From 224d0531e6b23779eec74a531f6203248544e8df Mon Sep 17 00:00:00 2001
From: killianmuldoon
Date: Thu, 22 Feb 2024 16:24:34 +0000
Subject: [PATCH] feat(helm): make cfssl image configurable in helm values

Signed-off-by: killianmuldoon
---
 charts/kamaji/Chart.yaml | 2 +-
 charts/kamaji/README.md | 142 +++++++++---------
 .../kamaji/templates/etcd_job_preinstall.yaml | 2 +-
 charts/kamaji/values.yaml | 5 +
 4 files changed, 79 insertions(+), 72 deletions(-)

diff --git a/charts/kamaji/Chart.yaml b/charts/kamaji/Chart.yaml
index e8985df8..c270848e 100644
--- a/charts/kamaji/Chart.yaml
+++ b/charts/kamaji/Chart.yaml
@@ -15,7 +15,7 @@ name: kamaji
 sources:
 - https://github.com/clastix/kamaji
 type: application
-version: 0.14.0
+version: 0.14.2
 annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/release-name: kamaji
diff --git a/charts/kamaji/README.md b/charts/kamaji/README.md
index 8a79a014..1542c733 100644
--- a/charts/kamaji/README.md
+++ b/charts/kamaji/README.md
@@ -63,76 +63,78 @@ Here the values you can override: ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | Kubernetes affinity rules to apply to Kamaji controller pods | -| datastore.basicAuth.passwordSecret.keyPath | string | `nil` | The Secret key where the data is stored. | -| datastore.basicAuth.passwordSecret.name | string | `nil` | The name of the Secret containing the password used to connect to the relational database. | -| datastore.basicAuth.passwordSecret.namespace | string | `nil` | The namespace of the Secret containing the password used to connect to the relational database. | -| datastore.basicAuth.usernameSecret.keyPath | string | `nil` | The Secret key where the data is stored. | -| datastore.basicAuth.usernameSecret.name | string | `nil` | The name of the Secret containing the username used to connect to the relational database. | -| datastore.basicAuth.usernameSecret.namespace | string | `nil` | The namespace of the Secret containing the username used to connect to the relational database. | -| datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). | -| datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) | -| datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. | -| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. | -| datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. 
| -| datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | -| datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | -| datastore.tlsConfig.certificateAuthority.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. | -| datastore.tlsConfig.certificateAuthority.privateKey.name | string | `nil` | Name of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore. | -| datastore.tlsConfig.certificateAuthority.privateKey.namespace | string | `nil` | Namespace of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore. | -| datastore.tlsConfig.clientCertificate.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. | -| datastore.tlsConfig.clientCertificate.certificate.name | string | `nil` | Name of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore. | -| datastore.tlsConfig.clientCertificate.certificate.namespace | string | `nil` | Namespace of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore. | -| datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. | -| datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. 
| -| datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | -| etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) | -| etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji | -| etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image | -| etcd.livenessProbe | object | `{"failureThreshold":8,"httpGet":{"path":"/health?serializable=true","port":2381,"scheme":"HTTP"},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":15}` | The livenessProbe for the etcd container | -| etcd.overrides.caSecret.name | string | `"etcd-certs"` | Name of the secret which contains CA's certificate and private key. (default: "etcd-certs") | -| etcd.overrides.caSecret.namespace | string | `"kamaji-system"` | Namespace of the secret which contains CA's certificate and private key. (default: "kamaji-system") | -| etcd.overrides.clientSecret.name | string | `"root-client-certs"` | Name of the secret which contains ETCD client certificates. (default: "root-client-certs") | -| etcd.overrides.clientSecret.namespace | string | `"kamaji-system"` | Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji-system") | -| etcd.overrides.endpoints | object | `{"etcd-0":"etcd-0.etcd.kamaji-system.svc.cluster.local","etcd-1":"etcd-1.etcd.kamaji-system.svc.cluster.local","etcd-2":"etcd-2.etcd.kamaji-system.svc.cluster.local"}` | (map) Dictionary of the endpoints for the etcd cluster's members, key is the name of the etcd server. Don't define the protocol (TLS is automatically inflected), or any port, inflected from .etcd.peerApiPort value. | -| etcd.peerApiPort | int | `2380` | The peer API port which servers are listening to. 
| -| etcd.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | -| etcd.persistence.customAnnotations | object | `{}` | The custom annotations to add to the PVC | -| etcd.persistence.size | string | `"10Gi"` | | -| etcd.persistence.storageClassName | string | `""` | | -| etcd.port | int | `2379` | The client request port. | -| etcd.serviceAccount.create | bool | `true` | Create a ServiceAccount, required to install and provision the etcd backing storage (default: true) | -| etcd.serviceAccount.name | string | `""` | Define the ServiceAccount name to use during the setup and provision of the etcd backing storage (default: "") | -| etcd.tolerations | list | `[]` | (array) Kubernetes affinity rules to apply to Kamaji etcd pods | -| extraArgs | list | `[]` | A list of extra arguments to add to the kamaji controller default ones | -| fullnameOverride | string | `""` | | -| healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to. (default ":8081") | -| image.pullPolicy | string | `"Always"` | | -| image.repository | string | `"clastix/kamaji"` | The container image of the Kamaji controller. | -| image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. | -| imagePullSecrets | list | `[]` | | -| livenessProbe | object | `{"httpGet":{"path":"/healthz","port":"healthcheck"},"initialDelaySeconds":15,"periodSeconds":20}` | The livenessProbe for the controller container | -| loggingDevel.enable | bool | `false` | (string) Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default false) | -| metricsBindAddress | string | `":8080"` | (string) The address the metric endpoint binds to. 
(default ":8080") | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | Kubernetes node selector rules to schedule Kamaji controller | -| podAnnotations | object | `{}` | The annotations to apply to the Kamaji controller pods. | -| podSecurityContext | object | `{"runAsNonRoot":true}` | The securityContext to apply to the Kamaji controller pods. | -| readinessProbe | object | `{"httpGet":{"path":"/readyz","port":"healthcheck"},"initialDelaySeconds":5,"periodSeconds":10}` | The readinessProbe for the controller container | -| replicaCount | int | `1` | The number of the pod replicas for the Kamaji controller. | -| resources.limits.cpu | string | `"200m"` | | -| resources.limits.memory | string | `"100Mi"` | | -| resources.requests.cpu | string | `"100m"` | | -| resources.requests.memory | string | `"20Mi"` | | -| securityContext | object | `{"allowPrivilegeEscalation":false}` | The securityContext to apply to the Kamaji controller container only. It does not apply to the Kamaji RBAC proxy container. | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `"kamaji-controller-manager"` | | -| serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured | -| temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. 
(default "/tmp/kamaji") | -| tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate | +| Key | Type | Default | Description | +|----------------------------------------------------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| affinity | object | `{}` | Kubernetes affinity rules to apply to Kamaji controller pods | +| cfssl.image.repository | string | `"cfssl/cfssl"` | | +| cfssl.image.tag | string | `"latest"` | | +| datastore.basicAuth.passwordSecret.keyPath | string | `nil` | The Secret key where the data is stored. | +| datastore.basicAuth.passwordSecret.name | string | `nil` | The name of the Secret containing the password used to connect to the relational database. | +| datastore.basicAuth.passwordSecret.namespace | string | `nil` | The namespace of the Secret containing the password used to connect to the relational database. | +| datastore.basicAuth.usernameSecret.keyPath | string | `nil` | The Secret key where the data is stored. | +| datastore.basicAuth.usernameSecret.name | string | `nil` | The name of the Secret containing the username used to connect to the relational database. | +| datastore.basicAuth.usernameSecret.namespace | string | `nil` | The namespace of the Secret containing the username used to connect to the relational database. | +| datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). 
| +| datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) | +| datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. | +| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. | +| datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. | +| datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.certificateAuthority.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. | +| datastore.tlsConfig.certificateAuthority.privateKey.name | string | `nil` | Name of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.certificateAuthority.privateKey.namespace | string | `nil` | Namespace of the Secret containing the CA private key required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.clientCertificate.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. | +| datastore.tlsConfig.clientCertificate.certificate.name | string | `nil` | Name of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore. 
| +| datastore.tlsConfig.clientCertificate.certificate.namespace | string | `nil` | Namespace of the Secret containing the client certificate required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. | +| datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | +| etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) | +| etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji | +| etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image | +| etcd.livenessProbe | object | `{"failureThreshold":8,"httpGet":{"path":"/health?serializable=true","port":2381,"scheme":"HTTP"},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":15}` | The livenessProbe for the etcd container | +| etcd.overrides.caSecret.name | string | `"etcd-certs"` | Name of the secret which contains CA's certificate and private key. (default: "etcd-certs") | +| etcd.overrides.caSecret.namespace | string | `"kamaji-system"` | Namespace of the secret which contains CA's certificate and private key. (default: "kamaji-system") | +| etcd.overrides.clientSecret.name | string | `"root-client-certs"` | Name of the secret which contains ETCD client certificates. 
(default: "root-client-certs") | +| etcd.overrides.clientSecret.namespace | string | `"kamaji-system"` | Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji-system") | +| etcd.overrides.endpoints | object | `{"etcd-0":"etcd-0.etcd.kamaji-system.svc.cluster.local","etcd-1":"etcd-1.etcd.kamaji-system.svc.cluster.local","etcd-2":"etcd-2.etcd.kamaji-system.svc.cluster.local"}` | (map) Dictionary of the endpoints for the etcd cluster's members, key is the name of the etcd server. Don't define the protocol (TLS is automatically inflected), or any port, inflected from .etcd.peerApiPort value. | +| etcd.peerApiPort | int | `2380` | The peer API port which servers are listening to. | +| etcd.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | +| etcd.persistence.customAnnotations | object | `{}` | The custom annotations to add to the PVC | +| etcd.persistence.size | string | `"10Gi"` | | +| etcd.persistence.storageClassName | string | `""` | | +| etcd.port | int | `2379` | The client request port. | +| etcd.serviceAccount.create | bool | `true` | Create a ServiceAccount, required to install and provision the etcd backing storage (default: true) | +| etcd.serviceAccount.name | string | `""` | Define the ServiceAccount name to use during the setup and provision of the etcd backing storage (default: "") | +| etcd.tolerations | list | `[]` | (array) Kubernetes affinity rules to apply to Kamaji etcd pods | +| extraArgs | list | `[]` | A list of extra arguments to add to the kamaji controller default ones | +| fullnameOverride | string | `""` | | +| healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to. (default ":8081") | +| image.pullPolicy | string | `"Always"` | | +| image.repository | string | `"clastix/kamaji"` | The container image of the Kamaji controller. | +| image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. 
| +| imagePullSecrets | list | `[]` | | +| livenessProbe | object | `{"httpGet":{"path":"/healthz","port":"healthcheck"},"initialDelaySeconds":15,"periodSeconds":20}` | The livenessProbe for the controller container | +| loggingDevel.enable | bool | `false` | (string) Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default false) | +| metricsBindAddress | string | `":8080"` | (string) The address the metric endpoint binds to. (default ":8080") | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | Kubernetes node selector rules to schedule Kamaji controller | +| podAnnotations | object | `{}` | The annotations to apply to the Kamaji controller pods. | +| podSecurityContext | object | `{"runAsNonRoot":true}` | The securityContext to apply to the Kamaji controller pods. | +| readinessProbe | object | `{"httpGet":{"path":"/readyz","port":"healthcheck"},"initialDelaySeconds":5,"periodSeconds":10}` | The readinessProbe for the controller container | +| replicaCount | int | `1` | The number of the pod replicas for the Kamaji controller. | +| resources.limits.cpu | string | `"200m"` | | +| resources.limits.memory | string | `"100Mi"` | | +| resources.requests.cpu | string | `"100m"` | | +| resources.requests.memory | string | `"20Mi"` | | +| securityContext | object | `{"allowPrivilegeEscalation":false}` | The securityContext to apply to the Kamaji controller container only. It does not apply to the Kamaji RBAC proxy container. | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `"kamaji-controller-manager"` | | +| serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured | +| temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. 
(default "/tmp/kamaji") | +| tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate | ## Installing and managing etcd as DataStore
diff --git a/charts/kamaji/templates/etcd_job_preinstall.yaml b/charts/kamaji/templates/etcd_job_preinstall.yaml
index 834e2973..3344a58a 100644
--- a/charts/kamaji/templates/etcd_job_preinstall.yaml
+++ b/charts/kamaji/templates/etcd_job_preinstall.yaml
@@ -19,7 +19,7 @@ spec:
 restartPolicy: Never
 initContainers:
 - name: cfssl
- image: cfssl/cfssl:latest
+ image: "{{ .Values.cfssl.image.repository }}:{{ .Values.cfssl.image.tag }}"
 command:
 - bash
 - -c
diff --git a/charts/kamaji/values.yaml b/charts/kamaji/values.yaml
index 6dc584db..814f2aa9 100644
--- a/charts/kamaji/values.yaml
+++ b/charts/kamaji/values.yaml
@@ -214,3 +214,8 @@ datastore:
 namespace:
 # -- Key of the Secret which contains the content of the private key.
 keyPath:
+
+cfssl:
+ image:
+ repository: cfssl/cfssl
+ tag: latest
\ No newline at end of file
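Review bot: The new `image:` line of the `cfssl` init container still resolves to a mutable tag by default, because this patch sets `cfssl.image.tag: latest` in values.yaml, and the template can only join repository and tag with `:`, so a digest pin cannot be expressed at all. The container belongs to the etcd pre-install job and presumably produces the etcd certificate material (its script starts at `command:` and continues outside the hunk), so whatever the registry serves under `latest` at install time runs in that position. Consider defaulting to a fixed release (`tag: "<pinned-version>"`) and accepting an optional digest, e.g. `image: "{{ .Values.cfssl.image.repository }}{{ if .Values.cfssl.image.digest }}@{{ .Values.cfssl.image.digest }}{{ else }}:{{ .Values.cfssl.image.tag }}{{ end }}"`. The same `latest` default is repeated in the values.yaml hunk and in the README rows for `cfssl.image.*`.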
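Review bot: The new `cfssl` block carries no `# --` description comments, unlike the `keyPath:` entry directly above it, and the README rows for `cfssl.image.repository` and `cfssl.image.tag` in this patch accordingly have empty descriptions. Add for example `# -- Repository of the cfssl image run by the etcd pre-install job.` above `repository:` and `# -- Tag of the cfssl image; prefer a fixed version over a moving tag.` above `tag:`. The file also now ends without a trailing newline, which is worth fixing in the same change.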