diff --git a/charts/codezero/Chart.yaml b/charts/codezero/Chart.yaml
index e3bb31a..bac7f7c 100644
--- a/charts/codezero/Chart.yaml
+++ b/charts/codezero/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.0.1"
+appVersion: "v2"
diff --git a/charts/codezero/templates/_helpers.tpl b/charts/codezero/templates/_helpers.tpl
index cc6f6c4..ef0d3f0 100644
--- a/charts/codezero/templates/_helpers.tpl
+++ b/charts/codezero/templates/_helpers.tpl
@@ -49,23 +49,17 @@ helm.sh/chart: {{ include "codezero.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: codezero
 {{- with .Values.codezero.labels }}
 {{ . | toYaml }}
 {{- end }}
 {{- end }}
 
-{{/*
-External Load Balancer service selector labels
-*/}}
-{{- define "codezero.externalLBSelectorLabels" -}}
-codezero.io/externallb: "true"
-{{- end }}
-
 {{/*
 Pod labels
 */}}
 {{- define "codezero.podLabels" -}}
-{{- include "codezero.selectorLabels" . }}
+{{ include "codezero.labels" . }}
 {{- with .Values.codezero.podLabels }}
 {{ . | toYaml }}
 {{- end }}
diff --git a/charts/codezero/templates/lb/_helpers.tpl b/charts/codezero/templates/lb/_helpers.tpl
new file mode 100644
index 0000000..ae88acf
--- /dev/null
+++ b/charts/codezero/templates/lb/_helpers.tpl
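Review bot: `codezero.podLabels` now emits the whole `codezero.labels` set (including `helm.sh/chart` and `app.kubernetes.io/version`) instead of the selector labels, and the component pod-label helpers in this commit (`lb.podLabels`, `orchestrator.podLabels`, `system.podLabels`) append their own selector labels after it. If `codezero.labels` also includes `codezero.selectorLabels` (the lines above 49 are outside the hunk, but that is the usual layout), the rendered pod template carries `app.kubernetes.io/name` twice with different values for the lb component, and duplicate mapping keys are either rejected or silently last-wins depending on the YAML parser; please check the output of `helm template` for the lb Deployment. Propagating the chart version into pod labels also means every chart bump changes the pod template and restarts every pod; if that is intended, a comment such as `{{/* Full common labels are deliberately propagated to pods so every chart bump rolls them */}}` above the define would save the next reader the question.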
@@ -0,0 +1,90 @@
+{{- if ne .Release.Namespace "codezero" }}
+{{- fail "The CodeZero LB has to be installed in codezero namespace" }}
+{{- end }}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "lb.name" -}}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if hasSuffix .Values.lb.name $name }}
+{{- $name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" $name .Values.lb.name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "lb.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if .Values.fullnameOverride }}
+{{- $name = .Values.fullnameOverride }}
+{{- else }}
+{{- if contains $name .Release.Name }}
+{{- $name = .Release.Name }}
+{{- else }}
+{{- $name = printf "%s-%s" .Release.Name $name }}
+{{- end }}
+{{- end }}
+{{- if hasSuffix .Values.lb.name $name }}
+{{- $name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" $name .Values.lb.name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "lb.labels" -}}
+{{ include "codezero.labels" . }}
+{{ include "lb.selectorLabels" . }}
+{{- with .Values.lb.labels }}
+{{ . | toYaml }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "lb.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lb.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Pod labels
+*/}}
+{{- define "lb.podLabels" -}}
+{{ include "codezero.podLabels" . }}
+{{ include "lb.selectorLabels" . }}
+{{- with .Values.lb.podLabels }}
+{{ . | toYaml }}
+{{- end }}
+{{- end }}
+
+{{/*
+Pod annotations
+*/}}
+{{- define "lb.podAnnotations" -}}
+{{ include "codezero.podAnnotations" . }}
+checksum/configmap: {{ include (print .Template.BasePath "/lb/configmap.yaml") . | sha1sum }}
+{{- with .Values.lb.podAnnotations }}
+{{ . | toYaml }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "lb.serviceAccountName" -}}
+{{- if .Values.lb.serviceAccount.create }}
+{{- default (include "lb.fullname" .) .Values.lb.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.lb.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/codezero/templates/lb/configmap.yaml b/charts/codezero/templates/lb/configmap.yaml
new file mode 100644
index 0000000..3ee84a5
--- /dev/null
+++ b/charts/codezero/templates/lb/configmap.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "lb.fullname" . }}
+  labels:
+    {{- include "lb.labels" . | nindent 4 }}
+data:
+  haproxy.cfg: |
+    global
+      log stdout format raw local0
+      maxconn 4096
+
+    defaults
+      log global
+      timeout client 60s
+      timeout connect 60s
+      timeout server 60s
+
+    frontend system
+      bind :8800 ssl crt /etc/ssl/certs/space/server.pem
+      default_backend system
+
+    backend system
+      server system codezero-system:8800 check
+
+    frontend orchestrator
+      bind :8900 ssl crt /etc/ssl/certs/space/server.pem
+      default_backend orchestrator
+
+    backend orchestrator
+      server orchestrator codezero-orchestrator:8900 check
diff --git a/charts/codezero/templates/lb/deployment.yaml b/charts/codezero/templates/lb/deployment.yaml
new file mode 100644
index 0000000..8f0f562
--- /dev/null
+++ b/charts/codezero/templates/lb/deployment.yaml
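Review bot: The namespace guard at the top of the new `lb/_helpers.tpl` (`{{- if ne .Release.Namespace "codezero" }}` … `{{- fail … }}`) is very likely dead code: as far as I know Helm evaluates only the `define` blocks of underscore-prefixed partials and skips their top-level body when rendering, so the `fail` is never reached. This commit adds the same guard to `orchestrator/_helpers.tpl` and `system/_helpers.tpl` while deleting the working copies from the top of `orchestrator/deployment.yaml` and `system/deployment.yaml`, so the install-namespace check silently disappears even though the hardcoded `codezero-cert` Secret and `codezero` Service names depend on it. Please confirm with `helm template --namespace somewhere-else` on the chart; if it renders without error, keep the guard in a rendered template (a deployment, or a small `namespace-check.yaml` without the underscore prefix) rather than in the helpers.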
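Review bot: The backend targets `codezero-system:8800` and `codezero-orchestrator:8900` are hardcoded, while this commit's own `lb.fullname` helper (and the `orchestrator.fullname` used in `system/deployment.yaml`) builds Service names from the release name, so these backends resolve only when the release is literally named `codezero`; deriving them from the helpers, e.g. `server orchestrator {{ include "orchestrator.fullname" . }}:8900 check` (and the matching `system.fullname`, if it mirrors the orchestrator helper), keeps the three in sync at no cost since the ConfigMap is already a Helm template. Also, the frontends terminate TLS with `server.pem` but the `server` lines carry no `ssl` option, so the hop from HAProxy to the backends is plaintext inside the cluster; if the backends still serve TLS (the orchestrator deployment still references `/etc/ssl/certs/space/tls.key`) the proxied connection will fail the handshake, and if they now serve plain HTTP that downgrade deserves a comment in the config, e.g. `# TLS terminates here; backends are reached in plaintext over the cluster network`. Either way the `codezero-cert` Secret must contain a `server.pem` with the private key appended, which nothing in the chart documents.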
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "lb.fullname" . }}
+  labels:
+    {{- include "lb.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.lb.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "lb.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- include "lb.podAnnotations" . | nindent 8 }}
+      labels:
+        {{- include "lb.podLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "lb.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.lb.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ include "lb.name" . }}
+          securityContext:
+            {{- toYaml .Values.lb.securityContext | nindent 12 }}
+          image: "haproxytech/haproxy-alpine:{{ .Values.lb.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.lb.image.pullPolicy }}
+          args: ["-f", "/usr/local/etc/haproxy/haproxy.cfg"]
+          ports:
+            - containerPort: 8800
+              protocol: TCP
+            - containerPort: 8900
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.lb.resources | nindent 12 }}
+          volumeMounts:
+            - name: haproxy-config
+              mountPath: /usr/local/etc/haproxy/haproxy.cfg
+              subPath: haproxy.cfg
+            - mountPath: /etc/ssl/certs/space
+              name: codezero-cert
+              readOnly: true
+      volumes:
+        - name: haproxy-config
+          configMap:
+            name: {{ include "lb.fullname" . }}
+        - name: codezero-cert
+          secret:
+            secretName: codezero-cert
+      {{- with .Values.lb.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.lb.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.lb.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/codezero/templates/lb/service.yaml b/charts/codezero/templates/lb/service.yaml
new file mode 100644
index 0000000..4534df9
--- /dev/null
+++ b/charts/codezero/templates/lb/service.yaml
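Review bot: The image falls back to `.Chart.AppVersion` when `lb.image.tag` is empty (`image: "haproxytech/haproxy-alpine:{{ .Values.lb.image.tag | default .Chart.AppVersion }}"`), but this commit sets `appVersion` to `"v2"`, which is the CodeZero version, not an HAProxy tag; clearing the tag in values would then try to pull a tag that almost certainly does not exist. For a third-party image the fallback should be a pinned HAProxy version, e.g. `{{ .Values.lb.image.tag | default "2.8.1" }}` (the default already in values.yaml), or the tag should simply be required. Separately, `haproxy.cfg` is mounted with `subPath`, so ConfigMap edits are not propagated into running pods; that is only acceptable because `lb.podAnnotations` adds a `checksum/configmap` annotation that rolls the Deployment on change, and a one-line comment next to the mount, `# subPath mounts do not update live; the checksum/configmap pod annotation triggers a rollout instead`, would make that dependency explicit. The two `volumeMounts` entries also list `name`/`mountPath` in opposite orders; keeping `name` first in both reads cleaner.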
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: codezero
+  labels:
+    {{- include "lb.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.lb.service.type }}
+  ports:
+    - port: 8800
+      targetPort: 8800
+      protocol: TCP
+      name: system-http
+    - port: 8900
+      targetPort: 8900
+      protocol: TCP
+      name: orchestrator-http
+  selector:
+    {{- include "lb.selectorLabels" . | nindent 4 }}
diff --git a/charts/codezero/templates/lb/serviceaccount.yaml b/charts/codezero/templates/lb/serviceaccount.yaml
new file mode 100644
index 0000000..759e6d4
--- /dev/null
+++ b/charts/codezero/templates/lb/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.lb.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "lb.serviceAccountName" . }}
+  labels:
+    {{- include "lb.labels" . | nindent 4 }}
+  {{- with .Values.lb.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/codezero/templates/orchestrator/_helpers.tpl b/charts/codezero/templates/orchestrator/_helpers.tpl
index 0bb0e64..103f319 100644
--- a/charts/codezero/templates/orchestrator/_helpers.tpl
+++ b/charts/codezero/templates/orchestrator/_helpers.tpl
@@ -1,3 +1,7 @@
+{{- if ne .Release.Namespace "codezero" }}
+{{- fail "The CodeZero orchestrator has to be installed in codezero namespace" }}
+{{- end }}
+
 {{/*
 Expand the name of the chart.
 */}}
@@ -56,8 +60,8 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Pod labels
 */}}
 {{- define "orchestrator.podLabels" -}}
-{{- include "codezero.podLabels" . }}
-{{- include "orchestrator.selectorLabels" . }}
+{{ include "codezero.podLabels" . }}
+{{ include "orchestrator.selectorLabels" . }}
 {{- with .Values.orchestrator.podLabels }}
 {{ . | toYaml }}
 {{- end }}
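Review bot: The Service is hardcoded to `name: codezero` while every other object under `lb/` takes its name from `include "lb.fullname" .`; with the namespace pinned to `codezero` this works for a single release, but a second release in the namespace would silently fight over the Service instead of failing cleanly, and the mismatch with the helper is surprising. Both ports are TLS listeners in the HAProxy config (`bind :8800 ssl …`) yet are named `system-http`/`orchestrator-http`; tooling that infers protocol from the port-name prefix will treat them as plain HTTP, so `system-https`/`orchestrator-https` would be accurate. Finally, `type: LoadBalancer` is the default with no `loadBalancerSourceRanges`, which exposes both listeners to whatever network the cloud load balancer faces; if that is intended, say so in values.yaml, otherwise consider surfacing `loadBalancerSourceRanges` through `.Values.lb.service`.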
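Review bot: The new ServiceAccount is created with defaults, so the HAProxy pod receives a projected API token it has no use for (the container only runs `haproxy -f …` and talks to nothing in the cluster API). Add a top-level `automountServiceAccountToken: false` to the ServiceAccount (or set it on the pod spec in `lb/deployment.yaml`) so a compromised proxy holds no cluster credential; it is a one-line change and the `orchestrator`/`system` accounts may deserve the same review.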
@@ -67,8 +71,7 @@ Pod labels
 Pod annotations
 */}}
 {{- define "orchestrator.podAnnotations" -}}
-{{- include "codezero.podAnnotations" . }}
-checksum/configmap: {{ include (print .Template.BasePath "/orchestrator/configmap.yaml") . | sha1sum }}
+{{ include "codezero.podAnnotations" . }}
 {{- with .Values.orchestrator.podAnnotations }}
 {{ . | toYaml }}
 {{- end }}
@@ -83,4 +86,4 @@ Create the name of the service account to use
 {{- else }}
 {{- default "default" .Values.orchestrator.serviceAccount.name }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/codezero/templates/orchestrator/deployment.yaml b/charts/codezero/templates/orchestrator/deployment.yaml
index b021a9f..4f42842 100644
--- a/charts/codezero/templates/orchestrator/deployment.yaml
+++ b/charts/codezero/templates/orchestrator/deployment.yaml
@@ -1,7 +1,3 @@
-{{- if ne .Release.Namespace "codezero" }}
-{{- fail "The codezero orchestrator has to be installed in codezero namespace" }}
-{{- end }}
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -13,16 +9,12 @@ spec:
   selector:
     matchLabels:
       {{- include "orchestrator.selectorLabels" . | nindent 6 }}
-      {{- include "codezero.externalLBSelectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.orchestrator.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- include "orchestrator.podAnnotations" . | nindent 8 }}
       labels:
-        {{- include "orchestrator.selectorLabels" . | nindent 8 }}
-        {{- include "codezero.externalLBSelectorLabels" . | nindent 8 }}
+        {{- include "orchestrator.podLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ include "orchestrator.serviceAccountName" . }}
       securityContext:
@@ -48,8 +40,6 @@ spec:
           value: /etc/ssl/certs/space/tls.key
         - name: CZ_PORT
           value: '8900'
-        - name: CZ_HTTPS_PORT
-          value: '8901'
         - name: NODE_ENV
           value: 'development'
         - name: DEBUG
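Review bot: Dropping `checksum/configmap` from `orchestrator.podAnnotations` (and from `system.podAnnotations` in `system/_helpers.tpl` in this same commit) means a change to the component's ConfigMap no longer rolls its Deployment, while the new `lb.podAnnotations` keeps exactly this annotation for the LB, so the asymmetry looks accidental. If the orchestrator and system ConfigMaps were removed (their templates are not part of this diff), a sentence in the commit message or a comment in the helper would make that clear; otherwise the line `checksum/configmap: {{ include (print .Template.BasePath "/orchestrator/configmap.yaml") . | sha1sum }}` should stay.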
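Review bot: Removing `codezero.externalLBSelectorLabels` from `spec.selector.matchLabels` changes the selector of an already-deployed Deployment, and `spec.selector` is immutable in `apps/v1`, so `helm upgrade` from chart 0.0.1 will be rejected with a field-is-immutable error for this Deployment and for `system/deployment.yaml`, which receives the same edit. Either document that the upgrade requires deleting the old Deployments first (README or `NOTES.txt`) or keep `codezero.io/externallb: "true"` in the selector for one release cycle and drop it later. The enclosing `spec:` block starts and ends outside this hunk.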
diff --git a/charts/codezero/templates/service.yaml b/charts/codezero/templates/service.yaml
deleted file mode 100644
index e3e9e93..0000000
--- a/charts/codezero/templates/service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "codezero.fullname" . }}
-  labels:
-    {{- include "codezero.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.codezero.service.type }}
-  ports:
-    - port: 8800
-      targetPort: 8800
-      protocol: TCP
-      name: system-http
-    - port: 8901
-      targetPort: 8901
-      protocol: TCP
-      name: orchestrator-https
-  selector:
-    {{- include "codezero.externalLBSelectorLabels" . | nindent 4 }}
diff --git a/charts/codezero/templates/system/_helpers.tpl b/charts/codezero/templates/system/_helpers.tpl
index b9b9166..36a43b4 100644
--- a/charts/codezero/templates/system/_helpers.tpl
+++ b/charts/codezero/templates/system/_helpers.tpl
@@ -1,3 +1,7 @@
+{{- if ne .Release.Namespace "codezero" }}
+{{- fail "The CodeZero system has to be installed in codezero namespace" }}
+{{- end }}
+
 {{/*
 Expand the name of the chart.
 */}}
@@ -56,8 +60,8 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Pod labels
 */}}
 {{- define "system.podLabels" -}}
-{{- include "codezero.podLabels" . }}
-{{- include "system.selectorLabels" . }}
+{{ include "codezero.podLabels" . }}
+{{ include "system.selectorLabels" . }}
 {{- with .Values.system.podLabels }}
 {{ . | toYaml }}
 {{- end }}
@@ -67,8 +71,7 @@ Pod labels
 Pod annotations
 */}}
 {{- define "system.podAnnotations" -}}
-{{- include "codezero.podAnnotations" . }}
-checksum/configmap: {{ include (print .Template.BasePath "/system/configmap.yaml") . | sha1sum }}
+{{ include "codezero.podAnnotations" . }}
 {{- with .Values.system.podAnnotations }}
 {{ . | toYaml }}
 {{- end }}
@@ -83,4 +86,4 @@ Create the name of the service account to use
 {{- else }}
 {{- default "default" .Values.system.serviceAccount.name }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/codezero/templates/system/deployment.yaml b/charts/codezero/templates/system/deployment.yaml
index 04c2aea..a4d05db 100644
--- a/charts/codezero/templates/system/deployment.yaml
+++ b/charts/codezero/templates/system/deployment.yaml
@@ -1,7 +1,3 @@
-{{- if ne .Release.Namespace "codezero" }}
-{{- fail "The codezero system has to be installed in codezero namespace" }}
-{{- end }}
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -13,16 +9,12 @@ spec:
   selector:
     matchLabels:
       {{- include "system.selectorLabels" . | nindent 6 }}
-      {{- include "codezero.externalLBSelectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.system.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- include "system.podAnnotations" . | nindent 8 }}
       labels:
-        {{- include "system.selectorLabels" . | nindent 8 }}
-        {{- include "codezero.externalLBSelectorLabels" . | nindent 8 }}
+        {{- include "system.podLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ include "system.serviceAccountName" . }}
       securityContext:
@@ -47,7 +39,7 @@ spec:
                   key: spaceID
                   optional: true
             - name: CZ_ORCHESTRATOR_AUTHORITY
-              value: "{{ include "orchestrator.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:8900"
+              value: "{{ include "orchestrator.fullname" . }}.{{ .Release.Namespace }}:8900"
             - name: CZ_PORT
               value: "8800"
           envFrom:
diff --git a/charts/codezero/values.yaml b/charts/codezero/values.yaml
index fc088e6..cb016cf 100644
--- a/charts/codezero/values.yaml
+++ b/charts/codezero/values.yaml
@@ -1,4 +1,4 @@
-# Default values for Code Zero.
+# Default values for CodeZero.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
@@ -16,9 +16,6 @@ codezero:
   labels: { }
   podLabels: { }
 
-  service:
-    type: LoadBalancer
-
 system:
   name: system
   image:
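Review bot: The new `CZ_ORCHESTRATOR_AUTHORITY` value `{{ include "orchestrator.fullname" . }}.{{ .Release.Namespace }}:8900` drops the `.svc.cluster.local` suffix, so the name now resolves through the pod's DNS search list instead of as an FQDN; that works with the default cluster DNS but breaks under a custom `dnsPolicy`/`dnsConfig` or a low `ndots`, whereas the old form only broke on a non-default cluster domain. If the goal is to stop hardcoding `cluster.local`, `{{ .Release.Namespace }}.svc:8900` keeps the Service-scoped resolution while remaining domain-agnostic, and a comment such as `# short form: cluster domain is intentionally not hardcoded` would record the intent. The enclosing `env:` list starts and ends outside this hunk.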
@@ -38,12 +35,9 @@ system:
   tolerations: [ ]
   affinity: { }
 
-  serviceAccount: # Specifies whether a service account should be created
+  serviceAccount:
     create: true
-    # Annotations to add to the service account
     annotations: { }
-    # The name of the service account to use.
-    # If not set and create is true, a name is generated using the fullname template
     name: ""
 
 orchestrator:
@@ -65,10 +59,45 @@ orchestrator:
   tolerations: [ ]
   affinity: { }
 
-  serviceAccount: # Specifies whether a service account should be created
+  serviceAccount:
     create: true
-    # Annotations to add to the service account
     annotations: { }
-    # The name of the service account to use.
-    # If not set and create is true, a name is generated using the fullname template
     name: ""
+
+lb:
+  name: lb
+  image:
+    tag: "2.8.1"
+    pullPolicy: Always
+  replicaCount: 1
+
+  podAnnotations: { }
+  labels: { }
+  podLabels: { }
+
+  podSecurityContext: { }
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    allowPrivilegeEscalation: true
+    capabilities:
+      drop:
+        - ALL
+      add:
+        - NET_BIND_SERVICE
+    seccompProfile:
+      type: RuntimeDefault
+
+  resources: { }
+  nodeSelector: { }
+  tolerations: [ ]
+  affinity: { }
+
+  serviceAccount:
+    create: true
+    annotations: { }
+    name: ""
+
+  service:
+    type: LoadBalancer
\ No newline at end of file
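Review bot: `lb.securityContext` sets `allowPrivilegeEscalation: true` and adds `NET_BIND_SERVICE`, but the HAProxy config in this commit binds only `:8800` and `:8900`, both above 1024, so neither is needed; with `runAsNonRoot: true` and `runAsUser: 1000` the container can already open those ports. Set `allowPrivilegeEscalation: false` and delete the `add:` list so the pod satisfies the Pod Security `restricted` profile, which rejects privilege escalation outright. Two smaller points: the `serviceAccount` hunks above delete the explanatory comments (`# Specifies whether a service account should be created`, `# If not set and create is true, a name is generated using the fullname template`) that still describe how `lb.serviceAccountName` behaves, so they are worth keeping on all three blocks; and the file now ends without a trailing newline.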