter container arguments | +| `image.metricsApiServer.repository` | string | `"ghcr.io/kedacore/keda-metrics-apiserver"` | Image name of KEDA Metrics API Server | +| `image.metricsApiServer.tag` | string | `""` | Image tag of KEDA Metrics API Server. Optional, given app version of Helm chart is used by default | +| `logging.metricServer.level` | int | `0` | Logging level for Metrics Server. 
allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string | +| `metricsServer.affinity` | object | `{}` | [Affinity] for pod scheduling for Metrics API Server. Takes precedence over the `affinity` field | +| `metricsServer.dnsPolicy` | string | `"ClusterFirst"` | Defined the DNS policy for the metric server | +| `metricsServer.livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) | +| `metricsServer.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | +| `metricsServer.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA metric server. While you can run more replicas of our metric server, only one instance will used and serve traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). 
| +| `metricsServer.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | +| `metricsServer.useHostNetwork` | bool | `false` | Enable metric server to use host network | +| `permissions.metricServer.restrict.secret` | bool | `false` | Restrict Secret Access for Metrics Server | +| `podAnnotations.metricsAdapter` | object | `{}` | Pod annotations for KEDA Metrics Adapter | +| `podDisruptionBudget.metricServer` | object | `{}` | Capability to configure [Pod Disruption Budget] | +| `podLabels.metricsAdapter` | object | `{}` | Pod labels for KEDA Metrics Adapter | +| `podSecurityContext.metricServer` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA metrics apiserver pod | +| `resources.metricServer` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA metrics apiserver pod | +| `securityContext.metricServer` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the metricServer container | +| `service.annotations` | object | `{}` | Annotations to add the KEDA Metric Server service | +| `service.portHttps` | int | `443` | HTTPS port for KEDA Metric Server service | +| `service.portHttpsTarget` | int | `6443` | HTTPS port for KEDA Metric Server container | +| `service.type` | string | `"ClusterIP"` | KEDA Metric Server service type | +| `topologySpreadConstraints.metricsServer` | list | `[]` | [Pod Topology Constraints] of KEDA metrics apiserver pod | +| `upgradeStrategy.metricsApiServer` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Metrics Api Server | +| `volumes.metricsApiServer.extraVolumeMounts` | list | `[]` | Extra volume mounts for metric server deployment | +| `volumes.metricsApiServer.extraVolumes` | list | `[]` | Extra volumes for metric server deployment | + +### Operations + +| Parameter | Type | Default | Description | 
+|-----------|------|---------|-------------| +| `opentelemetry.collector.uri` | string | `""` | Uri of OpenTelemetry Collector to push telemetry to | +| `opentelemetry.operator.enabled` | bool | `false` | Enable pushing metrics to an OpenTelemetry Collector for operator | +| `prometheus.metricServer.enabled` | bool | `false` | Enable metric server Prometheus metrics expose | +| `prometheus.metricServer.podMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using podMonitor crd (prometheus operator) | +| `prometheus.metricServer.podMonitor.enabled` | bool | `false` | Enables PodMonitor creation for the Prometheus Operator | +| `prometheus.metricServer.podMonitor.interval` | string | `""` | Scraping interval for metric server using podMonitor crd (prometheus operator) | +| `prometheus.metricServer.podMonitor.namespace` | string | `""` | Scraping namespace for metric server using podMonitor crd (prometheus operator) | +| `prometheus.metricServer.podMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server podMonitor crd (prometheus operator) | +| `prometheus.metricServer.podMonitor.scrapeTimeout` | string | `""` | Scraping timeout for metric server using podMonitor crd (prometheus operator) | +| `prometheus.metricServer.port` | int | `8080` | HTTP port used for exposing metrics server prometheus metrics | +| `prometheus.metricServer.portName` | string | `"metrics"` | HTTP port name for exposing metrics server prometheus metrics | +| `prometheus.metricServer.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | +| `prometheus.metricServer.serviceMonitor.enabled` | bool | `false` | Enables ServiceMonitor creation for the Prometheus Operator | +| `prometheus.metricServer.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global 
scrape interval is used. | +| `prometheus.metricServer.serviceMonitor.jobLabel` | string | `""` | JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | +| `prometheus.metricServer.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | +| `prometheus.metricServer.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. Mutually exclusive with targetPort | +| `prometheus.metricServer.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.metricServer.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.metricServer.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | +| `prometheus.metricServer.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | +| `prometheus.metricServer.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. 
Mutually exclusive with port | +| `prometheus.operator.enabled` | bool | `false` | Enable KEDA Operator prometheus metrics expose | +| `prometheus.operator.podMonitor.additionalLabels` | object | `{}` | Additional labels to add for KEDA Operator using podMonitor crd (prometheus operator) | +| `prometheus.operator.podMonitor.enabled` | bool | `false` | Enables PodMonitor creation for the Prometheus Operator | +| `prometheus.operator.podMonitor.interval` | string | `""` | Scraping interval for KEDA Operator using podMonitor crd (prometheus operator) | +| `prometheus.operator.podMonitor.namespace` | string | `""` | Scraping namespace for KEDA Operator using podMonitor crd (prometheus operator) | +| `prometheus.operator.podMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for KEDA Operator podMonitor crd (prometheus operator) | +| `prometheus.operator.podMonitor.scrapeTimeout` | string | `""` | Scraping timeout for KEDA Operator using podMonitor crd (prometheus operator) | +| `prometheus.operator.port` | int | `8080` | Port used for exposing KEDA Operator prometheus metrics | +| `prometheus.operator.prometheusRules.additionalLabels` | object | `{}` | Additional labels to add for KEDA Operator using prometheusRules crd (prometheus operator) | +| `prometheus.operator.prometheusRules.alerts` | list | `[]` | Additional alerts to add for KEDA Operator using prometheusRules crd (prometheus operator) | +| `prometheus.operator.prometheusRules.enabled` | bool | `false` | Enables PrometheusRules creation for the Prometheus Operator | +| `prometheus.operator.prometheusRules.namespace` | string | `""` | Scraping namespace for KEDA Operator using prometheusRules crd (prometheus operator) | +| `prometheus.operator.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | +| `prometheus.operator.serviceMonitor.enabled` | bool | `false` | Enables 
ServiceMonitor creation for the Prometheus Operator | +| `prometheus.operator.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. | +| `prometheus.operator.serviceMonitor.jobLabel` | string | `""` | JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | +| `prometheus.operator.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | +| `prometheus.operator.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. Mutually exclusive with targetPort | +| `prometheus.operator.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.operator.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.operator.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | +| `prometheus.operator.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | +| `prometheus.operator.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. 
Mutually exclusive with port | +| `prometheus.webhooks.enabled` | bool | `false` | Enable KEDA admission webhooks prometheus metrics expose | +| `prometheus.webhooks.port` | int | `8080` | Port used for exposing KEDA admission webhooks prometheus metrics | +| `prometheus.webhooks.prometheusRules.additionalLabels` | object | `{}` | Additional labels to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | +| `prometheus.webhooks.prometheusRules.alerts` | list | `[]` | Additional alerts to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | +| `prometheus.webhooks.prometheusRules.enabled` | bool | `false` | Enables PrometheusRules creation for the Prometheus Operator | +| `prometheus.webhooks.prometheusRules.namespace` | string | `""` | Scraping namespace for KEDA admission webhooks using prometheusRules crd (prometheus operator) | +| `prometheus.webhooks.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | +| `prometheus.webhooks.serviceMonitor.enabled` | bool | `false` | Enables ServiceMonitor creation for the Prometheus webhooks | +| `prometheus.webhooks.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. | +| `prometheus.webhooks.serviceMonitor.jobLabel` | string | `""` | jobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | +| `prometheus.webhooks.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | +| `prometheus.webhooks.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. 
Mutually exclusive with targetPort | +| `prometheus.webhooks.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.webhooks.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.webhooks.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | +| `prometheus.webhooks.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | +| `prometheus.webhooks.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. Mutually exclusive with port | + +### Admission Webhooks + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +| `image.webhooks.repository` | string | `"ghcr.io/kedacore/keda-admission-webhooks"` | Image name of KEDA admission-webhooks | +| `image.webhooks.tag` | string | `""` | Image tag of KEDA admission-webhooks . Optional, given app version of Helm chart is used by default | +| `logging.webhooks.format` | string | `"console"` | Logging format for KEDA Admission webhooks. allowed values: `json` or `console` | +| `logging.webhooks.level` | string | `"info"` | Logging level for KEDA Operator. allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string | +| `logging.webhooks.timeEncoding` | string | `"rfc3339"` | Logging time encoding for KEDA Operator. 
allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` | +| `podAnnotations.webhooks` | object | `{}` | Pod annotations for KEDA Admission webhooks | +| `podDisruptionBudget.webhooks` | object | `{}` | Capability to configure [Pod Disruption Budget] | +| `podLabels.webhooks` | object | `{}` | Pod labels for KEDA Admission webhooks | +| `podSecurityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA admission webhooks | +| `prometheus.webhooks.enabled` | bool | `false` | Enable KEDA admission webhooks prometheus metrics expose | +| `prometheus.webhooks.port` | int | `8080` | Port used for exposing KEDA admission webhooks prometheus metrics | +| `prometheus.webhooks.prometheusRules.additionalLabels` | object | `{}` | Additional labels to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | +| `prometheus.webhooks.prometheusRules.alerts` | list | `[]` | Additional alerts to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | +| `prometheus.webhooks.prometheusRules.enabled` | bool | `false` | Enables PrometheusRules creation for the Prometheus Operator | +| `prometheus.webhooks.prometheusRules.namespace` | string | `""` | Scraping namespace for KEDA admission webhooks using prometheusRules crd (prometheus operator) | +| `prometheus.webhooks.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | +| `prometheus.webhooks.serviceMonitor.enabled` | bool | `false` | Enables ServiceMonitor creation for the Prometheus webhooks | +| `prometheus.webhooks.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. 
| +| `prometheus.webhooks.serviceMonitor.jobLabel` | string | `""` | jobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | +| `prometheus.webhooks.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | +| `prometheus.webhooks.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. Mutually exclusive with targetPort | +| `prometheus.webhooks.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.webhooks.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | +| `prometheus.webhooks.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | +| `prometheus.webhooks.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | +| `prometheus.webhooks.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. 
Mutually exclusive with port | +| `resources.webhooks` | object | `{"limits":{"cpu":"50m","memory":"100Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}` | Manage [resource request & limits] of KEDA admission webhooks pod | +| `securityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the admission webhooks container | +| `topologySpreadConstraints.webhooks` | list | `[]` | [Pod Topology Constraints] of KEDA admission webhooks pod | +| `upgradeStrategy.webhooks` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Admission webhooks | +| `volumes.webhooks.extraVolumeMounts` | list | `[]` | Extra volume mounts for admission webhooks deployment | +| `volumes.webhooks.extraVolumes` | list | `[]` | Extra volumes for admission webhooks deployment | +| `webhooks.affinity` | object | `{}` | [Affinity] for pod scheduling for KEDA admission webhooks. Takes precedence over the `affinity` field | +| `webhooks.enabled` | bool | `true` | Enable admission webhooks (this feature option will be removed in v2.12) | +| `webhooks.failurePolicy` | string | `"Ignore"` | [Failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) to use with KEDA admission webhooks | +| `webhooks.healthProbePort` | int | `8081` | Port number to use for KEDA admission webhooks health probe | +| `webhooks.livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":25,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) | +| `webhooks.name` | string | `"keda-admission-webhooks"` | Name of the KEDA admission webhooks | +| `webhooks.port` | string | `""` | Port number to use for KEDA admission webhooks. Default is 9443. 
| +| `webhooks.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | +| `webhooks.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA admission webhooks | +| `webhooks.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | +| `webhooks.useHostNetwork` | bool | `false` | Enable webhook to use host network, this is required on EKS with custom CNI | + +Specify each parameter using the `--set key=value[,key=value]` argument to +`helm install`. For example: + +```console +$ helm install keda kedacore/keda --namespace keda \ + --set image.keda.tag= \ + --set image.metricsApiServer.tag= \ + --set image.webhooks.tag= +``` + +Alternatively, a YAML file that specifies the values for the above parameters can +be provided while installing the chart. For example, + +```console +helm install keda kedacore/keda --namespace keda -f values.yaml +``` + +## KEDA is secure by default + +Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default: +```yaml +securityContext: + operator: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + metricServer: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + ## Metrics server needs to write the self-signed cert. See FAQ for discussion of options. 
+ # readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + webhooks: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + +podSecurityContext: + operator: + runAsNonRoot: true + metricServer: + runAsNonRoot: true + webhooks: + runAsNonRoot: true +``` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) + +[Affinity]: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ +[Deployment upgrade strategy]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +[GCP Workload Identity]: https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/ +[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +[Pod security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +[Security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +[Pod Topology Constraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +[RelabelConfig Spec]: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.RelabelConfig +[resource request & limits]: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +[ServiceMonitor Spec]: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor diff --git a/examples/helm-keda/README.md.gotmpl b/examples/helm-keda/README.md.gotmpl new file mode 100644 index 000000000..ba7073b2e --- /dev/null +++ b/examples/helm-keda/README.md.gotmpl @@ -0,0 +1,176 @@ +

+

Kubernetes-based Event Driven Autoscaling

+ +KEDA allows for fine grained autoscaling (including to/from zero) for event driven Kubernetes workloads. KEDA serves as a Kubernetes Metrics Server and allows users to define autoscaling rules using a dedicated Kubernetes custom resource definition. + +KEDA can run on both the cloud and the edge, integrates natively with Kubernetes components such as the Horizontal Pod Autoscaler, and has no external dependencies. + +--- +

+We are a Cloud Native Computing Foundation (CNCF) graduated project. + + +

+ +--- + +## TL;DR + +```console +helm repo add kedacore https://kedacore.github.io/charts +helm repo update + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda --version {{ template "chart.appVersion" . }} +``` + +## Introduction + +This chart bootstraps KEDA infrastructure on a Kubernetes cluster using the Helm package manager. + +As part of that, it will install all the required Custom Resource Definitions (CRD). + +## Installing the Chart + +To install the chart with the release name `keda`: + +```console +$ kubectl create namespace keda +$ helm install keda kedacore/keda --namespace keda --version {{ template "chart.appVersion" . }} +``` + +## Uninstalling the Chart + +To uninstall/delete the `keda` Helm chart: + +```console +helm uninstall keda +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the KEDA chart and +their default values. + +### General parameters + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +{{- range .Values }} + {{- if not (or (contains "operator" .Key) (contains "keda" .Key) (contains "opentelemetry" .Key) (contains "prometheus" .Key) (contains "metricServer" .Key) (contains "metricsServer" .Key) (contains "metricsApiServer" .Key) (contains "metricsAdapter" .Key) (contains "webhooks" .Key) (hasPrefix "service." 
.Key) ) }} +| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Operator + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +{{- range .Values }} + {{- if and (or (contains "operator" .Key) (contains "keda" .Key)) (not (or (contains "opentelemetry" .Key) (contains "prometheus" .Key))) }} +| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Metrics server + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +{{- range .Values }} + {{- if and (or (contains "metricServer" .Key) (contains "metricsServer" .Key) (contains "metricsApiServer" .Key) (contains "metricsAdapter" .Key) (hasPrefix "service." 
.Key)) (not (or (contains "opentelemetry" .Key) (contains "prometheus" .Key)))}} +| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Operations + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +{{- range .Values }} + {{- if or (contains "opentelemetry" .Key) (contains "prometheus" .Key) }} +| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +### Admission Webhooks + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +{{- range .Values }} + {{- if contains "webhooks" .Key }} +| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} + +Specify each parameter using the `--set key=value[,key=value]` argument to +`helm install`. For example: + +```console +$ helm install keda kedacore/keda --namespace keda \ + --set image.keda.tag= \ + --set image.metricsApiServer.tag= \ + --set image.webhooks.tag= +``` + +Alternatively, a YAML file that specifies the values for the above parameters can +be provided while installing the chart. For example, + +```console +helm install keda kedacore/keda --namespace keda -f values.yaml +``` + +## KEDA is secure by default + +Our default configuration strives to be as secure as possible. 
Because of that, KEDA will run as non-root and be secure-by-default: +```yaml +securityContext: + operator: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + metricServer: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + ## Metrics server needs to write the self-signed cert. See FAQ for discussion of options. + # readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + webhooks: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + +podSecurityContext: + operator: + runAsNonRoot: true + metricServer: + runAsNonRoot: true + webhooks: + runAsNonRoot: true +``` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) + +[Affinity]: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ +[Deployment upgrade strategy]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +[GCP Workload Identity]: https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/ +[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +[Pod security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +[Security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +[Pod Topology Constraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +[RelabelConfig Spec]: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.RelabelConfig +[resource request & limits]: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +[ServiceMonitor Spec]: 
https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor
diff --git a/examples/helm-keda/templates/NOTES.txt b/examples/helm-keda/templates/NOTES.txt
new file mode 100644
index 000000000..0e4c8e0a5
--- /dev/null
+++ b/examples/helm-keda/templates/NOTES.txt
@@ -0,0 +1,65 @@
+{{- if .Values.asciiArt }}
+:::^. .::::^: ::::::::::::::: .:::::::::. .^.
+7???~ .^7????~. 7??????????????. :?????????77!^. .7?7.
+7???~ ^7???7~. ~!!!!!!!!!!!!!!. :????!!!!7????7~. .7???7.
+7???~^7????~. :????: :~7???7. :7?????7.
+7???7????!. ::::::::::::. :????: .7???! :7??77???7.
+7????????7: 7???????????~ :????: :????: :???7?5????7.
+7????!~????^ !77777777777^ :????: :????: ^???7?#P7????7.
+7???~ ^????~ :????: :7???! ^???7J#@J7?????7.
+7???~ :7???!. :????: .:~7???!. ~???7Y&@#7777????7.
+7???~ .7???7: !!!!!!!!!!!!!!! :????7!!77????7^ ~??775@@@GJJYJ?????7.
+7???~ .!????^ 7?????????????7. :?????????7!~: !????G@@@@@@@@5??????7:
+::::. ::::: ::::::::::::::: .::::::::.. .::::JGGGB@@@&7:::::::::
+ ?@@#~
+ P@B^
+ :&G:
+ !5.
+ .
+{{- end -}}
+
+Kubernetes Event-driven Autoscaling (KEDA) - Application autoscaling made simple.
+
+Get started by deploying Scaled Objects to your cluster:
+ - Information about Scaled Objects : https://keda.sh/docs/latest/concepts/
+ - Samples: https://github.com/kedacore/samples
+
+Get information about the deployed ScaledObjects:
+ kubectl get scaledobject [--namespace ]
+
+Get details about a deployed ScaledObject:
+ kubectl describe scaledobject [--namespace ]
+
+Get information about the deployed ScaledObjects:
+ kubectl get triggerauthentication [--namespace ]
+
+Get details about a deployed ScaledObject:
+ kubectl describe triggerauthentication [--namespace ]
+
+Get an overview of the Horizontal Pod Autoscalers (HPA) that KEDA is using behind the scenes:
+ kubectl get hpa [--all-namespaces] [--namespace ]
+
+{{- if .Values.prometheus.operator.serviceMonitor.relabellings}}
+-------------------------------------------------------------------------------------
+WARNING - prometheus.operator.serviceMonitor.relabellings is deprecated, please migrate to prometheus.operator.serviceMonitor.relabelings instead.
+-------------------------------------------------------------------------------------
+{{- end }}
+{{- if .Values.prometheus.metricServer.serviceMonitor.relabellings}}
+WARNING - prometheus.metricServer.serviceMonitor.relabellings is deprecated, please migrate to prometheus.metricServer.serviceMonitor.relabelings instead.
+{{- end }}
+{{- if .Values.prometheus.webhooks.serviceMonitor.relabellings}}
+-------------------------------------------------------------------------------------
+WARNING - prometheus.webhooks.serviceMonitor.relabellings is deprecated, please migrate to prometheus.webhooks.serviceMonitor.relabelings instead.
+-------------------------------------------------------------------------------------
+{{- end }}
+
+{{- if lt .Capabilities.KubeVersion.Minor "26" }}
+-------------------------------------------------------------------------------------
+WARNING - Running on unsupported Kubernetes version "1.{{.Capabilities.KubeVersion.Minor}}". KEDA 2.12 is supported and tested on Kubernetes "1.26" or higher. See https://keda.sh/docs/2.12/operate/cluster/ for details.
+-------------------------------------------------------------------------------------
+{{- end }}
+
+Learn more about KEDA:
+- Documentation: https://keda.sh/
+- Support: https://keda.sh/support/
+- File an issue: https://github.com/kedacore/keda/issues/new/choose
diff --git a/examples/helm-keda/templates/_helpers.tpl b/examples/helm-keda/templates/_helpers.tpl
new file mode 100644
index 000000000..1fb210c78
--- /dev/null
+++ b/examples/helm-keda/templates/_helpers.tpl
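Review bot: The Kubernetes version check near the end of the hunk, `{{- if lt .Capabilities.KubeVersion.Minor "26" }}`, compares two strings, so the ordering is lexical rather than numeric and depends on how the cluster reports its minor version (some distributions append a `+`). A semver comparison states the intent directly: `{{- if semverCompare "<1.26-0" .Capabilities.KubeVersion.Version }}`. Separately, the two `kubectl ... triggerauthentication` commands are introduced by the ScaledObject captions copied from the lines above them, and the metricServer deprecation warning is the only one of the three without the dashed rule around it.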
@@ -0,0 +1,25 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "keda.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Generate basic labels
+*/}}
+{{- define "keda.labels" }}
+helm.sh/chart: {{ include "keda.chart" . }}
+app.kubernetes.io/component: operator
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Values.operator.name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels }}
+{{- end }}
+{{- end }}
diff --git a/examples/helm-keda/templates/cert-manager/keda-issuer.yaml b/examples/helm-keda/templates/cert-manager/keda-issuer.yaml
new file mode 100644
index 000000000..3840f2761
--- /dev/null
+++ b/examples/helm-keda/templates/cert-manager/keda-issuer.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.certificates.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ .Values.operator.name }}-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ ca:
+ secretName: {{ .Values.certificates.certManager.caSecretName }}
+{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml b/examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml
new file mode 100644
index 000000000..8b4e210fd
--- /dev/null
+++ b/examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml
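Review bot: In `keda.labels` every value is emitted unquoted, e.g. `app.kubernetes.io/version: {{ .Chart.AppVersion }}`; an app version or release name that YAML reads as a number or boolean (say `2.12`) would render as a non-string label value, which the API server rejects. Quoting keeps each value a string: `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}`, and likewise for the `managed-by`, `instance` and `part-of` lines. The helper also hard-codes `app.kubernetes.io/component: operator`, so every resource that includes it (the CRD templates later in this patch do) carries the operator component label; a comment above the `define` such as `Note: component is always "operator", do not use it to select pods` would keep that from being relied on in selectors or policies.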
@@ -0,0 +1,34 @@
+{{- if .Values.certificates.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.operator.name }}-tls-certificates
+ namespace: {{ .Release.Namespace }}
+spec:
+ commonName: {{ .Values.operator.name }}
+ dnsNames:
+ - {{ .Values.operator.name }}.{{ .Release.Namespace }}
+ - {{ .Values.operator.name }}.{{ .Release.Namespace }}.svc
+ - {{ .Values.operator.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}
+ - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}.svc
+ - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}
+ - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}.svc
+ - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ secretName: {{ .Values.certificates.secretName }}
+ secretTemplate:
+ {{- toYaml .Values.certificates.certManager.secretTemplate | nindent 4 }}
+ usages:
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ duration: 8760h0m0s # 1 year
+ renewBefore: 5840h0m0s # 8 months
+ issuerRef:
+ name: {{ .Values.operator.name }}-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
diff --git a/examples/helm-keda/templates/cert-manager/self-ca.yaml b/examples/helm-keda/templates/cert-manager/self-ca.yaml
new file mode 100644
index 000000000..7bde59bcd
--- /dev/null
+++ b/examples/helm-keda/templates/cert-manager/self-ca.yaml
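Review bot: The `privateKey` block sets only `algorithm` and `size`, so whether a renewal generates a fresh key is left to the cert-manager default for `rotationPolicy`, which in older releases is to keep reusing the existing key. With `renewBefore: 5840h0m0s` the certificate is re-issued roughly every four months, and without rotation a key that has leaked stays usable across every renewal; adding `rotationPolicy: Always` under `privateKey` makes each renewal replace it. The same block appears in `cert-manager/self-ca.yaml`, where it covers the CA key. A comment in this file should also record that one certificate and one secret carry the SANs of the operator, the metrics API server and the webhooks with both `server auth` and `client auth` usages, so any component that can read the secret (presumably all three mount it) holds a key valid for the other two names.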
@@ -0,0 +1,22 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.operator.name }}-ca
+ namespace: {{ .Release.Namespace }}
+spec:
+ isCA: true
+ commonName: {{ .Values.operator.name }}
+ secretName: {{ .Values.certificates.certManager.caSecretName }}
+ secretTemplate:
+ {{- toYaml .Values.certificates.certManager.secretTemplate | nindent 4 }}
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ duration: 8760h0m0s # 1 year
+ renewBefore: 5840h0m0s # 8 months
+ issuerRef:
+ name: {{ .Values.operator.name }}-selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/cert-manager/self-issuer.yaml b/examples/helm-keda/templates/cert-manager/self-issuer.yaml
new file mode 100644
index 000000000..b2ce2a559
--- /dev/null
+++ b/examples/helm-keda/templates/cert-manager/self-issuer.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ .Values.operator.name }}-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml b/examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml
new file mode 100644
index 000000000..792a7d183
--- /dev/null
+++ b/examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml
@@ -0,0 +1,275 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: clustertriggerauthentications.keda.sh +spec: + group: keda.sh + names: + kind: ClusterTriggerAuthentication + listKind: ClusterTriggerAuthenticationList + plural: clustertriggerauthentications + shortNames: + - cta + - clustertriggerauth + singular: clustertriggerauthentication + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.podIdentity.provider + name: PodIdentity + type: string + - jsonPath: .spec.secretTargetRef[*].name + name: Secret + type: string + - jsonPath: .spec.env[*].name + name: Env + type: string + - jsonPath: .spec.hashiCorpVault.address + name: VaultAddress + type: string + - jsonPath: .status.scaledobjects + name: ScaledObjects + priority: 1 + type: string + - jsonPath: .status.scaledjobs + name: ScaledJobs + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterTriggerAuthentication defines how a trigger can authenticate + globally + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TriggerAuthenticationSpec defines the various ways to authenticate + properties: + azureKeyVault: + description: AzureKeyVault is used to authenticate using Azure Key + Vault + properties: + cloud: + properties: + activeDirectoryEndpoint: + type: string + keyVaultResourceURL: + type: string + type: + type: string + required: + - type + type: object + credentials: + properties: + clientId: + type: string + clientSecret: + properties: + valueFrom: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + required: + - valueFrom + type: object + tenantId: + type: string + required: + - clientId + - clientSecret + - tenantId + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform + native identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secrets: + items: + properties: + name: + type: string + parameter: + type: string + version: + type: string + required: + - name + - parameter + type: object + type: array + vaultUri: + type: string + required: + - secrets + - vaultUri + type: object + env: + items: + description: AuthEnvironment is used to authenticate using environment + variables in the destination ScaleTarget spec + properties: + containerName: + type: string + name: + type: string + parameter: + type: string + required: + - name + - parameter + type: object + type: array + hashiCorpVault: + description: HashiCorpVault is used to authenticate using Hashicorp + Vault + properties: + address: + type: string + authentication: + description: VaultAuthentication contains the list of Hashicorp + 
Vault authentication methods + type: string + credential: + description: Credential defines the Hashicorp Vault credentials + depending on the authentication method + properties: + serviceAccount: + type: string + token: + type: string + type: object + mount: + type: string + namespace: + type: string + role: + type: string + secrets: + items: + description: VaultSecret defines the mapping between the path + of the secret in Vault to the parameter + properties: + key: + type: string + parameter: + type: string + path: + type: string + pkiData: + properties: + altNames: + type: string + commonName: + type: string + format: + type: string + ipSans: + type: string + otherSans: + type: string + ttl: + type: string + uriSans: + type: string + type: object + type: + description: VaultSecretType defines the type of vault secret + type: string + required: + - key + - parameter + - path + type: object + type: array + required: + - address + - authentication + - secrets + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform native + identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secretTargetRef: + items: + description: AuthSecretTargetRef is used to authenticate using a + reference to a secret + properties: + key: + type: string + name: + type: string + parameter: + type: string + required: + - key + - name + - parameter + type: object + type: array + type: object + status: + description: TriggerAuthenticationStatus defines the observed state of + TriggerAuthentication + properties: + scaledjobs: + type: string + scaledobjects: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end -}} 
diff --git a/examples/helm-keda/templates/crds/crd-scaledjobs.yaml b/examples/helm-keda/templates/crds/crd-scaledjobs.yaml new file mode 100644 index 000000000..8473b6f89 --- /dev/null +++ b/examples/helm-keda/templates/crds/crd-scaledjobs.yaml 
@@ -0,0 +1,8378 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: scaledjobs.keda.sh +spec: + group: keda.sh + names: + kind: ScaledJob + listKind: ScaledJobList + plural: scaledjobs + shortNames: + - sj + singular: scaledjob + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.minReplicaCount + name: Min + type: integer + - jsonPath: .spec.maxReplicaCount + name: Max + type: integer + - jsonPath: .spec.triggers[*].type + name: Triggers + type: string + - jsonPath: .spec.triggers[*].authenticationRef.name + name: Authentication + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Active")].status + name: Active + type: string + - jsonPath: .status.conditions[?(@.type=="Paused")].status + name: Paused + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ScaledJob is the Schema for the scaledjobs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScaledJobSpec defines the desired state of ScaledJob + properties: + envSourceContainerName: + type: string + failedJobsHistoryLimit: + format: int32 + type: integer + jobTargetRef: + description: JobSpec describes how the job execution will look like. + properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be continuously active before the + system tries to terminate it; value must be positive integer. + If a Job is suspended (at creation or through an update), this + timer will effectively be stopped and reset when the Job is + resumed again. + format: int64 + type: integer + backoffLimit: + description: Specifies the number of retries before marking this + job failed. Defaults to 6 + format: int32 + type: integer + backoffLimitPerIndex: + description: Specifies the limit for the number of retries within + an index before marking this index as failed. When enabled the + number of failures per index is kept in the pod's batch.kubernetes.io/job-index-failure-count + annotation. It can only be set when Job's completionMode=Indexed, + and the Pod's restart policy is Never. The field is immutable. + This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + feature gate is enabled (disabled by default). + format: int32 + type: integer + completionMode: + description: "completionMode specifies how Pod completions are + tracked. It can be `NonIndexed` (default) or `Indexed`. \n `NonIndexed` + means that the Job is considered complete when there have been + .spec.completions successfully completed Pods. Each Pod completion + is homologous to each other. 
\n `Indexed` means that the Pods + of a Job get an associated completion index from 0 to (.spec.completions + - 1), available in the annotation batch.kubernetes.io/job-completion-index. + The Job is considered complete when there is one successfully + completed Pod for each index. When value is `Indexed`, .spec.completions + must be specified and `.spec.parallelism` must be less than + or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, + the Pod hostname takes the form `$(job-name)-$(index)`. \n More + completion modes can be added in the future. If the Job controller + observes a mode that it doesn't recognize, which is possible + during upgrades due to version skew, the controller skips updates + for the Job." + type: string + completions: + description: 'Specifies the desired number of successfully finished + pods the job should be run with. Setting to null means that + the success of any pod signals the success of all pods, and + allows parallelism to have any positive value. Setting to 1 + means that parallelism is limited to 1 and the success of that + pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' + format: int32 + type: integer + manualSelector: + description: 'manualSelector controls generation of pod labels + and pod selectors. Leave `manualSelector` unset unless you are + certain what you are doing. When false or unset, the system + pick labels unique to this job and appends those labels to the + pod template. When true, the user is responsible for picking + unique labels and specifying the selector. Failure to pick + a unique label may cause this and other jobs to not function + correctly. However, You may see `manualSelector=true` in jobs + that were created with the old `extensions/v1beta1` API. 
More + info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector' + type: boolean + maxFailedIndexes: + description: Specifies the maximal number of failed indexes before + marking the Job as failed, when backoffLimitPerIndex is set. + Once the number of failed indexes exceeds this number the entire + Job is marked as Failed and its execution is terminated. When + left as null the job continues execution of all of its indexes + and is marked with the `Complete` Job condition. It can only + be specified when backoffLimitPerIndex is set. It can be null + or up to completions. It is required and must be less than or + equal to 10^4 when is completions greater than 10^5. This field + is alpha-level. It can be used when the `JobBackoffLimitPerIndex` + feature gate is enabled (disabled by default). + format: int32 + type: integer + parallelism: + description: 'Specifies the maximum desired number of pods the + job should run at any given time. The actual number of pods + running in steady state will be less than this number when ((.spec.completions + - .status.successful) < .spec.parallelism), i.e. when the work + left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' + format: int32 + type: integer + podFailurePolicy: + description: "Specifies the policy of handling failed pods. In + particular, it allows to specify the set of actions and conditions + which need to be satisfied to take the associated action. If + empty, the default behaviour applies - the counter of failed + pods, represented by the jobs's .status.failed field, is incremented + and it is checked against the backoffLimit. This field cannot + be used in combination with restartPolicy=OnFailure. \n This + field is beta-level. It can be used when the `JobPodFailurePolicy` + feature gate is enabled (enabled by default)." 
+ properties: + rules: + description: A list of pod failure policy rules. The rules + are evaluated in order. Once a rule matches a Pod failure, + the remaining of the rules are ignored. When no rule matches + the Pod failure, the default handling applies - the counter + of pod failures is incremented and it is checked against + the backoffLimit. At most 20 elements are allowed. + items: + description: PodFailurePolicyRule describes how a pod failure + is handled when the requirements are met. One of onExitCodes + and onPodConditions, but not both, can be used in each + rule. + properties: + action: + description: "Specifies the action taken on a pod failure + when the requirements are satisfied. Possible values + are: \n - FailJob: indicates that the pod's job is + marked as Failed and all running pods are terminated. + - FailIndex: indicates that the pod's index is marked + as Failed and will not be restarted. This value is + alpha-level. It can be used when the `JobBackoffLimitPerIndex` + feature gate is enabled (disabled by default). - Ignore: + indicates that the counter towards the .backoffLimit + is not incremented and a replacement pod is created. + - Count: indicates that the pod is handled in the + default way - the counter towards the .backoffLimit + is incremented. Additional values are considered to + be added in the future. Clients should react to an + unknown action by skipping the rule." + type: string + onExitCodes: + description: Represents the requirement on the container + exit codes. + properties: + containerName: + description: Restricts the check for exit codes + to the container with the specified name. When + null, the rule applies to all containers. When + specified, it should match one the container or + initContainer names in the pod template. + type: string + operator: + description: "Represents the relationship between + the container exit code(s) and the specified values. 
+ Containers completed with success (exit code 0) + are excluded from the requirement check. Possible + values are: \n - In: the requirement is satisfied + if at least one container exit code (might be + multiple if there are multiple containers not + restricted by the 'containerName' field) is in + the set of specified values. - NotIn: the requirement + is satisfied if at least one container exit code + (might be multiple if there are multiple containers + not restricted by the 'containerName' field) is + not in the set of specified values. Additional + values are considered to be added in the future. + Clients should react to an unknown operator by + assuming the requirement is not satisfied." + type: string + values: + description: Specifies the set of values. Each returned + container exit code (might be multiple in case + of multiple containers) is checked against this + set of values with respect to the operator. The + list of values must be ordered and must not contain + duplicates. Value '0' cannot be used for the In + operator. At least one element is required. At + most 255 elements are allowed. + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + - values + type: object + onPodConditions: + description: Represents the requirement on the pod conditions. + The requirement is represented as a list of pod condition + patterns. The requirement is satisfied if at least + one pattern matches an actual pod condition. At most + 20 elements are allowed. + items: + description: PodFailurePolicyOnPodConditionsPattern + describes a pattern for matching an actual pod condition + type. + properties: + status: + description: Specifies the required Pod condition + status. To match a pod condition it is required + that the specified status equals the pod condition + status. Defaults to True. + type: string + type: + description: Specifies the required Pod condition + type. 
To match a pod condition it is required + that specified type equals the pod condition + type. + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-type: atomic + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + required: + - rules + type: object + podReplacementPolicy: + description: "podReplacementPolicy specifies when to create replacement + Pods. Possible values are: - TerminatingOrFailed means that + we recreate pods when they are terminating (has a metadata.deletionTimestamp) + or failed. - Failed means to wait until a previously created + Pod is fully terminated (has phase Failed or Succeeded) before + creating a replacement Pod. \n When using podFailurePolicy, + Failed is the the only allowed value. TerminatingOrFailed and + Failed are allowed values when podFailurePolicy is not in use. + This is an alpha field. Enable JobPodReplacementPolicy to be + able to use this field." + type: string + selector: + description: 'A label query over pods that should match the pod + count. Normally, the system sets this field for you. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + suspend: + description: suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods associated with + this Job. Users must design their workload to gracefully handle + this. Suspending a Job will reset the StartTime field of the + Job, effectively resetting the ActiveDeadlineSeconds timer too. + Defaults to false. + type: boolean + template: + description: 'Describes the pod that will be created when executing + a job. The only allowed template.spec.restartPolicy values are + "Never" or "OnFailure". More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' + properties: + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + type: object + x-kubernetes-preserve-unknown-fields: true + spec: + description: 'Specification of the desired behavior of the + pod. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may + be active on the node relative to StartTime before the + system will actively try to mark it failed and kill + associated containers. Value must be a positive integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a + node that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by + iterating through the elements of this field + and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) + with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling + term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. 
+ type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by this + field cease to be met at some point during pod + execution (e.g. due to an update), the system + may or may not try to eventually evict the pod + from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string + values. If the operator is In + or NotIn, the values array must + be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + If the operator is Gt or Lt, + the values array must have a + single element, which will be + interpreted as an integer. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a + node that violates one or more of the expressions. + The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node + that meets all of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by + iterating through the elements of this field + and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; + the node(s) with the highest sum are the most + preferred. 
+ items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. 
null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by this + field cease to be met at some point during pod + execution (e.g. due to a pod label update), + the system may or may not try to eventually + evict the pod from its node. When there are + multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the + given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on + which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. 
+ type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most preferred + is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a + sum by iterating through the elements of this + field and adding "weight" to the sum if the + node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest + sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this + field and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's + namespace". An empty selector ({}) + matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. 
A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a + static list of namespace names that + the term applies to. The term is applied + to the union of the namespaces listed + in this field and the ones selected + by namespaceSelector. null or empty + namespaces list and null namespaceSelector + means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running on + a node whose value of the label with + key topologyKey matches that of any + node on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. due to a pod label + update), the system may or may not try to eventually + evict the pod from its node. When there are + multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the + given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) + with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on + which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. 
+ The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether + a service account token should be automatically mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using + the container''s environment. If a variable cannot + be resolved, the reference in the input string + will be unchanged. Double $$ are reduced to a + single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will + never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. 
If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot + be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set + in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container and + any service environment variables. If a + variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal + "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable + exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container + is starting. When a key exists in multiple sources, + the value associated with the last source will + take precedence. Values defined by an Env with + a duplicate key will take precedence. Cannot be + updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a + C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately + before a container is terminated due to an + API request or management event such as liveness/startup + probe failure, preemption, resource contention, + etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop + hook is executed. 
Regardless of the outcome + of the handler, the container will eventually + terminate within the Pod''s termination grace + period (unless delayed by finalizers). Other + management of the container blocks until the + hook completes or until the termination grace + period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. 
+ Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. 
Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that + port from being exposed. Any port which is listening + on the default "0.0.0.0" address inside a container + will be accessible from the network. Modifying + this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on the + pod's IP address. This must be a valid port + number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the + host. If specified, this must be a valid + port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an + IANA_SVC_NAME and unique within the pod. + Each named port in a pod must have a unique + name. Name for the port that can be referred + to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, + TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not specified, + it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. 
\n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If Requests + is omitted for a container, it defaults to + Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart + behavior of individual containers in a pod. This + field may only be set for init containers, and + the only allowed value is "Always". For non-init + containers or when this field is not specified, + the restart behavior is defined by the Pod''s + restart policy and the container type. 
Setting + the RestartPolicy as "Always" for the init container + will have the following effect: this init container + will be continually restarted on exit until all + regular containers have terminated. Once all regular + containers have completed, all init containers + with restartPolicy "Always" will be shut down. + This lifecycle differs from normal init containers + and is often referred to as a "sidecar" container. + Although this init container still starts in the + init container sequence, it does not wait for + the container to complete before proceeding to + the next init container. Instead, the next init + container starts immediately after this init container + is started, or after any startupProbe has successfully + completed.' + type: string + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. If set, + the fields of SecurityContext override the equivalent + fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when + running containers. Defaults to the default + set of capabilities granted by the container + runtime. Note that this field cannot be set + when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults to + false. Note that this field cannot be set + when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default + is DefaultProcMount which uses the container + runtime defaults for readonly paths and masked + paths. This requires the ProcMountType feature + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that + this field cannot be set when spec.os.name + is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of + the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must + run as a non-root user. If true, the Kubelet + will validate the image at runtime to ensure + that it does not run as UID 0 (root) and fail + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. 
+ type: boolean + runAsUser: + description: The UID to run the entrypoint of + the container process. Defaults to user specified + in image metadata if unspecified. May also + be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be preconfigured + on the node to work. Must be a descending + path, relative to the kubelet's configured + seccomp profile location. Must be set + if type is "Localhost". Must NOT be set + for any other type. + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. 
Valid + options are: \n Localhost - a profile + defined in a file on the node should be + used. RuntimeDefault - the container runtime + default profile should be used. Unconfined + - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the + name of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a + container should be run as a 'Host Process' + container. All of a Pod's containers must + have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container process. + Defaults to the user specified in image + metadata if unspecified. May also be set + in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod + has successfully initialized. If specified, no + other probes are executed until this completes + successfully. 
If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters + at the beginning of a Pod''s lifecycle, when it + might take a long time to load data or warm a + cache, than during steady-state operation. This + cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If + this is not set, reads from stdin in the container + will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is + opened on container start, is empty until the + first client attaches to stdin, and then remains + open and accepts data until the client disconnects, + at which time stdin is closed and remains closed + until the container is restarted. 
If this flag + is false, a container processes that reads from + stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to + which the container''s termination message will + be written is mounted into the container''s filesystem. + Message written is intended to be brief final + status, such as an assertion failure message. + Will be truncated by the node if greater than + 4096 bytes. The total message length across all + containers will be limited to 12kb. Defaults to + /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output + is limited to 2048 bytes or 80 lines, whichever + is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will be + mapped to. + type: string + name: + description: name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. 
+ items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how + mounts are propagated from the host to container + and the other way around. When not set, + MountPropagationNone is used. This field + is beta in 1.10. + type: string + name: + description: This must match the Name of a + Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults + to false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not + specified, the container runtime's default will + be used, which might be configured in the container + image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters + specified here will be merged to the generated DNS configuration + based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers generated + from DNSPolicy. Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. 
This + will be merged with the base options generated from + DNSPolicy. Duplicated entries will be removed. Resolution + options given in Options will override those that + appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". + Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', + 'Default' or 'None'. DNS parameters given in DNSConfig + will be merged with the policy selected with DNSPolicy. + To have DNS options set along with hostNetwork, you + have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, and + it cannot be modified by updating the pod spec. In order + to add an ephemeral container to an existing pod, use + the pod's ephemeralcontainers subresource. + items: + description: "An EphemeralContainer is a temporary container + that you may add to an existing Pod for user-initiated + activities such as debugging. 
Ephemeral containers + have no resource or scheduling guarantees, and they + will not be restarted when they exit or when a Pod + is removed or restarted. The kubelet may evict a Pod + if an ephemeral container causes the Pod to exceed + its resource allocation. \n To add an ephemeral container, + use the ephemeralcontainers subresource of an existing + Pod. Ephemeral containers may not be removed or restarted." + properties: + args: + description: 'Arguments to the entrypoint. The image''s + CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the + container''s environment. If a variable cannot + be resolved, the reference in the input string + will be unchanged. Double $$ are reduced to a + single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will + never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if this + is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot + be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set + in the container. 
Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container and + any service environment variables. If a + variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal + "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable + exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container + is starting. When a key exists in multiple sources, + the value associated with the last source will + take precedence. Values defined by an Env with + a duplicate key will take precedence. 
Cannot be + updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a + C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. 
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. 
TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately + before a container is terminated due to an + API request or management event such as liveness/startup + probe failure, preemption, resource contention, + etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop + hook is executed. Regardless of the outcome + of the handler, the container will eventually + terminate within the Pod''s termination grace + period (unless delayed by finalizers). Other + management of the container blocks until the + hook completes or until the termination grace + period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. 
+ items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. 
+ properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on the + pod's IP address. This must be a valid port + number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the + host. If specified, this must be a valid + port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an + IANA_SVC_NAME and unique within the pod. 
+ Each named port in a pod must have a unique + name. Name for the port that can be referred + to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, + TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. 
You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. 
Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not specified, + it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: Resources are not allowed for ephemeral + containers. 
Ephemeral containers use spare resources + already allocated to the pod. + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If Requests + is omitted for a container, it defaults to + Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: Restart policy for the container to + manage the restart behavior of each container + within a pod. 
This may only be set for init containers. + You cannot set this field on ephemeral containers. + type: string + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container should + be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when + running containers. Defaults to the default + set of capabilities granted by the container + runtime. Note that this field cannot be set + when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults to + false. Note that this field cannot be set + when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default + is DefaultProcMount which uses the container + runtime defaults for readonly paths and masked + paths. This requires the ProcMountType feature + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. 
+ type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that + this field cannot be set when spec.os.name + is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of + the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must + run as a non-root user. If true, the Kubelet + will validate the image at runtime to ensure + that it does not run as UID 0 (root) and fail + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of + the container process. Defaults to user specified + in image metadata if unspecified. May also + be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. 
+ type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be preconfigured + on the node to work. Must be a descending + path, relative to the kubelet's configured + seccomp profile location. Must be set + if type is "Localhost". Must NOT be set + for any other type. + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. Valid + options are: \n Localhost - a profile + defined in a file on the node should be + used. RuntimeDefault - the container runtime + default profile should be used. Unconfined + - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. 
+ type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the + name of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a + container should be run as a 'Host Process' + container. All of a Pod's containers must + have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container process. + Defaults to the user specified in image + metadata if unspecified. May also be set + in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. 
+ format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If + this is not set, reads from stdin in the container + will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is + opened on container start, is empty until the + first client attaches to stdin, and then remains + open and accepts data until the client disconnects, + at which time stdin is closed and remains closed + until the container is restarted. If this flag + is false, a container processes that reads from + stdin will never receive an EOF. Default is false + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container runtime + must implement support for this feature. If the + runtime does not support namespace targeting then + the result of setting this field is undefined." + type: string + terminationMessagePath: + description: 'Optional: Path at which the file to + which the container''s termination message will + be written is mounted into the container''s filesystem. + Message written is intended to be brief final + status, such as an assertion failure message. + Will be truncated by the node if greater than + 4096 bytes. The total message length across all + containers will be limited to 12kb. Defaults to + /dev/termination-log. Cannot be updated.' 
+ type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output + is limited to 2048 bytes or 80 lines, whichever + is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will be + mapped to. + type: string + name: + description: name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how + mounts are propagated from the host to container + and the other way around. When not set, + MountPropagationNone is used. This field + is beta in 1.10. + type: string + name: + description: This must match the Name of a + Volume. 
+ type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults + to false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not + specified, the container runtime's default will + be used, which might be configured in the container + image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts file + if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry in + the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' + type: boolean + hostNetwork: + description: Host networking requested for this pod. Use + the host's network namespace. If this option is set, + the ports that will be used must be specified. Default + to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' 
+ type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful for + when the pod needs a feature only available to the host + user namespace, such as loading a kernel module with + CAP_SYS_MODULE. When set to false, a new userns is created + for the pod. Setting false is useful for mitigating + container breakout vulnerabilities even allowing users + to run their containers as root without actually having + root privileges on the host. This field is alpha-level + and is only honored by servers that enable the UserNamespacesSupport + feature.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use for + pulling any of the images used by this PodSpec. If specified, + these secrets will be passed to individual puller implementations + for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the + same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: 'List of initialization containers belonging + to the pod. Init containers are executed in order prior + to containers being started. If any init container fails, + the pod is considered to have failed and is handled + according to its restartPolicy. 
The name for an init + container or normal container must be unique among all + containers. Init containers may not have Lifecycle actions, + Readiness probes, Liveness probes, or Startup probes. + The resourceRequirements of an init container are taken + into account during scheduling by finding the highest + request/limit for each resource type, and then using + the max of of that value or the sum of the normal containers. + Limits are applied to init containers in a similar fashion. + Init containers cannot currently be added or removed. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded using + the container''s environment. If a variable cannot + be resolved, the reference in the input string + will be unchanged. Double $$ are reduced to a + single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will + never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". 
+ Escaped references will never be expanded, regardless + of whether the variable exists or not. Cannot + be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set + in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container and + any service environment variables. If a + variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal + "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable + exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container + is starting. When a key exists in multiple sources, + the value associated with the last source will + take precedence. Values defined by an Env with + a duplicate key will take precedence. Cannot be + updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a + C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately + before a container is terminated due to an + API request or management event such as liveness/startup + probe failure, preemption, resource contention, + etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace + period countdown begins before the PreStop + hook is executed. 
Regardless of the outcome + of the handler, the container will eventually + terminate within the Pod''s termination grace + period (unless delayed by finalizers). Other + management of the container blocks until the + hook completes or until the termination grace + period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in HTTP + probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT + supported as a LifecycleHandler and kept + for the backward compatibility. There + are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler + is specified. + properties: + host: + description: 'Optional: Host name to + connect to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number + must be in the range 1 to 65535. Name + must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. 
+ Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. 
Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that + port from being exposed. Any port which is listening + on the default "0.0.0.0" address inside a container + will be accessible from the network. Modifying + this array with strategic merge patch may corrupt + the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on the + pod's IP address. This must be a valid port + number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on the + host. If specified, this must be a valid + port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an + IANA_SVC_NAME and unique within the pod. + Each named port in a pod must have a unique + name. Name for the port that can be referred + to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, + TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + - protocol + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not specified, + it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. 
\n This is an alpha field + and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If Requests + is omitted for a container, it defaults to + Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests + cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restartPolicy: + description: 'RestartPolicy defines the restart + behavior of individual containers in a pod. This + field may only be set for init containers, and + the only allowed value is "Always". For non-init + containers or when this field is not specified, + the restart behavior is defined by the Pod''s + restart policy and the container type. 
Setting + the RestartPolicy as "Always" for the init container + will have the following effect: this init container + will be continually restarted on exit until all + regular containers have terminated. Once all regular + containers have completed, all init containers + with restartPolicy "Always" will be shut down. + This lifecycle differs from normal init containers + and is often referred to as a "sidecar" container. + Although this init container still starts in the + init container sequence, it does not wait for + the container to complete before proceeding to + the next init container. Instead, the next init + container starts immediately after this init container + is started, or after any startupProbe has successfully + completed.' + type: string + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. If set, + the fields of SecurityContext override the equivalent + fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run + as Privileged 2) has CAP_SYS_ADMIN Note that + this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when + running containers. Defaults to the default + set of capabilities granted by the container + runtime. Note that this field cannot be set + when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults to + false. Note that this field cannot be set + when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc + mount to use for the containers. The default + is DefaultProcMount which uses the container + runtime defaults for readonly paths and masked + paths. This requires the ProcMountType feature + flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only + root filesystem. Default is false. Note that + this field cannot be set when spec.os.name + is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of + the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must + run as a non-root user. If true, the Kubelet + will validate the image at runtime to ensure + that it does not run as UID 0 (root) and fail + to start the container if it does. If unset + or false, no such validation will be performed. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. 
+ type: boolean + runAsUser: + description: The UID to run the entrypoint of + the container process. Defaults to user specified + in image metadata if unspecified. May also + be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this + container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be preconfigured + on the node to work. Must be a descending + path, relative to the kubelet's configured + seccomp profile location. Must be set + if type is "Localhost". Must NOT be set + for any other type. + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. 
Valid + options are: \n Localhost - a profile + defined in a file on the node should be + used. RuntimeDefault - the container runtime + default profile should be used. Unconfined + - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot be + set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the + name of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a + container should be run as a 'Host Process' + container. All of a Pod's containers must + have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess + containers and non-HostProcess containers). + In addition, if HostProcess is true then + HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container process. + Defaults to the user specified in image + metadata if unspecified. May also be set + in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod + has successfully initialized. If specified, no + other probes are executed until this completes + successfully. 
If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + This can be used to provide different probe parameters + at the beginning of a Pod''s lifecycle, when it + might take a long time to load data or warm a + cache, than during steady-state operation. This + cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for + the probe to be considered failed after having + succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. 
+ type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for + the probe to be considered successful after + having failed. Defaults to 1. Must be 1 for + liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. 
Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the + pod needs to terminate gracefully upon probe + failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly halted + with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. Value + must be non-negative integer. The value zero + indicates stop immediately via the kill signal + (no opportunity to shut down). This is a beta + field and requires enabling ProbeTerminationGracePeriod + feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. If + this is not set, reads from stdin in the container + will always result in EOF. Default is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. If stdinOnce is set to true, stdin is + opened on container start, is empty until the + first client attaches to stdin, and then remains + open and accepts data until the client disconnects, + at which time stdin is closed and remains closed + until the container is restarted. 
If this flag + is false, a container processes that reads from + stdin will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to + which the container''s termination message will + be written is mounted into the container''s filesystem. + Message written is intended to be brief final + status, such as an assertion failure message. + Will be truncated by the node if greater than + 4096 bytes. The total message length across all + containers will be limited to 12kb. Defaults to + /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. FallbackToLogsOnError + will use the last chunk of container log output + if the termination message file is empty and the + container exited with an error. The log output + is limited to 2048 bytes or 80 lines, whichever + is smaller. Defaults to File. Cannot be updated. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will be + mapped to. + type: string + name: + description: name must match the name of a + persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. 
+ items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how + mounts are propagated from the host to container + and the other way around. When not set, + MountPropagationNone is used. This field + is beta in 1.10. + type: string + name: + description: This must match the Name of a + Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults + to false. + type: boolean + subPath: + description: Path within the volume from which + the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not + specified, the container runtime's default will + be used, which might be configured in the container + image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this pod + onto a specific node. If it is non-empty, the scheduler + simply schedules this pod onto that node, assuming that + it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be + true for the pod to fit on a node. Selector which must + match a node''s labels for the pod to be scheduled on + that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in the + pod. Some pod and container fields are restricted if + this is set. \n If the OS field is set to linux, the + following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile + - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy + - spec.securityContext.sysctls - spec.shareProcessNamespace + - spec.securityContext.runAsUser - spec.securityContext.runAsGroup + - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.containers[*].securityContext.seccompProfile + - spec.containers[*].securityContext.capabilities - + spec.containers[*].securityContext.readOnlyRootFilesystem + - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation + - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser + - spec.containers[*].securityContext.runAsGroup" + properties: + name: + description: 'Name is the name of the operating system. + The currently supported values are linux and windows. 
+ Additional value may be defined in future and can + be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as os: + null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time by + the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not be + set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. If RuntimeClass is configured + and selected in the PodSpec, Overhead will be set to + the value defined in the corresponding RuntimeClass, + otherwise it will remain unset and treated as zero. + More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. + format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. 
+ "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will be + evaluated for pod readiness. A pod is ready when all + its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" More + info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to those + containers which consume them by name. \n This is an + alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim inside + the Pod. Containers that need access to the ResourceClaim + reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name of + a ResourceClaim object in the same namespace + as this pod. 
+ type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is the + name of a ResourceClaimTemplate object in + the same namespace as this pod. \n The template + will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The pod name and resource name, + along with a generated component, will be + used to form a unique name for the ResourceClaim, + which will be recorded in pod.status.resourceClaimStatuses. + \n This field is immutable and no changes + will be made to the corresponding ResourceClaim + by the control plane after creating the ResourceClaim." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. In some contexts, + only a subset of those values may be permitted. Default + to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset or + empty, the "legacy" RuntimeClass will be used, which + is an implicit class with an empty definition that uses + the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod will + be dispatched by default scheduler. + type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. 
If + schedulingGates is not empty, the pod will stay in the + SchedulingGated state and the scheduler will not attempt + to schedule the pod. \n SchedulingGates can only be + set at pod creation time, and be removed only afterwards. + \n This is a beta feature enabled by the PodSchedulingReadiness + feature gate." + items: + description: PodSchedulingGate is associated to a Pod + to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each scheduling + gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that applies + to all containers in a pod. Some volume types allow + the Kubelet to change the ownership of that volume + to be owned by the pod: \n 1. The owning GID will + be the FSGroup 2. The setgid bit is set (new files + created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- \n + If unset, the Kubelet will not modify the ownership + and permissions of any volume. Note that this field + cannot be set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have no + effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name + is windows.' 
+ type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in SecurityContext. If set in both + SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for + that container. Note that this field cannot be set + when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will validate + the image at runtime to ensure that it does not + run as UID 0 (root) and fail to start the container + if it does. If unset or false, no such validation + will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified in + image metadata if unspecified. May also be set in + SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this + field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. 
+ type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must be set if type is "Localhost". + Must NOT be set for any other type. + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file on + the node should be used. RuntimeDefault - the + container runtime default profile should be + used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to the + container's primary GID, the fsGroup (if specified), + and group memberships defined in the container image + for the uid of the container process. If unspecified, + no additional groups are added to any container. + Note that group memberships defined in the container + image for the uid of the container process are still + effective, even if they are not included in this + list. Note that this field cannot be set when spec.os.name + is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. 
+ items: + description: Sysctl defines a kernel parameter to + be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options within + a container's SecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA + admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + All of a Pod's containers must have the same + effective HostProcess value (it is not allowed + to have a mix of HostProcess containers and + non-HostProcess containers). In addition, if + HostProcess is true then HostNetwork must also + be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the + entrypoint of the container process. Defaults + to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' 
+ type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount + to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the default). + In Linux containers, this means setting the FQDN in + the hostname field of the kernel (the nodename field + of struct utsname). In Windows containers, this means + setting the registry value of hostname for the registry + key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters + to FQDN. If a pod does not have FQDN, this has no effect. + Default to false. + type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process in + each container will not be assigned PID 1. HostPID and + ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have a + domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and + the time when the processes are forcibly halted with + a kill signal. Set this value longer than the expected + cleanup time for your process. 
Defaults to 30 seconds. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect to + match. Empty means match all taint effects. When + specified, allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect + NoExecute, otherwise this field is ignored) tolerates + the taint. By default, it is not set, which means + tolerate the taint forever (do not evict). Zero + and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a + group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides by + the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. 
+ properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: "MatchLabelKeys is a set of pod label + keys to select the pods over which spreading will + be calculated. The keys are used to lookup values + from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. The same + key is forbidden to exist in both MatchLabelKeys + and LabelSelector. 
MatchLabelKeys cannot be set + when LabelSelector isn't set. Keys that don't + exist in the incoming pod labels will be ignored. + A null or empty list means only match against + labelSelector. \n This is a beta field and requires + the MatchLabelKeysInPodTopologySpread feature + gate to be enabled (enabled by default)." + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the + same labelSelector spread as 2/2/1: In this case, + the global minimum is 1. | zone1 | zone2 | zone3 + | | P P | P P | P | - if MaxSkew is 1, + incoming pod can only be scheduled to zone3 to + become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). - if MaxSkew is 2, incoming + pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default + value is 1 and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less than + minDomains, Pod Topology Spread treats \"global + minimum\" as 0, and then the calculation of Skew + is performed. And when the number of eligible + domains with matching topology keys equals or + greater than minDomains, this value has no effect + on scheduling. 
As a result, when the number of + eligible domains is less than minDomains, scheduler + won't schedule more than maxSkew Pods to those + domains. If value is nil, the constraint behaves + as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, + WhenUnsatisfiable must be DoNotSchedule. \n For + example, in a 3-zone cluster, MaxSkew is set to + 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number + of domains is less than 5(MinDomains), so \"global + minimum\" is treated as 0. In this situation, + new pod with the same labelSelector cannot be + scheduled, because computed skew will be 3(3 - + 0) if new Pod is scheduled to any of the three + zones, it will violate MaxSkew. \n This is a beta + field and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we + will treat Pod's nodeAffinity/nodeSelector when + calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. + \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod topology + spread skew. Options are: - Honor: nodes without + taints, along with tainted nodes for which the + incoming pod has a toleration, are included. - + Ignore: node taints are ignored. All nodes are + included. \n If this value is nil, the behavior + is equivalent to the Ignore policy. 
This is a + beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", and + try to put balanced number of pods into each bucket. + We define a domain as a particular instance of + a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. e.g. + If TopologyKey is "kubernetes.io/hostname", each + Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is + a domain of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to + deal with a pod if it doesn''t satisfy the spread + constraint. - DoNotSchedule (default) tells the + scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. A constraint + is considered "Unsatisfiable" for an incoming + pod if and only if every possible node assignment + for that pod would violate "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set + to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) + satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t + make it *more* imbalanced. It''s a required field.' 
+ type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by containers + belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a pod + that may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents an + AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for + /dev/sda is "0" (or you can leave the property + empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS volume). 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to mount. + Must be a filesystem type supported by the + host operating system. Ex. "ext4", "xfs", + "ntfs". Implicitly inferred to be "ext4" if + unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to the + pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name and + Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on + the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph tree, + default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters used + to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that + should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 + and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. 
Defaults to 0644. Directories within + the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced ConfigMap + will be projected into the volume as a file + whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified + which is not present in the ConfigMap, the + volume setup will error unless it is marked + optional. Paths must be relative and may not + contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. + Must be an octal value between 0000 + and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used. + This might be in conflict with other + options that affect the file mode, like + fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May not + be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: driver is the name of the CSI driver + that handles this volume. Consult with your + admin for the correct name as registered in + the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", "xfs", + "ntfs". If not provided, the empty value is + passed to the associated CSI driver which + will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to complete + the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may be + empty if no secret is required. If the secret + object contains more than one secret, all + secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for supported + values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 + and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. Defaults to 0644. Directories within + the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. + YAML accepts both octal and decimal + values, JSON requires decimal values + for mode bits. If not specified, the + volume defaultMode will be used. This + might be in conflict with other options + that affect the file mode, like fsGroup, + and the result can be other mode bits + set.' 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. + Must not be absolute or contain the + ''..'' path. Must be utf-8 encoded. + The first item of the relative path + must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the + container: only resources limits and + requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to + select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary directory + that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type of + storage medium should back this directory. + The default is "" which means to use the node''s + default medium. Must be an empty string (default) + or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. 
The maximum usage on memory + medium EmptyDir would be the minimum value + between the SizeLimit specified here and the + sum of memory limits of all containers in + a pod. The default is nil which means that + the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: "ephemeral represents a volume that + is handled by a cluster storage driver. The volume's + lifecycle is tied to the pod that defines it - + it will be created before the pod starts, and + deleted when the pod is removed. \n Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from + snapshot or capacity tracking are needed, c) the + storage driver is specified through a storage + class, and d) the storage driver supports dynamic + volume provisioning through a PersistentVolumeClaim + (see EphemeralVolumeSource for more information + on the connection between this volume type and + PersistentVolumeClaim). \n Use PersistentVolumeClaim + or one of the vendor-specific APIs for volumes + that persist for longer than the lifecycle of + an individual pod. \n Use CSI for light-weight + local ephemeral volumes if the CSI driver is meant + to be used that way - see the documentation of + the driver for more information. \n A pod can + use both types of ephemeral volumes and persistent + volumes at the same time." + properties: + volumeClaimTemplate: + description: "Will be used to create a stand-alone + PVC to provision the volume. The pod in which + this EphemeralVolumeSource is embedded will + be the owner of the PVC, i.e. the PVC will + be deleted together with the pod. The name + of the PVC will be `-` + where `` is the name from the + `PodSpec.Volumes` array entry. 
Pod validation + will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + \n An existing PVC with that name that is + not owned by the pod will *not* be used for + the pod to avoid using an unrelated volume + by mistake. Starting the pod is then blocked + until the unrelated PVC is removed. If such + a pre-created PVC is meant to be used by the + pod, the PVC has to updated with an owner + reference to the pod once the pod exists. + Normally this should not be necessary, but + it may be useful when manually reconstructing + a broken cluster. \n This field is read-only + and no changes will be made by Kubernetes + to the PVC after it has been created. \n Required, + must not be nil." + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + type: object + spec: + description: The specification for the PersistentVolumeClaim. + The entire content is copied unchanged + into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains the + desired access modes the volume should + have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can be + used to specify either: * An existing + VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of the + specified data source. 
When the AnyVolumeDataSource + feature gate is enabled, dataSource + contents will be copied to dataSourceRef, + and dataSourceRef contents will be + copied to dataSource when dataSourceRef.namespace + is not specified. If the namespace + is specified, then dataSourceRef will + not be copied to dataSource.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any other + third-party types, APIGroup is + required. + type: string + kind: + description: Kind is the type of + resource being referenced + type: string + name: + description: Name is the name of + resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: 'dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed if + the type of the specified object matches + some installed volume populator or + dynamic provisioner. This field will + replace the functionality of the dataSource + field and as such if both fields are + non-empty, they must have the same + value. For backwards compatibility, + when namespace isn''t specified in + dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to + the same value automatically if one + of them is empty and the other is + non-empty. When namespace is specified + in dataSourceRef, dataSource isn''t + set to the same value and must be + empty. There are three important differences + between dataSource and dataSourceRef: + * While dataSource only allows two + specific types of objects, dataSourceRef + allows any non-core object, as well + as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates + an error if a disallowed value is + specified. * While dataSource only + allows local objects, dataSourceRef + allows objects in any namespaces. + (Beta) Using this field requires the + AnyVolumeDataSource feature gate to + be enabled. (Alpha) Using the namespace + field of dataSourceRef requires the + CrossNamespaceVolumeDataSource feature + gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any other + third-party types, APIGroup is + required. + type: string + kind: + description: Kind is the type of + resource being referenced + type: string + name: + description: Name is the name of + resource being referenced + type: string + namespace: + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents the + minimum resources the volume should + have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements that + are lower than previous value but + must still be higher than capacity + recorded in the status field of the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the names + of resources, defined in spec.resourceClaims, + that are used by this container. 
+ \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is + immutable. It can only be set + for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry in + pod.spec.resourceClaims + of the Pod where this field + is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the + maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, it + defaults to Limits if that is + explicitly specified, otherwise + to an implementation-defined value. + Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. 
+ items: + description: A label selector + requirement is a selector that + contains values, a key, and + an operator that relates the + key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In or + NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be + empty. This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single + {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator is + "In", and the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is the + name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and + then exposed to the pod. 
+ properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. TODO: how do we prevent errors + in the filesystem from compromising the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or combination + of targetWWNs and lun must be set, but not + both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using an + exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret object + is specified. 
If the secret object contains + more than one secret, all secrets are passed + to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a Flocker + dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of the + volume that you want to mount. Tip: Ensure + that the filesystem type is supported by the + host operating system. Examples: "ext4", "xfs", + "ntfs". Implicitly inferred to be "ext4" if + unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for + /dev/sda is "0" (or you can leave the property + empty). 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the PD + resource in GCE. Used to identify the disk + in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with a + git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs mount + on the host that shares a pod''s lifetime. More + info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume path. 
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the Glusterfs + volume to be mounted with read-only permissions. + Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- TODO(jonesdl) We need to restrict who can + use host directory mounts and who can/can not + mount host directories as read/write.' + properties: + path: + description: 'path of the directory on the host. + If the path is a symlink, it will follow the + link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". 
Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new iSCSI + interface : will + be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for + iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target Portal. + The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the NFS + server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the NFS + export to be mounted with read-only permissions. + Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP address + of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets + host machine + properties: + fsType: + description: fsType is the filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. 
+ type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs". Implicitly inferred to be "ext4" if + unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a + Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits used + to set permissions on created files by default. + Must be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. Directories + within the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. 
If specified, + the listed keys will be projected + into the specified paths, and unlisted + keys will not be present. If a key + is specified which is not present + in the ConfigMap, the volume setup + will error unless it is marked optional. + Paths must be relative and may not + contain the '..' path or start with + '..'. + items: + description: Maps a string key to + a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 + or a decimal value between + 0 and 511. YAML accepts both + octal and decimal values, + JSON requires decimal values + for mode bits. If not specified, + the volume defaultMode will + be used. This might be in + conflict with other options + that affect the file mode, + like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map the + key to. May not be an absolute + path. May not contain the + path element '..'. May not + start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms of, + defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an octal + value between 0000 and 0777 + or a decimal value between + 0 and 511. YAML accepts both + octal and decimal values, + JSON requires decimal values + for mode bits. If not specified, + the volume defaultMode will + be used. This might be in + conflict with other options + that affect the file mode, + like fsGroup, and the result + can be other mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or contain + the ''..'' path. Must be utf-8 + encoded. The first item of + the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are currently + supported.' 
+ properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the + output format of the exposed + resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret will + be projected into the volume as + a file whose name is the key and + content is the value. If specified, + the listed keys will be projected + into the specified paths, and unlisted + keys will not be present. If a key + is specified which is not present + in the Secret, the volume setup + will error unless it is marked optional. + Paths must be relative and may not + contain the '..' path or start with + '..'. + items: + description: Maps a string key to + a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 + or a decimal value between + 0 and 511. YAML accepts both + octal and decimal values, + JSON requires decimal values + for mode bits. If not specified, + the volume defaultMode will + be used. This might be in + conflict with other options + that affect the file mode, + like fsGroup, and the result + can be other mode bits set.' 
+ format: int32 + type: integer + path: + description: path is the relative + path of the file to map the + key to. May not be an absolute + path. May not contain the + path element '..'. May not + start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to + project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and otherwise + should reject the token. The audience + defaults to the identifier of the + apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. As + the token approaches expiration, + the kubelet volume plugin will proactively + rotate the service account token. + The kubelet will start trying to + rotate the token if the token is + older than 80 percent of its time + to live or if the token is older + than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file to + project the token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to Default + is no group + type: string + readOnly: + description: readOnly here will force the Quobyte + volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: registry represents a single or + multiple Quobyte Registry services specified + as a string as host:port pair (multiple entries + are separated with commas) which acts as the + central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to Defaults + to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. 
Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of Ceph + monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. Default + is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. Default + is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of + the ScaleIO Protection Domain for the configured + storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). 
+ ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation will + fail. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default false + type: boolean + storageMode: + description: storageMode indicates whether the + storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that should + populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between 0 + and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for mode + bits. Defaults to 0644. Directories within + the path are not affected by this setting. + This might be in conflict with other options + that affect the file mode, like fsGroup, and + the result can be other mode bits set.' 
+ format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced Secret + will be projected into the volume as a file + whose name is the key and content is the value. + If specified, the listed keys will be projected + into the specified paths, and unlisted keys + will not be present. If a key is specified + which is not present in the Secret, the volume + setup will error unless it is marked optional. + Paths must be relative and may not contain + the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits + used to set permissions on this file. + Must be an octal value between 0000 + and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used. + This might be in conflict with other + options that affect the file mode, like + fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May not + be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type to + mount. 
Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be "ext4" + if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the scope + of the volume within StorageOS. If no namespace + is specified then the Pod's namespace will + be used. This allows the Kubernetes name + scoping to be mirrored within StorageOS for + tighter integration. Set VolumeName to any + name to override the default behaviour. Set + to "default" if you are not using namespaces + within StorageOS. Namespaces that do not pre-exist + within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host machine + properties: + fsType: + description: fsType is filesystem type to mount. + Must be a filesystem type supported by the + host operating system. Ex. "ext4", "xfs", + "ntfs". Implicitly inferred to be "ext4" if + unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. 
+ type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + ttlSecondsAfterFinished: + description: ttlSecondsAfterFinished limits the lifetime of a + Job that has finished execution (either Complete or Failed). + If this field is set, ttlSecondsAfterFinished after the Job + finishes, it is eligible to be automatically deleted. When the + Job is being deleted, its lifecycle guarantees (e.g. finalizers) + will be honored. If this field is unset, the Job won't be automatically + deleted. If this field is set to zero, the Job becomes eligible + to be deleted immediately after it finishes. + format: int32 + type: integer + required: + - template + type: object + maxReplicaCount: + format: int32 + type: integer + minReplicaCount: + format: int32 + type: integer + pollingInterval: + format: int32 + type: integer + rollout: + description: Rollout defines the strategy for job rollouts + properties: + propagationPolicy: + type: string + strategy: + type: string + type: object + rolloutStrategy: + type: string + scalingStrategy: + description: ScalingStrategy defines the strategy of Scaling + properties: + customScalingQueueLengthDeduction: + format: int32 + type: integer + customScalingRunningJobPercentage: + type: string + multipleScalersCalculation: + type: string + pendingPodConditions: + items: + type: string + type: array + strategy: + type: string + type: object + successfulJobsHistoryLimit: + format: int32 + type: integer + triggers: + items: + description: ScaleTriggers reference the scaler that will be used + properties: + authenticationRef: + description: AuthenticationRef points to the TriggerAuthentication + or 
ClusterTriggerAuthentication object that is used to authenticate + the scaler with the environment + properties: + kind: + description: Kind of the resource being referred to. Defaults + to TriggerAuthentication. + type: string + name: + type: string + required: + - name + type: object + metadata: + additionalProperties: + type: string + type: object + name: + type: string + type: + type: string + useCachedMetrics: + type: boolean + required: + - metadata + - type + type: object + type: array + required: + - jobTargetRef + - triggers + type: object + status: + description: ScaledJobStatus defines the observed state of ScaledJob + properties: + Paused: + type: string + conditions: + description: Conditions an array representation to store multiple + Conditions + items: + description: Condition to store the condition state + properties: + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + lastActiveTime: + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end -}} diff --git a/examples/helm-keda/templates/crds/crd-scaledobjects.yaml b/examples/helm-keda/templates/crds/crd-scaledobjects.yaml new file mode 100644 index 000000000..05f98ce1b --- /dev/null +++ b/examples/helm-keda/templates/crds/crd-scaledobjects.yaml 
@@ -0,0 +1,406 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: scaledobjects.keda.sh +spec: + group: keda.sh + names: + kind: ScaledObject + listKind: ScaledObjectList + plural: scaledobjects + shortNames: + - so + singular: scaledobject + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.scaleTargetKind + name: ScaleTargetKind + type: string + - jsonPath: .spec.scaleTargetRef.name + name: ScaleTargetName + type: string + - jsonPath: .spec.minReplicaCount + name: Min + type: integer + - jsonPath: .spec.maxReplicaCount + name: Max + type: integer + - jsonPath: .spec.triggers[*].type + name: Triggers + type: string + - jsonPath: .spec.triggers[*].authenticationRef.name + name: Authentication + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Active")].status + name: Active + type: string + - jsonPath: .status.conditions[?(@.type=="Fallback")].status + name: Fallback + type: string + - jsonPath: .status.conditions[?(@.type=="Paused")].status + name: Paused + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ScaledObject is a specification for a ScaledObject resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScaledObjectSpec is the spec for a ScaledObject resource + properties: + advanced: + description: AdvancedConfig specifies advance scaling options + properties: + horizontalPodAutoscalerConfig: + description: HorizontalPodAutoscalerConfig specifies horizontal + scale config + properties: + behavior: + description: HorizontalPodAutoscalerBehavior configures the + scaling behavior of the target in both Up and Down directions + (scaleUp and scaleDown fields respectively). + properties: + scaleDown: + description: scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down + to minReplicas pods, with a 300 second stabilization + window (i.e., the highest recommendation for the last + 300sec is used). + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: periodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. 
+ type: string + value: + description: value contains the amount of change + which is permitted by the policy. It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + Max is used. + type: string + stabilizationWindowSeconds: + description: 'stabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + maximum: 3600 + minimum: 0 + type: integer + type: object + scaleUp: + description: 'scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: * increase + no more than 4 pods per 60 seconds * double the number + of pods per 60 seconds No stabilization is used.' + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: periodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: value contains the amount of change + which is permitted by the policy. 
It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + Max is used. + type: string + stabilizationWindowSeconds: + description: 'stabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + maximum: 3600 + minimum: 0 + type: integer + type: object + type: object + name: + type: string + type: object + restoreToOriginalReplicaCount: + type: boolean + scalingModifiers: + description: ScalingModifiers describes advanced scaling logic + options like formula + properties: + activationTarget: + type: string + formula: + type: string + metricType: + description: MetricTargetType specifies the type of metric + being targeted, and should be either "Value", "AverageValue", + or "Utilization" + type: string + target: + type: string + type: object + type: object + cooldownPeriod: + format: int32 + type: integer + fallback: + description: Fallback is the spec for fallback options + properties: + failureThreshold: + format: int32 + type: integer + replicas: + format: int32 + type: integer + required: + - failureThreshold + - replicas + type: object + idleReplicaCount: + format: int32 + type: integer + maxReplicaCount: + format: int32 + type: integer + minReplicaCount: + format: int32 + type: integer + pollingInterval: + format: int32 + type: integer + scaleTargetRef: + description: ScaleTarget holds the reference to the scale target Object + properties: + 
apiVersion: + type: string + envSourceContainerName: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + triggers: + items: + description: ScaleTriggers reference the scaler that will be used + properties: + authenticationRef: + description: AuthenticationRef points to the TriggerAuthentication + or ClusterTriggerAuthentication object that is used to authenticate + the scaler with the environment + properties: + kind: + description: Kind of the resource being referred to. Defaults + to TriggerAuthentication. + type: string + name: + type: string + required: + - name + type: object + metadata: + additionalProperties: + type: string + type: object + metricType: + description: MetricTargetType specifies the type of metric being + targeted, and should be either "Value", "AverageValue", or + "Utilization" + type: string + name: + type: string + type: + type: string + useCachedMetrics: + type: boolean + required: + - metadata + - type + type: object + type: array + required: + - scaleTargetRef + - triggers + type: object + status: + description: ScaledObjectStatus is the status for a ScaledObject resource + properties: + compositeScalerName: + type: string + conditions: + description: Conditions an array representation to store multiple + Conditions + items: + description: Condition to store the condition state + properties: + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + externalMetricNames: + items: + type: string + type: array + health: + additionalProperties: + description: HealthStatus is the status for a ScaledObject's health + properties: + numberOfFailures: + format: int32 + type: integer + status: + description: HealthStatusType is an indication of whether the + health status is happy or failing + type: string + type: object + type: object + hpaName: + type: string + lastActiveTime: + format: date-time + type: string + originalReplicaCount: + format: int32 + type: integer + pausedReplicaCount: + format: int32 + type: integer + resourceMetricNames: + items: + type: string + type: array + scaleTargetGVKR: + description: GroupVersionKindResource provides unified structure for + schema.GroupVersionKind and Resource + properties: + group: + type: string + kind: + type: string + resource: + type: string + version: + type: string + required: + - group + - kind + - resource + - version + type: object + scaleTargetKind: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end -}} diff --git a/examples/helm-keda/templates/crds/crd-triggerauthentications.yaml b/examples/helm-keda/templates/crds/crd-triggerauthentications.yaml new file mode 100644 index 000000000..4facbdbaa --- /dev/null +++ b/examples/helm-keda/templates/crds/crd-triggerauthentications.yaml 
@@ -0,0 +1,274 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: triggerauthentications.keda.sh +spec: + group: keda.sh + names: + kind: TriggerAuthentication + listKind: TriggerAuthenticationList + plural: triggerauthentications + shortNames: + - ta + - triggerauth + singular: triggerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.podIdentity.provider + name: PodIdentity + type: string + - jsonPath: .spec.secretTargetRef[*].name + name: Secret + type: string + - jsonPath: .spec.env[*].name + name: Env + type: string + - jsonPath: .spec.hashiCorpVault.address + name: VaultAddress + type: string + - jsonPath: .status.scaledobjects + name: ScaledObjects + priority: 1 + type: string + - jsonPath: .status.scaledjobs + name: ScaledJobs + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: TriggerAuthentication defines how a trigger can authenticate + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TriggerAuthenticationSpec defines the various ways to authenticate + properties: + azureKeyVault: + description: AzureKeyVault is used to authenticate using Azure Key + Vault + properties: + cloud: + properties: + activeDirectoryEndpoint: + type: string + keyVaultResourceURL: + type: string + type: + type: string + required: + - type + type: object + credentials: + properties: + clientId: + type: string + clientSecret: + properties: + valueFrom: + properties: + secretKeyRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + required: + - valueFrom + type: object + tenantId: + type: string + required: + - clientId + - clientSecret + - tenantId + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform + native identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secrets: + items: + properties: + name: + type: string + parameter: + type: string + version: + type: string + required: + - name + - parameter + type: object + type: array + vaultUri: + type: string + required: + - secrets + - vaultUri + type: object + env: + items: + description: AuthEnvironment is used to authenticate using environment + variables in the destination ScaleTarget spec + properties: + containerName: + type: string + name: + type: string + parameter: + type: string + required: + - name + - parameter + type: object + type: array + hashiCorpVault: + description: HashiCorpVault is used to authenticate using Hashicorp + Vault + properties: + address: + type: string + authentication: + description: VaultAuthentication contains the list of Hashicorp + 
Vault authentication methods + type: string + credential: + description: Credential defines the Hashicorp Vault credentials + depending on the authentication method + properties: + serviceAccount: + type: string + token: + type: string + type: object + mount: + type: string + namespace: + type: string + role: + type: string + secrets: + items: + description: VaultSecret defines the mapping between the path + of the secret in Vault to the parameter + properties: + key: + type: string + parameter: + type: string + path: + type: string + pkiData: + properties: + altNames: + type: string + commonName: + type: string + format: + type: string + ipSans: + type: string + otherSans: + type: string + ttl: + type: string + uriSans: + type: string + type: object + type: + description: VaultSecretType defines the type of vault secret + type: string + required: + - key + - parameter + - path + type: object + type: array + required: + - address + - authentication + - secrets + type: object + podIdentity: + description: AuthPodIdentity allows users to select the platform native + identity mechanism + properties: + identityId: + type: string + provider: + description: PodIdentityProvider contains the list of providers + type: string + required: + - provider + type: object + secretTargetRef: + items: + description: AuthSecretTargetRef is used to authenticate using a + reference to a secret + properties: + key: + type: string + name: + type: string + parameter: + type: string + required: + - key + - name + - parameter + type: object + type: array + type: object + status: + description: TriggerAuthenticationStatus defines the observed state of + TriggerAuthentication + properties: + scaledjobs: + type: string + scaledobjects: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end -}} 
diff --git a/examples/helm-keda/templates/extensibility/extra-manifests.yaml b/examples/helm-keda/templates/extensibility/extra-manifests.yaml
new file mode 100644
index 000000000..2855904ec
--- /dev/null
+++ b/examples/helm-keda/templates/extensibility/extra-manifests.yaml
@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl (toYaml .) $ }}
+{{ end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/manager/clusterrole.yaml b/examples/helm-keda/templates/manager/clusterrole.yaml
new file mode 100644
index 000000000..0242a03fb
--- /dev/null
+++ b/examples/helm-keda/templates/manager/clusterrole.yaml
@@ -0,0 +1,180 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - configmaps/status
+ - events
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - external
+ - pods
+ {{- if eq .Values.permissions.operator.restrict.secret false }}
+ - secrets
+ {{- end }}
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+- apiGroups:
+ - '*'
+ resources:
+ - '*/scale'
+ verbs:
+ - '*'
+ {{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ {{- end }}
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - '*'
+- apiGroups:
+ - keda.sh
+ resources:
+ - clustertriggerauthentications
+ - clustertriggerauthentications/status
+ verbs:
+ - '*'
+- apiGroups:
+ - keda.sh
+ resources:
+ - scaledjobs
+ - scaledjobs/finalizers
+ - scaledjobs/status
+ verbs:
+ - '*'
+- apiGroups:
+ - keda.sh
+ resources:
+ - scaledobjects
+ - scaledobjects/finalizers
+ - scaledobjects/status
+ verbs:
+ - '*'
+- apiGroups:
+ - keda.sh
+ resources:
+ - triggerauthentications
+ - triggerauthentications/status
+ verbs:
+ - '*'
+{{- if .Values.rbac.aggregateToDefaultRoles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: keda:edit
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+rules:
+- apiGroups:
+ - keda.sh
+ resources:
+ - clustertriggerauthentications
+ - scaledjobs
+ - scaledobjects
+ - triggerauthentications
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: keda:view
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+rules:
+- apiGroups:
+ - keda.sh
+ resources:
+ - clustertriggerauthentications
+ - scaledjobs
+ - scaledobjects
+ - triggerauthentications
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
+{{- end -}}
diff --git a/examples/helm-keda/templates/manager/clusterrolebinding.yaml b/examples/helm-keda/templates/manager/clusterrolebinding.yaml
new file mode 100644
index 000000000..5d13f80ad
--- /dev/null
+++ b/examples/helm-keda/templates/manager/clusterrolebinding.yaml
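Review bot: The `permissions.operator.restrict.secret` switch in the second rule of `manager/clusterrole.yaml` does not stop the operator from reading Secrets, because the later rule with `apiGroups: '*'`, `resources: '*'` and `verbs: get` still grants `get` on every resource in every namespace; the switch only removes `list` and `watch` on `secrets`. As this chart is added under `examples/` and is likely to be copied as a starting point, I would say so directly above the wildcard rule, for example `# also grants get on secrets cluster-wide, independent of permissions.operator.restrict.secret`. Anyone relying on the switch can confirm the effective permission after install with `kubectl auth can-i get secrets --as=system:serviceaccount:<namespace>:<serviceaccount-name> -A`. Whether the wildcard rule can be narrowed depends on which scale targets the operator has to resolve, which this hunk does not show.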
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.operator.name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/examples/helm-keda/templates/manager/deployment.yaml b/examples/helm-keda/templates/manager/deployment.yaml
new file mode 100644
index 000000000..b993ae94c
--- /dev/null
+++ b/examples/helm-keda/templates/manager/deployment.yaml
@@ -0,0 +1,216 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.operator.name }} + namespace: {{ .Release.Namespace }} + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ .Values.operator.name }} + name: {{ .Values.operator.name }} + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} +spec: + revisionHistoryLimit: {{ .Values.operator.revisionHistoryLimit}} + replicas: {{ .Values.operator.replicaCount}} + {{- with .Values.upgradeStrategy.operator }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ .Values.operator.name }} + template: + metadata: + labels: + app: {{ .Values.operator.name }} + name: {{ .Values.operator.name }} + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 8 }} + {{- if .Values.podIdentity.activeDirectory.identity }} + aadpodidbinding: {{ .Values.podIdentity.activeDirectory.identity }} + {{- end }} + {{- if .Values.podLabels.keda }} + {{- toYaml .Values.podLabels.keda | nindent 8 }} + {{- end }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + azure.workload.identity/use: "true" + {{- end }} + {{- if or .Values.podAnnotations.keda .Values.additionalAnnotations }} + annotations: + {{- if .Values.podAnnotations.keda }} + {{- toYaml .Values.podAnnotations.keda | nindent 8 }} + {{- end }} + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount.name }} + automountServiceAccountToken: true + securityContext: + {{- if .Values.podSecurityContext.operator }} + {{- toYaml .Values.podSecurityContext.operator | nindent 8 }} + {{- else }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + containers: + - name: {{ .Values.operator.name }} + securityContext: + {{- if .Values.securityContext.operator }} + {{- toYaml .Values.securityContext.operator | nindent 12 }} + {{- else }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}" + command: + - "/keda" + args: + - "--leader-elect" + - "--zap-log-level={{ .Values.logging.operator.level }}" + - "--zap-encoder={{ .Values.logging.operator.format }}" + - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}" + - "--cert-dir={{ .Values.certificates.mountPath }}" + - "--enable-cert-rotation={{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}" + - "--cert-secret-name={{ .Values.certificates.secretName }}" + - "--operator-service-name={{ .Values.operator.name }}" + - "--metrics-server-service-name={{ .Values.operator.name }}-metrics-apiserver" + - "--webhooks-service-name={{ .Values.webhooks.name }}" + - "--k8s-cluster-domain={{ .Values.clusterDomain }}" + {{- if .Values.prometheus.operator.enabled }} + - "--metrics-bind-address=:{{ .Values.prometheus.operator.port }}" + - "--enable-prometheus-metrics={{ .Values.prometheus.operator.enabled }}" + {{- end }} + {{- if .Values.opentelemetry.operator.enabled }} + - "--enable-opentelemetry-metrics={{ .Values.opentelemetry.operator.enabled}}" + {{- end }} + {{- range $key, $value := .Values.extraArgs.keda }} + - "--{{ $key }}={{ $value }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + 
initialDelaySeconds: {{ .Values.operator.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.operator.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.operator.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.operator.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.operator.livenessProbe.successThreshold }} + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: {{ .Values.operator.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.operator.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.operator.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.operator.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.operator.readinessProbe.successThreshold }} + ports: + - containerPort: 8080 + name: http + protocol: TCP + env: + - name: WATCH_NAMESPACE + value: {{ .Values.watchNamespace | quote }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OPERATOR_NAME + value: {{ .Values.operator.name }} + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: {{ .Values.http.timeout | quote }} + - name: KEDA_HTTP_MIN_TLS_VERSION + value: {{ .Values.http.minTlsVersion }} + {{- if ( not .Values.http.keepAlive.enabled ) }} + - name: KEDA_HTTP_DISABLE_KEEP_ALIVE + value: "true" + {{- end }} + {{- if .Values.permissions.operator.restrict.secret }} + - name: KEDA_RESTRICT_SECRET_ACCESS + value: {{ .Values.permissions.operator.restrict.secret | quote }} + {{- end }} + {{- if .Values.opentelemetry.collector.uri }} + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: {{ .Values.opentelemetry.collector.uri | quote }} + {{- end }} + {{- if .Values.env }} + {{- toYaml .Values.env | nindent 12 -}} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.certificates.mountPath }} + name: certificates + readOnly: true + {{- if .Values.grpcTLSCertsSecret }} + - name: 
grpc-certs + mountPath: /grpccerts + {{- end }} + {{- if .Values.hashiCorpVaultTLS }} + - name: hashicorp-vault-certs + mountPath: /hashicorp-vaultcerts + {{- end }} + {{- if .Values.volumes.keda.extraVolumeMounts }} + {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 10 }} + {{- end }} + resources: + {{- if .Values.resources.operator }} + {{- toYaml .Values.resources.operator | nindent 12 }} + {{- else }} + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + - name: certificates + secret: + defaultMode: 420 + secretName: {{ .Values.certificates.secretName }} + optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} + {{- if .Values.grpcTLSCertsSecret }} + - name: grpc-certs + secret: + secretName: {{ .Values.grpcTLSCertsSecret }} + {{- end }} + {{- if .Values.hashiCorpVaultTLS }} + - name: hashicorp-vault-certs + secret: + secretName: {{ .Values.hashiCorpVaultTLS }} + {{- end }} + {{- if .Values.volumes.keda.extraVolumes }} + {{- toYaml .Values.volumes.keda.extraVolumes | nindent 6 }} + {{- end }} + nodeSelector: + kubernetes.io/os: linux + {{- with .Values.nodeSelector }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.podIdentity.gcp.enabled }} + iam.gke.io/gke-metadata-server-enabled: "true" + {{- end }} + {{- if .Values.operator.affinity }} + affinity: + {{- toYaml .Values.operator.affinity | nindent 8 }} + {{- else if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints.operator }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/examples/helm-keda/templates/manager/poddisruptionbudget.yaml b/examples/helm-keda/templates/manager/poddisruptionbudget.yaml new file mode 100644 index 000000000..4d087c630 --- /dev/null 
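Review bot: The `KEDA_HTTP_MIN_TLS_VERSION` entry renders `value: {{ .Values.http.minTlsVersion }}` without `| quote`, unlike `KEDA_HTTP_DEFAULT_TIMEOUT` directly above it. A container env value has to be a string, so a values override that YAML reads as a number or boolean would make the API server reject the Deployment; I would write `value: {{ .Values.http.minTlsVersion | quote }}` and quote `OPERATOR_NAME` the same way. The same unquoted line appears in metrics-server/deployment.yaml.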
+++ b/examples/helm-keda/templates/manager/poddisruptionbudget.yaml
@@ -0,0 +1,32 @@
+{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.operator }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Values.operator.name }}
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.operator }}
+ {{- if .Values.podDisruptionBudget.operator.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.operator.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.operator.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.operator.maxUnavailable }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Values.operator.name }}
+{{- end }}
diff --git a/examples/helm-keda/templates/manager/podmonitor.yaml b/examples/helm-keda/templates/manager/podmonitor.yaml
new file mode 100644
index 000000000..7304828f8
--- /dev/null
+++ b/examples/helm-keda/templates/manager/podmonitor.yaml
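Review bot: `spec` can emit `minAvailable` or `maxUnavailable` twice, because the top-level `podDisruptionBudget.*` blocks and the `podDisruptionBudget.operator.*` blocks are independent `if`s; setting both levels yields duplicate keys, and setting both fields yields a PodDisruptionBudget the API rejects, since only one of the two may be specified. I would resolve the source once with `{{- $pdb := .Values.podDisruptionBudget.operator | default .Values.podDisruptionBudget }}` and then use a single `if`/`else if` over `$pdb.minAvailable` and `$pdb.maxUnavailable`. The `app.kubernetes.io/name` label is also taken from `.Values.serviceAccount.name`, while the other manager templates visible in this patch use `.Values.operator.name`. metrics-server/poddisruptionbudget.yaml repeats the duplicate-key pattern.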
@@ -0,0 +1,39 @@
+{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ .Values.operator.name }}
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.operator.podMonitor.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.podMonitor.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ podMetricsEndpoints:
+ - port: http
+ path: /metrics
+ {{- with .Values.prometheus.operator.podMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.podMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.podMonitor.relabelings }}
+ relabelings:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app: {{ .Values.operator.name }}
+{{- end }}
diff --git a/examples/helm-keda/templates/manager/prometheusrules.yaml b/examples/helm-keda/templates/manager/prometheusrules.yaml
new file mode 100644
index 000000000..d117ca139
--- /dev/null
+++ b/examples/helm-keda/templates/manager/prometheusrules.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.prometheusRules.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ .Values.operator.name }}
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.operator.prometheusRules.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.prometheusRules.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ .Values.operator.name }}
+ rules:
+{{ toYaml .Values.prometheus.operator.prometheusRules.alerts | indent 6 }}
+{{- end }}
diff --git a/examples/helm-keda/templates/manager/role.yaml b/examples/helm-keda/templates/manager/role.yaml
new file mode 100644
index 000000000..e2cd4eca8
--- /dev/null
+++ b/examples/helm-keda/templates/manager/role.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.create }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ {{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}
+ - create
+ - delete
+ - patch
+ - update
+ {{- end }}
+ - watch
+ - get
+ - list
+{{- end -}}
+{{- end -}}
\ No newline at end of file
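Review bot: The single rule in manager/role.yaml covers every Secret in the release namespace, and with auto-generated certificates it adds `create`, `delete`, `patch` and `update` on all of them. If those write verbs exist only so the operator can rotate its own certificate Secret (the Deployment passes `--cert-secret-name={{ .Values.certificates.secretName }}`), they could move into a second rule limited by `resourceNames: [{{ .Values.certificates.secretName | quote }}]`, leaving `create` in an unrestricted rule because `resourceNames` cannot constrain it. Whether the operator writes any other Secret is not visible in this patch, so that needs confirming before narrowing. The file also ends without a trailing newline.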
diff --git a/examples/helm-keda/templates/manager/rolebinding.yaml b/examples/helm-keda/templates/manager/rolebinding.yaml
new file mode 100644
index 000000000..0d1381ab5
--- /dev/null
+++ b/examples/helm-keda/templates/manager/rolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.rbac.create }}
+{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Values.operator.name }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/examples/helm-keda/templates/manager/service.yaml b/examples/helm-keda/templates/manager/service.yaml
new file mode 100644
index 000000000..599289eaa
--- /dev/null
+++ b/examples/helm-keda/templates/manager/service.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Service
+metadata:
+ {{- if or .Values.additionalAnnotations .Values.service.annotations (and .Values.prometheus.operator.enabled ( not (or .Values.prometheus.operator.podMonitor.enabled .Values.prometheus.operator.serviceMonitor.enabled ))) }}
+ annotations:
+ {{- if and .Values.prometheus.operator.enabled ( not (or .Values.prometheus.operator.podMonitor.enabled .Values.prometheus.operator.serviceMonitor.enabled )) }}
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.prometheus.operator.port | quote }}
+ prometheus.io/path: "/metrics"
+ {{- end }}
+ {{- with .Values.additionalAnnotations }}
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.service.annotations }}
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: metricsservice
+ port: 9666
+ targetPort: 9666
+ {{- if .Values.prometheus.operator.enabled }}
+ - name: metrics
+ port: {{ .Values.prometheus.operator.port }}
+ targetPort: {{ .Values.prometheus.operator.port }}
+ {{- end }}
+ selector:
+ app: {{ .Values.operator.name }}
diff --git a/examples/helm-keda/templates/manager/servicemonitor.yaml b/examples/helm-keda/templates/manager/servicemonitor.yaml
new file mode 100644
index 000000000..727601cb9
--- /dev/null
+++ b/examples/helm-keda/templates/manager/servicemonitor.yaml
@@ -0,0 +1,60 @@
+{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ .Values.operator.name }}
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.operator.serviceMonitor.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.serviceMonitor.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ {{- with .Values.prometheus.operator.serviceMonitor.jobLabel }}
+ jobLabel: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.serviceMonitor.targetLabels }}
+ targetLabels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.serviceMonitor.podTargetLabels }}
+ podTargetLabels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ endpoints:
+ - port: {{ .Values.prometheus.operator.serviceMonitor.port }}
+ {{- with .Values.prometheus.operator.serviceMonitor.targetPort }}
+ targetPort: {{ . }}
+ {{- end }}
+ path: /metrics
+ {{- with .Values.prometheus.operator.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.operator.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- if .Values.prometheus.operator.serviceMonitor.relabelings}}
+ {{- with .Values.prometheus.operator.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- else }}
+ {{- with .Values.prometheus.operator.serviceMonitor.relabellings }}
+ relabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- end}}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+{{- end }}
diff --git a/examples/helm-keda/templates/metrics-server/apiservice.yaml b/examples/helm-keda/templates/metrics-server/apiservice.yaml
new file mode 100644
index 000000000..0568f08aa
--- /dev/null
+++ b/examples/helm-keda/templates/metrics-server/apiservice.yaml
@@ -0,0 +1,30 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }}
+ annotations:
+ {{- if .Values.certificates.certManager.enabled }}
+ {{- if .Values.certificates.certManager.generateCA }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
+ {{- else }}
+ cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.additionalAnnotations }}
+ {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
+ {{- include "keda.labels" . | indent 4 }}
+ name: v1beta1.external.metrics.k8s.io
+spec:
+ service:
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.service.portHttps }}
+ group: external.metrics.k8s.io
+ version: v1beta1
+ groupPriorityMinimum: 100
+ versionPriority: 100
+ insecureSkipTLSVerify: false
diff --git a/examples/helm-keda/templates/metrics-server/clusterrole.yaml b/examples/helm-keda/templates/metrics-server/clusterrole.yaml
new file mode 100644
index 000000000..4036b292c
--- /dev/null
+++ b/examples/helm-keda/templates/metrics-server/clusterrole.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-external-metrics-reader
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-external-metrics-reader
+rules:
+- apiGroups:
+ - external.metrics.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+{{- end -}}
diff --git a/examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml b/examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml
new file mode 100644
index 000000000..af00d4244
--- /dev/null
+++ b/examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml
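Review bot: The ClusterRole named `{{ .Values.operator.name }}-external-metrics-reader` grants `verbs: ['*']` on `resources: ['*']` in `external.metrics.k8s.io`, which is wider than its name promises. metrics-server/clusterrolebinding.yaml binds it to the `horizontal-pod-autoscaler` ServiceAccount in `kube-system`, and as far as I can tell that consumer only reads external metrics, so I would spell out the read verbs instead: `verbs: [get, list]`. If the wildcard is deliberate, a short comment above the rule saying why would save the next reviewer the same question.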
@@ -0,0 +1,62 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-system-auth-delegator
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-system-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-auth-reader
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-auth-reader
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-hpa-controller-external-metrics
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-hpa-controller-external-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.operator.name }}-external-metrics-reader
+subjects:
+- kind: ServiceAccount
+ name: horizontal-pod-autoscaler
+ namespace: kube-system
+{{- end -}}
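Review bot: The `system:auth-delegator` ClusterRoleBinding and the `extension-apiserver-authentication-reader` RoleBinding both name `{{ .Values.serviceAccount.name }}` as subject, which is the same ServiceAccount that manager/clusterrolebinding.yaml binds to the operator ClusterRole and that both Deployments in this patch run as. Each pod therefore carries the union of the operator's and the metrics adapter's permissions, so a compromise of either component yields both sets. I would give each component its own ServiceAccount and point these two bindings at the metrics adapter's account only, so that the delegated authentication rights stay off the operator pod. That change also touches the two Deployments and serviceaccount.yaml, which lie outside this hunk.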
diff --git a/examples/helm-keda/templates/metrics-server/deployment.yaml b/examples/helm-keda/templates/metrics-server/deployment.yaml
new file mode 100644
index 000000000..3965e3ff6
--- /dev/null
+++ b/examples/helm-keda/templates/metrics-server/deployment.yaml
@@ -0,0 +1,201 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.operator.name }}-metrics-apiserver + namespace: {{ .Release.Namespace }} + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ .Values.operator.name }}-metrics-apiserver + app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver + {{- include "keda.labels" . | indent 4 }} +spec: + revisionHistoryLimit: {{ .Values.metricsServer.revisionHistoryLimit}} + replicas: {{ .Values.metricsServer.replicaCount }} + {{- with .Values.upgradeStrategy.metricsApiServer }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ .Values.operator.name }}-metrics-apiserver + template: + metadata: + labels: + app: {{ .Values.operator.name }}-metrics-apiserver + app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver + {{- include "keda.labels" . | indent 8 }} + {{- if .Values.podIdentity.activeDirectory.identity }} + aadpodidbinding: {{ .Values.podIdentity.activeDirectory.identity }} + {{- end }} + {{- if .Values.podLabels.metricsAdapter }} + {{- toYaml .Values.podLabels.metricsAdapter | nindent 8}} + {{- end }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + azure.workload.identity/use: "true" + {{- end }} + {{- if or .Values.additionalAnnotations .Values.podAnnotations.metricsAdapter (and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )) )}} + annotations: + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 8 }} + {{- end }} + {{- if and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )) }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.prometheus.metricServer.port | quote }} + {{- end }} + 
{{- if .Values.podAnnotations.metricsAdapter }} + {{- toYaml .Values.podAnnotations.metricsAdapter | nindent 8}} + {{- end }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount.name }} + automountServiceAccountToken: true + securityContext: + {{- if .Values.podSecurityContext.metricServer }} + {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }} + {{- else }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + containers: + - name: {{ .Values.operator.name }}-metrics-apiserver + securityContext: + {{- if .Values.securityContext.metricServer }} + {{- toYaml .Values.securityContext.metricServer | nindent 12 }} + {{- else }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.service.portHttpsTarget }} + scheme: HTTPS + initialDelaySeconds: {{ .Values.metricsServer.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metricsServer.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metricsServer.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.metricsServer.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.metricsServer.livenessProbe.successThreshold }} + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.service.portHttpsTarget }} + scheme: HTTPS + initialDelaySeconds: {{ .Values.metricsServer.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metricsServer.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metricsServer.readinessProbe.timeoutSeconds }} + failureThreshold: 
{{ .Values.metricsServer.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.metricsServer.readinessProbe.successThreshold }} + env: + - name: WATCH_NAMESPACE + value: {{ .Values.watchNamespace | quote }} + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: {{ .Values.http.timeout | quote }} + - name: KEDA_HTTP_MIN_TLS_VERSION + value: {{ .Values.http.minTlsVersion }} + {{- if ( not .Values.http.keepAlive.enabled ) }} + - name: KEDA_HTTP_DISABLE_KEEP_ALIVE + value: "true" + {{- end }} + {{- if .Values.permissions.metricServer.restrict.secret }} + - name: KEDA_RESTRICT_SECRET_ACCESS + value: {{ .Values.permissions.metricServer.restrict.secret | quote }} + {{- end }} + {{- if .Values.env }} + {{- toYaml .Values.env | nindent 12 -}} + {{- end }} + args: + - /usr/local/bin/keda-adapter + - --port={{ .Values.prometheus.metricServer.port }} + - --secure-port={{ .Values.service.portHttpsTarget }} + - --logtostderr=true + - --metrics-service-address={{ .Values.operator.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:9666 + - --client-ca-file={{ .Values.certificates.mountPath }}/ca.crt + - --tls-cert-file={{ .Values.certificates.mountPath }}/tls.crt + - --tls-private-key-file={{ .Values.certificates.mountPath }}/tls.key + - --cert-dir={{ .Values.certificates.mountPath }} + - --v={{ .Values.logging.metricServer.level }} + {{- range $key, $value := .Values.extraArgs.metricsAdapter }} + - --{{ $key }}={{ $value }} + {{- end }} + ports: + - containerPort: {{ .Values.service.portHttpsTarget }} + name: https + protocol: TCP + - containerPort: {{ .Values.prometheus.metricServer.port }} + name: {{ .Values.prometheus.metricServer.portName }} + protocol: TCP + volumeMounts: + - mountPath: {{ .Values.certificates.mountPath }} + name: certificates + readOnly: true + {{- if .Values.grpcTLSCertsSecret }} + - name: grpc-certs + mountPath: /grpccerts + {{- end }} + {{- if 
.Values.hashiCorpVaultTLS }} + - name: hashicorp-vault-certs + mountPath: /hashicorp-vaultcerts + {{- end }} + {{- if .Values.volumes.metricsApiServer.extraVolumeMounts }} + {{- toYaml .Values.volumes.metricsApiServer.extraVolumeMounts | nindent 10 }} + {{- end }} + resources: + {{- if .Values.resources.metricServer }} + {{- toYaml .Values.resources.metricServer | nindent 12 }} + {{- else }} + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + - name: certificates + secret: + defaultMode: 420 + secretName: {{ .Values.certificates.secretName }} + {{- if .Values.grpcTLSCertsSecret }} + - name: grpc-certs + secret: + secretName: {{ .Values.grpcTLSCertsSecret }} + {{- end }} + {{- if .Values.hashiCorpVaultTLS }} + - name: hashicorp-vault-certs + secret: + secretName: {{ .Values.hashiCorpVaultTLS }} + {{- end }} + {{- if .Values.volumes.metricsApiServer.extraVolumes }} + {{- toYaml .Values.volumes.metricsApiServer.extraVolumes | nindent 6 }} + {{- end }} + dnsPolicy: {{ .Values.metricsServer.dnsPolicy }} + hostNetwork: {{ .Values.metricsServer.useHostNetwork }} + nodeSelector: + kubernetes.io/os: linux + {{- with .Values.nodeSelector }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.metricsServer.affinity }} + affinity: + {{- toYaml .Values.metricsServer.affinity | nindent 8 }} + {{- else if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints.metricsServer}} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml b/examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml new file mode 100644 index 000000000..c71ab124a --- /dev/null +++ b/examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml 
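Review bot: `hostNetwork: {{ .Values.metricsServer.useHostNetwork }}` is emitted unconditionally in the pod spec, so the adapter's network mode rests entirely on a values default that this hunk does not show. With host networking the adapter's HTTPS and metrics ports open in the node's network namespace, so I would render the field only on explicit opt-in: `{{- if .Values.metricsServer.useHostNetwork }}`, `hostNetwork: true`, `{{- end }}`. A template comment above it saying when host networking is actually required would help operators decide whether to enable it.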
@@ -0,0 +1,33 @@
+{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.metricServer }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.metricServer }}
+ {{- if .Values.podDisruptionBudget.metricServer.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.metricServer.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.metricServer.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.metricServer.maxUnavailable }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+{{- end }}
+
diff --git a/examples/helm-keda/templates/metrics-server/podmonitor.yaml b/examples/helm-keda/templates/metrics-server/podmonitor.yaml
new file mode 100644
index 000000000..b639cd6d8
--- /dev/null
+++ b/examples/helm-keda/templates/metrics-server/podmonitor.yaml
@@ -0,0 +1,39 @@
+{{- if and .Values.prometheus.metricServer.enabled .Values.prometheus.metricServer.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.metricServer.podMonitor.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.podMonitor.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ podMetricsEndpoints:
+ - port: {{ .Values.prometheus.metricServer.portName }}
+ path: /metrics
+ {{- with .Values.prometheus.metricServer.podMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.podMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.prometheus.metricServer.podMonitor.relabelings }}
+ relabelings:
+{{ toYaml . | indent 4 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app: {{ .Values.operator.name }}-metrics-apiserver
+{{- end }}
diff --git a/examples/helm-keda/templates/metrics-server/service.yaml b/examples/helm-keda/templates/metrics-server/service.yaml
new file mode 100644
index 000000000..cf6f69665
--- /dev/null
+++ b/examples/helm-keda/templates/metrics-server/service.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
+ app: {{ .Values.operator.name }}-metrics-apiserver
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-metrics-apiserver
+ namespace: {{ .Release.Namespace }}
+ {{- if or .Values.additionalAnnotations .Values.service.annotations (and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )))}}
+ annotations:
+ {{- if and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )) }}
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.prometheus.metricServer.port | quote }}
+ prometheus.io/path: "/metrics"
+ {{- end }}
+ {{- with .Values.additionalAnnotations }}
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.service.annotations }}
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+spec:
+ ports:
+ - name: https
+ port: {{ .Values.service.portHttps }}
+ targetPort: {{ .Values.service.portHttpsTarget }}
+ protocol: TCP
+ - name: {{ .Values.prometheus.metricServer.portName }}
+ port: {{ .Values.prometheus.metricServer.port }}
+ targetPort: {{ .Values.prometheus.metricServer.port }}
+ protocol: TCP
+ selector:
+ app: {{ .Values.operator.name }}-metrics-apiserver
diff --git a/examples/helm-keda/templates/metrics-server/servicemonitor.yaml b/examples/helm-keda/templates/metrics-server/servicemonitor.yaml
new file mode 100644
index 000000000..a2a0dfc71
--- /dev/null
+++ b/examples/helm-keda/templates/metrics-server/servicemonitor.yaml
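Review bot: In metrics-server/service.yaml the second `ports:` entry (`- name: {{ .Values.prometheus.metricServer.portName }}`) is published unconditionally, while webhooks/service.yaml in this same patch wraps its metrics port in `{{- if .Values.prometheus.webhooks.enabled }}`. With Prometheus scraping turned off the Service still advertises the metrics port to anything that can reach the ClusterIP, which is more exposure than the configuration asks for. Wrap the entry in `{{- if .Values.prometheus.metricServer.enabled }}` … `{{- end }}` so the two Services behave the same way. Whether the container actually listens on that port is decided in metrics-server/deployment.yaml, which is outside this hunk.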
@@ -0,0 +1,60 @@ +{{- if and .Values.prometheus.metricServer.enabled .Values.prometheus.metricServer.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ .Values.operator.name }}-metrics-apiserver + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + {{- range $key, $value := .Values.prometheus.metricServer.serviceMonitor.additionalLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- with .Values.prometheus.metricServer.serviceMonitor.namespace }} + namespace: {{ . }} + {{- end }} +spec: + {{- with .Values.prometheus.metricServer.serviceMonitor.jobLabel }} + jobLabel: {{ . }} + {{- end }} + {{- with .Values.prometheus.metricServer.serviceMonitor.targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.prometheus.metricServer.serviceMonitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + endpoints: + - port: {{ .Values.prometheus.metricServer.portName }} + {{- with .Values.prometheus.metricServer.serviceMonitor.targetPort }} + targetPort: {{ . }} + {{- end }} + path: /metrics + {{- with .Values.prometheus.metricServer.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.prometheus.metricServer.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- if .Values.prometheus.metricServer.serviceMonitor.relabelings}} + {{- with .Values.prometheus.metricServer.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- else }} + {{- with .Values.prometheus.metricServer.serviceMonitor.relabellings }} + relabelings: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- end}} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver +{{- end }} diff --git a/examples/helm-keda/templates/serviceaccount.yaml b/examples/helm-keda/templates/serviceaccount.yaml new file mode 100644 index 000000000..d93d1b7e5 --- /dev/null +++ b/examples/helm-keda/templates/serviceaccount.yaml 
@@ -0,0 +1,49 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + azure.workload.identity/use: "true" + {{- end }} + {{- include "keda.labels" . | nindent 4 }} + {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations .Values.podIdentity.gcp.enabled }} + annotations: + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + {{- if .Values.podIdentity.azureWorkload.clientId }} + azure.workload.identity/client-id: {{ .Values.podIdentity.azureWorkload.clientId | quote }} + {{- end }} + {{- if .Values.podIdentity.azureWorkload.tenantId }} + azure.workload.identity/tenant-id: {{ .Values.podIdentity.azureWorkload.tenantId | quote }} + {{- end }} + azure.workload.identity/service-account-token-expiration: {{ .Values.podIdentity.azureWorkload.tokenExpiration | quote }} + {{- end }} + {{- if .Values.podIdentity.aws.irsa.enabled }} + {{- if .Values.podIdentity.aws.irsa.audience }} + eks.amazonaws.com/audience: {{ .Values.podIdentity.aws.irsa.audience | quote }} + {{- end }} + {{- if .Values.podIdentity.aws.irsa.roleArn }} + eks.amazonaws.com/role-arn: {{ .Values.podIdentity.aws.irsa.roleArn | quote }} + {{- end }} + {{- if .Values.podIdentity.aws.irsa.stsRegionalEndpoints }} + eks.amazonaws.com/sts-regional-endpoints: {{ .Values.podIdentity.aws.irsa.stsRegionalEndpoints | quote }} + {{- end }} + eks.amazonaws.com/token-expiration: {{ .Values.podIdentity.aws.irsa.tokenExpiration | quote }} + {{- end }} + {{- if .Values.podIdentity.gcp.enabled }} + {{- if .Values.podIdentity.gcp.gcpIAMServiceAccount }} + iam.gke.io/gcp-service-account: {{ .Values.podIdentity.gcp.gcpIAMServiceAccount }} + {{- end }} + {{- end }} + {{- if 
.Values.serviceAccount.annotations }} + {{- toYaml .Values.serviceAccount.annotations | nindent 4}} + {{- end }} + {{- end }} + name: {{ .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/examples/helm-keda/templates/webhooks/deployment.yaml b/examples/helm-keda/templates/webhooks/deployment.yaml new file mode 100644 index 000000000..c47c62106 --- /dev/null +++ b/examples/helm-keda/templates/webhooks/deployment.yaml 
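Review bot: In serviceaccount.yaml the guard that opens `annotations:` tests the three pod-identity flags and `.Values.serviceAccount.annotations` but not `.Values.additionalAnnotations`, although the first thing rendered inside the block is `toYaml .Values.additionalAnnotations`. A release that sets only `additionalAnnotations` therefore gets a ServiceAccount without them, unlike every other object in the chart; add it to the condition, `{{- if or .Values.additionalAnnotations .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations .Values.podIdentity.gcp.enabled }}`. The GCP annotation is also the only identity value emitted without quoting; `iam.gke.io/gcp-service-account: {{ .Values.podIdentity.gcp.gcpIAMServiceAccount | quote }}` matches the Azure and AWS lines and keeps an unusual value from changing the YAML structure.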
@@ -0,0 +1,169 @@ +{{- if and .Values.webhooks.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.webhooks.name }} + namespace: {{ .Release.Namespace }} + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ .Values.webhooks.name }} + name: {{ .Values.webhooks.name }} + app.kubernetes.io/name: {{ .Values.webhooks.name }} + {{- include "keda.labels" . | indent 4 }} +spec: + revisionHistoryLimit: {{ .Values.webhooks.revisionHistoryLimit}} + replicas: {{ .Values.webhooks.replicaCount}} + {{- with .Values.upgradeStrategy.webhooks }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ .Values.webhooks.name }} + template: + metadata: + labels: + app: {{ .Values.webhooks.name }} + name: {{ .Values.webhooks.name }} + app.kubernetes.io/name: {{ .Values.webhooks.name }} + {{- include "keda.labels" . | indent 8 }} + {{- if .Values.podLabels.webhooks }} + {{- toYaml .Values.podLabels.webhooks | nindent 8 }} + {{- end }} + {{- if or .Values.podAnnotations.webhooks .Values.additionalAnnotations }} + annotations: + {{- if .Values.podAnnotations.webhooks }} + {{- toYaml .Values.podAnnotations.webhooks | nindent 8 }} + {{- end }} + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount.name }} + automountServiceAccountToken: true + securityContext: + {{- if .Values.podSecurityContext.webhooks }} + {{- toYaml .Values.podSecurityContext.webhooks | nindent 8 }} + {{- else }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + containers: + - name: {{ .Values.webhooks.name }} + securityContext: + {{- if .Values.securityContext.webhooks }} + {{- toYaml .Values.securityContext.webhooks | nindent 12 }} + {{- else }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + image: "{{ .Values.image.webhooks.repository }}:{{ .Values.image.webhooks.tag | default .Chart.AppVersion }}" + command: + - /keda-admission-webhooks + args: + - "--zap-log-level={{ .Values.logging.webhooks.level }}" + - "--zap-encoder={{ .Values.logging.webhooks.format }}" + - "--zap-time-encoding={{ .Values.logging.webhooks.timeEncoding }}" + - "--cert-dir={{ .Values.certificates.mountPath }}" + - "--health-probe-bind-address=:{{ .Values.webhooks.healthProbePort }}" + {{- if .Values.webhooks.port }} + - "--port={{ .Values.webhooks.port }}" + {{- end }} + - --metrics-bind-address=:{{ .Values.prometheus.webhooks.port }} + {{- range $key, $value := .Values.extraArgs.webhooks }} + - --{{ $key }}={{ $value }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.webhooks.healthProbePort }} + initialDelaySeconds: {{ .Values.webhooks.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.webhooks.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.webhooks.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.webhooks.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.webhooks.livenessProbe.successThreshold }} + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.webhooks.healthProbePort }} + initialDelaySeconds: {{ 
.Values.webhooks.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.webhooks.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.webhooks.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.webhooks.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.webhooks.readinessProbe.successThreshold }} + ports: + - containerPort: {{ .Values.webhooks.port | default 9443 }} + name: http + protocol: TCP + {{- if .Values.prometheus.webhooks.enabled }} + - containerPort: {{ .Values.prometheus.webhooks.port }} + name: metrics + protocol: TCP + {{- end }} + env: + - name: WATCH_NAMESPACE + value: {{ .Values.watchNamespace | quote }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.env }} + {{- toYaml .Values.env | nindent 12 -}} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.certificates.mountPath }} + name: certificates + readOnly: true + {{- if .Values.volumes.webhooks.extraVolumeMounts }} + {{- toYaml .Values.volumes.webhooks.extraVolumeMounts | nindent 12 }} + {{- end }} + resources: + {{- if .Values.resources.webhooks }} + {{- toYaml .Values.resources.webhooks | nindent 12 }} + {{- else }} + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + - name: certificates + secret: + defaultMode: 420 + secretName: {{ .Values.certificates.secretName }} + {{- if .Values.volumes.webhooks.extraVolumes }} + {{- toYaml .Values.volumes.webhooks.extraVolumes | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.webhooks.useHostNetwork }} + nodeSelector: + kubernetes.io/os: linux + {{- with .Values.nodeSelector }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.webhooks.affinity }} + affinity: + {{- toYaml .Values.webhooks.affinity | nindent 8 }} + {{- else if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints.webhooks }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml b/examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml new file mode 100644 index 000000000..3e43c2a73 --- /dev/null +++ b/examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml 
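Review bot: In webhooks/deployment.yaml the pod spec hard-codes `automountServiceAccountToken: true`, and because the pod-level field takes precedence over the ServiceAccount's, setting `serviceAccount.automountServiceAccountToken: false` in values.yaml has no effect on the webhook pod. The pod also runs as `{{ .Values.serviceAccount.name }}`, which values.yaml defaults to `keda-operator`, so the admission webhook presumably holds whatever the operator's ClusterRole grants; the role bindings are in files outside this hunk, so confirm that. A network-facing admission endpoint is a poor place for the operator's full API credentials: give the webhook its own ServiceAccount bound only to what validation needs, and until then render the value instead of fixing it, `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}`.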
@@ -0,0 +1,34 @@
+{{- if and .Values.webhooks.enabled }}
+{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.webhooks }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ .Values.webhooks.name }}
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
+ {{- include "keda.labels" . | indent 4 }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.webhooks }}
+ {{- if .Values.podDisruptionBudget.webhooks.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.webhooks.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.webhooks.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.webhooks.maxUnavailable }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Values.webhooks.name }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/webhooks/prometheusrules.yaml b/examples/helm-keda/templates/webhooks/prometheusrules.yaml
new file mode 100644
index 000000000..d434348f8
--- /dev/null
+++ b/examples/helm-keda/templates/webhooks/prometheusrules.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.webhooks.enabled }}
+{{- if and .Values.prometheus.webhooks.enabled .Values.prometheus.webhooks.prometheusRules.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ .Values.webhooks.name }}
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ {{- range $key, $value := .Values.prometheus.webhooks.prometheusRules.additionalLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- with .Values.prometheus.webhooks.prometheusRules.namespace }}
+ namespace: {{ . }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ .Values.webhooks.name }}
+ rules:
+{{ toYaml .Values.prometheus.webhooks.prometheusRules.alerts | indent 6 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/webhooks/service.yaml b/examples/helm-keda/templates/webhooks/service.yaml
new file mode 100644
index 000000000..d7b784195
--- /dev/null
+++ b/examples/helm-keda/templates/webhooks/service.yaml
@@ -0,0 +1,41 @@
+{{- if and .Values.webhooks.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ {{- if or .Values.prometheus.webhooks.enabled .Values.additionalAnnotations .Values.service.annotations }}
+ annotations:
+ {{- if and .Values.prometheus.webhooks.enabled ( not .Values.prometheus.webhooks.serviceMonitor.enabled ) }}
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.prometheus.webhooks.port | quote }}
+ prometheus.io/path: "/metrics"
+ {{- end }}
+ {{- with .Values.additionalAnnotations }}
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.service.annotations }}
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.webhooks.name }}
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.webhooks.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: http
+ port: 443
+ protocol: TCP
+ targetPort: {{ .Values.webhooks.port | default 9443 }}
+ {{- if .Values.prometheus.webhooks.enabled }}
+ - name: {{ .Values.prometheus.webhooks.serviceMonitor.port }}
+ port: {{ .Values.prometheus.webhooks.port }}
+ targetPort: {{ .Values.prometheus.webhooks.port }}
+ {{- end }}
+ selector:
+ app: {{ .Values.webhooks.name }}
+{{- end }}
diff --git a/examples/helm-keda/templates/webhooks/servicemonitor.yaml b/examples/helm-keda/templates/webhooks/servicemonitor.yaml
new file mode 100644
index 000000000..48b5223d7
--- /dev/null
+++ b/examples/helm-keda/templates/webhooks/servicemonitor.yaml
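Review bot: In webhooks/service.yaml the `{{- with .Values.service.annotations }}` block copies onto the admission-webhook Service a map that values.yaml documents as "Annotations to add the KEDA Metric Server service". Annotations chosen for the metrics Service, for example ones that change how it is exposed or scraped, therefore land on the webhook endpoint as well without the operator asking for it. Either read a separate, webhook-specific values key here, or change the values.yaml comment to say that `service.annotations` applies to both Services.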
@@ -0,0 +1,62 @@ +{{- if and .Values.webhooks.enabled }} +{{- if and .Values.prometheus.webhooks.enabled .Values.prometheus.webhooks.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ .Values.webhooks.name }} + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.webhooks.name }} + {{- include "keda.labels" . | indent 4 }} + {{- range $key, $value := .Values.prometheus.webhooks.serviceMonitor.additionalLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- with .Values.prometheus.webhooks.serviceMonitor.namespace }} + namespace: {{ . }} + {{- end }} +spec: + {{- with .Values.prometheus.webhooks.serviceMonitor.jobLabel }} + jobLabel: {{ . }} + {{- end }} + {{- with .Values.prometheus.webhooks.serviceMonitor.targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.prometheus.webhooks.serviceMonitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + endpoints: + - port: {{ .Values.prometheus.webhooks.serviceMonitor.port }} + {{- with .Values.prometheus.webhooks.serviceMonitor.targetPort }} + targetPort: {{ . }} + {{- end }} + path: /metrics + {{- with .Values.prometheus.webhooks.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.prometheus.webhooks.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- if .Values.prometheus.webhooks.serviceMonitor.relabelings}} + {{- with .Values.prometheus.webhooks.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- else }} + {{- with .Values.prometheus.webhooks.serviceMonitor.relabellings }} + relabelings: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- end}} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app.kubernetes.io/name: {{ .Values.webhooks.name }} +{{- end }} +{{- end }} diff --git a/examples/helm-keda/templates/webhooks/validatingconfiguration.yaml b/examples/helm-keda/templates/webhooks/validatingconfiguration.yaml new file mode 100644 index 000000000..5e2cde6b5 --- /dev/null +++ b/examples/helm-keda/templates/webhooks/validatingconfiguration.yaml @@ -0,0 +1,47 @@ +{{- if and .Values.webhooks.enabled }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }} + annotations: + {{- if .Values.certificates.certManager.enabled }} + {{- if .Values.certificates.certManager.generateCA }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca + {{- else }} + cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }} + {{- end }} + {{- end }} + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.webhooks.name }} + {{- include "keda.labels" . | indent 4 }} + name: keda-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ .Values.webhooks.name }} + namespace: {{ .Release.Namespace }} + path: /validate-keda-sh-v1alpha1-scaledobject + failurePolicy: {{ .Values.webhooks.failurePolicy }} + matchPolicy: Equivalent + name: vscaledobject.kb.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - keda.sh + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - scaledobjects + sideEffects: None + timeoutSeconds: 10 +{{- end }} 
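Review bot: In webhooks/validatingconfiguration.yaml, `failurePolicy: {{ .Values.webhooks.failurePolicy }}` takes its default from values.yaml, where it is `Ignore`, so ScaledObject validation fails open: whenever the webhook Service is unreachable or exceeds `timeoutSeconds: 10`, CREATE and UPDATE requests are admitted unvalidated. That trade-off is defensible for availability, but it should be stated where the value is set, e.g. `# Ignore = fail open: ScaledObjects are admitted unvalidated while the webhook is unavailable; use Fail to enforce validation`. Operators who keep `Ignore` should alert on webhook readiness so a silent loss of validation is noticed. Note also that `namespaceSelector: {}` applies the hook to every namespace, which matters for cluster availability if `Fail` is chosen.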
diff --git a/examples/helm-keda/values.yaml b/examples/helm-keda/values.yaml new file mode 100644 index 000000000..45f866cb4 --- /dev/null +++ b/examples/helm-keda/values.yaml 
@@ -0,0 +1,690 @@ +# Default values for keda. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + keda: + # -- Image name of KEDA operator + repository: ghcr.io/kedacore/keda + # -- Image tag of KEDA operator. Optional, given app version of Helm chart is used by default + tag: "" + metricsApiServer: + # -- Image name of KEDA Metrics API Server + repository: ghcr.io/kedacore/keda-metrics-apiserver + # -- Image tag of KEDA Metrics API Server. Optional, given app version of Helm chart is used by default + tag: "" + webhooks: + # -- Image name of KEDA admission-webhooks + repository: ghcr.io/kedacore/keda-admission-webhooks + # -- Image tag of KEDA admission-webhooks . Optional, given app version of Helm chart is used by default + tag: "" + # -- Image pullPolicy for all KEDA components + pullPolicy: Always + +# -- Kubernetes cluster domain +clusterDomain: cluster.local + +crds: + # -- Defines whether the KEDA CRDs have to be installed or not. + install: true + +# -- Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces +watchNamespace: "" + +# -- Name of secret to use to pull images to use to pull Docker images +imagePullSecrets: [] + +operator: + # -- Name of the KEDA operator + name: keda-operator + # -- ReplicaSets for this Deployment you want to retain (Default: 10) + revisionHistoryLimit: 10 + # -- Capability to configure the number of replicas for KEDA operator. + # While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. + # You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. + # Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). + replicaCount: 1 + # -- [Affinity] for pod scheduling for KEDA operator. 
Takes precedence over the `affinity` field + affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app + # operator: In + # values: + # - keda-operator + # topologyKey: "kubernetes.io/hostname" + # -- Liveness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) + livenessProbe: + initialDelaySeconds: 25 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + # -- Readiness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 3 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + +metricsServer: + # -- ReplicaSets for this Deployment you want to retain (Default: 10) + revisionHistoryLimit: 10 + # -- Capability to configure the number of replicas for KEDA metric server. + # While you can run more replicas of our metric server, only one instance will used and serve traffic. + # You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. + # Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). + replicaCount: 1 + # use ClusterFirstWithHostNet if `useHostNetwork: true` https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + # -- Defined the DNS policy for the metric server + dnsPolicy: ClusterFirst + # -- Enable metric server to use host network + useHostNetwork: false + # -- [Affinity] for pod scheduling for Metrics API Server. 
Takes precedence over the `affinity` field + affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app + # operator: In + # values: + # - keda-operator-metrics-apiserver + # topologyKey: "kubernetes.io/hostname" + # -- Liveness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) + livenessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + # -- Readiness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) + readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 3 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + +webhooks: + # -- Enable admission webhooks (this feature option will be removed in v2.12) + enabled: true + # -- Port number to use for KEDA admission webhooks. Default is 9443. 
+ port: "" + # -- Port number to use for KEDA admission webhooks health probe + healthProbePort: 8081 + # -- Liveness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) + livenessProbe: + initialDelaySeconds: 25 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + # -- Readiness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 3 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + # -- Enable webhook to use host network, this is required on EKS with custom CNI + useHostNetwork: false + # -- Name of the KEDA admission webhooks + name: keda-admission-webhooks + # -- ReplicaSets for this Deployment you want to retain (Default: 10) + revisionHistoryLimit: 10 + # -- Capability to configure the number of replicas for KEDA admission webhooks + replicaCount: 1 + # -- [Affinity] for pod scheduling for KEDA admission webhooks. 
Takes precedence over the `affinity` field + affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app + # operator: In + # values: + # - keda-operator + # topologyKey: "kubernetes.io/hostname" + + # -- [Failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) to use with KEDA admission webhooks + failurePolicy: Ignore + +upgradeStrategy: + # -- Capability to configure [Deployment upgrade strategy] for operator + operator: {} + # type: RollingUpdate + # rollingUpdate: + # maxUnavailable: 1 + # maxSurge: 1 + + # -- Capability to configure [Deployment upgrade strategy] for Metrics Api Server + metricsApiServer: {} + # type: RollingUpdate + # rollingUpdate: + # maxUnavailable: 1 + # maxSurge: 1 + + # -- Capability to configure [Deployment upgrade strategy] for Admission webhooks + webhooks: {} + # type: RollingUpdate + # rollingUpdate: + # maxUnavailable: 1 + # maxSurge: 1 + +podDisruptionBudget: + # -- Capability to configure [Pod Disruption Budget] + operator: {} + # minAvailable: 1 + # maxUnavailable: 1 + + # -- Capability to configure [Pod Disruption Budget] + metricServer: {} + # minAvailable: 1 + # maxUnavailable: 1 + + # -- Capability to configure [Pod Disruption Budget] + webhooks: {} + # minAvailable: 1 + # maxUnavailable: 1 + +# -- Custom labels to add into metadata +additionalLabels: + {} + # foo: bar + +# -- Custom annotations to add into metadata +additionalAnnotations: + {} + # foo: bar + +podAnnotations: + # -- Pod annotations for KEDA operator + keda: {} + # -- Pod annotations for KEDA Metrics Adapter + metricsAdapter: {} + # -- Pod annotations for KEDA Admission webhooks + webhooks: {} +podLabels: + # -- Pod labels for KEDA operator + keda: {} + # -- Pod labels for KEDA Metrics Adapter + metricsAdapter: {} + # -- Pod labels for KEDA Admission webhooks + webhooks: {} + +rbac: + # -- Specifies whether 
RBAC should be used + create: true + # -- Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) + aggregateToDefaultRoles: false + +serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: keda-operator + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account + annotations: {} + +podIdentity: + activeDirectory: + # Set to the value of the Azure Active Directory Pod Identity + # See https://keda.sh/docs/concepts/authentication/#azure-pod-identity + # This will be set as a label on the KEDA Pod(s) + # -- Identity in Azure Active Directory to use for Azure pod identity + identity: "" + azureWorkload: + # -- Set to true to enable Azure Workload Identity usage. + # See https://keda.sh/docs/concepts/authentication/#azure-workload-identity + # This will be set as a label on the KEDA service account. + enabled: false + # Set to the value of the Azure Active Directory Client and Tenant Ids + # respectively. These will be set as annotations on the KEDA service account. + # -- Id of Azure Active Directory Client to use for authentication with Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) + clientId: "" + # -- Id Azure Active Directory Tenant to use for authentication with for Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) + tenantId: "" + # Set to the value of the service account token expiration duration. + # This will be set as an annotation on the KEDA service account. + # -- Duration in seconds to automatically expire tokens for the service account. 
([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) + tokenExpiration: 3600 + aws: + irsa: + # -- Specifies whether [AWS IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) is to be enabled or not. + enabled: false + # -- Sets the token audience for IRSA. + # This will be set as an annotation on the KEDA service account. + audience: "sts.amazonaws.com" + # -- Set to the value of the ARN of an IAM role with a web identity provider. + # This will be set as an annotation on the KEDA service account. + roleArn: "" + # -- Sets the use of an STS regional endpoint instead of global. + # Recommended to use regional endpoint in almost all cases. + # This will be set as an annotation on the KEDA service account. + stsRegionalEndpoints: "true" + # -- Set to the value of the service account token expiration duration. + # This will be set as an annotation on the KEDA service account. + tokenExpiration: 86400 + gcp: + # -- Set to true to enable GCP Workload Identity. + # See https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/ + # This will be set as a annotation on the KEDA service account. + enabled: false + # -- GCP IAM Service Account Email which you would like to use for workload identity. + gcpIAMServiceAccount: "" + +# -- Set this if you are using an external scaler and want to communicate +# over TLS (recommended). This variable holds the name of the secret that +# will be mounted to the /grpccerts path on the Pod +grpcTLSCertsSecret: "" + +# -- Set this if you are using HashiCorp Vault and want to communicate +# over TLS (recommended). This variable holds the name of the secret that +# will be mounted to the /vault path on the Pod +hashiCorpVaultTLS: "" + +logging: + operator: + # -- Logging level for KEDA Operator. 
+ # allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string + level: info + # -- Logging format for KEDA Operator. + # allowed values: `json` or `console` + format: console + # -- Logging time encoding for KEDA Operator. + # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` + timeEncoding: rfc3339 + metricServer: + # -- Logging level for Metrics Server. + # allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string + level: 0 + + webhooks: + # -- Logging level for KEDA Operator. + # allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string + level: info + # -- Logging format for KEDA Admission webhooks. + # allowed values: `json` or `console` + format: console + # -- Logging time encoding for KEDA Operator. + # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` + timeEncoding: rfc3339 + +# -- [Security context] for all containers +# @default -- [See below](#KEDA-is-secure-by-default) +securityContext: + # -- [Security context] of the operator container + # @default -- [See below](#KEDA-is-secure-by-default) + operator: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + # -- [Security context] of the metricServer container + # @default -- [See below](#KEDA-is-secure-by-default) + metricServer: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + # -- [Security context] of the admission webhooks container + # @default -- [See below](#KEDA-is-secure-by-default) + webhooks: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + +# -- [Pod security context] for all pods +# @default -- [See below](#KEDA-is-secure-by-default) 
+podSecurityContext: + # -- [Pod security context] of the KEDA operator pod + # @default -- [See below](#KEDA-is-secure-by-default) + operator: + runAsNonRoot: true + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- [Pod security context] of the KEDA metrics apiserver pod + # @default -- [See below](#KEDA-is-secure-by-default) + metricServer: + runAsNonRoot: true + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- [Pod security context] of the KEDA admission webhooks + # @default -- [See below](#KEDA-is-secure-by-default) + webhooks: + runAsNonRoot: true + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + +service: + # -- KEDA Metric Server service type + type: ClusterIP + # -- HTTPS port for KEDA Metric Server service + portHttps: 443 + # -- HTTPS port for KEDA Metric Server container + portHttpsTarget: 6443 + # -- Annotations to add the KEDA Metric Server service + annotations: {} + +# We provides the default values that we describe in our docs: +# https://keda.sh/docs/latest/operate/cluster/ +# If you want to specify the resources (or totally remove the defaults), change or comment the following +# lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer' +# and remove/comment the default values +resources: + # -- Manage [resource request & limits] of KEDA operator pod + operator: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + # -- Manage [resource request & limits] of KEDA metrics apiserver pod + metricServer: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + # -- Manage [resource request & limits] of KEDA admission webhooks pod + webhooks: + limits: + cpu: 50m + memory: 100Mi + requests: + cpu: 10m + memory: 10Mi +# -- Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) +nodeSelector: {} +# -- Tolerations for pod scheduling 
([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) +tolerations: [] + +topologySpreadConstraints: + # -- [Pod Topology Constraints] of KEDA operator pod + operator: [] + # -- [Pod Topology Constraints] of KEDA metrics apiserver pod + metricsServer: [] + # -- [Pod Topology Constraints] of KEDA admission webhooks pod + webhooks: [] + +# -- [Affinity] for pod scheduling for both KEDA operator and Metrics API Server +affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app + # operator: In + # values: + # - keda-operator + # - keda-operator-metrics-apiserver + # topologyKey: "kubernetes.io/hostname" + +# -- priorityClassName for all KEDA components +priorityClassName: "" + +## The default HTTP timeout in milliseconds that KEDA should use +## when making requests to external services. Removing this defaults to a +## reasonable default +http: + # -- The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and the timeout does not necessarily apply to them) + timeout: 3000 + keepAlive: + # -- Enable HTTP connection keep alive + enabled: true + # -- The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) + minTlsVersion: TLS12 + +## Extra KEDA Operator and Metrics Adapter container arguments +extraArgs: + # -- Additional KEDA Operator container arguments + keda: {} + # -- Additional Metrics Adapter container arguments + metricsAdapter: {} + +# -- Additional environment variables that will be passed onto all KEDA components +env: [] +# - name: ENV_NAME +# value: 'ENV-VALUE' + +# Extra volumes and volume mounts for the deployment. Optional. 
+volumes: + keda: + # -- Extra volumes for KEDA deployment + extraVolumes: [] + # -- Extra volume mounts for KEDA deployment + extraVolumeMounts: [] + + metricsApiServer: + # -- Extra volumes for metric server deployment + extraVolumes: [] + # -- Extra volume mounts for metric server deployment + extraVolumeMounts: [] + + webhooks: + # -- Extra volumes for admission webhooks deployment + extraVolumes: [] + # -- Extra volume mounts for admission webhooks deployment + extraVolumeMounts: [] + +prometheus: + metricServer: + # -- Enable metric server Prometheus metrics expose + enabled: false + # -- HTTP port used for exposing metrics server prometheus metrics + port: 8080 + # -- HTTP port name for exposing metrics server prometheus metrics + portName: metrics + serviceMonitor: + # -- Enables ServiceMonitor creation for the Prometheus Operator + enabled: false + # -- JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] + jobLabel: "" + # -- TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics + targetLabels: [] + # -- PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics + podTargetLabels: [] + # -- Name of the service port this endpoint refers to. Mutually exclusive with targetPort + port: metrics + # -- Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. Mutually exclusive with port + targetPort: "" + # -- Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. + interval: "" + # -- Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used + scrapeTimeout: "" + # -- DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). 
[RelabelConfig Spec] + relabellings: [] + # -- List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] + relabelings: [] + # -- Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) + additionalLabels: {} + podMonitor: + # -- Enables PodMonitor creation for the Prometheus Operator + enabled: false + # -- Scraping interval for metric server using podMonitor crd (prometheus operator) + interval: "" + # -- Scraping timeout for metric server using podMonitor crd (prometheus operator) + scrapeTimeout: "" + # -- Scraping namespace for metric server using podMonitor crd (prometheus operator) + namespace: "" + # -- Additional labels to add for metric server using podMonitor crd (prometheus operator) + additionalLabels: {} + # -- List of expressions that define custom relabeling rules for metric server podMonitor crd (prometheus operator) + relabelings: [] + operator: + # -- Enable KEDA Operator prometheus metrics expose + enabled: false + # -- Port used for exposing KEDA Operator prometheus metrics + port: 8080 + serviceMonitor: + # -- Enables ServiceMonitor creation for the Prometheus Operator + enabled: false + # -- JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] + jobLabel: "" + # -- TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics + targetLabels: [] + # -- PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics + podTargetLabels: [] + # -- Name of the service port this endpoint refers to. Mutually exclusive with targetPort + port: metrics + # -- Name or number of the target port of the Pod behind the Service, + # the port must be specified with container port property. 
Mutually exclusive with port + targetPort: "" + # -- Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. + interval: "" + # -- Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used + scrapeTimeout: "" + # -- DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] + relabellings: [] + # -- List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] + relabelings: [] + # -- Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) + additionalLabels: {} + podMonitor: + # -- Enables PodMonitor creation for the Prometheus Operator + enabled: false + # -- Scraping interval for KEDA Operator using podMonitor crd (prometheus operator) + interval: "" + # -- Scraping timeout for KEDA Operator using podMonitor crd (prometheus operator) + scrapeTimeout: "" + # -- Scraping namespace for KEDA Operator using podMonitor crd (prometheus operator) + namespace: "" + # -- Additional labels to add for KEDA Operator using podMonitor crd (prometheus operator) + additionalLabels: {} + # -- List of expressions that define custom relabeling rules for KEDA Operator podMonitor crd (prometheus operator) + relabelings: [] + prometheusRules: + # -- Enables PrometheusRules creation for the Prometheus Operator + enabled: false + # -- Scraping namespace for KEDA Operator using prometheusRules crd (prometheus operator) + namespace: "" + # -- Additional labels to add for KEDA Operator using prometheusRules crd (prometheus operator) + additionalLabels: {} + # -- Additional alerts to add for KEDA Operator using prometheusRules crd (prometheus operator) + alerts: + [] + # - alert: KedaScalerErrors + # annotations: + # description: Keda 
scaledObject {{ $labels.scaledObject }} is experiencing errors with {{ $labels.scaler }} scaler + # summary: Keda Scaler {{ $labels.scaler }} Errors + # expr: sum by ( scaledObject , scaler) (rate(keda_metrics_adapter_scaler_errors[2m])) > 0 + # for: 2m + # labels: + webhooks: + # -- Enable KEDA admission webhooks prometheus metrics expose + enabled: false + # -- Port used for exposing KEDA admission webhooks prometheus metrics + port: 8080 + serviceMonitor: + # -- Enables ServiceMonitor creation for the Prometheus webhooks + enabled: false + # -- jobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] + jobLabel: "" + # -- TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics + targetLabels: [] + # -- PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics + podTargetLabels: [] + # -- Name of the service port this endpoint refers to. Mutually exclusive with targetPort + port: metrics + # -- Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. Mutually exclusive with port + targetPort: "" + # -- Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. + interval: "" + # -- Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used + scrapeTimeout: "" + # -- DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] + relabellings: [] + # -- List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). 
[RelabelConfig Spec] + relabelings: [] + # -- Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) + additionalLabels: {} + prometheusRules: + # -- Enables PrometheusRules creation for the Prometheus Operator + enabled: false + # -- Scraping namespace for KEDA admission webhooks using prometheusRules crd (prometheus operator) + namespace: "" + # -- Additional labels to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) + additionalLabels: {} + # -- Additional alerts to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) + alerts: [] + +opentelemetry: + collector: + # -- Uri of OpenTelemetry Collector to push telemetry to + uri: "" + operator: + # -- Enable pushing metrics to an OpenTelemetry Collector for operator + enabled: false + +certificates: + # -- Enables the self generation for KEDA TLS certificates inside KEDA operator + autoGenerated: true + # -- Secret name to be mounted with KEDA TLS certificates + secretName: kedaorg-certs + # -- Path where KEDA TLS certificates are mounted + mountPath: /certs + certManager: + # -- Enables Cert-manager for certificate management + enabled: false + # -- Generates a self-signed CA with Cert-manager. 
+ # If generateCA is false, the secret with the CA + # has to be annotated with `cert-manager.io/allow-direct-injection: "true"` + generateCA: true + # -- Secret name where the CA is stored (generatedby cert-manager or user given) + caSecretName: "kedaorg-ca" + # -- Add labels/annotations to secrets created by Certificate resources + # [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) + secretTemplate: {} + # annotations: + # my-secret-annotation-1: "foo" + # my-secret-annotation-2: "bar" + # labels: + # my-secret-label: foo + +permissions: + metricServer: + restrict: + # -- Restrict Secret Access for Metrics Server + secret: false + operator: + restrict: + # -- Restrict Secret Access for KEDA operator + secret: false + +# -- Array of extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: keda.sh/v1alpha1 + # kind: ClusterTriggerAuthentication + # metadata: + # name: aws-credentials + # namespace: keda + # spec: + # podIdentity: + # provider: aws-eks + +# -- Capability to turn on/off ASCII art in Helm installation notes +asciiArt: true \ No newline at end of file diff --git a/modules/helm/template.go b/modules/helm/template.go index f6b3624cf..f313da8f3 100644 --- a/modules/helm/template.go +++ b/modules/helm/template.go 
@@ -72,6 +72,47 @@ func RenderTemplateE(t testing.TestingT, options *Options, chartDir string, rele return RunHelmCommandAndGetStdOutE(t, options, "template", args...) } +func RenderRemoteTemplate(t testing.TestingT, options *Options, chartURL string, releaseName string, templateFiles []string, extraHelmArgs ...string) string { + out, err := RenderRemoteTemplateE(t, options, chartURL, releaseName, templateFiles, extraHelmArgs...) + require.NoError(t, err) + return out +} + +// RenderTemplateE runs `helm template` to render the template given the provided options and returns stdout/stderr from +// the template command. If you pass in templateFiles, this will only render those templates. +func RenderRemoteTemplateE(t testing.TestingT, options *Options, chartURL string, releaseName string, templateFiles []string, extraHelmArgs ...string) (string, error) { + // TODO: verify the charts exists and verify dependencies + // Now construct the args + // We first construct the template args + args := []string{} + if options.KubectlOptions != nil && options.KubectlOptions.Namespace != "" { + args = append(args, "--namespace", options.KubectlOptions.Namespace) + } + args, err := getValuesArgsE(t, options, args...) + if err != nil { + return "", err + } + // for _, templateFile := range templateFiles { + // // validate this is a valid template file + // absTemplateFile := filepath.Join(absChartDir, templateFile) + // if !strings.HasPrefix(templateFile, "charts") && !files.FileExists(absTemplateFile) { + // return "", errors.WithStackTrace(TemplateFileNotFoundError{Path: templateFile, ChartDir: absChartDir}) + // } + + // // Note: we only get the abs template file path to check it actually exists, but the `helm template` command + // // expects the relative path from the chart. + // args = append(args, "--show-only", templateFile) + // } + // deal extraHelmArgs + args = append(args, extraHelmArgs...) + + // ... 
and add the name and chart at the end as the command expects + args = append(args, chartURL, releaseName) + + // Finally, call out to helm template command + return RunHelmCommandAndGetStdOutE(t, options, "template", args...) +} + // UnmarshalK8SYaml is the same as UnmarshalK8SYamlE, but will fail the test if there is an error. func UnmarshalK8SYaml(t testing.TestingT, yamlData string, destinationObj interface{}) { require.NoError(t, UnmarshalK8SYamlE(t, yamlData, destinationObj)) diff --git a/test/helm_keda_example_template_test.go b/test/helm_keda_example_template_test.go new file mode 100644 index 000000000..4c4a8f709 --- /dev/null +++ b/test/helm_keda_example_template_test.go 
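Review bot: The doc comment above `RenderRemoteTemplateE` is copied from the local variant and still opens with `RenderTemplateE`, and `RenderRemoteTemplate` has no doc comment at all. This path makes helm fetch the chart from `chartURL` at call time, and nothing in the body pins a chart version or checks provenance; the TODO on the first body line leaves that open. The comment should say so, and should tell callers that they need to pass helm's `--version` / `--verify` through `extraHelmArgs` if they want either. Suggested openings: `// RenderRemoteTemplateE runs helm template against a chart fetched from chartURL and returns stdout/stderr from the command.` and `// RenderRemoteTemplate is the same as RenderRemoteTemplateE, but fails the test if there is an error.`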
@@ -0,0 +1,80 @@ +//go:build kubeall || helm +// +build kubeall helm + +// **NOTE**: we have build tags to differentiate kubernetes tests from non-kubernetes tests, and further differentiate helm +// tests. This is done because minikube is heavy and can interfere with docker related tests in terratest. Similarly, helm +// can overload the minikube system and thus interfere with the other kubernetes tests. Specifically, many of the tests +// start to fail with `connection refused` errors from `minikube`. To avoid overloading the system, we run the kubernetes +// tests and helm tests separately from the others. This may not be necessary if you have a sufficiently powerful machine. +// We recommend at least 4 cores and 16GB of RAM if you want to run all the tests together. + +package test + +import ( + "path/filepath" + "strings" + "testing" + + "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/gruntwork-io/terratest/modules/k8s" + "github.com/gruntwork-io/terratest/modules/logger" + "github.com/gruntwork-io/terratest/modules/random" +) + +// This file contains examples of how to use terratest to test helm chart template logic by rendering the templates +// using `helm template`, and then reading in the rendered templates. +// There are two tests: +// - TestHelmBasicExampleTemplateRenderedDeployment: An example of how to read in the rendered object and check the +// computed values. +// - TestHelmBasicExampleTemplateRequiredTemplateArgs: An example of how to check that the required args are indeed +// required for the template to render. + +// An example of how to verify the rendered template object of a Helm Chart given various inputs. 
+func TestHelmKedaLocalExampleTemplateRenderedDeployment(t *testing.T) { + t.Parallel() + + // Path to the helm chart we will test + helmChartPath, err := filepath.Abs("../examples/helm-keda") + releaseName := "keda" + require.NoError(t, err) + + // Since we aren't deploying any resources, there is no need to setup kubectl authentication or helm home. + + // Set up the namespace; confirm that the template renders the expected value for the namespace. + namespaceName := "medieval-" + strings.ToLower(random.UniqueId()) + logger.Logf(t, "Namespace: %s\n", namespaceName) + + // Setup the args. For this test, we will set the following input values: + // - containerImageRepo=nginx + // - containerImageTag=1.15.8 + options := &helm.Options{ + SetValues: map[string]string{ + "metricsServer.replicaCount": "999", + "resources.metricServer.limits.memory": "1234Mi", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + // Run RenderTemplate to render the template and capture the output. Note that we use the version without `E`, since + // we want to assert that the template renders without any errors. + // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles + // arg to demonstrate how to select individual templates to render. + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/metrics-server/deployment.yaml"}) + + // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will + // ensure the Deployment resource is rendered correctly. + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(t, output, &deployment) + + // Verify the namespace matches the expected supplied namespace. 
+ require.Equal(t, namespaceName, deployment.Namespace) + + // Finally, we verify the deployment pod template spec is set to the expected container image value + var expectedMetricsServerReplica int32 + expectedMetricsServerReplica = 999 + deploymentMetricsServerReplica := *deployment.Spec.Replicas + require.Equal(t, expectedMetricsServerReplica, deploymentMetricsServerReplica) +} diff --git a/test/helm_keda_remote_example_template_test.go b/test/helm_keda_remote_example_template_test.go new file mode 100644 index 000000000..4d72e44d3 --- /dev/null +++ b/test/helm_keda_remote_example_template_test.go 
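Review bot: `*deployment.Spec.Replicas` is dereferenced without a nil check, so if the chart renders the Deployment without a `replicas` field the test panics instead of failing with a readable assertion; add `require.NotNil(t, deployment.Spec.Replicas)` on the line before. The same dereference appears in TestHelmKedaRemoteExampleTemplateRenderedDeployment in test/helm_keda_remote_example_template_test.go. `resources.metricServer.limits.memory` is set to `1234Mi` in `SetValues` but never asserted, and the comments still describe `containerImageRepo` / `containerImageTag` from the basic example rather than the values used here.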
@@ -0,0 +1,154 @@ +//go:build kubeall || helm +// +build kubeall helm + +// **NOTE**: we have build tags to differentiate kubernetes tests from non-kubernetes tests, and further differentiate helm +// tests. This is done because minikube is heavy and can interfere with docker related tests in terratest. Similarly, helm +// can overload the minikube system and thus interfere with the other kubernetes tests. Specifically, many of the tests +// start to fail with `connection refused` errors from `minikube`. To avoid overloading the system, we run the kubernetes +// tests and helm tests separately from the others. This may not be necessary if you have a sufficiently powerful machine. +// We recommend at least 4 cores and 16GB of RAM if you want to run all the tests together. + +package test + +import ( + "strings" + "testing" + + "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/gruntwork-io/terratest/modules/k8s" + "github.com/gruntwork-io/terratest/modules/logger" + "github.com/gruntwork-io/terratest/modules/random" +) + +// This file contains examples of how to use terratest to test helm chart template logic by rendering the templates +// using `helm template`, and then reading in the rendered templates. +// There are two tests: +// - TestHelmKedaExampleTemplateRenderedDeployment: An example of how to read in the rendered object and check the +// computed values. +// - TestHelmKedaExampleTemplateRequiredTemplateArgs: An example of how to check that the required args are indeed +// required for the template to render. + +// An example of how to verify the rendered template object of a Helm Chart given various inputs. 
+func TestHelmKedaRemoteExampleTemplateRenderedDeployment(t *testing.T) { + t.Parallel() + + // Path to the helm chart we will test + // helmChartPath, err := filepath.Abs("../examples/helm-basic-example") + releaseName := "keda" + // require.NoError(t, err) + + // Since we aren't deploying any resources, there is no need to setup kubectl authentication or helm home. + + // Set up the namespace; confirm that the template renders the expected value for the namespace. + namespaceName := "medieval-" + strings.ToLower(random.UniqueId()) + logger.Logf(t, "Namespace: %s\n", namespaceName) + + // Setup the args. For this test, we will set the following input values: + // - containerImageRepo=nginx + // - containerImageTag=1.15.8 + options := &helm.Options{ + SetValues: map[string]string{ + "metricsServer.replicaCount": "999", + "resources.metricServer.limits.memory": "1234Mi", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + // Run RenderTemplate to render the template and capture the output. Note that we use the version without `E`, since + // we want to assert that the template renders without any errors. + // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles + // arg to demonstrate how to select individual templates to render. + output := helm.RenderRemoteTemplate(t, options, "--repo https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yamll"}) + + // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will + // ensure the Deployment resource is rendered correctly. + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(t, output, &deployment) + + // Verify the namespace matches the expected supplied namespace. 
+ require.Equal(t, namespaceName, deployment.Namespace) + + // Finally, we verify the deployment pod template spec is set to the expected container image value + var expectedMetricsServerReplica int32 + expectedMetricsServerReplica = 999 + deploymentMetricsServerReplica := *deployment.Spec.Replicas + require.Equal(t, expectedMetricsServerReplica, deploymentMetricsServerReplica) + + // # Source: keda/templates/metrics-server/deployment.yaml + // apiVersion: apps/v1 + // kind: Deployment + // metadata: + // name: keda-operator-metrics-apiserver + // namespace: medieval-38bl76 + // labels: + // app: keda-operator-metrics-apiserver + // app.kubernetes.io/name: keda-operator-metrics-apiserver + // helm.sh/chart: keda-2.12.0 + // app.kubernetes.io/component: operator + // app.kubernetes.io/managed-by: Helm + // app.kubernetes.io/instance: release-name + // app.kubernetes.io/part-of: keda-operator + // app.kubernetes.io/version: 2.12.0 + // spec: + // revisionHistoryLimit: 10 + // replicas: 1 +} + +// An example of how to verify required values for a helm chart. +// func TestHelmKedaExampleTemplateRequiredTemplateArgs(t *testing.T) { +// t.Parallel() + +// // Path to the helm chart we will test +// helmChartPath, err := filepath.Abs("../examples/helm-basic-example") +// releaseName := "helm-basic" +// require.NoError(t, err) + +// // Since we aren't deploying any resources, there is no need to setup kubectl authentication, helm home, or +// // namespaces + +// // Here, we use a table driven test to iterate through all the required values as subtests. You can learn more about +// // go subtests here: https://blog.golang.org/subtests +// // The struct captures the inputs that we will pass to helm template and a human friendly name so we can identify it +// // in the test output. In this case, each test case will be a complete values input except for one of the required +// // values missing, to test that neglecting a required value will cause the template rendering to fail. 
+// testCases := []struct { +// name string +// values map[string]string +// }{ +// { +// "MissingContainerImageRepo", +// map[string]string{"containerImageTag": "1.15.8"}, +// }, +// { +// "MissingContainerImageTag", +// map[string]string{"containerImageRepo": "nginx"}, +// }, +// // { +// // "NotMissing", +// // map[string]string{"containerImageRepo": "nginx", "containerImageTag": "1.15.8"}, +// // }, +// } + +// // Now we iterate over each test case and spawn a sub test +// for _, testCase := range testCases { +// // Here, we capture the range variable and force it into the scope of this block. If we don't do this, when the +// // subtest switches contexts (because of t.Parallel), the testCase value will have been updated by the for loop +// // and will be the next testCase! +// testCase := testCase + +// // The actual sub test spawning. We name the sub test using the human friendly name. Note that we name the sub +// // test T struct to subT to make it clear which T struct corresponds to which test. However, in most cases you +// // will not reference the main test T so you can name it the same. +// t.Run(testCase.name, func(subT *testing.T) { +// subT.Parallel() + +// // Now we try rendering the template, but verify we get an error +// options := &helm.Options{SetValues: testCase.values} +// _, err := helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{}) +// require.Error(t, err) +// }) +// } +// } From 2e57203181e76f2921b243d7abc22b2221976c78 Mon Sep 17 00:00:00 2001 From: Anoop Gopalakrishnan Date: Wed, 25 Oct 2023 15:17:18 -0700 Subject: [PATCH 2/6] Fix: the helm command runner --- modules/helm/template.go | 2 +- test/helm_keda_remote_example_template_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/helm/template.go b/modules/helm/template.go index f313da8f3..55a4ca7c4 100644 --- a/modules/helm/template.go +++ b/modules/helm/template.go 
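Review bot: TestHelmKedaRemoteExampleTemplateRenderedDeployment renders whatever chart version https://kedacore.github.io/charts serves when the test runs, so its result can change without any change in this repository. Pin the chart through the variadic `extraHelmArgs`, for example `"--version", "2.12.0"` (the version the pasted sample output shows), so the test renders a known artifact. The commented-out sample manifest and the commented-out TestHelmKedaExampleTemplateRequiredTemplateArgs, which still refers to `helm-basic-example`, would be better removed than committed as dead code.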
@@ -107,7 +107,7 @@ func RenderRemoteTemplateE(t testing.TestingT, options *Options, chartURL string args = append(args, extraHelmArgs...) // ... and add the name and chart at the end as the command expects - args = append(args, chartURL, releaseName) + args = append(args, releaseName, "--repo", chartURL) // Finally, call out to helm template command return RunHelmCommandAndGetStdOutE(t, options, "template", args...) diff --git a/test/helm_keda_remote_example_template_test.go b/test/helm_keda_remote_example_template_test.go index 4d72e44d3..ab3fcb003 100644 --- a/test/helm_keda_remote_example_template_test.go +++ b/test/helm_keda_remote_example_template_test.go @@ -61,7 +61,7 @@ func TestHelmKedaRemoteExampleTemplateRenderedDeployment(t *testing.T) { // we want to assert that the template renders without any errors. // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles // arg to demonstrate how to select individual templates to render. - output := helm.RenderRemoteTemplate(t, options, "--repo https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yamll"}) + output := helm.RenderRemoteTemplate(t, options, "https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yamll"}) // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will // ensure the Deployment resource is rendered correctly. From 3af4232be92cf52d6603f325fed1da07db01db1b Mon Sep 17 00:00:00 2001 From: Jerome Guionnet Date: Wed, 25 Oct 2023 15:59:57 -0700 Subject: [PATCH 3/6] ReAdding template file filtering --- modules/helm/template.go | 22 +++++++++---------- .../helm_keda_remote_example_template_test.go | 2 +- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/helm/template.go b/modules/helm/template.go index 55a4ca7c4..95a727125 100644 --- a/modules/helm/template.go 
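Review bot: In the new `args = append(args, releaseName, "--repo", chartURL)` line helm receives only one positional argument, and `helm template` with a single positional treats it as the chart reference, not the release name, so `releaseName` ends up selecting the chart. The commented render output earlier in this series shows `app.kubernetes.io/instance: release-name`, which is consistent with that, although it may come from a different invocation. Taking the chart name as its own parameter would make the call explicit, e.g. `args = append(args, releaseName, chartName, "--repo", chartURL)`; that touches the signature of RenderRemoteTemplateE, which starts outside the hunk. Because the chart is fetched from a remote repository on every call, the doc comment should also tell callers to pin `--version` through `extraHelmArgs`.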
+++ b/modules/helm/template.go @@ -92,17 +92,17 @@ func RenderRemoteTemplateE(t testing.TestingT, options *Options, chartURL string if err != nil { return "", err } - // for _, templateFile := range templateFiles { - // // validate this is a valid template file - // absTemplateFile := filepath.Join(absChartDir, templateFile) - // if !strings.HasPrefix(templateFile, "charts") && !files.FileExists(absTemplateFile) { - // return "", errors.WithStackTrace(TemplateFileNotFoundError{Path: templateFile, ChartDir: absChartDir}) - // } - - // // Note: we only get the abs template file path to check it actually exists, but the `helm template` command - // // expects the relative path from the chart. - // args = append(args, "--show-only", templateFile) - // } + for _, templateFile := range templateFiles { + // validate this is a valid template file + // absTemplateFile := filepath.Join(absChartDir, templateFile) + // if !strings.HasPrefix(templateFile, "charts") && !files.FileExists(absTemplateFile) { + // return "", errors.WithStackTrace(TemplateFileNotFoundError{Path: templateFile, ChartDir: absChartDir}) + // } + + // Note: we only get the abs template file path to check it actually exists, but the `helm template` command + // expects the relative path from the chart. + args = append(args, "--show-only", templateFile) + } // deal extraHelmArgs args = append(args, extraHelmArgs...) diff --git a/test/helm_keda_remote_example_template_test.go b/test/helm_keda_remote_example_template_test.go index ab3fcb003..645fd633e 100644 --- a/test/helm_keda_remote_example_template_test.go +++ b/test/helm_keda_remote_example_template_test.go 
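Review bot: The re-enabled loop hands each `templateFile` straight to `--show-only` while the existence check stays commented out, and the comment kept above the `append` ("we only get the abs template file path to check it actually exists") no longer describes anything the code does. A remote chart has no local directory to check, so a mistyped path is presumably only caught by helm at render time. State that instead, e.g. `// Remote charts cannot be checked on disk; an unknown --show-only path is reported by helm itself.`, and delete the commented-out `absTemplateFile` block rather than carrying it as dead code. The loop sits inside RenderRemoteTemplateE, whose body starts and ends outside the hunk.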
@@ -61,7 +61,7 @@ func TestHelmKedaRemoteExampleTemplateRenderedDeployment(t *testing.T) { // we want to assert that the template renders without any errors. // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles // arg to demonstrate how to select individual templates to render. - output := helm.RenderRemoteTemplate(t, options, "https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yamll"}) + output := helm.RenderRemoteTemplate(t, options, "https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yaml"}) // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will // ensure the Deployment resource is rendered correctly. From c961d9b3f8a12994bfcfed46445e39b150456c16 Mon Sep 17 00:00:00 2001 From: Jerome Guionnet Date: Mon, 30 Oct 2023 16:13:05 -0700 Subject: [PATCH 4/6] adding test for template --- modules/helm/template_test.go | 68 +++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 modules/helm/template_test.go diff --git a/modules/helm/template_test.go b/modules/helm/template_test.go new file mode 100644 index 000000000..209eab690 --- /dev/null +++ b/modules/helm/template_test.go 
@@ -0,0 +1,68 @@
+//go:build kubeall || helm
+// +build kubeall helm
+
+// NOTE: we have build tags to differentiate kubernetes tests from non-kubernetes tests, and further differentiate helm
+// tests. This is done because minikube is heavy and can interfere with docker related tests in terratest. Similarly,
+// helm can overload the minikube system and thus interfere with the other kubernetes tests. To avoid overloading the
+// system, we run the kubernetes tests and helm tests separately from the others.
+
+package helm
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ appsv1 "k8s.io/api/apps/v1"
+
+ "github.com/gruntwork-io/terratest/modules/k8s"
+ "github.com/gruntwork-io/terratest/modules/random"
+)
+
+const (
+ remote2ChartSource = "https://charts.bitnami.com/bitnami"
+ remote2ChartName = "nginx"
+ remote2ChartVersion = "13.2.23"
+)
+
+// Test that we can render locally a remote chart (e.g bitnami/nginx)
+func TestRemoteChartRender(t *testing.T) {
+ t.Parallel()
+
+ namespaceName := fmt.Sprintf(
+ "%s-%s",
+ strings.ToLower(t.Name()),
+ strings.ToLower(random.UniqueId()),
+ )
+
+ releaseName := "keda"
+
+ options := &Options{
+ SetValues: map[string]string{
+ "metricsServer.replicaCount": "999",
+ "resources.metricServer.limits.memory": "1234Mi",
+ },
+ KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+ }
+
+ // Run RenderTemplate to render the template and capture the output. Note that we use the version without `E`, since
+ // we want to assert that the template renders without any errors.
+ // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles
+ // arg to demonstrate how to select individual templates to render.
+ output := RenderRemoteTemplate(t, options, "https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yaml"})
+
+ // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will
+ // ensure the Deployment resource is rendered correctly.
+ var deployment appsv1.Deployment
+ UnmarshalK8SYaml(t, output, &deployment)
+
+ // Verify the namespace matches the expected supplied namespace.
+ require.Equal(t, namespaceName, deployment.Namespace)
+
+ // Finally, we verify the deployment pod template spec is set to the expected container image value
+ var expectedMetricsServerReplica int32
+ expectedMetricsServerReplica = 999
+ deploymentMetricsServerReplica := *deployment.Spec.Replicas
+ require.Equal(t, expectedMetricsServerReplica, deploymentMetricsServerReplica)
+}
From 8ac7de77a4c29421e285fad4746bbfb25b7973e7 Mon Sep 17 00:00:00 2001
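Review bot: TestRemoteChartRender renders whatever chart version `https://kedacore.github.io/charts` serves at run time, because the `RenderRemoteTemplate` call pins no version; the `remote2ChartSource`, `remote2ChartName` and `remote2ChartVersion` constants declared above it describe a different chart and are never used. An unpinned remote dependency makes the test non-reproducible and lets an upstream chart change alter what the test exercises. If `RenderRemoteTemplate` forwards extra helm arguments the way RenderRemoteTemplateE appears to, pass `"--version", "2.12.0"` (the chart version this series vendored earlier), and either use or delete the constants. Separately, `*deployment.Spec.Replicas` panics if the rendered manifest omits `replicas`, so add `require.NotNil(t, deployment.Spec.Replicas)` before the dereference. The comment above that assertion should say it checks the replica count, not the container image.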
From: Jerome Guionnet Date: Wed, 1 Nov 2023 11:51:48 -0700 Subject: [PATCH 5/6] clean up --- examples/helm-keda/.helmignore | 23 - examples/helm-keda/Chart.yaml | 29 - examples/helm-keda/README.md | 351 - examples/helm-keda/README.md.gotmpl | 176 - examples/helm-keda/templates/NOTES.txt | 65 - examples/helm-keda/templates/_helpers.tpl | 25 - .../templates/cert-manager/keda-issuer.yaml | 14 - .../cert-manager/keda-tls-certificate.yaml | 34 - .../templates/cert-manager/self-ca.yaml | 22 - .../templates/cert-manager/self-issuer.yaml | 13 - .../crd-clustertriggerauthentications.yaml | 275 - .../templates/crds/crd-scaledjobs.yaml | 8378 ----------------- .../templates/crds/crd-scaledobjects.yaml | 406 - .../crds/crd-triggerauthentications.yaml | 274 - .../extensibility/extra-manifests.yaml | 4 - .../templates/manager/clusterrole.yaml | 180 - .../templates/manager/clusterrolebinding.yaml | 21 - .../templates/manager/deployment.yaml | 216 - .../manager/poddisruptionbudget.yaml | 32 - .../templates/manager/podmonitor.yaml | 39 - .../templates/manager/prometheusrules.yaml | 24 - .../helm-keda/templates/manager/role.yaml | 31 - .../templates/manager/rolebinding.yaml | 24 - .../helm-keda/templates/manager/service.yaml | 38 - .../templates/manager/servicemonitor.yaml | 60 - .../templates/metrics-server/apiservice.yaml | 30 - .../templates/metrics-server/clusterrole.yaml | 20 - .../metrics-server/clusterrolebinding.yaml | 62 - .../templates/metrics-server/deployment.yaml | 201 - .../metrics-server/poddisruptionbudget.yaml | 33 - .../templates/metrics-server/podmonitor.yaml | 39 - .../templates/metrics-server/service.yaml | 39 - .../metrics-server/servicemonitor.yaml | 60 - .../helm-keda/templates/serviceaccount.yaml | 49 - .../templates/webhooks/deployment.yaml | 169 - .../webhooks/poddisruptionbudget.yaml | 34 - .../templates/webhooks/prometheusrules.yaml | 26 - .../helm-keda/templates/webhooks/service.yaml | 41 - .../templates/webhooks/servicemonitor.yaml | 62 - 
.../webhooks/validatingconfiguration.yaml | 47 - examples/helm-keda/values.yaml | 690 -- modules/helm/template.go | 19 +- modules/helm/template_test.go | 31 +- 43 files changed, 23 insertions(+), 12383 deletions(-) delete mode 100644 examples/helm-keda/.helmignore delete mode 100644 examples/helm-keda/Chart.yaml delete mode 100644 examples/helm-keda/README.md delete mode 100644 examples/helm-keda/README.md.gotmpl delete mode 100644 examples/helm-keda/templates/NOTES.txt delete mode 100644 examples/helm-keda/templates/_helpers.tpl delete mode 100644 examples/helm-keda/templates/cert-manager/keda-issuer.yaml delete mode 100644 examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml delete mode 100644 examples/helm-keda/templates/cert-manager/self-ca.yaml delete mode 100644 examples/helm-keda/templates/cert-manager/self-issuer.yaml delete mode 100644 examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml delete mode 100644 examples/helm-keda/templates/crds/crd-scaledjobs.yaml delete mode 100644 examples/helm-keda/templates/crds/crd-scaledobjects.yaml delete mode 100644 examples/helm-keda/templates/crds/crd-triggerauthentications.yaml delete mode 100644 examples/helm-keda/templates/extensibility/extra-manifests.yaml delete mode 100644 examples/helm-keda/templates/manager/clusterrole.yaml delete mode 100644 examples/helm-keda/templates/manager/clusterrolebinding.yaml delete mode 100644 examples/helm-keda/templates/manager/deployment.yaml delete mode 100644 examples/helm-keda/templates/manager/poddisruptionbudget.yaml delete mode 100644 examples/helm-keda/templates/manager/podmonitor.yaml delete mode 100644 examples/helm-keda/templates/manager/prometheusrules.yaml delete mode 100644 examples/helm-keda/templates/manager/role.yaml delete mode 100644 examples/helm-keda/templates/manager/rolebinding.yaml delete mode 100644 examples/helm-keda/templates/manager/service.yaml delete mode 100644 
examples/helm-keda/templates/manager/servicemonitor.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/apiservice.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/clusterrole.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/deployment.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/podmonitor.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/service.yaml delete mode 100644 examples/helm-keda/templates/metrics-server/servicemonitor.yaml delete mode 100644 examples/helm-keda/templates/serviceaccount.yaml delete mode 100644 examples/helm-keda/templates/webhooks/deployment.yaml delete mode 100644 examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml delete mode 100644 examples/helm-keda/templates/webhooks/prometheusrules.yaml delete mode 100644 examples/helm-keda/templates/webhooks/service.yaml delete mode 100644 examples/helm-keda/templates/webhooks/servicemonitor.yaml delete mode 100644 examples/helm-keda/templates/webhooks/validatingconfiguration.yaml delete mode 100644 examples/helm-keda/values.yaml diff --git a/examples/helm-keda/.helmignore b/examples/helm-keda/.helmignore deleted file mode 100644 index a9f39f791..000000000 --- a/examples/helm-keda/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ -*.gotmpl diff --git a/examples/helm-keda/Chart.yaml b/examples/helm-keda/Chart.yaml deleted file mode 100644 index 33134cef8..000000000 
--- a/examples/helm-keda/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: v2 -name: keda -description: Event-based autoscaler for workloads on Kubernetes - -# Specify the Kubernetes version range that we support. -# We allow pre-release versions for cloud-specific Kubernetes versions such as v1.21.5-gke.1302 or v1.18.9-eks-d1db3c -kubeVersion: ">=v1.23.0-0" - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -version: 2.12.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. -appVersion: 2.12.0 - -home: https://github.com/kedacore/keda -icon: https://raw.githubusercontent.com/kedacore/keda/main/images/keda-logo-500x500-white.png -sources: - - https://github.com/kedacore/keda -maintainers: - - name: Ahmed ElSayed - email: ahmels@microsoft.com - - name: Jorge Turrado - email: jorge_turrado@hotmail.es - - name: Tom Kerkhove - email: kerkhove.tom@gmail.com - - name: Zbynek Roubalik - email: zbynek@kedify.io diff --git a/examples/helm-keda/README.md b/examples/helm-keda/README.md deleted file mode 100644 index 3e85ca0a0..000000000 --- a/examples/helm-keda/README.md +++ /dev/null @@ -1,351 +0,0 @@ -

-

Kubernetes-based Event Driven Autoscaling

- -KEDA allows for fine grained autoscaling (including to/from zero) for event driven Kubernetes workloads. KEDA serves as a Kubernetes Metrics Server and allows users to define autoscaling rules using a dedicated Kubernetes custom resource definition. - -KEDA can run on both the cloud and the edge, integrates natively with Kubernetes components such as the Horizontal Pod Autoscaler, and has no external dependencies. - ---- -

-We are a Cloud Native Computing Foundation (CNCF) graduated project. - - -

- ---- - -## TL;DR - -```console -helm repo add kedacore https://kedacore.github.io/charts -helm repo update - -kubectl create namespace keda -helm install keda kedacore/keda --namespace keda --version 2.12.0 -``` - -## Introduction - -This chart bootstraps KEDA infrastructure on a Kubernetes cluster using the Helm package manager. - -As part of that, it will install all the required Custom Resource Definitions (CRD). - -## Installing the Chart - -To install the chart with the release name `keda`: - -```console -$ kubectl create namespace keda -$ helm install keda kedacore/keda --namespace keda --version 2.12.0 -``` - -## Uninstalling the Chart - -To uninstall/delete the `keda` Helm chart: - -```console -helm uninstall keda -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the KEDA chart and -their default values. - -### General parameters - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -| `additionalAnnotations` | object | `{}` | Custom annotations to add into metadata | -| `additionalLabels` | object | `{}` | Custom labels to add into metadata | -| `affinity` | object | `{}` | [Affinity] for pod scheduling for both KEDA operator and Metrics API Server | -| `asciiArt` | bool | `true` | Capability to turn on/off ASCII art in Helm installation notes | -| `certificates.autoGenerated` | bool | `true` | Enables the self generation for KEDA TLS certificates inside KEDA operator | -| `certificates.certManager.caSecretName` | string | `"kedaorg-ca"` | Secret name where the CA is stored (generatedby cert-manager or user given) | -| `certificates.certManager.enabled` | bool | `false` | Enables Cert-manager for certificate management | -| `certificates.certManager.generateCA` | bool | `true` | Generates a self-signed CA with Cert-manager. 
If generateCA is false, the secret with the CA has to be annotated with `cert-manager.io/allow-direct-injection: "true"` | -| `certificates.certManager.secretTemplate` | object | `{}` | Add labels/annotations to secrets created by Certificate resources [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) | -| `certificates.mountPath` | string | `"/certs"` | Path where KEDA TLS certificates are mounted | -| `certificates.secretName` | string | `"kedaorg-certs"` | Secret name to be mounted with KEDA TLS certificates | -| `clusterDomain` | string | `"cluster.local"` | Kubernetes cluster domain | -| `crds.install` | bool | `true` | Defines whether the KEDA CRDs have to be installed or not. | -| `env` | list | `[]` | Additional environment variables that will be passed onto all KEDA components | -| `extraObjects` | list | `[]` | Array of extra K8s manifests to deploy | -| `grpcTLSCertsSecret` | string | `""` | Set this if you are using an external scaler and want to communicate over TLS (recommended). This variable holds the name of the secret that will be mounted to the /grpccerts path on the Pod | -| `hashiCorpVaultTLS` | string | `""` | Set this if you are using HashiCorp Vault and want to communicate over TLS (recommended). This variable holds the name of the secret that will be mounted to the /vault path on the Pod | -| `http.keepAlive.enabled` | bool | `true` | Enable HTTP connection keep alive | -| `http.minTlsVersion` | string | `"TLS12"` | The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) | -| `http.timeout` | int | `3000` | The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. 
These have built-in HTTP clients, and the timeout does not necessarily apply to them) | -| `image.pullPolicy` | string | `"Always"` | Image pullPolicy for all KEDA components | -| `imagePullSecrets` | list | `[]` | Name of secret to use to pull images to use to pull Docker images | -| `nodeSelector` | object | `{}` | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) | -| `podIdentity.activeDirectory.identity` | string | `""` | Identity in Azure Active Directory to use for Azure pod identity | -| `podIdentity.aws.irsa.audience` | string | `"sts.amazonaws.com"` | Sets the token audience for IRSA. This will be set as an annotation on the KEDA service account. | -| `podIdentity.aws.irsa.enabled` | bool | `false` | Specifies whether [AWS IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) is to be enabled or not. | -| `podIdentity.aws.irsa.roleArn` | string | `""` | Set to the value of the ARN of an IAM role with a web identity provider. This will be set as an annotation on the KEDA service account. | -| `podIdentity.aws.irsa.stsRegionalEndpoints` | string | `"true"` | Sets the use of an STS regional endpoint instead of global. Recommended to use regional endpoint in almost all cases. This will be set as an annotation on the KEDA service account. | -| `podIdentity.aws.irsa.tokenExpiration` | int | `86400` | Set to the value of the service account token expiration duration. This will be set as an annotation on the KEDA service account. | -| `podIdentity.azureWorkload.clientId` | string | `""` | Id of Azure Active Directory Client to use for authentication with Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | -| `podIdentity.azureWorkload.enabled` | bool | `false` | Set to true to enable Azure Workload Identity usage. 
See https://keda.sh/docs/concepts/authentication/#azure-workload-identity This will be set as a label on the KEDA service account. | -| `podIdentity.azureWorkload.tenantId` | string | `""` | Id Azure Active Directory Tenant to use for authentication with for Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | -| `podIdentity.azureWorkload.tokenExpiration` | int | `3600` | Duration in seconds to automatically expire tokens for the service account. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity)) | -| `podIdentity.gcp.enabled` | bool | `false` | Set to true to enable GCP Workload Identity. See https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/ This will be set as a annotation on the KEDA service account. | -| `podIdentity.gcp.gcpIAMServiceAccount` | string | `""` | GCP IAM Service Account Email which you would like to use for workload identity. | -| `podSecurityContext` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] for all pods | -| `priorityClassName` | string | `""` | priorityClassName for all KEDA components | -| `rbac.aggregateToDefaultRoles` | bool | `false` | Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) | -| `rbac.create` | bool | `true` | Specifies whether RBAC should be used | -| `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers | -| `serviceAccount.annotations` | object | `{}` | Annotations to add to the service account | -| `serviceAccount.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | -| `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created | -| `serviceAccount.name` | string | `"keda-operator"` | The name of the 
service account to use. If not set and create is true, a name is generated using the fullname template | -| `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | -| `watchNamespace` | string | `""` | Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces | - -### Operator - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -| `extraArgs.keda` | object | `{}` | Additional KEDA Operator container arguments | -| `image.keda.repository` | string | `"ghcr.io/kedacore/keda"` | Image name of KEDA operator | -| `image.keda.tag` | string | `""` | Image tag of KEDA operator. Optional, given app version of Helm chart is used by default | -| `logging.operator.format` | string | `"console"` | Logging format for KEDA Operator. allowed values: `json` or `console` | -| `logging.operator.level` | string | `"info"` | Logging level for KEDA Operator. allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string | -| `logging.operator.timeEncoding` | string | `"rfc3339"` | Logging time encoding for KEDA Operator. allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` | -| `operator.affinity` | object | `{}` | [Affinity] for pod scheduling for KEDA operator. 
Takes precedence over the `affinity` field | -| `operator.livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":25,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) | -| `operator.name` | string | `"keda-operator"` | Name of the KEDA operator | -| `operator.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | -| `operator.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA operator. While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). 
| -| `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | -| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator | -| `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator | -| `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] | -| `podLabels.keda` | object | `{}` | Pod labels for KEDA operator | -| `podSecurityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA operator pod | -| `resources.operator` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA operator pod | -| `securityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the operator container | -| `topologySpreadConstraints.operator` | list | `[]` | [Pod Topology Constraints] of KEDA operator pod | -| `upgradeStrategy.operator` | object | `{}` | Capability to configure [Deployment upgrade strategy] for operator | -| `volumes.keda.extraVolumeMounts` | list | `[]` | Extra volume mounts for KEDA deployment | -| `volumes.keda.extraVolumes` | list | `[]` | Extra volumes for KEDA deployment | - -### Metrics server - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -| `extraArgs.metricsAdapter` | object | `{}` | Additional Metrics Adapter container arguments | -| `image.metricsApiServer.repository` | string | `"ghcr.io/kedacore/keda-metrics-apiserver"` | Image name of KEDA Metrics API Server | -| `image.metricsApiServer.tag` | string | `""` | Image tag of KEDA Metrics API Server. Optional, given app version of Helm chart is used by default | -| `logging.metricServer.level` | int | `0` | Logging level for Metrics Server. 
allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string | -| `metricsServer.affinity` | object | `{}` | [Affinity] for pod scheduling for Metrics API Server. Takes precedence over the `affinity` field | -| `metricsServer.dnsPolicy` | string | `"ClusterFirst"` | Defined the DNS policy for the metric server | -| `metricsServer.livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) | -| `metricsServer.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | -| `metricsServer.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA metric server. While you can run more replicas of our metric server, only one instance will used and serve traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). 
| -| `metricsServer.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | -| `metricsServer.useHostNetwork` | bool | `false` | Enable metric server to use host network | -| `permissions.metricServer.restrict.secret` | bool | `false` | Restrict Secret Access for Metrics Server | -| `podAnnotations.metricsAdapter` | object | `{}` | Pod annotations for KEDA Metrics Adapter | -| `podDisruptionBudget.metricServer` | object | `{}` | Capability to configure [Pod Disruption Budget] | -| `podLabels.metricsAdapter` | object | `{}` | Pod labels for KEDA Metrics Adapter | -| `podSecurityContext.metricServer` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA metrics apiserver pod | -| `resources.metricServer` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA metrics apiserver pod | -| `securityContext.metricServer` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the metricServer container | -| `service.annotations` | object | `{}` | Annotations to add the KEDA Metric Server service | -| `service.portHttps` | int | `443` | HTTPS port for KEDA Metric Server service | -| `service.portHttpsTarget` | int | `6443` | HTTPS port for KEDA Metric Server container | -| `service.type` | string | `"ClusterIP"` | KEDA Metric Server service type | -| `topologySpreadConstraints.metricsServer` | list | `[]` | [Pod Topology Constraints] of KEDA metrics apiserver pod | -| `upgradeStrategy.metricsApiServer` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Metrics Api Server | -| `volumes.metricsApiServer.extraVolumeMounts` | list | `[]` | Extra volume mounts for metric server deployment | -| `volumes.metricsApiServer.extraVolumes` | list | `[]` | Extra volumes for metric server deployment | - -### Operations - -| Parameter | Type | Default | Description | 
-|-----------|------|---------|-------------| -| `opentelemetry.collector.uri` | string | `""` | Uri of OpenTelemetry Collector to push telemetry to | -| `opentelemetry.operator.enabled` | bool | `false` | Enable pushing metrics to an OpenTelemetry Collector for operator | -| `prometheus.metricServer.enabled` | bool | `false` | Enable metric server Prometheus metrics expose | -| `prometheus.metricServer.podMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using podMonitor crd (prometheus operator) | -| `prometheus.metricServer.podMonitor.enabled` | bool | `false` | Enables PodMonitor creation for the Prometheus Operator | -| `prometheus.metricServer.podMonitor.interval` | string | `""` | Scraping interval for metric server using podMonitor crd (prometheus operator) | -| `prometheus.metricServer.podMonitor.namespace` | string | `""` | Scraping namespace for metric server using podMonitor crd (prometheus operator) | -| `prometheus.metricServer.podMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server podMonitor crd (prometheus operator) | -| `prometheus.metricServer.podMonitor.scrapeTimeout` | string | `""` | Scraping timeout for metric server using podMonitor crd (prometheus operator) | -| `prometheus.metricServer.port` | int | `8080` | HTTP port used for exposing metrics server prometheus metrics | -| `prometheus.metricServer.portName` | string | `"metrics"` | HTTP port name for exposing metrics server prometheus metrics | -| `prometheus.metricServer.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | -| `prometheus.metricServer.serviceMonitor.enabled` | bool | `false` | Enables ServiceMonitor creation for the Prometheus Operator | -| `prometheus.metricServer.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global 
scrape interval is used. | -| `prometheus.metricServer.serviceMonitor.jobLabel` | string | `""` | JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | -| `prometheus.metricServer.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | -| `prometheus.metricServer.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. Mutually exclusive with targetPort | -| `prometheus.metricServer.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.metricServer.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.metricServer.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | -| `prometheus.metricServer.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | -| `prometheus.metricServer.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. 
Mutually exclusive with port | -| `prometheus.operator.enabled` | bool | `false` | Enable KEDA Operator prometheus metrics expose | -| `prometheus.operator.podMonitor.additionalLabels` | object | `{}` | Additional labels to add for KEDA Operator using podMonitor crd (prometheus operator) | -| `prometheus.operator.podMonitor.enabled` | bool | `false` | Enables PodMonitor creation for the Prometheus Operator | -| `prometheus.operator.podMonitor.interval` | string | `""` | Scraping interval for KEDA Operator using podMonitor crd (prometheus operator) | -| `prometheus.operator.podMonitor.namespace` | string | `""` | Scraping namespace for KEDA Operator using podMonitor crd (prometheus operator) | -| `prometheus.operator.podMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for KEDA Operator podMonitor crd (prometheus operator) | -| `prometheus.operator.podMonitor.scrapeTimeout` | string | `""` | Scraping timeout for KEDA Operator using podMonitor crd (prometheus operator) | -| `prometheus.operator.port` | int | `8080` | Port used for exposing KEDA Operator prometheus metrics | -| `prometheus.operator.prometheusRules.additionalLabels` | object | `{}` | Additional labels to add for KEDA Operator using prometheusRules crd (prometheus operator) | -| `prometheus.operator.prometheusRules.alerts` | list | `[]` | Additional alerts to add for KEDA Operator using prometheusRules crd (prometheus operator) | -| `prometheus.operator.prometheusRules.enabled` | bool | `false` | Enables PrometheusRules creation for the Prometheus Operator | -| `prometheus.operator.prometheusRules.namespace` | string | `""` | Scraping namespace for KEDA Operator using prometheusRules crd (prometheus operator) | -| `prometheus.operator.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | -| `prometheus.operator.serviceMonitor.enabled` | bool | `false` | Enables 
ServiceMonitor creation for the Prometheus Operator | -| `prometheus.operator.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. | -| `prometheus.operator.serviceMonitor.jobLabel` | string | `""` | JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | -| `prometheus.operator.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | -| `prometheus.operator.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. Mutually exclusive with targetPort | -| `prometheus.operator.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.operator.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.operator.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | -| `prometheus.operator.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | -| `prometheus.operator.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. 
Mutually exclusive with port | -| `prometheus.webhooks.enabled` | bool | `false` | Enable KEDA admission webhooks prometheus metrics expose | -| `prometheus.webhooks.port` | int | `8080` | Port used for exposing KEDA admission webhooks prometheus metrics | -| `prometheus.webhooks.prometheusRules.additionalLabels` | object | `{}` | Additional labels to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | -| `prometheus.webhooks.prometheusRules.alerts` | list | `[]` | Additional alerts to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | -| `prometheus.webhooks.prometheusRules.enabled` | bool | `false` | Enables PrometheusRules creation for the Prometheus Operator | -| `prometheus.webhooks.prometheusRules.namespace` | string | `""` | Scraping namespace for KEDA admission webhooks using prometheusRules crd (prometheus operator) | -| `prometheus.webhooks.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | -| `prometheus.webhooks.serviceMonitor.enabled` | bool | `false` | Enables ServiceMonitor creation for the Prometheus webhooks | -| `prometheus.webhooks.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. | -| `prometheus.webhooks.serviceMonitor.jobLabel` | string | `""` | jobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | -| `prometheus.webhooks.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | -| `prometheus.webhooks.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. 
Mutually exclusive with targetPort | -| `prometheus.webhooks.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.webhooks.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.webhooks.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | -| `prometheus.webhooks.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | -| `prometheus.webhooks.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. Mutually exclusive with port | - -### Admission Webhooks - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -| `image.webhooks.repository` | string | `"ghcr.io/kedacore/keda-admission-webhooks"` | Image name of KEDA admission-webhooks | -| `image.webhooks.tag` | string | `""` | Image tag of KEDA admission-webhooks . Optional, given app version of Helm chart is used by default | -| `logging.webhooks.format` | string | `"console"` | Logging format for KEDA Admission webhooks. allowed values: `json` or `console` | -| `logging.webhooks.level` | string | `"info"` | Logging level for KEDA Operator. allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string | -| `logging.webhooks.timeEncoding` | string | `"rfc3339"` | Logging time encoding for KEDA Operator. 
allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` | -| `podAnnotations.webhooks` | object | `{}` | Pod annotations for KEDA Admission webhooks | -| `podDisruptionBudget.webhooks` | object | `{}` | Capability to configure [Pod Disruption Budget] | -| `podLabels.webhooks` | object | `{}` | Pod labels for KEDA Admission webhooks | -| `podSecurityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA admission webhooks | -| `prometheus.webhooks.enabled` | bool | `false` | Enable KEDA admission webhooks prometheus metrics expose | -| `prometheus.webhooks.port` | int | `8080` | Port used for exposing KEDA admission webhooks prometheus metrics | -| `prometheus.webhooks.prometheusRules.additionalLabels` | object | `{}` | Additional labels to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | -| `prometheus.webhooks.prometheusRules.alerts` | list | `[]` | Additional alerts to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) | -| `prometheus.webhooks.prometheusRules.enabled` | bool | `false` | Enables PrometheusRules creation for the Prometheus Operator | -| `prometheus.webhooks.prometheusRules.namespace` | string | `""` | Scraping namespace for KEDA admission webhooks using prometheusRules crd (prometheus operator) | -| `prometheus.webhooks.serviceMonitor.additionalLabels` | object | `{}` | Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) | -| `prometheus.webhooks.serviceMonitor.enabled` | bool | `false` | Enables ServiceMonitor creation for the Prometheus webhooks | -| `prometheus.webhooks.serviceMonitor.interval` | string | `""` | Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. 
| -| `prometheus.webhooks.serviceMonitor.jobLabel` | string | `""` | jobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] | -| `prometheus.webhooks.serviceMonitor.podTargetLabels` | list | `[]` | PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics | -| `prometheus.webhooks.serviceMonitor.port` | string | `"metrics"` | Name of the service port this endpoint refers to. Mutually exclusive with targetPort | -| `prometheus.webhooks.serviceMonitor.relabelings` | list | `[]` | List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.webhooks.serviceMonitor.relabellings` | list | `[]` | DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] | -| `prometheus.webhooks.serviceMonitor.scrapeTimeout` | string | `""` | Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used | -| `prometheus.webhooks.serviceMonitor.targetLabels` | list | `[]` | TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics | -| `prometheus.webhooks.serviceMonitor.targetPort` | string | `""` | Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. 
Mutually exclusive with port | -| `resources.webhooks` | object | `{"limits":{"cpu":"50m","memory":"100Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}` | Manage [resource request & limits] of KEDA admission webhooks pod | -| `securityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the admission webhooks container | -| `topologySpreadConstraints.webhooks` | list | `[]` | [Pod Topology Constraints] of KEDA admission webhooks pod | -| `upgradeStrategy.webhooks` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Admission webhooks | -| `volumes.webhooks.extraVolumeMounts` | list | `[]` | Extra volume mounts for admission webhooks deployment | -| `volumes.webhooks.extraVolumes` | list | `[]` | Extra volumes for admission webhooks deployment | -| `webhooks.affinity` | object | `{}` | [Affinity] for pod scheduling for KEDA admission webhooks. Takes precedence over the `affinity` field | -| `webhooks.enabled` | bool | `true` | Enable admission webhooks (this feature option will be removed in v2.12) | -| `webhooks.failurePolicy` | string | `"Ignore"` | [Failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) to use with KEDA admission webhooks | -| `webhooks.healthProbePort` | int | `8081` | Port number to use for KEDA admission webhooks health probe | -| `webhooks.livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":25,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)) | -| `webhooks.name` | string | `"keda-admission-webhooks"` | Name of the KEDA admission webhooks | -| `webhooks.port` | string | `""` | Port number to use for KEDA admission webhooks. Default is 9443. 
| -| `webhooks.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | -| `webhooks.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA admission webhooks | -| `webhooks.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | -| `webhooks.useHostNetwork` | bool | `false` | Enable webhook to use host network, this is required on EKS with custom CNI | - -Specify each parameter using the `--set key=value[,key=value]` argument to -`helm install`. For example: - -```console -$ helm install keda kedacore/keda --namespace keda \ - --set image.keda.tag= \ - --set image.metricsApiServer.tag= \ - --set image.webhooks.tag= -``` - -Alternatively, a YAML file that specifies the values for the above parameters can -be provided while installing the chart. For example, - -```console -helm install keda kedacore/keda --namespace keda -f values.yaml -``` - -## KEDA is secure by default - -Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default: -```yaml -securityContext: - operator: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - metricServer: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - ## Metrics server needs to write the self-signed cert. See FAQ for discussion of options. 
- # readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - webhooks: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - -podSecurityContext: - operator: - runAsNonRoot: true - metricServer: - runAsNonRoot: true - webhooks: - runAsNonRoot: true -``` - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) - -[Affinity]: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ -[Deployment upgrade strategy]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy -[GCP Workload Identity]: https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/ -[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ -[Pod security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -[Security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -[Pod Topology Constraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -[RelabelConfig Spec]: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.RelabelConfig -[resource request & limits]: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -[ServiceMonitor Spec]: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor diff --git a/examples/helm-keda/README.md.gotmpl b/examples/helm-keda/README.md.gotmpl deleted file mode 100644 index ba7073b2e..000000000 --- a/examples/helm-keda/README.md.gotmpl +++ /dev/null @@ -1,176 +0,0 @@ -

-

Kubernetes-based Event Driven Autoscaling

- -KEDA allows for fine grained autoscaling (including to/from zero) for event driven Kubernetes workloads. KEDA serves as a Kubernetes Metrics Server and allows users to define autoscaling rules using a dedicated Kubernetes custom resource definition. - -KEDA can run on both the cloud and the edge, integrates natively with Kubernetes components such as the Horizontal Pod Autoscaler, and has no external dependencies. - ---- -

-We are a Cloud Native Computing Foundation (CNCF) graduated project. - - -

- ---- - -## TL;DR - -```console -helm repo add kedacore https://kedacore.github.io/charts -helm repo update - -kubectl create namespace keda -helm install keda kedacore/keda --namespace keda --version {{ template "chart.appVersion" . }} -``` - -## Introduction - -This chart bootstraps KEDA infrastructure on a Kubernetes cluster using the Helm package manager. - -As part of that, it will install all the required Custom Resource Definitions (CRD). - -## Installing the Chart - -To install the chart with the release name `keda`: - -```console -$ kubectl create namespace keda -$ helm install keda kedacore/keda --namespace keda --version {{ template "chart.appVersion" . }} -``` - -## Uninstalling the Chart - -To uninstall/delete the `keda` Helm chart: - -```console -helm uninstall keda -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the KEDA chart and -their default values. - -### General parameters - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -{{- range .Values }} - {{- if not (or (contains "operator" .Key) (contains "keda" .Key) (contains "opentelemetry" .Key) (contains "prometheus" .Key) (contains "metricServer" .Key) (contains "metricsServer" .Key) (contains "metricsApiServer" .Key) (contains "metricsAdapter" .Key) (contains "webhooks" .Key) (hasPrefix "service." 
.Key) ) }} -| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | - {{- end }} -{{- end }} - -### Operator - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -{{- range .Values }} - {{- if and (or (contains "operator" .Key) (contains "keda" .Key)) (not (or (contains "opentelemetry" .Key) (contains "prometheus" .Key))) }} -| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | - {{- end }} -{{- end }} - -### Metrics server - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -{{- range .Values }} - {{- if and (or (contains "metricServer" .Key) (contains "metricsServer" .Key) (contains "metricsApiServer" .Key) (contains "metricsAdapter" .Key) (hasPrefix "service." 
.Key)) (not (or (contains "opentelemetry" .Key) (contains "prometheus" .Key)))}} -| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | - {{- end }} -{{- end }} - -### Operations - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -{{- range .Values }} - {{- if or (contains "opentelemetry" .Key) (contains "prometheus" .Key) }} -| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | - {{- end }} -{{- end }} - -### Admission Webhooks - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -{{- range .Values }} - {{- if contains "webhooks" .Key }} -| `{{ .Key }}` | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | - {{- end }} -{{- end }} - -Specify each parameter using the `--set key=value[,key=value]` argument to -`helm install`. For example: - -```console -$ helm install keda kedacore/keda --namespace keda \ - --set image.keda.tag= \ - --set image.metricsApiServer.tag= \ - --set image.webhooks.tag= -``` - -Alternatively, a YAML file that specifies the values for the above parameters can -be provided while installing the chart. For example, - -```console -helm install keda kedacore/keda --namespace keda -f values.yaml -``` - -## KEDA is secure by default - -Our default configuration strives to be as secure as possible. 
Because of that, KEDA will run as non-root and be secure-by-default: -```yaml -securityContext: - operator: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - metricServer: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - ## Metrics server needs to write the self-signed cert. See FAQ for discussion of options. - # readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - webhooks: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - -podSecurityContext: - operator: - runAsNonRoot: true - metricServer: - runAsNonRoot: true - webhooks: - runAsNonRoot: true -``` - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs) - -[Affinity]: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ -[Deployment upgrade strategy]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy -[GCP Workload Identity]: https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/ -[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ -[Pod security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -[Security context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -[Pod Topology Constraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -[RelabelConfig Spec]: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.RelabelConfig -[resource request & limits]: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -[ServiceMonitor Spec]: 
https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor diff --git a/examples/helm-keda/templates/NOTES.txt b/examples/helm-keda/templates/NOTES.txt deleted file mode 100644 index 0e4c8e0a5..000000000 --- a/examples/helm-keda/templates/NOTES.txt +++ /dev/null 
@@ -1,65 +0,0 @@ -{{- if .Values.asciiArt }} -:::^. .::::^: ::::::::::::::: .:::::::::. .^. -7???~ .^7????~. 7??????????????. :?????????77!^. .7?7. -7???~ ^7???7~. ~!!!!!!!!!!!!!!. :????!!!!7????7~. .7???7. -7???~^7????~. :????: :~7???7. :7?????7. -7???7????!. ::::::::::::. :????: .7???! :7??77???7. -7????????7: 7???????????~ :????: :????: :???7?5????7. -7????!~????^ !77777777777^ :????: :????: ^???7?#P7????7. -7???~ ^????~ :????: :7???! ^???7J#@J7?????7. -7???~ :7???!. :????: .:~7???!. ~???7Y&@#7777????7. -7???~ .7???7: !!!!!!!!!!!!!!! :????7!!77????7^ ~??775@@@GJJYJ?????7. -7???~ .!????^ 7?????????????7. :?????????7!~: !????G@@@@@@@@5??????7: -::::. ::::: ::::::::::::::: .::::::::.. .::::JGGGB@@@&7::::::::: - ?@@#~ - P@B^ - :&G: - !5. - . -{{- end -}} - -Kubernetes Event-driven Autoscaling (KEDA) - Application autoscaling made simple. - -Get started by deploying Scaled Objects to your cluster: - - Information about Scaled Objects : https://keda.sh/docs/latest/concepts/ - - Samples: https://github.com/kedacore/samples - -Get information about the deployed ScaledObjects: - kubectl get scaledobject [--namespace ] - -Get details about a deployed ScaledObject: - kubectl describe scaledobject [--namespace ] - -Get information about the deployed ScaledObjects: - kubectl get triggerauthentication [--namespace ] - -Get details about a deployed ScaledObject: - kubectl describe triggerauthentication [--namespace ] - -Get an overview of the Horizontal Pod Autoscalers (HPA) that KEDA is using behind the scenes: - kubectl get hpa [--all-namespaces] [--namespace ] - -{{- if .Values.prometheus.operator.serviceMonitor.relabellings}} -------------------------------------------------------------------------------------- -WARNING - prometheus.operator.serviceMonitor.relabellings is deprecated, please migrate to prometheus.operator.serviceMonitor.relabelings instead. 
-------------------------------------------------------------------------------------- -{{- end }} -{{- if .Values.prometheus.metricServer.serviceMonitor.relabellings}} -WARNING - prometheus.metricServer.serviceMonitor.relabellings is deprecated, please migrate to prometheus.metricServer.serviceMonitor.relabelings instead. -{{- end }} -{{- if .Values.prometheus.webhooks.serviceMonitor.relabellings}} -------------------------------------------------------------------------------------- -WARNING - prometheus.webhooks.serviceMonitor.relabellings is deprecated, please migrate to prometheus.webhooks.serviceMonitor.relabelings instead. -------------------------------------------------------------------------------------- -{{- end }} - -{{- if lt .Capabilities.KubeVersion.Minor "26" }} -------------------------------------------------------------------------------------- -WARNING - Running on unsupported Kubernetes version "1.{{.Capabilities.KubeVersion.Minor}}". KEDA 2.12 is supported and tested on Kubernetes "1.26" or higher. See https://keda.sh/docs/2.12/operate/cluster/ for details. -------------------------------------------------------------------------------------- -{{- end }} - -Learn more about KEDA: -- Documentation: https://keda.sh/ -- Support: https://keda.sh/support/ -- File an issue: https://github.com/kedacore/keda/issues/new/choose diff --git a/examples/helm-keda/templates/_helpers.tpl b/examples/helm-keda/templates/_helpers.tpl deleted file mode 100644 index 1fb210c78..000000000 --- a/examples/helm-keda/templates/_helpers.tpl +++ /dev/null 
@@ -1,25 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "keda.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Generate basic labels
-*/}}
-{{- define "keda.labels" }}
-helm.sh/chart: {{ include "keda.chart" . }}
-app.kubernetes.io/component: operator
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Values.operator.name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion }}
-{{- end }}
-{{- if .Values.additionalLabels }}
-{{ toYaml .Values.additionalLabels }}
-{{- end }}
-{{- end }}
diff --git a/examples/helm-keda/templates/cert-manager/keda-issuer.yaml b/examples/helm-keda/templates/cert-manager/keda-issuer.yaml
deleted file mode 100644
index 3840f2761..000000000
--- a/examples/helm-keda/templates/cert-manager/keda-issuer.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.certificates.certManager.enabled }}
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- name: {{ .Values.operator.name }}-issuer
- namespace: {{ .Release.Namespace }}
-spec:
- ca:
- secretName: {{ .Values.certificates.certManager.caSecretName }}
-{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml b/examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml
deleted file mode 100644
index 8b4e210fd..000000000
--- a/examples/helm-keda/templates/cert-manager/keda-tls-certificate.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.certificates.certManager.enabled }}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ .Values.operator.name }}-tls-certificates
- namespace: {{ .Release.Namespace }}
-spec:
- commonName: {{ .Values.operator.name }}
- dnsNames:
- - {{ .Values.operator.name }}.{{ .Release.Namespace }}
- - {{ .Values.operator.name }}.{{ .Release.Namespace }}.svc
- - {{ .Values.operator.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
- - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}
- - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}.svc
- - {{ .Values.operator.name }}-metrics-apiserver.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
- - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}
- - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}.svc
- - {{ .Values.webhooks.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
- secretName: {{ .Values.certificates.secretName }}
- secretTemplate:
- {{- toYaml .Values.certificates.certManager.secretTemplate | nindent 4 }}
- usages:
- - server auth
- - client auth
- privateKey:
- algorithm: RSA
- size: 2048
- duration: 8760h0m0s # 1 year
- renewBefore: 5840h0m0s # 8 months
- issuerRef:
- name: {{ .Values.operator.name }}-issuer
- kind: Issuer
- group: cert-manager.io
-{{- end }}
diff --git a/examples/helm-keda/templates/cert-manager/self-ca.yaml b/examples/helm-keda/templates/cert-manager/self-ca.yaml
deleted file mode 100644
index 7bde59bcd..000000000
--- a/examples/helm-keda/templates/cert-manager/self-ca.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ .Values.operator.name }}-ca
- namespace: {{ .Release.Namespace }}
-spec:
- isCA: true
- commonName: {{ .Values.operator.name }}
- secretName: {{ .Values.certificates.certManager.caSecretName }}
- secretTemplate:
- {{- toYaml .Values.certificates.certManager.secretTemplate | nindent 4 }}
- privateKey:
- algorithm: RSA
- size: 2048
- duration: 8760h0m0s # 1 year
- renewBefore: 5840h0m0s # 8 months
- issuerRef:
- name: {{ .Values.operator.name }}-selfsigned-issuer
- kind: Issuer
- group: cert-manager.io
-{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/cert-manager/self-issuer.yaml b/examples/helm-keda/templates/cert-manager/self-issuer.yaml
deleted file mode 100644
index b2ce2a559..000000000
--- a/examples/helm-keda/templates/cert-manager/self-issuer.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- name: {{ .Values.operator.name }}-selfsigned-issuer
- namespace: {{ .Release.Namespace }}
-spec:
- selfSigned: {}
-{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml b/examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml
deleted file mode 100644
index 792a7d183..000000000
--- a/examples/helm-keda/templates/crds/crd-clustertriggerauthentications.yaml
+++ /dev/null
@@ -1,275 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - {{- if .Values.additionalAnnotations }} - {{- toYaml .Values.additionalAnnotations | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: clustertriggerauthentications.keda.sh -spec: - group: keda.sh - names: - kind: ClusterTriggerAuthentication - listKind: ClusterTriggerAuthenticationList - plural: clustertriggerauthentications - shortNames: - - cta - - clustertriggerauth - singular: clustertriggerauthentication - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.podIdentity.provider - name: PodIdentity - type: string - - jsonPath: .spec.secretTargetRef[*].name - name: Secret - type: string - - jsonPath: .spec.env[*].name - name: Env - type: string - - jsonPath: .spec.hashiCorpVault.address - name: VaultAddress - type: string - - jsonPath: .status.scaledobjects - name: ScaledObjects - priority: 1 - type: string - - jsonPath: .status.scaledjobs - name: ScaledJobs - priority: 1 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterTriggerAuthentication defines how a trigger can authenticate - globally - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TriggerAuthenticationSpec defines the various ways to authenticate - properties: - azureKeyVault: - description: AzureKeyVault is used to authenticate using Azure Key - Vault - properties: - cloud: - properties: - activeDirectoryEndpoint: - type: string - keyVaultResourceURL: - type: string - type: - type: string - required: - - type - type: object - credentials: - properties: - clientId: - type: string - clientSecret: - properties: - valueFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - required: - - secretKeyRef - type: object - required: - - valueFrom - type: object - tenantId: - type: string - required: - - clientId - - clientSecret - - tenantId - type: object - podIdentity: - description: AuthPodIdentity allows users to select the platform - native identity mechanism - properties: - identityId: - type: string - provider: - description: PodIdentityProvider contains the list of providers - type: string - required: - - provider - type: object - secrets: - items: - properties: - name: - type: string - parameter: - type: string - version: - type: string - required: - - name - - parameter - type: object - type: array - vaultUri: - type: string - required: - - secrets - - vaultUri - type: object - env: - items: - description: AuthEnvironment is used to authenticate using environment - variables in the destination ScaleTarget spec - properties: - containerName: - type: string - name: - type: string - parameter: - type: string - required: - - name - - parameter - type: object - type: array - hashiCorpVault: - description: HashiCorpVault is used to authenticate using Hashicorp - Vault - properties: - address: - type: string - authentication: - description: VaultAuthentication contains the list of Hashicorp - 
Vault authentication methods - type: string - credential: - description: Credential defines the Hashicorp Vault credentials - depending on the authentication method - properties: - serviceAccount: - type: string - token: - type: string - type: object - mount: - type: string - namespace: - type: string - role: - type: string - secrets: - items: - description: VaultSecret defines the mapping between the path - of the secret in Vault to the parameter - properties: - key: - type: string - parameter: - type: string - path: - type: string - pkiData: - properties: - altNames: - type: string - commonName: - type: string - format: - type: string - ipSans: - type: string - otherSans: - type: string - ttl: - type: string - uriSans: - type: string - type: object - type: - description: VaultSecretType defines the type of vault secret - type: string - required: - - key - - parameter - - path - type: object - type: array - required: - - address - - authentication - - secrets - type: object - podIdentity: - description: AuthPodIdentity allows users to select the platform native - identity mechanism - properties: - identityId: - type: string - provider: - description: PodIdentityProvider contains the list of providers - type: string - required: - - provider - type: object - secretTargetRef: - items: - description: AuthSecretTargetRef is used to authenticate using a - reference to a secret - properties: - key: - type: string - name: - type: string - parameter: - type: string - required: - - key - - name - - parameter - type: object - type: array - type: object - status: - description: TriggerAuthenticationStatus defines the observed state of - TriggerAuthentication - properties: - scaledjobs: - type: string - scaledobjects: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -{{- end -}} 
diff --git a/examples/helm-keda/templates/crds/crd-scaledjobs.yaml b/examples/helm-keda/templates/crds/crd-scaledjobs.yaml
deleted file mode 100644
index 8473b6f89..000000000
--- a/examples/helm-keda/templates/crds/crd-scaledjobs.yaml
+++ /dev/null
@@ -1,8378 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - {{- if .Values.additionalAnnotations }} - {{- toYaml .Values.additionalAnnotations | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: scaledjobs.keda.sh -spec: - group: keda.sh - names: - kind: ScaledJob - listKind: ScaledJobList - plural: scaledjobs - shortNames: - - sj - singular: scaledjob - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.minReplicaCount - name: Min - type: integer - - jsonPath: .spec.maxReplicaCount - name: Max - type: integer - - jsonPath: .spec.triggers[*].type - name: Triggers - type: string - - jsonPath: .spec.triggers[*].authenticationRef.name - name: Authentication - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Active")].status - name: Active - type: string - - jsonPath: .status.conditions[?(@.type=="Paused")].status - name: Paused - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ScaledJob is the Schema for the scaledjobs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ScaledJobSpec defines the desired state of ScaledJob - properties: - envSourceContainerName: - type: string - failedJobsHistoryLimit: - format: int32 - type: integer - jobTargetRef: - description: JobSpec describes how the job execution will look like. - properties: - activeDeadlineSeconds: - description: Specifies the duration in seconds relative to the - startTime that the job may be continuously active before the - system tries to terminate it; value must be positive integer. - If a Job is suspended (at creation or through an update), this - timer will effectively be stopped and reset when the Job is - resumed again. - format: int64 - type: integer - backoffLimit: - description: Specifies the number of retries before marking this - job failed. Defaults to 6 - format: int32 - type: integer - backoffLimitPerIndex: - description: Specifies the limit for the number of retries within - an index before marking this index as failed. When enabled the - number of failures per index is kept in the pod's batch.kubernetes.io/job-index-failure-count - annotation. It can only be set when Job's completionMode=Indexed, - and the Pod's restart policy is Never. The field is immutable. - This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex` - feature gate is enabled (disabled by default). - format: int32 - type: integer - completionMode: - description: "completionMode specifies how Pod completions are - tracked. It can be `NonIndexed` (default) or `Indexed`. \n `NonIndexed` - means that the Job is considered complete when there have been - .spec.completions successfully completed Pods. Each Pod completion - is homologous to each other. 
\n `Indexed` means that the Pods - of a Job get an associated completion index from 0 to (.spec.completions - - 1), available in the annotation batch.kubernetes.io/job-completion-index. - The Job is considered complete when there is one successfully - completed Pod for each index. When value is `Indexed`, .spec.completions - must be specified and `.spec.parallelism` must be less than - or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, - the Pod hostname takes the form `$(job-name)-$(index)`. \n More - completion modes can be added in the future. If the Job controller - observes a mode that it doesn't recognize, which is possible - during upgrades due to version skew, the controller skips updates - for the Job." - type: string - completions: - description: 'Specifies the desired number of successfully finished - pods the job should be run with. Setting to null means that - the success of any pod signals the success of all pods, and - allows parallelism to have any positive value. Setting to 1 - means that parallelism is limited to 1 and the success of that - pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' - format: int32 - type: integer - manualSelector: - description: 'manualSelector controls generation of pod labels - and pod selectors. Leave `manualSelector` unset unless you are - certain what you are doing. When false or unset, the system - pick labels unique to this job and appends those labels to the - pod template. When true, the user is responsible for picking - unique labels and specifying the selector. Failure to pick - a unique label may cause this and other jobs to not function - correctly. However, You may see `manualSelector=true` in jobs - that were created with the old `extensions/v1beta1` API. 
More - info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector' - type: boolean - maxFailedIndexes: - description: Specifies the maximal number of failed indexes before - marking the Job as failed, when backoffLimitPerIndex is set. - Once the number of failed indexes exceeds this number the entire - Job is marked as Failed and its execution is terminated. When - left as null the job continues execution of all of its indexes - and is marked with the `Complete` Job condition. It can only - be specified when backoffLimitPerIndex is set. It can be null - or up to completions. It is required and must be less than or - equal to 10^4 when is completions greater than 10^5. This field - is alpha-level. It can be used when the `JobBackoffLimitPerIndex` - feature gate is enabled (disabled by default). - format: int32 - type: integer - parallelism: - description: 'Specifies the maximum desired number of pods the - job should run at any given time. The actual number of pods - running in steady state will be less than this number when ((.spec.completions - - .status.successful) < .spec.parallelism), i.e. when the work - left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' - format: int32 - type: integer - podFailurePolicy: - description: "Specifies the policy of handling failed pods. In - particular, it allows to specify the set of actions and conditions - which need to be satisfied to take the associated action. If - empty, the default behaviour applies - the counter of failed - pods, represented by the jobs's .status.failed field, is incremented - and it is checked against the backoffLimit. This field cannot - be used in combination with restartPolicy=OnFailure. \n This - field is beta-level. It can be used when the `JobPodFailurePolicy` - feature gate is enabled (enabled by default)." 
- properties: - rules: - description: A list of pod failure policy rules. The rules - are evaluated in order. Once a rule matches a Pod failure, - the remaining of the rules are ignored. When no rule matches - the Pod failure, the default handling applies - the counter - of pod failures is incremented and it is checked against - the backoffLimit. At most 20 elements are allowed. - items: - description: PodFailurePolicyRule describes how a pod failure - is handled when the requirements are met. One of onExitCodes - and onPodConditions, but not both, can be used in each - rule. - properties: - action: - description: "Specifies the action taken on a pod failure - when the requirements are satisfied. Possible values - are: \n - FailJob: indicates that the pod's job is - marked as Failed and all running pods are terminated. - - FailIndex: indicates that the pod's index is marked - as Failed and will not be restarted. This value is - alpha-level. It can be used when the `JobBackoffLimitPerIndex` - feature gate is enabled (disabled by default). - Ignore: - indicates that the counter towards the .backoffLimit - is not incremented and a replacement pod is created. - - Count: indicates that the pod is handled in the - default way - the counter towards the .backoffLimit - is incremented. Additional values are considered to - be added in the future. Clients should react to an - unknown action by skipping the rule." - type: string - onExitCodes: - description: Represents the requirement on the container - exit codes. - properties: - containerName: - description: Restricts the check for exit codes - to the container with the specified name. When - null, the rule applies to all containers. When - specified, it should match one the container or - initContainer names in the pod template. - type: string - operator: - description: "Represents the relationship between - the container exit code(s) and the specified values. 
- Containers completed with success (exit code 0) - are excluded from the requirement check. Possible - values are: \n - In: the requirement is satisfied - if at least one container exit code (might be - multiple if there are multiple containers not - restricted by the 'containerName' field) is in - the set of specified values. - NotIn: the requirement - is satisfied if at least one container exit code - (might be multiple if there are multiple containers - not restricted by the 'containerName' field) is - not in the set of specified values. Additional - values are considered to be added in the future. - Clients should react to an unknown operator by - assuming the requirement is not satisfied." - type: string - values: - description: Specifies the set of values. Each returned - container exit code (might be multiple in case - of multiple containers) is checked against this - set of values with respect to the operator. The - list of values must be ordered and must not contain - duplicates. Value '0' cannot be used for the In - operator. At least one element is required. At - most 255 elements are allowed. - items: - format: int32 - type: integer - type: array - x-kubernetes-list-type: set - required: - - operator - - values - type: object - onPodConditions: - description: Represents the requirement on the pod conditions. - The requirement is represented as a list of pod condition - patterns. The requirement is satisfied if at least - one pattern matches an actual pod condition. At most - 20 elements are allowed. - items: - description: PodFailurePolicyOnPodConditionsPattern - describes a pattern for matching an actual pod condition - type. - properties: - status: - description: Specifies the required Pod condition - status. To match a pod condition it is required - that the specified status equals the pod condition - status. Defaults to True. - type: string - type: - description: Specifies the required Pod condition - type. 
To match a pod condition it is required - that specified type equals the pod condition - type. - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-type: atomic - required: - - action - type: object - type: array - x-kubernetes-list-type: atomic - required: - - rules - type: object - podReplacementPolicy: - description: "podReplacementPolicy specifies when to create replacement - Pods. Possible values are: - TerminatingOrFailed means that - we recreate pods when they are terminating (has a metadata.deletionTimestamp) - or failed. - Failed means to wait until a previously created - Pod is fully terminated (has phase Failed or Succeeded) before - creating a replacement Pod. \n When using podFailurePolicy, - Failed is the the only allowed value. TerminatingOrFailed and - Failed are allowed values when podFailurePolicy is not in use. - This is an alpha field. Enable JobPodReplacementPolicy to be - able to use this field." - type: string - selector: - description: 'A label query over pods that should match the pod - count. Normally, the system sets this field for you. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors' - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced - during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - suspend: - description: suspend specifies whether the Job controller should - create Pods or not. If a Job is created with suspend set to - true, no Pods are created by the Job controller. If a Job is - suspended after creation (i.e. the flag goes from false to true), - the Job controller will delete all active Pods associated with - this Job. Users must design their workload to gracefully handle - this. Suspending a Job will reset the StartTime field of the - Job, effectively resetting the ActiveDeadlineSeconds timer too. - Defaults to false. - type: boolean - template: - description: 'Describes the pod that will be created when executing - a job. The only allowed template.spec.restartPolicy values are - "Never" or "OnFailure". More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/' - properties: - metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - x-kubernetes-preserve-unknown-fields: true - spec: - description: 'Specification of the desired behavior of the - pod. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - properties: - activeDeadlineSeconds: - description: Optional duration in seconds the pod may - be active on the node relative to StartTime before the - system will actively try to mark it failed and kill - associated containers. Value must be a positive integer. - format: int64 - type: integer - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a - node that violates one or more of the expressions. - The node that is most preferred is the one with - the greatest sum of weights, i.e. for each node - that meets all of the scheduling requirements - (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by - iterating through the elements of this field - and adding "weight" to the sum if the node matches - the corresponding matchExpressions; the node(s) - with the highest sum are the most preferred. - items: - description: An empty preferred scheduling term - matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling - term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: The label key that - the selector applies to. 
- type: string - operator: - description: Represents a key's - relationship to a set of values. - Valid operators are In, NotIn, - Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string - values. If the operator is In - or NotIn, the values array must - be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - If the operator is Gt or Lt, - the values array must have a - single element, which will be - interpreted as an integer. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector - requirements by node's fields. - items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: Represents a key's - relationship to a set of values. - Valid operators are In, NotIn, - Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string - values. If the operator is In - or NotIn, the values array must - be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - If the operator is Gt or Lt, - the values array must have a - single element, which will be - interpreted as an integer. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in - the range 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, - the pod will not be scheduled onto the node. - If the affinity requirements specified by this - field cease to be met at some point during pod - execution (e.g. due to an update), the system - may or may not try to eventually evict the pod - from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector - terms. The terms are ORed. - items: - description: A null or empty node selector - term matches no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: Represents a key's - relationship to a set of values. - Valid operators are In, NotIn, - Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string - values. If the operator is In - or NotIn, the values array must - be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - If the operator is Gt or Lt, - the values array must have a - single element, which will be - interpreted as an integer. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector - requirements by node's fields. 
- items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: Represents a key's - relationship to a set of values. - Valid operators are In, NotIn, - Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: An array of string - values. If the operator is In - or NotIn, the values array must - be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - If the operator is Gt or Lt, - the values array must have a - single element, which will be - interpreted as an integer. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules - (e.g. co-locate this pod in the same node, zone, - etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a - node that violates one or more of the expressions. - The node that is most preferred is the one with - the greatest sum of weights, i.e. for each node - that meets all of the scheduling requirements - (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by - iterating through the elements of this field - and adding "weight" to the sum if the node has - pods which matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. 
- items: - description: The weights of all of the matched - WeightedPodAffinityTerm fields are added per-node - to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: A label query over a set - of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector - requirement is a selector that - contains values, a key, and - an operator that relates the - key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to - a set of values. Valid operators - are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an - array of string values. - If the operator is In or - NotIn, the values array - must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be - empty. This array is replaced - during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map - of {key,value} pairs. A single - {key,value} in the matchLabels - map is equivalent to an element - of matchExpressions, whose key - field is "key", the operator is - "In", and the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the - set of namespaces that the term applies - to. The term is applied to the union - of the namespaces selected by this - field and the ones listed in the namespaces - field. 
null selector and null or empty - namespaces list means "this pod's - namespace". An empty selector ({}) - matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector - requirement is a selector that - contains values, a key, and - an operator that relates the - key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to - a set of values. Valid operators - are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an - array of string values. - If the operator is In or - NotIn, the values array - must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be - empty. This array is replaced - during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map - of {key,value} pairs. A single - {key,value} in the matchLabels - map is equivalent to an element - of matchExpressions, whose key - field is "key", the operator is - "In", and the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a - static list of namespace names that - the term applies to. The term is applied - to the union of the namespaces listed - in this field and the ones selected - by namespaceSelector. null or empty - namespaces list and null namespaceSelector - means "this pod's namespace". 
- items: - type: string - type: array - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where - co-located is defined as running on - a node whose value of the label with - key topologyKey matches that of any - node on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching - the corresponding podAffinityTerm, in - the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, - the pod will not be scheduled onto the node. - If the affinity requirements specified by this - field cease to be met at some point during pod - execution (e.g. due to a pod label update), - the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. - items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the - given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) - with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on - which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of - resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. - The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. 
- type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the same node, - zone, etc. as some other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the anti-affinity - expressions specified by this field, but it - may choose a node that violates one or more - of the expressions. The node that is most preferred - is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a - sum by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. - items: - description: The weights of all of the matched - WeightedPodAffinityTerm fields are added per-node - to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: A label query over a set - of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector - requirement is a selector that - contains values, a key, and - an operator that relates the - key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to - a set of values. Valid operators - are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an - array of string values. - If the operator is In or - NotIn, the values array - must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be - empty. This array is replaced - during a strategic merge - patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map - of {key,value} pairs. A single - {key,value} in the matchLabels - map is equivalent to an element - of matchExpressions, whose key - field is "key", the operator is - "In", and the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the - set of namespaces that the term applies - to. The term is applied to the union - of the namespaces selected by this - field and the ones listed in the namespaces - field. null selector and null or empty - namespaces list means "this pod's - namespace". An empty selector ({}) - matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector - requirement is a selector that - contains values, a key, and - an operator that relates the - key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to - a set of values. Valid operators - are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an - array of string values. - If the operator is In or - NotIn, the values array - must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be - empty. This array is replaced - during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map - of {key,value} pairs. 
A single - {key,value} in the matchLabels - map is equivalent to an element - of matchExpressions, whose key - field is "key", the operator is - "In", and the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a - static list of namespace names that - the term applies to. The term is applied - to the union of the namespaces listed - in this field and the ones selected - by namespaceSelector. null or empty - namespaces list and null namespaceSelector - means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where - co-located is defined as running on - a node whose value of the label with - key topologyKey matches that of any - node on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching - the corresponding podAffinityTerm, in - the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements - specified by this field are not met at scheduling - time, the pod will not be scheduled onto the - node. If the anti-affinity requirements specified - by this field cease to be met at some point - during pod execution (e.g. due to a pod label - update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. 
- items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the - given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) - with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on - which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of - resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. 
- The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether - a service account token should be automatically mounted. - type: boolean - containers: - description: List of containers belonging to the pod. - Containers cannot currently be added or removed. There - must be at least one container in a Pod. Cannot be updated. - items: - description: A single application container that you - want to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The container - image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using - the container''s environment. If a variable cannot - be resolved, the reference in the input string - will be unchanged. Double $$ are reduced to a - single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will - never be expanded, regardless of whether the variable - exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within - a shell. The container image''s ENTRYPOINT is - used if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s - environment. 
If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set - in the container. Cannot be updated. - items: - description: EnvVar represents an environment - variable present in a Container. - properties: - name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined - environment variables in the container and - any service environment variables. If a - variable cannot be resolved, the reference - in the input string will be unchanged. Double - $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal - "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable - exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in terms - of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to - select in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: 'Selects a resource of the - container: only resources limits and - requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret - in the pod's namespace - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container - is starting. When a key exists in multiple sources, - the value associated with the last source will - take precedence. Values defined by an Env with - a duplicate key will take precedence. Cannot be - updated. - items: - description: EnvFromSource represents the source - of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a - C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - image: - description: 'Container image name. 
More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, - Never, IfNotPresent. Defaults to Always if :latest - tag is specified, or IfNotPresent otherwise. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system - should take in response to container lifecycle - events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately - after a container is created. If the handler - fails, the container is terminated and restarted - according to its restart policy. Other management - of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to - take. - properties: - command: - description: Command is the command - line to execute inside the container, - the working directory for the command is - root ('/') in the container's filesystem. - The command is simply exec'd, it is - not run inside a shell, so traditional - shell instructions ('|', etc) won't - work. To use a shell, you need to - explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http - request to perform. - properties: - host: - description: Host name to connect to, - defaults to the pod IP. You probably - want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: Custom headers to set in - the request. HTTP allows repeated - headers. 
- items: - description: HTTPHeader describes - a custom header to be used in HTTP - probes - properties: - name: - description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. - type: string - value: - description: The header field - value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT - supported as a LifecycleHandler and kept - for the backward compatibility. There - are no validation of this field and lifecycle - hooks will fail in runtime when tcp handler - is specified. - properties: - host: - description: 'Optional: Host name to - connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately - before a container is terminated due to an - API request or management event such as liveness/startup - probe failure, preemption, resource contention, - etc. The handler is not called if the container - crashes or exits. The Pod''s termination grace - period countdown begins before the PreStop - hook is executed. 
Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination grace - period (unless delayed by finalizers). Other - management of the container blocks until the - hook completes or until the termination grace - period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to - take. - properties: - command: - description: Command is the command - line to execute inside the container, - the working directory for the command is - root ('/') in the container's filesystem. - The command is simply exec'd, it is - not run inside a shell, so traditional - shell instructions ('|', etc) won't - work. To use a shell, you need to - explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http - request to perform. - properties: - host: - description: Host name to connect to, - defaults to the pod IP. You probably - want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: Custom headers to set in - the request. HTTP allows repeated - headers. - items: - description: HTTPHeader describes - a custom header to be used in HTTP - probes - properties: - name: - description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. - type: string - value: - description: The header field - value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT - supported as a LifecycleHandler and kept - for the backward compatibility. There - are no validation of this field and lifecycle - hooks will fail in runtime when tcp handler - is specified. - properties: - host: - description: 'Optional: Host name to - connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. 
- Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. 
- format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as - a DNS_LABEL. 
Each container in a pod must have - a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. - Not specifying a port here DOES NOT prevent that - port from being exposed. Any port which is listening - on the default "0.0.0.0" address inside a container - will be accessible from the network. Modifying - this array with strategic merge patch may corrupt - the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network - port in a single container. - properties: - containerPort: - description: Number of port to expose on the - pod's IP address. This must be a valid port - number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external - port to. - type: string - hostPort: - description: Number of port to expose on the - host. If specified, this must be a valid - port number, 0 < x < 65536. If HostNetwork - is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an - IANA_SVC_NAME and unique within the pod. - Each named port in a pod must have a unique - name. Name for the port that can be referred - to by services. - type: string - protocol: - default: TCP - description: Protocol for port. Must be UDP, - TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - - protocol - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service - readiness. Container will be removed from service - endpoints if the probe fails. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. 
The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents - resource resize policy for the container. - properties: - resourceName: - description: 'Name of the resource to which - this resource resize policy applies. Supported - values: cpu, memory.' - type: string - restartPolicy: - description: Restart policy to apply when - specified resource is resized. If not specified, - it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - properties: - claims: - description: "Claims lists the names of resources, - defined in spec.resourceClaims, that are used - by this container. 
\n This is an alpha field - and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. - It can only be set for containers." - items: - description: ResourceClaim references one - entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available inside - a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. If Requests - is omitted for a container, it defaults to - Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests - cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - restartPolicy: - description: 'RestartPolicy defines the restart - behavior of individual containers in a pod. This - field may only be set for init containers, and - the only allowed value is "Always". For non-init - containers or when this field is not specified, - the restart behavior is defined by the Pod''s - restart policy and the container type. 
Setting - the RestartPolicy as "Always" for the init container - will have the following effect: this init container - will be continually restarted on exit until all - regular containers have terminated. Once all regular - containers have completed, all init containers - with restartPolicy "Always" will be shut down. - This lifecycle differs from normal init containers - and is often referred to as a "sidecar" container. - Although this init container still starts in the - init container sequence, it does not wait for - the container to complete before proceeding to - the next init container. Instead, the next init - container starts immediately after this init container - is started, or after any startupProbe has successfully - completed.' - type: string - securityContext: - description: 'SecurityContext defines the security - options the container should be run with. If set, - the fields of SecurityContext override the equivalent - fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges - than its parent process. This bool directly - controls if the no_new_privs flag will be - set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run - as Privileged 2) has CAP_SYS_ADMIN Note that - this field cannot be set when spec.os.name - is windows.' - type: boolean - capabilities: - description: The capabilities to add/drop when - running containers. Defaults to the default - set of capabilities granted by the container - runtime. Note that this field cannot be set - when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX - capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX - capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. - Processes in privileged containers are essentially - equivalent to root on the host. Defaults to - false. Note that this field cannot be set - when spec.os.name is windows. - type: boolean - procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default - is DefaultProcMount which uses the container - runtime defaults for readonly paths and masked - paths. This requires the ProcMountType feature - flag to be enabled. Note that this field cannot - be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that - this field cannot be set when spec.os.name - is windows. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of - the container process. Uses runtime default - if unset. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must - run as a non-root user. If true, the Kubelet - will validate the image at runtime to ensure - that it does not run as UID 0 (root) and fail - to start the container if it does. If unset - or false, no such validation will be performed. - May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. 
- type: boolean - runAsUser: - description: The UID to run the entrypoint of - the container process. Defaults to user specified - in image metadata if unspecified. May also - be set in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied - to the container. If unspecified, the container - runtime will allocate a random SELinux context - for each container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label - that applies to the container. - type: string - role: - description: Role is a SELinux role label - that applies to the container. - type: string - type: - description: Type is a SELinux type label - that applies to the container. - type: string - user: - description: User is a SELinux user label - that applies to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided - at both the pod & container level, the container - options override the pod options. Note that - this field cannot be set when spec.os.name - is windows. - properties: - localhostProfile: - description: localhostProfile indicates - a profile defined in a file on the node - should be used. The profile must be preconfigured - on the node to work. Must be a descending - path, relative to the kubelet's configured - seccomp profile location. Must be set - if type is "Localhost". Must NOT be set - for any other type. - type: string - type: - description: "type indicates which kind - of seccomp profile will be applied. 
Valid - options are: \n Localhost - a profile - defined in a file on the node should be - used. RuntimeDefault - the container runtime - default profile should be used. Unconfined - - no profile should be applied." - type: string - required: - - type - type: object - windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where - the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName - field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the - name of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a - container should be run as a 'Host Process' - container. All of a Pod's containers must - have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess - containers and non-HostProcess containers). - In addition, if HostProcess is true then - HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to - run the entrypoint of the container process. - Defaults to the user specified in image - metadata if unspecified. May also be set - in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, - the value specified in SecurityContext - takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod - has successfully initialized. If specified, no - other probes are executed until this completes - successfully. 
If this probe fails, the Pod will - be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters - at the beginning of a Pod''s lifecycle, when it - might take a long time to load data or warm a - cache, than during steady-state operation. This - cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. 
- type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. 
Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If - this is not set, reads from stdin in the container - will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should - close the stdin channel after it has been opened - by a single attach. When stdin is true the stdin - stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is - opened on container start, is empty until the - first client attaches to stdin, and then remains - open and accepts data until the client disconnects, - at which time stdin is closed and remains closed - until the container is restarted. 
If this flag - is false, a container processes that reads from - stdin will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to - which the container''s termination message will - be written is mounted into the container''s filesystem. - Message written is intended to be brief final - status, such as an assertion failure message. - Will be truncated by the node if greater than - 4096 bytes. The total message length across all - containers will be limited to 12kb. Defaults to - /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message - should be populated. File will use the contents - of terminationMessagePath to populate the container - status message on both success and failure. FallbackToLogsOnError - will use the last chunk of container log output - if the termination message file is empty and the - container exited with an error. The log output - is limited to 2048 bytes or 80 lines, whichever - is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be - true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block - devices to be used by the container. - items: - description: volumeDevice describes a mapping - of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside - of the container that the device will be - mapped to. - type: string - name: - description: name must match the name of a - persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. 
- items: - description: VolumeMount describes a mounting - of a Volume within a container. - properties: - mountPath: - description: Path within the container at - which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how - mounts are propagated from the host to container - and the other way around. When not set, - MountPropagationNone is used. This field - is beta in 1.10. - type: string - name: - description: This must match the Name of a - Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults - to false. - type: boolean - subPath: - description: Path within the volume from which - the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume - from which the container's volume should - be mounted. Behaves similarly to SubPath - but environment variable references $(VAR_NAME) - are expanded using the container's environment. - Defaults to "" (volume's root). SubPathExpr - and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not - specified, the container runtime's default will - be used, which might be configured in the container - image. Cannot be updated. - type: string - required: - - name - type: object - type: array - dnsConfig: - description: Specifies the DNS parameters of a pod. Parameters - specified here will be merged to the generated DNS configuration - based on DNSPolicy. - properties: - nameservers: - description: A list of DNS name server IP addresses. - This will be appended to the base nameservers generated - from DNSPolicy. Duplicated nameservers will be removed. - items: - type: string - type: array - options: - description: A list of DNS resolver options. 
This - will be merged with the base options generated from - DNSPolicy. Duplicated entries will be removed. Resolution - options given in Options will override those that - appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver - options of a pod. - properties: - name: - description: Required. - type: string - value: - type: string - type: object - type: array - searches: - description: A list of DNS search domains for host-name - lookup. This will be appended to the base search - paths generated from DNSPolicy. Duplicated search - paths will be removed. - items: - type: string - type: array - type: object - dnsPolicy: - description: Set DNS policy for the pod. Defaults to "ClusterFirst". - Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', - 'Default' or 'None'. DNS parameters given in DNSConfig - will be merged with the policy selected with DNSPolicy. - To have DNS options set along with hostNetwork, you - have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. - type: string - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information - about services should be injected into pod''s environment - variables, matching the syntax of Docker links. Optional: - Defaults to true.' - type: boolean - ephemeralContainers: - description: List of ephemeral containers run in this - pod. Ephemeral containers may be run in an existing - pod to perform user-initiated actions such as debugging. - This list cannot be specified when creating a pod, and - it cannot be modified by updating the pod spec. In order - to add an ephemeral container to an existing pod, use - the pod's ephemeralcontainers subresource. - items: - description: "An EphemeralContainer is a temporary container - that you may add to an existing Pod for user-initiated - activities such as debugging. 
Ephemeral containers - have no resource or scheduling guarantees, and they - will not be restarted when they exit or when a Pod - is removed or restarted. The kubelet may evict a Pod - if an ephemeral container causes the Pod to exceed - its resource allocation. \n To add an ephemeral container, - use the ephemeralcontainers subresource of an existing - Pod. Ephemeral containers may not be removed or restarted." - properties: - args: - description: 'Arguments to the entrypoint. The image''s - CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the - container''s environment. If a variable cannot - be resolved, the reference in the input string - will be unchanged. Double $$ are reduced to a - single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will - never be expanded, regardless of whether the variable - exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within - a shell. The image''s ENTRYPOINT is used if this - is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. - If a variable cannot be resolved, the reference - in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for - escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set - in the container. 
Cannot be updated. - items: - description: EnvVar represents an environment - variable present in a Container. - properties: - name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined - environment variables in the container and - any service environment variables. If a - variable cannot be resolved, the reference - in the input string will be unchanged. Double - $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal - "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable - exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in terms - of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to - select in the specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: 'Selects a resource of the - container: only resources limits and - requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret - in the pod's namespace - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container - is starting. When a key exists in multiple sources, - the value associated with the last source will - take precedence. Values defined by an Env with - a duplicate key will take precedence. 
Cannot be - updated. - items: - description: EnvFromSource represents the source - of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a - C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - image: - description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, - Never, IfNotPresent. Defaults to Always if :latest - tag is specified, or IfNotPresent otherwise. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Lifecycle is not allowed for ephemeral - containers. - properties: - postStart: - description: 'PostStart is called immediately - after a container is created. If the handler - fails, the container is terminated and restarted - according to its restart policy. Other management - of the container blocks until the hook completes. 
- More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to - take. - properties: - command: - description: Command is the command - line to execute inside the container, - the working directory for the command is - root ('/') in the container's filesystem. - The command is simply exec'd, it is - not run inside a shell, so traditional - shell instructions ('|', etc) won't - work. To use a shell, you need to - explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http - request to perform. - properties: - host: - description: Host name to connect to, - defaults to the pod IP. You probably - want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: Custom headers to set in - the request. HTTP allows repeated - headers. - items: - description: HTTPHeader describes - a custom header to be used in HTTP - probes - properties: - name: - description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. - type: string - value: - description: The header field - value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. 
TCPSocket is NOT - supported as a LifecycleHandler and kept - for the backward compatibility. There - are no validation of this field and lifecycle - hooks will fail in runtime when tcp handler - is specified. - properties: - host: - description: 'Optional: Host name to - connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately - before a container is terminated due to an - API request or management event such as liveness/startup - probe failure, preemption, resource contention, - etc. The handler is not called if the container - crashes or exits. The Pod''s termination grace - period countdown begins before the PreStop - hook is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination grace - period (unless delayed by finalizers). Other - management of the container blocks until the - hook completes or until the termination grace - period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to - take. - properties: - command: - description: Command is the command - line to execute inside the container, - the working directory for the command is - root ('/') in the container's filesystem. - The command is simply exec'd, it is - not run inside a shell, so traditional - shell instructions ('|', etc) won't - work. To use a shell, you need to - explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. 
- items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http - request to perform. - properties: - host: - description: Host name to connect to, - defaults to the pod IP. You probably - want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: Custom headers to set in - the request. HTTP allows repeated - headers. - items: - description: HTTPHeader describes - a custom header to be used in HTTP - probes - properties: - name: - description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. - type: string - value: - description: The header field - value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT - supported as a LifecycleHandler and kept - for the backward compatibility. There - are no validation of this field and lifecycle - hooks will fail in runtime when tcp handler - is specified. - properties: - host: - description: 'Optional: Host name to - connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: Probes are not allowed for ephemeral - containers. 
- properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. 
The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the ephemeral container specified - as a DNS_LABEL. This name must be unique among - all containers, init containers and ephemeral - containers. - type: string - ports: - description: Ports are not allowed for ephemeral - containers. - items: - description: ContainerPort represents a network - port in a single container. - properties: - containerPort: - description: Number of port to expose on the - pod's IP address. This must be a valid port - number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external - port to. - type: string - hostPort: - description: Number of port to expose on the - host. If specified, this must be a valid - port number, 0 < x < 65536. If HostNetwork - is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an - IANA_SVC_NAME and unique within the pod. 
- Each named port in a pod must have a unique - name. Name for the port that can be referred - to by services. - type: string - protocol: - default: TCP - description: Protocol for port. Must be UDP, - TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - - protocol - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: Probes are not allowed for ephemeral - containers. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. 
You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. 
Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents - resource resize policy for the container. - properties: - resourceName: - description: 'Name of the resource to which - this resource resize policy applies. Supported - values: cpu, memory.' - type: string - restartPolicy: - description: Restart policy to apply when - specified resource is resized. If not specified, - it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: Resources are not allowed for ephemeral - containers. 
Ephemeral containers use spare resources - already allocated to the pod. - properties: - claims: - description: "Claims lists the names of resources, - defined in spec.resourceClaims, that are used - by this container. \n This is an alpha field - and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. - It can only be set for containers." - items: - description: ResourceClaim references one - entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available inside - a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. If Requests - is omitted for a container, it defaults to - Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests - cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - restartPolicy: - description: Restart policy for the container to - manage the restart behavior of each container - within a pod. 
This may only be set for init containers. - You cannot set this field on ephemeral containers. - type: string - securityContext: - description: 'Optional: SecurityContext defines - the security options the ephemeral container should - be run with. If set, the fields of SecurityContext - override the equivalent fields of PodSecurityContext.' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges - than its parent process. This bool directly - controls if the no_new_privs flag will be - set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run - as Privileged 2) has CAP_SYS_ADMIN Note that - this field cannot be set when spec.os.name - is windows.' - type: boolean - capabilities: - description: The capabilities to add/drop when - running containers. Defaults to the default - set of capabilities granted by the container - runtime. Note that this field cannot be set - when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX - capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX - capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. - Processes in privileged containers are essentially - equivalent to root on the host. Defaults to - false. Note that this field cannot be set - when spec.os.name is windows. - type: boolean - procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default - is DefaultProcMount which uses the container - runtime defaults for readonly paths and masked - paths. This requires the ProcMountType feature - flag to be enabled. Note that this field cannot - be set when spec.os.name is windows. 
- type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that - this field cannot be set when spec.os.name - is windows. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of - the container process. Uses runtime default - if unset. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must - run as a non-root user. If true, the Kubelet - will validate the image at runtime to ensure - that it does not run as UID 0 (root) and fail - to start the container if it does. If unset - or false, no such validation will be performed. - May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of - the container process. Defaults to user specified - in image metadata if unspecified. May also - be set in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied - to the container. If unspecified, the container - runtime will allocate a random SELinux context - for each container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label - that applies to the container. 
- type: string - role: - description: Role is a SELinux role label - that applies to the container. - type: string - type: - description: Type is a SELinux type label - that applies to the container. - type: string - user: - description: User is a SELinux user label - that applies to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided - at both the pod & container level, the container - options override the pod options. Note that - this field cannot be set when spec.os.name - is windows. - properties: - localhostProfile: - description: localhostProfile indicates - a profile defined in a file on the node - should be used. The profile must be preconfigured - on the node to work. Must be a descending - path, relative to the kubelet's configured - seccomp profile location. Must be set - if type is "Localhost". Must NOT be set - for any other type. - type: string - type: - description: "type indicates which kind - of seccomp profile will be applied. Valid - options are: \n Localhost - a profile - defined in a file on the node should be - used. RuntimeDefault - the container runtime - default profile should be used. Unconfined - - no profile should be applied." - type: string - required: - - type - type: object - windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where - the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName - field. 
- type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the - name of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a - container should be run as a 'Host Process' - container. All of a Pod's containers must - have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess - containers and non-HostProcess containers). - In addition, if HostProcess is true then - HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to - run the entrypoint of the container process. - Defaults to the user specified in image - metadata if unspecified. May also be set - in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, - the value specified in SecurityContext - takes precedence. - type: string - type: object - type: object - startupProbe: - description: Probes are not allowed for ephemeral - containers. - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. 
- format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. 
- format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If - this is not set, reads from stdin in the container - will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should - close the stdin channel after it has been opened - by a single attach. When stdin is true the stdin - stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is - opened on container start, is empty until the - first client attaches to stdin, and then remains - open and accepts data until the client disconnects, - at which time stdin is closed and remains closed - until the container is restarted. If this flag - is false, a container processes that reads from - stdin will never receive an EOF. Default is false - type: boolean - targetContainerName: - description: "If set, the name of the container - from PodSpec that this ephemeral container targets. - The ephemeral container will be run in the namespaces - (IPC, PID, etc) of this container. If not set - then the ephemeral container uses the namespaces - configured in the Pod spec. \n The container runtime - must implement support for this feature. If the - runtime does not support namespace targeting then - the result of setting this field is undefined." - type: string - terminationMessagePath: - description: 'Optional: Path at which the file to - which the container''s termination message will - be written is mounted into the container''s filesystem. - Message written is intended to be brief final - status, such as an assertion failure message. - Will be truncated by the node if greater than - 4096 bytes. The total message length across all - containers will be limited to 12kb. Defaults to - /dev/termination-log. Cannot be updated.' 
- type: string - terminationMessagePolicy: - description: Indicate how the termination message - should be populated. File will use the contents - of terminationMessagePath to populate the container - status message on both success and failure. FallbackToLogsOnError - will use the last chunk of container log output - if the termination message file is empty and the - container exited with an error. The log output - is limited to 2048 bytes or 80 lines, whichever - is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be - true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block - devices to be used by the container. - items: - description: volumeDevice describes a mapping - of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside - of the container that the device will be - mapped to. - type: string - name: - description: name must match the name of a - persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Subpath mounts are not allowed for - ephemeral containers. Cannot be updated. - items: - description: VolumeMount describes a mounting - of a Volume within a container. - properties: - mountPath: - description: Path within the container at - which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how - mounts are propagated from the host to container - and the other way around. When not set, - MountPropagationNone is used. This field - is beta in 1.10. - type: string - name: - description: This must match the Name of a - Volume. 
- type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults - to false. - type: boolean - subPath: - description: Path within the volume from which - the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume - from which the container's volume should - be mounted. Behaves similarly to SubPath - but environment variable references $(VAR_NAME) - are expanded using the container's environment. - Defaults to "" (volume's root). SubPathExpr - and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not - specified, the container runtime's default will - be used, which might be configured in the container - image. Cannot be updated. - type: string - required: - - name - type: object - type: array - hostAliases: - description: HostAliases is an optional list of hosts - and IPs that will be injected into the pod's hosts file - if specified. This is only valid for non-hostNetwork - pods. - items: - description: HostAlias holds the mapping between IP - and hostnames that will be injected as an entry in - the pod's hosts file. - properties: - hostnames: - description: Hostnames for the above IP address. - items: - type: string - type: array - ip: - description: IP address of the host file entry. - type: string - type: object - type: array - hostIPC: - description: 'Use the host''s ipc namespace. Optional: - Default to false.' - type: boolean - hostNetwork: - description: Host networking requested for this pod. Use - the host's network namespace. If this option is set, - the ports that will be used must be specified. Default - to false. - type: boolean - hostPID: - description: 'Use the host''s pid namespace. Optional: - Default to false.' 
- type: boolean - hostUsers: - description: 'Use the host''s user namespace. Optional: - Default to true. If set to true or not present, the - pod will be run in the host user namespace, useful for - when the pod needs a feature only available to the host - user namespace, such as loading a kernel module with - CAP_SYS_MODULE. When set to false, a new userns is created - for the pod. Setting false is useful for mitigating - container breakout vulnerabilities even allowing users - to run their containers as root without actually having - root privileges on the host. This field is alpha-level - and is only honored by servers that enable the UserNamespacesSupport - feature.' - type: boolean - hostname: - description: Specifies the hostname of the Pod If not - specified, the pod's hostname will be set to a system-defined - value. - type: string - imagePullSecrets: - description: 'ImagePullSecrets is an optional list of - references to secrets in the same namespace to use for - pulling any of the images used by this PodSpec. If specified, - these secrets will be passed to individual puller implementations - for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' - items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the - same namespace. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - initContainers: - description: 'List of initialization containers belonging - to the pod. Init containers are executed in order prior - to containers being started. If any init container fails, - the pod is considered to have failed and is handled - according to its restartPolicy. 
The name for an init - container or normal container must be unique among all - containers. Init containers may not have Lifecycle actions, - Readiness probes, Liveness probes, or Startup probes. - The resourceRequirements of an init container are taken - into account during scheduling by finding the highest - request/limit for each resource type, and then using - the max of of that value or the sum of the normal containers. - Limits are applied to init containers in a similar fashion. - Init containers cannot currently be added or removed. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' - items: - description: A single application container that you - want to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The container - image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded using - the container''s environment. If a variable cannot - be resolved, the reference in the input string - will be unchanged. Double $$ are reduced to a - single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will - never be expanded, regardless of whether the variable - exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within - a shell. The container image''s ENTRYPOINT is - used if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". 
- Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set - in the container. Cannot be updated. - items: - description: EnvVar represents an environment - variable present in a Container. - properties: - name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined - environment variables in the container and - any service environment variables. If a - variable cannot be resolved, the reference - in the input string will be unchanged. Double - $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal - "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable - exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in terms - of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to - select in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: 'Selects a resource of the - container: only resources limits and - requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret - in the pod's namespace - properties: - key: - description: The key of the secret - to select from. Must be a valid - secret key. - type: string - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: Specify whether the Secret - or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container - is starting. When a key exists in multiple sources, - the value associated with the last source will - take precedence. Values defined by an Env with - a duplicate key will take precedence. Cannot be - updated. - items: - description: EnvFromSource represents the source - of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a - C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: Specify whether the Secret - must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - type: object - type: array - image: - description: 'Container image name. 
More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, - Never, IfNotPresent. Defaults to Always if :latest - tag is specified, or IfNotPresent otherwise. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system - should take in response to container lifecycle - events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately - after a container is created. If the handler - fails, the container is terminated and restarted - according to its restart policy. Other management - of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to - take. - properties: - command: - description: Command is the command - line to execute inside the container, - the working directory for the command is - root ('/') in the container's filesystem. - The command is simply exec'd, it is - not run inside a shell, so traditional - shell instructions ('|', etc) won't - work. To use a shell, you need to - explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http - request to perform. - properties: - host: - description: Host name to connect to, - defaults to the pod IP. You probably - want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: Custom headers to set in - the request. HTTP allows repeated - headers. 
- items: - description: HTTPHeader describes - a custom header to be used in HTTP - probes - properties: - name: - description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. - type: string - value: - description: The header field - value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT - supported as a LifecycleHandler and kept - for the backward compatibility. There - are no validation of this field and lifecycle - hooks will fail in runtime when tcp handler - is specified. - properties: - host: - description: 'Optional: Host name to - connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately - before a container is terminated due to an - API request or management event such as liveness/startup - probe failure, preemption, resource contention, - etc. The handler is not called if the container - crashes or exits. The Pod''s termination grace - period countdown begins before the PreStop - hook is executed. 
Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination grace - period (unless delayed by finalizers). Other - management of the container blocks until the - hook completes or until the termination grace - period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: Exec specifies the action to - take. - properties: - command: - description: Command is the command - line to execute inside the container, - the working directory for the command is - root ('/') in the container's filesystem. - The command is simply exec'd, it is - not run inside a shell, so traditional - shell instructions ('|', etc) won't - work. To use a shell, you need to - explicitly call out to that shell. - Exit status of 0 is treated as live/healthy - and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http - request to perform. - properties: - host: - description: Host name to connect to, - defaults to the pod IP. You probably - want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: Custom headers to set in - the request. HTTP allows repeated - headers. - items: - description: HTTPHeader describes - a custom header to be used in HTTP - probes - properties: - name: - description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. - type: string - value: - description: The header field - value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: Deprecated. TCPSocket is NOT - supported as a LifecycleHandler and kept - for the backward compatibility. There - are no validation of this field and lifecycle - hooks will fail in runtime when tcp handler - is specified. - properties: - host: - description: 'Optional: Host name to - connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number - must be in the range 1 to 65535. Name - must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. 
- Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. 
- format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as - a DNS_LABEL. 
Each container in a pod must have - a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. - Not specifying a port here DOES NOT prevent that - port from being exposed. Any port which is listening - on the default "0.0.0.0" address inside a container - will be accessible from the network. Modifying - this array with strategic merge patch may corrupt - the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. - Cannot be updated. - items: - description: ContainerPort represents a network - port in a single container. - properties: - containerPort: - description: Number of port to expose on the - pod's IP address. This must be a valid port - number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external - port to. - type: string - hostPort: - description: Number of port to expose on the - host. If specified, this must be a valid - port number, 0 < x < 65536. If HostNetwork - is specified, this must match ContainerPort. - Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an - IANA_SVC_NAME and unique within the pod. - Each named port in a pod must have a unique - name. Name for the port that can be referred - to by services. - type: string - protocol: - default: TCP - description: Protocol for port. Must be UDP, - TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - - protocol - type: object - type: array - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service - readiness. Container will be removed from service - endpoints if the probe fails. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. 
The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resizePolicy: - description: Resources resize policy for the container. - items: - description: ContainerResizePolicy represents - resource resize policy for the container. - properties: - resourceName: - description: 'Name of the resource to which - this resource resize policy applies. Supported - values: cpu, memory.' - type: string - restartPolicy: - description: Restart policy to apply when - specified resource is resized. If not specified, - it defaults to NotRequired. - type: string - required: - - resourceName - - restartPolicy - type: object - type: array - x-kubernetes-list-type: atomic - resources: - description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - properties: - claims: - description: "Claims lists the names of resources, - defined in spec.resourceClaims, that are used - by this container. 
\n This is an alpha field - and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. - It can only be set for containers." - items: - description: ResourceClaim references one - entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name - of one entry in pod.spec.resourceClaims - of the Pod where this field is used. - It makes that resource available inside - a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. If Requests - is omitted for a container, it defaults to - Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests - cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - restartPolicy: - description: 'RestartPolicy defines the restart - behavior of individual containers in a pod. This - field may only be set for init containers, and - the only allowed value is "Always". For non-init - containers or when this field is not specified, - the restart behavior is defined by the Pod''s - restart policy and the container type. 
Setting - the RestartPolicy as "Always" for the init container - will have the following effect: this init container - will be continually restarted on exit until all - regular containers have terminated. Once all regular - containers have completed, all init containers - with restartPolicy "Always" will be shut down. - This lifecycle differs from normal init containers - and is often referred to as a "sidecar" container. - Although this init container still starts in the - init container sequence, it does not wait for - the container to complete before proceeding to - the next init container. Instead, the next init - container starts immediately after this init container - is started, or after any startupProbe has successfully - completed.' - type: string - securityContext: - description: 'SecurityContext defines the security - options the container should be run with. If set, - the fields of SecurityContext override the equivalent - fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges - than its parent process. This bool directly - controls if the no_new_privs flag will be - set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run - as Privileged 2) has CAP_SYS_ADMIN Note that - this field cannot be set when spec.os.name - is windows.' - type: boolean - capabilities: - description: The capabilities to add/drop when - running containers. Defaults to the default - set of capabilities granted by the container - runtime. Note that this field cannot be set - when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX - capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX - capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. - Processes in privileged containers are essentially - equivalent to root on the host. Defaults to - false. Note that this field cannot be set - when spec.os.name is windows. - type: boolean - procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default - is DefaultProcMount which uses the container - runtime defaults for readonly paths and masked - paths. This requires the ProcMountType feature - flag to be enabled. Note that this field cannot - be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that - this field cannot be set when spec.os.name - is windows. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of - the container process. Uses runtime default - if unset. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must - run as a non-root user. If true, the Kubelet - will validate the image at runtime to ensure - that it does not run as UID 0 (root) and fail - to start the container if it does. If unset - or false, no such validation will be performed. - May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. 
- type: boolean - runAsUser: - description: The UID to run the entrypoint of - the container process. Defaults to user specified - in image metadata if unspecified. May also - be set in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied - to the container. If unspecified, the container - runtime will allocate a random SELinux context - for each container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label - that applies to the container. - type: string - role: - description: Role is a SELinux role label - that applies to the container. - type: string - type: - description: Type is a SELinux type label - that applies to the container. - type: string - user: - description: User is a SELinux user label - that applies to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided - at both the pod & container level, the container - options override the pod options. Note that - this field cannot be set when spec.os.name - is windows. - properties: - localhostProfile: - description: localhostProfile indicates - a profile defined in a file on the node - should be used. The profile must be preconfigured - on the node to work. Must be a descending - path, relative to the kubelet's configured - seccomp profile location. Must be set - if type is "Localhost". Must NOT be set - for any other type. - type: string - type: - description: "type indicates which kind - of seccomp profile will be applied. 
Valid - options are: \n Localhost - a profile - defined in a file on the node should be - used. RuntimeDefault - the container runtime - default profile should be used. Unconfined - - no profile should be applied." - type: string - required: - - type - type: object - windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. Note that this field cannot be - set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where - the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName - field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the - name of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a - container should be run as a 'Host Process' - container. All of a Pod's containers must - have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess - containers and non-HostProcess containers). - In addition, if HostProcess is true then - HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to - run the entrypoint of the container process. - Defaults to the user specified in image - metadata if unspecified. May also be set - in PodSecurityContext. If set in both - SecurityContext and PodSecurityContext, - the value specified in SecurityContext - takes precedence. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod - has successfully initialized. If specified, no - other probes are executed until this completes - successfully. 
If this probe fails, the Pod will - be restarted, just as if the livenessProbe failed. - This can be used to provide different probe parameters - at the beginning of a Pod''s lifecycle, when it - might take a long time to load data or warm a - cache, than during steady-state operation. This - cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for - the probe to be considered failed after having - succeeded. Defaults to 3. Minimum value is - 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving - a GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - description: "Service is the name of the - service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default - behavior is defined by gRPC." - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. 
- type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP - server. - type: string - port: - anyOf: - - type: integer - - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform - the probe. Default to 10 seconds. Minimum - value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for - the probe to be considered successful after - having failed. Defaults to 1. Must be 1 for - liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. 
Name must - be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: Optional duration in seconds the - pod needs to terminate gracefully upon probe - failure. The grace period is the duration - in seconds after the processes running in - the pod are sent a termination signal and - the time when the processes are forcibly halted - with a kill signal. Set this value longer - than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value - must be non-negative integer. The value zero - indicates stop immediately via the kill signal - (no opportunity to shut down). This is a beta - field and requires enabling ProbeTerminationGracePeriod - feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: 'Number of seconds after which - the probe times out. Defaults to 1 second. - Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If - this is not set, reads from stdin in the container - will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should - close the stdin channel after it has been opened - by a single attach. When stdin is true the stdin - stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin is - opened on container start, is empty until the - first client attaches to stdin, and then remains - open and accepts data until the client disconnects, - at which time stdin is closed and remains closed - until the container is restarted. 
If this flag - is false, a container processes that reads from - stdin will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to - which the container''s termination message will - be written is mounted into the container''s filesystem. - Message written is intended to be brief final - status, such as an assertion failure message. - Will be truncated by the node if greater than - 4096 bytes. The total message length across all - containers will be limited to 12kb. Defaults to - /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message - should be populated. File will use the contents - of terminationMessagePath to populate the container - status message on both success and failure. FallbackToLogsOnError - will use the last chunk of container log output - if the termination message file is empty and the - container exited with an error. The log output - is limited to 2048 bytes or 80 lines, whichever - is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be - true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block - devices to be used by the container. - items: - description: volumeDevice describes a mapping - of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside - of the container that the device will be - mapped to. - type: string - name: - description: name must match the name of a - persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. 
- items: - description: VolumeMount describes a mounting - of a Volume within a container. - properties: - mountPath: - description: Path within the container at - which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how - mounts are propagated from the host to container - and the other way around. When not set, - MountPropagationNone is used. This field - is beta in 1.10. - type: string - name: - description: This must match the Name of a - Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults - to false. - type: boolean - subPath: - description: Path within the volume from which - the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume - from which the container's volume should - be mounted. Behaves similarly to SubPath - but environment variable references $(VAR_NAME) - are expanded using the container's environment. - Defaults to "" (volume's root). SubPathExpr - and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not - specified, the container runtime's default will - be used, which might be configured in the container - image. Cannot be updated. - type: string - required: - - name - type: object - type: array - nodeName: - description: NodeName is a request to schedule this pod - onto a specific node. If it is non-empty, the scheduler - simply schedules this pod onto that node, assuming that - it fits resource requirements. - type: string - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which must be - true for the pod to fit on a node. Selector which must - match a node''s labels for the pod to be scheduled on - that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - x-kubernetes-map-type: atomic - os: - description: "Specifies the OS of the containers in the - pod. Some pod and container fields are restricted if - this is set. \n If the OS field is set to linux, the - following fields must be unset: -securityContext.windowsOptions - \n If the OS field is set to windows, following fields - must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions - - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup" - properties: - name: - description: 'Name is the name of the operating system. - The currently supported values are linux and windows. 
- Additional value may be defined in future and can - be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration - Clients should expect to handle additional values - and treat unrecognized values in this field as os: - null' - type: string - required: - - name - type: object - overhead: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead - associated with running a pod for a given RuntimeClass. - This field will be autopopulated at admission time by - the RuntimeClass admission controller. If the RuntimeClass - admission controller is enabled, overhead must not be - set in Pod create requests. The RuntimeClass admission - controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set to - the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md' - type: object - preemptionPolicy: - description: PreemptionPolicy is the Policy for preempting - pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. - type: string - priority: - description: The priority value. Various system components - use this field to find the priority of the pod. When - Priority Admission Controller is enabled, it prevents - users from setting this field. The admission controller - populates this field from PriorityClassName. The higher - the value, the higher the priority. - format: int32 - type: integer - priorityClassName: - description: If specified, indicates the pod's priority. 
- "system-node-critical" and "system-cluster-critical" - are two special keywords which indicate the highest - priorities with the former being the highest priority. - Any other name must be defined by creating a PriorityClass - object with that name. If not specified, the pod priority - will be default or zero if there is no default. - type: string - readinessGates: - description: 'If specified, all readiness gates will be - evaluated for pod readiness. A pod is ready when all - its containers are ready AND all conditions specified - in the readiness gates have status equal to "True" More - info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' - items: - description: PodReadinessGate contains the reference - to a pod condition - properties: - conditionType: - description: ConditionType refers to a condition - in the pod's condition list with matching type. - type: string - required: - - conditionType - type: object - type: array - resourceClaims: - description: "ResourceClaims defines which ResourceClaims - must be allocated and reserved before the Pod is allowed - to start. The resources will be made available to those - containers which consume them by name. \n This is an - alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable." - items: - description: PodResourceClaim references exactly one - ResourceClaim through a ClaimSource. It adds a name - to it that uniquely identifies the ResourceClaim inside - the Pod. Containers that need access to the ResourceClaim - reference it with this name. - properties: - name: - description: Name uniquely identifies this resource - claim inside the pod. This must be a DNS_LABEL. - type: string - source: - description: Source describes where to find the - ResourceClaim. - properties: - resourceClaimName: - description: ResourceClaimName is the name of - a ResourceClaim object in the same namespace - as this pod. 
- type: string - resourceClaimTemplateName: - description: "ResourceClaimTemplateName is the - name of a ResourceClaimTemplate object in - the same namespace as this pod. \n The template - will be used to create a new ResourceClaim, - which will be bound to this pod. When this - pod is deleted, the ResourceClaim will also - be deleted. The pod name and resource name, - along with a generated component, will be - used to form a unique name for the ResourceClaim, - which will be recorded in pod.status.resourceClaimStatuses. - \n This field is immutable and no changes - will be made to the corresponding ResourceClaim - by the control plane after creating the ResourceClaim." - type: string - type: object - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - restartPolicy: - description: 'Restart policy for all containers within - the pod. One of Always, OnFailure, Never. In some contexts, - only a subset of those values may be permitted. Default - to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' - type: string - runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass - object in the node.k8s.io group, which should be used - to run this pod. If no RuntimeClass resource matches - the named class, the pod will not be run. If unset or - empty, the "legacy" RuntimeClass will be used, which - is an implicit class with an empty definition that uses - the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' - type: string - schedulerName: - description: If specified, the pod will be dispatched - by specified scheduler. If not specified, the pod will - be dispatched by default scheduler. - type: string - schedulingGates: - description: "SchedulingGates is an opaque list of values - that if specified will block scheduling the pod. 
If - schedulingGates is not empty, the pod will stay in the - SchedulingGated state and the scheduler will not attempt - to schedule the pod. \n SchedulingGates can only be - set at pod creation time, and be removed only afterwards. - \n This is a beta feature enabled by the PodSchedulingReadiness - feature gate." - items: - description: PodSchedulingGate is associated to a Pod - to guard its scheduling. - properties: - name: - description: Name of the scheduling gate. Each scheduling - gate must have a unique name field. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - securityContext: - description: 'SecurityContext holds pod-level security - attributes and common container settings. Optional: - Defaults to empty. See type description for default - values of each field.' - properties: - fsGroup: - description: "A special supplemental group that applies - to all containers in a pod. Some volume types allow - the Kubelet to change the ownership of that volume - to be owned by the pod: \n 1. The owning GID will - be the FSGroup 2. The setgid bit is set (new files - created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- \n - If unset, the Kubelet will not modify the ownership - and permissions of any volume. Note that this field - cannot be set when spec.os.name is windows." - format: int64 - type: integer - fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior - of changing ownership and permission of the volume - before being exposed inside Pod. This field will - only apply to volume types which support fsGroup - based ownership(and permissions). It will have no - effect on ephemeral volume types such as: secret, - configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name - is windows.' 
- type: string - runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in SecurityContext. If set in both - SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence for - that container. Note that this field cannot be set - when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not - run as UID 0 (root) and fail to start the container - if it does. If unset or false, no such validation - will be performed. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified in - image metadata if unspecified. May also be set in - SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this - field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to - all containers. If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence - for that container. Note that this field cannot - be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that - applies to the container. - type: string - role: - description: Role is a SELinux role label that - applies to the container. 
- type: string - type: - description: Type is a SELinux type label that - applies to the container. - type: string - user: - description: User is a SELinux user label that - applies to the container. - type: string - type: object - seccompProfile: - description: The seccomp options to use by the containers - in this pod. Note that this field cannot be set - when spec.os.name is windows. - properties: - localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must be set if type is "Localhost". - Must NOT be set for any other type. - type: string - type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file on - the node should be used. RuntimeDefault - the - container runtime default profile should be - used. Unconfined - no profile should be applied." - type: string - required: - - type - type: object - supplementalGroups: - description: A list of groups applied to the first - process run in each container, in addition to the - container's primary GID, the fsGroup (if specified), - and group memberships defined in the container image - for the uid of the container process. If unspecified, - no additional groups are added to any container. - Note that group memberships defined in the container - image for the uid of the container process are still - effective, even if they are not included in this - list. Note that this field cannot be set when spec.os.name - is windows. - items: - format: int64 - type: integer - type: array - sysctls: - description: Sysctls hold a list of namespaced sysctls - used for the pod. Pods with unsupported sysctls - (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name - is windows. 
- items: - description: Sysctl defines a kernel parameter to - be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options within - a container's SecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is linux. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. - type: string - hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - All of a Pod's containers must have the same - effective HostProcess value (it is not allowed - to have a mix of HostProcess containers and - non-HostProcess containers). In addition, if - HostProcess is true then HostNetwork must also - be set to true. - type: boolean - runAsUserName: - description: The UserName in Windows to run the - entrypoint of the container process. Defaults - to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. - type: string - type: object - type: object - serviceAccount: - description: 'DeprecatedServiceAccount is a depreciated - alias for ServiceAccountName. Deprecated: Use serviceAccountName - instead.' 
- type: string - serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount - to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' - type: string - setHostnameAsFQDN: - description: If true the pod's hostname will be configured - as the pod's FQDN, rather than the leaf name (the default). - In Linux containers, this means setting the FQDN in - the hostname field of the kernel (the nodename field - of struct utsname). In Windows containers, this means - setting the registry value of hostname for the registry - key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no effect. - Default to false. - type: boolean - shareProcessNamespace: - description: 'Share a single process namespace between - all of the containers in a pod. When this is set containers - will be able to view and signal processes from other - containers in the same pod, and the first process in - each container will not be assigned PID 1. HostPID and - ShareProcessNamespace cannot both be set. Optional: - Default to false.' - type: boolean - subdomain: - description: If specified, the fully qualified Pod hostname - will be "...svc.". If not specified, the pod will not have a - domainname at all. - type: string - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs - to terminate gracefully. May be decreased in delete - request. Value must be non-negative integer. The value - zero indicates stop immediately via the kill signal - (no opportunity to shut down). If this value is nil, - the default grace period will be used instead. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and - the time when the processes are forcibly halted with - a kill signal. Set this value longer than the expected - cleanup time for your process. 
Defaults to 30 seconds. - format: int64 - type: integer - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached to - tolerates any taint that matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; - this combination means to match all values and - all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: TopologySpreadConstraints describes how a - group of pods ought to spread across topology domains. - Scheduler will schedule pods in a way which abides by - the constraints. All topologySpreadConstraints are ANDed. - items: - description: TopologySpreadConstraint specifies how - to spread matching pods among the given topology. 
- properties: - labelSelector: - description: LabelSelector is used to find matching - pods. Pods that match this label selector are - counted to determine the number of pods in their - corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: "MatchLabelKeys is a set of pod label - keys to select the pods over which spreading will - be calculated. The keys are used to lookup values - from the incoming pod labels, those key-value - labels are ANDed with labelSelector to select - the group of existing pods over which spreading - will be calculated for the incoming pod. The same - key is forbidden to exist in both MatchLabelKeys - and LabelSelector. 
MatchLabelKeys cannot be set - when LabelSelector isn't set. Keys that don't - exist in the incoming pod labels will be ignored. - A null or empty list means only match against - labelSelector. \n This is a beta field and requires - the MatchLabelKeysInPodTopologySpread feature - gate to be enabled (enabled by default)." - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: 'MaxSkew describes the degree to which - pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, - it is the maximum permitted difference between - the number of matching pods in the target topology - and the global minimum. The global minimum is - the minimum number of matching pods in an eligible - domain or zero if the number of eligible domains - is less than MinDomains. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with the - same labelSelector spread as 2/2/1: In this case, - the global minimum is 1. | zone1 | zone2 | zone3 - | | P P | P P | P | - if MaxSkew is 1, - incoming pod can only be scheduled to zone3 to - become 2/2/2; scheduling it onto zone1(zone2) - would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - if MaxSkew is 2, incoming - pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default - value is 1 and 0 is not allowed.' - format: int32 - type: integer - minDomains: - description: "MinDomains indicates a minimum number - of eligible domains. When the number of eligible - domains with matching topology keys is less than - minDomains, Pod Topology Spread treats \"global - minimum\" as 0, and then the calculation of Skew - is performed. And when the number of eligible - domains with matching topology keys equals or - greater than minDomains, this value has no effect - on scheduling. 
As a result, when the number of - eligible domains is less than minDomains, scheduler - won't schedule more than maxSkew Pods to those - domains. If value is nil, the constraint behaves - as if MinDomains is equal to 1. Valid values are - integers greater than 0. When value is not nil, - WhenUnsatisfiable must be DoNotSchedule. \n For - example, in a 3-zone cluster, MaxSkew is set to - 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: | zone1 | zone2 - | zone3 | | P P | P P | P P | The number - of domains is less than 5(MinDomains), so \"global - minimum\" is treated as 0. In this situation, - new pod with the same labelSelector cannot be - scheduled, because computed skew will be 3(3 - - 0) if new Pod is scheduled to any of the three - zones, it will violate MaxSkew. \n This is a beta - field and requires the MinDomainsInPodTopologySpread - feature gate to be enabled (enabled by default)." - format: int32 - type: integer - nodeAffinityPolicy: - description: "NodeAffinityPolicy indicates how we - will treat Pod's nodeAffinity/nodeSelector when - calculating pod topology spread skew. Options - are: - Honor: only nodes matching nodeAffinity/nodeSelector - are included in the calculations. - Ignore: nodeAffinity/nodeSelector - are ignored. All nodes are included in the calculations. - \n If this value is nil, the behavior is equivalent - to the Honor policy. This is a beta-level feature - default enabled by the NodeInclusionPolicyInPodTopologySpread - feature flag." - type: string - nodeTaintsPolicy: - description: "NodeTaintsPolicy indicates how we - will treat node taints when calculating pod topology - spread skew. Options are: - Honor: nodes without - taints, along with tainted nodes for which the - incoming pod has a toleration, are included. - - Ignore: node taints are ignored. All nodes are - included. \n If this value is nil, the behavior - is equivalent to the Ignore policy. 
This is a - beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread - feature flag." - type: string - topologyKey: - description: TopologyKey is the key of node labels. - Nodes that have a label with this key and identical - values are considered to be in the same topology. - We consider each as a "bucket", and - try to put balanced number of pods into each bucket. - We define a domain as a particular instance of - a topology. Also, we define an eligible domain - as a domain whose nodes meet the requirements - of nodeAffinityPolicy and nodeTaintsPolicy. e.g. - If TopologyKey is "kubernetes.io/hostname", each - Node is a domain of that topology. And, if TopologyKey - is "topology.kubernetes.io/zone", each zone is - a domain of that topology. It's a required field. - type: string - whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to - deal with a pod if it doesn''t satisfy the spread - constraint. - DoNotSchedule (default) tells the - scheduler not to schedule it. - ScheduleAnyway - tells the scheduler to schedule the pod in any - location, but giving higher precedence to topologies - that would help reduce the skew. A constraint - is considered "Unsatisfiable" for an incoming - pod if and only if every possible node assignment - for that pod would violate "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set - to 1, and pods with the same labelSelector spread - as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, - incoming pod can only be scheduled to zone2(zone3) - to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) - satisfies MaxSkew(1). In other words, the cluster - can still be imbalanced, but scheduler won''t - make it *more* imbalanced. It''s a required field.' 
- type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - x-kubernetes-list-map-keys: - - topologyKey - - whenUnsatisfiable - x-kubernetes-list-type: map - volumes: - description: 'List of volumes that can be mounted by containers - belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' - items: - description: Volume represents a named volume in a pod - that may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: 'awsElasticBlockStore represents an - AWS Disk resource that is attached to a kubelet''s - host machine and then exposed to the pod. More - info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - properties: - fsType: - description: 'fsType is the filesystem type - of the volume that you want to mount. Tip: - Ensure that the filesystem type is supported - by the host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - partition: - description: 'partition is the partition in - the volume that you want to mount. If omitted, - the default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition for - /dev/sda is "0" (or you can leave the property - empty).' - format: int32 - type: integer - readOnly: - description: 'readOnly value true will force - the readOnly setting in VolumeMounts. More - info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: boolean - volumeID: - description: 'volumeID is unique ID of the persistent - disk resource in AWS (Amazon EBS volume). 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: string - required: - - volumeID - type: object - azureDisk: - description: azureDisk represents an Azure Data - Disk mount on the host and bind mount to the pod. - properties: - cachingMode: - description: 'cachingMode is the Host Caching - mode: None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data - disk in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk - in the blob storage - type: string - fsType: - description: fsType is Filesystem type to mount. - Must be a filesystem type supported by the - host operating system. Ex. "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - kind: - description: 'kind expected values are Shared: - multiple blob disks per storage account Dedicated: - single blob disk per storage account Managed: - azure managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - description: readOnly Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: azureFile represents an Azure File - Service mount on the host and bind mount to the - pod. - properties: - readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. 
- type: boolean - secretName: - description: secretName is the name of secret - that contains Azure Storage Account Name and - Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: cephFS represents a Ceph FS mount on - the host that shares a pod's lifetime - properties: - monitors: - description: 'monitors is Required: Monitors - is a collection of Ceph monitors More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - items: - type: string - type: array - path: - description: 'path is Optional: Used as the - mounted root, rather than the full Ceph tree, - default is /' - type: string - readOnly: - description: 'readOnly is Optional: Defaults - to false (read/write). ReadOnly here will - force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: boolean - secretFile: - description: 'secretFile is Optional: SecretFile - is the path to key ring for User, default - is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - secretRef: - description: 'secretRef is Optional: SecretRef - is reference to the authentication secret - for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - user: - description: 'user is optional: User is the - rados user name, default is admin More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - required: - - monitors - type: object - cinder: - description: 'cinder represents a cinder volume - attached and mounted on kubelets host machine. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - properties: - fsType: - description: 'fsType is the filesystem type - to mount. Must be a filesystem type supported - by the host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - readOnly: - description: 'readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: boolean - secretRef: - description: 'secretRef is optional: points - to a secret object containing parameters used - to connect to OpenStack.' - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: 'volumeID used to identify the - volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that - should populate this volume - properties: - defaultMode: - description: 'defaultMode is optional: mode - bits used to set permissions on created files - by default. Must be an octal value between - 0000 and 0777 or a decimal value between 0 - and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. 
Defaults to 0644. Directories within - the path are not affected by this setting. - This might be in conflict with other options - that affect the file mode, like fsGroup, and - the result can be other mode bits set.' - format: int32 - type: integer - items: - description: items if unspecified, each key-value - pair in the Data field of the referenced ConfigMap - will be projected into the volume as a file - whose name is the key and content is the value. - If specified, the listed keys will be projected - into the specified paths, and unlisted keys - will not be present. If a key is specified - which is not present in the ConfigMap, the - volume setup will error unless it is marked - optional. Paths must be relative and may not - contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: 'mode is Optional: mode bits - used to set permissions on this file. - Must be an octal value between 0000 - and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, like - fsGroup, and the result can be other - mode bits set.' - format: int32 - type: integer - path: - description: path is the relative path - of the file to map the key to. May not - be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: driver is the name of the CSI driver - that handles this volume. Consult with your - admin for the correct name as registered in - the cluster. - type: string - fsType: - description: fsType to mount. Ex. "ext4", "xfs", - "ntfs". If not provided, the empty value is - passed to the associated CSI driver which - will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: nodePublishSecretRef is a reference - to the secret object containing sensitive - information to pass to the CSI driver to complete - the CSI NodePublishVolume and NodeUnpublishVolume - calls. This field is optional, and may be - empty if no secret is required. If the secret - object contains more than one secret, all - secret references are passed. - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: readOnly specifies a read-only - configuration for the volume. Defaults to - false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: volumeAttributes stores driver-specific - properties that are passed to the CSI driver. - Consult your driver's documentation for supported - values. 
- type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API - about the pod that should populate this volume - properties: - defaultMode: - description: 'Optional: mode bits to use on - created files by default. Must be a Optional: - mode bits used to set permissions on created - files by default. Must be an octal value between - 0000 and 0777 or a decimal value between 0 - and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within - the path are not affected by this setting. - This might be in conflict with other options - that affect the file mode, like fsGroup, and - the result can be other mode bits set.' - format: int32 - type: integer - items: - description: Items is a list of downward API - volume file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name and namespace are supported.' - properties: - apiVersion: - description: Version of the schema - the FieldPath is written in terms - of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to - select in the specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: 'Optional: mode bits used - to set permissions on this file, must - be an octal value between 0000 and 0777 - or a decimal value between 0 and 511. - YAML accepts both octal and decimal - values, JSON requires decimal values - for mode bits. If not specified, the - volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits - set.' 
- format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. - Must not be absolute or contain the - ''..'' path. Must be utf-8 encoded. - The first item of the relative path - must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of the - container: only resources limits and - requests (limits.cpu, limits.memory, - requests.cpu and requests.memory) are - currently supported.' - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to - select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - emptyDir: - description: 'emptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - properties: - medium: - description: 'medium represents what type of - storage medium should back this directory. - The default is "" which means to use the node''s - default medium. Must be an empty string (default) - or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: 'sizeLimit is the total amount - of local storage required for this EmptyDir - volume. The size limit is also applicable - for memory medium. 
The maximum usage on memory - medium EmptyDir would be the minimum value - between the SizeLimit specified here and the - sum of memory limits of all containers in - a pod. The default is nil which means that - the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: "ephemeral represents a volume that - is handled by a cluster storage driver. The volume's - lifecycle is tied to the pod that defines it - - it will be created before the pod starts, and - deleted when the pod is removed. \n Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from - snapshot or capacity tracking are needed, c) the - storage driver is specified through a storage - class, and d) the storage driver supports dynamic - volume provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information - on the connection between this volume type and - PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes - that persist for longer than the lifecycle of - an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is meant - to be used that way - see the documentation of - the driver for more information. \n A pod can - use both types of ephemeral volumes and persistent - volumes at the same time." - properties: - volumeClaimTemplate: - description: "Will be used to create a stand-alone - PVC to provision the volume. The pod in which - this EphemeralVolumeSource is embedded will - be the owner of the PVC, i.e. the PVC will - be deleted together with the pod. The name - of the PVC will be `-` - where `` is the name from the - `PodSpec.Volumes` array entry. 
Pod validation - will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - \n An existing PVC with that name that is - not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume - by mistake. Starting the pod is then blocked - until the unrelated PVC is removed. If such - a pre-created PVC is meant to be used by the - pod, the PVC has to updated with an owner - reference to the pod once the pod exists. - Normally this should not be necessary, but - it may be useful when manually reconstructing - a broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n Required, - must not be nil." - properties: - metadata: - description: May contain labels and annotations - that will be copied into the PVC when - creating it. No other fields are allowed - and will be rejected during validation. - type: object - spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged - into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: 'accessModes contains the - desired access modes the volume should - have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: 'dataSource field can be - used to specify either: * An existing - VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external - controller can support the specified - data source, it will create a new - volume based on the contents of the - specified data source. 
When the AnyVolumeDataSource - feature gate is enabled, dataSource - contents will be copied to dataSourceRef, - and dataSourceRef contents will be - copied to dataSource when dataSourceRef.namespace - is not specified. If the namespace - is specified, then dataSourceRef will - not be copied to dataSource.' - properties: - apiGroup: - description: APIGroup is the group - for the resource being referenced. - If APIGroup is not specified, - the specified Kind must be in - the core API group. For any other - third-party types, APIGroup is - required. - type: string - kind: - description: Kind is the type of - resource being referenced - type: string - name: - description: Name is the name of - resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: 'dataSourceRef specifies - the object from which to populate - the volume with data, if a non-empty - volume is desired. This may be any - object from a non-empty API group - (non core object) or a PersistentVolumeClaim - object. When this field is specified, - volume binding will only succeed if - the type of the specified object matches - some installed volume populator or - dynamic provisioner. This field will - replace the functionality of the dataSource - field and as such if both fields are - non-empty, they must have the same - value. For backwards compatibility, - when namespace isn''t specified in - dataSourceRef, both fields (dataSource - and dataSourceRef) will be set to - the same value automatically if one - of them is empty and the other is - non-empty. When namespace is specified - in dataSourceRef, dataSource isn''t - set to the same value and must be - empty. There are three important differences - between dataSource and dataSourceRef: - * While dataSource only allows two - specific types of objects, dataSourceRef - allows any non-core object, as well - as PersistentVolumeClaim objects. 
- * While dataSource ignores disallowed - values (dropping them), dataSourceRef - preserves all values, and generates - an error if a disallowed value is - specified. * While dataSource only - allows local objects, dataSourceRef - allows objects in any namespaces. - (Beta) Using this field requires the - AnyVolumeDataSource feature gate to - be enabled. (Alpha) Using the namespace - field of dataSourceRef requires the - CrossNamespaceVolumeDataSource feature - gate to be enabled.' - properties: - apiGroup: - description: APIGroup is the group - for the resource being referenced. - If APIGroup is not specified, - the specified Kind must be in - the core API group. For any other - third-party types, APIGroup is - required. - type: string - kind: - description: Kind is the type of - resource being referenced - type: string - name: - description: Name is the name of - resource being referenced - type: string - namespace: - description: Namespace is the namespace - of resource being referenced Note - that when a namespace is specified, - a gateway.networking.k8s.io/ReferenceGrant - object is required in the referent - namespace to allow that namespace's - owner to accept the reference. - See the ReferenceGrant documentation - for details. (Alpha) This field - requires the CrossNamespaceVolumeDataSource - feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: 'resources represents the - minimum resources the volume should - have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed - to specify resource requirements that - are lower than previous value but - must still be higher than capacity - recorded in the status field of the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - claims: - description: "Claims lists the names - of resources, defined in spec.resourceClaims, - that are used by this container. 
- \n This is an alpha field and - requires enabling the DynamicResourceAllocation - feature gate. \n This field is - immutable. It can only be set - for containers." - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match - the name of one entry in - pod.spec.resourceClaims - of the Pod where this field - is used. It makes that resource - available inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the - maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes - the minimum amount of compute - resources required. If Requests - is omitted for a container, it - defaults to Limits if that is - explicitly specified, otherwise - to an implementation-defined value. - Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - selector: - description: selector is a label query - over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. 
- items: - description: A label selector - requirement is a selector that - contains values, a key, and - an operator that relates the - key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: operator represents - a key's relationship to - a set of values. Valid operators - are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an - array of string values. - If the operator is In or - NotIn, the values array - must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be - empty. This array is replaced - during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map - of {key,value} pairs. A single - {key,value} in the matchLabels - map is equivalent to an element - of matchExpressions, whose key - field is "key", the operator is - "In", and the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: 'storageClassName is the - name of the StorageClass required - by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what - type of volume is required by the - claim. Value of Filesystem is implied - when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding - reference to the PersistentVolume - backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and - then exposed to the pod. 
- properties: - fsType: - description: 'fsType is the filesystem type - to mount. Must be a filesystem type supported - by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. TODO: how do we prevent errors - in the filesystem from compromising the machine' - type: string - lun: - description: 'lun is Optional: FC target lun - number' - format: int32 - type: integer - readOnly: - description: 'readOnly is Optional: Defaults - to false (read/write). ReadOnly here will - force the ReadOnly setting in VolumeMounts.' - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - wwids: - description: 'wwids Optional: FC volume world - wide identifiers (wwids) Either wwids or combination - of targetWWNs and lun must be set, but not - both simultaneously.' - items: - type: string - type: array - type: object - flexVolume: - description: flexVolume represents a generic volume - resource that is provisioned/attached using an - exec based plugin. - properties: - driver: - description: driver is the name of the driver - to use for this volume. - type: string - fsType: - description: fsType is the filesystem type to - mount. Must be a filesystem type supported - by the host operating system. Ex. "ext4", - "xfs", "ntfs". The default filesystem depends - on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field - holds extra command options if any.' - type: object - readOnly: - description: 'readOnly is Optional: defaults - to false (read/write). ReadOnly here will - force the ReadOnly setting in VolumeMounts.' - type: boolean - secretRef: - description: 'secretRef is Optional: secretRef - is reference to the secret object containing - sensitive information to pass to the plugin - scripts. This may be empty if no secret object - is specified. 
If the secret object contains - more than one secret, all secrets are passed - to the plugin scripts.' - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: flocker represents a Flocker volume - attached to a kubelet's host machine. This depends - on the Flocker control service being running - properties: - datasetName: - description: datasetName is Name of the dataset - stored as metadata -> name on the dataset - for Flocker should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the - dataset. This is unique identifier of a Flocker - dataset - type: string - type: object - gcePersistentDisk: - description: 'gcePersistentDisk represents a GCE - Disk resource that is attached to a kubelet''s - host machine and then exposed to the pod. More - info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - properties: - fsType: - description: 'fsType is filesystem type of the - volume that you want to mount. Tip: Ensure - that the filesystem type is supported by the - host operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" if - unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - partition: - description: 'partition is the partition in - the volume that you want to mount. If omitted, - the default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition for - /dev/sda is "0" (or you can leave the property - empty). 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - format: int32 - type: integer - pdName: - description: 'pdName is unique name of the PD - resource in GCE. Used to identify the disk - in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: string - readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: boolean - required: - - pdName - type: object - gitRepo: - description: 'gitRepo represents a git repository - at a particular revision. DEPRECATED: GitRepo - is deprecated. To provision a container with a - git repo, mount an EmptyDir into an InitContainer - that clones the repo using git, then mount the - EmptyDir into the Pod''s container.' - properties: - directory: - description: directory is the target directory - name. Must not contain or start with '..'. If - '.' is supplied, the volume directory will - be the git repository. Otherwise, if specified, - the volume will contain the git repository - in the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for - the specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: 'glusterfs represents a Glusterfs mount - on the host that shares a pod''s lifetime. More - info: https://examples.k8s.io/volumes/glusterfs/README.md' - properties: - endpoints: - description: 'endpoints is the endpoint name - that details Glusterfs topology. More info: - https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - path: - description: 'path is the Glusterfs volume path. 
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - readOnly: - description: 'readOnly here will force the Glusterfs - volume to be mounted with read-only permissions. - Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: 'hostPath represents a pre-existing - file or directory on the host machine that is - directly exposed to the container. This is generally - used for system agents or other privileged things - that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' - properties: - path: - description: 'path of the directory on the host. - If the path is a symlink, it will follow the - link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - type: - description: 'type for HostPath Volume Defaults - to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - required: - - path - type: object - iscsi: - description: 'iscsi represents an ISCSI Disk resource - that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether - support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether - support iSCSI Session CHAP authentication - type: boolean - fsType: - description: 'fsType is the filesystem type - of the volume that you want to mount. Tip: - Ensure that the filesystem type is supported - by the host operating system. Examples: "ext4", - "xfs", "ntfs". 
Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - initiatorName: - description: initiatorName is the custom iSCSI - Initiator Name. If initiatorName is specified - with iscsiInterface simultaneously, new iSCSI - interface : will - be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified - Name. - type: string - iscsiInterface: - description: iscsiInterface is the interface - Name that uses an iSCSI transport. Defaults - to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun - number. - format: int32 - type: integer - portals: - description: portals is the iSCSI Target Portal - List. The portal is either an IP or ip_addr:port - if the port is other than default (typically - TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for - iSCSI target and initiator authentication - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: targetPortal is iSCSI Target Portal. - The Portal is either an IP or ip_addr:port - if the port is other than default (typically - TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: 'name of the volume. Must be a DNS_LABEL - and unique within the pod. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - nfs: - description: 'nfs represents an NFS mount on the - host that shares a pod''s lifetime More info: - https://kubernetes.io/docs/concepts/storage/volumes#nfs' - properties: - path: - description: 'path that is exported by the NFS - server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - readOnly: - description: 'readOnly here will force the NFS - export to be mounted with read-only permissions. - Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: boolean - server: - description: 'server is the hostname or IP address - of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'persistentVolumeClaimVolumeSource - represents a reference to a PersistentVolumeClaim - in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - claimName: - description: 'claimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this - volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - type: string - readOnly: - description: readOnly Will force the ReadOnly - setting in VolumeMounts. Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets - host machine - properties: - fsType: - description: fsType is the filesystem type to - mount. Must be a filesystem type supported - by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. 
- type: string - pdID: - description: pdID is the ID that identifies - Photon Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: portworxVolume represents a portworx - volume attached and mounted on kubelets host machine - properties: - fsType: - description: fSType represents the filesystem - type to mount Must be a filesystem type supported - by the host operating system. Ex. "ext4", - "xfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a - Portworx volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: defaultMode are the mode bits used - to set permissions on created files by default. - Must be an octal value between 0000 and 0777 - or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON - requires decimal values for mode bits. Directories - within the path are not affected by this setting. - This might be in conflict with other options - that affect the file mode, like fsGroup, and - the result can be other mode bits set. - format: int32 - type: integer - sources: - description: sources is the list of volume projections - items: - description: Projection that may be projected - along with other supported volume types - properties: - configMap: - description: configMap information about - the configMap data to project - properties: - items: - description: items if unspecified, - each key-value pair in the Data - field of the referenced ConfigMap - will be projected into the volume - as a file whose name is the key - and content is the value. 
If specified, - the listed keys will be projected - into the specified paths, and unlisted - keys will not be present. If a key - is specified which is not present - in the ConfigMap, the volume setup - will error unless it is marked optional. - Paths must be relative and may not - contain the '..' path or start with - '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key - to project. - type: string - mode: - description: 'mode is Optional: - mode bits used to set permissions - on this file. Must be an octal - value between 0000 and 0777 - or a decimal value between - 0 and 511. YAML accepts both - octal and decimal values, - JSON requires decimal values - for mode bits. If not specified, - the volume defaultMode will - be used. This might be in - conflict with other options - that affect the file mode, - like fsGroup, and the result - can be other mode bits set.' - format: int32 - type: integer - path: - description: path is the relative - path of the file to map the - key to. May not be an absolute - path. May not contain the - path element '..'. May not - start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
- type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be - defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile - represents information to create - the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name and namespace - are supported.' - properties: - apiVersion: - description: Version of - the schema the FieldPath - is written in terms of, - defaults to "v1". - type: string - fieldPath: - description: Path of the - field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: 'Optional: mode - bits used to set permissions - on this file, must be an octal - value between 0000 and 0777 - or a decimal value between - 0 and 511. YAML accepts both - octal and decimal values, - JSON requires decimal values - for mode bits. If not specified, - the volume defaultMode will - be used. This might be in - conflict with other options - that affect the file mode, - like fsGroup, and the result - can be other mode bits set.' - format: int32 - type: integer - path: - description: 'Required: Path - is the relative path name - of the file to be created. - Must not be absolute or contain - the ''..'' path. Must be utf-8 - encoded. The first item of - the relative path must not - start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource - of the container: only resources - limits and requests (limits.cpu, - limits.memory, requests.cpu - and requests.memory) are currently - supported.' 
- properties: - containerName: - description: 'Container - name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the - output format of the exposed - resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: - resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - type: object - secret: - description: secret information about - the secret data to project - properties: - items: - description: items if unspecified, - each key-value pair in the Data - field of the referenced Secret will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, - the listed keys will be projected - into the specified paths, and unlisted - keys will not be present. If a key - is specified which is not present - in the Secret, the volume setup - will error unless it is marked optional. - Paths must be relative and may not - contain the '..' path or start with - '..'. - items: - description: Maps a string key to - a path within a volume. - properties: - key: - description: key is the key - to project. - type: string - mode: - description: 'mode is Optional: - mode bits used to set permissions - on this file. Must be an octal - value between 0000 and 0777 - or a decimal value between - 0 and 511. YAML accepts both - octal and decimal values, - JSON requires decimal values - for mode bits. If not specified, - the volume defaultMode will - be used. This might be in - conflict with other options - that affect the file mode, - like fsGroup, and the result - can be other mode bits set.' 
- format: int32 - type: integer - path: - description: path is the relative - path of the file to map the - key to. May not be an absolute - path. May not contain the - path element '..'. May not - start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - optional: - description: optional field specify - whether the Secret or its key must - be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to - project - properties: - audience: - description: audience is the intended - audience of the token. A recipient - of a token must identify itself - with an identifier specified in - the audience of the token, and otherwise - should reject the token. The audience - defaults to the identifier of the - apiserver. - type: string - expirationSeconds: - description: expirationSeconds is - the requested duration of validity - of the service account token. As - the token approaches expiration, - the kubelet volume plugin will proactively - rotate the service account token. - The kubelet will start trying to - rotate the token if the token is - older than 80 percent of its time - to live or if the token is older - than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: path is the path relative - to the mount point of the file to - project the token into. 
- type: string - required: - - path - type: object - type: object - type: array - type: object - quobyte: - description: quobyte represents a Quobyte mount - on the host that shares a pod's lifetime - properties: - group: - description: group to map volume access to Default - is no group - type: string - readOnly: - description: readOnly here will force the Quobyte - volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: registry represents a single or - multiple Quobyte Registry services specified - as a string as host:port pair (multiple entries - are separated with commas) which acts as the - central registry for volumes - type: string - tenant: - description: tenant owning the given Quobyte - volume in the Backend Used with dynamically - provisioned Quobyte volumes, value is set - by the plugin - type: string - user: - description: user to map volume access to Defaults - to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: 'rbd represents a Rados Block Device - mount on the host that shares a pod''s lifetime. - More info: https://examples.k8s.io/volumes/rbd/README.md' - properties: - fsType: - description: 'fsType is the filesystem type - of the volume that you want to mount. Tip: - Ensure that the filesystem type is supported - by the host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem - from compromising the machine' - type: string - image: - description: 'image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - keyring: - description: 'keyring is the path to key ring - for RBDUser. 
Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - monitors: - description: 'monitors is a collection of Ceph - monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - items: - type: string - type: array - pool: - description: 'pool is the rados pool name. Default - is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - readOnly: - description: 'readOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: boolean - secretRef: - description: 'secretRef is name of the authentication - secret for RBDUser. If provided overrides - keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: 'user is the rados user name. Default - is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - required: - - image - - monitors - type: object - scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. - properties: - fsType: - description: fsType is the filesystem type to - mount. Must be a filesystem type supported - by the host operating system. Ex. "ext4", - "xfs", "ntfs". Default is "xfs". - type: string - gateway: - description: gateway is the host address of - the ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of - the ScaleIO Protection Domain for the configured - storage. - type: string - readOnly: - description: readOnly Defaults to false (read/write). 
- ReadOnly here will force the ReadOnly setting - in VolumeMounts. - type: boolean - secretRef: - description: secretRef references to the secret - for ScaleIO user and other sensitive information. - If this is not provided, Login operation will - fail. - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable - SSL communication with Gateway, default false - type: boolean - storageMode: - description: storageMode indicates whether the - storage for a volume should be ThickProvisioned - or ThinProvisioned. Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. - type: string - system: - description: system is the name of the storage - system as configured in ScaleIO. - type: string - volumeName: - description: volumeName is the name of a volume - already created in the ScaleIO system that - is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: 'secret represents a secret that should - populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - properties: - defaultMode: - description: 'defaultMode is Optional: mode - bits used to set permissions on created files - by default. Must be an octal value between - 0000 and 0777 or a decimal value between 0 - and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. Defaults to 0644. Directories within - the path are not affected by this setting. - This might be in conflict with other options - that affect the file mode, like fsGroup, and - the result can be other mode bits set.' 
- format: int32 - type: integer - items: - description: items If unspecified, each key-value - pair in the Data field of the referenced Secret - will be projected into the volume as a file - whose name is the key and content is the value. - If specified, the listed keys will be projected - into the specified paths, and unlisted keys - will not be present. If a key is specified - which is not present in the Secret, the volume - setup will error unless it is marked optional. - Paths must be relative and may not contain - the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: 'mode is Optional: mode bits - used to set permissions on this file. - Must be an octal value between 0000 - and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, like - fsGroup, and the result can be other - mode bits set.' - format: int32 - type: integer - path: - description: path is the relative path - of the file to map the key to. May not - be an absolute path. May not contain - the path element '..'. May not start - with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: optional field specify whether - the Secret or its keys must be defined - type: boolean - secretName: - description: 'secretName is the name of the - secret in the pod''s namespace to use. More - info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - type: object - storageos: - description: storageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: fsType is the filesystem type to - mount. 
Must be a filesystem type supported - by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. - type: string - readOnly: - description: readOnly defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. - type: boolean - secretRef: - description: secretRef specifies the secret - to use for obtaining the StorageOS API credentials. If - not specified, default values will be attempted. - properties: - name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: volumeName is the human-readable - name of the StorageOS volume. Volume names - are only unique within a namespace. - type: string - volumeNamespace: - description: volumeNamespace specifies the scope - of the volume within StorageOS. If no namespace - is specified then the Pod's namespace will - be used. This allows the Kubernetes name - scoping to be mirrored within StorageOS for - tighter integration. Set VolumeName to any - name to override the default behaviour. Set - to "default" if you are not using namespaces - within StorageOS. Namespaces that do not pre-exist - within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: vsphereVolume represents a vSphere - volume attached and mounted on kubelets host machine - properties: - fsType: - description: fsType is filesystem type to mount. - Must be a filesystem type supported by the - host operating system. Ex. "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" if - unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage - Policy Based Management (SPBM) profile ID - associated with the StoragePolicyName. 
- type: string - storagePolicyName: - description: storagePolicyName is the storage - Policy Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - required: - - containers - type: object - type: object - ttlSecondsAfterFinished: - description: ttlSecondsAfterFinished limits the lifetime of a - Job that has finished execution (either Complete or Failed). - If this field is set, ttlSecondsAfterFinished after the Job - finishes, it is eligible to be automatically deleted. When the - Job is being deleted, its lifecycle guarantees (e.g. finalizers) - will be honored. If this field is unset, the Job won't be automatically - deleted. If this field is set to zero, the Job becomes eligible - to be deleted immediately after it finishes. - format: int32 - type: integer - required: - - template - type: object - maxReplicaCount: - format: int32 - type: integer - minReplicaCount: - format: int32 - type: integer - pollingInterval: - format: int32 - type: integer - rollout: - description: Rollout defines the strategy for job rollouts - properties: - propagationPolicy: - type: string - strategy: - type: string - type: object - rolloutStrategy: - type: string - scalingStrategy: - description: ScalingStrategy defines the strategy of Scaling - properties: - customScalingQueueLengthDeduction: - format: int32 - type: integer - customScalingRunningJobPercentage: - type: string - multipleScalersCalculation: - type: string - pendingPodConditions: - items: - type: string - type: array - strategy: - type: string - type: object - successfulJobsHistoryLimit: - format: int32 - type: integer - triggers: - items: - description: ScaleTriggers reference the scaler that will be used - properties: - authenticationRef: - description: AuthenticationRef points to the TriggerAuthentication - or 
ClusterTriggerAuthentication object that is used to authenticate - the scaler with the environment - properties: - kind: - description: Kind of the resource being referred to. Defaults - to TriggerAuthentication. - type: string - name: - type: string - required: - - name - type: object - metadata: - additionalProperties: - type: string - type: object - name: - type: string - type: - type: string - useCachedMetrics: - type: boolean - required: - - metadata - - type - type: object - type: array - required: - - jobTargetRef - - triggers - type: object - status: - description: ScaledJobStatus defines the observed state of ScaledJob - properties: - Paused: - type: string - conditions: - description: Conditions an array representation to store multiple - Conditions - items: - description: Condition to store the condition state - properties: - message: - description: A human readable message indicating details about - the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition - type: string - required: - - status - - type - type: object - type: array - lastActiveTime: - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end -}} diff --git a/examples/helm-keda/templates/crds/crd-scaledobjects.yaml b/examples/helm-keda/templates/crds/crd-scaledobjects.yaml deleted file mode 100644 index 05f98ce1b..000000000 --- a/examples/helm-keda/templates/crds/crd-scaledobjects.yaml +++ /dev/null 
@@ -1,406 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - {{- if .Values.additionalAnnotations }} - {{- toYaml .Values.additionalAnnotations | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: scaledobjects.keda.sh -spec: - group: keda.sh - names: - kind: ScaledObject - listKind: ScaledObjectList - plural: scaledobjects - shortNames: - - so - singular: scaledobject - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.scaleTargetKind - name: ScaleTargetKind - type: string - - jsonPath: .spec.scaleTargetRef.name - name: ScaleTargetName - type: string - - jsonPath: .spec.minReplicaCount - name: Min - type: integer - - jsonPath: .spec.maxReplicaCount - name: Max - type: integer - - jsonPath: .spec.triggers[*].type - name: Triggers - type: string - - jsonPath: .spec.triggers[*].authenticationRef.name - name: Authentication - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Active")].status - name: Active - type: string - - jsonPath: .status.conditions[?(@.type=="Fallback")].status - name: Fallback - type: string - - jsonPath: .status.conditions[?(@.type=="Paused")].status - name: Paused - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ScaledObject is a specification for a ScaledObject resource - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ScaledObjectSpec is the spec for a ScaledObject resource - properties: - advanced: - description: AdvancedConfig specifies advance scaling options - properties: - horizontalPodAutoscalerConfig: - description: HorizontalPodAutoscalerConfig specifies horizontal - scale config - properties: - behavior: - description: HorizontalPodAutoscalerBehavior configures the - scaling behavior of the target in both Up and Down directions - (scaleUp and scaleDown fields respectively). - properties: - scaleDown: - description: scaleDown is scaling policy for scaling Down. - If not set, the default value is to allow to scale down - to minReplicas pods, with a 300 second stabilization - window (i.e., the highest recommendation for the last - 300sec is used). - properties: - policies: - description: policies is a list of potential scaling - polices which can be used during scaling. At least - one policy must be specified, otherwise the HPAScalingRules - will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy - which must hold true for a specified past interval. - properties: - periodSeconds: - description: periodSeconds specifies the window - of time for which the policy should hold true. - PeriodSeconds must be greater than zero and - less than or equal to 1800 (30 min). - format: int32 - type: integer - type: - description: type is used to specify the scaling - policy. 
- type: string - value: - description: value contains the amount of change - which is permitted by the policy. It must - be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - x-kubernetes-list-type: atomic - selectPolicy: - description: selectPolicy is used to specify which - policy should be used. If not set, the default value - Max is used. - type: string - stabilizationWindowSeconds: - description: 'stabilizationWindowSeconds is the number - of seconds for which past recommendations should - be considered while scaling up or scaling down. - StabilizationWindowSeconds must be greater than - or equal to zero and less than or equal to 3600 - (one hour). If not set, use the default values: - - For scale up: 0 (i.e. no stabilization is done). - - For scale down: 300 (i.e. the stabilization window - is 300 seconds long).' - format: int32 - maximum: 3600 - minimum: 0 - type: integer - type: object - scaleUp: - description: 'scaleUp is scaling policy for scaling Up. - If not set, the default value is the higher of: * increase - no more than 4 pods per 60 seconds * double the number - of pods per 60 seconds No stabilization is used.' - properties: - policies: - description: policies is a list of potential scaling - polices which can be used during scaling. At least - one policy must be specified, otherwise the HPAScalingRules - will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy - which must hold true for a specified past interval. - properties: - periodSeconds: - description: periodSeconds specifies the window - of time for which the policy should hold true. - PeriodSeconds must be greater than zero and - less than or equal to 1800 (30 min). - format: int32 - type: integer - type: - description: type is used to specify the scaling - policy. - type: string - value: - description: value contains the amount of change - which is permitted by the policy. 
It must - be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - x-kubernetes-list-type: atomic - selectPolicy: - description: selectPolicy is used to specify which - policy should be used. If not set, the default value - Max is used. - type: string - stabilizationWindowSeconds: - description: 'stabilizationWindowSeconds is the number - of seconds for which past recommendations should - be considered while scaling up or scaling down. - StabilizationWindowSeconds must be greater than - or equal to zero and less than or equal to 3600 - (one hour). If not set, use the default values: - - For scale up: 0 (i.e. no stabilization is done). - - For scale down: 300 (i.e. the stabilization window - is 300 seconds long).' - format: int32 - maximum: 3600 - minimum: 0 - type: integer - type: object - type: object - name: - type: string - type: object - restoreToOriginalReplicaCount: - type: boolean - scalingModifiers: - description: ScalingModifiers describes advanced scaling logic - options like formula - properties: - activationTarget: - type: string - formula: - type: string - metricType: - description: MetricTargetType specifies the type of metric - being targeted, and should be either "Value", "AverageValue", - or "Utilization" - type: string - target: - type: string - type: object - type: object - cooldownPeriod: - format: int32 - type: integer - fallback: - description: Fallback is the spec for fallback options - properties: - failureThreshold: - format: int32 - type: integer - replicas: - format: int32 - type: integer - required: - - failureThreshold - - replicas - type: object - idleReplicaCount: - format: int32 - type: integer - maxReplicaCount: - format: int32 - type: integer - minReplicaCount: - format: int32 - type: integer - pollingInterval: - format: int32 - type: integer - scaleTargetRef: - description: ScaleTarget holds the reference to the scale target Object - properties: - 
apiVersion: - type: string - envSourceContainerName: - type: string - kind: - type: string - name: - type: string - required: - - name - type: object - triggers: - items: - description: ScaleTriggers reference the scaler that will be used - properties: - authenticationRef: - description: AuthenticationRef points to the TriggerAuthentication - or ClusterTriggerAuthentication object that is used to authenticate - the scaler with the environment - properties: - kind: - description: Kind of the resource being referred to. Defaults - to TriggerAuthentication. - type: string - name: - type: string - required: - - name - type: object - metadata: - additionalProperties: - type: string - type: object - metricType: - description: MetricTargetType specifies the type of metric being - targeted, and should be either "Value", "AverageValue", or - "Utilization" - type: string - name: - type: string - type: - type: string - useCachedMetrics: - type: boolean - required: - - metadata - - type - type: object - type: array - required: - - scaleTargetRef - - triggers - type: object - status: - description: ScaledObjectStatus is the status for a ScaledObject resource - properties: - compositeScalerName: - type: string - conditions: - description: Conditions an array representation to store multiple - Conditions - items: - description: Condition to store the condition state - properties: - message: - description: A human readable message indicating details about - the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. 
- type: string - type: - description: Type of condition - type: string - required: - - status - - type - type: object - type: array - externalMetricNames: - items: - type: string - type: array - health: - additionalProperties: - description: HealthStatus is the status for a ScaledObject's health - properties: - numberOfFailures: - format: int32 - type: integer - status: - description: HealthStatusType is an indication of whether the - health status is happy or failing - type: string - type: object - type: object - hpaName: - type: string - lastActiveTime: - format: date-time - type: string - originalReplicaCount: - format: int32 - type: integer - pausedReplicaCount: - format: int32 - type: integer - resourceMetricNames: - items: - type: string - type: array - scaleTargetGVKR: - description: GroupVersionKindResource provides unified structure for - schema.GroupVersionKind and Resource - properties: - group: - type: string - kind: - type: string - resource: - type: string - version: - type: string - required: - - group - - kind - - resource - - version - type: object - scaleTargetKind: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -{{- end -}} diff --git a/examples/helm-keda/templates/crds/crd-triggerauthentications.yaml b/examples/helm-keda/templates/crds/crd-triggerauthentications.yaml deleted file mode 100644 index 4facbdbaa..000000000 --- a/examples/helm-keda/templates/crds/crd-triggerauthentications.yaml +++ /dev/null 
@@ -1,274 +0,0 @@ -{{- if .Values.crds.install }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - {{- if .Values.additionalAnnotations }} - {{- toYaml .Values.additionalAnnotations | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: triggerauthentications.keda.sh -spec: - group: keda.sh - names: - kind: TriggerAuthentication - listKind: TriggerAuthenticationList - plural: triggerauthentications - shortNames: - - ta - - triggerauth - singular: triggerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.podIdentity.provider - name: PodIdentity - type: string - - jsonPath: .spec.secretTargetRef[*].name - name: Secret - type: string - - jsonPath: .spec.env[*].name - name: Env - type: string - - jsonPath: .spec.hashiCorpVault.address - name: VaultAddress - type: string - - jsonPath: .status.scaledobjects - name: ScaledObjects - priority: 1 - type: string - - jsonPath: .status.scaledjobs - name: ScaledJobs - priority: 1 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: TriggerAuthentication defines how a trigger can authenticate - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TriggerAuthenticationSpec defines the various ways to authenticate - properties: - azureKeyVault: - description: AzureKeyVault is used to authenticate using Azure Key - Vault - properties: - cloud: - properties: - activeDirectoryEndpoint: - type: string - keyVaultResourceURL: - type: string - type: - type: string - required: - - type - type: object - credentials: - properties: - clientId: - type: string - clientSecret: - properties: - valueFrom: - properties: - secretKeyRef: - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - required: - - secretKeyRef - type: object - required: - - valueFrom - type: object - tenantId: - type: string - required: - - clientId - - clientSecret - - tenantId - type: object - podIdentity: - description: AuthPodIdentity allows users to select the platform - native identity mechanism - properties: - identityId: - type: string - provider: - description: PodIdentityProvider contains the list of providers - type: string - required: - - provider - type: object - secrets: - items: - properties: - name: - type: string - parameter: - type: string - version: - type: string - required: - - name - - parameter - type: object - type: array - vaultUri: - type: string - required: - - secrets - - vaultUri - type: object - env: - items: - description: AuthEnvironment is used to authenticate using environment - variables in the destination ScaleTarget spec - properties: - containerName: - type: string - name: - type: string - parameter: - type: string - required: - - name - - parameter - type: object - type: array - hashiCorpVault: - description: HashiCorpVault is used to authenticate using Hashicorp - Vault - properties: - address: - type: string - authentication: - description: VaultAuthentication contains the list of Hashicorp - 
Vault authentication methods - type: string - credential: - description: Credential defines the Hashicorp Vault credentials - depending on the authentication method - properties: - serviceAccount: - type: string - token: - type: string - type: object - mount: - type: string - namespace: - type: string - role: - type: string - secrets: - items: - description: VaultSecret defines the mapping between the path - of the secret in Vault to the parameter - properties: - key: - type: string - parameter: - type: string - path: - type: string - pkiData: - properties: - altNames: - type: string - commonName: - type: string - format: - type: string - ipSans: - type: string - otherSans: - type: string - ttl: - type: string - uriSans: - type: string - type: object - type: - description: VaultSecretType defines the type of vault secret - type: string - required: - - key - - parameter - - path - type: object - type: array - required: - - address - - authentication - - secrets - type: object - podIdentity: - description: AuthPodIdentity allows users to select the platform native - identity mechanism - properties: - identityId: - type: string - provider: - description: PodIdentityProvider contains the list of providers - type: string - required: - - provider - type: object - secretTargetRef: - items: - description: AuthSecretTargetRef is used to authenticate using a - reference to a secret - properties: - key: - type: string - name: - type: string - parameter: - type: string - required: - - key - - name - - parameter - type: object - type: array - type: object - status: - description: TriggerAuthenticationStatus defines the observed state of - TriggerAuthentication - properties: - scaledjobs: - type: string - scaledobjects: - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -{{- end -}} 
diff --git a/examples/helm-keda/templates/extensibility/extra-manifests.yaml b/examples/helm-keda/templates/extensibility/extra-manifests.yaml
deleted file mode 100644
index 2855904ec..000000000
--- a/examples/helm-keda/templates/extensibility/extra-manifests.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ tpl (toYaml .) $ }}
-{{ end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/manager/clusterrole.yaml b/examples/helm-keda/templates/manager/clusterrole.yaml
deleted file mode 100644
index 0242a03fb..000000000
--- a/examples/helm-keda/templates/manager/clusterrole.yaml
+++ /dev/null
@@ -1,180 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }} -rules: -- apiGroups: - - "" - resources: - - configmaps - - configmaps/status - - events - verbs: - - '*' -- apiGroups: - - "" - resources: - - external - - pods - {{- if eq .Values.permissions.operator.restrict.secret false }} - - secrets - {{- end }} - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - list - - watch -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get -- apiGroups: - - '*' - resources: - - '*/scale' - verbs: - - '*' - {{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - patch - - update - - watch - {{- end }} -- apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - list - - watch -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - '*' -- apiGroups: - - batch - resources: - - jobs - verbs: - - '*' -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - - clustertriggerauthentications - - clustertriggerauthentications/status - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - - scaledjobs - - scaledjobs/finalizers - - scaledjobs/status - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - - scaledobjects - - scaledobjects/finalizers - - scaledobjects/status - verbs: - - '*' -- apiGroups: - - 
keda.sh - resources: - - triggerauthentications - - triggerauthentications/status - verbs: - - '*' -{{- if .Values.rbac.aggregateToDefaultRoles }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: keda:edit - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} -rules: -- apiGroups: - - keda.sh - resources: - - clustertriggerauthentications - - scaledjobs - - scaledobjects - - triggerauthentications - verbs: - - create - - delete - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: keda:view - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} -rules: -- apiGroups: - - keda.sh - resources: - - clustertriggerauthentications - - scaledjobs - - scaledobjects - - triggerauthentications - verbs: - - get - - list - - watch -{{- end -}} -{{- end -}} diff --git a/examples/helm-keda/templates/manager/clusterrolebinding.yaml b/examples/helm-keda/templates/manager/clusterrolebinding.yaml deleted file mode 100644 index 5d13f80ad..000000000 --- a/examples/helm-keda/templates/manager/clusterrolebinding.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Values.operator.name }}
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
-{{- end -}}
diff --git a/examples/helm-keda/templates/manager/deployment.yaml b/examples/helm-keda/templates/manager/deployment.yaml
deleted file mode 100644
index b993ae94c..000000000
--- a/examples/helm-keda/templates/manager/deployment.yaml
+++ /dev/null
@@ -1,216 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Values.operator.name }} - namespace: {{ .Release.Namespace }} - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app: {{ .Values.operator.name }} - name: {{ .Values.operator.name }} - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} -spec: - revisionHistoryLimit: {{ .Values.operator.revisionHistoryLimit}} - replicas: {{ .Values.operator.replicaCount}} - {{- with .Values.upgradeStrategy.operator }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: {{ .Values.operator.name }} - template: - metadata: - labels: - app: {{ .Values.operator.name }} - name: {{ .Values.operator.name }} - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 8 }} - {{- if .Values.podIdentity.activeDirectory.identity }} - aadpodidbinding: {{ .Values.podIdentity.activeDirectory.identity }} - {{- end }} - {{- if .Values.podLabels.keda }} - {{- toYaml .Values.podLabels.keda | nindent 8 }} - {{- end }} - {{- if .Values.podIdentity.azureWorkload.enabled }} - azure.workload.identity/use: "true" - {{- end }} - {{- if or .Values.podAnnotations.keda .Values.additionalAnnotations }} - annotations: - {{- if .Values.podAnnotations.keda }} - {{- toYaml .Values.podAnnotations.keda | nindent 8 }} - {{- end }} - {{- if .Values.additionalAnnotations }} - {{- toYaml .Values.additionalAnnotations | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} - {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} - automountServiceAccountToken: true - securityContext: - {{- if .Values.podSecurityContext.operator }} - {{- toYaml .Values.podSecurityContext.operator | nindent 8 }} - {{- else }} - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- end }} - containers: - - name: {{ .Values.operator.name }} - securityContext: - {{- if .Values.securityContext.operator }} - {{- toYaml .Values.securityContext.operator | nindent 12 }} - {{- else }} - {{- toYaml .Values.securityContext | nindent 12 }} - {{- end }} - image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}" - command: - - "/keda" - args: - - "--leader-elect" - - "--zap-log-level={{ .Values.logging.operator.level }}" - - "--zap-encoder={{ .Values.logging.operator.format }}" - - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}" - - "--cert-dir={{ .Values.certificates.mountPath }}" - - "--enable-cert-rotation={{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}" - - "--cert-secret-name={{ .Values.certificates.secretName }}" - - "--operator-service-name={{ .Values.operator.name }}" - - "--metrics-server-service-name={{ .Values.operator.name }}-metrics-apiserver" - - "--webhooks-service-name={{ .Values.webhooks.name }}" - - "--k8s-cluster-domain={{ .Values.clusterDomain }}" - {{- if .Values.prometheus.operator.enabled }} - - "--metrics-bind-address=:{{ .Values.prometheus.operator.port }}" - - "--enable-prometheus-metrics={{ .Values.prometheus.operator.enabled }}" - {{- end }} - {{- if .Values.opentelemetry.operator.enabled }} - - "--enable-opentelemetry-metrics={{ .Values.opentelemetry.operator.enabled}}" - {{- end }} - {{- range $key, $value := .Values.extraArgs.keda }} - - "--{{ $key }}={{ $value }}" - {{- end }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - 
initialDelaySeconds: {{ .Values.operator.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.operator.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.operator.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.operator.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.operator.livenessProbe.successThreshold }} - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: {{ .Values.operator.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.operator.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.operator.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.operator.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.operator.readinessProbe.successThreshold }} - ports: - - containerPort: 8080 - name: http - protocol: TCP - env: - - name: WATCH_NAMESPACE - value: {{ .Values.watchNamespace | quote }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_NAME - value: {{ .Values.operator.name }} - - name: KEDA_HTTP_DEFAULT_TIMEOUT - value: {{ .Values.http.timeout | quote }} - - name: KEDA_HTTP_MIN_TLS_VERSION - value: {{ .Values.http.minTlsVersion }} - {{- if ( not .Values.http.keepAlive.enabled ) }} - - name: KEDA_HTTP_DISABLE_KEEP_ALIVE - value: "true" - {{- end }} - {{- if .Values.permissions.operator.restrict.secret }} - - name: KEDA_RESTRICT_SECRET_ACCESS - value: {{ .Values.permissions.operator.restrict.secret | quote }} - {{- end }} - {{- if .Values.opentelemetry.collector.uri }} - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: {{ .Values.opentelemetry.collector.uri | quote }} - {{- end }} - {{- if .Values.env }} - {{- toYaml .Values.env | nindent 12 -}} - {{- end }} - volumeMounts: - - mountPath: {{ .Values.certificates.mountPath }} - name: certificates - readOnly: true - {{- if .Values.grpcTLSCertsSecret }} - - name: 
grpc-certs - mountPath: /grpccerts - {{- end }} - {{- if .Values.hashiCorpVaultTLS }} - - name: hashicorp-vault-certs - mountPath: /hashicorp-vaultcerts - {{- end }} - {{- if .Values.volumes.keda.extraVolumeMounts }} - {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 10 }} - {{- end }} - resources: - {{- if .Values.resources.operator }} - {{- toYaml .Values.resources.operator | nindent 12 }} - {{- else }} - {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - volumes: - - name: certificates - secret: - defaultMode: 420 - secretName: {{ .Values.certificates.secretName }} - optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} - {{- if .Values.grpcTLSCertsSecret }} - - name: grpc-certs - secret: - secretName: {{ .Values.grpcTLSCertsSecret }} - {{- end }} - {{- if .Values.hashiCorpVaultTLS }} - - name: hashicorp-vault-certs - secret: - secretName: {{ .Values.hashiCorpVaultTLS }} - {{- end }} - {{- if .Values.volumes.keda.extraVolumes }} - {{- toYaml .Values.volumes.keda.extraVolumes | nindent 6 }} - {{- end }} - nodeSelector: - kubernetes.io/os: linux - {{- with .Values.nodeSelector }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.podIdentity.gcp.enabled }} - iam.gke.io/gke-metadata-server-enabled: "true" - {{- end }} - {{- if .Values.operator.affinity }} - affinity: - {{- toYaml .Values.operator.affinity | nindent 8 }} - {{- else if .Values.affinity }} - affinity: - {{- toYaml .Values.affinity | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints.operator }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/examples/helm-keda/templates/manager/poddisruptionbudget.yaml b/examples/helm-keda/templates/manager/poddisruptionbudget.yaml deleted file mode 100644 index 4d087c630..000000000 
--- a/examples/helm-keda/templates/manager/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.operator }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- namespace: {{ .Release.Namespace }}
- name: {{ .Values.operator.name }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
- {{- include "keda.labels" . | indent 4 }}
-spec:
- {{- if .Values.podDisruptionBudget.minAvailable }}
- minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.maxUnavailable }}
- maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.operator }}
- {{- if .Values.podDisruptionBudget.operator.minAvailable }}
- minAvailable: {{ .Values.podDisruptionBudget.operator.minAvailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.operator.maxUnavailable }}
- maxUnavailable: {{ .Values.podDisruptionBudget.operator.maxUnavailable }}
- {{- end }}
- {{- end }}
- selector:
- matchLabels:
- app: {{ .Values.operator.name }}
-{{- end }}
diff --git a/examples/helm-keda/templates/manager/podmonitor.yaml b/examples/helm-keda/templates/manager/podmonitor.yaml
deleted file mode 100644
index 7304828f8..000000000
--- a/examples/helm-keda/templates/manager/podmonitor.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.podMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: {{ .Values.operator.name }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- {{- range $key, $value := .Values.prometheus.operator.podMonitor.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.prometheus.operator.podMonitor.namespace }}
- namespace: {{ . }}
- {{- end }}
-spec:
- podMetricsEndpoints:
- - port: http
- path: /metrics
- {{- with .Values.prometheus.operator.podMonitor.interval }}
- interval: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.operator.podMonitor.scrapeTimeout }}
- scrapeTimeout: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.operator.podMonitor.relabelings }}
- relabelings:
-{{ toYaml . | indent 4 }}
- {{- end }}
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- selector:
- matchLabels:
- app: {{ .Values.operator.name }}
-{{- end }}
diff --git a/examples/helm-keda/templates/manager/prometheusrules.yaml b/examples/helm-keda/templates/manager/prometheusrules.yaml
deleted file mode 100644
index d117ca139..000000000
--- a/examples/helm-keda/templates/manager/prometheusrules.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.prometheusRules.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: {{ .Values.operator.name }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- {{- range $key, $value := .Values.prometheus.operator.prometheusRules.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.prometheus.operator.prometheusRules.namespace }}
- namespace: {{ . }}
- {{- end }}
-spec:
- groups:
- - name: {{ .Values.operator.name }}
- rules:
-{{ toYaml .Values.prometheus.operator.prometheusRules.alerts | indent 6 }}
-{{- end }}
diff --git a/examples/helm-keda/templates/manager/role.yaml b/examples/helm-keda/templates/manager/role.yaml
deleted file mode 100644
index e2cd4eca8..000000000
--- a/examples/helm-keda/templates/manager/role.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- if .Values.rbac.create }}
-{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}
- namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- {{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}
- - create
- - delete
- - patch
- - update
- {{- end }}
- - watch
- - get
- - list
-{{- end -}}
-{{- end -}}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/manager/rolebinding.yaml b/examples/helm-keda/templates/manager/rolebinding.yaml
deleted file mode 100644
index 0d1381ab5..000000000
--- a/examples/helm-keda/templates/manager/rolebinding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if .Values.rbac.create }}
-{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ .Values.operator.name }}
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
-{{- end -}}
-{{- end -}}
diff --git a/examples/helm-keda/templates/manager/service.yaml b/examples/helm-keda/templates/manager/service.yaml
deleted file mode 100644
index 599289eaa..000000000
--- a/examples/helm-keda/templates/manager/service.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- {{- if or .Values.additionalAnnotations .Values.service.annotations (and .Values.prometheus.operator.enabled ( not (or .Values.prometheus.operator.podMonitor.enabled .Values.prometheus.operator.serviceMonitor.enabled ))) }}
- annotations:
- {{- if and .Values.prometheus.operator.enabled ( not (or .Values.prometheus.operator.podMonitor.enabled .Values.prometheus.operator.serviceMonitor.enabled )) }}
- prometheus.io/scrape: "true"
- prometheus.io/port: {{ .Values.prometheus.operator.port | quote }}
- prometheus.io/path: "/metrics"
- {{- end }}
- {{- with .Values.additionalAnnotations }}
- {{- range $key, $value := . }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- with .Values.service.annotations }}
- {{- range $key, $value := . }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - name: metricsservice
- port: 9666
- targetPort: 9666
- {{- if .Values.prometheus.operator.enabled }}
- - name: metrics
- port: {{ .Values.prometheus.operator.port }}
- targetPort: {{ .Values.prometheus.operator.port }}
- {{- end }}
- selector:
- app: {{ .Values.operator.name }}
diff --git a/examples/helm-keda/templates/manager/servicemonitor.yaml b/examples/helm-keda/templates/manager/servicemonitor.yaml
deleted file mode 100644
index 727601cb9..000000000
--- a/examples/helm-keda/templates/manager/servicemonitor.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if and .Values.prometheus.operator.enabled .Values.prometheus.operator.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ .Values.operator.name }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- {{- range $key, $value := .Values.prometheus.operator.serviceMonitor.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.prometheus.operator.serviceMonitor.namespace }}
- namespace: {{ . }}
- {{- end }}
-spec:
- {{- with .Values.prometheus.operator.serviceMonitor.jobLabel }}
- jobLabel: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.operator.serviceMonitor.targetLabels }}
- targetLabels:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.prometheus.operator.serviceMonitor.podTargetLabels }}
- podTargetLabels:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- endpoints:
- - port: {{ .Values.prometheus.operator.serviceMonitor.port }}
- {{- with .Values.prometheus.operator.serviceMonitor.targetPort }}
- targetPort: {{ . }}
- {{- end }}
- path: /metrics
- {{- with .Values.prometheus.operator.serviceMonitor.interval }}
- interval: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.operator.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ . }}
- {{- end }}
- {{- if .Values.prometheus.operator.serviceMonitor.relabelings}}
- {{- with .Values.prometheus.operator.serviceMonitor.relabelings }}
- relabelings:
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- else }}
- {{- with .Values.prometheus.operator.serviceMonitor.relabellings }}
- relabelings:
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- end}}
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
-{{- end }}
diff --git a/examples/helm-keda/templates/metrics-server/apiservice.yaml b/examples/helm-keda/templates/metrics-server/apiservice.yaml
deleted file mode 100644
index 0568f08aa..000000000
--- a/examples/helm-keda/templates/metrics-server/apiservice.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
- {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }}
- annotations:
- {{- if .Values.certificates.certManager.enabled }}
- {{- if .Values.certificates.certManager.generateCA }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
- {{- else }}
- cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
- {{- end }}
- {{- end }}
- {{- if .Values.additionalAnnotations }}
- {{- toYaml .Values.additionalAnnotations | nindent 4 }}
- {{- end }}
- {{- end }}
- labels:
- app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
- {{- include "keda.labels" . | indent 4 }}
- name: v1beta1.external.metrics.k8s.io
-spec:
- service:
- name: {{ .Values.operator.name }}-metrics-apiserver
- namespace: {{ .Release.Namespace }}
- port: {{ .Values.service.portHttps }}
- group: external.metrics.k8s.io
- version: v1beta1
- groupPriorityMinimum: 100
- versionPriority: 100
- insecureSkipTLSVerify: false
diff --git a/examples/helm-keda/templates/metrics-server/clusterrole.yaml b/examples/helm-keda/templates/metrics-server/clusterrole.yaml
deleted file mode 100644
index 4036b292c..000000000
--- a/examples/helm-keda/templates/metrics-server/clusterrole.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}-external-metrics-reader
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}-external-metrics-reader
-rules:
-- apiGroups:
- - external.metrics.k8s.io
- resources:
- - '*'
- verbs:
- - '*'
-{{- end -}}
diff --git a/examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml b/examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml
deleted file mode 100644
index af00d4244..000000000
--- a/examples/helm-keda/templates/metrics-server/clusterrolebinding.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}-system-auth-delegator
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}-system-auth-delegator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}-auth-reader
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}-auth-reader
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: extension-apiserver-authentication-reader
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}-hpa-controller-external-metrics
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}-hpa-controller-external-metrics
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Values.operator.name }}-external-metrics-reader
-subjects:
-- kind: ServiceAccount
- name: horizontal-pod-autoscaler
- namespace: kube-system
-{{- end -}}
diff --git a/examples/helm-keda/templates/metrics-server/deployment.yaml b/examples/helm-keda/templates/metrics-server/deployment.yaml
deleted file mode 100644
index 3965e3ff6..000000000
--- a/examples/helm-keda/templates/metrics-server/deployment.yaml
+++ /dev/null
@@ -1,201 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Values.operator.name }}-metrics-apiserver - namespace: {{ .Release.Namespace }} - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app: {{ .Values.operator.name }}-metrics-apiserver - app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver - {{- include "keda.labels" . | indent 4 }} -spec: - revisionHistoryLimit: {{ .Values.metricsServer.revisionHistoryLimit}} - replicas: {{ .Values.metricsServer.replicaCount }} - {{- with .Values.upgradeStrategy.metricsApiServer }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: {{ .Values.operator.name }}-metrics-apiserver - template: - metadata: - labels: - app: {{ .Values.operator.name }}-metrics-apiserver - app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver - {{- include "keda.labels" . | indent 8 }} - {{- if .Values.podIdentity.activeDirectory.identity }} - aadpodidbinding: {{ .Values.podIdentity.activeDirectory.identity }} - {{- end }} - {{- if .Values.podLabels.metricsAdapter }} - {{- toYaml .Values.podLabels.metricsAdapter | nindent 8}} - {{- end }} - {{- if .Values.podIdentity.azureWorkload.enabled }} - azure.workload.identity/use: "true" - {{- end }} - {{- if or .Values.additionalAnnotations .Values.podAnnotations.metricsAdapter (and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )) )}} - annotations: - {{- if .Values.additionalAnnotations }} - {{- toYaml .Values.additionalAnnotations | nindent 8 }} - {{- end }} - {{- if and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )) }} - prometheus.io/scrape: "true" - prometheus.io/port: {{ .Values.prometheus.metricServer.port | quote }} - {{- end }} - 
{{- if .Values.podAnnotations.metricsAdapter }} - {{- toYaml .Values.podAnnotations.metricsAdapter | nindent 8}} - {{- end }} - {{- end }} - spec: - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} - automountServiceAccountToken: true - securityContext: - {{- if .Values.podSecurityContext.metricServer }} - {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }} - {{- else }} - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- end }} - containers: - - name: {{ .Values.operator.name }}-metrics-apiserver - securityContext: - {{- if .Values.securityContext.metricServer }} - {{- toYaml .Values.securityContext.metricServer | nindent 12 }} - {{- else }} - {{- toYaml .Values.securityContext | nindent 12 }} - {{- end }} - image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.service.portHttpsTarget }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.metricsServer.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metricsServer.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metricsServer.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.metricsServer.livenessProbe.failureThreshold }} - successThreshold: {{ .Values.metricsServer.livenessProbe.successThreshold }} - readinessProbe: - httpGet: - path: /readyz - port: {{ .Values.service.portHttpsTarget }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.metricsServer.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metricsServer.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metricsServer.readinessProbe.timeoutSeconds }} - failureThreshold: 
{{ .Values.metricsServer.readinessProbe.failureThreshold }} - successThreshold: {{ .Values.metricsServer.readinessProbe.successThreshold }} - env: - - name: WATCH_NAMESPACE - value: {{ .Values.watchNamespace | quote }} - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KEDA_HTTP_DEFAULT_TIMEOUT - value: {{ .Values.http.timeout | quote }} - - name: KEDA_HTTP_MIN_TLS_VERSION - value: {{ .Values.http.minTlsVersion }} - {{- if ( not .Values.http.keepAlive.enabled ) }} - - name: KEDA_HTTP_DISABLE_KEEP_ALIVE - value: "true" - {{- end }} - {{- if .Values.permissions.metricServer.restrict.secret }} - - name: KEDA_RESTRICT_SECRET_ACCESS - value: {{ .Values.permissions.metricServer.restrict.secret | quote }} - {{- end }} - {{- if .Values.env }} - {{- toYaml .Values.env | nindent 12 -}} - {{- end }} - args: - - /usr/local/bin/keda-adapter - - --port={{ .Values.prometheus.metricServer.port }} - - --secure-port={{ .Values.service.portHttpsTarget }} - - --logtostderr=true - - --metrics-service-address={{ .Values.operator.name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:9666 - - --client-ca-file={{ .Values.certificates.mountPath }}/ca.crt - - --tls-cert-file={{ .Values.certificates.mountPath }}/tls.crt - - --tls-private-key-file={{ .Values.certificates.mountPath }}/tls.key - - --cert-dir={{ .Values.certificates.mountPath }} - - --v={{ .Values.logging.metricServer.level }} - {{- range $key, $value := .Values.extraArgs.metricsAdapter }} - - --{{ $key }}={{ $value }} - {{- end }} - ports: - - containerPort: {{ .Values.service.portHttpsTarget }} - name: https - protocol: TCP - - containerPort: {{ .Values.prometheus.metricServer.port }} - name: {{ .Values.prometheus.metricServer.portName }} - protocol: TCP - volumeMounts: - - mountPath: {{ .Values.certificates.mountPath }} - name: certificates - readOnly: true - {{- if .Values.grpcTLSCertsSecret }} - - name: grpc-certs - mountPath: /grpccerts - {{- end }} - {{- if 
.Values.hashiCorpVaultTLS }} - - name: hashicorp-vault-certs - mountPath: /hashicorp-vaultcerts - {{- end }} - {{- if .Values.volumes.metricsApiServer.extraVolumeMounts }} - {{- toYaml .Values.volumes.metricsApiServer.extraVolumeMounts | nindent 10 }} - {{- end }} - resources: - {{- if .Values.resources.metricServer }} - {{- toYaml .Values.resources.metricServer | nindent 12 }} - {{- else }} - {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - volumes: - - name: certificates - secret: - defaultMode: 420 - secretName: {{ .Values.certificates.secretName }} - {{- if .Values.grpcTLSCertsSecret }} - - name: grpc-certs - secret: - secretName: {{ .Values.grpcTLSCertsSecret }} - {{- end }} - {{- if .Values.hashiCorpVaultTLS }} - - name: hashicorp-vault-certs - secret: - secretName: {{ .Values.hashiCorpVaultTLS }} - {{- end }} - {{- if .Values.volumes.metricsApiServer.extraVolumes }} - {{- toYaml .Values.volumes.metricsApiServer.extraVolumes | nindent 6 }} - {{- end }} - dnsPolicy: {{ .Values.metricsServer.dnsPolicy }} - hostNetwork: {{ .Values.metricsServer.useHostNetwork }} - nodeSelector: - kubernetes.io/os: linux - {{- with .Values.nodeSelector }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.metricsServer.affinity }} - affinity: - {{- toYaml .Values.metricsServer.affinity | nindent 8 }} - {{- else if .Values.affinity }} - affinity: - {{- toYaml .Values.affinity | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints.metricsServer}} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml b/examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml deleted file mode 100644 index c71ab124a..000000000 --- a/examples/helm-keda/templates/metrics-server/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,33 +0,0 @@
-{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.metricServer }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- namespace: {{ .Release.Namespace }}
- name: {{ .Values.operator.name }}-metrics-apiserver
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
- {{- include "keda.labels" . | indent 4 }}
-spec:
- {{- if .Values.podDisruptionBudget.minAvailable }}
- minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.maxUnavailable }}
- maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.metricServer }}
- {{- if .Values.podDisruptionBudget.metricServer.minAvailable }}
- minAvailable: {{ .Values.podDisruptionBudget.metricServer.minAvailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.metricServer.maxUnavailable }}
- maxUnavailable: {{ .Values.podDisruptionBudget.metricServer.maxUnavailable }}
- {{- end }}
- {{- end }}
- selector:
- matchLabels:
- app: {{ .Values.operator.name }}-metrics-apiserver
-{{- end }}
-
diff --git a/examples/helm-keda/templates/metrics-server/podmonitor.yaml b/examples/helm-keda/templates/metrics-server/podmonitor.yaml
deleted file mode 100644
index b639cd6d8..000000000
--- a/examples/helm-keda/templates/metrics-server/podmonitor.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- if and .Values.prometheus.metricServer.enabled .Values.prometheus.metricServer.podMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: {{ .Values.operator.name }}-metrics-apiserver
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- {{- range $key, $value := .Values.prometheus.metricServer.podMonitor.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.prometheus.metricServer.podMonitor.namespace }}
- namespace: {{ . }}
- {{- end }}
-spec:
- podMetricsEndpoints:
- - port: {{ .Values.prometheus.metricServer.portName }}
- path: /metrics
- {{- with .Values.prometheus.metricServer.podMonitor.interval }}
- interval: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.metricServer.podMonitor.scrapeTimeout }}
- scrapeTimeout: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.metricServer.podMonitor.relabelings }}
- relabelings:
-{{ toYaml . | indent 4 }}
- {{- end }}
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- selector:
- matchLabels:
- app: {{ .Values.operator.name }}-metrics-apiserver
-{{- end }}
diff --git a/examples/helm-keda/templates/metrics-server/service.yaml b/examples/helm-keda/templates/metrics-server/service.yaml
deleted file mode 100644
index cf6f69665..000000000
--- a/examples/helm-keda/templates/metrics-server/service.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
- app: {{ .Values.operator.name }}-metrics-apiserver
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}-metrics-apiserver
- namespace: {{ .Release.Namespace }}
- {{- if or .Values.additionalAnnotations .Values.service.annotations (and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )))}}
- annotations:
- {{- if and .Values.prometheus.metricServer.enabled ( not (or .Values.prometheus.metricServer.podMonitor.enabled .Values.prometheus.metricServer.serviceMonitor.enabled )) }}
- prometheus.io/scrape: "true"
- prometheus.io/port: {{ .Values.prometheus.metricServer.port | quote }}
- prometheus.io/path: "/metrics"
- {{- end }}
- {{- with .Values.additionalAnnotations }}
- {{- range $key, $value := . }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- with .Values.service.annotations }}
- {{- range $key, $value := . }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
-spec:
- ports:
- - name: https
- port: {{ .Values.service.portHttps }}
- targetPort: {{ .Values.service.portHttpsTarget }}
- protocol: TCP
- - name: {{ .Values.prometheus.metricServer.portName }}
- port: {{ .Values.prometheus.metricServer.port }}
- targetPort: {{ .Values.prometheus.metricServer.port }}
- protocol: TCP
- selector:
- app: {{ .Values.operator.name }}-metrics-apiserver
diff --git a/examples/helm-keda/templates/metrics-server/servicemonitor.yaml b/examples/helm-keda/templates/metrics-server/servicemonitor.yaml
deleted file mode 100644
index a2a0dfc71..000000000
--- a/examples/helm-keda/templates/metrics-server/servicemonitor.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if and .Values.prometheus.metricServer.enabled .Values.prometheus.metricServer.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ .Values.operator.name }}-metrics-apiserver
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- {{- range $key, $value := .Values.prometheus.metricServer.serviceMonitor.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.prometheus.metricServer.serviceMonitor.namespace }}
- namespace: {{ . }}
- {{- end }}
-spec:
- {{- with .Values.prometheus.metricServer.serviceMonitor.jobLabel }}
- jobLabel: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.metricServer.serviceMonitor.targetLabels }}
- targetLabels:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.prometheus.metricServer.serviceMonitor.podTargetLabels }}
- podTargetLabels:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- endpoints:
- - port: {{ .Values.prometheus.metricServer.portName }}
- {{- with .Values.prometheus.metricServer.serviceMonitor.targetPort }}
- targetPort: {{ . }}
- {{- end }}
- path: /metrics
- {{- with .Values.prometheus.metricServer.serviceMonitor.interval }}
- interval: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.metricServer.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ . }}
- {{- end }}
- {{- if .Values.prometheus.metricServer.serviceMonitor.relabelings}}
- {{- with .Values.prometheus.metricServer.serviceMonitor.relabelings }}
- relabelings:
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- else }}
- {{- with .Values.prometheus.metricServer.serviceMonitor.relabellings }}
- relabelings:
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- end}}
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ .Values.operator.name }}-metrics-apiserver
-{{- end }}
diff --git a/examples/helm-keda/templates/serviceaccount.yaml b/examples/helm-keda/templates/serviceaccount.yaml
deleted file mode 100644
index d93d1b7e5..000000000
--- a/examples/helm-keda/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
- {{- if .Values.podIdentity.azureWorkload.enabled }}
- azure.workload.identity/use: "true"
- {{- end }}
- {{- include "keda.labels" . | nindent 4 }}
- {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations .Values.podIdentity.gcp.enabled }}
- annotations:
- {{- if .Values.additionalAnnotations }}
- {{- toYaml .Values.additionalAnnotations | nindent 4 }}
- {{- end }}
- {{- if .Values.podIdentity.azureWorkload.enabled }}
- {{- if .Values.podIdentity.azureWorkload.clientId }}
- azure.workload.identity/client-id: {{ .Values.podIdentity.azureWorkload.clientId | quote }}
- {{- end }}
- {{- if .Values.podIdentity.azureWorkload.tenantId }}
- azure.workload.identity/tenant-id: {{ .Values.podIdentity.azureWorkload.tenantId | quote }}
- {{- end }}
- azure.workload.identity/service-account-token-expiration: {{ .Values.podIdentity.azureWorkload.tokenExpiration | quote }}
- {{- end }}
- {{- if .Values.podIdentity.aws.irsa.enabled }}
- {{- if .Values.podIdentity.aws.irsa.audience }}
- eks.amazonaws.com/audience: {{ .Values.podIdentity.aws.irsa.audience | quote }}
- {{- end }}
- {{- if .Values.podIdentity.aws.irsa.roleArn }}
- eks.amazonaws.com/role-arn: {{ .Values.podIdentity.aws.irsa.roleArn | quote }}
- {{- end }}
- {{- if .Values.podIdentity.aws.irsa.stsRegionalEndpoints }}
- eks.amazonaws.com/sts-regional-endpoints: {{ .Values.podIdentity.aws.irsa.stsRegionalEndpoints | quote }}
- {{- end }}
- eks.amazonaws.com/token-expiration: {{ .Values.podIdentity.aws.irsa.tokenExpiration | quote }}
- {{- end }}
- {{- if .Values.podIdentity.gcp.enabled }}
- {{- if .Values.podIdentity.gcp.gcpIAMServiceAccount }}
- iam.gke.io/gcp-service-account: {{ .Values.podIdentity.gcp.gcpIAMServiceAccount }}
- {{- end }}
- {{- end }}
- {{- if .Values.serviceAccount.annotations }}
- {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
- {{- end }}
- {{- end }}
- name: {{ .Values.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
-{{- end -}}
diff --git a/examples/helm-keda/templates/webhooks/deployment.yaml b/examples/helm-keda/templates/webhooks/deployment.yaml
deleted file mode 100644
index c47c62106..000000000
--- a/examples/helm-keda/templates/webhooks/deployment.yaml
+++ /dev/null
@@ -1,169 +0,0 @@
-{{- if and .Values.webhooks.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Values.webhooks.name }}
- namespace: {{ .Release.Namespace }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app: {{ .Values.webhooks.name }}
- name: {{ .Values.webhooks.name }}
- app.kubernetes.io/name: {{ .Values.webhooks.name }}
- {{- include "keda.labels" . | indent 4 }}
-spec:
- revisionHistoryLimit: {{ .Values.webhooks.revisionHistoryLimit}}
- replicas: {{ .Values.webhooks.replicaCount}}
- {{- with .Values.upgradeStrategy.webhooks }}
- strategy:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- selector:
- matchLabels:
- app: {{ .Values.webhooks.name }}
- template:
- metadata:
- labels:
- app: {{ .Values.webhooks.name }}
- name: {{ .Values.webhooks.name }}
- app.kubernetes.io/name: {{ .Values.webhooks.name }}
- {{- include "keda.labels" . | indent 8 }}
- {{- if .Values.podLabels.webhooks }}
- {{- toYaml .Values.podLabels.webhooks | nindent 8 }}
- {{- end }}
- {{- if or .Values.podAnnotations.webhooks .Values.additionalAnnotations }}
- annotations:
- {{- if .Values.podAnnotations.webhooks }}
- {{- toYaml .Values.podAnnotations.webhooks | nindent 8 }}
- {{- end }}
- {{- if .Values.additionalAnnotations }}
- {{- toYaml .Values.additionalAnnotations | nindent 8 }}
- {{- end }}
- {{- end }}
- spec:
- {{- if .Values.priorityClassName }}
- priorityClassName: {{ .Values.priorityClassName | quote }}
- {{- end }}
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ .Values.serviceAccount.name }}
- automountServiceAccountToken: true
- securityContext:
- {{- if .Values.podSecurityContext.webhooks }}
- {{- toYaml .Values.podSecurityContext.webhooks | nindent 8 }}
- {{- else }}
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- {{- end }}
- containers:
- - name: {{ .Values.webhooks.name }}
- securityContext:
- {{- if .Values.securityContext.webhooks }}
- {{- toYaml .Values.securityContext.webhooks | nindent 12 }}
- {{- else }}
- {{- toYaml .Values.securityContext | nindent 12 }}
- {{- end }}
- image: "{{ .Values.image.webhooks.repository }}:{{ .Values.image.webhooks.tag | default .Chart.AppVersion }}"
- command:
- - /keda-admission-webhooks
- args:
- - "--zap-log-level={{ .Values.logging.webhooks.level }}"
- - "--zap-encoder={{ .Values.logging.webhooks.format }}"
- - "--zap-time-encoding={{ .Values.logging.webhooks.timeEncoding }}"
- - "--cert-dir={{ .Values.certificates.mountPath }}"
- - "--health-probe-bind-address=:{{ .Values.webhooks.healthProbePort }}"
- {{- if .Values.webhooks.port }}
- - "--port={{ .Values.webhooks.port }}"
- {{- end }}
- - --metrics-bind-address=:{{ .Values.prometheus.webhooks.port }}
- {{- range $key, $value := .Values.extraArgs.webhooks }}
- - --{{ $key }}={{ $value }}
- {{- end }}
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: {{ .Values.webhooks.healthProbePort }}
- initialDelaySeconds: {{ .Values.webhooks.livenessProbe.initialDelaySeconds }}
- periodSeconds: {{ .Values.webhooks.livenessProbe.periodSeconds }}
- timeoutSeconds: {{ .Values.webhooks.livenessProbe.timeoutSeconds }}
- failureThreshold: {{ .Values.webhooks.livenessProbe.failureThreshold }}
- successThreshold: {{ .Values.webhooks.livenessProbe.successThreshold }}
- readinessProbe:
- httpGet:
- path: /readyz
- port: {{ .Values.webhooks.healthProbePort }}
- initialDelaySeconds: {{ .Values.webhooks.readinessProbe.initialDelaySeconds }}
- periodSeconds: {{ .Values.webhooks.readinessProbe.periodSeconds }}
- timeoutSeconds: {{ .Values.webhooks.readinessProbe.timeoutSeconds }}
- failureThreshold: {{ .Values.webhooks.readinessProbe.failureThreshold }}
- successThreshold: {{ .Values.webhooks.readinessProbe.successThreshold }}
- ports:
- - containerPort: {{ .Values.webhooks.port | default 9443 }}
- name: http
- protocol: TCP
- {{- if .Values.prometheus.webhooks.enabled }}
- - containerPort: {{ .Values.prometheus.webhooks.port }}
- name: metrics
- protocol: TCP
- {{- end }}
- env:
- - name: WATCH_NAMESPACE
- value: {{ .Values.watchNamespace | quote }}
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- if .Values.env }}
- {{- toYaml .Values.env | nindent 12 -}}
- {{- end }}
- volumeMounts:
- - mountPath: {{ .Values.certificates.mountPath }}
- name: certificates
- readOnly: true
- {{- if .Values.volumes.webhooks.extraVolumeMounts }}
- {{- toYaml .Values.volumes.webhooks.extraVolumeMounts | nindent 12 }}
- {{- end }}
- resources:
- {{- if .Values.resources.webhooks }}
- {{- toYaml .Values.resources.webhooks | nindent 12 }}
- {{- else }}
- {{- toYaml .Values.resources | nindent 12 }}
- {{- end }}
- volumes:
- - name: certificates
- secret:
- defaultMode: 420
- secretName: {{ .Values.certificates.secretName }}
- {{- if .Values.volumes.webhooks.extraVolumes }}
- {{- toYaml .Values.volumes.webhooks.extraVolumes | nindent 8 }}
- {{- end }}
- hostNetwork: {{ .Values.webhooks.useHostNetwork }}
- nodeSelector:
- kubernetes.io/os: linux
- {{- with .Values.nodeSelector }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- if .Values.webhooks.affinity }}
- affinity:
- {{- toYaml .Values.webhooks.affinity | nindent 8 }}
- {{- else if .Values.affinity }}
- affinity:
- {{- toYaml .Values.affinity | nindent 8 }}
- {{- end }}
- {{- with .Values.topologySpreadConstraints.webhooks }}
- topologySpreadConstraints:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml b/examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml
deleted file mode 100644
index 3e43c2a73..000000000
--- a/examples/helm-keda/templates/webhooks/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if and .Values.webhooks.enabled }}
-{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) .Values.podDisruptionBudget.webhooks }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- namespace: {{ .Release.Namespace }}
- name: {{ .Values.webhooks.name }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
- {{- include "keda.labels" . | indent 4 }}
-spec:
- {{- if .Values.podDisruptionBudget.minAvailable }}
- minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.maxUnavailable }}
- maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.webhooks }}
- {{- if .Values.podDisruptionBudget.webhooks.minAvailable }}
- minAvailable: {{ .Values.podDisruptionBudget.webhooks.minAvailable }}
- {{- end }}
- {{- if .Values.podDisruptionBudget.webhooks.maxUnavailable }}
- maxUnavailable: {{ .Values.podDisruptionBudget.webhooks.maxUnavailable }}
- {{- end }}
- {{- end }}
- selector:
- matchLabels:
- app: {{ .Values.webhooks.name }}
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/webhooks/prometheusrules.yaml b/examples/helm-keda/templates/webhooks/prometheusrules.yaml
deleted file mode 100644
index d434348f8..000000000
--- a/examples/helm-keda/templates/webhooks/prometheusrules.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if and .Values.webhooks.enabled }}
-{{- if and .Values.prometheus.webhooks.enabled .Values.prometheus.webhooks.prometheusRules.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: {{ .Values.webhooks.name }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.webhooks.name }}
- {{- include "keda.labels" . | indent 4 }}
- {{- range $key, $value := .Values.prometheus.webhooks.prometheusRules.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.prometheus.webhooks.prometheusRules.namespace }}
- namespace: {{ . }}
- {{- end }}
-spec:
- groups:
- - name: {{ .Values.webhooks.name }}
- rules:
-{{ toYaml .Values.prometheus.webhooks.prometheusRules.alerts | indent 6 }}
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/examples/helm-keda/templates/webhooks/service.yaml b/examples/helm-keda/templates/webhooks/service.yaml
deleted file mode 100644
index d7b784195..000000000
--- a/examples/helm-keda/templates/webhooks/service.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-{{- if and .Values.webhooks.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- {{- if or .Values.prometheus.webhooks.enabled .Values.additionalAnnotations .Values.service.annotations }}
- annotations:
- {{- if and .Values.prometheus.webhooks.enabled ( not .Values.prometheus.webhooks.serviceMonitor.enabled ) }}
- prometheus.io/scrape: "true"
- prometheus.io/port: {{ .Values.prometheus.webhooks.port | quote }}
- prometheus.io/path: "/metrics"
- {{- end }}
- {{- with .Values.additionalAnnotations }}
- {{- range $key, $value := . }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- with .Values.service.annotations }}
- {{- range $key, $value := . }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.webhooks.name }}
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.webhooks.name }}
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - name: http
- port: 443
- protocol: TCP
- targetPort: {{ .Values.webhooks.port | default 9443 }}
- {{- if .Values.prometheus.webhooks.enabled }}
- - name: {{ .Values.prometheus.webhooks.serviceMonitor.port }}
- port: {{ .Values.prometheus.webhooks.port }}
- targetPort: {{ .Values.prometheus.webhooks.port }}
- {{- end }}
- selector:
- app: {{ .Values.webhooks.name }}
-{{- end }}
diff --git a/examples/helm-keda/templates/webhooks/servicemonitor.yaml b/examples/helm-keda/templates/webhooks/servicemonitor.yaml
deleted file mode 100644
index 48b5223d7..000000000
--- a/examples/helm-keda/templates/webhooks/servicemonitor.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-{{- if and .Values.webhooks.enabled }}
-{{- if and .Values.prometheus.webhooks.enabled .Values.prometheus.webhooks.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ .Values.webhooks.name }}
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.webhooks.name }}
- {{- include "keda.labels" . | indent 4 }}
- {{- range $key, $value := .Values.prometheus.webhooks.serviceMonitor.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.prometheus.webhooks.serviceMonitor.namespace }}
- namespace: {{ . }}
- {{- end }}
-spec:
- {{- with .Values.prometheus.webhooks.serviceMonitor.jobLabel }}
- jobLabel: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.webhooks.serviceMonitor.targetLabels }}
- targetLabels:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.prometheus.webhooks.serviceMonitor.podTargetLabels }}
- podTargetLabels:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- endpoints:
- - port: {{ .Values.prometheus.webhooks.serviceMonitor.port }}
- {{- with .Values.prometheus.webhooks.serviceMonitor.targetPort }}
- targetPort: {{ . }}
- {{- end }}
- path: /metrics
- {{- with .Values.prometheus.webhooks.serviceMonitor.interval }}
- interval: {{ . }}
- {{- end }}
- {{- with .Values.prometheus.webhooks.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ . }}
- {{- end }}
- {{- if .Values.prometheus.webhooks.serviceMonitor.relabelings}}
- {{- with .Values.prometheus.webhooks.serviceMonitor.relabelings }}
- relabelings:
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- else }}
- {{- with .Values.prometheus.webhooks.serviceMonitor.relabellings }}
- relabelings:
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- end}}
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ .Values.webhooks.name }}
-{{- end }}
-{{- end }}
diff --git a/examples/helm-keda/templates/webhooks/validatingconfiguration.yaml b/examples/helm-keda/templates/webhooks/validatingconfiguration.yaml
deleted file mode 100644
index 5e2cde6b5..000000000
--- a/examples/helm-keda/templates/webhooks/validatingconfiguration.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{{- if and .Values.webhooks.enabled }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }}
- annotations:
- {{- if .Values.certificates.certManager.enabled }}
- {{- if .Values.certificates.certManager.generateCA }}
- cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
- {{- else }}
- cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
- {{- end }}
- {{- end }}
- {{- if .Values.additionalAnnotations }}
- {{- toYaml .Values.additionalAnnotations | nindent 4 }}
- {{- end }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.webhooks.name }}
- {{- include "keda.labels" . | indent 4 }}
- name: keda-admission
-webhooks:
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: {{ .Values.webhooks.name }}
- namespace: {{ .Release.Namespace }}
- path: /validate-keda-sh-v1alpha1-scaledobject
- failurePolicy: {{ .Values.webhooks.failurePolicy }}
- matchPolicy: Equivalent
- name: vscaledobject.kb.io
- namespaceSelector: {}
- objectSelector: {}
- rules:
- - apiGroups:
- - keda.sh
- apiVersions:
- - v1alpha1
- operations:
- - CREATE
- - UPDATE
- resources:
- - scaledobjects
- sideEffects: None
- timeoutSeconds: 10
-{{- end }}
diff --git a/examples/helm-keda/values.yaml b/examples/helm-keda/values.yaml
deleted file mode 100644
index 45f866cb4..000000000
--- a/examples/helm-keda/values.yaml
+++ /dev/null
@@ -1,690 +0,0 @@
-# Default values for keda.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-image:
- keda:
- # -- Image name of KEDA operator
- repository: ghcr.io/kedacore/keda
- # -- Image tag of KEDA operator. Optional, given app version of Helm chart is used by default
- tag: ""
- metricsApiServer:
- # -- Image name of KEDA Metrics API Server
- repository: ghcr.io/kedacore/keda-metrics-apiserver
- # -- Image tag of KEDA Metrics API Server. Optional, given app version of Helm chart is used by default
- tag: ""
- webhooks:
- # -- Image name of KEDA admission-webhooks
- repository: ghcr.io/kedacore/keda-admission-webhooks
- # -- Image tag of KEDA admission-webhooks . Optional, given app version of Helm chart is used by default
- tag: ""
- # -- Image pullPolicy for all KEDA components
- pullPolicy: Always
-
-# -- Kubernetes cluster domain
-clusterDomain: cluster.local
-
-crds:
- # -- Defines whether the KEDA CRDs have to be installed or not.
- install: true
-
-# -- Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces
-watchNamespace: ""
-
-# -- Name of secret to use to pull images to use to pull Docker images
-imagePullSecrets: []
-
-operator:
- # -- Name of the KEDA operator
- name: keda-operator
- # -- ReplicaSets for this Deployment you want to retain (Default: 10)
- revisionHistoryLimit: 10
- # -- Capability to configure the number of replicas for KEDA operator.
- # While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic.
- # You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover.
- # Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability).
- replicaCount: 1
- # -- [Affinity] for pod scheduling for KEDA operator. Takes precedence over the `affinity` field
- affinity: {}
- # podAntiAffinity:
- # requiredDuringSchedulingIgnoredDuringExecution:
- # - labelSelector:
- # matchExpressions:
- # - key: app
- # operator: In
- # values:
- # - keda-operator
- # topologyKey: "kubernetes.io/hostname"
- # -- Liveness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/))
- livenessProbe:
- initialDelaySeconds: 25
- periodSeconds: 10
- timeoutSeconds: 1
- failureThreshold: 3
- successThreshold: 1
- # -- Readiness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes))
- readinessProbe:
- initialDelaySeconds: 20
- periodSeconds: 3
- timeoutSeconds: 1
- failureThreshold: 3
- successThreshold: 1
-
-metricsServer:
- # -- ReplicaSets for this Deployment you want to retain (Default: 10)
- revisionHistoryLimit: 10
- # -- Capability to configure the number of replicas for KEDA metric server.
- # While you can run more replicas of our metric server, only one instance will used and serve traffic.
- # You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover.
- # Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability).
- replicaCount: 1
- # use ClusterFirstWithHostNet if `useHostNetwork: true` https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
- # -- Defined the DNS policy for the metric server
- dnsPolicy: ClusterFirst
- # -- Enable metric server to use host network
- useHostNetwork: false
- # -- [Affinity] for pod scheduling for Metrics API Server. Takes precedence over the `affinity` field
- affinity: {}
- # podAntiAffinity:
- # requiredDuringSchedulingIgnoredDuringExecution:
- # - labelSelector:
- # matchExpressions:
- # - key: app
- # operator: In
- # values:
- # - keda-operator-metrics-apiserver
- # topologyKey: "kubernetes.io/hostname"
- # -- Liveness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/))
- livenessProbe:
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 1
- failureThreshold: 3
- successThreshold: 1
- # -- Readiness probes for Metrics API Server ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes))
- readinessProbe:
- initialDelaySeconds: 5
- periodSeconds: 3
- timeoutSeconds: 1
- failureThreshold: 3
- successThreshold: 1
-
-webhooks:
- # -- Enable admission webhooks (this feature option will be removed in v2.12)
- enabled: true
- # -- Port number to use for KEDA admission webhooks. Default is 9443.
- port: ""
- # -- Port number to use for KEDA admission webhooks health probe
- healthProbePort: 8081
- # -- Liveness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/))
- livenessProbe:
- initialDelaySeconds: 25
- periodSeconds: 10
- timeoutSeconds: 1
- failureThreshold: 3
- successThreshold: 1
- # -- Readiness probes for admission webhooks ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes))
- readinessProbe:
- initialDelaySeconds: 20
- periodSeconds: 3
- timeoutSeconds: 1
- failureThreshold: 3
- successThreshold: 1
- # -- Enable webhook to use host network, this is required on EKS with custom CNI
- useHostNetwork: false
- # -- Name of the KEDA admission webhooks
- name: keda-admission-webhooks
- # -- ReplicaSets for this Deployment you want to retain (Default: 10)
- revisionHistoryLimit: 10
- # -- Capability to configure the number of replicas for KEDA admission webhooks
- replicaCount: 1
- # -- [Affinity] for pod scheduling for KEDA admission webhooks. Takes precedence over the `affinity` field
- affinity: {}
- # podAntiAffinity:
- # requiredDuringSchedulingIgnoredDuringExecution:
- # - labelSelector:
- # matchExpressions:
- # - key: app
- # operator: In
- # values:
- # - keda-operator
- # topologyKey: "kubernetes.io/hostname"
-
- # -- [Failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) to use with KEDA admission webhooks
- failurePolicy: Ignore
-
-upgradeStrategy:
- # -- Capability to configure [Deployment upgrade strategy] for operator
- operator: {}
- # type: RollingUpdate
- # rollingUpdate:
- # maxUnavailable: 1
- # maxSurge: 1
-
- # -- Capability to configure [Deployment upgrade strategy] for Metrics Api Server
- metricsApiServer: {}
- # type: RollingUpdate
- # rollingUpdate:
- # maxUnavailable: 1
- # maxSurge: 1
-
- # -- Capability to configure [Deployment upgrade strategy] for Admission webhooks
- webhooks: {}
- # type: RollingUpdate
- # rollingUpdate:
- # maxUnavailable: 1
- # maxSurge: 1
-
-podDisruptionBudget:
- # -- Capability to configure [Pod Disruption Budget]
- operator: {}
- # minAvailable: 1
- # maxUnavailable: 1
-
- # -- Capability to configure [Pod Disruption Budget]
- metricServer: {}
- # minAvailable: 1
- # maxUnavailable: 1
-
- # -- Capability to configure [Pod Disruption Budget]
- webhooks: {}
- # minAvailable: 1
- # maxUnavailable: 1
-
-# -- Custom labels to add into metadata
-additionalLabels:
- {}
- # foo: bar
-
-# -- Custom annotations to add into metadata
-additionalAnnotations:
- {}
- # foo: bar
-
-podAnnotations:
- # -- Pod annotations for KEDA operator
- keda: {}
- # -- Pod annotations for KEDA Metrics Adapter
- metricsAdapter: {}
- # -- Pod annotations for KEDA Admission webhooks
- webhooks: {}
-podLabels:
- # -- Pod labels for KEDA operator
- keda: {}
- # -- Pod labels for KEDA Metrics Adapter
- metricsAdapter: {}
- # -- Pod labels for KEDA Admission webhooks
- webhooks: {}
-
-rbac:
- # -- Specifies whether RBAC should be used
- create: true
- # -- Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin)
- aggregateToDefaultRoles: false
-
-serviceAccount:
- # -- Specifies whether a service account should be created
- create: true
- # -- The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: keda-operator
- # -- Specifies whether a service account should automount API-Credentials
- automountServiceAccountToken: true
- # -- Annotations to add to the service account
- annotations: {}
-
-podIdentity:
- activeDirectory:
- # Set to the value of the Azure Active Directory Pod Identity
- # See https://keda.sh/docs/concepts/authentication/#azure-pod-identity
- # This will be set as a label on the KEDA Pod(s)
- # -- Identity in Azure Active Directory to use for Azure pod identity
- identity: ""
- azureWorkload:
- # -- Set to true to enable Azure Workload Identity usage.
- # See https://keda.sh/docs/concepts/authentication/#azure-workload-identity
- # This will be set as a label on the KEDA service account.
- enabled: false
- # Set to the value of the Azure Active Directory Client and Tenant Ids
- # respectively. These will be set as annotations on the KEDA service account.
- # -- Id of Azure Active Directory Client to use for authentication with Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity))
- clientId: ""
- # -- Id Azure Active Directory Tenant to use for authentication with for Azure Workload Identity. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity))
- tenantId: ""
- # Set to the value of the service account token expiration duration.
- # This will be set as an annotation on the KEDA service account.
- # -- Duration in seconds to automatically expire tokens for the service account. ([docs](https://keda.sh/docs/concepts/authentication/#azure-workload-identity))
- tokenExpiration: 3600
- aws:
- irsa:
- # -- Specifies whether [AWS IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) is to be enabled or not.
- enabled: false
- # -- Sets the token audience for IRSA.
- # This will be set as an annotation on the KEDA service account.
- audience: "sts.amazonaws.com"
- # -- Set to the value of the ARN of an IAM role with a web identity provider.
- # This will be set as an annotation on the KEDA service account.
- roleArn: ""
- # -- Sets the use of an STS regional endpoint instead of global.
- # Recommended to use regional endpoint in almost all cases.
- # This will be set as an annotation on the KEDA service account.
- stsRegionalEndpoints: "true"
- # -- Set to the value of the service account token expiration duration.
- # This will be set as an annotation on the KEDA service account.
- tokenExpiration: 86400
- gcp:
- # -- Set to true to enable GCP Workload Identity.
- # See https://keda.sh/docs/2.10/authentication-providers/gcp-workload-identity/
- # This will be set as a annotation on the KEDA service account.
- enabled: false
- # -- GCP IAM Service Account Email which you would like to use for workload identity.
- gcpIAMServiceAccount: ""
-
-# -- Set this if you are using an external scaler and want to communicate
-# over TLS (recommended). This variable holds the name of the secret that
-# will be mounted to the /grpccerts path on the Pod
-grpcTLSCertsSecret: ""
-
-# -- Set this if you are using HashiCorp Vault and want to communicate
-# over TLS (recommended). This variable holds the name of the secret that
-# will be mounted to the /vault path on the Pod
-hashiCorpVaultTLS: ""
-
-logging:
- operator:
- # -- Logging level for KEDA Operator.
- # allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string
- level: info
- # -- Logging format for KEDA Operator.
- # allowed values: `json` or `console`
- format: console
- # -- Logging time encoding for KEDA Operator.
- # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano`
- timeEncoding: rfc3339
- metricServer:
- # -- Logging level for Metrics Server.
- # allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string
- level: 0
-
- webhooks:
- # -- Logging level for KEDA Operator.
- # allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string
- level: info
- # -- Logging format for KEDA Admission webhooks.
- # allowed values: `json` or `console`
- format: console
- # -- Logging time encoding for KEDA Operator.
- # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano`
- timeEncoding: rfc3339
-
-# -- [Security context] for all containers
-# @default -- [See below](#KEDA-is-secure-by-default)
-securityContext:
- # -- [Security context] of the operator container
- # @default -- [See below](#KEDA-is-secure-by-default)
- operator:
- capabilities:
- drop:
- - ALL
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
- # -- [Security context] of the metricServer container
- # @default -- [See below](#KEDA-is-secure-by-default)
- metricServer:
- capabilities:
- drop:
- - ALL
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
- # -- [Security context] of the admission webhooks container
- # @default -- [See below](#KEDA-is-secure-by-default)
- webhooks:
- capabilities:
- drop:
- - ALL
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
-
-# -- [Pod security context] for all pods
-# @default -- [See below](#KEDA-is-secure-by-default)
-podSecurityContext: - # -- [Pod security context] of the KEDA operator pod - # @default -- [See below](#KEDA-is-secure-by-default) - operator: - runAsNonRoot: true - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 - - # -- [Pod security context] of the KEDA metrics apiserver pod - # @default -- [See below](#KEDA-is-secure-by-default) - metricServer: - runAsNonRoot: true - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 - - # -- [Pod security context] of the KEDA admission webhooks - # @default -- [See below](#KEDA-is-secure-by-default) - webhooks: - runAsNonRoot: true - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 - -service: - # -- KEDA Metric Server service type - type: ClusterIP - # -- HTTPS port for KEDA Metric Server service - portHttps: 443 - # -- HTTPS port for KEDA Metric Server container - portHttpsTarget: 6443 - # -- Annotations to add the KEDA Metric Server service - annotations: {} - -# We provides the default values that we describe in our docs: -# https://keda.sh/docs/latest/operate/cluster/ -# If you want to specify the resources (or totally remove the defaults), change or comment the following -# lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer' -# and remove/comment the default values -resources: - # -- Manage [resource request & limits] of KEDA operator pod - operator: - limits: - cpu: 1 - memory: 1000Mi - requests: - cpu: 100m - memory: 100Mi - # -- Manage [resource request & limits] of KEDA metrics apiserver pod - metricServer: - limits: - cpu: 1 - memory: 1000Mi - requests: - cpu: 100m - memory: 100Mi - # -- Manage [resource request & limits] of KEDA admission webhooks pod - webhooks: - limits: - cpu: 50m - memory: 100Mi - requests: - cpu: 10m - memory: 10Mi -# -- Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) -nodeSelector: {} -# -- Tolerations for pod scheduling 
([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) -tolerations: [] - -topologySpreadConstraints: - # -- [Pod Topology Constraints] of KEDA operator pod - operator: [] - # -- [Pod Topology Constraints] of KEDA metrics apiserver pod - metricsServer: [] - # -- [Pod Topology Constraints] of KEDA admission webhooks pod - webhooks: [] - -# -- [Affinity] for pod scheduling for both KEDA operator and Metrics API Server -affinity: {} - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchExpressions: - # - key: app - # operator: In - # values: - # - keda-operator - # - keda-operator-metrics-apiserver - # topologyKey: "kubernetes.io/hostname" - -# -- priorityClassName for all KEDA components -priorityClassName: "" - -## The default HTTP timeout in milliseconds that KEDA should use -## when making requests to external services. Removing this defaults to a -## reasonable default -http: - # -- The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and the timeout does not necessarily apply to them) - timeout: 3000 - keepAlive: - # -- Enable HTTP connection keep alive - enabled: true - # -- The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) - minTlsVersion: TLS12 - -## Extra KEDA Operator and Metrics Adapter container arguments -extraArgs: - # -- Additional KEDA Operator container arguments - keda: {} - # -- Additional Metrics Adapter container arguments - metricsAdapter: {} - -# -- Additional environment variables that will be passed onto all KEDA components -env: [] -# - name: ENV_NAME -# value: 'ENV-VALUE' - -# Extra volumes and volume mounts for the deployment. Optional. 
-volumes: - keda: - # -- Extra volumes for KEDA deployment - extraVolumes: [] - # -- Extra volume mounts for KEDA deployment - extraVolumeMounts: [] - - metricsApiServer: - # -- Extra volumes for metric server deployment - extraVolumes: [] - # -- Extra volume mounts for metric server deployment - extraVolumeMounts: [] - - webhooks: - # -- Extra volumes for admission webhooks deployment - extraVolumes: [] - # -- Extra volume mounts for admission webhooks deployment - extraVolumeMounts: [] - -prometheus: - metricServer: - # -- Enable metric server Prometheus metrics expose - enabled: false - # -- HTTP port used for exposing metrics server prometheus metrics - port: 8080 - # -- HTTP port name for exposing metrics server prometheus metrics - portName: metrics - serviceMonitor: - # -- Enables ServiceMonitor creation for the Prometheus Operator - enabled: false - # -- JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] - jobLabel: "" - # -- TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics - targetLabels: [] - # -- PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics - podTargetLabels: [] - # -- Name of the service port this endpoint refers to. Mutually exclusive with targetPort - port: metrics - # -- Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. Mutually exclusive with port - targetPort: "" - # -- Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. - interval: "" - # -- Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used - scrapeTimeout: "" - # -- DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). 
[RelabelConfig Spec] - relabellings: [] - # -- List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] - relabelings: [] - # -- Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) - additionalLabels: {} - podMonitor: - # -- Enables PodMonitor creation for the Prometheus Operator - enabled: false - # -- Scraping interval for metric server using podMonitor crd (prometheus operator) - interval: "" - # -- Scraping timeout for metric server using podMonitor crd (prometheus operator) - scrapeTimeout: "" - # -- Scraping namespace for metric server using podMonitor crd (prometheus operator) - namespace: "" - # -- Additional labels to add for metric server using podMonitor crd (prometheus operator) - additionalLabels: {} - # -- List of expressions that define custom relabeling rules for metric server podMonitor crd (prometheus operator) - relabelings: [] - operator: - # -- Enable KEDA Operator prometheus metrics expose - enabled: false - # -- Port used for exposing KEDA Operator prometheus metrics - port: 8080 - serviceMonitor: - # -- Enables ServiceMonitor creation for the Prometheus Operator - enabled: false - # -- JobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] - jobLabel: "" - # -- TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics - targetLabels: [] - # -- PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics - podTargetLabels: [] - # -- Name of the service port this endpoint refers to. Mutually exclusive with targetPort - port: metrics - # -- Name or number of the target port of the Pod behind the Service, - # the port must be specified with container port property. 
Mutually exclusive with port - targetPort: "" - # -- Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. - interval: "" - # -- Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used - scrapeTimeout: "" - # -- DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] - relabellings: [] - # -- List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] - relabelings: [] - # -- Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) - additionalLabels: {} - podMonitor: - # -- Enables PodMonitor creation for the Prometheus Operator - enabled: false - # -- Scraping interval for KEDA Operator using podMonitor crd (prometheus operator) - interval: "" - # -- Scraping timeout for KEDA Operator using podMonitor crd (prometheus operator) - scrapeTimeout: "" - # -- Scraping namespace for KEDA Operator using podMonitor crd (prometheus operator) - namespace: "" - # -- Additional labels to add for KEDA Operator using podMonitor crd (prometheus operator) - additionalLabels: {} - # -- List of expressions that define custom relabeling rules for KEDA Operator podMonitor crd (prometheus operator) - relabelings: [] - prometheusRules: - # -- Enables PrometheusRules creation for the Prometheus Operator - enabled: false - # -- Scraping namespace for KEDA Operator using prometheusRules crd (prometheus operator) - namespace: "" - # -- Additional labels to add for KEDA Operator using prometheusRules crd (prometheus operator) - additionalLabels: {} - # -- Additional alerts to add for KEDA Operator using prometheusRules crd (prometheus operator) - alerts: - [] - # - alert: KedaScalerErrors - # annotations: - # description: Keda 
scaledObject {{ $labels.scaledObject }} is experiencing errors with {{ $labels.scaler }} scaler - # summary: Keda Scaler {{ $labels.scaler }} Errors - # expr: sum by ( scaledObject , scaler) (rate(keda_metrics_adapter_scaler_errors[2m])) > 0 - # for: 2m - # labels: - webhooks: - # -- Enable KEDA admission webhooks prometheus metrics expose - enabled: false - # -- Port used for exposing KEDA admission webhooks prometheus metrics - port: 8080 - serviceMonitor: - # -- Enables ServiceMonitor creation for the Prometheus webhooks - enabled: false - # -- jobLabel selects the label from the associated Kubernetes service which will be used as the job label for all metrics. [ServiceMonitor Spec] - jobLabel: "" - # -- TargetLabels transfers labels from the Kubernetes `Service` onto the created metrics - targetLabels: [] - # -- PodTargetLabels transfers labels on the Kubernetes `Pod` onto the created metrics - podTargetLabels: [] - # -- Name of the service port this endpoint refers to. Mutually exclusive with targetPort - port: metrics - # -- Name or number of the target port of the Pod behind the Service, the port must be specified with container port property. Mutually exclusive with port - targetPort: "" - # -- Interval at which metrics should be scraped If not specified Prometheus’ global scrape interval is used. - interval: "" - # -- Timeout after which the scrape is ended If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used - scrapeTimeout: "" - # -- DEPRECATED. List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). [RelabelConfig Spec] - relabellings: [] - # -- List of expressions that define custom relabeling rules for metric server ServiceMonitor crd (prometheus operator). 
[RelabelConfig Spec] - relabelings: [] - # -- Additional labels to add for metric server using ServiceMonitor crd (prometheus operator) - additionalLabels: {} - prometheusRules: - # -- Enables PrometheusRules creation for the Prometheus Operator - enabled: false - # -- Scraping namespace for KEDA admission webhooks using prometheusRules crd (prometheus operator) - namespace: "" - # -- Additional labels to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) - additionalLabels: {} - # -- Additional alerts to add for KEDA admission webhooks using prometheusRules crd (prometheus operator) - alerts: [] - -opentelemetry: - collector: - # -- Uri of OpenTelemetry Collector to push telemetry to - uri: "" - operator: - # -- Enable pushing metrics to an OpenTelemetry Collector for operator - enabled: false - -certificates: - # -- Enables the self generation for KEDA TLS certificates inside KEDA operator - autoGenerated: true - # -- Secret name to be mounted with KEDA TLS certificates - secretName: kedaorg-certs - # -- Path where KEDA TLS certificates are mounted - mountPath: /certs - certManager: - # -- Enables Cert-manager for certificate management - enabled: false - # -- Generates a self-signed CA with Cert-manager. 
- # If generateCA is false, the secret with the CA - # has to be annotated with `cert-manager.io/allow-direct-injection: "true"` - generateCA: true - # -- Secret name where the CA is stored (generatedby cert-manager or user given) - caSecretName: "kedaorg-ca" - # -- Add labels/annotations to secrets created by Certificate resources - # [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) - secretTemplate: {} - # annotations: - # my-secret-annotation-1: "foo" - # my-secret-annotation-2: "bar" - # labels: - # my-secret-label: foo - -permissions: - metricServer: - restrict: - # -- Restrict Secret Access for Metrics Server - secret: false - operator: - restrict: - # -- Restrict Secret Access for KEDA operator - secret: false - -# -- Array of extra K8s manifests to deploy -extraObjects: [] - # - apiVersion: keda.sh/v1alpha1 - # kind: ClusterTriggerAuthentication - # metadata: - # name: aws-credentials - # namespace: keda - # spec: - # podIdentity: - # provider: aws-eks - -# -- Capability to turn on/off ASCII art in Helm installation notes -asciiArt: true \ No newline at end of file diff --git a/modules/helm/template.go b/modules/helm/template.go index 95a727125..a9070e12d 100644 --- a/modules/helm/template.go +++ b/modules/helm/template.go 
@@ -72,16 +72,18 @@ func RenderTemplateE(t testing.TestingT, options *Options, chartDir string, rele return RunHelmCommandAndGetStdOutE(t, options, "template", args...) } +// RenderTemplate runs `helm template` to render a *remote* chart given the provided options and returns stdout/stderr from +// the template command. If you pass in templateFiles, this will only render those templates. This function will fail +// the test if there is an error rendering the template. func RenderRemoteTemplate(t testing.TestingT, options *Options, chartURL string, releaseName string, templateFiles []string, extraHelmArgs ...string) string { out, err := RenderRemoteTemplateE(t, options, chartURL, releaseName, templateFiles, extraHelmArgs...) require.NoError(t, err) return out } -// RenderTemplateE runs `helm template` to render the template given the provided options and returns stdout/stderr from +// RenderTemplate runs `helm template` to render a *remote* helm chart given the provided options and returns stdout/stderr from // the template command. If you pass in templateFiles, this will only render those templates. func RenderRemoteTemplateE(t testing.TestingT, options *Options, chartURL string, releaseName string, templateFiles []string, extraHelmArgs ...string) (string, error) { - // TODO: verify the charts exists and verify dependencies // Now construct the args // We first construct the template args args := []string{} 
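Review bot: Both new doc comments open with `RenderTemplate`, which is a different function; Go doc tooling expects the comment to start with the name it documents, so they should begin `// RenderRemoteTemplate runs ...` above `RenderRemoteTemplate` and `// RenderRemoteTemplateE runs ...` above `RenderRemoteTemplateE`. The comments could also state that `chartURL` is handed to helm as the repository (`--repo` in the next hunk) and that the chart is presumably fetched over the network at render time. The removed `// TODO: verify the charts exists and verify dependencies` line was the only hint of that. The body of `RenderRemoteTemplateE` continues outside this hunk.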
@@ -93,20 +95,15 @@ func RenderRemoteTemplateE(t testing.TestingT, options *Options, chartURL string return "", err } for _, templateFile := range templateFiles { - // validate this is a valid template file - // absTemplateFile := filepath.Join(absChartDir, templateFile) - // if !strings.HasPrefix(templateFile, "charts") && !files.FileExists(absTemplateFile) { - // return "", errors.WithStackTrace(TemplateFileNotFoundError{Path: templateFile, ChartDir: absChartDir}) - // } - - // Note: we only get the abs template file path to check it actually exists, but the `helm template` command - // expects the relative path from the chart. + // As the helm command fails if a non valid template is given as input + // we do not check if the template file exists or not as we do for local charts + // as it would add unecessary networking calls args = append(args, "--show-only", templateFile) } // deal extraHelmArgs args = append(args, extraHelmArgs...) - // ... and add the name and chart at the end as the command expects + // ... and add the helm chart name, the remote repo and chart URL at the end args = append(args, releaseName, "--repo", chartURL) // Finally, call out to helm template command diff --git a/modules/helm/template_test.go b/modules/helm/template_test.go index 209eab690..1c212099b 100644 --- a/modules/helm/template_test.go +++ b/modules/helm/template_test.go @@ -20,14 +20,14 @@ import ( "github.com/gruntwork-io/terratest/modules/random" ) -const ( - remote2ChartSource = "https://charts.bitnami.com/bitnami" - remote2ChartName = "nginx" - remote2ChartVersion = "13.2.23" -) - // Test that we can render locally a remote chart (e.g bitnami/nginx) func TestRemoteChartRender(t *testing.T) { + const ( + remoteChartSource = "https://charts.bitnami.com/bitnami" + remoteChartName = "nginx" + remoteChartVersion = "13.2.23" + ) + t.Parallel() namespaceName := fmt.Sprintf( 
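Review bot: `args = append(args, releaseName, "--repo", chartURL)` passes a single positional argument, and `helm template [NAME] [CHART]` reads a lone positional as the chart, so the `releaseName` parameter actually selects the chart inside the repo and the release name falls back to helm's default. The callers in this series bear that out: `releaseName := remoteChartName` in `modules/helm/template_test.go`, the `// chart name` comment above `releaseName := "keda"` in `test/helm_keda_remote_example_template_test.go`, and the sample output removed there showing `app.kubernetes.io/instance: release-name`. Either state this in the function's doc comment, or pass both values, e.g. `args = append(args, releaseName, chartName, "--repo", chartURL)`, which would need the chart name supplied separately. The new comment also misspells "unnecessary" as `unecessary`. The function starts before and ends after this hunk.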
@@ -36,21 +36,20 @@ func TestRemoteChartRender(t *testing.T) { strings.ToLower(random.UniqueId()), ) - releaseName := "keda" + releaseName := remoteChartName options := &Options{ SetValues: map[string]string{ - "metricsServer.replicaCount": "999", - "resources.metricServer.limits.memory": "1234Mi", + "image.repository": remoteChartName, + "image.registry": "", + "image.tag": remoteChartVersion, }, KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), } // Run RenderTemplate to render the template and capture the output. Note that we use the version without `E`, since // we want to assert that the template renders without any errors. - // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles - // arg to demonstrate how to select individual templates to render. - output := RenderRemoteTemplate(t, options, "https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yaml"}) + output := RenderRemoteTemplate(t, options, remoteChartSource, releaseName, []string{"templates/deployment.yaml"}) // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will // ensure the Deployment resource is rendered correctly. @@ -61,8 +60,8 @@ func TestRemoteChartRender(t *testing.T) { require.Equal(t, namespaceName, deployment.Namespace) // Finally, we verify the deployment pod template spec is set to the expected container image value - var expectedMetricsServerReplica int32 - expectedMetricsServerReplica = 999 - deploymentMetricsServerReplica := *deployment.Spec.Replicas - require.Equal(t, expectedMetricsServerReplica, deploymentMetricsServerReplica) + expectedContainerImage := remoteChartName + ":" + remoteChartVersion + deploymentContainers := deployment.Spec.Template.Spec.Containers + require.Equal(t, len(deploymentContainers), 1) + require.Equal(t, deploymentContainers[0].Image, expectedContainerImage) } 
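Review bot: `remoteChartVersion` is only fed into `"image.tag"`, so the chart itself is fetched unpinned from `remoteChartSource` and the test renders whatever version that repository serves on the day it runs. "13.2.23" looks like a chart version rather than an nginx image tag, so the intent was probably to pin the chart. `RenderRemoteTemplate` already forwards extra helm arguments, so `output := RenderRemoteTemplate(t, options, remoteChartSource, releaseName, []string{"templates/deployment.yaml"}, "--version", remoteChartVersion)` would do it. Pinning keeps the test reproducible and limits what an upstream change to the repository can put in front of the assertions. The keda example in `test/helm_keda_remote_example_template_test.go` calls `RenderRemoteTemplate` without a version as well.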
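Review bot: The two new assertions pass the actual value where testify expects the expected one: `require.Equal(t, len(deploymentContainers), 1)` and `require.Equal(t, deploymentContainers[0].Image, expectedContainerImage)`. They still pass or fail correctly, but a failure report would label the two values the wrong way round. I would write `require.Len(t, deploymentContainers, 1)` and `require.Equal(t, expectedContainerImage, deploymentContainers[0].Image)`, matching the `require.Equal(t, namespaceName, deployment.Namespace)` order used just above.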
From 8508fcb4e4ddca438aa306a450fb81792c74016c Mon Sep 17 00:00:00 2001 From: Jerome Guionnet Date: Wed, 1 Nov 2023 12:02:52 -0700 Subject: [PATCH 6/6] further clean up --- test/helm_keda_example_template_test.go | 80 ---------------- .../helm_keda_remote_example_template_test.go | 96 ++----------------- 2 files changed, 6 insertions(+), 170 deletions(-) delete mode 100644 test/helm_keda_example_template_test.go diff --git a/test/helm_keda_example_template_test.go b/test/helm_keda_example_template_test.go deleted file mode 100644 index 4c4a8f709..000000000 --- a/test/helm_keda_example_template_test.go +++ /dev/null 
@@ -1,80 +0,0 @@ -//go:build kubeall || helm -// +build kubeall helm - -// **NOTE**: we have build tags to differentiate kubernetes tests from non-kubernetes tests, and further differentiate helm -// tests. This is done because minikube is heavy and can interfere with docker related tests in terratest. Similarly, helm -// can overload the minikube system and thus interfere with the other kubernetes tests. Specifically, many of the tests -// start to fail with `connection refused` errors from `minikube`. To avoid overloading the system, we run the kubernetes -// tests and helm tests separately from the others. This may not be necessary if you have a sufficiently powerful machine. -// We recommend at least 4 cores and 16GB of RAM if you want to run all the tests together. - -package test - -import ( - "path/filepath" - "strings" - "testing" - - "github.com/stretchr/testify/require" - appsv1 "k8s.io/api/apps/v1" - - "github.com/gruntwork-io/terratest/modules/helm" - "github.com/gruntwork-io/terratest/modules/k8s" - "github.com/gruntwork-io/terratest/modules/logger" - "github.com/gruntwork-io/terratest/modules/random" -) - -// This file contains examples of how to use terratest to test helm chart template logic by rendering the templates -// using `helm template`, and then reading in the rendered templates. -// There are two tests: -// - TestHelmBasicExampleTemplateRenderedDeployment: An example of how to read in the rendered object and check the -// computed values. -// - TestHelmBasicExampleTemplateRequiredTemplateArgs: An example of how to check that the required args are indeed -// required for the template to render. - -// An example of how to verify the rendered template object of a Helm Chart given various inputs. 
-func TestHelmKedaLocalExampleTemplateRenderedDeployment(t *testing.T) { - t.Parallel() - - // Path to the helm chart we will test - helmChartPath, err := filepath.Abs("../examples/helm-keda") - releaseName := "keda" - require.NoError(t, err) - - // Since we aren't deploying any resources, there is no need to setup kubectl authentication or helm home. - - // Set up the namespace; confirm that the template renders the expected value for the namespace. - namespaceName := "medieval-" + strings.ToLower(random.UniqueId()) - logger.Logf(t, "Namespace: %s\n", namespaceName) - - // Setup the args. For this test, we will set the following input values: - // - containerImageRepo=nginx - // - containerImageTag=1.15.8 - options := &helm.Options{ - SetValues: map[string]string{ - "metricsServer.replicaCount": "999", - "resources.metricServer.limits.memory": "1234Mi", - }, - KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), - } - - // Run RenderTemplate to render the template and capture the output. Note that we use the version without `E`, since - // we want to assert that the template renders without any errors. - // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles - // arg to demonstrate how to select individual templates to render. - output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/metrics-server/deployment.yaml"}) - - // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will - // ensure the Deployment resource is rendered correctly. - var deployment appsv1.Deployment - helm.UnmarshalK8SYaml(t, output, &deployment) - - // Verify the namespace matches the expected supplied namespace. 
- require.Equal(t, namespaceName, deployment.Namespace) - - // Finally, we verify the deployment pod template spec is set to the expected container image value - var expectedMetricsServerReplica int32 - expectedMetricsServerReplica = 999 - deploymentMetricsServerReplica := *deployment.Spec.Replicas - require.Equal(t, expectedMetricsServerReplica, deploymentMetricsServerReplica) -} diff --git a/test/helm_keda_remote_example_template_test.go b/test/helm_keda_remote_example_template_test.go index 645fd633e..dbf6bbc59 100644 --- a/test/helm_keda_remote_example_template_test.go +++ b/test/helm_keda_remote_example_template_test.go 
@@ -23,32 +23,23 @@ import ( "github.com/gruntwork-io/terratest/modules/random" ) -// This file contains examples of how to use terratest to test helm chart template logic by rendering the templates +// This file contains an example of how to use terratest to test *remote* helm chart template logic by rendering the templates // using `helm template`, and then reading in the rendered templates. -// There are two tests: -// - TestHelmKedaExampleTemplateRenderedDeployment: An example of how to read in the rendered object and check the +// - TestHelmKedaRemoteExampleTemplateRenderedDeployment: An example of how to read in the rendered object and check the // computed values. -// - TestHelmKedaExampleTemplateRequiredTemplateArgs: An example of how to check that the required args are indeed -// required for the template to render. // An example of how to verify the rendered template object of a Helm Chart given various inputs. func TestHelmKedaRemoteExampleTemplateRenderedDeployment(t *testing.T) { t.Parallel() - // Path to the helm chart we will test - // helmChartPath, err := filepath.Abs("../examples/helm-basic-example") + // chart name releaseName := "keda" - // require.NoError(t, err) - - // Since we aren't deploying any resources, there is no need to setup kubectl authentication or helm home. // Set up the namespace; confirm that the template renders the expected value for the namespace. namespaceName := "medieval-" + strings.ToLower(random.UniqueId()) logger.Logf(t, "Namespace: %s\n", namespaceName) // Setup the args. For this test, we will set the following input values: - // - containerImageRepo=nginx - // - containerImageTag=1.15.8 options := &helm.Options{ SetValues: map[string]string{ "metricsServer.replicaCount": "999", 
@@ -57,10 +48,10 @@ func TestHelmKedaRemoteExampleTemplateRenderedDeployment(t *testing.T) { KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), } - // Run RenderTemplate to render the template and capture the output. Note that we use the version without `E`, since + // Run RenderTemplate to render the *remote* template and capture the output. Note that we use the version without `E`, since // we want to assert that the template renders without any errors. - // Additionally, although we know there is only one yaml file in the template, we deliberately path a templateFiles - // arg to demonstrate how to select individual templates to render. + // Additionally, we path a the templateFile for which we are setting test values to + // demonstrate how to select individual templates to render. output := helm.RenderRemoteTemplate(t, options, "https://kedacore.github.io/charts", releaseName, []string{"templates/metrics-server/deployment.yaml"}) // Now we use kubernetes/client-go library to render the template output into the Deployment struct. This will 
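Review bot: The rewritten comment reads "we path a the templateFile", which keeps the old "path" typo and adds a stray article, and it still says "Run RenderTemplate" although the call below is `helm.RenderRemoteTemplate`. Suggested wording: `// Run RenderRemoteTemplate to render the *remote* template and capture the output.` followed by `// Additionally, we pass the template file whose values we set, to demonstrate how to select individual templates to render.` The test function starts before and ends after this hunk.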
@@ -76,79 +67,4 @@ func TestHelmKedaRemoteExampleTemplateRenderedDeployment(t *testing.T) { expectedMetricsServerReplica = 999 deploymentMetricsServerReplica := *deployment.Spec.Replicas require.Equal(t, expectedMetricsServerReplica, deploymentMetricsServerReplica) - - // # Source: keda/templates/metrics-server/deployment.yaml - // apiVersion: apps/v1 - // kind: Deployment - // metadata: - // name: keda-operator-metrics-apiserver - // namespace: medieval-38bl76 - // labels: - // app: keda-operator-metrics-apiserver - // app.kubernetes.io/name: keda-operator-metrics-apiserver - // helm.sh/chart: keda-2.12.0 - // app.kubernetes.io/component: operator - // app.kubernetes.io/managed-by: Helm - // app.kubernetes.io/instance: release-name - // app.kubernetes.io/part-of: keda-operator - // app.kubernetes.io/version: 2.12.0 - // spec: - // revisionHistoryLimit: 10 - // replicas: 1 } - -// An example of how to verify required values for a helm chart. -// func TestHelmKedaExampleTemplateRequiredTemplateArgs(t *testing.T) { -// t.Parallel() - -// // Path to the helm chart we will test -// helmChartPath, err := filepath.Abs("../examples/helm-basic-example") -// releaseName := "helm-basic" -// require.NoError(t, err) - -// // Since we aren't deploying any resources, there is no need to setup kubectl authentication, helm home, or -// // namespaces - -// // Here, we use a table driven test to iterate through all the required values as subtests. You can learn more about -// // go subtests here: https://blog.golang.org/subtests -// // The struct captures the inputs that we will pass to helm template and a human friendly name so we can identify it -// // in the test output. In this case, each test case will be a complete values input except for one of the required -// // values missing, to test that neglecting a required value will cause the template rendering to fail. 
-// testCases := []struct { -// name string -// values map[string]string -// }{ -// { -// "MissingContainerImageRepo", -// map[string]string{"containerImageTag": "1.15.8"}, -// }, -// { -// "MissingContainerImageTag", -// map[string]string{"containerImageRepo": "nginx"}, -// }, -// // { -// // "NotMissing", -// // map[string]string{"containerImageRepo": "nginx", "containerImageTag": "1.15.8"}, -// // }, -// } - -// // Now we iterate over each test case and spawn a sub test -// for _, testCase := range testCases { -// // Here, we capture the range variable and force it into the scope of this block. If we don't do this, when the -// // subtest switches contexts (because of t.Parallel), the testCase value will have been updated by the for loop -// // and will be the next testCase! -// testCase := testCase - -// // The actual sub test spawning. We name the sub test using the human friendly name. Note that we name the sub -// // test T struct to subT to make it clear which T struct corresponds to which test. However, in most cases you -// // will not reference the main test T so you can name it the same. -// t.Run(testCase.name, func(subT *testing.T) { -// subT.Parallel() - -// // Now we try rendering the template, but verify we get an error -// options := &helm.Options{SetValues: testCase.values} -// _, err := helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{}) -// require.Error(t, err) -// }) -// } -// }