diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 6952aa96..fd38f858 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -29,6 +29,7 @@ ct.yaml @cloudoperators/greenhouse-backend /kubeconfig-generator/ @Nuckal777 @ivogoman @uwe-mayer /logshipper/ @cloudoperators/greenhouse-observability @cloudoperators/greenhouse-backend /opentelemetry-operator @cloudoperators/greenhouse-observability +/plutono @cloudoperators/greenhouse-observability /service-proxy/ @cloudoperators/greenhouse-backend @databus23 /teams2slack/ @cloudoperators/greenhouse-backend @voigts /thanos/ @cloudoperators/greenhouse-observability diff --git a/plutono/README.md b/plutono/README.md new file mode 100644 index 00000000..24dfaa96 --- /dev/null +++ b/plutono/README.md 
@@ -0,0 +1,564 @@ +--- +title: Plutono +--- + +Installs the web dashboarding system [Plutono](https://github.com/credativ/plutono)to Easily collect, correlate, and visualize Prometheus metrics with beautiful dashboards. + +# Owner + +1. Richard Tief (@richardtief) + +## Quick Start + +This guide provides a quick and straightforward way to deploy Plutono as a Greenhouse Plugin on your Kubernetes cluster. + +**Prerequisites** + +- A running and Greenhouse-managed Kubernetes cluster +- `kube-monitoring` Plugin installed to have at least one Prometheus instance running in the cluster + +The plugin works by factory default with anonymous access enabled. If you use the standard configuration in the kube-monitoring plugin, the data source and some [k8s-monitoring](https://github.com/cloudoperators/k8s-monitoring) dashboards are already pre-installed. + +**Step 1 Add your dashboards** + +Dashboards are selected from `ConfigMaps` across namespaces. The plugin searches for `ConfigMaps` with the label `plutono-dashboard: "true"` and imports them into Plutono. The `ConfigMap` should contain a key like `my-dashboard.json` with the dashboard JSON content. + +**Step 2 Add your datasources** + +Data sources are selected from `Secrets` across namespaces. The plugin searches for `Secrets` with the label `plutono-dashboard: "true"` and imports them into Plutono. The `Secrets` should contain valid datasource configuration YAML like [example-datasource-config-file](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file). 
+ +```yaml + +## Configuration + + +| Parameter | Description | Default | +|-------------------------------------------|-----------------------------------------------|---------------------------------------------------------| +| `plutono.replicas` | Number of nodes | `1` | +| `plutono.podDisruptionBudget.minAvailable` | Pod disruption minimum available | `nil` | +| `plutono.podDisruptionBudget.maxUnavailable` | Pod disruption maximum unavailable | `nil` | +| `plutono.podDisruptionBudget.apiVersion` | Pod disruption apiVersion | `nil` | +| `plutono.deploymentStrategy` | Deployment strategy | `{ "type": "RollingUpdate" }` | +| `plutono.livenessProbe` | Liveness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } "initialDelaySeconds": 60, "timeoutSeconds": 30, "failureThreshold": 10 }` | +| `plutono.readinessProbe` | Readiness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } }`| +| `plutono.securityContext` | Deployment securityContext | `{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}` | +| `plutono.priorityClassName` | Name of Priority Class to assign pods | `nil` | +| `plutono.image.registry` | Image registry | `docker.io` | +| `plutono.image.repository` | Image repository | `plutono/plutono` | +| `plutono.image.tag` | Overrides the Plutono image tag whose default is the chart appVersion (`Must be >= 5.0.0`) | `` | +| `plutono.image.sha` | Image sha (optional) | `` | +| `plutono.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `plutono.image.pullSecrets` | Image pull secrets (can be templated) | `[]` | +| `plutono.service.enabled` | Enable plutono service | `true` | +| `plutono.service.ipFamilies` | Kubernetes service IP families | `[]` | +| `plutono.service.ipFamilyPolicy` | Kubernetes service IP family policy | `""` | +| `plutono.service.type` | Kubernetes service type | `ClusterIP` | +| `plutono.service.port` | Kubernetes port where service is exposed | `80` | +| `plutono.service.portName` | Name of the 
port on the service | `service` | +| `plutono.service.appProtocol` | Adds the appProtocol field to the service | `` | +| `plutono.service.targetPort` | Internal service is port | `3000` | +| `plutono.service.nodePort` | Kubernetes service nodePort | `nil` | +| `plutono.service.annotations` | Service annotations (can be templated) | `{}` | +| `plutono.service.labels` | Custom labels | `{}` | +| `plutono.service.clusterIP` | internal cluster service IP | `nil` | +| `plutono.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `nil` | +| `plutono.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to lb (if supported) | `[]` | +| `plutono.service.externalIPs` | service external IP addresses | `[]` | +| `plutono.service.externalTrafficPolicy` | change the default externalTrafficPolicy | `nil` | +| `plutono.headlessService` | Create a headless service | `false` | +| `plutono.extraExposePorts` | Additional service ports for sidecar containers| `[]` | +| `plutono.hostAliases` | adds rules to the pod's /etc/hosts | `[]` | +| `plutono.ingress.enabled` | Enables Ingress | `false` | +| `plutono.ingress.annotations` | Ingress annotations (values are templated) | `{}` | +| `plutono.ingress.labels` | Custom labels | `{}` | +| `plutono.ingress.path` | Ingress accepted path | `/` | +| `plutono.ingress.pathType` | Ingress type of path | `Prefix` | +| `plutono.ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` | +| `plutono.ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/ingress/annotations/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]` | +| `plutono.ingress.tls` | Ingress TLS configuration | `[]` | +| `plutono.ingress.ingressClassName` | Ingress Class Name. 
MAY be required for Kubernetes versions >= 1.18 | `""` | +| `plutono.resources` | CPU/Memory resource requests/limits | `{}` | +| `plutono.nodeSelector` | Node labels for pod assignment | `{}` | +| `plutono.tolerations` | Toleration labels for pod assignment | `[]` | +| `plutono.affinity` | Affinity settings for pod assignment | `{}` | +| `plutono.extraInitContainers` | Init containers to add to the plutono pod | `{}` | +| `plutono.extraContainers` | Sidecar containers to add to the plutono pod | `""` | +| `plutono.extraContainerVolumes` | Volumes that can be mounted in sidecar containers | `[]` | +| `plutono.extraLabels` | Custom labels for all manifests | `{}` | +| `plutono.schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `plutono.persistence.enabled` | Use persistent volume to store data | `false` | +| `plutono.persistence.type` | Type of persistence (`pvc` or `statefulset`) | `pvc` | +| `plutono.persistence.size` | Size of persistent volume claim | `10Gi` | +| `plutono.persistence.existingClaim` | Use an existing PVC to persist data (can be templated) | `nil` | +| `plutono.persistence.storageClassName` | Type of persistent volume claim | `nil` | +| `plutono.persistence.accessModes` | Persistence access modes | `[ReadWriteOnce]` | +| `plutono.persistence.annotations` | PersistentVolumeClaim annotations | `{}` | +| `plutono.persistence.finalizers` | PersistentVolumeClaim finalizers | `[ "kubernetes.io/pvc-protection" ]` | +| `plutono.persistence.extraPvcLabels` | Extra labels to apply to a PVC. 
| `{}` | +| `plutono.persistence.subPath` | Mount a sub dir of the persistent volume (can be templated) | `nil` | +| `plutono.persistence.inMemory.enabled` | If persistence is not enabled, whether to mount the local storage in-memory to improve performance | `false` | +| `plutono.persistence.inMemory.sizeLimit` | SizeLimit for the in-memory local storage | `nil` | +| `plutono.persistence.disableWarning` | Hide NOTES warning, useful when persiting to a database | `false` | +| `plutono.initChownData.enabled` | If false, don't reset data ownership at startup | true | +| `plutono.initChownData.image.registry` | init-chown-data container image registry | `docker.io` | +| `plutono.initChownData.image.repository` | init-chown-data container image repository | `busybox` | +| `plutono.initChownData.image.tag` | init-chown-data container image tag | `1.31.1` | +| `plutono.initChownData.image.sha` | init-chown-data container image sha (optional)| `""` | +| `plutono.initChownData.image.pullPolicy` | init-chown-data container image pull policy | `IfNotPresent` | +| `plutono.initChownData.resources` | init-chown-data pod resource requests & limits | `{}` | +| `plutono.schedulerName` | Alternate scheduler name | `nil` | +| `plutono.env` | Extra environment variables passed to pods | `{}` | +| `plutono.envValueFrom` | Environment variables from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` | +| `plutono.envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` | +| `plutono.envFromSecrets` | List of Kubernetes secrets (must be manually created in the same namespace) containing values to be added to the environment. 
Can be templated | `[]` | +| `plutono.envFromConfigMaps` | List of Kubernetes ConfigMaps (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `[]` | +| `plutono.envRenderSecret` | Sensible environment variables passed to pods and stored as secret. (passed through [tpl](https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function)) | `{}` | +| `plutono.enableServiceLinks` | Inject Kubernetes services as environment variables. | `true` | +| `plutono.extraSecretMounts` | Additional plutono server secret mounts | `[]` | +| `plutono.extraVolumeMounts` | Additional plutono server volume mounts | `[]` | +| `plutono.extraVolumes` | Additional Plutono server volumes | `[]` | +| `plutono.automountServiceAccountToken` | Mounted the service account token on the plutono pod. Mandatory, if sidecars are enabled | `true` | +| `plutono.createConfigmap` | Enable creating the plutono configmap | `true` | +| `plutono.extraConfigmapMounts` | Additional plutono server configMap volume mounts (values are templated) | `[]` | +| `plutono.extraEmptyDirMounts` | Additional plutono server emptyDir volume mounts | `[]` | +| `plutono.plugins` | Plugins to be loaded along with Plutono | `[]` | +| `plutono.datasources` | Configure plutono datasources (passed through tpl) | `{}` | +| `plutono.alerting` | Configure plutono alerting (passed through tpl) | `{}` | +| `plutono.notifiers` | Configure plutono notifiers | `{}` | +| `plutono.dashboardProviders` | Configure plutono dashboard providers | `{}` | +| `plutono.dashboards` | Dashboards to import | `{}` | +| `plutono.dashboardsConfigMaps` | ConfigMaps reference that contains dashboards | `{}` | +| `plutono.plutono.ini` | Plutono's primary configuration | `{}` | +| `global.imageRegistry` | Global image pull registry for all images. | `null` | +| `global.imagePullSecrets` | Global image pull secrets (can be templated). 
Allows either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). | `[]` | +| `plutono.ldap.enabled` | Enable LDAP authentication | `false` | +| `plutono.ldap.existingSecret` | The name of an existing secret containing the `ldap.toml` file, this must have the key `ldap-toml`. | `""` | +| `plutono.ldap.config` | Plutono's LDAP configuration | `""` | +| `plutono.annotations` | Deployment annotations | `{}` | +| `plutono.labels` | Deployment labels | `{}` | +| `plutono.podAnnotations` | Pod annotations | `{}` | +| `plutono.podLabels` | Pod labels | `{}` | +| `plutono.podPortName` | Name of the plutono port on the pod | `plutono` | +| `plutono.lifecycleHooks` | Lifecycle hooks for podStart and preStop [Example](https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/#define-poststart-and-prestop-handlers) | `{}` | +| `plutono.sidecar.image.registry` | Sidecar image registry | `quay.io` | +| `plutono.sidecar.image.repository` | Sidecar image repository | `kiwigrid/k8s-sidecar` | +| `plutono.sidecar.image.tag` | Sidecar image tag | `1.26.0` | +| `plutono.sidecar.image.sha` | Sidecar image sha (optional) | `""` | +| `plutono.sidecar.imagePullPolicy` | Sidecar image pull policy | `IfNotPresent` | +| `plutono.sidecar.resources` | Sidecar resources | `{}` | +| `plutono.sidecar.securityContext` | Sidecar securityContext | `{}` | +| `plutono.sidecar.enableUniqueFilenames` | Sets the kiwigrid/k8s-sidecar UNIQUE_FILENAMES environment variable. If set to `true` the sidecar will create unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. 
| `false` | +| `plutono.sidecar.alerts.enabled` | Enables the cluster wide search for alerts and adds/updates/deletes them in plutono |`false` | +| `plutono.sidecar.alerts.label` | Label that config maps with alerts should have to be added | `plutono_alert` | +| `plutono.sidecar.alerts.labelValue` | Label value that config maps with alerts should have to be added | `""` | +| `plutono.sidecar.alerts.searchNamespace` | Namespaces list. If specified, the sidecar will search for alerts config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `plutono.sidecar.alerts.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `plutono.sidecar.alerts.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `plutono.sidecar.alerts.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/alerting/reload"` | +| `plutono.sidecar.alerts.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `plutono.sidecar.alerts.initAlerts` | Set to true to deploy the alerts sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time. | `false` | +| `plutono.sidecar.alerts.extraMounts` | Additional alerts sidecar volume mounts. 
| `[]` | +| `plutono.sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in plutono | `false` | +| `plutono.sidecar.dashboards.SCProvider` | Enables creation of sidecar provider | `true` | +| `plutono.sidecar.dashboards.provider.name` | Unique name of the plutono provider | `sidecarProvider` | +| `plutono.sidecar.dashboards.provider.orgid` | Id of the organisation, to which the dashboards should be added | `1` | +| `plutono.sidecar.dashboards.provider.folder` | Logical folder in which plutono groups dashboards | `""` | +| `plutono.sidecar.dashboards.provider.folderUid` | Allows you to specify the static UID for the logical folder above | `""` | +| `plutono.sidecar.dashboards.provider.disableDelete` | Activate to avoid the deletion of imported dashboards | `false` | +| `plutono.sidecar.dashboards.provider.allowUiUpdates` | Allow updating provisioned dashboards from the UI | `false` | +| `plutono.sidecar.dashboards.provider.type` | Provider type | `file` | +| `plutono.sidecar.dashboards.provider.foldersFromFilesStructure` | Allow Plutono to replicate dashboard structure from filesystem. | `false` | +| `plutono.sidecar.dashboards.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `plutono.sidecar.skipTlsVerify` | Set to true to skip tls verification for kube api calls | `nil` | +| `plutono.sidecar.dashboards.label` | Label that config maps with dashboards should have to be added | `plutono_dashboard` | +| `plutono.sidecar.dashboards.labelValue` | Label value that config maps with dashboards should have to be added | `""` | +| `plutono.sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. 
| `/tmp/dashboards` | +| `plutono.sidecar.dashboards.folderAnnotation` | The annotation the sidecar will look for in configmaps to override the destination folder for files | `nil` | +| `plutono.sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` | +| `plutono.sidecar.dashboards.searchNamespace` | Namespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `plutono.sidecar.dashboards.script` | Absolute path to shell script to execute after a configmap got reloaded. | `nil` | +| `plutono.sidecar.dashboards.reloadURL` | Full url of dashboards configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/dashboards/reload"` | +| `plutono.sidecar.dashboards.skipReload` | Enabling this omits defining the REQ_USERNAME, REQ_PASSWORD, REQ_URL and REQ_METHOD environment variables | `false` | +| `plutono.sidecar.dashboards.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `plutono.sidecar.dashboards.extraMounts` | Additional dashboard sidecar volume mounts. | `[]` | +| `plutono.sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in plutono |`false` | +| `plutono.sidecar.datasources.label` | Label that config maps with datasources should have to be added | `plutono_datasource` | +| `plutono.sidecar.datasources.labelValue` | Label value that config maps with datasources should have to be added | `""` | +| `plutono.sidecar.datasources.searchNamespace` | Namespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces. 
Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `plutono.sidecar.datasources.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `plutono.sidecar.datasources.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `plutono.sidecar.datasources.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/datasources/reload"` | +| `plutono.sidecar.datasources.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `plutono.sidecar.datasources.initDatasources` | Set to true to deploy the datasource sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any datasources defined at startup time. | `false` | +| `plutono.sidecar.notifiers.enabled` | Enables the cluster wide search for notifiers and adds/updates/deletes them in plutono | `false` | +| `plutono.sidecar.notifiers.label` | Label that config maps with notifiers should have to be added | `plutono_notifier` | +| `plutono.sidecar.notifiers.labelValue` | Label value that config maps with notifiers should have to be added | `""` | +| `plutono.sidecar.notifiers.searchNamespace` | Namespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `plutono.sidecar.notifiers.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. 
| `WATCH` | +| `plutono.sidecar.notifiers.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `plutono.sidecar.notifiers.reloadURL` | Full url of notifier configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/notifications/reload"` | +| `plutono.sidecar.notifiers.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `plutono.sidecar.notifiers.initNotifiers` | Set to true to deploy the notifier sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any notifiers defined at startup time. | `false` | +| `plutono.smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. | `""` | +| `plutono.smtp.userKey` | The key in the existing SMTP secret containing the username. | `"user"` | +| `plutono.smtp.passwordKey` | The key in the existing SMTP secret containing the password. | `"password"` | +| `plutono.admin.existingSecret` | The name of an existing secret containing the admin credentials (can be templated). | `""` | +| `plutono.admin.userKey` | The key in the existing admin secret containing the username. | `"admin-user"` | +| `plutono.admin.passwordKey` | The key in the existing admin secret containing the password. 
| `"admin-password"` | +| `plutono.serviceAccount.automountServiceAccountToken` | Automount the service account token on all pods where is service account is used | `false` | +| `plutono.serviceAccount.annotations` | ServiceAccount annotations | | +| `plutono.serviceAccount.create` | Create service account | `true` | +| `plutono.serviceAccount.labels` | ServiceAccount labels | `{}` | +| `plutono.serviceAccount.name` | Service account name to use, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `` | +| `plutono.serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `nil` | +| `plutono.rbac.create` | Create and use RBAC resources | `true` | +| `plutono.rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the plutono instance | `false` | +| `plutono.rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` | +| `plutono.rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `false` | +| `plutono.rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `false` | +| `plutono.rbac.extraRoleRules` | Additional rules to add to the Role | [] | +| `plutono.rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] | +| `plutono.command` | Define command to be executed by plutono container at startup | `nil` | +| `plutono.args` | Define additional args if command is used | `nil` | +| `plutono.testFramework.enabled` | Whether to create test-related resources | `true` | +| `plutono.testFramework.image.registry` | `test-framework` image registry. | `docker.io` | +| `plutono.testFramework.image.repository` | `test-framework` image repository. 
| `bats/bats` | +| `plutono.testFramework.image.tag` | `test-framework` image tag. | `v1.4.1` | +| `plutono.testFramework.imagePullPolicy` | `test-framework` image pull policy. | `IfNotPresent` | +| `plutono.testFramework.securityContext` | `test-framework` securityContext | `{}` | +| `plutono.downloadDashboards.env` | Environment variables to be passed to the `download-dashboards` container | `{}` | +| `plutono.downloadDashboards.envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` | +| `plutono.downloadDashboards.resources` | Resources of `download-dashboards` container | `{}` | +| `plutono.downloadDashboardsImage.registry` | Curl docker image registry | `docker.io` | +| `plutono.downloadDashboardsImage.repository` | Curl docker image repository | `curlimages/curl` | +| `plutono.downloadDashboardsImage.tag` | Curl docker image tag | `7.73.0` | +| `plutono.downloadDashboardsImage.sha` | Curl docker image sha (optional) | `""` | +| `plutono.downloadDashboardsImage.pullPolicy` | Curl docker image pull policy | `IfNotPresent` | +| `plutono.namespaceOverride` | Override the deployment namespace | `""` (`Release.Namespace`) | +| `plutono.serviceMonitor.enabled` | Use servicemonitor from prometheus operator | `false` | +| `plutono.serviceMonitor.namespace` | Namespace this servicemonitor is installed in | | +| `plutono.serviceMonitor.interval` | How frequently Prometheus should scrape | `1m` | +| `plutono.serviceMonitor.path` | Path to scrape | `/metrics` | +| `plutono.serviceMonitor.scheme` | Scheme to use for metrics scraping | `http` | +| `plutono.serviceMonitor.tlsConfig` | TLS configuration block for the endpoint | `{}` | +| `plutono.serviceMonitor.labels` | Labels for the servicemonitor passed to Prometheus Operator | `{}` | +| `plutono.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `30s` | +| 
`plutono.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `plutono.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion. | `[]` | +| `plutono.revisionHistoryLimit` | Number of old ReplicaSets to retain | `10` | +| `plutono.networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` | +| `plutono.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `plutono.networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | +| `plutono.networkPolicy.ingress` | Enable the creation of an ingress network policy | `true` | +| `plutono.networkPolicy.egress.enabled` | Enable the creation of an egress network policy | `false` | +| `plutono.networkPolicy.egress.ports` | An array of ports to allow for the egress | `[]` | +| `plutono.enableKubeBackwardCompatibility` | Enable backward compatibility of kubernetes where pod's definition version below 1.13 doesn't have the enableServiceLinks option | `false` | + +### Example ingress with path + +With plutono 6.3 and above + +```yaml +plutono.ini: + server: + domain: monitoring.example.com + root_url: "%(protocol)s://%(domain)s/plutono" + serve_from_sub_path: true +ingress: + enabled: true + hosts: + - "monitoring.example.com" + path: "/plutono" +``` + +### Example of extraVolumeMounts and extraVolumes + +Configure additional volumes with `extraVolumes` and volume mounts with `extraVolumeMounts`. 
+ +Example for `extraVolumeMounts` and corresponding `extraVolumes`: + +```yaml +extraVolumeMounts: + - name: plugins + mountPath: /var/lib/plutono/plugins + subPath: configs/plutono/plugins + readOnly: false + - name: dashboards + mountPath: /var/lib/plutono/dashboards + hostPath: /usr/shared/plutono/dashboards + readOnly: false + +extraVolumes: + - name: plugins + existingClaim: existing-plutono-claim + - name: dashboards + hostPath: /usr/shared/plutono/dashboards +``` + +Volumes default to `emptyDir`. Set to `persistentVolumeClaim`, +`hostPath`, `csi`, or `configMap` for other types. For a +`persistentVolumeClaim`, specify an existing claim name with +`existingClaim`. + +## Import dashboards + +There are a few methods to import dashboards to Plutono. Below are some examples and explanations as to how to use each method: + +```yaml +dashboards: + default: + some-dashboard: + json: | + { + "annotations": + + ... + # Complete json file here + ... + + "title": "Some Dashboard", + "uid": "abcd1234", + "version": 1 + } + custom-dashboard: + # This is a path to a file inside the dashboards directory inside the chart directory + file: dashboards/custom-dashboard.json + prometheus-stats: + # Ref: https://plutono.com/dashboards/2 + gnetId: 2 + revision: 2 + datasource: Prometheus + loki-dashboard-quick-search: + gnetId: 12019 + revision: 2 + datasource: + - name: DS_PROMETHEUS + value: Prometheus + - name: DS_LOKI + value: Loki + local-dashboard: + url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json +``` + +## BASE64 dashboards + +Dashboards could be stored on a server that does not return JSON directly and instead of it returns a Base64 encoded file (e.g. Gerrit) +A new parameter has been added to the url use case so if you specify a b64content value equals to true after the url entry a Base64 decoding is applied before save the file to disk. 
+If this entry is not set or is equals to false not decoding is applied to the file before saving it to disk. + +### Gerrit use case + +Gerrit API for download files has the following schema: where {project-name} and +{file-id} usually has '/' in their values and so they MUST be replaced by %2F so if project-name is user/repo, branch-id is master and file-id is equals to dir1/dir2/dashboard +the url value is + +## Sidecar for dashboards + +If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the plutono +pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with +a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written +to a folder and accessed by plutono. Changes to the configmaps are monitored and the imported +dashboards are deleted/updated. + +A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside +one configmap is currently not properly mirrored in plutono. + +#### Example dashboard config: + +*Folder structure:* +```bash +dashboards/ +├── dashboard1.json +├── dashboard2.json +dashboard-json-configmap.yaml +``` + +*Helm template to create a configmap for each dashboard:* +```yaml +{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} +--- +apiVersion: v1 +kind: ConfigMap + +metadata: + name: {{ printf "%s-%s" $.Release.Name $path | replace "/" "-" | trunc 63 }} + labels: + plutono-dashboard: "true" + +data: +{{ printf "%s: |-" $path | replace "/" "-" | indent 2 }} +{{ printf "%s" $bytes | indent 4 }} + +{{- end }} +``` + +## Sidecar for datasources + +If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the plutono +pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and +filters out the ones with a label as defined in `sidecar.datasources.label`. 
The files defined in +those secrets are written to a folder and accessed by plutono on startup. Using these yaml files, +the data sources in plutono can be imported. + +Should you aim for reloading datasources in Plutono each time the config is changed, set `sidecar.datasources.skipReload: false` and adjust `sidecar.datasources.reloadURL` to `http://..svc.cluster.local/api/admin/provisioning/datasources/reload`. + +Secrets are recommended over configmaps for this usecase because datasources usually contain private +data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those. + +Example values to add a postgres datasource as a kubernetes secret: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: plutono-datasources + labels: + plutono-datasource: "true" # default value for: sidecar.datasources.label +stringData: + pg-db.yaml: |- + apiVersion: 1 + datasources: + - name: My pg db datasource + type: postgres + url: my-postgresql-db:5432 + user: db-readonly-user + secureJsonData: + password: 'SUperSEcretPa$$word' + jsonData: + database: my_datase + sslmode: 'disable' # disable/require/verify-ca/verify-full + maxOpenConns: 0 # Plutono v5.4+ + maxIdleConns: 2 # Plutono v5.4+ + connMaxLifetime: 14400 # Plutono v5.4+ + postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10 + timescaledb: false + # allow users to edit datasources from the UI. + editable: false +``` + +Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file): + +```yaml +datasources: + datasources.yaml: + apiVersion: 1 + datasources: + # name of the datasource. Required + - name: Graphite + # datasource type. Required + type: graphite + # access mode. proxy or direct (Server or Browser in the UI). Required + access: proxy + # org id. 
will default to orgId 1 if not specified + orgId: 1 + # url + url: http://localhost:8080 + # database password, if used + password: + # database user, if used + user: + # database name, if used + database: + # enable/disable basic auth + basicAuth: + # basic auth username + basicAuthUser: + # basic auth password + basicAuthPassword: + # enable/disable with credentials headers + withCredentials: + # mark as default datasource. Max one per org + isDefault: + # fields that will be converted to json and stored in json_data + jsonData: + graphiteVersion: "1.1" + tlsAuth: true + tlsAuthWithCACert: true + # json object of data that will be encrypted. + secureJsonData: + tlsCACert: "..." + tlsClientCert: "..." + tlsClientKey: "..." + version: 1 + # allow users to edit datasources from the UI. + editable: false +``` + +## How to serve Plutono with a path prefix (/plutono) + +In order to serve Plutono with a prefix (e.g., ), add the following to your values.yaml. + +```yaml +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/use-regex: "true" + + path: /plutono/?(.*) + hosts: + - k8s.example.dev + +plutono.ini: + server: + root_url: http://localhost:3000/plutono # this host can be localhost +``` + +## How to securely reference secrets in plutono.ini + +This example uses Plutono [file providers](https://plutono.com/docs/plutono/latest/administration/configuration/#file-provider) for secret values and the `extraSecretMounts` configuration flag (Additional plutono server secret mounts) to mount the secrets. 
+ +In plutono.ini: + +```yaml +plutono.ini: + [auth.generic_oauth] + enabled = true + client_id = $__file{/etc/secrets/auth_generic_oauth/client_id} + client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret} +``` + +Existing secret, or created along with helm: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: auth-generic-oauth-secret +type: Opaque +stringData: + client_id: + client_secret: +``` + +Include in the `extraSecretMounts` configuration flag: + +```yaml +- extraSecretMounts: + - name: auth-generic-oauth-secret-mount + secretName: auth-generic-oauth-secret + defaultMode: 0440 + mountPath: /etc/secrets/auth_generic_oauth + readOnly: true +``` + +### extraSecretMounts using a Container Storage Interface (CSI) provider + +This example uses a CSI driver e.g. retrieving secrets using [Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure) + +```yaml +- extraSecretMounts: + - name: secrets-store-inline + mountPath: /run/secrets + readOnly: true + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "my-provider" + nodePublishSecretRef: + name: akv-creds +``` + diff --git a/plutono/charts/Chart.yaml b/plutono/charts/Chart.yaml new file mode 100644 index 00000000..75fe9ae2 --- /dev/null +++ b/plutono/charts/Chart.yaml @@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v2 +name: plutono +version: 0.1.0 +description: Plutono is a fork of Grafana v7.5.17 keeping the Apache License +type: application +maintainers: + - name: Richard Tief (I520251) + email: richard.tief@sap.com +name: plutono +appVersion: v7.5.32 +sources: + - ghcr.io/cloudoperators/greenhouse-extensions +keywords: + - visualization + - querying + diff --git a/plutono/charts/templates/NOTES.txt b/plutono/charts/templates/NOTES.txt new file mode 100644 index 00000000..6c16a723 
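Review bot: the value paths in this README do not match the chart's templates, which read everything under a `plutono.` prefix (`index .Values.plutono "plutono.ini"`, `.Values.plutono.sidecar.datasources.label`, `.Values.plutono.ingress.enabled`), so `sidecar.dashboards.enabled`, the top-level `ingress:` / `plutono.ini:` snippets in the path-prefix section and the `extraSecretMounts` snippets as written are silently ignored; nest them under `plutono:`. The "securely reference secrets" example has a second problem: it writes `plutono.ini` in INI syntax (`[auth.generic_oauth]` / `enabled = true`), but `_config.tpl` renders that key as a map of section maps, so it has to be YAML such as `plutono.ini:` / `  auth.generic_oauth:` / `    client_secret: "$__file{/etc/secrets/auth_generic_oauth/client_secret}"`, which is also the form `plutono.assertNoLeakedSecrets` accepts. Smaller gaps to close before merge: the reload URL `http://..svc.cluster.local/api/admin/provisioning/datasources/reload` is missing the service name and namespace, and since it sits under `/api/admin/` the sidecar needs admin credentials to call it, which the text does not mention; the Gerrit section ("has the following schema:") and the path-prefix section ("a prefix (e.g., )") both lost their example URL; the postgres example ships `sslmode: 'disable'` next to a DB password and a typo `database: my_datase`, and should default to `verify-full`; the Graphite example still uses top-level `password:` / `basicAuthPassword:`, which belong under `secureJsonData` so they are stored encrypted rather than in plain json_data; and the `plutono.com/docs/...` links are rewritten grafana.com URLs that should be verified to resolve.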
--- /dev/null +++ b/plutono/charts/templates/NOTES.txt 
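Review bot: `Chart.yaml` declares `name: plutono` twice (once after `apiVersion: v2`, again after `maintainers`), which is a duplicate YAML key; drop the second. The `description` says the fork tracks Grafana v7.5.17 while `appVersion` is v7.5.32, so one of the two statements is stale. `sources:` is meant for source-code URLs (the fork's upstream repository and this chart's repository), not the OCI path `ghcr.io/cloudoperators/greenhouse-extensions`, and the maintainer entry carries an internal user ID `(I520251)` that should not be published in a public chart.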
@@ -0,0 +1,55 @@ +1. Get your '{{ .Values.plutono.adminUser }}' user password by running: + + kubectl get secret --namespace {{ include "plutono.namespace" . }} {{ .Values.plutono.admin.existingSecret | default (include "plutono.fullname" .) }} -o jsonpath="{.data.{{ .Values.plutono.admin.passwordKey | default "admin-password" }}}" | base64 --decode ; echo + + +2. The Plutono server can be accessed via port {{ .Values.plutono.service.port }} on the following DNS name from within your cluster: + + {{ include "plutono.fullname" . }}.{{ include "plutono.namespace" . }}.svc.cluster.local +{{ if .Values.plutono.ingress.enabled }} + If you bind plutono to 80, please update values in values.yaml and reinstall: + ``` + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + + command: + - "setcap" + - "'cap_net_bind_service=+ep'" + - "/usr/sbin/plutono-server &&" + - "sh" + - "/run.sh" + ``` + Details refer to https://plutono.com/docs/installation/configuration/#http-port. + Or plutono would always crash. + + From outside the cluster, the server URL(s) are: + {{- range .Values.plutono.ingress.hosts }} + http://{{ . }} + {{- end }} +{{- else }} + Get the Plutono URL to visit by running these commands in the same shell: + {{- if contains "NodePort" .Values.plutono.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "plutono.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "plutono.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "plutono.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT + {{- else if contains "LoadBalancer" .Values.plutono.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ include "plutono.namespace" . }} -w {{ include "plutono.fullname" . 
}}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "plutono.namespace" . }} {{ include "plutono.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + http://$SERVICE_IP:{{ .Values.plutono.service.port -}} + {{- else if contains "ClusterIP" .Values.plutono.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "plutono.namespace" . }} -l "app.kubernetes.io/name={{ include "plutono.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ include "plutono.namespace" . }} port-forward $POD_NAME 3000 + {{- end }} +{{- end }} + +3. Login with the password from step 1 and the username: {{ .Values.plutono.adminUser }} + +{{- if and (not .Values.plutono.persistence.enabled) (not .Values.plutono.persistence.disableWarning) }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the Plutono pod is terminated. ##### +################################################################################# +{{- end }} diff --git a/plutono/charts/templates/_config.tpl b/plutono/charts/templates/_config.tpl new file mode 100644 index 00000000..6e0ccebd --- /dev/null +++ b/plutono/charts/templates/_config.tpl 
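Review bot: the "If you bind plutono to 80" block in NOTES.txt instructs users to set `runAsUser: 0` / `runAsGroup: 0` / `fsGroup: 0` and run `setcap`, i.e. to run Plutono as root, which is unnecessary: the Service already fronts the container on `{{ .Values.plutono.service.port }}` and the ClusterIP path forwards to 3000, so the listener never has to be 80. If someone really needs a privileged port, `capabilities: add: [NET_BIND_SERVICE]` in the container `securityContext` does it without root. The command would not work as written anyway: `- "'cap_net_bind_service=+ep'"` passes the single quotes literally to `setcap`, and `- "/usr/sbin/plutono-server &&"` hands `&&` to `setcap` as an argument instead of chaining a second command. Suggest removing the block, and checking the `https://plutono.com/docs/installation/configuration/#http-port` link, which is a rewritten grafana.com URL, rather than repairing it.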
@@ -0,0 +1,172 @@ +{{/* + Generate config map data + */}} +{{- define "plutono.configData" -}} +{{ include "plutono.assertNoLeakedSecrets" . }} +{{- $files := .Files }} +{{- $root := . -}} +{{- with .Values.plutono.plugins }} +plugins: {{ join "," . }} +{{- end }} +plutono.ini: | +{{- range $elem, $elemVal := index .Values.plutono "plutono.ini" }} + {{- if not (kindIs "map" $elemVal) }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} +{{- end }} +{{- range $key, $value := index .Values.plutono "plutono.ini" }} + {{- if kindIs "map" $value }} + [{{ $key }}] + {{- range $elem, $elemVal := $value }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- range $key, $value := .Values.plutono.datasources }} +{{- if not (hasKey $value "secret") }} +{{ $key }}: | + {{- tpl (toYaml $value | nindent 2) $root }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.plutono.notifiers }} +{{- if not (hasKey $value "secret") }} +{{ $key }}: | + {{- toYaml $value | nindent 2 }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.plutono.alerting }} +{{- if (hasKey $value "file") }} +{{ $key }}: +{{- toYaml ( $files.Get $value.file ) | nindent 2 }} +{{- else if (or (hasKey $value "secret") (hasKey $value "secretFile"))}} +{{/* will be stored inside secret generated by "configSecret.yaml"*/}} +{{- else }} +{{ $key }}: | + {{- tpl (toYaml $value | nindent 2) $root }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.plutono.dashboardProviders }} +{{ $key }}: | + {{- toYaml $value | nindent 2 }} +{{- end }} + +{{- if .Values.plutono.dashboards }} +download_dashboards.sh: | + #!/usr/bin/env sh + set -euf + {{- if 
.Values.plutono.dashboardProviders }} + {{- range $key, $value := .Values.plutono.dashboardProviders }} + {{- range $value.providers }} + mkdir -p {{ .options.path }} + {{- end }} + {{- end }} + {{- end }} +{{ $dashboardProviders := .Values.plutono.dashboardProviders }} +{{- range $provider, $dashboards := .Values.plutono.dashboards }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} + curl -skf \ + --connect-timeout 60 \ + --max-time 60 \ + {{- if not $value.b64content }} + {{- if not $value.acceptHeader }} + -H "Accept: application/json" \ + {{- else }} + -H "Accept: {{ $value.acceptHeader }}" \ + {{- end }} + {{- if $value.token }} + -H "Authorization: token {{ $value.token }}" \ + {{- end }} + {{- if $value.bearerToken }} + -H "Authorization: Bearer {{ $value.bearerToken }}" \ + {{- end }} + {{- if $value.basic }} + -H "Authorization: Basic {{ $value.basic }}" \ + {{- end }} + {{- if $value.gitlabToken }} + -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \ + {{- end }} + -H "Content-Type: application/json;charset=UTF-8" \ + {{- end }} + {{- $dpPath := "" -}} + {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }} + {{- if eq $kd.name $provider }} + {{- $dpPath = $kd.options.path }} + {{- end }} + {{- end }} + {{- if $value.url }} + "{{ $value.url }}" \ + {{- else }} + "https://plutono.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \ + {{- end }} + {{- if $value.datasource }} + {{- if kindIs "string" $value.datasource }} + | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \ + {{- end }} + {{- if kindIs "slice" $value.datasource }} + {{- range $value.datasource }} + | sed '/-- .* --/! 
s/${{"{"}}{{ .name }}}/{{ .value }}/g' \ + {{- end }} + {{- end }} + {{- end }} + {{- if $value.b64content }} + | base64 -d \ + {{- end }} + > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/plutono/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" + {{ end }} + {{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Generate dashboard json config map data + */}} +{{- define "plutono.configDashboardProviderData" -}} +provider.yaml: |- + apiVersion: 1 + providers: + - name: '{{ .Values.plutono.sidecar.dashboards.provider.name }}' + orgId: {{ .Values.plutono.sidecar.dashboards.provider.orgid }} + {{- if not .Values.plutono.sidecar.dashboards.provider.foldersFromFilesStructure }} + folder: '{{ .Values.plutono.sidecar.dashboards.provider.folder }}' + folderUid: '{{ .Values.plutono.sidecar.dashboards.provider.folderUid }}' + {{- end }} + type: {{ .Values.plutono.sidecar.dashboards.provider.type }} + disableDeletion: {{ .Values.plutono.sidecar.dashboards.provider.disableDelete }} + allowUiUpdates: {{ .Values.plutono.sidecar.dashboards.provider.allowUiUpdates }} + updateIntervalSeconds: {{ .Values.plutono.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} + options: + foldersFromFilesStructure: {{ .Values.plutono.sidecar.dashboards.provider.foldersFromFilesStructure }} + path: {{ .Values.plutono.sidecar.dashboards.folder }}{{- with .Values.plutono.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} +{{- end -}} + +{{- define "plutono.secretsData" -}} +{{- if and (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.plutono.admin.existingSecret) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) }} +admin-user: {{ .Values.plutono.adminUser | b64enc | quote }} +{{- if .Values.plutono.adminPassword }} +admin-password: {{ .Values.plutono.adminPassword | b64enc | quote }} +{{- else }} +admin-password: {{ include "plutono.password" . 
}} +{{- end }} +{{- end }} +{{- if not .Values.plutono.ldap.existingSecret }} +ldap-toml: {{ tpl .Values.plutono.ldap.config $ | b64enc | quote }} +{{- end }} +{{- end -}} diff --git a/plutono/charts/templates/_helpers.tpl b/plutono/charts/templates/_helpers.tpl new file mode 100644 index 00000000..0d68384c --- /dev/null +++ b/plutono/charts/templates/_helpers.tpl 
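Review bot: `download_dashboards.sh` in `plutono.configData` fetches dashboards with `curl -skf`, and the `-k` disables certificate verification on every download while the same request carries `Authorization: token ...`, `Authorization: Bearer ...`, `Authorization: Basic ...` or `PRIVATE-TOKEN: ...` headers built from values, so an on-path attacker can both read the token and serve arbitrary dashboard JSON; drop `-k`, or make it an explicit per-dashboard opt-in. The tokens themselves are rendered verbatim into the script, which lives in a ConfigMap, so anyone with ConfigMap read access can read them; `_pod.tpl` already wires `downloadDashboards.envFromSecret` into the init container, so the script should reference environment variables instead of inlining `token`, `bearerToken`, `basic` and `gitlabToken`, and until then the README should say these land in a ConfigMap. Related: `.Values.plutono.datasources` and `.Values.plutono.notifiers` entries without a `secret` key are written into the same ConfigMap, `secureJsonData` included, but `plutono.assertNoLeakedSecrets` only scans `plutono.ini`, so a datasource password passes the leak check and ends up in plain text. Finally, `https://plutono.com/api/dashboards/{{ $value.gnetId }}/revisions/.../download` is the grafana.com path with the host rewritten; unless that host really serves it, `set -euf` together with `-f` makes the init container fail on the first `gnetId` dashboard.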
@@ -0,0 +1,256 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "plutono.name" -}} +{{- default .Chart.Name .Values.plutono.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "plutono.fullname" -}} +{{- if .Values.plutono.fullnameOverride }} +{{- .Values.plutono.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.plutono.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "plutono.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create the name of the service account +*/}} +{{- define "plutono.serviceAccountName" -}} +{{- if .Values.plutono.serviceAccount.create }} +{{- default (include "plutono.fullname" .) .Values.plutono.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.plutono.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "plutono.serviceAccountNameTest" -}} +{{- if .Values.plutono.serviceAccount.create }} +{{- default (print (include "plutono.fullname" .) 
"-test") .Values.plutono.serviceAccount.nameTest }} +{{- else }} +{{- default "default" .Values.plutono.serviceAccount.nameTest }} +{{- end }} +{{- end }} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "plutono.namespace" -}} +{{- if .Values.plutono.namespaceOverride }} +{{- .Values.plutono.namespaceOverride }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "plutono.labels" -}} +helm.sh/chart: {{ include "plutono.chart" . }} +{{ include "plutono.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.plutono.image.tag }} +app.kubernetes.io/version: {{ mustRegexReplaceAllLiteral "@sha.*" .Values.plutono.image.tag "" | default .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.plutono.extraLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "plutono.selectorLabels" -}} +app.kubernetes.io/name: {{ include "plutono.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Looks if there's an existing secret and reuse its password. If not it generates +new password and use it. +*/}} +{{- define "plutono.password" -}} +{{- $secret := (lookup "v1" "Secret" (include "plutono.namespace" .) (include "plutono.fullname" .) ) }} +{{- if $secret }} +{{- index $secret "data" "admin-password" }} +{{- else }} +{{- (randAlphaNum 40) | b64enc | quote }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "plutono.rbac.apiVersion" -}} +{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" }} +{{- else }} +{{- print "rbac.authorization.k8s.io/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for ingress. 
+*/}} +{{- define "plutono.ingress.apiVersion" -}} +{{- if and ($.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) }} +{{- print "networking.k8s.io/v1" }} +{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +{{- print "networking.k8s.io/v1beta1" }} +{{- else }} +{{- print "extensions/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "plutono.hpa.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +{{- print "autoscaling/v2" }} +{{- else }} +{{- print "autoscaling/v2beta2" }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for podDisruptionBudget. +*/}} +{{- define "plutono.podDisruptionBudget.apiVersion" -}} +{{- if $.Values.plutono.podDisruptionBudget.apiVersion }} +{{- print $.Values.plutono.podDisruptionBudget.apiVersion }} +{{- else if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +{{- print "policy/v1" }} +{{- else }} +{{- print "policy/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Return if ingress is stable. +*/}} +{{- define "plutono.ingress.isStable" -}} +{{- eq (include "plutono.ingress.apiVersion" .) "networking.k8s.io/v1" }} +{{- end }} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "plutono.ingress.supportsIngressClassName" -}} +{{- or (eq (include "plutono.ingress.isStable" .) "true") (and (eq (include "plutono.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }} +{{- end }} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "plutono.ingress.supportsPathType" -}} +{{- or (eq (include "plutono.ingress.isStable" .) "true") (and (eq (include "plutono.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }} +{{- end }} + +{{/* +Formats imagePullSecrets. 
Input is (dict "root" . "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "plutono.imagePullSecrets" -}} +{{- $root := .root }} +{{- range (concat .root.Values.global.imagePullSecrets .imagePullSecrets) }} +{{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml (dict "name" (tpl .name $root)) | trim }} +{{- else }} +- name: {{ tpl . $root }} +{{- end }} +{{- end }} +{{- end }} + + +{{/* + Checks whether or not the configSecret secret has to be created + */}} +{{- define "plutono.shouldCreateConfigSecret" -}} +{{- $secretFound := false -}} +{{- range $key, $value := .Values.plutono.datasources }} + {{- if hasKey $value "secret" }} + {{- $secretFound = true}} + {{- end }} +{{- end }} +{{- range $key, $value := .Values.plutono.notifiers }} + {{- if hasKey $value "secret" }} + {{- $secretFound = true}} + {{- end }} +{{- end }} +{{- range $key, $value := .Values.plutono.alerting }} + {{- if (or (hasKey $value "secret") (hasKey $value "secretFile")) }} + {{- $secretFound = true}} + {{- end }} +{{- end }} +{{- $secretFound}} +{{- end -}} + +{{/* + Checks whether the user is attempting to store secrets in plaintext + in the plutono.ini configmap +*/}} +{{/* plutono.assertNoLeakedSecrets checks for sensitive keys in values */}} +{{- define "plutono.assertNoLeakedSecrets" -}} + {{- $sensitiveKeysYaml := ` +sensitiveKeys: +- path: ["database", "password"] +- path: ["smtp", "password"] +- path: ["security", "secret_key"] +- path: ["security", "admin_password"] +- path: ["auth.basic", "password"] +- path: ["auth.ldap", "bind_password"] +- path: ["auth.google", "client_secret"] +- path: ["auth.github", "client_secret"] +- path: ["auth.gitlab", "client_secret"] +- path: ["auth.generic_oauth", "client_secret"] +- path: ["auth.okta", "client_secret"] +- path: ["auth.azuread", "client_secret"] +- path: ["auth.plutono_com", "client_secret"] +- path: ["auth.plutononet", "client_secret"] +- path: ["azure", "user_identity_client_secret"] +- path: 
["unified_alerting", "ha_redis_password"] +- path: ["metrics", "basic_auth_password"] +- path: ["external_image_storage.s3", "secret_key"] +- path: ["external_image_storage.webdav", "password"] +- path: ["external_image_storage.azure_blob", "account_key"] +` | fromYaml -}} + {{- if $.Values.plutono.assertNoLeakedSecrets -}} + {{- $plutonoIni := index .Values.plutono "plutono.ini" -}} + {{- range $_, $secret := $sensitiveKeysYaml.sensitiveKeys -}} + {{- $currentMap := $plutonoIni -}} + {{- $shouldContinue := true -}} + {{- range $index, $elem := $secret.path -}} + {{- if and $shouldContinue (hasKey $currentMap $elem) -}} + {{- if eq (len $secret.path) (add1 $index) -}} + {{- if not (regexMatch "\\$(?:__(?:env|file|vault))?{[^}]+}" (index $currentMap $elem)) -}} + {{- fail (printf "Sensitive key '%s' should not be defined explicitly in values. Use variable expansion instead. You can disable this client-side validation by changing the value of assertNoLeakedSecrets." (join "." $secret.path)) -}} + {{- end -}} + {{- else -}} + {{- $currentMap = index $currentMap $elem -}} + {{- end -}} + {{- else -}} + {{- $shouldContinue = false -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/plutono/charts/templates/_pod.tpl b/plutono/charts/templates/_pod.tpl new file mode 100644 index 00000000..b176d611 --- /dev/null +++ b/plutono/charts/templates/_pod.tpl 
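Review bot: `plutono.password` relies on `lookup`, which returns nothing under `helm template`, `--dry-run` and most GitOps renderers, so in those flows `randAlphaNum 40` produces a fresh admin password on every render and the Secret churns with each sync; document that `adminPassword` or `admin.existingSecret` must be set for such deployments. The two branches also differ in quoting (`index $secret "data" "admin-password"` is emitted bare, the random value with `| quote`); make them consistent. In `plutono.assertNoLeakedSecrets`, `regexMatch` is applied to `(index $currentMap $elem)` without checking the value is a string, so a numeric or null value for a sensitive key (for example `security: {secret_key: 12345}`) aborts with a template type error instead of the intended message; guard it with `kindIs "string"` or pass the value through `toString`. The `rbac.authorization.k8s.io/v1beta1`, `extensions/v1beta1` and `policy/v1beta1` fallbacks target API versions that have been removed from Kubernetes, so those branches are dead code carried over from upstream and can go.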
@@ -0,0 +1,1306 @@ +{{- define "plutono.pod" -}} +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- $root := . -}} +{{- with .Values.plutono.schedulerName }} +schedulerName: "{{ . }}" +{{- end }} +serviceAccountName: {{ include "plutono.serviceAccountName" . }} +automountServiceAccountToken: {{ .Values.plutono.automountServiceAccountToken }} +{{- with .Values.plutono.securityContext }} +securityContext: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.plutono.hostAliases }} +hostAliases: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- if .Values.plutono.dnsPolicy }} +dnsPolicy: {{ .Values.plutono.dnsPolicy }} +{{- end }} +{{- with .Values.plutono.dnsConfig }} +dnsConfig: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.plutono.priorityClassName }} +priorityClassName: {{ . }} +{{- end }} +{{- if ( or .Values.plutono.persistence.enabled .Values.plutono.dashboards .Values.plutono.extraInitContainers (and .Values.plutono.sidecar.alerts.enabled .Values.plutono.sidecar.alerts.initAlerts) (and .Values.plutono.sidecar.datasources.enabled .Values.plutono.sidecar.datasources.initDatasources) (and .Values.plutono.sidecar.notifiers.enabled .Values.plutono.sidecar.notifiers.initNotifiers)) }} +initContainers: +{{- end }} +{{- if ( and .Values.plutono.persistence.enabled .Values.plutono.initChownData.enabled ) }} + - name: init-chown-data + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.initChownData.image.registry -}} + {{- if .Values.plutono.initChownData.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.initChownData.image.repository }}:{{ .Values.plutono.initChownData.image.tag }}@sha256:{{ .Values.plutono.initChownData.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.initChownData.image.repository }}:{{ .Values.plutono.initChownData.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.initChownData.image.pullPolicy }} + {{- with .Values.plutono.initChownData.securityContext 
}} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + command: + - chown + - -R + - {{ .Values.plutono.securityContext.runAsUser }}:{{ .Values.plutono.securityContext.runAsGroup }} + - /var/lib/plutono + {{- with .Values.plutono.initChownData.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: storage + mountPath: "/var/lib/plutono" + {{- with .Values.plutono.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} +{{- end }} +{{- if .Values.plutono.dashboards }} + - name: download-dashboards + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.downloadDashboardsImage.registry -}} + {{- if .Values.plutono.downloadDashboardsImage.sha }} + image: "{{ $registry }}/{{ .Values.plutono.downloadDashboardsImage.repository }}:{{ .Values.plutono.downloadDashboardsImage.tag }}@sha256:{{ .Values.plutono.downloadDashboardsImage.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.downloadDashboardsImage.repository }}:{{ .Values.plutono.downloadDashboardsImage.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.downloadDashboardsImage.pullPolicy }} + command: ["/bin/sh"] + args: [ "-c", "mkdir -p /var/lib/plutono/dashboards/default && /bin/sh -x /etc/plutono/download_dashboards.sh" ] + {{- with .Values.plutono.downloadDashboards.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + env: + {{- range $key, $value := .Values.plutono.downloadDashboards.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.plutono.downloadDashboards.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- with .Values.plutono.downloadDashboards.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.downloadDashboards.envFromSecret }} + envFrom: + - secretRef: + name: {{ tpl . 
$root }} + {{- end }} + volumeMounts: + - name: config + mountPath: "/etc/plutono/download_dashboards.sh" + subPath: download_dashboards.sh + - name: storage + mountPath: "/var/lib/plutono" + {{- with .Values.plutono.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} + {{- range .Values.plutono.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} +{{- end }} +{{- if and .Values.plutono.sidecar.alerts.enabled .Values.plutono.sidecar.alerts.initAlerts }} + - name: {{ include "plutono.name" . }}-init-sc-alerts + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.alerts.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.plutono.sidecar.alerts.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: "LIST" + - name: LABEL + value: "{{ .Values.plutono.sidecar.alerts.label }}" + {{- with .Values.plutono.sidecar.alerts.labelValue }} + - name: LABEL_VALUE + value: {{ quote . 
}} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.alerts.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.alerts.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/plutono/provisioning/alerting" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.alerts.resource }} + {{- with .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.alerts.searchNamespace }} + - name: NAMESPACE + value: {{ . | join "," | quote }} + {{- end }} + {{- with .Values.plutono.sidecar.alerts.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: {{ quote . }} + {{- end }} + {{- with .Values.plutono.sidecar.alerts.script }} + - name: SCRIPT + value: {{ quote . }} + {{- end }} + {{- with .Values.plutono.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-alerts-volume + mountPath: "/etc/plutono/provisioning/alerting" + {{- with .Values.plutono.sidecar.alerts.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end }} +{{- if and .Values.plutono.sidecar.datasources.enabled .Values.plutono.sidecar.datasources.initDatasources }} + - name: {{ include "plutono.name" . 
}}-init-sc-datasources + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.datasources.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.plutono.sidecar.datasources.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- if .Values.plutono.sidecar.datasources.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: "LIST" + - name: LABEL + value: "{{ .Values.plutono.sidecar.datasources.label }}" + {{- with .Values.plutono.sidecar.datasources.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.datasources.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.datasources.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/plutono/provisioning/datasources" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.datasources.resource }} + {{- with .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- if .Values.plutono.sidecar.datasources.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (.Values.plutono.sidecar.datasources.searchNamespace | join ",") . }}" + {{- end }} + {{- with .Values.plutono.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . 
}}" + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-datasources-volume + mountPath: "/etc/plutono/provisioning/datasources" +{{- end }} +{{- if and .Values.plutono.sidecar.notifiers.enabled .Values.plutono.sidecar.notifiers.initNotifiers }} + - name: {{ include "plutono.name" . }}-init-sc-notifiers + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.notifiers.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.plutono.sidecar.notifiers.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: LIST + - name: LABEL + value: "{{ .Values.plutono.sidecar.notifiers.label }}" + {{- with .Values.plutono.sidecar.notifiers.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.notifiers.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.notifiers.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/plutono/provisioning/notifiers" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.notifiers.resource }} + {{- with .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . 
}}" + {{- end }} + {{- with .Values.plutono.sidecar.notifiers.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.plutono.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-notifiers-volume + mountPath: "/etc/plutono/provisioning/notifiers" +{{- end}} +{{- with .Values.plutono.extraInitContainers }} + {{- tpl (toYaml .) $root | nindent 2 }} +{{- end }} +{{- if or .Values.plutono.image.pullSecrets .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- include "plutono.imagePullSecrets" (dict "root" $root "imagePullSecrets" .Values.plutono.image.pullSecrets) | nindent 2 }} +{{- end }} +{{- if not .Values.plutono.enableKubeBackwardCompatibility }} +enableServiceLinks: {{ .Values.plutono.enableServiceLinks }} +{{- end }} +containers: +{{- if and .Values.plutono.sidecar.alerts.enabled (not .Values.plutono.sidecar.alerts.initAlerts) }} + - name: {{ include "plutono.name" . 
}}-sc-alerts + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.alerts.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.plutono.sidecar.alerts.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.plutono.sidecar.alerts.watchMethod }} + - name: LABEL + value: "{{ .Values.plutono.sidecar.alerts.label }}" + {{- with .Values.plutono.sidecar.alerts.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.alerts.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.alerts.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/plutono/provisioning/alerting" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.alerts.resource }} + {{- with .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.alerts.searchNamespace }} + - name: NAMESPACE + value: {{ . | join "," | quote }} + {{- end }} + {{- with .Values.plutono.sidecar.alerts.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: {{ quote . }} + {{- end }} + {{- with .Values.plutono.sidecar.alerts.script }} + - name: SCRIPT + value: {{ quote . 
}} + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_USER) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.plutono.sidecar.alerts.skipReload }} + - name: REQ_URL + value: {{ .Values.plutono.sidecar.alerts.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.plutono.sidecar.alerts.watchServerTimeout }} + {{- if ne .Values.plutono.sidecar.alerts.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.alerts.watchServerTimeout with .Values.plutono.sidecar.alerts.watchMethod %s" .Values.plutono.sidecar.alerts.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.plutono.sidecar.alerts.watchServerTimeout }}" + {{- end }} + {{- if .Values.plutono.sidecar.alerts.watchClientTimeout }} + {{- if ne .Values.plutono.sidecar.alerts.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.alerts.watchClientTimeout with .Values.plutono.sidecar.alerts.watchMethod %s" .Values.plutono.sidecar.alerts.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.plutono.sidecar.alerts.watchClientTimeout }}" + {{- end }} + {{- with .Values.plutono.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-alerts-volume + mountPath: "/etc/plutono/provisioning/alerting" + {{- with .Values.plutono.sidecar.alerts.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end}} +{{- if .Values.plutono.sidecar.dashboards.enabled }} + - name: {{ include "plutono.name" . }}-sc-dashboard + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.dashboards.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.plutono.sidecar.dashboards.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- if .Values.plutono.sidecar.dashboards.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.plutono.sidecar.dashboards.watchMethod }} + - name: LABEL + value: "{{ .Values.plutono.sidecar.dashboards.label }}" + {{- with .Values.plutono.sidecar.dashboards.labelValue }} + - name: LABEL_VALUE + value: {{ quote . 
}} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.dashboards.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.dashboards.logLevel }} + {{- end }} + - name: FOLDER + value: "{{ .Values.plutono.sidecar.dashboards.folder }}{{- with .Values.plutono.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.dashboards.resource }} + {{- with .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.dashboards.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.plutono.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.dashboards.folderAnnotation }} + - name: FOLDER_ANNOTATION + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.dashboards.script }} + - name: SCRIPT + value: "{{ . }}" + {{- end }} + {{- if not .Values.plutono.sidecar.dashboards.skipReload }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_USER) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) 
}} + key: {{ .Values.plutono.admin.passwordKey | default "admin-password" }} + {{- end }} + - name: REQ_URL + value: {{ .Values.plutono.sidecar.dashboards.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.plutono.sidecar.dashboards.watchServerTimeout }} + {{- if ne .Values.plutono.sidecar.dashboards.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.dashboards.watchServerTimeout with .Values.plutono.sidecar.dashboards.watchMethod %s" .Values.plutono.sidecar.dashboards.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.plutono.sidecar.dashboards.watchServerTimeout }}" + {{- end }} + {{- if .Values.plutono.sidecar.dashboards.watchClientTimeout }} + {{- if ne .Values.plutono.sidecar.dashboards.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.dashboards.watchClientTimeout with .Values.plutono.sidecar.dashboards.watchMethod %s" .Values.plutono.sidecar.dashboards.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: {{ .Values.plutono.sidecar.dashboards.watchClientTimeout | quote }} + {{- end }} + {{- with .Values.plutono.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-dashboard-volume + mountPath: {{ .Values.plutono.sidecar.dashboards.folder | quote }} + {{- with .Values.plutono.sidecar.dashboards.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end}} +{{- if and .Values.plutono.sidecar.datasources.enabled (not .Values.plutono.sidecar.datasources.initDatasources) }} + - name: {{ include "plutono.name" . 
}}-sc-datasources + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.datasources.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.plutono.sidecar.datasources.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- if .Values.plutono.sidecar.datasources.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.plutono.sidecar.datasources.watchMethod }} + - name: LABEL + value: "{{ .Values.plutono.sidecar.datasources.label }}" + {{- with .Values.plutono.sidecar.datasources.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.datasources.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.datasources.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/plutono/provisioning/datasources" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.datasources.resource }} + {{- with .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.datasources.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. 
| join ",") $root }}" + {{- end }} + {{- if .Values.plutono.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.plutono.sidecar.skipTlsVerify }}" + {{- end }} + {{- if .Values.plutono.sidecar.datasources.script }} + - name: SCRIPT + value: "{{ .Values.plutono.sidecar.datasources.script }}" + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_USER) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) 
}} + key: {{ .Values.plutono.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.plutono.sidecar.datasources.skipReload }} + - name: REQ_URL + value: {{ .Values.plutono.sidecar.datasources.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.plutono.sidecar.datasources.watchServerTimeout }} + {{- if ne .Values.plutono.sidecar.datasources.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.datasources.watchServerTimeout with .Values.plutono.sidecar.datasources.watchMethod %s" .Values.plutono.sidecar.datasources.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.plutono.sidecar.datasources.watchServerTimeout }}" + {{- end }} + {{- if .Values.plutono.sidecar.datasources.watchClientTimeout }} + {{- if ne .Values.plutono.sidecar.datasources.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.datasources.watchClientTimeout with .Values.plutono.sidecar.datasources.watchMethod %s" .Values.plutono.sidecar.datasources.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.plutono.sidecar.datasources.watchClientTimeout }}" + {{- end }} + {{- with .Values.plutono.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-datasources-volume + mountPath: "/etc/plutono/provisioning/datasources" +{{- end}} +{{- if .Values.plutono.sidecar.notifiers.enabled }} + - name: {{ include "plutono.name" . 
}}-sc-notifiers + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.notifiers.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.plutono.sidecar.notifiers.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.plutono.sidecar.notifiers.watchMethod }} + - name: LABEL + value: "{{ .Values.plutono.sidecar.notifiers.label }}" + {{- with .Values.plutono.sidecar.notifiers.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.notifiers.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.notifiers.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/plutono/provisioning/notifiers" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.notifiers.resource }} + {{- if .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.plutono.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- with .Values.plutono.sidecar.notifiers.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.plutono.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . 
}}" + {{- end }} + {{- if .Values.plutono.sidecar.notifiers.script }} + - name: SCRIPT + value: "{{ .Values.plutono.sidecar.notifiers.script }}" + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_USER) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.plutono.sidecar.notifiers.skipReload }} + - name: REQ_URL + value: {{ .Values.plutono.sidecar.notifiers.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.plutono.sidecar.notifiers.watchServerTimeout }} + {{- if ne .Values.plutono.sidecar.notifiers.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.notifiers.watchServerTimeout with .Values.plutono.sidecar.notifiers.watchMethod %s" .Values.plutono.sidecar.notifiers.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.plutono.sidecar.notifiers.watchServerTimeout }}" + {{- end }} + {{- if .Values.plutono.sidecar.notifiers.watchClientTimeout }} + {{- if ne .Values.plutono.sidecar.notifiers.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.notifiers.watchClientTimeout with .Values.plutono.sidecar.notifiers.watchMethod %s" .Values.plutono.sidecar.notifiers.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ 
.Values.plutono.sidecar.notifiers.watchClientTimeout }}" + {{- end }} + {{- with .Values.plutono.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-notifiers-volume + mountPath: "/etc/plutono/provisioning/notifiers" +{{- end}} +{{- if .Values.plutono.sidecar.plugins.enabled }} + - name: {{ include "plutono.name" . }}-sc-plugins + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.sidecar.image.registry -}} + {{- if .Values.plutono.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}@sha256:{{ .Values.plutono.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.sidecar.image.repository }}:{{ .Values.plutono.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.plutono.sidecar.plugins.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.plutono.sidecar.plugins.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.plutono.sidecar.plugins.watchMethod }} + - name: LABEL + value: "{{ .Values.plutono.sidecar.plugins.label }}" + {{- if .Values.plutono.sidecar.plugins.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.plutono.sidecar.plugins.labelValue }} + {{- end }} + {{- if or .Values.plutono.sidecar.logLevel .Values.plutono.sidecar.plugins.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.plutono.sidecar.logLevel 
.Values.plutono.sidecar.plugins.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/plutono/provisioning/plugins" + - name: RESOURCE + value: {{ quote .Values.plutono.sidecar.plugins.resource }} + {{- with .Values.plutono.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.plugins.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.plutono.sidecar.plugins.script }} + - name: SCRIPT + value: "{{ . }}" + {{- end }} + {{- with .Values.plutono.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_USER) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) 
}} + key: {{ .Values.plutono.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.plutono.sidecar.plugins.skipReload }} + - name: REQ_URL + value: {{ .Values.plutono.sidecar.plugins.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.plutono.sidecar.plugins.watchServerTimeout }} + {{- if ne .Values.plutono.sidecar.plugins.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.plugins.watchServerTimeout with .Values.plutono.sidecar.plugins.watchMethod %s" .Values.plutono.sidecar.plugins.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.plutono.sidecar.plugins.watchServerTimeout }}" + {{- end }} + {{- if .Values.plutono.sidecar.plugins.watchClientTimeout }} + {{- if ne .Values.plutono.sidecar.plugins.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.plutono.sidecar.plugins.watchClientTimeout with .Values.plutono.sidecar.plugins.watchMethod %s" .Values.plutono.sidecar.plugins.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.plutono.sidecar.plugins.watchClientTimeout }}" + {{- end }} + {{- with .Values.plutono.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.sidecar.securityContext }} + securityContext: + {{- toYaml . 
| nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-plugins-volume + mountPath: "/etc/plutono/provisioning/plugins" +{{- end}} + - name: {{ .Chart.Name }} + {{- $registry := .Values.global.imageRegistry | default .Values.plutono.image.registry -}} + {{- if .Values.plutono.image.sha }} + image: "{{ $registry }}/{{ .Values.plutono.image.repository }}:{{ .Values.plutono.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.plutono.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.plutono.image.repository }}:{{ .Values.plutono.image.tag | default .Chart.AppVersion }}" + {{- end }} + imagePullPolicy: {{ .Values.plutono.image.pullPolicy }} + {{- if .Values.plutono.command }} + command: + {{- range .Values.plutono.command }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- if .Values.plutono.args }} + args: + {{- range .Values.plutono.args }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.plutono.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: config + mountPath: "/etc/plutono/plutono.ini" + subPath: plutono.ini + {{- if .Values.plutono.ldap.enabled }} + - name: ldap + mountPath: "/etc/plutono/ldap.toml" + subPath: ldap.toml + {{- end }} + {{- range .Values.plutono.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + mountPath: {{ tpl .mountPath $root }} + subPath: {{ tpl (.subPath | default "") $root }} + readOnly: {{ .readOnly }} + {{- end }} + - name: storage + mountPath: "/var/lib/plutono" + {{- with .Values.plutono.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} + {{- with .Values.plutono.dashboards }} + {{- range $provider, $dashboards := . 
}} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "json") (hasKey $value "file")) }} + - name: dashboards-{{ $provider }} + mountPath: "/var/lib/plutono/dashboards/{{ $provider }}/{{ $key }}.json" + subPath: "{{ $key }}.json" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.plutono.dashboardsConfigMaps }} + {{- range (keys . | sortAlpha) }} + - name: dashboards-{{ . }} + mountPath: "/var/lib/plutono/dashboards/{{ . }}" + {{- end }} + {{- end }} + {{- with .Values.plutono.datasources }} + {{- $datasources := . }} + {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $datasources .) "secret")) }} {{/*check if current datasource should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/plutono/provisioning/datasources/{{ . }}" + subPath: {{ . | quote }} + {{- else }} + - name: config + mountPath: "/etc/plutono/provisioning/datasources/{{ . }}" + subPath: {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.plutono.notifiers }} + {{- $notifiers := . }} + {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $notifiers .) "secret")) }} {{/*check if current notifier should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/plutono/provisioning/notifiers/{{ . }}" + subPath: {{ . | quote }} + {{- else }} + - name: config + mountPath: "/etc/plutono/provisioning/notifiers/{{ . }}" + subPath: {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.plutono.alerting }} + {{- $alertingmap := .}} + {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $.Values.plutono.alerting .) "secret") (hasKey (index $.Values.plutono.alerting .) "secretFile")) }} {{/*check if current alerting entry should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/plutono/provisioning/alerting/{{ . }}" + subPath: {{ . | quote }} + {{- else }} + - name: config + mountPath: "/etc/plutono/provisioning/alerting/{{ . }}" + subPath: {{ . 
| quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.plutono.dashboardProviders }} + {{- range (keys . | sortAlpha) }} + - name: config + mountPath: "/etc/plutono/provisioning/dashboards/{{ . }}" + subPath: {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.plutono.sidecar.alerts.enabled }} + - name: sc-alerts-volume + mountPath: "/etc/plutono/provisioning/alerting" + {{- end}} + {{- if .Values.plutono.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + mountPath: {{ .Values.plutono.sidecar.dashboards.folder | quote }} + {{- if .Values.plutono.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + mountPath: "/etc/plutono/provisioning/dashboards/sc-dashboardproviders.yaml" + subPath: provider.yaml + {{- end}} + {{- end}} + {{- if .Values.plutono.sidecar.datasources.enabled }} + - name: sc-datasources-volume + mountPath: "/etc/plutono/provisioning/datasources" + {{- end}} + {{- if .Values.plutono.sidecar.plugins.enabled }} + - name: sc-plugins-volume + mountPath: "/etc/plutono/provisioning/plugins" + {{- end}} + {{- if .Values.plutono.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume + mountPath: "/etc/plutono/provisioning/notifiers" + {{- end}} + {{- range .Values.plutono.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + subPath: {{ .subPath | default "" }} + {{- end }} + {{- range .Values.plutono.extraVolumeMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath | default "" }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.plutono.extraEmptyDirMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + {{- end }} + ports: + - name: {{ .Values.plutono.podPortName }} + containerPort: {{ .Values.plutono.service.targetPort }} + protocol: TCP + - name: {{ .Values.plutono.gossipPortName }}-tcp + containerPort: 9094 + protocol: TCP + - name: {{ .Values.plutono.gossipPortName }}-udp + containerPort: 9094 + protocol: 
UDP + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_USER) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: PL_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: PL_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.plutono.admin.existingSecret .) | default (include "plutono.fullname" .) }} + key: {{ .Values.plutono.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if .Values.plutono.plugins }} + - name: PL_INSTALL_PLUGINS + valueFrom: + configMapKeyRef: + name: {{ include "plutono.fullname" . 
}} + key: plugins + {{- end }} + {{- if .Values.plutono.smtp.existingSecret }} + - name: PL_SMTP_USER + valueFrom: + secretKeyRef: + name: {{ .Values.plutono.smtp.existingSecret }} + key: {{ .Values.plutono.smtp.userKey | default "user" }} + - name: PL_SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.plutono.smtp.existingSecret }} + key: {{ .Values.plutono.smtp.passwordKey | default "password" }} + {{- end }} + - name: PL_PATHS_DATA + value: {{ (get .Values.plutono "plutono.ini").paths.data }} + - name: PL_PATHS_LOGS + value: {{ (get .Values.plutono "plutono.ini").paths.logs }} + - name: PL_PATHS_PLUGINS + value: {{ (get .Values.plutono "plutono.ini").paths.plugins }} + - name: PL_PATHS_PROVISIONING + value: {{ (get .Values.plutono "plutono.ini").paths.provisioning }} + {{- range $key, $value := .Values.plutono.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- range $key, $value := .Values.plutono.env }} + - name: "{{ tpl $key $ }}" + value: "{{ tpl (print $value) $ }}" + {{- end }} + {{- if or .Values.plutono.envFromSecret (or .Values.plutono.envRenderSecret .Values.plutono.envFromSecrets) .Values.plutono.envFromConfigMaps }} + envFrom: + {{- if .Values.plutono.envFromSecret }} + - secretRef: + name: {{ tpl .Values.plutono.envFromSecret . }} + {{- end }} + {{- if .Values.plutono.envRenderSecret }} + - secretRef: + name: {{ include "plutono.fullname" . }}-env + {{- end }} + {{- range .Values.plutono.envFromSecrets }} + - secretRef: + name: {{ tpl .name $ }} + optional: {{ .optional | default false }} + {{- if .prefix }} + prefix: {{ tpl .prefix $ }} + {{- end }} + {{- end }} + {{- range .Values.plutono.envFromConfigMaps }} + - configMapRef: + name: {{ tpl .name $ }} + optional: {{ .optional | default false }} + {{- if .prefix }} + prefix: {{ tpl .prefix $ }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.plutono.livenessProbe }} + livenessProbe: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- with .Values.plutono.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.lifecycleHooks }} + lifecycle: + {{- tpl (toYaml .) $root | nindent 6 }} + {{- end }} + {{- with .Values.plutono.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- with .Values.plutono.extraContainers }} + {{- tpl . $ | nindent 2 }} +{{- end }} +{{- with .Values.plutono.nodeSelector }} +nodeSelector: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.plutono.affinity }} +affinity: + {{- tpl (toYaml .) $root | nindent 2 }} +{{- end }} +{{- with .Values.plutono.topologySpreadConstraints }} +topologySpreadConstraints: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.plutono.tolerations }} +tolerations: + {{- toYaml . | nindent 2 }} +{{- end }} +volumes: + - name: config + configMap: + name: {{ include "plutono.fullname" . }} + {{- $createConfigSecret := eq (include "plutono.shouldCreateConfigSecret" .) "true" -}} + {{- if and .Values.plutono.createConfigmap $createConfigSecret }} + - name: config-secret + secret: + secretName: {{ include "plutono.fullname" . }}-config-secret + {{- end }} + {{- range .Values.plutono.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + configMap: + name: {{ tpl .configMap $root }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- with .items }} + items: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.plutono.dashboards }} + {{- range (keys .Values.plutono.dashboards | sortAlpha) }} + - name: dashboards-{{ . }} + configMap: + name: {{ include "plutono.fullname" $ }}-dashboards-{{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.plutono.dashboardsConfigMaps }} + {{- range $provider, $name := .Values.plutono.dashboardsConfigMaps }} + - name: dashboards-{{ $provider }} + configMap: + name: {{ tpl $name $root }} + {{- end }} + {{- end }} + {{- if .Values.plutono.ldap.enabled }} + - name: ldap + secret: + {{- if .Values.plutono.ldap.existingSecret }} + secretName: {{ .Values.plutono.ldap.existingSecret }} + {{- else }} + secretName: {{ include "plutono.fullname" . }} + {{- end }} + items: + - key: ldap-toml + path: ldap.toml + {{- end }} + {{- if and .Values.plutono.persistence.enabled (eq .Values.plutono.persistence.type "pvc") }} + - name: storage + persistentVolumeClaim: + claimName: {{ tpl (.Values.plutono.persistence.existingClaim | default (include "plutono.fullname" .)) . }} + {{- else if and .Values.plutono.persistence.enabled (has .Values.plutono.persistence.type $sts) }} + {{/* nothing */}} + {{- else }} + - name: storage + {{- if .Values.plutono.persistence.inMemory.enabled }} + emptyDir: + medium: Memory + {{- with .Values.plutono.persistence.inMemory.sizeLimit }} + sizeLimit: {{ . }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- if .Values.plutono.sidecar.alerts.enabled }} + - name: sc-alerts-volume + emptyDir: + {{- with .Values.plutono.sidecar.alerts.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.plutono.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + emptyDir: + {{- with .Values.plutono.sidecar.dashboards.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- if .Values.plutono.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + configMap: + name: {{ include "plutono.fullname" . }}-config-dashboards + {{- end }} + {{- end }} + {{- if .Values.plutono.sidecar.datasources.enabled }} + - name: sc-datasources-volume + emptyDir: + {{- with .Values.plutono.sidecar.datasources.sizeLimit }} + sizeLimit: {{ . 
}} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.plutono.sidecar.plugins.enabled }} + - name: sc-plugins-volume + emptyDir: + {{- with .Values.plutono.sidecar.plugins.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.plutono.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume + emptyDir: + {{- with .Values.plutono.sidecar.notifiers.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- range .Values.plutono.extraSecretMounts }} + {{- if .secretName }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + defaultMode: {{ .defaultMode }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- with .items }} + items: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- else if .projected }} + - name: {{ .name }} + projected: + {{- toYaml .projected | nindent 6 }} + {{- else if .csi }} + - name: {{ .name }} + csi: + {{- toYaml .csi | nindent 6 }} + {{- end }} + {{- end }} + {{- range .Values.plutono.extraVolumes }} + - name: {{ .name }} + {{- if .existingClaim }} + persistentVolumeClaim: + claimName: {{ .existingClaim }} + {{- else if .hostPath }} + hostPath: + {{ toYaml .hostPath | nindent 6 }} + {{- else if .csi }} + csi: + {{- toYaml .csi | nindent 6 }} + {{- else if .configMap }} + configMap: + {{- toYaml .configMap | nindent 6 }} + {{- else if .emptyDir }} + emptyDir: + {{- toYaml .emptyDir | nindent 6 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- range .Values.plutono.extraEmptyDirMounts }} + - name: {{ .name }} + emptyDir: {} + {{- end }} + {{- with .Values.plutono.extraContainerVolumes }} + {{- tpl (toYaml .) $root | nindent 2 }} + {{- end }} +{{- end }} diff --git a/plutono/charts/templates/clusterrole.yaml b/plutono/charts/templates/clusterrole.yaml new file mode 100644 index 00000000..f48db508 --- /dev/null +++ b/plutono/charts/templates/clusterrole.yaml 
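Review bot: in the `env` block of `_pod.tpl`, `PL_SECURITY_ADMIN_USER` is rendered whenever `env.PL_SECURITY_ADMIN_USER` and `PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION` are unset, and without `admin.existingSecret` it points at the chart's own Secret (`include "plutono.fullname" .`, key `admin-user`). `secret.yaml` only creates that Secret when `env.PL_SECURITY_ADMIN_PASSWORD` and `env.PL_SECURITY_ADMIN_PASSWORD__FILE` are also unset, so an operator who supplies the password through `env.PL_SECURITY_ADMIN_PASSWORD` and no `existingSecret` gets a pod stuck in `CreateContainerConfigError` on a missing Secret. Either mirror the `secret.yaml` condition in the `PL_SECURITY_ADMIN_USER` guard or fall back to a literal `value:` for the user in that case. Separately, `extraVolumes` accepts a `hostPath` branch that the chart's PodSecurityPolicy does not list under `volumes:`; if hostPath is meant to be supported, document the exposure (node filesystem access from the Plutono pod), otherwise drop the branch.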
@@ -0,0 +1,28 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and .Values.plutono.rbac.create (or (not .Values.plutono.rbac.namespaced) .Values.plutono.rbac.extraClusterRoleRules) (not .Values.plutono.rbac.useExistingClusterRole) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "plutono.fullname" . }}-clusterrole +{{- if or .Values.plutono.sidecar.dashboards.enabled .Values.plutono.rbac.extraClusterRoleRules .Values.plutono.sidecar.datasources.enabled .Values.plutono.sidecar.plugins.enabled .Values.plutono.sidecar.alerts.enabled }} +rules: + {{- if or .Values.plutono.sidecar.dashboards.enabled .Values.plutono.sidecar.datasources.enabled .Values.plutono.sidecar.plugins.enabled .Values.plutono.sidecar.alerts.enabled }} + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] + {{- end}} + {{- with .Values.plutono.rbac.extraClusterRoleRules }} + {{- toYaml . | nindent 2 }} + {{- end}} +{{- else }} +rules: [] +{{- end}} +{{- end}} diff --git a/plutono/charts/templates/clusterrolebinding.yaml b/plutono/charts/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..19371341 --- /dev/null +++ b/plutono/charts/templates/clusterrolebinding.yaml 
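Review bot: the `rules` in `clusterrole.yaml` grant `get`/`watch`/`list` on `secrets` cluster-wide as soon as any sidecar is enabled, so the Plutono service account can read every Secret in every namespace, not only the labelled datasource Secrets. That blast radius belongs in the values documentation, with `rbac.namespaced: true` named as the least-privilege option when dashboards and datasources live in the release namespace. The condition also lists `sidecar.dashboards`, `datasources`, `plugins` and `alerts` but not `sidecar.notifiers.enabled`, although `_pod.tpl` creates an `sc-notifiers-volume`; with only the notifiers sidecar enabled this file renders `rules: []` and that sidecar cannot list anything.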
@@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and .Values.plutono.rbac.create (or (not .Values.plutono.rbac.namespaced) .Values.plutono.rbac.extraClusterRoleRules) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "plutono.fullname" . }}-clusterrolebinding + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ include "plutono.serviceAccountName" . }} + namespace: {{ include "plutono.namespace" . }} +roleRef: + kind: ClusterRole + {{- if .Values.plutono.rbac.useExistingClusterRole }} + name: {{ .Values.plutono.rbac.useExistingClusterRole }} + {{- else }} + name: {{ include "plutono.fullname" . }}-clusterrole + {{- end }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/plutono/charts/templates/configSecret.yaml b/plutono/charts/templates/configSecret.yaml new file mode 100644 index 00000000..cdb849f5 --- /dev/null +++ b/plutono/charts/templates/configSecret.yaml 
@@ -0,0 +1,46 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- $createConfigSecret := eq (include "plutono.shouldCreateConfigSecret" .) "true" -}} +{{- if and .Values.plutono.createConfigmap $createConfigSecret }} +{{- $files := .Files }} +{{- $root := . -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ include "plutono.fullname" . }}-config-secret" + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: +{{- range $key, $value := .Values.plutono.alerting }} + {{- if (hasKey $value "secretFile") }} + {{- $key | nindent 2 }}: + {{- toYaml ( $files.Get $value.secretFile ) | b64enc | nindent 4}} + {{/* as of https://helm.sh/docs/chart_template_guide/accessing_files/ this will only work if you fork this chart and add files to it*/}} + {{- end }} +{{- end }} +stringData: +{{- range $key, $value := .Values.plutono.datasources }} +{{- if (hasKey $value "secret") }} +{{- $key | nindent 2 }}: | + {{- tpl (toYaml $value.secret | nindent 4) $root }} +{{- end }} +{{- end }} +{{- range $key, $value := .Values.plutono.notifiers }} +{{- if (hasKey $value "secret") }} +{{- $key | nindent 2 }}: | + {{- tpl (toYaml $value.secret | nindent 4) $root }} +{{- end }} +{{- end }} +{{- range $key, $value := .Values.plutono.alerting }} +{{ if (hasKey $value "secret") }} + {{- $key | nindent 2 }}: | + {{- tpl (toYaml $value.secret | nindent 4) $root }} + {{- end }} +{{- end }} +{{- end }} diff --git a/plutono/charts/templates/configmap-dashboard-provider.yaml b/plutono/charts/templates/configmap-dashboard-provider.yaml new file mode 100644 index 00000000..8f48933b --- /dev/null +++ b/plutono/charts/templates/configmap-dashboard-provider.yaml 
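Review bot: in `configSecret.yaml`, the `data:` entries pass `$files.Get $value.secretFile` through `toYaml` before `b64enc`, so the Secret stores the YAML-encoded form of the file (quoted, or a block scalar for multi-line content) rather than the raw file bytes; `{{ $files.Get $value.secretFile | b64enc }}` is what is wanted. The `alerting` loop under `stringData:` uses `{{ if (hasKey $value "secret") }}` without the `-` trim that the `datasources` and `notifiers` loops use, which leaves stray blank lines in the rendered manifest. Lastly, `data:` and `stringData:` are emitted even when every loop is empty, producing `data: null`; the API server accepts it, but guarding each section keeps `helm template` output clean.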
@@ -0,0 +1,18 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and .Values.plutono.sidecar.dashboards.enabled .Values.plutono.sidecar.dashboards.SCProvider }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "plutono.fullname" . }}-config-dashboards + namespace: {{ include "plutono.namespace" . }} +data: + {{- include "plutono.configDashboardProviderData" . | nindent 2 }} +{{- end }} diff --git a/plutono/charts/templates/configmap.yaml b/plutono/charts/templates/configmap.yaml new file mode 100644 index 00000000..90a0614a --- /dev/null +++ b/plutono/charts/templates/configmap.yaml @@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.createConfigmap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- if or .Values.plutono.configMapAnnotations .Values.plutono.annotations }} + annotations: + {{- with .Values.plutono.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.configMapAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +data: + {{- include "plutono.configData" . | nindent 2 }} +{{- end }} diff --git a/plutono/charts/templates/dashboards-json-configmap.yaml b/plutono/charts/templates/dashboards-json-configmap.yaml new file mode 100644 index 00000000..fed19f2a --- /dev/null +++ b/plutono/charts/templates/dashboards-json-configmap.yaml 
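Review bot: `configmap.yaml` stores `plutono.configData` in a plain ConfigMap. If that helper renders the `plutono.ini` values tree (the `PL_PATHS_*` entries in `_pod.tpl` read from the same tree), any sensitive setting an operator places there, such as a database password or a `[security] secret_key`, lands in a ConfigMap readable by anyone with `get configmaps` in the namespace, while the chart's `-config-secret` Secret only covers `datasources`/`notifiers`/`alerting` entries that carry a `secret` key. A values comment steering such settings to `envRenderSecret` or `admin.existingSecret` would close that gap.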
@@ -0,0 +1,41 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.dashboards }} +{{ $files := .Files }} +{{- range $provider, $dashboards := .Values.plutono.dashboards }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "plutono.fullname" $ }}-dashboards-{{ $provider }} + namespace: {{ include "plutono.namespace" $ }} + labels: + {{- include "plutono.labels" $ | nindent 4 }} + dashboard-provider: {{ $provider }} + {{- if $.Values.plutono.sidecar.dashboards.enabled }} + {{ $.Values.plutono.sidecar.dashboards.label }}: {{ $.Values.plutono.sidecar.dashboards.labelValue | quote }} + {{- end }} +{{- if $dashboards }} +data: +{{- $dashboardFound := false }} +{{- range $key, $value := $dashboards }} +{{- if (or (hasKey $value "json") (hasKey $value "file")) }} +{{- $dashboardFound = true }} + {{- print $key | nindent 2 }}.json: + {{- if hasKey $value "json" }} + |- + {{- $value.json | nindent 6 }} + {{- end }} + {{- if hasKey $value "file" }} + {{- toYaml ( $files.Get $value.file ) | nindent 4}} + {{- end }} +{{- end }} +{{- end }} +{{- if not $dashboardFound }} + {} +{{- end }} +{{- end }} +--- +{{- end }} + +{{- end }} diff --git a/plutono/charts/templates/deployment.yaml b/plutono/charts/templates/deployment.yaml new file mode 100644 index 00000000..3148c5f2 --- /dev/null +++ b/plutono/charts/templates/deployment.yaml 
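Review bot: in `dashboards-json-configmap.yaml`, the generated `-dashboards-<provider>` ConfigMaps also receive the sidecar discovery label (`sidecar.dashboards.label: labelValue`) when the sidecar is enabled, while `_pod.tpl` already mounts those same ConfigMaps as `dashboards-<provider>` volumes. With both `dashboards` and the sidecar enabled, the same dashboard JSON is therefore offered to Plutono from two paths, the mounted provider directory and the sidecar's copy; confirm the provider configuration de-duplicates this, or drop the label on chart-managed ConfigMaps. Minor: `{{ $files := .Files }}` lacks the `-` trim and emits a blank line before the first document.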
@@ -0,0 +1,56 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if (and (not .Values.plutono.useStatefulSet) (or (not .Values.plutono.persistence.enabled) (eq .Values.plutono.persistence.type "pvc"))) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and (not .Values.plutono.autoscaling.enabled) (.Values.plutono.replicas) }} + replicas: {{ .Values.plutono.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.plutono.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "plutono.selectorLabels" . | nindent 6 }} + {{- with .Values.plutono.deploymentStrategy }} + strategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "plutono.selectorLabels" . | nindent 8 }} + {{- with .Values.plutono.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include "plutono.configData" . | sha256sum }} + {{- if .Values.plutono.dashboards }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + {{- end }} + checksum/sc-dashboard-provider-config: {{ include "plutono.configDashboardProviderData" . 
| sha256sum }} + {{- if and (or (and (not .Values.plutono.admin.existingSecret) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD)) (and .Values.plutono.ldap.enabled (not .Values.plutono.ldap.existingSecret))) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include "plutono.secretsData" . | sha256sum }} + {{- end }} + {{- if .Values.plutono.envRenderSecret }} + checksum/secret-env: {{ tpl (toYaml .Values.plutono.envRenderSecret) . | sha256sum }} + {{- end }} + kubectl.kubernetes.io/default-container: {{ .Chart.Name }} + {{- with .Values.plutono.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include "plutono.pod" . | nindent 6 }} +{{- end }} diff --git a/plutono/charts/templates/extra-manifests.yaml b/plutono/charts/templates/extra-manifests.yaml new file mode 100644 index 00000000..529bd82d --- /dev/null +++ b/plutono/charts/templates/extra-manifests.yaml @@ -0,0 +1,7 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{ range .Values.plutono.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/plutono/charts/templates/headless-service.yaml b/plutono/charts/templates/headless-service.yaml new file mode 100644 index 00000000..41e27f55 --- /dev/null +++ b/plutono/charts/templates/headless-service.yaml 
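Review bot: the `checksum/secret` annotation in `deployment.yaml` is guarded by a different condition than the Secret it hashes. Here `(not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)` is applied to both the admin branch and the LDAP branch, whereas `secret.yaml` applies it only to the admin branch. With `ldap.enabled: true`, no `ldap.existingSecret` and `PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION` set, the Secret carrying `ldap-toml` is created but never hashed, so an `ldap.toml` change on upgrade does not roll the pods. Factor the predicate into a named template shared by both files.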
@@ -0,0 +1,25 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if or .Values.plutono.headlessService (and .Values.plutono.persistence.enabled (not .Values.plutono.persistence.existingClaim) (has .Values.plutono.persistence.type $sts)) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "plutono.fullname" . }}-headless + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + selector: + {{- include "plutono.selectorLabels" . | nindent 4 }} + type: ClusterIP + ports: + - name: {{ .Values.plutono.gossipPortName }}-tcp + port: 9094 +{{- end }} diff --git a/plutono/charts/templates/hpa.yaml b/plutono/charts/templates/hpa.yaml new file mode 100644 index 00000000..cfbcb405 --- /dev/null +++ b/plutono/charts/templates/hpa.yaml 
@@ -0,0 +1,55 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if .Values.plutono.autoscaling.enabled }} +apiVersion: {{ include "plutono.hpa.apiVersion" . }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "plutono.name" . }} + helm.sh/chart: {{ include "plutono.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + {{- if has .Values.plutono.persistence.type $sts }} + kind: StatefulSet + {{- else }} + kind: Deployment + {{- end }} + name: {{ include "plutono.fullname" . }} + minReplicas: {{ .Values.plutono.autoscaling.minReplicas }} + maxReplicas: {{ .Values.plutono.autoscaling.maxReplicas }} + metrics: + {{- if .Values.plutono.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if eq (include "plutono.hpa.apiVersion" .) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ .Values.plutono.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.plutono.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if .Values.plutono.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if eq (include "plutono.hpa.apiVersion" .) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ .Values.plutono.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.plutono.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.plutono.autoscaling.behavior }} + behavior: {{ toYaml .Values.plutono.autoscaling.behavior | nindent 4 }} + {{- end }} +{{- end }} 
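Review bot: `scaleTargetRef.kind` in `hpa.yaml` is chosen solely by `has .Values.plutono.persistence.type $sts`, but `deployment.yaml` renders a Deployment only when `useStatefulSet` is false and persistence is either disabled or of type `pvc`. The two disagree for `useStatefulSet: true` with type `pvc` (the HPA targets a Deployment that is not rendered) and for `persistence.enabled: false` with a StatefulSet type string (the HPA targets a StatefulSet while a Deployment is rendered). Reuse one predicate in both templates. The `autoscaling/v2beta1` branches are dead on any currently supported cluster and could be removed to simplify review.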
diff --git a/plutono/charts/templates/ingress.yaml b/plutono/charts/templates/ingress.yaml new file mode 100644 index 00000000..410d10d8 --- /dev/null +++ b/plutono/charts/templates/ingress.yaml 
@@ -0,0 +1,81 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "plutono.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "plutono.ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "plutono.ingress.supportsPathType" .) "true" -}} +{{- $fullName := include "plutono.fullname" . -}} +{{- $servicePort := .Values.plutono.service.port -}} +{{- $ingressPath := .Values.plutono.ingress.path -}} +{{- $ingressPathType := .Values.plutono.ingress.pathType -}} +{{- $extraPaths := .Values.plutono.ingress.extraPaths -}} +apiVersion: {{ include "plutono.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.ingress.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ tpl $value $ | quote }} + {{- end }} + {{- end }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.plutono.ingress.ingressClassName }} + ingressClassName: {{ .Values.plutono.ingress.ingressClassName }} + {{- end -}} + {{- with .Values.plutono.ingress.tls }} + tls: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + rules: + {{- if .Values.plutono.ingress.hosts }} + {{- range .Values.plutono.ingress.hosts }} + - host: {{ tpl . $ | quote }} + http: + paths: + {{- with $extraPaths }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + - backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- with $ingressPath }} + path: {{ . }} + {{- end }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + {{- end -}} +{{- end }} diff --git a/plutono/charts/templates/networkpolicy.yaml b/plutono/charts/templates/networkpolicy.yaml new file mode 100644 index 00000000..b141790b --- /dev/null +++ b/plutono/charts/templates/networkpolicy.yaml 
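Review bot: in the no-`hosts` branch of `ingress.yaml`, `pathType` is emitted whenever the API supports it but `path` only `with $ingressPath`, so an empty `ingress.path` combined with `Prefix` or `Exact` renders a rule the API server rejects (those path types require a non-empty path); the `hosts` branch always writes `path: {{ $ingressPath }}`, and the two branches should share that logic. Note also that a rule without `host:` matches every hostname the controller serves; a values hint that `hosts` should normally be set together with `tls` would help operators exposing the UI.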
@@ -0,0 +1,64 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + policyTypes: + {{- if .Values.plutono.networkPolicy.ingress }} + - Ingress + {{- end }} + {{- if .Values.plutono.networkPolicy.egress.enabled }} + - Egress + {{- end }} + podSelector: + matchLabels: + {{- include "plutono.selectorLabels" . | nindent 6 }} + + {{- if .Values.plutono.networkPolicy.egress.enabled }} + egress: + {{- if not .Values.plutono.networkPolicy.egress.blockDNSResolution }} + - ports: + - port: 53 + protocol: UDP + {{- end }} + - ports: + {{ .Values.plutono.networkPolicy.egress.ports | toJson }} + {{- with .Values.plutono.networkPolicy.egress.to }} + to: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.plutono.networkPolicy.ingress }} + ingress: + - ports: + - port: {{ .Values.plutono.service.targetPort }} + {{- if not .Values.plutono.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ include "plutono.fullname" . }}-client: "true" + {{- with .Values.plutono.networkPolicy.explicitNamespacesSelector }} + - namespaceSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + - podSelector: + matchLabels: + {{- include "plutono.labels" . | nindent 14 }} + role: read + {{- end }} + {{- end }} +{{- end }} diff --git a/plutono/charts/templates/poddisruptionbudget.yaml b/plutono/charts/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..076e89aa --- /dev/null 
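Review bot: in the `egress` section of `networkpolicy.yaml`, `- ports: {{ .Values.plutono.networkPolicy.egress.ports | toJson }}` is rendered unconditionally, so an empty `egress.ports` list with no `egress.to` yields `- ports: []`, which in NetworkPolicy semantics matches all ports to all destinations and turns `egress.enabled: true` into allow-all. Guard the rule with `{{- with .Values.plutono.networkPolicy.egress.ports }}` or `fail` when both `ports` and `to` are empty. Two smaller points: the DNS exception only opens 53/UDP, so resolvers falling back to TCP for large responses are blocked; and the third `from` entry selects on the full `plutono.labels` set plus `role: read`, which is brittle if that helper includes a chart version label the way `hpa.yaml` does for its own labels.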
+++ b/plutono/charts/templates/poddisruptionbudget.yaml @@ -0,0 +1,25 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.podDisruptionBudget }} +apiVersion: {{ include "plutono.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.plutono.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.plutono.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "plutono.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/plutono/charts/templates/podsecuritypolicy.yaml b/plutono/charts/templates/podsecuritypolicy.yaml new file mode 100644 index 00000000..da52c6ee --- /dev/null +++ b/plutono/charts/templates/podsecuritypolicy.yaml 
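Review bot: `poddisruptionbudget.yaml` emits `minAvailable` and `maxUnavailable` independently, so a values file that sets both renders a PDB the API server rejects because the two fields are mutually exclusive. Add a `{{- if and .minAvailable .maxUnavailable }}{{ fail "set only one of podDisruptionBudget.minAvailable / maxUnavailable" }}{{- end }}` guard, or document that only one may be set.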
@@ -0,0 +1,52 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and .Values.plutono.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "plutono.fullname" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.plutono.rbac.pspUseAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + # Default set from Docker, with DAC_OVERRIDE and CHOWN + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'csi' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/plutono/charts/templates/pvc.yaml b/plutono/charts/templates/pvc.yaml new file mode 100644 index 00000000..af4f3cab --- /dev/null +++ b/plutono/charts/templates/pvc.yaml 
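Review bot: `podsecuritypolicy.yaml` is effectively dead code on current clusters: `policy/v1beta1/PodSecurityPolicy` was removed in Kubernetes 1.25 and the `Capabilities.APIVersions.Has` guard then skips the whole file, so none of the hardening it encodes (no privilege escalation, `requiredDropCapabilities: ALL`, no host namespaces) applies where it matters. Carry those settings into the pod and container `securityContext` in `_pod.tpl` and into Pod Security Admission labels on the namespace instead. Within the file itself, `runAsUser: RunAsAny` still permits root (`MustRunAsNonRoot` fits a dashboard server), `readOnlyRootFilesystem: false` is the weaker choice, the `seccomp.security.alpha.kubernetes.io` annotations are deprecated in favour of `seccompProfile`, and the comment `# Default set from Docker, with DAC_OVERRIDE and CHOWN` describes a list that is now just `ALL`.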
@@ -0,0 +1,42 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and (not .Values.plutono.useStatefulSet) .Values.plutono.persistence.enabled (not .Values.plutono.persistence.existingClaim) (eq .Values.plutono.persistence.type "pvc")}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.persistence.extraPvcLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.persistence.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.persistence.finalizers }} + finalizers: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.plutono.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.plutono.persistence.size | quote }} + {{- if and (.Values.plutono.persistence.lookupVolumeName) (lookup "v1" "PersistentVolumeClaim" (include "plutono.namespace" .) (include "plutono.fullname" .)) }} + volumeName: {{ (lookup "v1" "PersistentVolumeClaim" (include "plutono.namespace" .) (include "plutono.fullname" .)).spec.volumeName }} + {{- end }} + {{- with .Values.plutono.persistence.storageClassName }} + storageClassName: {{ . }} + {{- end }} + {{- with .Values.plutono.persistence.selectorLabels }} + selector: + matchLabels: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/plutono/charts/templates/role.yaml b/plutono/charts/templates/role.yaml new file mode 100644 index 00000000..907532a1 --- /dev/null +++ b/plutono/charts/templates/role.yaml 
@@ -0,0 +1,35 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and .Values.plutono.rbac.create (not .Values.plutono.rbac.useExistingRole) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if or .Values.plutono.rbac.pspEnabled (and .Values.plutono.rbac.namespaced (or .Values.plutono.sidecar.dashboards.enabled .Values.plutono.sidecar.datasources.enabled .Values.plutono.sidecar.plugins.enabled .Values.plutono.rbac.extraRoleRules)) }} +rules: + {{- if and .Values.plutono.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} + - apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "plutono.fullname" . }}] + {{- end }} + {{- if and .Values.plutono.rbac.namespaced (or .Values.plutono.sidecar.dashboards.enabled .Values.plutono.sidecar.datasources.enabled .Values.plutono.sidecar.plugins.enabled) }} + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] + {{- end }} + {{- with .Values.plutono.rbac.extraRoleRules }} + {{- toYaml . | nindent 2 }} + {{- end}} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/plutono/charts/templates/rolebinding.yaml b/plutono/charts/templates/rolebinding.yaml new file mode 100644 index 00000000..c013ade1 --- /dev/null +++ b/plutono/charts/templates/rolebinding.yaml 
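Review bot: the PSP rule in `role.yaml` uses `apiGroups: ['extensions']`, but the PodSecurityPolicy in `podsecuritypolicy.yaml` is created under `policy/v1beta1`; `extensions` is the pre-1.16 location of that resource, so the `use` grant should read `apiGroups: ['policy']` to match the apiVersion the policy is created with. The sidecar rule condition also omits `sidecar.alerts.enabled` and `sidecar.notifiers.enabled`, while `clusterrole.yaml` includes alerts; with `rbac.namespaced: true` and only those sidecars enabled the Role renders `rules: []` and the sidecars cannot list ConfigMaps or Secrets.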
@@ -0,0 +1,28 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + {{- if .Values.plutono.rbac.useExistingRole }} + name: {{ .Values.plutono.rbac.useExistingRole }} + {{- else }} + name: {{ include "plutono.fullname" . }} + {{- end }} +subjects: +- kind: ServiceAccount + name: {{ include "plutono.serviceAccountName" . }} + namespace: {{ include "plutono.namespace" . }} +{{- end }} diff --git a/plutono/charts/templates/secret-env.yaml b/plutono/charts/templates/secret-env.yaml new file mode 100644 index 00000000..742a7413 --- /dev/null +++ b/plutono/charts/templates/secret-env.yaml @@ -0,0 +1,17 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.envRenderSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "plutono.fullname" . }}-env + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} +type: Opaque +data: +{{- range $key, $val := .Values.plutono.envRenderSecret }} + {{ $key }}: {{ tpl ($val | toString) $ | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/plutono/charts/templates/secret.yaml b/plutono/charts/templates/secret.yaml new file mode 100644 index 00000000..9c78c142 --- /dev/null +++ b/plutono/charts/templates/secret.yaml 
@@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if or (and (not .Values.plutono.admin.existingSecret) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)) (and .Values.plutono.ldap.enabled (not .Values.plutono.ldap.existingSecret)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- include "plutono.secretsData" . | nindent 2 }} +{{- end }} diff --git a/plutono/charts/templates/service.yaml b/plutono/charts/templates/service.yaml new file mode 100644 index 00000000..268390a2 --- /dev/null +++ b/plutono/charts/templates/service.yaml 
@@ -0,0 +1,70 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.service.enabled }} +{{- $root := . }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.service.annotations }} + annotations: + {{- tpl (toYaml . | nindent 4) $root }} + {{- end }} +spec: + {{- if (or (eq .Values.plutono.service.type "ClusterIP") (empty .Values.plutono.service.type)) }} + type: ClusterIP + {{- with .Values.plutono.service.clusterIP }} + clusterIP: {{ . }} + {{- end }} + {{- else if eq .Values.plutono.service.type "LoadBalancer" }} + type: LoadBalancer + {{- with .Values.plutono.service.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- with .Values.plutono.service.loadBalancerClass }} + loadBalancerClass: {{ . }} + {{- end }} + {{- with .Values.plutono.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- else }} + type: {{ .Values.plutono.service.type }} + {{- end }} + {{- if .Values.plutono.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.plutono.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.plutono.service.ipFamilies }} + ipFamilies: {{ .Values.plutono.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- with .Values.plutono.service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ . 
}} + {{- end }} + ports: + - name: {{ .Values.plutono.service.portName }} + port: {{ .Values.plutono.service.port }} + protocol: TCP + targetPort: {{ .Values.plutono.service.targetPort }} + {{- with .Values.plutono.service.appProtocol }} + appProtocol: {{ . }} + {{- end }} + {{- if (and (eq .Values.plutono.service.type "NodePort") (not (empty .Values.plutono.service.nodePort))) }} + nodePort: {{ .Values.plutono.service.nodePort }} + {{- end }} + {{- with .Values.plutono.extraExposePorts }} + {{- tpl (toYaml . | nindent 4) $root }} + {{- end }} + selector: + {{- include "plutono.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/plutono/charts/templates/serviceaccount.yaml b/plutono/charts/templates/serviceaccount.yaml new file mode 100644 index 00000000..fa241435 --- /dev/null +++ b/plutono/charts/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.plutono.serviceAccount.autoMount | default .Values.plutono.serviceAccount.automountServiceAccountToken }} +metadata: + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.serviceAccount.annotations }} + annotations: + {{- tpl (toYaml . | nindent 4) $ }} + {{- end }} + name: {{ include "plutono.serviceAccountName" . }} + namespace: {{ include "plutono.namespace" . }} +{{- end }} diff --git a/plutono/charts/templates/servicemonitor.yaml b/plutono/charts/templates/servicemonitor.yaml new file mode 100644 index 00000000..8d76a75c --- /dev/null +++ b/plutono/charts/templates/servicemonitor.yaml 
@@ -0,0 +1,55 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "plutono.fullname" . }} + {{- if .Values.plutono.serviceMonitor.namespace }} + namespace: {{ tpl .Values.plutono.serviceMonitor.namespace . }} + {{- else }} + namespace: {{ include "plutono.namespace" . }} + {{- end }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.serviceMonitor.labels }} + {{- tpl (toYaml . | nindent 4) $ }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.plutono.service.portName }} + {{- with .Values.plutono.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.plutono.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + honorLabels: true + path: {{ .Values.plutono.serviceMonitor.path }} + scheme: {{ .Values.plutono.serviceMonitor.scheme }} + {{- with .Values.plutono.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.plutono.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + jobLabel: "{{ .Release.Name }}" + selector: + matchLabels: + {{- include "plutono.selectorLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ include "plutono.namespace" . }} + {{- with .Values.plutono.serviceMonitor.targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/plutono/charts/templates/statefulset.yaml b/plutono/charts/templates/statefulset.yaml new file mode 100644 index 00000000..730451bc --- /dev/null +++ b/plutono/charts/templates/statefulset.yaml 
@@ -0,0 +1,61 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if (or (.Values.plutono.useStatefulSet) (and .Values.plutono.persistence.enabled (not .Values.plutono.persistence.existingClaim) (has .Values.plutono.persistence.type $sts)))}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "plutono.fullname" . }} + namespace: {{ include "plutono.namespace" . }} + labels: + {{- include "plutono.labels" . | nindent 4 }} + {{- with .Values.plutono.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.plutono.replicas }} + selector: + matchLabels: + {{- include "plutono.selectorLabels" . | nindent 6 }} + serviceName: {{ include "plutono.fullname" . }}-headless + template: + metadata: + labels: + {{- include "plutono.selectorLabels" . | nindent 8 }} + {{- with .Values.plutono.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} + {{- if and (or (and (not .Values.plutono.admin.existingSecret) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.plutono.env.PL_SECURITY_ADMIN_PASSWORD)) (and .Values.plutono.ldap.enabled (not .Values.plutono.ldap.existingSecret))) (not .Values.plutono.env.PL_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} + kubectl.kubernetes.io/default-container: {{ .Chart.Name }} + {{- with .Values.plutono.podAnnotations }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + spec: + {{- include "plutono.pod" . | nindent 6 }} + {{- if .Values.plutono.persistence.enabled}} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: storage + spec: + accessModes: {{ .Values.plutono.persistence.accessModes }} + storageClassName: {{ .Values.plutono.persistence.storageClassName }} + resources: + requests: + storage: {{ .Values.plutono.persistence.size }} + {{- with .Values.plutono.persistence.selectorLabels }} + selector: + matchLabels: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/plutono/charts/templates/tests/test-configmap.yaml b/plutono/charts/templates/tests/test-configmap.yaml new file mode 100644 index 00000000..fe9e3559 --- /dev/null +++ b/plutono/charts/templates/tests/test-configmap.yaml @@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.testFramework.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "plutono.fullname" . }}-test + namespace: {{ include "plutono.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "plutono.labels" . | nindent 4 }} +data: + run.sh: |- + @test "Test Health" { + url="http://{{ include "plutono.fullname" . }}/api/health" + + code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}') + [ "$code" == "200" ] + } +{{- end }} diff --git a/plutono/charts/templates/tests/test-podsecuritypolicy.yaml b/plutono/charts/templates/tests/test-podsecuritypolicy.yaml new file mode 100644 index 00000000..5192379d --- /dev/null +++ b/plutono/charts/templates/tests/test-podsecuritypolicy.yaml 
@@ -0,0 +1,35 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.plutono.testFramework.enabled .Values.plutono.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "plutono.fullname" . }}-test + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "plutono.labels" . | nindent 4 }} +spec: + allowPrivilegeEscalation: true + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + fsGroup: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + volumes: + - configMap + - downwardAPI + - emptyDir + - projected + - csi + - secret +{{- end }} diff --git a/plutono/charts/templates/tests/test-role.yaml b/plutono/charts/templates/tests/test-role.yaml new file mode 100644 index 00000000..b7f36e9a --- /dev/null +++ b/plutono/charts/templates/tests/test-role.yaml @@ -0,0 +1,20 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.plutono.testFramework.enabled .Values.plutono.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "plutono.fullname" . }}-test + namespace: {{ include "plutono.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "plutono.labels" . | nindent 4 }} +rules: + - apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "plutono.fullname" . }}-test] +{{- end }} 
diff --git a/plutono/charts/templates/tests/test-rolebinding.yaml b/plutono/charts/templates/tests/test-rolebinding.yaml new file mode 100644 index 00000000..863ce402 --- /dev/null +++ b/plutono/charts/templates/tests/test-rolebinding.yaml @@ -0,0 +1,23 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.plutono.testFramework.enabled .Values.plutono.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "plutono.fullname" . }}-test + namespace: {{ include "plutono.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "plutono.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "plutono.fullname" . }}-test +subjects: + - kind: ServiceAccount + name: {{ include "plutono.serviceAccountNameTest" . }} + namespace: {{ include "plutono.namespace" . }} +{{- end }} diff --git a/plutono/charts/templates/tests/test-serviceaccount.yaml b/plutono/charts/templates/tests/test-serviceaccount.yaml new file mode 100644 index 00000000..df08c8db --- /dev/null +++ b/plutono/charts/templates/tests/test-serviceaccount.yaml @@ -0,0 +1,15 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if and .Values.plutono.testFramework.enabled .Values.plutono.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "plutono.labels" . | nindent 4 }} + name: {{ include "plutono.serviceAccountNameTest" . }} + namespace: {{ include "plutono.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" +{{- end }} 
diff --git a/plutono/charts/templates/tests/test.yaml b/plutono/charts/templates/tests/test.yaml new file mode 100644 index 00000000..0013c3e7 --- /dev/null +++ b/plutono/charts/templates/tests/test.yaml 
@@ -0,0 +1,56 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.plutono.testFramework.enabled }} +{{- $root := . }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "plutono.fullname" . }}-test + labels: + {{- include "plutono.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + namespace: {{ include "plutono.namespace" . }} +spec: + serviceAccountName: {{ include "plutono.serviceAccountNameTest" . }} + {{- with .Values.plutono.testFramework.securityContext }} + securityContext: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.plutono.image.pullSecrets .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- include "plutono.imagePullSecrets" (dict "root" $root "imagePullSecrets" .Values.plutono.image.pullSecrets) | nindent 4 }} + {{- end }} + {{- with .Values.plutono.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.plutono.affinity }} + affinity: + {{- tpl (toYaml .) $root | nindent 4 }} + {{- end }} + {{- with .Values.plutono.tolerations }} + tolerations: + {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ .Release.Name }}-test + image: "{{ .Values.global.imageRegistry | default .Values.plutono.testFramework.image.registry }}/{{ .Values.plutono.testFramework.image.repository }}:{{ .Values.plutono.testFramework.image.tag }}" + imagePullPolicy: "{{ .Values.plutono.testFramework.imagePullPolicy}}" + command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"] + volumeMounts: + - mountPath: /tests + name: tests + readOnly: true + {{- with .Values.plutono.testFramework.resources }} + resources: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: tests + configMap: + name: {{ include "plutono.fullname" . }}-test + restartPolicy: Never +{{- end }} 
diff --git a/plutono/charts/values.yaml b/plutono/charts/values.yaml new file mode 100644 index 00000000..d4f50ca3 --- /dev/null +++ b/plutono/charts/values.yaml 
@@ -0,0 +1,1220 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 + +global: + # -- Overrides the Docker registry globally for all images + imageRegistry: null + + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # Can be templated. + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + +plutono: + rbac: + create: true + ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) + # useExistingRole: name-of-some-role + # useExistingClusterRole: name-of-some-clusterRole + pspEnabled: false + pspUseAppArmor: false + namespaced: false + extraRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] + extraClusterRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] + serviceAccount: + create: true + name: + nameTest: + ## ServiceAccount labels. + labels: {} + ## Service account annotations. Can be templated. 
+ # annotations: + # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here + + ## autoMount is deprecated in favor of automountServiceAccountToken + # autoMount: false + automountServiceAccountToken: false + + replicas: 1 + + ## Create a headless service for the deployment + headlessService: false + + ## Should the service account be auto mounted on the pod + automountServiceAccountToken: true + + ## Create HorizontalPodAutoscaler object for deployment type + # + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPU: "60" + targetMemory: "" + behavior: {} + + ## See `kubectl explain poddisruptionbudget.spec` for more + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: {} + # apiVersion: "" + # minAvailable: 1 + # maxUnavailable: 1 + + ## See `kubectl explain deployment.spec.strategy` for more + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + deploymentStrategy: + type: RollingUpdate + + readinessProbe: + httpGet: + path: /api/health + port: 3000 + + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: "default-scheduler" + + image: + registry: ghcr.io + repository: credativ/plutono + # Overrides the Plutono image tag whose default is the chart appVersion + tag: "" + sha: "" + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Can be templated. 
+ ## + pullSecrets: [] + # - myRegistrKeySecretName + + testFramework: + enabled: true + image: + registry: "docker.io" + repository: bats/bats + tag: "1.11.0" + imagePullPolicy: IfNotPresent + securityContext: {} + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # dns configuration for pod + dnsPolicy: ~ + dnsConfig: {} + # nameservers: + # - 8.8.8.8 + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + securityContext: + runAsNonRoot: true + runAsUser: 472 + runAsGroup: 472 + fsGroup: 472 + + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # Enable creating the plutono configmap + createConfigmap: true + + # Extra configmaps to mount in plutono pods + # Values are templated. + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /etc/plutono/ssl/ + # subPath: certificates.crt # (optional) + # configMap: certs-configmap + # readOnly: true + # optional: false + + + extraEmptyDirMounts: [] + # - name: provisioning-notifiers + # mountPath: /etc/plutono/provisioning/notifiers + + + # Apply extra labels to common labels. 
+ extraLabels: + plugin: plutono + + ## Assign a PriorityClassName to pods if set + # priorityClassName: + + downloadDashboardsImage: + # -- The Docker registry + registry: docker.io + repository: curlimages/curl + tag: 7.85.0 + sha: "" + pullPolicy: IfNotPresent + + downloadDashboards: + env: {} + envFromSecret: "" + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + + ## Pod Annotations + # podAnnotations: {} + + ## ConfigMap Annotations + # configMapAnnotations: {} + # argocd.argoproj.io/sync-options: Replace=true + + ## Pod Labels + # podLabels: {} + + podPortName: plutono + gossipPortName: gossip + ## Deployment annotations + # annotations: {} + + ## Expose the plutono service to be accessed from outside the cluster (LoadBalancer service). + ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. + ## ref: http://kubernetes.io/docs/user-guide/services/ + ## + service: + enabled: true + type: ClusterIP + # Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) + ipFamilyPolicy: "" + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. + ipFamilies: [] + loadBalancerIP: "" + loadBalancerClass: "" + loadBalancerSourceRanges: [] + port: 80 + targetPort: 3000 + # targetPort: 4181 To be used with a proxy extraContainer + ## Service annotations. Can be templated. + annotations: {} + labels: + greenhouse.sap/expose: "true" + portName: service + # Adds the appProtocol field to the service. This allows to work with istio protocol selection. 
Ex: "http" or "tcp" + appProtocol: "" + + serviceMonitor: + ## If true, a ServiceMonitor CR is created for a prometheus operator + ## https://github.com/coreos/prometheus-operator + ## + enabled: false + path: /metrics + # namespace: monitoring (defaults to use the namespace this chart is deployed to) + labels: {} + interval: 30s + scheme: http + tlsConfig: {} + scrapeTimeout: 30s + relabelings: [] + metricRelabelings: [] + targetLabels: [] + + extraExposePorts: [] + # - name: keycloak + # port: 8080 + # targetPort: 8080 + + # overrides pod.spec.hostAliases in the plutono deployment's pods + hostAliases: [] + # - ip: "1.2.3.4" + # hostnames: + # - "my.host.com" + + ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Values can be templated + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + + # pathType is only for k8s >= 1.1= + pathType: Prefix + + hosts: + - chart-example.local + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
+ extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## Or for k8s > 1.19 + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: {} + + ## Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## Affinity for pod assignment (evaluated as template) + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + + ## Topology Spread Constraints + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + + ## Additional init containers (evaluated as template) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## + extraInitContainers: [] + + ## Enable an Specify container in extraContainers. 
This is meant to allow adding an authentication proxy to a plutono pod + extraContainers: "" + # extraContainers: | + # - name: proxy + # image: quay.io/gambol99/keycloak-proxy:latest + # args: + # - -provider=github + # - -client-id= + # - -client-secret= + # - -github-org= + # - -email-domain=* + # - -cookie-secret= + # - -http-address=http://0.0.0.0:4181 + # - -upstream-url=http://127.0.0.1:3000 + # ports: + # - name: proxy-web + # containerPort: 4181 + + ## Volumes that can be used in init containers that will not be mounted to deployment pods + extraContainerVolumes: [] + # - name: volume-from-secret + # secret: + # secretName: secret-to-mount + # - name: empty-dir-volume + # emptyDir: {} + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + type: pvc + enabled: false + # storageClassName: default + accessModes: + - ReadWriteOnce + size: 10Gi + # annotations: {} + finalizers: + - kubernetes.io/pvc-protection + # selectorLabels: {} + ## Sub-directory of the PV to mount. Can be templated. + # subPath: "" + ## Name of an existing PVC. Can be templated. + # existingClaim: + ## Extra labels to apply to a PVC. + extraPvcLabels: {} + disableWarning: false + + ## If persistence is not enabled, this allows to mount the + ## local storage in-memory to improve performance + ## + inMemory: + enabled: false + ## The maximum usage on memory medium EmptyDir would be + ## the minimum value between the SizeLimit specified + ## here and the sum of memory limits of all containers in a pod + ## + # sizeLimit: 300Mi + + ## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve + ## the current value of 'spec.volumeName' and incorporate it into the template. 
+ lookupVolumeName: true + + initChownData: + ## If false, data ownership will not be reset at startup + ## This allows the plutono-server to be run with an arbitrary user + ## + enabled: true + + ## initChownData container image + ## + image: + # -- The Docker registry + registry: docker.io + repository: library/busybox + tag: "1.31.1" + sha: "" + pullPolicy: IfNotPresent + + ## initChownData resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + securityContext: + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + add: + - CHOWN + + # Administrator credentials when not using an existing secret (see below) + adminUser: admin + adminPassword: strongpassword + + # Use an existing secret for the admin user. + admin: + ## Name of the secret. Can be templated. + existingSecret: "" + userKey: admin-user + passwordKey: admin-password + + ## Define command to be executed at startup by plutono container + ## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) + ## Default is "run.sh" as defined in plutono's Dockerfile + # command: + # - "sh" + # - "/run.sh" + + ## Optionally define args if command is used + ## Needed if using `hashicorp/envconsul` to manage secrets + ## By default no arguments are set + # args: + # - "-secret" + # - "secret/plutono" + # - "./plutono" + + ## Extra environment variables that will be pass onto deployment pods + ## + ## to provide plutono with access to CloudWatch on AWS EKS: + ## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later) + ## 2. 
edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the + ## same oidc eks provider as noted before (same as the existing line) + ## also, replace NAMESPACE and prometheus-operator-plutono with the service account namespace and name + ## + ## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-plutono", + ## + ## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess + ## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name) + ## + ## env: + ## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here + ## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token + ## AWS_REGION: us-east-1 + ## + ## 5. uncomment the EKS section in extraSecretMounts: below + ## 6. uncomment the annotation section in the serviceAccount: above + ## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn + + env: {} + + ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + ## Renders in container spec as: + ## env: + ## ... + ## - name: + ## valueFrom: + ## + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + + ## The name of a secret in the same kubernetes namespace which contain values to be added to the environment + ## This can be useful for auth tokens, etc. Value is templated. + envFromSecret: "" + + ## Sensible environment variables that will be rendered as new secret object + ## This can be useful for auth tokens, etc. 
+ ## If the secret values contains "{{", they'll need to be properly escaped so that they are not interpreted by Helm + ## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function + envRenderSecret: {} + + ## The names of secrets in the same kubernetes namespace which contain values to be added to the environment + ## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key. + ## Name is templated. + envFromSecrets: [] + ## - name: secret-name + ## prefix: prefix + ## optional: true + + ## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment + ## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key. + ## Name is templated. + ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core + envFromConfigMaps: [] + ## - name: configmap-name + ## prefix: prefix + ## optional: true + + # Inject Kubernetes services as environment variables. + # See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables + enableServiceLinks: true + + ## Additional plutono server secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # secretName: plutono-secret-files + # readOnly: true + # optional: false + # subPath: "" + # + # for AWS EKS (cloudwatch) use the following (see also instruction in env: above) + # - name: aws-iam-token + # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + # readOnly: true + # projected: + # defaultMode: 420 + # sources: + # - serviceAccountToken: + # audience: sts.amazonaws.com + # expirationSeconds: 86400 + # path: token + # + # for CSI e.g. 
Azure Key Vault use the following + # - name: secrets-store-inline + # mountPath: /run/secrets + # readOnly: true + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "akv-plutono-spc" + # nodePublishSecretRef: # Only required when using service principal mode + # name: plutono-akv-creds # Only required when using service principal mode + + ## Additional plutono server volume mounts + # Defines additional volume mounts. + extraVolumeMounts: [] + # - name: extra-volume-0 + # mountPath: /mnt/volume0 + # readOnly: true + # - name: extra-volume-1 + # mountPath: /mnt/volume1 + # readOnly: true + # - name: plutono-secrets + # mountPath: /mnt/volume2 + + ## Additional Plutono server volumes + extraVolumes: [] + # - name: extra-volume-0 + # existingClaim: volume-claim + # - name: extra-volume-1 + # hostPath: + # path: /usr/shared/ + # type: "" + # - name: plutono-secrets + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "plutono-env-spc" + + ## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request + lifecycleHooks: {} + # postStart: + # exec: + # command: [] + + ## Pass the plugins you want installed as a list. + ## + plugins: [] + # - digrich-bubblechart-panel + # - plutono-clock-panel + ## You can also use other plugin download URL, as long as they are valid zip files, + ## and specify the name of the plugin after the semicolon. 
Like this: + # - https://plutono.com/api/plugins/marcusolsson-json-datasource/versions/1.3.2/download;marcusolsson-json-datasource + + ## Configure plutono datasources + ## ref: http://docs.plutono.org/administration/provisioning/#datasources + ## + datasources: {} + # datasources.yaml: + # apiVersion: 1 + # datasources: + # - name: Prometheus + # type: prometheus + # url: http://prometheus-prometheus-server + # access: proxy + # isDefault: true + # - name: CloudWatch + # type: cloudwatch + # access: proxy + # uid: cloudwatch + # editable: false + # jsonData: + # authType: default + # defaultRegion: us-east-1 + # deleteDatasources: [] + # - name: Prometheus + + ## Configure plutono alerting (can be templated) + ## ref: http://docs.plutono.org/administration/provisioning/#alerting + ## + alerting: {} + # rules.yaml: + # apiVersion: 1 + # groups: + # - orgId: 1 + # name: '{{ .Chart.Name }}_my_rule_group' + # folder: my_first_folder + # interval: 60s + # rules: + # - uid: my_id_1 + # title: my_first_rule + # condition: A + # data: + # - refId: A + # datasourceUid: '-100' + # model: + # conditions: + # - evaluator: + # params: + # - 3 + # type: gt + # operator: + # type: and + # query: + # params: + # - A + # reducer: + # type: last + # type: query + # datasource: + # type: __expr__ + # uid: '-100' + # expression: 1==0 + # intervalMs: 1000 + # maxDataPoints: 43200 + # refId: A + # type: math + # dashboardUid: my_dashboard + # panelId: 123 + # noDataState: Alerting + # for: 60s + # annotations: + # some_key: some_value + # labels: + # team: sre_team_1 + # contactpoints.yaml: + # secret: + # apiVersion: 1 + # contactPoints: + # - orgId: 1 + # name: cp_1 + # receivers: + # - uid: first_uid + # type: pagerduty + # settings: + # integrationKey: XXX + # severity: critical + # class: ping failure + # component: Plutono + # group: app-stack + # summary: | + # {{ `{{ include "default.message" . 
}}` }} + + dashboardProviders: {} + # dashboardproviders.yaml: + # apiVersion: 1 + # providers: + # - name: 'default' + # orgId: 1 + # folder: '' + # type: file + # disableDeletion: false + # editable: true + # options: + # path: /var/lib/plutono/dashboards/default + + ## Configure plutono dashboard to import + ## NOTE: To use dashboards you must also enable/configure dashboardProviders + ## ref: https://plutono.com/dashboards + ## + ## dashboards per provider, use provider name as key. + ## + dashboards: {} + # default: + # some-dashboard: + # json: | + # $RAW_JSON + # custom-dashboard: + # file: dashboards/custom-dashboard.json + # prometheus-stats: + # gnetId: 2 + # revision: 2 + # datasource: Prometheus + # local-dashboard: + # url: https://example.com/repository/test.json + # token: '' + # local-dashboard-base64: + # url: https://example.com/repository/test-b64.json + # token: '' + # b64content: true + # local-dashboard-gitlab: + # url: https://example.com/repository/test-gitlab.json + # gitlabToken: '' + # local-dashboard-bitbucket: + # url: https://example.com/repository/test-bitbucket.json + # bearerToken: '' + # local-dashboard-azure: + # url: https://example.com/repository/test-azure.json + # basic: '' + # acceptHeader: '*/*' + + ## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value. + ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. 
+ ## ConfigMap data example: + ## + ## data: + ## example-dashboard.json: | + ## RAW_JSON + ## + dashboardsConfigMaps: {} + # default: "" + + ## Plutono's primary configuration + ## NOTE: values in map will be converted to ini format + ## ref: http://docs.plutono.org/installation/configuration/ + ## + plutono.ini: + paths: + data: /var/lib/plutono/ + logs: /var/log/plutono + plugins: /var/lib/plutono/plugins + provisioning: /etc/plutono/provisioning + log: + mode: console + auth: + disable_login_form: true + auth.anonymous: + # enable anonymous access + enabled: true + # specify organization name that should be used for unauthenticated users + org_role: Admin + + ## plutono Authentication can be enabled with the following values on plutono.ini + # server: + # The full public facing url you use in browser, used for redirects and emails + # root_url: + # https://plutono.com/docs/plutono/latest/auth/github/#enable-github-in-plutono + # auth.github: + # enabled: false + # allow_sign_up: false + # scopes: user:email,read:org + # auth_url: https://github.com/login/oauth/authorize + # token_url: https://github.com/login/oauth/access_token + # api_url: https://api.github.com/user + # team_ids: + # allowed_organizations: + # client_id: + # client_secret: + ## LDAP Authentication can be enabled with the following values on plutono.ini + ## NOTE: Plutono will fail to start if the value for ldap.toml is invalid + # auth.ldap: + # enabled: true + # allow_sign_up: true + # config_file: /etc/plutono/ldap.toml + + ## Plutono's LDAP configuration + ## Templated by the template in _helpers.tpl + ## NOTE: To enable the plutono.ini must be configured with auth.ldap.enabled + ## ref: http://docs.plutono.org/installation/configuration/#auth-ldap + ## ref: http://docs.plutono.org/installation/ldap/#configuration + ldap: + enabled: false + # `existingSecret` is a reference to an existing secret containing the ldap configuration + # for Plutono in a key `ldap-toml`. 
+ existingSecret: "" + # `config` is the content of `ldap.toml` that will be stored in the created secret + config: "" + # config: |- + # verbose_logging = true + + # [[servers]] + # host = "my-ldap-server" + # port = 636 + # use_ssl = true + # start_tls = false + # ssl_skip_verify = false + # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com" + + ## Plutono's SMTP configuration + ## NOTE: To enable, plutono.ini must be configured with smtp.enabled + ## ref: http://docs.plutono.org/installation/configuration/#smtp + smtp: + # `existingSecret` is a reference to an existing secret containing the smtp configuration + # for Plutono. + existingSecret: "" + userKey: "user" + passwordKey: "password" + + ## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders + ## Requires at least Plutono 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards + sidecar: + image: + # -- The Docker registry + registry: quay.io + repository: kiwigrid/k8s-sidecar + tag: 1.27.5 + sha: "" + imagePullPolicy: IfNotPresent + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # cpu: 50m + # memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + # skipTlsVerify Set to true to skip tls verification for kube api calls + # skipTlsVerify: true + enableUniqueFilenames: false + readinessProbe: {} + livenessProbe: {} + # Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO + # logLevel: INFO + alerts: + enabled: false + # Additional environment variables for the alerts sidecar + env: {} + # Do not reprocess already processed unchanged resources on k8s API reconnect. 
+ # ignoreAlreadyProcessed: true + # label that the configmaps with alert are marked with + label: plutono_alert + # value of label that the configmaps with alert are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for alert config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # Endpoint to send request to reload alerts + reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload" + # Absolute path to shell script to execute after a alert got reloaded + script: null + skipReload: false + # This is needed if skipReload is true, to load any alerts defined at startup time. + # Deploy the alert sidecar as an initContainer. 
+ initAlerts: false + # Additional alert sidecar volume mounts + extraMounts: [] + # Sets the size limit of the alert sidecar emptyDir volume + sizeLimit: {} + dashboards: + enabled: true + # Additional environment variables for the dashboards sidecar + env: {} + ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + ## Renders in container spec as: + ## env: + ## ... + ## - name: + ## valueFrom: + ## + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + SCProvider: true + # label that the configmaps with dashboards are marked with + label: plutono-dashboard + # value of label that the configmaps with dashboards are set to + labelValue: "true" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set) + folder: /tmp/dashboards + # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead + defaultFolderName: null + # Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces. + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # If specified, the sidecar will look for annotation with this name to create folder and put graph here. 
+ # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure. + folderAnnotation: null + # Endpoint to send request to reload alerts + reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload" + # Absolute path to shell script to execute after a configmap got reloaded + script: null + skipReload: false + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # provider configuration that lets plutono manage the dashboards + provider: + # name of the provider, should be unique + name: sidecarProvider + # orgid as configured in plutono + orgid: 1 + # folder in which the dashboards should be imported in plutono + folder: '' + # folder UID. will be automatically generated if not specified + folderUid: '' + # type of the provider + type: file + # disableDelete to activate a import-only behaviour + disableDelete: false + # allow updating provisioned dashboards from the UI + allowUiUpdates: false + # allow Plutono to replicate dashboard structure from filesystem + foldersFromFilesStructure: false + # Additional dashboard sidecar volume mounts + extraMounts: [] + # Sets the size limit of the dashboard sidecar emptyDir volume + sizeLimit: {} + datasources: + enabled: true + # Additional environment variables for the datasourcessidecar + env: {} + ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + ## Renders in container spec as: + ## env: + ## ... + ## - name: + ## valueFrom: + ## + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with datasources are marked with + label: plutono-datasource + # value of label that the configmaps with datasources are set to + labelValue: "true" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for datasource config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) 
+ # watchClientTimeout: 60 + # + # Endpoint to send request to reload datasources + reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload" + # Absolute path to shell script to execute after a datasource got reloaded + script: null + skipReload: false + # This is needed if skipReload is true, to load any datasources defined at startup time. + # Deploy the datasources sidecar as an initContainer. + initDatasources: false + # Sets the size limit of the datasource sidecar emptyDir volume + sizeLimit: {} + plugins: + enabled: false + # Additional environment variables for the plugins sidecar + env: {} + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with plugins are marked with + label: plutono_plugin + # value of label that the configmaps with plugins are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for plugin config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) 
+ # watchClientTimeout: 60 + # + # Endpoint to send request to reload plugins + reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload" + # Absolute path to shell script to execute after a plugin got reloaded + script: null + skipReload: false + # Deploy the datasource sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any plugins defined at startup time. + initPlugins: false + # Sets the size limit of the plugin sidecar emptyDir volume + sizeLimit: {} + notifiers: + enabled: false + # Additional environment variables for the notifierssidecar + env: {} + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with notifiers are marked with + label: plutono_notifier + # value of label that the configmaps with notifiers are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for notifier config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) 
+ # watchClientTimeout: 60 + # + # Endpoint to send request to reload notifiers + reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload" + # Absolute path to shell script to execute after a notifier got reloaded + script: null + skipReload: false + # Deploy the notifier sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any notifiers defined at startup time. + initNotifiers: false + # Sets the size limit of the notifier sidecar emptyDir volume + sizeLimit: {} + + ## Override the deployment namespace + ## + namespaceOverride: "" + + ## Number of old ReplicaSets to retain + ## + revisionHistoryLimit: 10 + + networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to plutono port defined. + ## When true, plutono will accept connections from any source + ## (with the correct destination port). + ## + ingress: true + ## @param networkPolicy.ingress When true enables the creation + ## an ingress network policy + ## + allowExternal: true + ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed + ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the plutono. + ## But sometimes, we want the plutono to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. 
+ ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} + ## + ## + ## + ## + ## + ## + egress: + ## @param networkPolicy.egress.enabled When enabled, an egress network policy will be + ## created allowing plutono to connect to external data sources from kubernetes cluster. + enabled: false + ## + ## @param networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked + ## for all pods in the plutono namespace. + blockDNSResolution: false + ## + ## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress + ports: [] + ## Add ports to the egress by specifying - port: + ## E.X. + ## - port: 80 + ## - port: 443 + ## + ## @param networkPolicy.egress.to Allow egress traffic to specific destinations + to: [] + ## Add destinations to the egress by specifying - ipBlock: + ## E.X. + ## to: + ## - namespaceSelector: + ## matchExpressions: + ## - {key: role, operator: In, values: [plutono]} + ## + ## + ## + ## + ## + + # Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option + enableKubeBackwardCompatibility: false + useStatefulSet: false + # Create a dynamic manifests via values: + extraObjects: [] + # - apiVersion: "kubernetes-client.io/v1" + # kind: ExternalSecret + # metadata: + # name: plutono-secrets + # spec: + # backendType: gcpSecretsManager + # data: + # - key: plutono-admin-password + # name: adminPassword + + # assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret + # values are not exposed in the rendered plutono.ini configmap. It is enabled by default. 
+ # + # To pass values into plutono.ini without exposing them in a configmap, use variable expansion: + # https://plutono.com/docs/plutono/latest/setup-plutono/configure-plutono/#variable-expansion + # + # Alternatively, if you wish to allow secret values to be exposed in the rendered plutono.ini configmap, + # you can disable this check by setting assertNoLeakedSecrets to false. + assertNoLeakedSecrets: true diff --git a/plutono/plugindefinition.yaml b/plutono/plugindefinition.yaml new file mode 100644 index 00000000..52a43dad --- /dev/null +++ b/plutono/plugindefinition.yaml @@ -0,0 +1,13 @@ +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors +# SPDX-License-Identifier: Apache-2.0 +apiVersion: greenhouse.sap/v1alpha1 +kind: PluginDefinition +metadata: + name: plutono +spec: + description: Plutono is a fork of Grafana 7.5.17 limited to maintenance and security updates. + version: 0.1.0 + helmChart: + name: plutono + repository: oci://ghcr.io/cloudoperators/greenhouse-extensions/charts + version: 0.1.0
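Review bot: the `plutono.ini` defaults grant organization Admin to unauthenticated users: `auth.anonymous.enabled: true` together with `org_role: Admin` and `auth.disable_login_form: true`, while `networkPolicy.enabled` is `false`. Anyone who can reach the service on port 3000 can then change data sources and dashboards without logging in. If anonymous access is the intended out-of-the-box mode, consider `org_role: Viewer` as the default and require an explicit override for Admin, or at least document the exposure next to the setting. The comment directly above `org_role` ("specify organization name that should be used for unauthenticated users") also describes the wrong thing; it should say organization role.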
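Review bot: the `sidecar.securityContext` block drops all capabilities, sets `allowPrivilegeEscalation: false` and `seccompProfile: RuntimeDefault`, but omits `runAsNonRoot: true` and `readOnlyRootFilesystem: true`. Since the sidecars only write into their `emptyDir` mount under `folder` (for example `/tmp/dashboards`), both settings should be safe to add and would let the pod pass a restricted Pod Security Standard. Also note that `resource: both` with `searchNamespace: null` means the sidecars read Secrets as well as ConfigMaps, but only in their own namespace by default; the `ALL` option mentioned in the comments widens that to every namespace and should be called out as a deliberate choice because the sidecar's RBAC then needs cluster-wide read on Secrets.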
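Review bot: in the `networkPolicy` block the `@param` comments are attached to the wrong keys. The paragraph documenting `networkPolicy.allowExternal` ("Don't require client label for connections ...") sits above `ingress: true`, and the paragraph documenting `networkPolicy.ingress` ("When true enables the creation an ingress network policy") sits above `allowExternal: true`. Swap the two comment blocks so each key carries its own description, and fix "enables the creation an ingress" to "enables the creation of an ingress". The run of six empty `##` lines after `explicitNamespacesSelector: {}` and after `to: []` can be dropped as well.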
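Review bot: a handful of comment typos and copy-paste leftovers in the values file: "conifgmaps" in the `envFromConfigMaps` comment; "Sensible environment variables" above `envRenderSecret` should read "Sensitive"; "stores the included files them into the respective folders" in the `sidecar` header; "datasourcessidecar" and "notifierssidecar" are missing a space; under `sidecar.plugins` the line "Deploy the datasource sidecar as an initContainer in addition to a container." above `initPlugins` should refer to the plugins sidecar; and under `sidecar.alerts` the two comments before `initAlerts` are in the opposite order from the other sidecar sections ("This is needed if skipReload is true" precedes "Deploy the alert sidecar as an initContainer"), which reads as if the first sentence belonged to `skipReload`.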