""
|
-| fullnameOverride | Overrides fullname template | ""
|
-| replicaCount | Number of KubeVault webhook server replicas to create (only 1 is supported) | 1
|
-| license | License for the product. Get a license by following the steps from [here](https://kubevault.com/docs/latest/setup/install/enterprise/#get-a-trial-license). ""
|
-| licenseSecretName | Name of Secret with the license as key.txt key | ""
|
-| registryFQDN | Docker registry fqdn used to pull docker images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io
|
-| server.registry | Docker registry used to pull KubeVault webhook server image | kubevault
|
-| server.repository | KubeVault webhook server container image | vault-operator
|
-| server.tag | KubeVault webhook server container image tag | ""
|
-| server.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534}
|
-| server.resources | Compute Resources required by the webhook server container | {}
|
-| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace. []
|
-| imagePullPolicy | Container image pull policy | IfNotPresent
|
-| criticalAddon | If true, installs KubeVault webhook server as critical addon | false
|
-| logLevel | Log level for webhook server | 3
|
-| annotations | Annotations applied to webhook server deployment | {}
|
-| podAnnotations | Annotations passed to webhook server pod(s). | {}
|
-| nodeSelector | Node labels for pod assignment | {"kubernetes.io/os":"linux"}
|
-| tolerations | Tolerations for pod assignment | []
|
-| affinity | Affinity rules for pod assignment | {}
|
-| podSecurityContext | Security options the webhook server pod should run with. | {}
|
-| serviceAccount.create | Specifies whether a service account should be created | true
|
-| serviceAccount.annotations | Annotations to add to the service account | {}
|
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
-| apiserver.groupPriorityMinimum | The minimum priority the webhook api group should have at least. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 for more information on proper values of this field. | 10000
|
-| apiserver.versionPriority | The ordering of the webhook api inside of the group. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 for more information on proper values of this field | 15
|
-| apiserver.enableMutatingWebhook | If true, mutating webhook is configured for KubeVault CRDss | true
|
-| apiserver.enableValidatingWebhook | If true, validating webhook is configured for KubeVault CRDss | true
|
-| apiserver.ca | CA certificate used by the Kubernetes api server. This field is automatically assigned by the webhook server. | not-ca-cert
|
-| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true
|
-| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the webhook server pod. | false
|
-| apiserver.port | Port used to expose the webhook server apiserver | 8443
|
-| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate webhook servers pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true
|
-| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | ""
|
-| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | ""
|
-| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | ""
|
-| apiserver.webhook.failurePolicy | | Ignore
|
-| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | ""
|
-| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/webhook server`. | {}
|
+| Parameter | Description | Default |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| nameOverride | Overrides name template | ""
|
+| fullnameOverride | Overrides fullname template | ""
|
+| replicaCount | Number of KubeVault webhook server replicas to create (only 1 is supported) | 1
|
+| registryFQDN | Docker registry fqdn used to pull docker images Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io
|
+| server.registry | Docker registry used to pull KubeVault webhook server image | kubevault
|
+| server.repository | KubeVault webhook server container image | vault-operator
|
+| server.tag | KubeVault webhook server container image tag | ""
|
+| server.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534}
|
+| server.resources | Compute Resources required by the webhook server container | {}
|
+| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace. []
|
+| imagePullPolicy | Container image pull policy | IfNotPresent
|
+| criticalAddon | If true, installs KubeVault webhook server as critical addon | false
|
+| logLevel | Log level for webhook server | 3
|
+| annotations | Annotations applied to webhook server deployment | {}
|
+| podAnnotations | Annotations passed to webhook server pod(s). | {}
|
+| nodeSelector | Node labels for pod assignment | {"kubernetes.io/os":"linux"}
|
+| tolerations | Tolerations for pod assignment | []
|
+| affinity | Affinity rules for pod assignment | {}
|
+| podSecurityContext | Security options the webhook server pod should run with. | {}
|
+| serviceAccount.create | Specifies whether a service account should be created | true
|
+| serviceAccount.annotations | Annotations to add to the service account | {}
|
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
+| apiserver.groupPriorityMinimum | The minimum priority the webhook api group should have at least. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 for more information on proper values of this field. | 10000
|
+| apiserver.versionPriority | The ordering of the webhook api inside of the group. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 for more information on proper values of this field | 15
|
+| apiserver.enableMutatingWebhook | If true, mutating webhook is configured for KubeVault CRDss | true
|
+| apiserver.enableValidatingWebhook | If true, validating webhook is configured for KubeVault CRDss | true
|
+| apiserver.ca | CA certificate used by the Kubernetes api server. This field is automatically assigned by the webhook server. | not-ca-cert
|
+| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true
|
+| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the webhook server pod. | false
|
+| apiserver.port | Port used to expose the webhook server apiserver | 8443
|
+| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate webhook servers pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true
|
+| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | ""
|
+| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | ""
|
+| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | ""
|
+| apiserver.webhook.failurePolicy | | Ignore
|
+| monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | ""
|
+| monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/webhook server`. | {}
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/kubevault-webhook-server/templates/_helpers.tpl b/charts/kubevault-webhook-server/templates/_helpers.tpl
index 1c65b276..84b6991d 100644
--- a/charts/kubevault-webhook-server/templates/_helpers.tpl
+++ b/charts/kubevault-webhook-server/templates/_helpers.tpl
@@ -62,24 +62,6 @@ Create the name of the service account to use
{{- end }}
{{- end }}
-{{/*
-Returns the appscode license
-*/}}
-{{- define "appscode.license" -}}
-{{- .Values.license }}
-{{- end }}
-
-{{/*
-Returns the appscode license secret name
-*/}}
-{{- define "appscode.licenseSecretName" -}}
-{{- if .Values.licenseSecretName }}
-{{- .Values.licenseSecretName -}}
-{{- else if .Values.license }}
-{{- printf "%s-license" (include "kubevault-webhook-server.fullname" .) -}}
-{{- end }}
-{{- end }}
-
{{/*
Returns the registry used for operator docker image
*/}}
diff --git a/charts/kubevault-webhook-server/templates/deployment.yaml b/charts/kubevault-webhook-server/templates/deployment.yaml
index d9f7c3ba..2bb74b8b 100644
--- a/charts/kubevault-webhook-server/templates/deployment.yaml
+++ b/charts/kubevault-webhook-server/templates/deployment.yaml
@@ -50,9 +50,6 @@ spec:
- --enable-mutating-webhook={{ .Values.apiserver.enableMutatingWebhook }}
- --enable-validating-webhook={{ .Values.apiserver.enableValidatingWebhook }}
- --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }}
- {{- if include "appscode.licenseSecretName" . }}
- - --license-file=/var/run/secrets/appscode/license/key.txt
- {{- end }}
env:
- name: POD_NAME
valueFrom:
@@ -70,10 +67,6 @@ spec:
name: tmpdir
- mountPath: /var/serving-cert
name: serving-cert
- {{- if include "appscode.licenseSecretName" . }}
- - mountPath: /var/run/secrets/appscode/license
- name: license
- {{- end }}
{{- if .Values.apiserver.healthcheck.enabled }}
readinessProbe:
httpGet:
@@ -98,12 +91,6 @@ spec:
secret:
defaultMode: 420
secretName: {{ include "kubevault-webhook-server.fullname" . }}-apiserver-cert
- {{- if include "appscode.licenseSecretName" . }}
- - name: license
- secret:
- defaultMode: 420
- secretName: {{ include "appscode.licenseSecretName" . }}
- {{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if or .Values.tolerations $criticalAddon }}
diff --git a/charts/kubevault-webhook-server/templates/license-checker-cluster-role-binding.yaml b/charts/kubevault-webhook-server/templates/license-checker-cluster-role-binding.yaml
deleted file mode 100644
index 88c8613a..00000000
--- a/charts/kubevault-webhook-server/templates/license-checker-cluster-role-binding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kubevault-webhook-server.fullname" . }}-license-checker
- labels:
- {{- include "kubevault-webhook-server.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: appscode:license-checker
-subjects:
-- kind: ServiceAccount
- name: {{ include "kubevault-webhook-server.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
diff --git a/charts/kubevault-webhook-server/templates/license-checker-cluster-role.yaml b/charts/kubevault-webhook-server/templates/license-checker-cluster-role.yaml
deleted file mode 100644
index 184b3c7a..00000000
--- a/charts/kubevault-webhook-server/templates/license-checker-cluster-role.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: appscode:license-checker
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation
-rules:
-# Get cluster id
-- apiGroups:
- - ""
- resources:
- - namespaces
- verbs: ["get"]
-# Issue license
-- apiGroups:
- - proxyserver.licenses.appscode.com
- resources:
- - licenserequests
- verbs: ["create"]
-# Detect workload/owner of operator pod
-- apiGroups:
- - ""
- resources:
- - pods
- verbs: ["get"]
-- apiGroups:
- - apps
- resources:
- - deployments
- - replicasets
- verbs: ["get"]
-# Write events in case of license verification failure
-- apiGroups:
- - ""
- resources:
- - events
- verbs: ["get", "list", "create", "patch"]
diff --git a/charts/kubevault-webhook-server/templates/license-reader-cluster-role-binding.yaml b/charts/kubevault-webhook-server/templates/license-reader-cluster-role-binding.yaml
deleted file mode 100644
index 6fe27555..00000000
--- a/charts/kubevault-webhook-server/templates/license-reader-cluster-role-binding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kubevault-webhook-server.fullname" . }}-license-reader
- labels:
- {{- include "kubevault-webhook-server.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: appscode:license-reader
-subjects:
-- kind: ServiceAccount
- name: {{ include "kubevault-webhook-server.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
diff --git a/charts/kubevault-webhook-server/templates/license-reader-cluster-role.yaml b/charts/kubevault-webhook-server/templates/license-reader-cluster-role.yaml
deleted file mode 100644
index 655cc6d4..00000000
--- a/charts/kubevault-webhook-server/templates/license-reader-cluster-role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: appscode:license-reader
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-delete-policy": before-hook-creation
-rules:
-# Detect license server endpoint for kubevault addons
-- apiGroups:
- - apiregistration.k8s.io
- resources:
- - apiservices
- verbs: ["get"]
-- nonResourceURLs:
- - /appscode/license
- verbs: ["get"]
diff --git a/charts/kubevault-webhook-server/templates/license.yaml b/charts/kubevault-webhook-server/templates/license.yaml
deleted file mode 100644
index 22253f0e..00000000
--- a/charts/kubevault-webhook-server/templates/license.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# if license file is provided, then create a secret for license
-{{- if include "appscode.license" . }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "appscode.licenseSecretName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kubevault-webhook-server.labels" . | nindent 4 }}
-type: Opaque
-data:
- key.txt: {{ include "appscode.license" . | b64enc }}
-{{- end }}
diff --git a/charts/kubevault-webhook-server/values.openapiv3_schema.yaml b/charts/kubevault-webhook-server/values.openapiv3_schema.yaml
index 58f9567b..fae1dc04 100644
--- a/charts/kubevault-webhook-server/values.openapiv3_schema.yaml
+++ b/charts/kubevault-webhook-server/values.openapiv3_schema.yaml
@@ -954,10 +954,6 @@ properties:
items:
type: string
type: array
- license:
- type: string
- licenseSecretName:
- type: string
logLevel:
format: int32
type: integer
diff --git a/charts/kubevault-webhook-server/values.yaml b/charts/kubevault-webhook-server/values.yaml
index d55e2ce1..b8c9fe73 100644
--- a/charts/kubevault-webhook-server/values.yaml
+++ b/charts/kubevault-webhook-server/values.yaml
@@ -9,17 +9,6 @@ nameOverride: ""
fullnameOverride: ""
# Number of KubeVault webhook server replicas to create (only 1 is supported)
replicaCount: 1
-# License for the product.
-# Get a license by following the steps from [here](https://kubevault.com/docs/latest/setup/install/enterprise/#get-a-trial-license).
-# Example:
-# helm install appscode/kubevault-ops-manager \
-# --set-file license=/path/to/license/file
-# or
-# helm install appscode/kubevault-ops-manager \
-# --set license=