From 4c7dc314ef753d660c01da6ec8d3de63723688ca Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Fri, 21 Jul 2023 08:46:36 +0200 Subject: [PATCH] feat: add helm chart (#379) * Added helm chart source for the operator This commit includes a new directory, helm, which contains the necessary files for deploying the application to Kubernetes clusters using the Helm package manager. The chart includes: - Deployment - Role and role binding - Service account - CRD definition Resources for the Pulumi Kubernetes Operator, as well as the configurable values file (values.yaml) for specifying the deployment of the Operator. This change will allow our customers to more easily manage and deploy the Operator on various Kubernetes environments, streamlining the process and reducing the potential for errors. Signed-off-by: Engin Diri * Add GitHub workflows to build, test and distribute the Helm chart This commit introduces a series of GitHub workflows to the codebase, which will be used to automate various tasks related to continuous integration and deployment. These workflows are defined in the `.github/workflows` directory, and include the following: - `ct-linting-and-testing.yaml`: This workflow is triggered on pull requests, and is responsible for linting and testing the chart to ensure that it is in a releasable state. - `chart-publish.yaml`: This workflow is triggered on the main branch only when changes are detected in the chart directory, and is responsible for releasing the chart as traditional bundle and OCI artefact. - Diverse linter configuration files to tune the linting process to our needs. Overall, these workflows will help to streamline the development process of the Helm charts and ensure that templating code is always in a deployable state. Signed-off-by: Engin Diri * feat: update all actions Signed-off-by: Engin Diri * feat: update all actions Signed-off-by: Engin Diri * feat: update helm chart name Signed-off-by: Engin Diri * chore: add changelog entry --------- Signed-off-by: Engin Diri Co-authored-by: Engin Diri Co-authored-by: Ramon Quitales --- .github/configs/cr.yaml | 2 + .github/configs/ct-install.yaml | 13 + .github/configs/ct-lint.yaml | 13 + .github/configs/lintconf.yaml | 42 + .github/workflows/chart-lint-and-test.yml | 75 + .github/workflows/chart-publish.yaml | 79 + CHANGELOG.md | 1 + deploy/helm/pulumi-operator/.helmignore | 23 + deploy/helm/pulumi-operator/Chart.yaml | 38 + deploy/helm/pulumi-operator/README.md | 125 ++ deploy/helm/pulumi-operator/README.md.gotmpl | 82 + .../pulumi-operator/crds/program-crd.yaml | 186 +++ .../helm/pulumi-operator/crds/stack-crd.yaml | 1465 +++++++++++++++++ .../pulumi-operator/templates/_helpers.tpl | 62 + .../pulumi-operator/templates/deployment.yaml | 113 ++ .../helm/pulumi-operator/templates/role.yaml | 90 + .../templates/rolebinding.yaml | 14 + deploy/helm/pulumi-operator/templates/sa.yaml | 12 + .../pulumi-operator/templates/service.yaml | 24 + .../templates/servicemonitor.yaml | 45 + deploy/helm/pulumi-operator/values.yaml | 145 ++ 21 files changed, 2649 insertions(+) create mode 100644 .github/configs/cr.yaml create mode 100644 .github/configs/ct-install.yaml create mode 100644 .github/configs/ct-lint.yaml create mode 100644 .github/configs/lintconf.yaml create mode 100644 .github/workflows/chart-lint-and-test.yml create mode 100644 .github/workflows/chart-publish.yaml create mode 100755 deploy/helm/pulumi-operator/.helmignore create mode 100755 deploy/helm/pulumi-operator/Chart.yaml create mode 100644 deploy/helm/pulumi-operator/README.md create mode 100644 deploy/helm/pulumi-operator/README.md.gotmpl create mode 100644 deploy/helm/pulumi-operator/crds/program-crd.yaml create mode 100644 deploy/helm/pulumi-operator/crds/stack-crd.yaml create mode 100755 deploy/helm/pulumi-operator/templates/_helpers.tpl create mode 100644 deploy/helm/pulumi-operator/templates/deployment.yaml create mode 100644 deploy/helm/pulumi-operator/templates/role.yaml create mode 100644 deploy/helm/pulumi-operator/templates/rolebinding.yaml create mode 100644 deploy/helm/pulumi-operator/templates/sa.yaml create mode 100644 deploy/helm/pulumi-operator/templates/service.yaml create mode 100644 deploy/helm/pulumi-operator/templates/servicemonitor.yaml create mode 100644 deploy/helm/pulumi-operator/values.yaml diff --git a/.github/configs/cr.yaml b/.github/configs/cr.yaml new file mode 100644 index 00000000..612b8390 --- /dev/null +++ b/.github/configs/cr.yaml @@ -0,0 +1,2 @@ +## Reference: https://github.com/helm/chart-releaser +index-path: "./index.yaml" \ No newline at end of file diff --git a/.github/configs/ct-install.yaml b/.github/configs/ct-install.yaml new file mode 100644 index 00000000..2946efdf --- /dev/null +++ b/.github/configs/ct-install.yaml @@ -0,0 +1,13 @@ +## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md +# Don't add the 'debug' attribute, otherwise the workflow won't work anymore +# Only Used for the CT Lint Stage +remote: origin +target-branch: master +chart-dirs: + - deploy/helm +helm-extra-args: "--timeout 600s" +validate-chart-schema: false +validate-maintainers: true +validate-yaml: true +exclude-deprecated: true +excluded-charts: [] diff --git a/.github/configs/ct-lint.yaml b/.github/configs/ct-lint.yaml new file mode 100644 index 00000000..2946efdf --- /dev/null +++ b/.github/configs/ct-lint.yaml @@ -0,0 +1,13 @@ +## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md +# Don't add the 'debug' attribute, otherwise the workflow won't work anymore +# Only Used for the CT Lint Stage +remote: origin +target-branch: master +chart-dirs: + - deploy/helm +helm-extra-args: "--timeout 600s" +validate-chart-schema: false +validate-maintainers: true +validate-yaml: true +exclude-deprecated: true +excluded-charts: [] diff --git a/.github/configs/lintconf.yaml b/.github/configs/lintconf.yaml new file mode 100644 index 00000000..f52bab7e --- /dev/null +++ b/.github/configs/lintconf.yaml @@ -0,0 +1,42 @@ +--- +rules: + braces: + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: -1 + max-spaces-inside-empty: -1 + brackets: + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: -1 + max-spaces-inside-empty: -1 + colons: + max-spaces-before: 0 + max-spaces-after: 1 + commas: + max-spaces-before: 0 + min-spaces-after: 1 + max-spaces-after: 1 + comments: + require-starting-space: true + min-spaces-from-content: 1 + document-end: disable + document-start: disable # No --- to start a file + empty-lines: + max: 2 + max-start: 0 + max-end: 0 + hyphens: + max-spaces-after: 1 + indentation: + spaces: consistent + indent-sequences: whatever # - list indentation will handle both indentation and without + check-multi-line-strings: false + key-duplicates: enable + line-length: disable # Lines can be any length + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + level: warning \ No newline at end of file diff --git a/.github/workflows/chart-lint-and-test.yml b/.github/workflows/chart-lint-and-test.yml new file mode 100644 index 00000000..ba2eaa20 --- /dev/null +++ b/.github/workflows/chart-lint-and-test.yml @@ -0,0 +1,75 @@ +name: ct-linting-and-testing +on: + pull_request: + paths: + - deploy/helm/** + +permissions: read-all + +jobs: + chart-test: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + with: + fetch-depth: 0 + + - name: Set up Helm + uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + with: + version: v3.6.3 + + - name: Set up python + uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 + with: + python-version: 3.7 + + - name: Run Trivy vulnerability scanner in IaC mode + uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0 + with: + scan-type: 'config' + hide-progress: false + format: 'sarif' + scan-ref: 'deploy/helm/pulumi-operator' + output: 'trivy-results.sarif' + exit-code: '1' + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + with: + sarif_file: 'trivy-results.sarif' + + - name: Setup Chart Linting + id: lint + uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0 + + - name: List changed charts + id: list-changed + run: | + ## If executed with debug this won't work anymore. + changed=$(ct --config ./.github/configs/ct-lint.yaml list-changed) + charts=$(echo "$changed" | tr '\n' ' ' | xargs) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + echo "::set-output name=changed_charts::$charts" + fi + + - name: Run Artifact Hub lint + run: | + curl -s https://api.github.com/repos/artifacthub/hub/releases/latest | grep -E 'browser_download_url' | grep linux_amd64.tar.gz\" | grep -Eo 'https://[^\"]*' | xargs wget -O - | tar -xz + ./ah lint -p deploy/helm/pulumi-operator || exit 1 + rm -f ./ah + + - name: Run chart-testing (lint) + run: ct lint --debug --config ./.github/configs/ct-lint.yaml --lint-conf ./.github/configs/lintconf.yaml + + - name: Create kind cluster + uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 + if: steps.list-changed.outputs.changed == 'true' + + - name: Run chart-testing (install) + run: ct install --config ./.github/configs/ct-lint.yaml + if: steps.list-changed.outputs.changed == 'true' diff --git a/.github/workflows/chart-publish.yaml b/.github/workflows/chart-publish.yaml new file mode 100644 index 00000000..205a8c83 --- /dev/null +++ b/.github/workflows/chart-publish.yaml @@ -0,0 +1,79 @@ +--- +name: chart-publish +on: + push: + branches: + - master + paths: + - "deploy/helm/**" +env: + HELM_DOCS_VERSION: "1.11.0" + +permissions: read-all + +jobs: + publish: + permissions: + contents: write # for helm/chart-releaser-action to push chart release and create a release + packages: write # for helm/chart-releaser-action to push chart release and create a release + id-token: write # for helm/chart-releaser-action to push chart release and create a release + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + with: + fetch-depth: 0 + + - name: Install Helm + uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: install helm-docs + run: | + cd /tmp + wget https://github.com/norwoodj/helm-docs/releases/download/v${{env.HELM_DOCS_VERSION}}/helm-docs_${{env.HELM_DOCS_VERSION}}_Linux_x86_64.tar.gz + tar -xvf helm-docs_${{env.HELM_DOCS_VERSION}}_Linux_x86_64.tar.gz + sudo mv helm-docs /usr/local/sbin + + - name: run helm-docs + run: | + helm-docs -t README.md.gotmpl -o README.md -b for-the-badge + + - name: Login to GHCR + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 + with: + registry: ghcr.io + username: ${ GITHUB_REPOSITORY_OWNER } + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Run Artifact Hub lint + run: | + curl -s https://api.github.com/repos/artifacthub/hub/releases/latest | grep -E 'browser_download_url' | grep linux_amd64.tar.gz\" | grep -Eo 'https://[^\"]*' | xargs wget -O - | tar -xz + ./ah lint -p deploy/helm/pulumi-operator || exit 1 + rm -f ./ah + + - name: Run chart-releaser + uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 + with: + config: "./.github/configs/cr.yaml" + charts_dir: "deploy/helm" + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - uses: sigstore/cosign-installer@204a51a57a74d190b284a0ce69b44bc37201f343 # v3.0.3 + - name: Push chart to GHCR + env: + COSIGN_EXPERIMENTAL: 1 + run: | + shopt -s nullglob + for pkg in .cr-release-packages/*; do + if [ -z "${pkg:-}" ]; then + break + fi + helm push "${pkg}" oci://ghcr.io/pulumi/helm-charts |& tee .digest + cosign sign -y $(cat .digest | awk -F "[, ]+" '/Pushed/{print $NF}') + done diff --git a/CHANGELOG.md b/CHANGELOG.md index 672f2f70..f59ec23d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ CHANGELOG ## HEAD (unreleased) - Use digest field for Flux source artifact if present [#459](https://github.com/pulumi/pulumi-kubernetes-operator/pull/459) +- Add Helm chart support for installing the Pulumi Operator. [#379](https://github.com/pulumi/pulumi-kubernetes-operator/pull/379) ## 1.12.1 (2023-05-19) - Update to [Pulumi SDK v3.68.0](https://github.com/pulumi/pulumi/releases/tag/v3.68.0) and the base diff --git a/deploy/helm/pulumi-operator/.helmignore b/deploy/helm/pulumi-operator/.helmignore new file mode 100755 index 00000000..0e8a0eb3 --- /dev/null +++ b/deploy/helm/pulumi-operator/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/helm/pulumi-operator/Chart.yaml b/deploy/helm/pulumi-operator/Chart.yaml new file mode 100755 index 00000000..02339051 --- /dev/null +++ b/deploy/helm/pulumi-operator/Chart.yaml @@ -0,0 +1,38 @@ +apiVersion: v2 +name: pulumi-kubernetes-operator +description: A Helm chart for the Pulumi Kubernetes Operator +home: https://pulumi.com +sources: + - https://github.com/pulumi/pulumi-kubernetes-operator + +icon: https://www.pulumi.com/logos/brand/twitter-card.png + +type: application + +version: 0.1.0 +appVersion: "1.10.1" + +keywords: + - pulumi + - kubernetes + - operator + +maintainers: + - name: dirien + email: engin@pulumi.com + url: https://pulumi.com + +annotations: + artifacthub.io/containsSecurityUpdates: "false" + artifacthub.io/changes: | + - initial release + artifacthub.io/images: | + - name: pulumi-kubernetes-operator + image: docker.io/pulumi-kubernetes-operator:v1.10.1 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: website + url: https://pulumi.com + artifacthub.io/maintainers: | + - name: dirien + email: engin@pulumi.com diff --git a/deploy/helm/pulumi-operator/README.md b/deploy/helm/pulumi-operator/README.md new file mode 100644 index 00000000..4fcf3c05 --- /dev/null +++ b/deploy/helm/pulumi-operator/README.md @@ -0,0 +1,125 @@ +# node-red βš™ + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=for-the-badge) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=for-the-badge) ![AppVersion: 1.10.1](https://img.shields.io/badge/AppVersion-1.10.1-informational?style=for-the-badge) + +## Description πŸ“œ + +A Helm chart for the Pulumi Kubernetes Operator + +## Usage (via OCI Registry) + +To install the chart using the OCI artifact, run: + +```bash +helm install pulumi-kubernetes-operator oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator --version 0.1.0 +``` + +## Usage +Adding `pulumi-kubernetes-operator` repository +Before installing any chart provided by this repository, add the `pulumi-kubernetes-operator` Charts Repository: + +```bash +helm repo add pulumi-kubernetes-operator https://pulumi.github.io/pulumi-kubernetes-operator/ +helm repo update +``` + +### Installing the Chart πŸ“¦ +To install the chart with the release name `pulumi-kubernetes-operator` run: + +```bash +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --version 0.1.0 +``` + +After a few seconds, the `pulumi-kubernetes-operator` should be running. + +To install the chart in a specific namespace use following commands: + +```bash +kubectl create ns pulumi-kubernetes-operator +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --namespace pulumi-kubernetes-operator +``` + +> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment + +### Uninstalling the Chart πŸ—‘οΈ + +To uninstall the `pulumi-kubernetes-operator` deployment: + +```bash +helm uninstall pulumi-kubernetes-operator +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | The affinity constraint | +| controller.args | list | `["--zap-level=error","--zap-time-encoding=iso8601"]` | List of arguments to pass to the operator | +| controller.gracefulShutdownTimeoutDuration | string | `"5m"` | Graceful shutdown timeout duration, default: `5m` | +| controller.kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes Cluster Domain, default: `cluster.local` | +| controller.maxConcurrentReconciles | string | `"10"` | Max concurrent reconciles, default: `10` | +| controller.pulumiInferNamespace | string | `"1"` | Pulumi infer namespace, default: `1` | +| deploymentAnnotations | object | `{}` | Deployment annotations | +| deploymentStrategy | string | `""` | Specifies the strategy used to replace old Pods by new ones, default: `RollingUpdate` | +| extraEnv | list | `[]` | Extra Environments to be passed to the operator | +| extraSidecars | list | `[]` | You can configure extra sidecars containers to run alongside the pulumi-kubernetes-operator pod. default: [] | +| extraVolumeMounts | string | `nil` | Extra Volume Mounts for the pulumi-kubernetes-operator pod | +| extraVolumes | string | `nil` | Extra Volumes for the pod | +| fullnameOverride | string | `""` | String to fully override "pulumi-kubernetes-operator.fullname" | +| image.pullPolicy | string | `"IfNotPresent"` | The image pull policy | +| image.registry | string | `"docker.io"` | The image registry to pull from | +| image.repository | string | `"pulumi/pulumi-kubernetes-operator"` | The image repository to pull from | +| image.tag | string | `""` | The image tag to pull, default: `Chart.appVersion` | +| imagePullSecrets | string | `""` | The image pull secrets | +| initContainers | list | `[]` | containers which are run before the app containers are started | +| nameOverride | string | `""` | Provide a name in place of pulumi-kubernetes-operator | +| nodeSelector | object | `{}` | Node selector | +| podAnnotations | object | `{}` | Pod annotations | +| podLabels | object | `{}` | Labels to add to the pulumi-kubernetes-operator pod. default: {} | +| podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Pod Security Context see [values.yaml](values.yaml) | +| podSecurityContext.fsGroup | int | `1000` | pulumi-kubernetes-operator group is 1000 | +| podSecurityContext.runAsUser | int | `1000` | pulumi-kubernetes-operator user is 1000 | +| replicaCount | int | `1` | Specifies the replica count for the deployment | +| resources | object | `{"limits":{"cpu":"500m","memory":"5123Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | CPU/Memory resource requests/limits | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsGroup":10003,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context see [values.yaml](values.yaml) | +| serviceAccount.annotations | object | `{}` | Additional ServiceAccount annotations | +| serviceAccount.create | bool | `true` | Create service account | +| serviceAccount.name | string | `""` | Service account name to use, when empty will be set to created account if | +| serviceMonitor.enabled | bool | `false` | When set true then use a ServiceMonitor to configure scraping | +| tolerations | list | `[]` | Toleration labels for pod assignment | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --set image.tag=latest +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Contributing 🀝 + +### Contributing via GitHub + +Feel free to join. Checkout the [contributing guide](CONTRIBUTING.md) + +## License βš–οΈ + +Apache License, Version 2.0 + +## Source Code + +* + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| dirien | | | diff --git a/deploy/helm/pulumi-operator/README.md.gotmpl b/deploy/helm/pulumi-operator/README.md.gotmpl new file mode 100644 index 00000000..30dd522c --- /dev/null +++ b/deploy/helm/pulumi-operator/README.md.gotmpl @@ -0,0 +1,82 @@ +# node-red βš™ + +{{ template "chart.badgesSection" . }} + +## Description πŸ“œ + +{{ template "chart.description" . }} + +## Usage (via OCI Registry) + +To install the chart using the OCI artifact, run: + +```bash +helm install pulumi-kubernetes-operator oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator --version {{ .Version }} +``` + +## Usage +Adding `pulumi-kubernetes-operator` repository +Before installing any chart provided by this repository, add the `pulumi-kubernetes-operator` Charts Repository: + +```bash +helm repo add pulumi-kubernetes-operator https://pulumi.github.io/pulumi-kubernetes-operator/ +helm repo update +``` + +### Installing the Chart πŸ“¦ +To install the chart with the release name `pulumi-kubernetes-operator` run: + +```bash +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --version {{ .Version }} +``` + +After a few seconds, the `pulumi-kubernetes-operator` should be running. + +To install the chart in a specific namespace use following commands: + +```bash +kubectl create ns pulumi-kubernetes-operator +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --namespace pulumi-kubernetes-operator +``` + +> **Tip**: List all releases using `helm list`, a release is a name used to track a specific deployment + +### Uninstalling the Chart πŸ—‘οΈ + +To uninstall the `pulumi-kubernetes-operator` deployment: + +```bash +helm uninstall pulumi-kubernetes-operator +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +{{ template "chart.valuesSection" . }} + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator --set image.tag=latest +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +helm install pulumi-kubernetes-operator pulumi-kubernetes-operator/pulumi-kubernetes-operator -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Contributing 🀝 + +### Contributing via GitHub + +Feel free to join. Checkout the [contributing guide](CONTRIBUTING.md) + +## License βš–οΈ + +Apache License, Version 2.0 + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.maintainersSection" . }} diff --git a/deploy/helm/pulumi-operator/crds/program-crd.yaml b/deploy/helm/pulumi-operator/crds/program-crd.yaml new file mode 100644 index 00000000..2c05e44c --- /dev/null +++ b/deploy/helm/pulumi-operator/crds/program-crd.yaml @@ -0,0 +1,186 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: programs.pulumi.com + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 +spec: + group: pulumi.com + names: + kind: Program + listKind: ProgramList + plural: programs + singular: program + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Program is the schema for the inline YAML program API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + program: + properties: + configuration: + additionalProperties: + properties: + default: + description: default is a value of the appropriate type for the + template to use if no value is specified. + x-kubernetes-preserve-unknown-fields: true + type: + description: type is the (required) data type for the parameter. + enum: + - String + - Number + - List + - List + type: string + type: object + description: configuration specifies the Pulumi config inputs to the + deployment. Either type or default is required. + type: object + outputs: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: outputs specifies the Pulumi stack outputs of the program + and how they are computed from the resources. + type: object + resources: + additionalProperties: + properties: + get: + description: A getter function for the resource. Supplying get + is mutually exclusive to properties. + properties: + id: + description: The ID of the resource to import. + minLength: 1 + type: string + state: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: state contains the known properties (input & + output) of the resource. This assists the provider in figuring + out the correct resource. + type: object + required: + - id + type: object + options: + description: options contains all resource options supported by + Pulumi. + properties: + additionalSecretOutputs: + description: additionalSecretOutputs specifies properties + that must be encrypted as secrets. + items: + type: string + type: array + aliases: + description: aliases specifies names that this resource used + to have, so that renaming or refactoring doesn’t replace + it. + items: + type: string + type: array + customTimeouts: + description: customTimeouts overrides the default retry/timeout + behavior for resource provisioning. + properties: + create: + description: create is the custom timeout for create operations. + type: string + delete: + description: delete is the custom timeout for delete operations. + type: string + update: + description: update is the custom timeout for update operations. + type: string + type: object + deleteBeforeReplace: + description: deleteBeforeReplace overrides the default create-before-delete + behavior when replacing. + type: boolean + dependsOn: + description: dependsOn adds explicit dependencies in addition + to the ones in the dependency graph. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + ignoreChanges: + description: ignoreChanges declares that changes to certain + properties should be ignored when diffing. + items: + type: string + type: array + import: + description: import adopts an existing resource from your + cloud account under the control of Pulumi. + type: string + parent: + description: parent resource option specifies a parent for + a resource. It is used to associate children with the parents + that encapsulate or are responsible for them. + x-kubernetes-preserve-unknown-fields: true + protect: + description: protect prevents accidental deletion of a resource. + type: boolean + provider: + description: provider resource option sets a provider for + the resource. + x-kubernetes-preserve-unknown-fields: true + providers: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: providers resource option sets a map of providers + for the resource and its children. + type: object + version: + description: version specifies a provider plugin version that + should be used when operating on a resource. + type: string + type: object + properties: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: properties contains the primary resource-specific + keys and values to initialize the resource state. + type: object + type: + description: type is the Pulumi type token for this resource. + minLength: 1 + type: string + required: + - type + type: object + description: resources declares the Pulumi resources that will be deployed + and managed by the program. + type: object + variables: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: variables specifies intermediate values of the program; + the values of variables are expressions that can be re-used. + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/helm/pulumi-operator/crds/stack-crd.yaml b/deploy/helm/pulumi-operator/crds/stack-crd.yaml new file mode 100644 index 00000000..0519110a --- /dev/null +++ b/deploy/helm/pulumi-operator/crds/stack-crd.yaml @@ -0,0 +1,1465 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: stacks.pulumi.com + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 +spec: + group: pulumi.com + names: + kind: Stack + listKind: StackList + plural: stacks + singular: stack + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.lastUpdate.state + name: State + type: string + name: v1 + schema: + openAPIV3Schema: + description: Stack is the Schema for the stacks API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: StackSpec defines the desired state of Pulumi Stack being managed + by this operator. + properties: + accessTokenSecret: + description: '(optional) AccessTokenSecret is the name of a secret containing + the PULUMI_ACCESS_TOKEN for Pulumi access. Deprecated: use EnvRefs + with a "secret" entry with the key PULUMI_ACCESS_TOKEN instead.' + type: string + backend: + description: '(optional) Backend is an optional backend URL to use for + all Pulumi operations.
Examples:
- Pulumi Service: "https://app.pulumi.com" + (default)
- Self-managed Pulumi Service: "https://pulumi.acmecorp.com" +
- Local: "file://./einstein"
- AWS: "s3://" +
- Azure: "azblob://" +
- GCP: "gs://" +
See: https://www.pulumi.com/docs/intro/concepts/state/' + type: string + branch: + description: (optional) Branch is the branch name to deploy, either + the simple or fully qualified ref name, e.g. refs/heads/master. This + is mutually exclusive with the Commit setting. Either value needs + to be specified. When specified, the operator will periodically poll + to check if the branch has any new commits. The frequency of the polling + is configurable through ResyncFrequencySeconds, defaulting to every + 60 seconds. + type: string + commit: + description: (optional) Commit is the hash of the commit to deploy. + If used, HEAD will be in detached mode. This is mutually exclusive + with the Branch setting. Either value needs to be specified. + type: string + config: + additionalProperties: + type: string + description: (optional) Config is the configuration for this stack, + which can be optionally specified inline. If this is omitted, configuration + is assumed to be checked in and taken from the source repository. + type: object + continueResyncOnCommitMatch: + description: (optional) ContinueResyncOnCommitMatch - when true - informs + the operator to continue trying to update stacks even if the revision + of the source matches. This might be useful in environments where + Pulumi programs have dynamic elements for example, calls to internal + APIs where GitOps style commit tracking is not sufficient. Defaults + to false, i.e. when a particular revision is successfully run, the + operator will not attempt to rerun the program at that revision again. + type: boolean + destroyOnFinalize: + description: (optional) DestroyOnFinalize can be set to true to destroy + the stack completely upon deletion of the CRD. + type: boolean + envRefs: + additionalProperties: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, Kubernetes + secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on the operator + process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's file + system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless namespace + isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the type + of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + description: (optional) EnvRefs is an optional map containing environment + variables as keys and stores descriptors to where the variables' values + should be loaded from (one of literal, environment variable, file + on the filesystem, or Kubernetes secret) as values. + type: object + envSecrets: + description: '(optional) SecretEnvs is an optional array of secret names + containing environment variables to set. Deprecated: use EnvRefs instead.' + items: + type: string + type: array + envs: + description: '(optional) Envs is an optional array of config maps containing + environment variables to set. Deprecated: use EnvRefs instead.' + items: + type: string + type: array + expectNoRefreshChanges: + description: (optional) ExpectNoRefreshChanges can be set to true if + a stack is not expected to have changes during a refresh before the + update is run. This could occur, for example, is a resource's state + is changing outside of Pulumi (e.g., metadata, timestamps). + type: boolean + fluxSource: + description: FluxSource specifies how to fetch source code from a Flux + source object. + properties: + dir: + description: Dir gives the subdirectory containing the Pulumi project + (i.e., containing Pulumi.yaml) of interest, within the fetched + source. + type: string + sourceRef: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + type: object + required: + - sourceRef + type: object + gitAuth: + description: '(optional) GitAuth allows configuring git authentication + options There are 3 different authentication options: * SSH private + key (and its optional password) * Personal access token * Basic auth + username and password Only one authentication mode will be considered + if more than one option is specified, with ssh private key/password + preferred first, then personal access token, and finally basic auth + credentials.' + properties: + accessToken: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on the + operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's file + system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless namespace + isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the type + of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + basicAuth: + description: BasicAuth configures git authentication through basic + auth β€” i.e. username and password. Both UserName and Password + are required. + properties: + password: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + userName: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + required: + - password + - userName + type: object + sshAuth: + description: SSHAuth configures ssh-based auth for git authentication. + SSHPrivateKey is required but password is optional. + properties: + password: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + sshPrivateKey: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + required: + - sshPrivateKey + type: object + type: object + gitAuthSecret: + description: '(optional) GitAuthSecret is the the name of a secret containing + an authentication option for the git repository. There are 3 different + authentication options: * Personal access token * SSH private key + (and it''s optional password) * Basic auth username and password Only + one authentication mode will be considered if more than one option + is specified, with ssh private key/password preferred first, then + personal access token, and finally basic auth credentials. Deprecated. + Use GitAuth instead.' + type: string + programRef: + description: ProgramRef refers to a Program object, to be used as the + source for the stack. + properties: + name: + type: string + required: + - name + type: object + projectRepo: + description: ProjectRepo is the git source control repository from which + we fetch the project code and configuration. + type: string + refresh: + description: (optional) Refresh can be set to true to refresh the stack + before it is updated. + type: boolean + repoDir: + description: (optional) RepoDir is the directory to work from in the + project's source repository where Pulumi.yaml is located. It is used + in case Pulumi.yaml is not in the project source root. + type: string + resyncFrequencySeconds: + description: (optional) ResyncFrequencySeconds when set to a non-zero + value, triggers a resync of the stack at the specified frequency even + if no changes to the custom-resource are detected. If branch tracking + is enabled (branch is non-empty), commit polling will occur at this + frequency. The minimal resync frequency supported is 60 seconds. + format: int64 + type: integer + retryOnUpdateConflict: + description: (optional) RetryOnUpdateConflict issues a stack update + retry reconciliation loop in the event that the update hits a HTTP + 409 conflict due to another update in progress. This is only recommended + if you are sure that the stack updates are idempotent, and if you + are willing to accept retry loops until all spawned retries succeed. + This will also create a more populated, and randomized activity timeline + for the stack in the Pulumi Service. + type: boolean + secrets: + additionalProperties: + type: string + description: '(optional) Secrets is the secret configuration for this + stack, which can be optionally specified inline. If this is omitted, + secrets configuration is assumed to be checked in and taken from the + source repository. Deprecated: use SecretRefs instead.' + type: object + secretsProvider: + description: '(optional) SecretsProvider is used to initialize a Stack + with alternative encryption. Examples: - AWS: "awskms:///arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34bc-56ef-1234567890ab?region=us-east-1" + - Azure: "azurekeyvault://acmecorpvault.vault.azure.net/keys/mykeyname" + - GCP: "gcpkms://projects/MYPROJECT/locations/MYLOCATION/keyRings/MYKEYRING/cryptoKeys/MYKEY" + - See: https://www.pulumi.com/docs/intro/concepts/secrets/#initializing-a-stack-with-alternative-encryption' + type: string + secretsRef: + additionalProperties: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, Kubernetes + secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on the operator + process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's file + system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless namespace + isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the type + of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + description: (optional) SecretRefs is the secret configuration for this + stack which can be specified through ResourceRef. If this is omitted, + secrets configuration is assumed to be checked in and taken from the + source repository. + type: object + stack: + description: Stack is the fully qualified name of the stack to deploy + (/). + type: string + useLocalStackOnly: + description: (optional) UseLocalStackOnly can be set to true to prevent + the operator from creating stacks that do not exist in the tracking + git repo. The default behavior is to create a stack if it doesn't + exist. + type: boolean + required: + - stack + type: object + status: + description: StackStatus defines the observed state of Stack + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details + about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers of + specific condition types may define expected values and meanings + for this field, and whether the values are considered a guaranteed + API. The value should be a CamelCase string. This field may + not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastUpdate: + description: LastUpdate contains details of the status of the last update. + properties: + lastAttemptedCommit: + description: Last commit attempted + type: string + lastResyncTime: + description: LastResyncTime contains a timestamp for the last time + a resync of the stack took place. + format: date-time + type: string + lastSuccessfulCommit: + description: Last commit successfully applied + type: string + permalink: + description: Permalink is the Pulumi Console URL of the stack operation. + type: string + state: + description: State is the state of the stack update - one of `succeeded` + or `failed` + type: string + type: object + observedGeneration: + description: ObservedGeneration records the value of .meta.generation + at the point the controller last processed this object + format: int64 + type: integer + outputs: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Outputs contains the exported stack output variables resulting + from a deployment. + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'Stack is the Schema for the stacks API. Deprecated: Note Stacks + from pulumi.com/v1alpha1 is deprecated in favor of pulumi.com/v1. It is completely + backward compatible. Users are strongly encouraged to switch to pulumi.com/v1.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: StackSpec defines the desired state of Pulumi Stack being managed + by this operator. + properties: + accessTokenSecret: + description: '(optional) AccessTokenSecret is the name of a secret containing + the PULUMI_ACCESS_TOKEN for Pulumi access. Deprecated: use EnvRefs + with a "secret" entry with the key PULUMI_ACCESS_TOKEN instead.' + type: string + backend: + description: '(optional) Backend is an optional backend URL to use for + all Pulumi operations.
Examples:
- Pulumi Service: "https://app.pulumi.com" + (default)
- Self-managed Pulumi Service: "https://pulumi.acmecorp.com" +
- Local: "file://./einstein"
- AWS: "s3://" +
- Azure: "azblob://" +
- GCP: "gs://" +
See: https://www.pulumi.com/docs/intro/concepts/state/' + type: string + branch: + description: (optional) Branch is the branch name to deploy, either + the simple or fully qualified ref name, e.g. refs/heads/master. This + is mutually exclusive with the Commit setting. Either value needs + to be specified. When specified, the operator will periodically poll + to check if the branch has any new commits. The frequency of the polling + is configurable through ResyncFrequencySeconds, defaulting to every + 60 seconds. + type: string + commit: + description: (optional) Commit is the hash of the commit to deploy. + If used, HEAD will be in detached mode. This is mutually exclusive + with the Branch setting. Either value needs to be specified. + type: string + config: + additionalProperties: + type: string + description: (optional) Config is the configuration for this stack, + which can be optionally specified inline. If this is omitted, configuration + is assumed to be checked in and taken from the source repository. + type: object + continueResyncOnCommitMatch: + description: (optional) ContinueResyncOnCommitMatch - when true - informs + the operator to continue trying to update stacks even if the revision + of the source matches. This might be useful in environments where + Pulumi programs have dynamic elements for example, calls to internal + APIs where GitOps style commit tracking is not sufficient. Defaults + to false, i.e. when a particular revision is successfully run, the + operator will not attempt to rerun the program at that revision again. + type: boolean + destroyOnFinalize: + description: (optional) DestroyOnFinalize can be set to true to destroy + the stack completely upon deletion of the CRD. + type: boolean + envRefs: + additionalProperties: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, Kubernetes + secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on the operator + process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's file + system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless namespace + isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the type + of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + description: (optional) EnvRefs is an optional map containing environment + variables as keys and stores descriptors to where the variables' values + should be loaded from (one of literal, environment variable, file + on the filesystem, or Kubernetes secret) as values. + type: object + envSecrets: + description: '(optional) SecretEnvs is an optional array of secret names + containing environment variables to set. Deprecated: use EnvRefs instead.' + items: + type: string + type: array + envs: + description: '(optional) Envs is an optional array of config maps containing + environment variables to set. Deprecated: use EnvRefs instead.' + items: + type: string + type: array + expectNoRefreshChanges: + description: (optional) ExpectNoRefreshChanges can be set to true if + a stack is not expected to have changes during a refresh before the + update is run. This could occur, for example, is a resource's state + is changing outside of Pulumi (e.g., metadata, timestamps). + type: boolean + fluxSource: + description: FluxSource specifies how to fetch source code from a Flux + source object. + properties: + dir: + description: Dir gives the subdirectory containing the Pulumi project + (i.e., containing Pulumi.yaml) of interest, within the fetched + source. + type: string + sourceRef: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - apiVersion + - kind + - name + type: object + required: + - sourceRef + type: object + gitAuth: + description: '(optional) GitAuth allows configuring git authentication + options There are 3 different authentication options: * SSH private + key (and its optional password) * Personal access token * Basic auth + username and password Only one authentication mode will be considered + if more than one option is specified, with ssh private key/password + preferred first, then personal access token, and finally basic auth + credentials.' + properties: + accessToken: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on the + operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's file + system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless namespace + isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the type + of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + basicAuth: + description: BasicAuth configures git authentication through basic + auth β€” i.e. username and password. Both UserName and Password + are required. + properties: + password: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + userName: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + required: + - password + - userName + type: object + sshAuth: + description: SSHAuth configures ssh-based auth for git authentication. + SSHPrivateKey is required but password is optional. + properties: + password: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + sshPrivateKey: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, + Kubernetes secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on + the operator process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's + file system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless + namespace isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the + type of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + required: + - sshPrivateKey + type: object + type: object + gitAuthSecret: + description: '(optional) GitAuthSecret is the the name of a secret containing + an authentication option for the git repository. There are 3 different + authentication options: * Personal access token * SSH private key + (and it''s optional password) * Basic auth username and password Only + one authentication mode will be considered if more than one option + is specified, with ssh private key/password preferred first, then + personal access token, and finally basic auth credentials. Deprecated. + Use GitAuth instead.' + type: string + programRef: + description: ProgramRef refers to a Program object, to be used as the + source for the stack. + properties: + name: + type: string + required: + - name + type: object + projectRepo: + description: ProjectRepo is the git source control repository from which + we fetch the project code and configuration. + type: string + refresh: + description: (optional) Refresh can be set to true to refresh the stack + before it is updated. + type: boolean + repoDir: + description: (optional) RepoDir is the directory to work from in the + project's source repository where Pulumi.yaml is located. It is used + in case Pulumi.yaml is not in the project source root. + type: string + resyncFrequencySeconds: + description: (optional) ResyncFrequencySeconds when set to a non-zero + value, triggers a resync of the stack at the specified frequency even + if no changes to the custom-resource are detected. If branch tracking + is enabled (branch is non-empty), commit polling will occur at this + frequency. The minimal resync frequency supported is 60 seconds. + format: int64 + type: integer + retryOnUpdateConflict: + description: (optional) RetryOnUpdateConflict issues a stack update + retry reconciliation loop in the event that the update hits a HTTP + 409 conflict due to another update in progress. This is only recommended + if you are sure that the stack updates are idempotent, and if you + are willing to accept retry loops until all spawned retries succeed. + This will also create a more populated, and randomized activity timeline + for the stack in the Pulumi Service. + type: boolean + secrets: + additionalProperties: + type: string + description: '(optional) Secrets is the secret configuration for this + stack, which can be optionally specified inline. If this is omitted, + secrets configuration is assumed to be checked in and taken from the + source repository. Deprecated: use SecretRefs instead.' + type: object + secretsProvider: + description: '(optional) SecretsProvider is used to initialize a Stack + with alternative encryption. Examples: - AWS: "awskms:///arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34bc-56ef-1234567890ab?region=us-east-1" + - Azure: "azurekeyvault://acmecorpvault.vault.azure.net/keys/mykeyname" + - GCP: "gcpkms://projects/MYPROJECT/locations/MYLOCATION/keyRings/MYKEYRING/cryptoKeys/MYKEY" + - See: https://www.pulumi.com/docs/intro/concepts/secrets/#initializing-a-stack-with-alternative-encryption' + type: string + secretsRef: + additionalProperties: + description: ResourceRef identifies a resource from which information + can be loaded. Environment variables, files on the filesystem, Kubernetes + secrets and literal strings are currently supported. + properties: + env: + description: Env selects an environment variable set on the operator + process + properties: + name: + description: Name of the environment variable + type: string + required: + - name + type: object + filesystem: + description: FileSystem selects a file on the operator's file + system + properties: + path: + description: Path on the filesystem to use to load information + from. + type: string + required: + - path + type: object + literal: + description: LiteralRef refers to a literal value + properties: + value: + description: Value to load + type: string + required: + - value + type: object + secret: + description: SecretRef refers to a Kubernetes secret + properties: + key: + description: Key within the secret to use. + type: string + name: + description: Name of the secret + type: string + namespace: + description: Namespace where the secret is stored. Deprecated; + non-empty values will be considered invalid unless namespace + isolation is disabled in the controller. + type: string + required: + - key + - name + type: object + type: + description: 'SelectorType is required and signifies the type + of selector. Must be one of: Env, FS, Secret, Literal' + type: string + required: + - type + type: object + description: (optional) SecretRefs is the secret configuration for this + stack which can be specified through ResourceRef. If this is omitted, + secrets configuration is assumed to be checked in and taken from the + source repository. + type: object + stack: + description: Stack is the fully qualified name of the stack to deploy + (/). + type: string + useLocalStackOnly: + description: (optional) UseLocalStackOnly can be set to true to prevent + the operator from creating stacks that do not exist in the tracking + git repo. The default behavior is to create a stack if it doesn't + exist. + type: boolean + required: + - stack + type: object + status: + description: StackStatus defines the observed state of Stack + properties: + lastUpdate: + description: LastUpdate contains details of the status of the last update. + properties: + lastAttemptedCommit: + description: Last commit attempted + type: string + lastResyncTime: + description: LastResyncTime contains a timestamp for the last time + a resync of the stack took place. + format: date-time + type: string + lastSuccessfulCommit: + description: Last commit successfully applied + type: string + permalink: + description: Permalink is the Pulumi Console URL of the stack operation. + type: string + state: + description: State is the state of the stack update - one of `succeeded` + or `failed` + type: string + type: object + outputs: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: Outputs contains the exported stack output variables resulting + from a deployment. + type: object + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/deploy/helm/pulumi-operator/templates/_helpers.tpl b/deploy/helm/pulumi-operator/templates/_helpers.tpl new file mode 100755 index 00000000..95312fe5 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "pulumi-kubernetes-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "pulumi-kubernetes-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "pulumi-kubernetes-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "pulumi-kubernetes-operator.labels" -}} +helm.sh/chart: {{ include "pulumi-kubernetes-operator.chart" . }} +{{ include "pulumi-kubernetes-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "pulumi-kubernetes-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "pulumi-kubernetes-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "pulumi-kubernetes-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "pulumi-kubernetes-operator.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/deploy/helm/pulumi-operator/templates/deployment.yaml b/deploy/helm/pulumi-operator/templates/deployment.yaml new file mode 100644 index 00000000..f452c973 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/deployment.yaml @@ -0,0 +1,113 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + {{- with .Values.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "pulumi-kubernetes-operator.fullname" . }} + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.deploymentStrategy }} + selector: + matchLabels: + {{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 6 }} + app: {{ template "pulumi-kubernetes-operator.name" . }} + release: {{ .Release.Name }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app: {{ template "pulumi-kubernetes-operator.name" . }} + release: {{ .Release.Name }} + {{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 8 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + spec: + containers: + {{- if .Values.extraSidecars }} + {{- toYaml .Values.extraSidecars | nindent 8 }} + {{- end}} + - args: + {{- with .Values.controller.args }} + {{- toYaml . | nindent 10 }} + {{- end }} + env: + {{- if .Values.extraEnv }} + {{- toYaml .Values.extraEnv | nindent 10 }} + {{- end }} + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: {{ include "pulumi-kubernetes-operator.name" . }} + - name: GRACEFUL_SHUTDOWN_TIMEOUT_DURATION + value: {{ .Values.controller.gracefulShutdownTimeoutDuration }} + - name: MAX_CONCURRENT_RECONCILES + value: {{ .Values.controller.maxConcurrentReconciles | quote }} + - name: PULUMI_INFER_NAMESPACE + value: {{ .Values.controller.pulumiInferNamespace | quote }} + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ .Values.controller.kubernetesClusterDomain }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:v{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ .Chart.Name }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + - mountPath: /tmp + name: tmp-dir + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }} + {{- if .Values.podSecurityContext }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + {{- if .Values.initContainers }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + initContainers: + {{- with .Values.initContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} + volumes: + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + - emptyDir: {} + name: tmp-dir diff --git a/deploy/helm/pulumi-operator/templates/role.yaml b/deploy/helm/pulumi-operator/templates/role.yaml new file mode 100644 index 00000000..8038fcb5 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/role.yaml @@ -0,0 +1,90 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "pulumi-kubernetes-operator.fullname" . }} + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - apps + resourceNames: + - pulumi-kubernetes-operator + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get +- apiGroups: + - pulumi.com + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update diff --git a/deploy/helm/pulumi-operator/templates/rolebinding.yaml b/deploy/helm/pulumi-operator/templates/rolebinding.yaml new file mode 100644 index 00000000..71f584ed --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/rolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "pulumi-kubernetes-operator.fullname" . }} + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "pulumi-kubernetes-operator.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }} + namespace: '{{ .Release.Namespace }}' diff --git a/deploy/helm/pulumi-operator/templates/sa.yaml b/deploy/helm/pulumi-operator/templates/sa.yaml new file mode 100644 index 00000000..8b585e9a --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/sa.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "pulumi-kubernetes-operator.fullname" . }} + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deploy/helm/pulumi-operator/templates/service.yaml b/deploy/helm/pulumi-operator/templates/service.yaml new file mode 100644 index 00000000..06c92e08 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/service.yaml @@ -0,0 +1,24 @@ +{{- if $.Values.serviceMonitor.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ print (include "pulumi-kubernetes-operator.fullname" .) "-metrics" }} + labels: + app: {{ template "pulumi-kubernetes-operator.name" . }} + annotations: +{{ toYaml .Values.serviceMonitor.service.annotations | indent 4 }} +spec: + type: {{ .Values.serviceMonitor.service.type }} + ports: + - port: 8383 + targetPort: metrics + protocol: TCP + name: http-metrics + - port: 8686 + targetPort: http + protocol: TCP + name: cr-metrics + selector: + app: {{ template "pulumi-kubernetes-operator.name" . }} + release: {{ .Release.Name }} + {{- end }} diff --git a/deploy/helm/pulumi-operator/templates/servicemonitor.yaml b/deploy/helm/pulumi-operator/templates/servicemonitor.yaml new file mode 100644 index 00000000..6d8b9858 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/servicemonitor.yaml @@ -0,0 +1,45 @@ +{{- if $.Values.serviceMonitor.enabled }} +{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ( .Values.serviceMonitor.enabled ) }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: +{{- if .Values.serviceMonitor.labels }} + labels: +{{ toYaml .Values.serviceMonitor.labels | indent 4}} +{{- end }} + name: {{ template "pulumi-kubernetes-operator.fullname" . }} +{{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} +{{- end }} +spec: + endpoints: + - targetPort: 8383 +{{- if .Values.serviceMonitor.interval }} + interval: {{ .Values.serviceMonitor.interval }} +{{- end }} +{{- if .Values.serviceMonitor.telemetryPath }} + path: {{ .Values.serviceMonitor.telemetryPath }} +{{- end }} +{{- if .Values.serviceMonitor.timeout }} + scrapeTimeout: {{ .Values.serviceMonitor.timeout }} +{{- end }} +{{- if .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ toYaml .Values.serviceMonitor.metricRelabelings | indent 4 }} +{{- end }} + jobLabel: {{ template "pulumi-kubernetes-operator.fullname" . }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app: {{ template "pulumi-kubernetes-operator.name" . }} + release: {{ .Release.Name }} +{{- if .Values.serviceMonitor.targetLabels }} + targetLabels: +{{- range .Values.serviceMonitor.targetLabels }} + - {{ . }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/deploy/helm/pulumi-operator/values.yaml b/deploy/helm/pulumi-operator/values.yaml new file mode 100644 index 00000000..fec4cee8 --- /dev/null +++ b/deploy/helm/pulumi-operator/values.yaml @@ -0,0 +1,145 @@ +# -- Specifies the strategy used to replace old Pods by new ones, default: `RollingUpdate` +deploymentStrategy: "" + +# -- Specifies the replica count for the deployment +replicaCount: 1 + +image: + # -- The image registry to pull from + registry: docker.io + # -- The image repository to pull from + repository: pulumi/pulumi-kubernetes-operator + # -- The image pull policy + pullPolicy: IfNotPresent + # -- The image tag to pull, default: `Chart.appVersion` + tag: "" + +controller: + # -- Graceful shutdown timeout duration, default: `5m` + gracefulShutdownTimeoutDuration: 5m + # -- Max concurrent reconciles, default: `10` + maxConcurrentReconciles: "10" + # -- Pulumi infer namespace, default: `1` + pulumiInferNamespace: "1" + # -- Kubernetes Cluster Domain, default: `cluster.local` + kubernetesClusterDomain: cluster.local + + # -- List of arguments to pass to the operator + args: + - --zap-level=error + - --zap-time-encoding=iso8601 + +# -- Extra Environments to be passed to the operator +extraEnv: [] + +# -- The image pull secrets +imagePullSecrets: "" + +# -- Provide a name in place of pulumi-kubernetes-operator +nameOverride: "" +# -- String to fully override "pulumi-kubernetes-operator.fullname" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + # -- Create service account + create: true + # Annotations to add to the service account + # -- Additional ServiceAccount annotations + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # -- Service account name to use, when empty will be set to created account if + name: "" + +# -- Pod annotations +podAnnotations: {} + +# -- Deployment annotations +deploymentAnnotations: {} + +# -- Pod Security Context see [values.yaml](values.yaml) +podSecurityContext: + # -- pulumi-kubernetes-operator group is 1000 + fsGroup: 1000 + # -- pulumi-kubernetes-operator user is 1000 + runAsUser: 1000 + +# -- Security Context see [values.yaml](values.yaml) +securityContext: + privileged: false + runAsNonRoot: true + allowPrivilegeEscalation: false + # readOnlyRootFilesystem: true + runAsGroup: 10003 + # runAsUser: 10003 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + +# -- containers which are run before the app containers are started +initContainers: [] + +# -- CPU/Memory resource requests/limits +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 500m + memory: 5123Mi + requests: + cpu: 100m + memory: 128Mi + +# -- Node selector +nodeSelector: {} + +# -- Toleration labels for pod assignment +tolerations: [] + +# -- The affinity constraint +affinity: {} + +# -- Extra Volumes for the pod +extraVolumes: +# - name: pv-claim +# persistentVolumeClaim: +# claimName: task-pv-volume +# - name: example +# configMap: +# name: example + +# -- Extra Volume Mounts for the pulumi-kubernetes-operator pod +extraVolumeMounts: +# - name: test +# mountPath: /test + +# -- Labels to add to the pulumi-kubernetes-operator pod. default: {} +podLabels: {} + +# -- You can configure extra sidecars containers to run alongside the pulumi-kubernetes-operator pod. default: [] +extraSidecars: [] +# - name: sidecar-example +# image: busybox +# command: ["/bin/sh", "-c", "echo hello from sidecar"] + +serviceMonitor: + # -- When set true then use a ServiceMonitor to configure scraping + enabled: false + # Set the namespace the ServiceMonitor should be deployed + # namespace: monitoring + # Set how frequently Prometheus should scrape + # interval: 30s + # Set path to minecraft-exporter telemtery-path + # telemetryPath: /metrics + # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator + # labels: + # Set timeout for scrape + # timeout: 10s + # Set of labels to transfer on the Kubernetes Service onto the target. + # targetLabels: [] + # metricRelabelings: []