diff --git a/charts/deckhouse_lib_helm-1.31.0.tgz b/charts/deckhouse_lib_helm-1.31.0.tgz
new file mode 100644
index 0000000..669d8b0
Binary files /dev/null and b/charts/deckhouse_lib_helm-1.31.0.tgz differ
diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml
deleted file mode 100644
index 4e10745..0000000
--- a/charts/helm_lib/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-type: library
-name: deckhouse_lib_helm
-version: 1.31.0
-description: "Helm utils template definitions for Deckhouse modules."
diff --git a/charts/helm_lib/LICENSE b/charts/helm_lib/LICENSE
deleted file mode 100644
index 13fe0e3..0000000
--- a/charts/helm_lib/LICENSE
+++ /dev/null
@@ -1,201 +0,0 @@
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright The Events Exporter authors
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md
deleted file mode 100644
index b9e7f66..0000000
--- a/charts/helm_lib/README.md
+++ /dev/null
@@ -1,1167 +0,0 @@
-# Helm library for Deckhouse modules
-
-## Table of contents
-
-| Table of contents |
-|---|
-| **Api Version And Kind** |
-| [helm_lib_kind_exists](#helm_lib_kind_exists) |
-| [helm_lib_get_api_version_by_kind](#helm_lib_get_api_version_by_kind) |
-| **Enable Ds Eviction** |
-| [helm_lib_prevent_ds_eviction_annotation](#helm_lib_prevent_ds_eviction_annotation) |
-| **Envs For Proxy** |
-| [helm_lib_envs_for_proxy](#helm_lib_envs_for_proxy) |
-| **High Availability** |
-| [helm_lib_is_ha_to_value](#helm_lib_is_ha_to_value) |
-| [helm_lib_ha_enabled](#helm_lib_ha_enabled) |
-| **Kube Rbac Proxy** |
-| [helm_lib_kube_rbac_proxy_ca_certificate](#helm_lib_kube_rbac_proxy_ca_certificate) |
-| **Module Documentation Uri** |
-| [helm_lib_module_documentation_uri](#helm_lib_module_documentation_uri) |
-| **Module Ephemeral Storage** |
-| [helm_lib_module_ephemeral_storage_logs_with_extra](#helm_lib_module_ephemeral_storage_logs_with_extra) |
-| [helm_lib_module_ephemeral_storage_only_logs](#helm_lib_module_ephemeral_storage_only_logs) |
-| **Module Generate Common Name** |
-| [helm_lib_module_generate_common_name](#helm_lib_module_generate_common_name) |
-| **Module Https** |
-| [helm_lib_module_uri_scheme](#helm_lib_module_uri_scheme) |
-| [helm_lib_module_https_mode](#helm_lib_module_https_mode) |
-| [helm_lib_module_https_cert_manager_cluster_issuer_name](#helm_lib_module_https_cert_manager_cluster_issuer_name) |
-| [helm_lib_module_https_ingress_tls_enabled](#helm_lib_module_https_ingress_tls_enabled) |
-| [helm_lib_module_https_copy_custom_certificate](#helm_lib_module_https_copy_custom_certificate) |
-| [helm_lib_module_https_secret_name](#helm_lib_module_https_secret_name) |
-| **Module Image** |
-| [helm_lib_module_image](#helm_lib_module_image) |
-| [helm_lib_module_image_no_fail](#helm_lib_module_image_no_fail) |
-| [helm_lib_module_common_image](#helm_lib_module_common_image) |
-| [helm_lib_module_common_image_no_fail](#helm_lib_module_common_image_no_fail) |
-| **Module Ingress Class** |
-| [helm_lib_module_ingress_class](#helm_lib_module_ingress_class) |
-| **Module Init Container** |
-| [helm_lib_module_init_container_chown_nobody_volume](#helm_lib_module_init_container_chown_nobody_volume) |
-| [helm_lib_module_init_container_chown_deckhouse_volume](#helm_lib_module_init_container_chown_deckhouse_volume) |
-| [helm_lib_module_init_container_check_linux_kernel](#helm_lib_module_init_container_check_linux_kernel) |
-| **Module Labels** |
-| [helm_lib_module_labels](#helm_lib_module_labels) |
-| **Module Public Domain** |
-| [helm_lib_module_public_domain](#helm_lib_module_public_domain) |
-| **Module Security Context** |
-| [helm_lib_module_pod_security_context_run_as_user_custom](#helm_lib_module_pod_security_context_run_as_user_custom) |
-| [helm_lib_module_pod_security_context_run_as_user_nobody](#helm_lib_module_pod_security_context_run_as_user_nobody) |
-| [helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs](#helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs) |
-| [helm_lib_module_pod_security_context_run_as_user_deckhouse](#helm_lib_module_pod_security_context_run_as_user_deckhouse) |
-| [helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs](#helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs) |
-| [helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted](#helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted) |
-| [helm_lib_module_pod_security_context_run_as_user_root](#helm_lib_module_pod_security_context_run_as_user_root) |
-| [helm_lib_module_pod_security_context_runtime_default](#helm_lib_module_pod_security_context_runtime_default) |
-| [helm_lib_module_container_security_context_not_allow_privilege_escalation](#helm_lib_module_container_security_context_not_allow_privilege_escalation) |
-| [helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux](#helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux) |
-| [helm_lib_module_container_security_context_read_only_root_filesystem](#helm_lib_module_container_security_context_read_only_root_filesystem) |
-| [helm_lib_module_container_security_context_privileged](#helm_lib_module_container_security_context_privileged) |
-| [helm_lib_module_container_security_context_escalated_sys_admin_privileged](#helm_lib_module_container_security_context_escalated_sys_admin_privileged) |
-| [helm_lib_module_container_security_context_privileged_read_only_root_filesystem](#helm_lib_module_container_security_context_privileged_read_only_root_filesystem) |
-| [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all) |
-| [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add) |
-| [helm_lib_module_container_security_context_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_capabilities_drop_all_and_add) |
-| [helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom](#helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom) |
-| **Module Storage Class** |
-| [helm_lib_module_storage_class_annotations](#helm_lib_module_storage_class_annotations) |
-| **Monitoring Grafana Dashboards** |
-| [helm_lib_grafana_dashboard_definitions_recursion](#helm_lib_grafana_dashboard_definitions_recursion) |
-| [helm_lib_grafana_dashboard_definitions](#helm_lib_grafana_dashboard_definitions) |
-| [helm_lib_single_dashboard](#helm_lib_single_dashboard) |
-| **Monitoring Prometheus Rules** |
-| [helm_lib_prometheus_rules_recursion](#helm_lib_prometheus_rules_recursion) |
-| [helm_lib_prometheus_rules](#helm_lib_prometheus_rules) |
-| [helm_lib_prometheus_target_scrape_timeout_seconds](#helm_lib_prometheus_target_scrape_timeout_seconds) |
-| **Node Affinity** |
-| [helm_lib_internal_check_node_selector_strategy](#helm_lib_internal_check_node_selector_strategy) |
-| [helm_lib_node_selector](#helm_lib_node_selector) |
-| [helm_lib_tolerations](#helm_lib_tolerations) |
-| [_helm_lib_cloud_or_hybrid_cluster](#_helm_lib_cloud_or_hybrid_cluster) |
-| [helm_lib_internal_check_tolerations_strategy](#helm_lib_internal_check_tolerations_strategy) |
-| [_helm_lib_any_node_tolerations](#_helm_lib_any_node_tolerations) |
-| [_helm_lib_wildcard_tolerations](#_helm_lib_wildcard_tolerations) |
-| [_helm_lib_monitoring_tolerations](#_helm_lib_monitoring_tolerations) |
-| [_helm_lib_frontend_tolerations](#_helm_lib_frontend_tolerations) |
-| [_helm_lib_system_tolerations](#_helm_lib_system_tolerations) |
-| [_helm_lib_additional_tolerations_uninitialized](#_helm_lib_additional_tolerations_uninitialized) |
-| [_helm_lib_additional_tolerations_node_problems](#_helm_lib_additional_tolerations_node_problems) |
-| [_helm_lib_additional_tolerations_storage_problems](#_helm_lib_additional_tolerations_storage_problems) |
-| [_helm_lib_additional_tolerations_no_csi](#_helm_lib_additional_tolerations_no_csi) |
-| [_helm_lib_additional_tolerations_cloud_provider_uninitialized](#_helm_lib_additional_tolerations_cloud_provider_uninitialized) |
-| **Pod Disruption Budget** |
-| [helm_lib_pdb_daemonset](#helm_lib_pdb_daemonset) |
-| **Priority Class** |
-| [helm_lib_priority_class](#helm_lib_priority_class) |
-| **Resources Management** |
-| [helm_lib_resources_management_pod_resources](#helm_lib_resources_management_pod_resources) |
-| [helm_lib_resources_management_original_pod_resources](#helm_lib_resources_management_original_pod_resources) |
-| [helm_lib_resources_management_vpa_spec](#helm_lib_resources_management_vpa_spec) |
-| [helm_lib_resources_management_cpu_units_to_millicores](#helm_lib_resources_management_cpu_units_to_millicores) |
-| [helm_lib_resources_management_memory_units_to_bytes](#helm_lib_resources_management_memory_units_to_bytes) |
-| [helm_lib_vpa_kube_rbac_proxy_resources](#helm_lib_vpa_kube_rbac_proxy_resources) |
-| [helm_lib_container_kube_rbac_proxy_resources](#helm_lib_container_kube_rbac_proxy_resources) |
-| **Spec For High Availability** |
-| [helm_lib_pod_anti_affinity_for_ha](#helm_lib_pod_anti_affinity_for_ha) |
-| [helm_lib_deployment_on_master_strategy_and_replicas_for_ha](#helm_lib_deployment_on_master_strategy_and_replicas_for_ha) |
-| [helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha](#helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha) |
-| [helm_lib_deployment_strategy_and_replicas_for_ha](#helm_lib_deployment_strategy_and_replicas_for_ha) |
-
-## Api Version And Kind
-
-### helm_lib_kind_exists
-
- returns true if the specified resource kind (case-insensitive) is represented in the cluster
-
-#### Usage
-
-`{{ include "helm_lib_kind_exists" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Kind name portion
-
-
-### helm_lib_get_api_version_by_kind
-
- returns current apiVersion string, based on available helm capabilities, for the provided kind (not all kinds are supported)
-
-#### Usage
-
-`{{ include "helm_lib_get_api_version_by_kind" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Kind name portion
-
-## Enable Ds Eviction
-
-### helm_lib_prevent_ds_eviction_annotation
-
- Adds `cluster-autoscaler.kubernetes.io/enable-ds-eviction` annotation to manage DaemonSet eviction by the Cluster Autoscaler.
- This is important to prevent the eviction of DaemonSet pods during cluster scaling.
-
-#### Usage
-
-`{{ include "helm_lib_prevent_ds_eviction_annotation" . }} `
-
-
-## Envs For Proxy
-
-### helm_lib_envs_for_proxy
-
- Add HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables for container
- depends on [proxy settings](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-proxy)
-
-#### Usage
-
-`{{ include "helm_lib_envs_for_proxy" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-## High Availability
-
-### helm_lib_is_ha_to_value
-
- returns value "yes" if cluster is highly available, else — returns "no"
-
-#### Usage
-
-`{{ include "helm_lib_is_ha_to_value" (list . yes no) }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Yes value
-- No value
-
-
-### helm_lib_ha_enabled
-
- returns empty value, which is treated by go template as false
-
-#### Usage
-
-`{{- if (include "helm_lib_ha_enabled" .) }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-## Kube Rbac Proxy
-
-### helm_lib_kube_rbac_proxy_ca_certificate
-
- Renders configmap with kube-rbac-proxy CA certificate which uses to verify the kube-rbac-proxy clients.
-
-#### Usage
-
-`{{ include "helm_lib_kube_rbac_proxy_ca_certificate" (list . "namespace") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Namespace where CA configmap will be created
-
-## Module Documentation Uri
-
-### helm_lib_module_documentation_uri
-
- returns rendered documentation uri using publicDomainTemplate or deckhouse.io domains
-
-#### Usage
-
-`{{ include "helm_lib_module_documentation_uri" (list . "") }} `
-
-
-## Module Ephemeral Storage
-
-### helm_lib_module_ephemeral_storage_logs_with_extra
-
- 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be added to passed value
- returns ephemeral-storage size for logs with extra space
-
-#### Usage
-
-`{{ include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 }} `
-
-#### Arguments
-
-- Extra space in mebibytes
-
-
-### helm_lib_module_ephemeral_storage_only_logs
-
- 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be requested
- returns ephemeral-storage size for only logs
-
-#### Usage
-
-`{{ include "helm_lib_module_ephemeral_storage_only_logs" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-## Module Generate Common Name
-
-### helm_lib_module_generate_common_name
-
- returns the commonName parameter for use in the Certificate custom resource(cert-manager)
-
-#### Usage
-
-`{{ include "helm_lib_module_generate_common_name" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Name portion
-
-## Module Https
-
-### helm_lib_module_uri_scheme
-
- return module uri scheme "http" or "https"
-
-#### Usage
-
-`{{ include "helm_lib_module_uri_scheme" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_https_mode
-
- returns https mode for module
-
-#### Usage
-
-`{{ if (include "helm_lib_module_https_mode" .) }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_https_cert_manager_cluster_issuer_name
-
- returns cluster issuer name
-
-#### Usage
-
-`{{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_https_ingress_tls_enabled
-
- returns not empty string if tls should enable for ingress
-
-#### Usage
-
-`{{ if (include "helm_lib_module_https_ingress_tls_enabled" .) }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_https_copy_custom_certificate
-
- Renders secret with [custom certificate](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-https-customcertificate)
- in passed namespace with passed prefix
-
-#### Usage
-
-`{{ include "helm_lib_module_https_copy_custom_certificate" (list . "namespace" "secret_name_prefix") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Namespace
-- Secret name prefix
-
-
-### helm_lib_module_https_secret_name
-
- returns custom certificate name
-
-#### Usage
-
-`{{ include "helm_lib_module_https_secret_name (list . "secret_name_prefix") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Secret name prefix
-
-## Module Image
-
-### helm_lib_module_image
-
- returns image name
-
-#### Usage
-
-`{{ include "helm_lib_module_image" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Container name
-
-
-### helm_lib_module_image_no_fail
-
- returns image name if found
-
-#### Usage
-
-`{{ include "helm_lib_module_image_no_fail" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Container name
-
-
-### helm_lib_module_common_image
-
- returns image name from common module
-
-#### Usage
-
-`{{ include "helm_lib_module_common_image" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Container name
-
-
-### helm_lib_module_common_image_no_fail
-
- returns image name from common module if found
-
-#### Usage
-
-`{{ include "helm_lib_module_common_image_no_fail" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Container name
-
-## Module Ingress Class
-
-### helm_lib_module_ingress_class
-
- returns ingress class from module settings or if not exists from global config
-
-#### Usage
-
-`{{ include "helm_lib_module_ingress_class" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-## Module Init Container
-
-### helm_lib_module_init_container_chown_nobody_volume
-
- ### Migration 11.12.2020: Remove this helper with all its usages after this commit reached RockSolid
- returns initContainer which chowns recursively all files and directories in passed volume
-
-#### Usage
-
-`{{ include "helm_lib_module_init_container_chown_nobody_volume" (list . "volume-name") }} `
-
-
-
-### helm_lib_module_init_container_chown_deckhouse_volume
-
- returns initContainer which chowns recursively all files and directories in passed volume
-
-#### Usage
-
-`{{ include "helm_lib_module_init_container_chown_deckhouse_volume" (list . "volume-name") }} `
-
-
-
-### helm_lib_module_init_container_check_linux_kernel
-
- returns initContainer which checks the kernel version on the node for compliance to semver constraint
-
-#### Usage
-
-`{{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Semver constraint
-
-## Module Labels
-
-### helm_lib_module_labels
-
- returns deckhouse labels
-
-#### Usage
-
-`{{ include "helm_lib_module_labels" (list . (dict "app" "test" "component" "testing")) }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Additional labels dict
-
-## Module Public Domain
-
-### helm_lib_module_public_domain
-
- returns rendered publicDomainTemplate to service fqdn
-
-#### Usage
-
-`{{ include "helm_lib_module_public_domain" (list . "") }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- Name portion
-
-## Module Security Context
-
-### helm_lib_module_pod_security_context_run_as_user_custom
-
- returns PodSecurityContext parameters for Pod with custom user and group
-
-#### Usage
-
-`{{ include "helm_lib_module_pod_security_context_run_as_user_custom" (list . 1000 1000) }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- User id
-- Group id
-
-
-### helm_lib_module_pod_security_context_run_as_user_nobody
-
- returns PodSecurityContext parameters for Pod with user and group "nobody"
-
-#### Usage
-
-`{{ include "helm_lib_module_pod_security_context_run_as_user_nobody" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs
-
- returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes
-
-#### Usage
-
-`{{ include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_pod_security_context_run_as_user_deckhouse
-
- returns PodSecurityContext parameters for Pod with user and group "deckhouse"
-
-#### Usage
-
-`{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs
-
- returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes
-
-#### Usage
-
-`{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted
-
- returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_pod_security_context_run_as_user_root
-
- returns PodSecurityContext parameters for Pod with user and group 0
-
-#### Usage
-
-`{{ include "helm_lib_module_pod_security_context_run_as_user_root" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_pod_security_context_runtime_default
-
- returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault
-
-#### Usage
-
-`{{ include "helm_lib_module_pod_security_context_runtime_default" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_container_security_context_not_allow_privilege_escalation
-
- returns SecurityContext parameters for Container with allowPrivilegeEscalation false
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . }} `
-
-
-
-### helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux
-
- returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_container_security_context_read_only_root_filesystem
-
- returns SecurityContext parameters for Container with read only root filesystem
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_container_security_context_privileged
-
- returns SecurityContext parameters for Container running privileged
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_privileged" . }} `
-
-
-
-### helm_lib_module_container_security_context_escalated_sys_admin_privileged
-
- returns SecurityContext parameters for Container running privileged with escalation and sys_admin
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }} `
-
-
-
-### helm_lib_module_container_security_context_privileged_read_only_root_filesystem
-
- returns SecurityContext parameters for Container running privileged with read only root filesystem
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all
-
- returns SecurityContext for Container with read only root filesystem and all capabilities dropped
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . }} `
-
-#### Arguments
-
-- Template context with .Values, .Chart, etc
-
-
-### helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add
-
- returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- List of capabilities
-
-
-### helm_lib_module_container_security_context_capabilities_drop_all_and_add
-
- returns SecurityContext parameters for Container with all dropped and some added capabilities
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} `
-
-#### Arguments
-
-list:
-- Template context with .Values, .Chart, etc
-- List of capabilities
-
-
-### helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom
-
- returns SecurityContext parameters for Container with read only root filesystem, all dropped, and custom user ID
-
-#### Usage
-
-`{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 
1000 1000) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- User id -- Group id - -## Module Storage Class - -### helm_lib_module_storage_class_annotations - - return module StorageClass annotations - -#### Usage - -`{{ include "helm_lib_module_storage_class_annotations" (list $ $index $storageClass.name) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Storage class index -- Storage class name - -## Monitoring Grafana Dashboards - -### helm_lib_grafana_dashboard_definitions_recursion - - returns all the dashboard-definintions from / - current dir is optional — used for recursion but you can use it for partially generating dashboards - -#### Usage - -`{{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . [current dir]) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Dashboards root dir -- Dashboards current dir - - -### helm_lib_grafana_dashboard_definitions - - returns dashboard-definintions from monitoring/grafana-dashboards/ - -#### Usage - -`{{ include "helm_lib_grafana_dashboard_definitions" . }} ` - -#### Arguments - -- Template context with .Values, .Chart, etc - - -### helm_lib_single_dashboard - - renders a single dashboard - -#### Usage - -`{{ include "helm_lib_single_dashboard" (list . "dashboard-name" "folder" $dashboard) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Dashboard name -- Folder -- Dashboard definition - -## Monitoring Prometheus Rules - -### helm_lib_prometheus_rules_recursion - - returns all the prometheus rules from / - current dir is optional — used for recursion but you can use it for partially generating rules - -#### Usage - -`{{ include "helm_lib_prometheus_rules_recursion" (list . 
[current dir]) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Namespace for creating rules -- Rules root dir -- Current dir (optional) - - -### helm_lib_prometheus_rules - - returns all the prometheus rules from monitoring/prometheus-rules/ - -#### Usage - -`{{ include "helm_lib_prometheus_rules" (list . ) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Namespace for creating rules - - -### helm_lib_prometheus_target_scrape_timeout_seconds - - returns adjust timeout value to scrape interval / - -#### Usage - -`{{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list . ) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Target timeout in seconds - -## Node Affinity - -### helm_lib_internal_check_node_selector_strategy - - Verify node selector strategy. - - - -### helm_lib_node_selector - - Returns node selector for workloads depend on strategy. - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- strategy, one of "frontend" "monitoring" "system" "master" "any-node" "wildcard" - - -### helm_lib_tolerations - - Returns tolerations for workloads depend on strategy. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized" "without-storage-problems") }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- base strategy, one of "frontend" "monitoring" "system" any-node" "wildcard" -- list of additional strategies. To add strategy list it with prefix "with-", to remove strategy list it with prefix "without-". - - -### _helm_lib_cloud_or_hybrid_cluster - - Check cluster type. - Returns not empty string if this is cloud or hybrid cluster - - - -### helm_lib_internal_check_tolerations_strategy - - Verify base strategy. - Fails if strategy not in allowed list - - - -### _helm_lib_any_node_tolerations - - Base strategy for any uncordoned node in cluster. 
- -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "any-node") }} ` - - - -### _helm_lib_wildcard_tolerations - - Base strategy that tolerates all. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "wildcard") }} ` - - - -### _helm_lib_monitoring_tolerations - - Base strategy that tolerates nodes with "dedicated.deckhouse.io: monitoring" and "dedicated.deckhouse.io: system" taints. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "monitoring") }} ` - - - -### _helm_lib_frontend_tolerations - - Base strategy that tolerates nodes with "dedicated.deckhouse.io: frontend" taints. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "frontend") }} ` - - - -### _helm_lib_system_tolerations - - Base strategy that tolerates nodes with "dedicated.deckhouse.io: system" taints. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "system") }} ` - - - -### _helm_lib_additional_tolerations_uninitialized - - Additional strategy "uninitialized" - used for CNI's and kube-proxy to allow cni components scheduled on node after CCM initialization. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") }} ` - - - -### _helm_lib_additional_tolerations_node_problems - - Additional strategy "node-problems" - used for shedule critical components on non-ready nodes or nodes under pressure. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-node-problems") }} ` - - - -### _helm_lib_additional_tolerations_storage_problems - - Additional strategy "storage-problems" - used for shedule critical components on nodes with drbd problems. This additional strategy enabled by default in any base strategy except "wildcard". - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . 
"any-node" "without-storage-problems") }} ` - - - -### _helm_lib_additional_tolerations_no_csi - - Additional strategy "no-csi" - used for any node with no CSI: any node, which was initialized by deckhouse, but have no csi-node driver registered on it. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-no-csi") }} ` - - - -### _helm_lib_additional_tolerations_cloud_provider_uninitialized - - Additional strategy "cloud-provider-uninitialized" - used for any node which is not initialized by CCM. - -#### Usage - -`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-cloud-provider-uninitialized") }} ` - - -## Pod Disruption Budget - -### helm_lib_pdb_daemonset - - Returns PDB max unavailable - -#### Usage - -`{{ include "helm_lib_pdb_daemonset" . }} ` - -#### Arguments - -- Template context with .Values, .Chart, etc - -## Priority Class - -### helm_lib_priority_class - - returns priority class if priority-class module enabled, otherwise returns nothing - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Priority class name - -## Resources Management - -### helm_lib_resources_management_pod_resources - - returns rendered resources section based on configuration if it is - -#### Usage - -`{{ include "helm_lib_resources_management_pod_resources" (list [ephemeral storage requests]) }} ` - -#### Arguments - -list: -- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) -- Ephemeral storage requests - - -### helm_lib_resources_management_original_pod_resources - - returns rendered resources section based on configuration if it is present - -#### Usage - -`{{ include "helm_lib_resources_management_original_pod_resources" }} ` - -#### Arguments - -- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) - - -### 
helm_lib_resources_management_vpa_spec - - returns rendered vpa spec based on configuration and target reference - -#### Usage - -`{{ include "helm_lib_resources_management_vpa_spec" (list ) }} ` - -#### Arguments - -list: -- Target API version -- Target Kind -- Target Name -- Target container name -- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) - - -### helm_lib_resources_management_cpu_units_to_millicores - - helper for converting cpu units to millicores - -#### Usage - -`{{ include "helm_lib_resources_management_cpu_units_to_millicores" }} ` - - - -### helm_lib_resources_management_memory_units_to_bytes - - helper for converting memory units to bytes - -#### Usage - -`{{ include "helm_lib_resources_management_memory_units_to_bytes" }} ` - - - -### helm_lib_vpa_kube_rbac_proxy_resources - - helper for VPA resources for kube_rbac_proxy - -#### Usage - -`{{ include "helm_lib_vpa_kube_rbac_proxy_resources" . }} ` - -#### Arguments - -- Template context with .Values, .Chart, etc - - -### helm_lib_container_kube_rbac_proxy_resources - - helper for container resources for kube_rbac_proxy - -#### Usage - -`{{ include "helm_lib_container_kube_rbac_proxy_resources" . }} ` - -#### Arguments - -- Template context with .Values, .Chart, etc - -## Spec For High Availability - -### helm_lib_pod_anti_affinity_for_ha - - returns pod affinity spec - -#### Usage - -`{{ include "helm_lib_pod_anti_affinity_for_ha" (list . 
(dict "app" "test")) }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Match labels for podAntiAffinity label selector - - -### helm_lib_deployment_on_master_strategy_and_replicas_for_ha - - returns deployment strategy and replicas for ha components running on master nodes - -#### Usage - -`{{ include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} ` - -#### Arguments - -- Template context with .Values, .Chart, etc - - -### helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha - - returns deployment with custom strategy and replicas for ha components running on master nodes - -#### Usage - -`{{ include "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" (list . (dict "strategy" "strategy_type")) }} ` - - - -### helm_lib_deployment_strategy_and_replicas_for_ha - - returns deployment strategy and replicas for ha components running not on master nodes - -#### Usage - -`{{ include "helm_lib_deployment_strategy_and_replicas_for_ha" }} ` - -#### Arguments - -- Template context with .Values, .Chart, etc diff --git a/charts/helm_lib/templates/_api_version_and_kind.tpl b/charts/helm_lib/templates/_api_version_and_kind.tpl deleted file mode 100644 index 4de8a8a..0000000 --- a/charts/helm_lib/templates/_api_version_and_kind.tpl +++ /dev/null 
@@ -1,36 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_kind_exists" (list . "") }} */ -}}
-{{- /* returns true if the specified resource kind (case-insensitive) is represented in the cluster */ -}}
-{{- define "helm_lib_kind_exists" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $kind_name := index . 1 -}} {{- /* Kind name portion */ -}}
- {{- if eq (len $context.Capabilities.APIVersions) 0 -}}
- {{- fail "Helm reports no capabilities" -}}
- {{- end -}}
- {{ range $cap := $context.Capabilities.APIVersions }}
- {{- if hasSuffix (lower (printf "/%s" $kind_name)) (lower $cap) }}
- found
- {{- break }}
- {{- end }}
- {{- end }}
-{{- end -}}
-
-{{- /* Usage: {{ include "helm_lib_get_api_version_by_kind" (list . "") }} */ -}}
-{{- /* returns current apiVersion string, based on available helm capabilities, for the provided kind (not all kinds are supported) */ -}}
-{{- define "helm_lib_get_api_version_by_kind" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $kind_name := index . 1 -}} {{- /* Kind name portion */ -}}
- {{- if eq (len $context.Capabilities.APIVersions) 0 -}}
- {{- fail "Helm reports no capabilities" -}}
- {{- end -}}
- {{- if or (eq $kind_name "ValidatingAdmissionPolicy") (eq $kind_name "ValidatingAdmissionPolicyBinding") -}}
- {{- if $context.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy" -}}
-admissionregistration.k8s.io/v1
- {{- else if $context.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1beta1/ValidatingAdmissionPolicy" -}}
-admissionregistration.k8s.io/v1beta1
- {{- else -}}
-admissionregistration.k8s.io/v1alpha1
- {{- end -}}
- {{- else -}}
- {{- fail (printf "Kind '%s' isn't supported by the 'helm_lib_get_api_version_by_kind' helper" $kind_name) -}}
- {{- end -}}
-{{- end -}}
diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl
deleted file mode 100644
index 9bc0d8c..0000000
--- a/charts/helm_lib/templates/_csi_controller.tpl
+++ /dev/null
@@ -1,763 +0,0 @@ -{{- define "attacher_resources" }} -cpu: 10m -memory: 25Mi -{{- end }} - -{{- define "provisioner_resources" }} -cpu: 10m -memory: 25Mi -{{- end }} - -{{- define "resizer_resources" }} -cpu: 10m -memory: 25Mi -{{- end }} - -{{- define "syncer_resources" }} -cpu: 10m -memory: 25Mi -{{- end }} - -{{- define "snapshotter_resources" }} -cpu: 10m -memory: 25Mi -{{- end }} - -{{- define "livenessprobe_resources" }} -cpu: 10m -memory: 25Mi -{{- end }} - -{{- define "controller_resources" }} -cpu: 10m -memory: 50Mi -{{- end }} - -{{- /* Usage: {{ include "helm_lib_csi_controller_manifests" (list . $config) }} */ -}} -{{- define "helm_lib_csi_controller_manifests" }} - {{- $context := index . 0 }} - - {{- $config := index . 1 }} - {{- $fullname := $config.fullname | default "csi-controller" }} - {{- $snapshotterEnabled := dig "snapshotterEnabled" true $config }} - {{- $resizerEnabled := dig "resizerEnabled" true $config }} - {{- $syncerEnabled := dig "syncerEnabled" false $config }} - {{- $topologyEnabled := dig "topologyEnabled" true $config }} - {{- $extraCreateMetadataEnabled := dig "extraCreateMetadataEnabled" false $config }} - {{- $controllerImage := $config.controllerImage | required "$config.controllerImage is required" }} - {{- $provisionerTimeout := $config.provisionerTimeout | default "600s" }} - {{- $attacherTimeout := $config.attacherTimeout | default "600s" }} - {{- $resizerTimeout := $config.resizerTimeout | default "600s" }} - {{- $snapshotterTimeout := $config.snapshotterTimeout | default "600s" }} - {{- $provisionerWorkers := $config.provisionerWorkers | default "10" }} - {{- $attacherWorkers := $config.attacherWorkers | default "10" }} - {{- $resizerWorkers := $config.resizerWorkers | default "10" }} - {{- $snapshotterWorkers := $config.snapshotterWorkers | default "10" }} - {{- $additionalControllerEnvs := $config.additionalControllerEnvs }} - {{- $additionalSyncerEnvs := $config.additionalSyncerEnvs }} - {{- $additionalControllerArgs 
:= $config.additionalControllerArgs }} - {{- $additionalControllerVolumes := $config.additionalControllerVolumes }} - {{- $additionalControllerVolumeMounts := $config.additionalControllerVolumeMounts }} - {{- $additionalContainers := $config.additionalContainers }} - {{- $livenessProbePort := $config.livenessProbePort | default 9808 }} - {{- $initContainerCommand := $config.initContainerCommand }} - {{- $initContainerImage := $config.initContainerImage }} - {{- $initContainerVolumeMounts := $config.initContainerVolumeMounts }} - - {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} - - {{- $provisionerImageName := join "" (list "csiExternalProvisioner" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $provisionerImage := include "helm_lib_module_common_image_no_fail" (list $context $provisionerImageName) }} - - {{- $attacherImageName := join "" (list "csiExternalAttacher" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $attacherImage := include "helm_lib_module_common_image_no_fail" (list $context $attacherImageName) }} - - {{- $resizerImageName := join "" (list "csiExternalResizer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $resizerImage := include "helm_lib_module_common_image_no_fail" (list $context $resizerImageName) }} - - {{- $syncerImageName := join "" (list "csiVsphereSyncer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $syncerImage := include "helm_lib_module_common_image_no_fail" (list $context $syncerImageName) }} - - {{- $snapshotterImageName := join "" (list "csiExternalSnapshotter" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $snapshotterImage := include "helm_lib_module_common_image_no_fail" (list $context $snapshotterImageName) }} - - {{- $livenessprobeImageName := join "" (list "csiLivenessprobe" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $livenessprobeImage := include "helm_lib_module_common_image_no_fail" (list $context 
$livenessprobeImageName) }} - - {{- if $provisionerImage }} - {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: {{ $fullname }} - namespace: d8-{{ $context.Chart.Name }} - {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller" "workload-resource-policy.deckhouse.io" "master")) | nindent 2 }} -spec: - targetRef: - apiVersion: "apps/v1" - kind: Deployment - name: {{ $fullname }} - updatePolicy: - updateMode: "Auto" - resourcePolicy: - containerPolicies: - - containerName: "provisioner" - minAllowed: - {{- include "provisioner_resources" $context | nindent 8 }} - maxAllowed: - cpu: 20m - memory: 50Mi - - containerName: "attacher" - minAllowed: - {{- include "attacher_resources" $context | nindent 8 }} - maxAllowed: - cpu: 20m - memory: 50Mi - {{- if $resizerEnabled }} - - containerName: "resizer" - minAllowed: - {{- include "resizer_resources" $context | nindent 8 }} - maxAllowed: - cpu: 20m - memory: 50Mi - {{- end }} - {{- if $syncerEnabled }} - - containerName: "syncer" - minAllowed: - {{- include "syncer_resources" $context | nindent 8 }} - maxAllowed: - cpu: 20m - memory: 50Mi - {{- end }} - {{- if $snapshotterEnabled }} - - containerName: "snapshotter" - minAllowed: - {{- include "snapshotter_resources" $context | nindent 8 }} - maxAllowed: - cpu: 20m - memory: 50Mi - {{- end }} - - containerName: "livenessprobe" - minAllowed: - {{- include "livenessprobe_resources" $context | nindent 8 }} - maxAllowed: - cpu: 20m - memory: 50Mi - - containerName: "controller" - minAllowed: - {{- include "controller_resources" $context | nindent 8 }} - maxAllowed: - cpu: 20m - memory: 100Mi - {{- end }} ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ $fullname }} - namespace: d8-{{ $context.Chart.Name }} - {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller")) | nindent 2 }} 
-spec: - maxUnavailable: 1 - selector: - matchLabels: - app: {{ $fullname }} ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - name: {{ $fullname }} - namespace: d8-{{ $context.Chart.Name }} - {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller")) | nindent 2 }} -spec: - replicas: 1 - revisionHistoryLimit: 2 - selector: - matchLabels: - app: {{ $fullname }} - strategy: - type: Recreate - template: - metadata: - labels: - app: {{ $fullname }} - {{- if hasPrefix "cloud-provider-" $context.Chart.Name }} - annotations: - cloud-config-checksum: {{ include (print $context.Template.BasePath "/cloud-controller-manager/secret.yaml") $context | sha256sum }} - {{- end }} - spec: - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - imagePullSecrets: - - name: deckhouse-registry - {{- include "helm_lib_priority_class" (tuple $context "system-cluster-critical") | nindent 6 }} - {{- include "helm_lib_node_selector" (tuple $context "master") | nindent 6 }} - {{- include "helm_lib_tolerations" (tuple $context "any-node" "with-uninitialized") | nindent 6 }} -{{- if $context.Values.global.enabledModules | has "csi-nfs" }} - {{- include "helm_lib_module_pod_security_context_runtime_default" . | nindent 6 }} -{{- else }} - {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }} -{{- end }} - serviceAccountName: csi - containers: - - name: provisioner - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} - image: {{ $provisionerImage | quote }} - args: - - "--timeout={{ $provisionerTimeout }}" - - "--v=5" - - "--csi-address=$(ADDRESS)" - {{- if $topologyEnabled }} - - "--feature-gates=Topology=true" - - "--strict-topology" - {{- else }} - - "--feature-gates=Topology=false" - {{- end }} - - "--default-fstype=ext4" - - "--leader-election=true" - - "--leader-election-namespace=$(NAMESPACE)" - - "--enable-capacity" - - "--capacity-ownerref-level=2" - {{- if $extraCreateMetadataEnabled }} - - "--extra-create-metadata=true" - {{- end }} - - "--worker-threads={{ $provisionerWorkers }}" - env: - - name: ADDRESS - value: /csi/csi.sock - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: socket-dir - mountPath: /csi - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "provisioner_resources" $context | nindent 12 }} - {{- end }} - - name: attacher - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} - image: {{ $attacherImage | quote }} - args: - - "--timeout={{ $attacherTimeout }}" - - "--v=5" - - "--csi-address=$(ADDRESS)" - - "--leader-election=true" - - "--leader-election-namespace=$(NAMESPACE)" - - "--worker-threads={{ $attacherWorkers }}" - env: - - name: ADDRESS - value: /csi/csi.sock - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: socket-dir - mountPath: /csi - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "attacher_resources" $context | nindent 12 }} - {{- end }} - {{- if $resizerEnabled }} - - name: resizer - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} - image: {{ $resizerImage | quote }} - args: - - "--timeout={{ $resizerTimeout }}" - - "--v=5" - - "--csi-address=$(ADDRESS)" - - "--leader-election=true" - - "--leader-election-namespace=$(NAMESPACE)" - - "--workers={{ $resizerWorkers }}" - env: - - name: ADDRESS - value: /csi/csi.sock - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: socket-dir - mountPath: /csi - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "resizer_resources" $context | nindent 12 }} - {{- end }} - {{- end }} - {{- if $syncerEnabled }} - - name: syncer - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} - image: {{ $syncerImage | quote }} - args: - - "--leader-election" - - "--leader-election-lease-duration=30s" - - "--leader-election-renew-deadline=20s" - - "--leader-election-retry-period=10s" - {{- if $additionalControllerArgs }} - {{- $additionalControllerArgs | toYaml | nindent 8 }} - {{- end }} - {{- if $additionalSyncerEnvs }} - env: - {{- $additionalSyncerEnvs | toYaml | nindent 8 }} - {{- end }} - {{- if $additionalControllerVolumeMounts }} - volumeMounts: - {{- $additionalControllerVolumeMounts | toYaml | nindent 8 }} - {{- end }} - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "syncer_resources" $context | nindent 12 }} - {{- end }} - {{- end }} - {{- if $snapshotterEnabled }} - - name: snapshotter - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} - image: {{ $snapshotterImage | quote }} - args: - - "--timeout={{ $snapshotterTimeout }}" - - "--v=5" - - "--csi-address=$(ADDRESS)" - - "--leader-election=true" - - "--leader-election-namespace=$(NAMESPACE)" - - "--worker-threads={{ $snapshotterWorkers }}" - env: - - name: ADDRESS - value: /csi/csi.sock - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: socket-dir - mountPath: /csi - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "snapshotter_resources" $context | nindent 12 }} - {{- end }} - {{- end }} - - name: livenessprobe - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} - image: {{ $livenessprobeImage | quote }} - args: - - "--csi-address=$(ADDRESS)" - - "--http-endpoint=$(HOST_IP):{{ $livenessProbePort }}" - env: - - name: ADDRESS - value: /csi/csi.sock - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - volumeMounts: - - name: socket-dir - mountPath: /csi - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "livenessprobe_resources" $context | nindent 12 }} - {{- end }} - - name: controller -{{- if $context.Values.global.enabledModules | has "csi-nfs" }} - {{- include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . | nindent 8 }} -{{- else }} - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} -{{- end }} - image: {{ $controllerImage | quote }} - args: - {{- if $additionalControllerArgs }} - {{- $additionalControllerArgs | toYaml | nindent 8 }} - {{- end }} - {{- if $additionalControllerEnvs }} - env: - {{- $additionalControllerEnvs | toYaml | nindent 8 }} - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: {{ $livenessProbePort }} - volumeMounts: - - name: socket-dir - mountPath: /csi - {{- /* For an unknown reason vSphere csi-controller won't start without `/tmp` directory */ -}} - {{- if eq $context.Chart.Name "cloud-provider-vsphere" }} - - name: tmp - mountPath: /tmp - {{- end }} - {{- if $additionalControllerVolumeMounts }} - {{- $additionalControllerVolumeMounts | toYaml | nindent 8 }} - {{- end }} - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "controller_resources" $context | nindent 12 }} - {{- end }} - {{- if $additionalContainers }} - {{- $additionalContainers | 
toYaml | nindent 6 }} - {{- end }} - {{- if $initContainerCommand }} - initContainers: - - command: - {{- $initContainerCommand | toYaml | nindent 8 }} - image: {{ $initContainerImage }} - imagePullPolicy: IfNotPresent - name: csi-controller-init-container - {{- if $initContainerVolumeMounts }} - volumeMounts: - {{- $initContainerVolumeMounts | toYaml | nindent 8 }} - {{- end }} - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- end }} - volumes: - - name: socket-dir - emptyDir: {} - {{- /* For an unknown reason vSphere csi-controller won't start without `/tmp` directory */ -}} - {{- if eq $context.Chart.Name "cloud-provider-vsphere" }} - - name: tmp - emptyDir: {} - {{- end }} - {{- if $additionalControllerVolumes }} - {{- $additionalControllerVolumes | toYaml | nindent 6 }} - {{- end }} - {{- end }} -{{- end }} - - -{{- /* Usage: {{ include "helm_lib_csi_controller_rbac" . }} */ -}} -{{- define "helm_lib_csi_controller_rbac" }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} - -# =========== -# provisioner -# =========== -# Source https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner - {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} -rules: -- apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] -- apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] -# Access to volumeattachments is only needed when the CSI driver -# has the PUBLISH_UNPUBLISH_VOLUME controller capability. -# In that case, external-provisioner will watch volumeattachments -# to determine when it is safe to delete a volume. -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: ClusterRole - name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-provisioner - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} -rules: -# Only one of the following rules for endpoints or leases is required based on -# what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases. -- apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "watch", "list", "delete", "update", "create"] -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] -# Permissions for CSIStorageCapacity are only needed enabling the publishing -# of storage capacity information. -- apiGroups: ["storage.k8s.io"] - resources: ["csistoragecapacities"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -# The GET permissions below are needed for walking up the ownership chain -# for CSIStorageCapacity. They are sufficient for deployment via -# StatefulSet (only needs to get Pod) and Deployment (needs to get -# Pod and then ReplicaSet to find the Deployment). -- apiGroups: [""] - resources: ["pods"] - verbs: ["get"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-provisioner - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: Role - name: csi:controller:external-provisioner - apiGroup: rbac.authorization.k8s.io - -# ======== -# attacher -# ======== -# Source https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-attacher - {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} -rules: -- apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] -- apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] -- apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-attacher - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: ClusterRole - name: d8:{{ .Chart.Name }}:csi:controller:external-attacher - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-attacher - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -rules: -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-attacher - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: Role - name: csi:controller:external-attacher - apiGroup: rbac.authorization.k8s.io - -# ======= -# resizer -# ======= -# Source https://github.com/kubernetes-csi/external-resizer/blob/master/deploy/kubernetes/rbac.yaml ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-resizer - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -rules: -- apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "patch"] -- apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["patch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-resizer - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: ClusterRole - name: d8:{{ .Chart.Name }}:csi:controller:external-resizer - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-resizer - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} -rules: -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-resizer - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: Role - name: csi:controller:external-resizer - apiGroup: rbac.authorization.k8s.io -# ======== -# snapshotter -# ======== -# Source https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update", "patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter - {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: ClusterRole - name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-snapshotter - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -rules: -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi:controller:external-snapshotter - namespace: d8-{{ .Chart.Name }} - {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} -subjects: -- kind: ServiceAccount - name: csi - namespace: d8-{{ .Chart.Name }} -roleRef: - kind: Role - name: csi:controller:external-snapshotter - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl deleted file mode 100644 index 254bc40..0000000 --- a/charts/helm_lib/templates/_csi_node.tpl +++ /dev/null 
@@ -1,206 +0,0 @@ -{{- define "node_driver_registrar_resources" }} -cpu: 12m -memory: 25Mi -{{- end }} - -{{- define "node_resources" }} -cpu: 12m -memory: 25Mi -{{- end }} - -{{- /* Usage: {{ include "helm_lib_csi_node_manifests" (list . $config) }} */ -}} -{{- define "helm_lib_csi_node_manifests" }} - {{- $context := index . 0 }} - - {{- $config := index . 1 }} - {{- $fullname := $config.fullname | default "csi-node" }} - {{- $nodeImage := $config.nodeImage | required "$config.nodeImage is required" }} - {{- $driverFQDN := $config.driverFQDN | required "$config.driverFQDN is required" }} - {{- $serviceAccount := $config.serviceAccount | default "" }} - {{- $additionalNodeEnvs := $config.additionalNodeEnvs }} - {{- $additionalNodeArgs := $config.additionalNodeArgs }} - {{- $additionalNodeVolumes := $config.additionalNodeVolumes }} - {{- $additionalNodeVolumeMounts := $config.additionalNodeVolumeMounts }} - {{- $additionalNodeLivenessProbesCmd := $config.additionalNodeLivenessProbesCmd }} - {{- $initContainerCommand := $config.initContainerCommand }} - {{- $initContainerImage := $config.initContainerImage }} - {{- $initContainerVolumeMounts := $config.initContainerVolumeMounts }} - - {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} - {{- $driverRegistrarImageName := join "" (list "csiNodeDriverRegistrar" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $driverRegistrarImage := include "helm_lib_module_common_image_no_fail" (list $context $driverRegistrarImageName) }} - {{- if $driverRegistrarImage }} - {{- if or (include "_helm_lib_cloud_or_hybrid_cluster" $context) ($context.Values.global.enabledModules | has "ceph-csi") ($context.Values.global.enabledModules | has "csi-nfs") ($context.Values.global.enabledModules | has "csi-ceph") ($context.Values.global.enabledModules | has "csi-yadro") }} - {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} ---- -apiVersion: autoscaling.k8s.io/v1 
-kind: VerticalPodAutoscaler -metadata: - name: {{ $fullname }} - namespace: d8-{{ $context.Chart.Name }} - {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-node" "workload-resource-policy.deckhouse.io" "every-node")) | nindent 2 }} -spec: - targetRef: - apiVersion: "apps/v1" - kind: DaemonSet - name: {{ $fullname }} - updatePolicy: - updateMode: "Auto" - resourcePolicy: - containerPolicies: - - containerName: "node-driver-registrar" - minAllowed: - {{- include "node_driver_registrar_resources" $context | nindent 8 }} - maxAllowed: - cpu: 25m - memory: 50Mi - - containerName: "node" - minAllowed: - {{- include "node_resources" $context | nindent 8 }} - maxAllowed: - cpu: 25m - memory: 50Mi - {{- end }} ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: {{ $fullname }} - namespace: d8-{{ $context.Chart.Name }} - {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-node")) | nindent 2 }} -spec: - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app: {{ $fullname }} - template: - metadata: - labels: - app: {{ $fullname }} - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - operator: In - key: node.deckhouse.io/type - values: - - CloudEphemeral - - CloudPermanent - - CloudStatic - {{- if or (eq $fullname "csi-node-rbd") (eq $fullname "csi-node-cephfs") (eq $fullname "csi-nfs") (eq $fullname "csi-yadro") }} - - Static - {{- end }} - imagePullSecrets: - - name: deckhouse-registry - {{- include "helm_lib_priority_class" (tuple $context "system-node-critical") | nindent 6 }} - {{- include "helm_lib_tolerations" (tuple $context "any-node" "with-no-csi") | nindent 6 }} - {{- include "helm_lib_module_pod_security_context_run_as_user_root" . 
| nindent 6 }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - containers: - - name: node-driver-registrar - {{- include "helm_lib_module_container_security_context_not_allow_privilege_escalation" $context | nindent 8 }} - image: {{ $driverRegistrarImage | quote }} - args: - - "--v=5" - - "--csi-address=$(CSI_ENDPOINT)" - - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" - env: - - name: CSI_ENDPOINT - value: "/csi/csi.sock" - - name: DRIVER_REG_SOCK_PATH - value: "/var/lib/kubelet/csi-plugins/{{ $driverFQDN }}/csi.sock" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if $additionalNodeLivenessProbesCmd }} - livenessProbe: - initialDelaySeconds: 3 - exec: - command: - {{- $additionalNodeLivenessProbesCmd | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_only_logs" 10 | nindent 12 }} - {{- if not ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include "node_driver_registrar_resources" $context | nindent 12 }} - {{- end }} - - name: node - securityContext: - privileged: true - image: {{ $nodeImage }} - args: - {{- if $additionalNodeArgs }} - {{- $additionalNodeArgs | toYaml | nindent 8 }} - {{- end }} - {{- if $additionalNodeEnvs }} - env: - {{- $additionalNodeEnvs | toYaml | nindent 8 }} - {{- end }} - volumeMounts: - - name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: "Bidirectional" - - name: plugin-dir - mountPath: /csi - - name: device-dir - mountPath: /dev - {{- if $additionalNodeVolumeMounts }} - {{- $additionalNodeVolumeMounts | toYaml | nindent 8 }} - {{- end }} - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- if not ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} - {{- include 
"node_resources" $context | nindent 12 }} - {{- end }} - {{- if $initContainerCommand }} - initContainers: - - command: - {{- $initContainerCommand | toYaml | nindent 8 }} - image: {{ $initContainerImage }} - imagePullPolicy: IfNotPresent - name: csi-node-init-container - {{- if $initContainerVolumeMounts }} - volumeMounts: - {{- $initContainerVolumeMounts | toYaml | nindent 8 }} - {{- end }} - resources: - requests: - {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} - {{- end }} - serviceAccount: {{ $serviceAccount | quote }} - serviceAccountName: {{ $serviceAccount | quote }} - volumes: - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/csi-plugins/{{ $driverFQDN }}/ - type: DirectoryOrCreate - - name: device-dir - hostPath: - path: /dev - type: Directory - {{- if $additionalNodeVolumes }} - {{- $additionalNodeVolumes | toYaml | nindent 6 }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/helm_lib/templates/_enable_ds_eviction.tpl b/charts/helm_lib/templates/_enable_ds_eviction.tpl deleted file mode 100644 index b912c05..0000000 --- a/charts/helm_lib/templates/_enable_ds_eviction.tpl +++ /dev/null @@ -1,6 +0,0 @@ -{{- /* Usage: {{ include "helm_lib_prevent_ds_eviction_annotation" . }} */ -}} -{{- /* Adds `cluster-autoscaler.kubernetes.io/enable-ds-eviction` annotation to manage DaemonSet eviction by the Cluster Autoscaler. */ -}} -{{- /* This is important to prevent the eviction of DaemonSet pods during cluster scaling. */ -}} -{{- define "helm_lib_prevent_ds_eviction_annotation" -}} -cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false" -{{- end }} diff --git a/charts/helm_lib/templates/_envs_for_proxy.tpl b/charts/helm_lib/templates/_envs_for_proxy.tpl deleted file mode 100644 index 177bb1c..0000000 
--- a/charts/helm_lib/templates/_envs_for_proxy.tpl
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_envs_for_proxy" . }} */ -}}
-{{- /* Add HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables for container */ -}}
-{{- /* depends on [proxy settings](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-proxy) */ -}}
-{{- define "helm_lib_envs_for_proxy" }}
- {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- if $context.Values.global.clusterConfiguration }}
- {{- if $context.Values.global.clusterConfiguration.proxy }}
- {{- if $context.Values.global.clusterConfiguration.proxy.httpProxy }}
-- name: HTTP_PROXY
- value: {{ $context.Values.global.clusterConfiguration.proxy.httpProxy | quote }}
-- name: http_proxy
- value: {{ $context.Values.global.clusterConfiguration.proxy.httpProxy | quote }}
- {{- end }}
- {{- if $context.Values.global.clusterConfiguration.proxy.httpsProxy }}
-- name: HTTPS_PROXY
- value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }}
-- name: https_proxy
- value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }}
- {{- end }}
- {{- $noProxy := list "127.0.0.1" "169.254.169.254" $context.Values.global.clusterConfiguration.clusterDomain $context.Values.global.clusterConfiguration.podSubnetCIDR $context.Values.global.clusterConfiguration.serviceSubnetCIDR }}
- {{- if $context.Values.global.clusterConfiguration.proxy.noProxy }}
- {{- $noProxy = concat $noProxy $context.Values.global.clusterConfiguration.proxy.noProxy }}
- {{- end }}
-- name: NO_PROXY
- value: {{ $noProxy | join "," | quote }}
-- name: no_proxy
- value: {{ $noProxy | join "," | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_high_availability.tpl b/charts/helm_lib/templates/_high_availability.tpl
deleted file mode 100644
index 8c7da23..0000000
--- a/charts/helm_lib/templates/_high_availability.tpl
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_is_ha_to_value" (list . yes no) }} */ -}}
-{{- /* returns value "yes" if cluster is highly available, else — returns "no" */ -}}
-{{- define "helm_lib_is_ha_to_value" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $yes := index . 1 -}} {{- /* Yes value */ -}}
- {{- $no := index . 2 -}} {{- /* No value */ -}}
-
- {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
-
- {{- if hasKey $module_values "highAvailability" -}}
- {{- if $module_values.highAvailability -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
- {{- else if hasKey $context.Values.global "highAvailability" -}}
- {{- if $context.Values.global.highAvailability -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
- {{- else -}}
- {{- if $context.Values.global.discovery.clusterControlPlaneIsHighlyAvailable -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
- {{- end -}}
-{{- end }}
-
-{{- /* Usage: {{- if (include "helm_lib_ha_enabled" .) }} */ -}}
-{{- /* returns empty value, which is treated by go template as false */ -}}
-{{- define "helm_lib_ha_enabled" }}
- {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
-
- {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
-
- {{- if hasKey $module_values "highAvailability" -}}
- {{- if $module_values.highAvailability -}}
- "not empty string"
- {{- end -}}
- {{- else if hasKey $context.Values.global "highAvailability" -}}
- {{- if $context.Values.global.highAvailability -}}
- "not empty string"
- {{- end -}}
- {{- else -}}
- {{- if $context.Values.global.discovery.clusterControlPlaneIsHighlyAvailable -}}
- "not empty string"
- {{- end -}}
- {{- end -}}
-{{- end -}}
diff --git a/charts/helm_lib/templates/_kube_rbac_proxy.tpl b/charts/helm_lib/templates/_kube_rbac_proxy.tpl
deleted file mode 100644
index af9f7a4..0000000
--- a/charts/helm_lib/templates/_kube_rbac_proxy.tpl
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_kube_rbac_proxy_ca_certificate" (list . "namespace") }} */ -}}
-{{- /* Renders configmap with kube-rbac-proxy CA certificate which uses to verify the kube-rbac-proxy clients. */ -}}
-{{- define "helm_lib_kube_rbac_proxy_ca_certificate" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-{{- /* Namespace where CA configmap will be created */ -}}
- {{- $context := index . 0 }}
- {{- $namespace := index . 1 }}
----
-apiVersion: v1
-data:
- ca.crt: |
- {{ $context.Values.global.internal.modules.kubeRBACProxyCA.cert | nindent 4 }}
-kind: ConfigMap
-metadata:
- annotations:
- kubernetes.io/description: |
- Contains a CA bundle that can be used to verify the kube-rbac-proxy clients.
- {{- include "helm_lib_module_labels" (list $context) | nindent 2 }}
- name: kube-rbac-proxy-ca.crt
- namespace: {{ $namespace }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_documentation_uri.tpl b/charts/helm_lib/templates/_module_documentation_uri.tpl
deleted file mode 100644
index a02cf45..0000000
--- a/charts/helm_lib/templates/_module_documentation_uri.tpl
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_documentation_uri" (list . "") }} */ -}}
-{{- /* returns rendered documentation uri using publicDomainTemplate or deckhouse.io domains*/ -}}
-{{- define "helm_lib_module_documentation_uri" }}
- {{- $default_doc_prefix := "https://deckhouse.io/documentation/v1" -}}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $path_portion := index . 1 -}} {{- /* Path to the document */ -}}
- {{- $uri := "" -}}
- {{- if $context.Values.global.modules.publicDomainTemplate }}
- {{- $uri = printf "%s://%s%s" (include "helm_lib_module_uri_scheme" $context) (include "helm_lib_module_public_domain" (list $context "documentation")) $path_portion -}}
- {{- else }}
- {{- $uri = printf "%s%s" $default_doc_prefix $path_portion -}}
- {{- end -}}
-
- {{ $uri }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_ephemeral_storage.tpl b/charts/helm_lib/templates/_module_ephemeral_storage.tpl
deleted file mode 100644
index 4b2dd02..0000000
--- a/charts/helm_lib/templates/_module_ephemeral_storage.tpl
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 }} */ -}}
-{{- /* 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be added to passed value */ -}}
-{{- /* returns ephemeral-storage size for logs with extra space */ -}}
-{{- define "helm_lib_module_ephemeral_storage_logs_with_extra" -}}
-{{- /* Extra space in mebibytes */ -}}
-ephemeral-storage: {{ add . 50 }}Mi
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_ephemeral_storage_only_logs" . }} */ -}}
-{{- /* 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be requested */ -}}
-{{- /* returns ephemeral-storage size for only logs */ -}}
-{{- define "helm_lib_module_ephemeral_storage_only_logs" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-ephemeral-storage: 50Mi
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_generate_common_name.tpl b/charts/helm_lib/templates/_module_generate_common_name.tpl
deleted file mode 100644
index fb142f8..0000000
--- a/charts/helm_lib/templates/_module_generate_common_name.tpl
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_generate_common_name" (list . "") }} */ -}}
-{{- /* returns the commonName parameter for use in the Certificate custom resource(cert-manager) */ -}}
-{{- define "helm_lib_module_generate_common_name" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $name_portion := index . 1 -}} {{- /* Name portion */ -}}
-
- {{- $domain := include "helm_lib_module_public_domain" (list $context $name_portion) -}}
-
- {{- $domain_length := len $domain -}}
- {{- if le $domain_length 64 -}}
-commonName: {{ $domain }}
- {{- end -}}
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_https.tpl b/charts/helm_lib/templates/_module_https.tpl
deleted file mode 100644
index 8ee41ef..0000000
--- a/charts/helm_lib/templates/_module_https.tpl
+++ /dev/null
@@ -1,160 +0,0 @@ -{{- /* Usage: {{ include "helm_lib_module_uri_scheme" . }} */ -}} -{{- /* return module uri scheme "http" or "https" */ -}} -{{- define "helm_lib_module_uri_scheme" -}} - {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- $mode := "" -}} - - {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} - {{- if hasKey $module_values "https" -}} - {{- if hasKey $module_values.https "mode" -}} - {{- $mode = $module_values.https.mode -}} - {{- else }} - {{- $mode = $context.Values.global.modules.https.mode | default "" -}} - {{- end }} - {{- else }} - {{- $mode = $context.Values.global.modules.https.mode | default "" -}} - {{- end }} - - - {{- if eq "Disabled" $mode -}} - http - {{- else -}} - https - {{- end -}} -{{- end -}} - -{{- /* Usage: {{ $https_values := include "helm_lib_https_values" . | fromYaml }} */ -}} -{{- define "helm_lib_https_values" -}} - {{- $context := . -}} - {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} - {{- $mode := "" -}} - {{- $certManagerClusterIssuerName := "" -}} - - {{- if hasKey $module_values "https" -}} - {{- if hasKey $module_values.https "mode" -}} - {{- $mode = $module_values.https.mode -}} - {{- if eq $mode "CertManager" -}} - {{- if not (hasKey $module_values.https "certManager") -}} - {{- cat ".https.certManager.clusterIssuerName is mandatory when .https.mode is set to CertManager" | fail -}} - {{- end -}} - {{- if hasKey $module_values.https.certManager "clusterIssuerName" -}} - {{- $certManagerClusterIssuerName = $module_values.https.certManager.clusterIssuerName -}} - {{- else -}} - {{- cat ".https.certManager.clusterIssuerName is mandatory when .https.mode is set to CertManager" | fail -}} - {{- end -}} - {{- end -}} - {{- else -}} - {{- cat ".https.mode is mandatory when .https is defined" | fail -}} - {{- end -}} - {{- end -}} - - {{- if empty $mode -}} - {{- $mode = 
$context.Values.global.modules.https.mode -}} - {{- if eq $mode "CertManager" -}} - {{- $certManagerClusterIssuerName = $context.Values.global.modules.https.certManager.clusterIssuerName -}} - {{- end -}} - {{- end -}} - - {{- if not (has $mode (list "Disabled" "CertManager" "CustomCertificate" "OnlyInURI")) -}} - {{- cat "Unknown https.mode:" $mode | fail -}} - {{- end -}} - - {{- if and (eq $mode "CertManager") (not ($context.Values.global.enabledModules | has "cert-manager")) -}} - {{- cat "https.mode has value CertManager but cert-manager module not enabled" | fail -}} - {{- end -}} - -mode: {{ $mode }} - {{- if eq $mode "CertManager" }} -certManager: - clusterIssuerName: {{ $certManagerClusterIssuerName }} - {{- end -}} - -{{- end -}} - -{{- /* Usage: {{ if (include "helm_lib_module_https_mode" .) }} */ -}} -{{- /* returns https mode for module */ -}} -{{- define "helm_lib_module_https_mode" -}} - {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- $https_values := include "helm_lib_https_values" $context | fromYaml -}} - {{- $https_values.mode -}} -{{- end -}} - -{{- /* Usage: {{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" . }} */ -}} -{{- /* returns cluster issuer name */ -}} -{{- define "helm_lib_module_https_cert_manager_cluster_issuer_name" -}} - {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- $https_values := include "helm_lib_https_values" $context | fromYaml -}} - {{- $https_values.certManager.clusterIssuerName -}} -{{- end -}} - -{{- /* Usage: {{ if (include "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" .) }} */ -}} -{{- define "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" -}} - {{- $context := . 
-}} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- if has (include "helm_lib_module_https_cert_manager_cluster_issuer_name" $context) (list "route53" "cloudflare" "digitalocean" "clouddns") }} - "not empty string" - {{- end -}} -{{- end -}} - -{{- /* Usage: {{ include "helm_lib_module_https_cert_manager_acme_solver_challenge_settings" . | nindent 4 }} */ -}} -{{- define "helm_lib_module_https_cert_manager_acme_solver_challenge_settings" -}} - {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- if (include "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" $context) }} -- dns01: - provider: {{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" $context }} - {{- else }} -- http01: - ingressClass: {{ include "helm_lib_module_ingress_class" $context | quote }} - {{- end }} -{{- end -}} - -{{- /* Usage: {{ if (include "helm_lib_module_https_ingress_tls_enabled" .) }} */ -}} -{{- /* returns not empty string if tls should enable for ingress */ -}} -{{- define "helm_lib_module_https_ingress_tls_enabled" -}} - {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} - - {{- $mode := include "helm_lib_module_https_mode" $context -}} - - {{- if or (eq "CertManager" $mode) (eq "CustomCertificate" $mode) -}} - not empty string - {{- end -}} -{{- end -}} - -{{- /* Usage: {{ include "helm_lib_module_https_copy_custom_certificate" (list . "namespace" "secret_name_prefix") }} */ -}} -{{- /* Renders secret with [custom certificate](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-https-customcertificate) */ -}} -{{- /* in passed namespace with passed prefix */ -}} -{{- define "helm_lib_module_https_copy_custom_certificate" -}} - {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- $namespace := index . 1 -}} {{- /* Namespace */ -}} - {{- $secret_name_prefix := index . 
2 -}} {{- /* Secret name prefix */ -}} - {{- $mode := include "helm_lib_module_https_mode" $context -}} - {{- if eq $mode "CustomCertificate" -}} - {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} - {{- $secret_name := include "helm_lib_module_https_secret_name" (list $context $secret_name_prefix) -}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ $secret_name }} - namespace: {{ $namespace }} - {{- include "helm_lib_module_labels" (list $context) | nindent 2 }} -type: kubernetes.io/tls -data: {{ $module_values.internal.customCertificateData | toJson }} - {{- end -}} -{{- end -}} - -{{- /* Usage: {{ include "helm_lib_module_https_secret_name (list . "secret_name_prefix") }} */ -}} -{{- /* returns custom certificate name */ -}} -{{- define "helm_lib_module_https_secret_name" -}} - {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- $secret_name_prefix := index . 1 -}} {{- /* Secret name prefix */ -}} - {{- $mode := include "helm_lib_module_https_mode" $context -}} - {{- if eq $mode "CertManager" -}} - {{- $secret_name_prefix -}} - {{- else -}} - {{- if eq $mode "CustomCertificate" -}} - {{- printf "%s-customcertificate" $secret_name_prefix -}} - {{- else -}} - {{- fail "https.mode must be CustomCertificate or CertManager" -}} - {{- end -}} - {{- end -}} -{{- end -}} diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl deleted file mode 100644 index bdf29f0..0000000 --- a/charts/helm_lib/templates/_module_image.tpl +++ /dev/null 
@@ -1,76 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_image" (list . "") }} */ -}}
-{{- /* returns image name */ -}}
-{{- define "helm_lib_module_image" }}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
- {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }}
- {{- if ge (len .) 3 }}
- {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}}
- {{- end }}
- {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }}
- {{- if not $imageDigest }}
- {{- $error := (printf "Image %s.%s has no digest" $moduleName $containerName ) }}
- {{- fail $error }}
- {{- end }}
- {{- $registryBase := $context.Values.global.modulesImages.registry.base }}
- {{- /* handle external modules registry */}}
- {{- if index $context.Values $moduleName }}
- {{- if index $context.Values $moduleName "registry" }}
- {{- if index $context.Values $moduleName "registry" "base" }}
- {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }}
- {{- $path := trimAll "/" $context.Chart.Name }}
- {{- $registryBase = join "/" (list $host $path) }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- printf "%s@%s" $registryBase $imageDigest }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_image_no_fail" (list . "") }} */ -}}
-{{- /* returns image name if found */ -}}
-{{- define "helm_lib_module_image_no_fail" }}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
- {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }}
- {{- if ge (len .) 3 }}
- {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}}
- {{- end }}
- {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }}
- {{- if $imageDigest }}
- {{- $registryBase := $context.Values.global.modulesImages.registry.base }}
- {{- if index $context.Values $moduleName }}
- {{- if index $context.Values $moduleName "registry" }}
- {{- if index $context.Values $moduleName "registry" "base" }}
- {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }}
- {{- $path := trimAll "/" $context.Chart.Name }}
- {{- $registryBase = join "/" (list $host $path) }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- printf "%s@%s" $registryBase $imageDigest }}
- {{- end }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_common_image" (list . "") }} */ -}}
-{{- /* returns image name from common module */ -}}
-{{- define "helm_lib_module_common_image" }}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
- {{- $imageDigest := index $context.Values.global.modulesImages.digests "common" $containerName }}
- {{- if not $imageDigest }}
- {{- $error := (printf "Image %s.%s has no digest" "common" $containerName ) }}
- {{- fail $error }}
- {{- end }}
- {{- printf "%s@%s" $context.Values.global.modulesImages.registry.base $imageDigest }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_common_image_no_fail" (list . "") }} */ -}}
-{{- /* returns image name from common module if found */ -}}
-{{- define "helm_lib_module_common_image_no_fail" }}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
- {{- $imageDigest := index $context.Values.global.modulesImages.digests "common" $containerName }}
- {{- if $imageDigest }}
- {{- printf "%s@%s" $context.Values.global.modulesImages.registry.base $imageDigest }}
- {{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/helm_lib/templates/_module_ingress_class.tpl b/charts/helm_lib/templates/_module_ingress_class.tpl
deleted file mode 100644
index db7f50b..0000000
--- a/charts/helm_lib/templates/_module_ingress_class.tpl
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_ingress_class" . }} */ -}}
-{{- /* returns ingress class from module settings or if not exists from global config */ -}}
-{{- define "helm_lib_module_ingress_class" -}}
- {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
-
- {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}}
-
- {{- if hasKey $module_values "ingressClass" -}}
- {{- $module_values.ingressClass -}}
- {{- else if hasKey $context.Values.global.modules "ingressClass" -}}
- {{- $context.Values.global.modules.ingressClass -}}
- {{- end -}}
-{{- end -}}
diff --git a/charts/helm_lib/templates/_module_init_container.tpl b/charts/helm_lib/templates/_module_init_container.tpl
deleted file mode 100644
index 9b3fe00..0000000
--- a/charts/helm_lib/templates/_module_init_container.tpl
+++ /dev/null
@@ -1,56 +0,0 @@
-{{- /* ### Migration 11.12.2020: Remove this helper with all its usages after this commit reached RockSolid */ -}}
-{{- /* Usage: {{ include "helm_lib_module_init_container_chown_nobody_volume" (list . "volume-name") }} */ -}}
-{{- /* returns initContainer which chowns recursively all files and directories in passed volume */ -}}
-{{- define "helm_lib_module_init_container_chown_nobody_volume" }}
- {{- $context := index . 0 -}}
- {{- $volume_name := index . 1 -}}
-- name: chown-volume-{{ $volume_name }}
- image: {{ include "helm_lib_module_common_image" (list $context "alpine") }}
- command: ["sh", "-c", "chown -R 65534:65534 /tmp/{{ $volume_name }}"]
- securityContext:
- runAsNonRoot: false
- runAsUser: 0
- runAsGroup: 0
- volumeMounts:
- - name: {{ $volume_name }}
- mountPath: /tmp/{{ $volume_name }}
- resources:
- requests:
- {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 6 }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_init_container_chown_deckhouse_volume" (list . "volume-name") }} */ -}}
-{{- /* returns initContainer which chowns recursively all files and directories in passed volume */ -}}
-{{- define "helm_lib_module_init_container_chown_deckhouse_volume" }}
- {{- $context := index . 0 -}}
- {{- $volume_name := index . 1 -}}
-- name: chown-volume-{{ $volume_name }}
- image: {{ include "helm_lib_module_common_image" (list $context "alpine") }}
- command: ["sh", "-c", "chown -R 64535:64535 /tmp/{{ $volume_name }}"]
- securityContext:
- runAsNonRoot: false
- runAsUser: 0
- runAsGroup: 0
- volumeMounts:
- - name: {{ $volume_name }}
- mountPath: /tmp/{{ $volume_name }}
- resources:
- requests:
- {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 6 }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }} */ -}}
-{{- /* returns initContainer which checks the kernel version on the node for compliance to semver constraint */ -}}
-{{- define "helm_lib_module_init_container_check_linux_kernel" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $semver_constraint := index . 1 -}} {{- /* Semver constraint */ -}}
-- name: check-linux-kernel
- image: {{ include "helm_lib_module_common_image" (list $context "checkKernelVersion") }}
- {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 2 }}
- env:
- - name: KERNEL_CONSTRAINT
- value: {{ $semver_constraint | quote }}
- resources:
- requests:
- {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 6 }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_labels.tpl b/charts/helm_lib/templates/_module_labels.tpl
deleted file mode 100644
index 228dcf3..0000000
--- a/charts/helm_lib/templates/_module_labels.tpl
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_labels" (list . (dict "app" "test" "component" "testing")) }} */ -}}
-{{- /* returns deckhouse labels */ -}}
-{{- define "helm_lib_module_labels" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- /* Additional labels dict */ -}}
-labels:
- heritage: deckhouse
- module: {{ $context.Chart.Name }}
- {{- if eq (len .) 2 }}
- {{- $deckhouse_additional_labels := index . 1 }}
- {{- range $key, $value := $deckhouse_additional_labels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_name.tpl b/charts/helm_lib/templates/_module_name.tpl
deleted file mode 100644
index 0fecf05..0000000
--- a/charts/helm_lib/templates/_module_name.tpl
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- define "helm_lib_module_camelcase_name" -}}
-
-{{- $moduleName := "" -}}
-{{- if (kindIs "string" .) -}}
-{{- $moduleName = . | trimAll "\"" -}}
-{{- else -}}
-{{- $moduleName = .Chart.Name -}}
-{{- end -}}
-
-{{ $moduleName | replace "-" "_" | camelcase | untitle }}
-{{- end -}}
diff --git a/charts/helm_lib/templates/_module_public_domain.tpl b/charts/helm_lib/templates/_module_public_domain.tpl
deleted file mode 100644
index bfbaae7..0000000
--- a/charts/helm_lib/templates/_module_public_domain.tpl
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_public_domain" (list . "") }} */ -}}
-{{- /* returns rendered publicDomainTemplate to service fqdn */ -}}
-{{- define "helm_lib_module_public_domain" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $name_portion := index . 1 -}} {{- /* Name portion */ -}}
-
- {{- if not (contains "%s" $context.Values.global.modules.publicDomainTemplate) }}
- {{ fail "Error!!! global.modules.publicDomainTemplate must contain \"%s\" pattern to render service fqdn!" }}
- {{- end }}
- {{- printf $context.Values.global.modules.publicDomainTemplate $name_portion }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_security_context.tpl b/charts/helm_lib/templates/_module_security_context.tpl
deleted file mode 100644
index c726277..0000000
--- a/charts/helm_lib/templates/_module_security_context.tpl
+++ /dev/null
@@ -1,199 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_custom" (list . 1000 1000) }} */ -}}
-{{- /* returns PodSecurityContext parameters for Pod with custom user and group */ -}}
-{{- define "helm_lib_module_pod_security_context_run_as_user_custom" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-{{- /* User id */ -}}
-{{- /* Group id */ -}}
-securityContext:
- runAsNonRoot: true
- runAsUser: {{ index . 1 }}
- runAsGroup: {{ index . 2 }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_nobody" . }} */ -}}
-{{- /* returns PodSecurityContext parameters for Pod with user and group "nobody" */ -}}
-{{- define "helm_lib_module_pod_security_context_run_as_user_nobody" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- runAsNonRoot: true
- runAsUser: 65534
- runAsGroup: 65534
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . }} */ -}}
-{{- /* returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes */ -}}
-{{- define "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- runAsNonRoot: true
- runAsUser: 65534
- runAsGroup: 65534
- fsGroup: 65534
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . }} */ -}}
-{{- /* returns PodSecurityContext parameters for Pod with user and group "deckhouse" */ -}}
-{{- define "helm_lib_module_pod_security_context_run_as_user_deckhouse" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- runAsNonRoot: true
- runAsUser: 64535
- runAsGroup: 64535
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" . }} */ -}}
-{{- /* returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes */ -}}
-{{- define "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- runAsNonRoot: true
- runAsUser: 64535
- runAsGroup: 64535
- fsGroup: 64535
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" . }} */ -}}
-{{- /* returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards */ -}}
-{{- define "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- runAsGroup: 64535
- runAsNonRoot: true
- runAsUser: 64535
- seccompProfile:
- type: RuntimeDefault
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_root" . }} */ -}}
-{{- /* returns PodSecurityContext parameters for Pod with user and group 0 */ -}}
-{{- define "helm_lib_module_pod_security_context_run_as_user_root" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- runAsNonRoot: false
- runAsUser: 0
- runAsGroup: 0
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_pod_security_context_runtime_default" . }} */ -}}
-{{- /* returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault */ -}}
-{{- define "helm_lib_module_pod_security_context_runtime_default" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- seccompProfile:
- type: RuntimeDefault
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . }} */ -}}
-{{- /* returns SecurityContext parameters for Container with allowPrivilegeEscalation false */ -}}
-{{- define "helm_lib_module_container_security_context_not_allow_privilege_escalation" -}}
-securityContext:
- allowPrivilegeEscalation: false
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" . }} */ -}}
-{{- /* returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility*/ -}}
-{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- seLinuxOptions:
- level: 's0'
- type: 'spc_t'
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem" . }} */ -}}
-{{- /* returns SecurityContext parameters for Container with read only root filesystem */ -}}
-{{- define "helm_lib_module_container_security_context_read_only_root_filesystem" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_privileged" . }} */ -}}
-{{- /* returns SecurityContext parameters for Container running privileged */ -}}
-{{- define "helm_lib_module_container_security_context_privileged" -}}
-securityContext:
- privileged: true
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }} */ -}}
-{{- /* returns SecurityContext parameters for Container running privileged with escalation and sys_admin */ -}}
-{{- define "helm_lib_module_container_security_context_escalated_sys_admin_privileged" -}}
-securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - SYS_ADMIN
- privileged: true
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }} */ -}}
-{{- /* returns SecurityContext parameters for Container running privileged with read only root filesystem */ -}}
-{{- define "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- privileged: true
- readOnlyRootFilesystem: true
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . }} */ -}}
-{{- /* returns SecurityContext for Container with read only root filesystem and all capabilities dropped */ -}}
-{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-securityContext:
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} */ -}}
-{{- /* returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities */ -}}
-{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-{{- /* List of capabilities */ -}}
-securityContext:
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- add: {{ index . 1 | toJson }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} */ -}}
-{{- /* returns SecurityContext parameters for Container with all dropped and some added capabilities */ -}}
-{{- define "helm_lib_module_container_security_context_capabilities_drop_all_and_add" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-{{- /* List of capabilities */ -}}
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- add: {{ index . 1 | toJson }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 1000 1000) }} */ -}}
-{{- /* returns SecurityContext parameters for Container with read only root filesystem, all dropped, and custom user ID */ -}}
-{{- define "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" -}}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-{{- /* User id */ -}}
-{{- /* Group id */ -}}
-securityContext:
- runAsUser: {{ index . 1 }}
- runAsGroup: {{ index . 2 }}
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
-{{- end }}
diff --git a/charts/helm_lib/templates/_module_storage_class.tpl b/charts/helm_lib/templates/_module_storage_class.tpl
deleted file mode 100644
index cf761a5..0000000
--- a/charts/helm_lib/templates/_module_storage_class.tpl
+++ /dev/null
@@ -1,38 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_module_storage_class_annotations" (list $ $index $storageClass.name) }} */ -}}
-{{- /* return module StorageClass annotations */ -}}
-{{- define "helm_lib_module_storage_class_annotations" -}}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $sc_index := index . 1 -}} {{- /* Storage class index */ -}}
- {{- $sc_name := index . 2 -}} {{- /* Storage class name */ -}}
- {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}}
- {{- $annotations := dict -}}
-
- {{- $volume_expansion_mode_offline := false -}}
- {{- range $module_name := list "cloud-provider-azure" "cloud-provider-yandex" "cloud-provider-vsphere" "cloud-provider-vcd"}}
- {{- if has $module_name $context.Values.global.enabledModules }}
- {{- $volume_expansion_mode_offline = true }}
- {{- end }}
- {{- end }}
-
- {{- if $volume_expansion_mode_offline }}
- {{- $_ := set $annotations "storageclass.deckhouse.io/volume-expansion-mode" "offline" }}
- {{- end }}
-
- {{- if hasKey $module_values.internal "defaultStorageClass" }}
- {{- if eq $module_values.internal.defaultStorageClass $sc_name }}
- {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }}
- {{- end }}
- {{- else }}
- {{- if eq $sc_index 0 }}
- {{- if $context.Values.global.discovery.defaultStorageClass }}
- {{- if eq $context.Values.global.discovery.defaultStorageClass $sc_name }}
- {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }}
- {{- end }}
- {{- else }}
- {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }}
- {{- end }}
- {{- end }}
- {{- end }}
-
-{{- (dict "annotations" $annotations) | toYaml -}}
-{{- end -}}
diff --git a/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl b/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl
deleted file mode 100644
index ebbcefb..0000000
--- a/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl
+++ /dev/null
@@ -1,68 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . [current dir]) }} */ -}}
-{{- /* returns all the dashboard-definintions from / */ -}}
-{{- /* current dir is optional — used for recursion but you can use it for partially generating dashboards */ -}}
-{{- define "helm_lib_grafana_dashboard_definitions_recursion" -}}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $rootDir := index . 1 }} {{- /* Dashboards root dir */ -}}
- {{- /* Dashboards current dir */ -}}
-
- {{- $currentDir := "" }}
- {{- if gt (len .) 2 }} {{- $currentDir = index . 2 }} {{- else }} {{- $currentDir = $rootDir }} {{- end }}
-
- {{- $currentDirIndex := (sub ($currentDir | splitList "/" | len) 1) }}
- {{- $rootDirIndex := (sub ($rootDir | splitList "/" | len) 1) }}
- {{- $folderNamesIndex := (add1 $rootDirIndex) }}
-
- {{- range $path, $_ := $context.Files.Glob (print $currentDir "/*.json") }}
- {{- $fileName := ($path | splitList "/" | last ) }}
- {{- $definition := ($context.Files.Get $path) }}
-
- {{- $folder := (index ($currentDir | splitList "/") $folderNamesIndex | replace "-" " " | title) }}
- {{- $resourceName := (regexReplaceAllLiteral "\\.json$" $path "") }}
- {{- $resourceName = ($resourceName | replace " " "-" | replace "." "-" | replace "_" "-") }}
- {{- $resourceName = (slice ($resourceName | splitList "/") $folderNamesIndex | join "-") }}
- {{- $resourceName = (printf "%s-%s" $context.Chart.Name $resourceName) }}
-
-{{ include "helm_lib_single_dashboard" (list $context $resourceName $folder $definition) }}
- {{- end }}
-
- {{- $subDirs := list }}
- {{- range $path, $_ := ($context.Files.Glob (print $currentDir "/**.json")) }}
- {{- $pathSlice := ($path | splitList "/") }}
- {{- $subDirs = append $subDirs (slice $pathSlice 0 (add $currentDirIndex 2) | join "/") }}
- {{- end }}
-
- {{- range $subDir := ($subDirs | uniq) }}
-{{ include "helm_lib_grafana_dashboard_definitions_recursion" (list $context $rootDir $subDir) }}
- {{- end }}
-{{- end }}
-
-
-{{- /* Usage: {{ include "helm_lib_grafana_dashboard_definitions" . }} */ -}}
-{{- /* returns dashboard-definintions from monitoring/grafana-dashboards/ */ -}}
-{{- define "helm_lib_grafana_dashboard_definitions" -}}
- {{- $context := . }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- if ( $context.Values.global.enabledModules | has "prometheus-crd" ) }}
-{{- include "helm_lib_grafana_dashboard_definitions_recursion" (list $context "monitoring/grafana-dashboards") }}
- {{- end }}
-{{- end }}
-
-
-{{- /* Usage: {{ include "helm_lib_single_dashboard" (list . "dashboard-name" "folder" $dashboard) }} */ -}}
-{{- /* renders a single dashboard */ -}}
-{{- define "helm_lib_single_dashboard" -}}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $resourceName := index . 1 }} {{- /* Dashboard name */ -}}
- {{- $folder := index . 2 }} {{- /* Folder */ -}}
- {{- $definition := index . 3 }} {{/* Dashboard definition */}}
----
-apiVersion: deckhouse.io/v1
-kind: GrafanaDashboardDefinition
-metadata:
- name: d8-{{ $resourceName }}
- {{- include "helm_lib_module_labels" (list $context (dict "prometheus.deckhouse.io/grafana-dashboard" "")) | nindent 2 }}
-spec:
- folder: "{{ $folder }}"
- definition: |
- {{- $definition | nindent 4 }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl
deleted file mode 100644
index 794fe30..0000000
--- a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl
+++ /dev/null
@@ -1,96 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_prometheus_rules_recursion" (list . [current dir]) }} */ -}}
-{{- /* returns all the prometheus rules from / */ -}}
-{{- /* current dir is optional — used for recursion but you can use it for partially generating rules */ -}}
-{{- define "helm_lib_prometheus_rules_recursion" -}}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $namespace := index . 1 }} {{- /* Namespace for creating rules */ -}}
- {{- $rootDir := index . 2 }} {{- /* Rules root dir */ -}}
- {{- $currentDir := "" }} {{- /* Current dir (optional) */ -}}
- {{- if gt (len .) 3 }} {{- $currentDir = index . 3 }} {{- else }} {{- $currentDir = $rootDir }} {{- end }}
- {{- $currentDirIndex := (sub ($currentDir | splitList "/" | len) 1) }}
- {{- $rootDirIndex := (sub ($rootDir | splitList "/" | len) 1) }}
- {{- $folderNamesIndex := (add1 $rootDirIndex) }}
-
- {{- range $path, $_ := $context.Files.Glob (print $currentDir "/*.{yaml,tpl}") }}
- {{- $fileName := ($path | splitList "/" | last ) }}
- {{- $definition := "" }}
- {{- if eq ($path | splitList "." | last) "tpl" -}}
- {{- $definition = tpl ($context.Files.Get $path) $context }}
- {{- else }}
- {{- $definition = $context.Files.Get $path }}
- {{- end }}
-
- {{- $definition = $definition | replace "__SCRAPE_INTERVAL__" (printf "%ds" ($context.Values.global.discovery.prometheusScrapeInterval | default 30)) | replace "__SCRAPE_INTERVAL_X_2__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 2)) | replace "__SCRAPE_INTERVAL_X_3__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 3)) | replace "__SCRAPE_INTERVAL_X_4__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 4)) }}
-
-{{/* Patch expression based on `d8_ignore_on_update` annotation*/}}
-
-
- {{ $definition = printf "Rules:\n%s" ($definition | nindent 2) }}
- {{- $definitionStruct := ( $definition | fromYaml )}}
- {{- if $definitionStruct.Error }}
- {{- fail ($definitionStruct.Error | toString) }}
- {{- end }}
- {{- range $rule := $definitionStruct.Rules }}
-
- {{- range $dedicatedRule := $rule.rules }}
- {{- if $dedicatedRule.annotations }}
- {{- if (eq (get $dedicatedRule.annotations "d8_ignore_on_update") "true") }}
- {{- $_ := set $dedicatedRule "expr" (printf "(%s) and ON() ((max(d8_is_updating) != 1) or ON() absent(d8_is_updating))" $dedicatedRule.expr) }}
- {{- end }}
- {{- end }}
- {{- end }}
-
- {{- end }}
-
- {{ $definition = $definitionStruct.Rules | toYaml }}
-
- {{- $resourceName := (regexReplaceAllLiteral "\\.(yaml|tpl)$" $path "") }}
- {{- $resourceName = ($resourceName | replace " " "-" | replace "." "-" | replace "_" "-") }}
- {{- $resourceName = (slice ($resourceName | splitList "/") $folderNamesIndex | join "-") }}
- {{- $resourceName = (printf "%s-%s" $context.Chart.Name $resourceName) }}
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: {{ $resourceName }}
- namespace: {{ $namespace }}
- {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }}
-spec:
- groups:
- {{- $definition | nindent 4 }}
- {{- end }}
-
- {{- $subDirs := list }}
- {{- range $path, $_ := ($context.Files.Glob (print $currentDir "/**.{yaml,tpl}")) }}
- {{- $pathSlice := ($path | splitList "/") }}
- {{- $subDirs = append $subDirs (slice $pathSlice 0 (add $currentDirIndex 2) | join "/") }}
- {{- end }}
-
- {{- range $subDir := ($subDirs | uniq) }}
-{{ include "helm_lib_prometheus_rules_recursion" (list $context $namespace $rootDir $subDir) }}
- {{- end }}
-{{- end }}
-
-
-{{- /* Usage: {{ include "helm_lib_prometheus_rules" (list . ) }} */ -}}
-{{- /* returns all the prometheus rules from monitoring/prometheus-rules/ */ -}}
-{{- define "helm_lib_prometheus_rules" -}}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $namespace := index . 1 }} {{- /* Namespace for creating rules */ -}}
- {{- if ( $context.Values.global.enabledModules | has "operator-prometheus-crd" ) }}
-{{- include "helm_lib_prometheus_rules_recursion" (list $context $namespace "monitoring/prometheus-rules") }}
- {{- end }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list . ) }} */ -}}
-{{- /* returns adjust timeout value to scrape interval / */ -}}
-{{- define "helm_lib_prometheus_target_scrape_timeout_seconds" -}}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $timeout := index . 1 }} {{- /* Target timeout in seconds */ -}}
- {{- $scrape_interval := (int $context.Values.global.discovery.prometheusScrapeInterval | default 30) }}
- {{- if gt $timeout $scrape_interval -}}
-{{ $scrape_interval }}s
- {{- else -}}
-{{ $timeout }}s
- {{- end }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_node_affinity.tpl b/charts/helm_lib/templates/_node_affinity.tpl
deleted file mode 100644
index cbdd0f9..0000000
--- a/charts/helm_lib/templates/_node_affinity.tpl
+++ /dev/null
@@ -1,256 +0,0 @@
-{{- /* Verify node selector strategy. */ -}}
-{{- define "helm_lib_internal_check_node_selector_strategy" -}}
- {{ if not (has . (list "frontend" "monitoring" "system" "master" )) }}
- {{- fail (printf "unknown strategy \"%v\"" .) }}
- {{- end }}
- {{- . -}}
-{{- end }}
-
-{{- /* Returns node selector for workloads depend on strategy. */ -}}
-{{- define "helm_lib_node_selector" }}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $strategy := index . 1 | include "helm_lib_internal_check_node_selector_strategy" }} {{- /* strategy, one of "frontend" "monitoring" "system" "master" "any-node" "wildcard" */ -}}
- {{- $module_values := dict }}
- {{- if lt (len .) 3 }}
- {{- $module_values = (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
- {{- else }}
- {{- $module_values = index . 2 }}
- {{- end }}
- {{- $camel_chart_name := (include "helm_lib_module_camelcase_name" $context) }}
-
- {{- if eq $strategy "monitoring" }}
- {{- if $module_values.nodeSelector }}
-nodeSelector: {{ $module_values.nodeSelector | toJson }}
- {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $camel_chart_name | int) 0 }}
-nodeSelector:
- node-role.deckhouse.io/{{$context.Chart.Name}}: ""
- {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $strategy | int) 0 }}
-nodeSelector:
- node-role.deckhouse.io/{{$strategy}}: ""
- {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "system" | int) 0 }}
-nodeSelector:
- node-role.deckhouse.io/system: ""
- {{- end }}
-
- {{- else if or (eq $strategy "frontend") (eq $strategy "system") }}
- {{- if $module_values.nodeSelector }}
-nodeSelector: {{ $module_values.nodeSelector | toJson }}
- {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $camel_chart_name | int) 0 }}
-nodeSelector:
- node-role.deckhouse.io/{{$context.Chart.Name}}: ""
- {{- else if gt 
(index $context.Values.global.discovery.d8SpecificNodeCountByRole $strategy | int) 0 }}
-nodeSelector:
- node-role.deckhouse.io/{{$strategy}}: ""
- {{- end }}
-
- {{- else if eq $strategy "master" }}
- {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 0 }}
-nodeSelector:
- node-role.kubernetes.io/control-plane: ""
- {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }}
-nodeSelector:
- node-role.deckhouse.io/control-plane: ""
- {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "system" | int) 0 }}
-nodeSelector:
- node-role.deckhouse.io/system: ""
- {{- end }}
- {{- end }}
-{{- end }}
-
-
-{{- /* Returns tolerations for workloads depend on strategy. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized" "without-storage-problems") }} */ -}}
-{{- define "helm_lib_tolerations" }}
- {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $strategy := index . 1 | include "helm_lib_internal_check_tolerations_strategy" }} {{- /* base strategy, one of "frontend" "monitoring" "system" any-node" "wildcard" */ -}}
- {{- $additionalStrategies := tuple }} {{- /* list of additional strategies. To add strategy list it with prefix "with-", to remove strategy list it with prefix "without-". */ -}}
- {{- if eq $strategy "custom" }}
- {{ if lt (len .) 3 }}
- {{- fail (print "additional strategies is required") }}
- {{- end }}
- {{- else }}
- {{- $additionalStrategies = tuple "storage-problems" }}
- {{- end }}
- {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
- {{- if gt (len .) 2 }}
- {{- range $as := slice . 2 (len .) 
}}
- {{- if hasPrefix "with-" $as }}
- {{- $additionalStrategies = mustAppend $additionalStrategies (trimPrefix "with-" $as) }}
- {{- end }}
- {{- if hasPrefix "without-" $as }}
- {{- $additionalStrategies = mustWithout $additionalStrategies (trimPrefix "without-" $as) }}
- {{- end }}
- {{- end }}
- {{- end }}
-tolerations:
- {{- /* Wildcard: gives permissions to schedule on any node with any taints (use with caution) */ -}}
- {{- if eq $strategy "wildcard" }}
- {{- include "_helm_lib_wildcard_tolerations" $context }}
-
- {{- else }}
- {{- /* Any node: any node in the cluster with any known taints */ -}}
- {{- if eq $strategy "any-node" }}
- {{- include "_helm_lib_any_node_tolerations" $context }}
-
- {{- /* Tolerations from module config: overrides below strategies, if there is any toleration specified */ -}}
- {{- else if $module_values.tolerations }}
- {{- $module_values.tolerations | toYaml | nindent 0 }}
-
- {{- /* Monitoring: Nodes for monitoring components: prometheus, grafana, kube-state-metrics, etc. */ -}}
- {{- else if eq $strategy "monitoring" }}
- {{- include "_helm_lib_monitoring_tolerations" $context }}
-
- {{- /* Frontend: Nodes for ingress-controllers */ -}}
- {{- else if eq $strategy "frontend" }}
- {{- include "_helm_lib_frontend_tolerations" $context }}
-
- {{- /* System: Nodes for system components: prometheus, dns, cert-manager */ -}}
- {{- else if eq $strategy "system" }}
- {{- include "_helm_lib_system_tolerations" $context }}
- {{- end }}
-
- {{- /* Additional strategies */ -}}
- {{- range $additionalStrategies -}}
- {{- include (printf "_helm_lib_additional_tolerations_%s" (. | replace "-" "_")) $context }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-
-{{- /* Check cluster type. 
*/ -}}
-{{- /* Returns not empty string if this is cloud or hybrid cluster */ -}}
-{{- define "_helm_lib_cloud_or_hybrid_cluster" }}
- {{- if .Values.global.clusterConfiguration }}
- {{- if eq .Values.global.clusterConfiguration.clusterType "Cloud" }}
- "not empty string"
- {{- /* We consider non-cloud clusters with enabled cloud-provider-.* module as Hybrid clusters */ -}}
- {{- else }}
- {{- range $v := .Values.global.enabledModules }}
- {{- if hasPrefix "cloud-provider-" $v }}
- "not empty string"
- {{- end }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- /* Verify base strategy. */ -}}
-{{- /* Fails if strategy not in allowed list */ -}}
-{{- define "helm_lib_internal_check_tolerations_strategy" -}}
- {{ if not (has . (list "custom" "frontend" "monitoring" "system" "any-node" "wildcard" )) }}
- {{- fail (printf "unknown strategy \"%v\"" .) }}
- {{- end }}
- {{- . -}}
-{{- end }}
-
-
-{{- /* Base strategy for any uncordoned node in cluster. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node") }} */ -}}
-{{- define "_helm_lib_any_node_tolerations" }}
-- key: node-role.kubernetes.io/master
-- key: node-role.kubernetes.io/control-plane
-- key: dedicated.deckhouse.io
- operator: "Exists"
-- key: dedicated
- operator: "Exists"
-- key: DeletionCandidateOfClusterAutoscaler
-- key: ToBeDeletedByClusterAutoscaler
- {{- if .Values.global.modules.placement.customTolerationKeys }}
- {{- range $key := .Values.global.modules.placement.customTolerationKeys }}
-- key: {{ $key | quote }}
- operator: "Exists"
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- /* Base strategy that tolerates all. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "wildcard") }} */ -}}
-{{- define "_helm_lib_wildcard_tolerations" }}
-- operator: "Exists"
-{{- end }}
-
-{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: monitoring" and "dedicated.deckhouse.io: system" taints. 
*/ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "monitoring") }} */ -}}
-{{- define "_helm_lib_monitoring_tolerations" }}
-- key: dedicated.deckhouse.io
- operator: Equal
- value: {{ .Chart.Name | quote }}
-- key: dedicated.deckhouse.io
- operator: Equal
- value: "monitoring"
-- key: dedicated.deckhouse.io
- operator: Equal
- value: "system"
-{{- end }}
-
-{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: frontend" taints. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "frontend") }} */ -}}
-{{- define "_helm_lib_frontend_tolerations" }}
-- key: dedicated.deckhouse.io
- operator: Equal
- value: {{ .Chart.Name | quote }}
-- key: dedicated.deckhouse.io
- operator: Equal
- value: "frontend"
-{{- end }}
-
-{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: system" taints. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "system") }} */ -}}
-{{- define "_helm_lib_system_tolerations" }}
-- key: dedicated.deckhouse.io
- operator: Equal
- value: {{ .Chart.Name | quote }}
-- key: dedicated.deckhouse.io
- operator: Equal
- value: "system"
-{{- end }}
-
-
-{{- /* Additional strategy "uninitialized" - used for CNI's and kube-proxy to allow cni components scheduled on node after CCM initialization. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") }} */ -}}
-{{- define "_helm_lib_additional_tolerations_uninitialized" }}
-- key: node.deckhouse.io/uninitialized
- operator: "Exists"
- effect: "NoSchedule"
- {{- if include "_helm_lib_cloud_or_hybrid_cluster" . }}
- {{- include "_helm_lib_additional_tolerations_no_csi" . }}
- {{- end }}
- {{- include "_helm_lib_additional_tolerations_node_problems" . }}
-{{- end }}
-
-{{- /* Additional strategy "node-problems" - used for shedule critical components on non-ready nodes or nodes under pressure. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . 
"any-node" "with-node-problems") }} */ -}}
-{{- define "_helm_lib_additional_tolerations_node_problems" }}
-- key: node.kubernetes.io/not-ready
-- key: node.kubernetes.io/out-of-disk
-- key: node.kubernetes.io/memory-pressure
-- key: node.kubernetes.io/disk-pressure
-- key: node.kubernetes.io/pid-pressure
-- key: node.kubernetes.io/unreachable
-- key: node.kubernetes.io/network-unavailable
-{{- end }}
-
-{{- /* Additional strategy "storage-problems" - used for shedule critical components on nodes with drbd problems. This additional strategy enabled by default in any base strategy except "wildcard". */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "without-storage-problems") }} */ -}}
-{{- define "_helm_lib_additional_tolerations_storage_problems" }}
-- key: drbd.linbit.com/lost-quorum
-- key: drbd.linbit.com/force-io-error
-- key: drbd.linbit.com/ignore-fail-over
-{{- end }}
-
-{{- /* Additional strategy "no-csi" - used for any node with no CSI: any node, which was initialized by deckhouse, but have no csi-node driver registered on it. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-no-csi") }} */ -}}
-{{- define "_helm_lib_additional_tolerations_no_csi" }}
-- key: node.deckhouse.io/csi-not-bootstrapped
- operator: "Exists"
- effect: "NoSchedule"
-{{- end }}
-
-{{- /* Additional strategy "cloud-provider-uninitialized" - used for any node which is not initialized by CCM. */ -}}
-{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-cloud-provider-uninitialized") }} */ -}}
-{{- define "_helm_lib_additional_tolerations_cloud_provider_uninitialized" }}
- {{- if not .Values.global.clusterIsBootstrapped }}
-- key: node.cloudprovider.kubernetes.io/uninitialized
- operator: Exists
- {{- end }}
-{{- end }}
diff --git a/charts/helm_lib/templates/_pod_disruption_budget.tpl b/charts/helm_lib/templates/_pod_disruption_budget.tpl
deleted file mode 100644
index ccd4f21..0000000
--- a/charts/helm_lib/templates/_pod_disruption_budget.tpl
+++ /dev/null
@@ -1,6 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_pdb_daemonset" . }} */ -}}
-{{- /* Returns PDB max unavailable */ -}}
-{{- define "helm_lib_pdb_daemonset" }}
- {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
-maxUnavailable: 10%
-{{- end -}}
diff --git a/charts/helm_lib/templates/_priority_class.tpl b/charts/helm_lib/templates/_priority_class.tpl
deleted file mode 100644
index 5935445..0000000
--- a/charts/helm_lib/templates/_priority_class.tpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_priority_class" (tuple . "priority-class-name") }} /* -}}
-{{- /* returns priority class if priority-class module enabled, otherwise returns nothing */ -}}
-{{- define "helm_lib_priority_class" }}
- {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
- {{- $priorityClassName := index . 1 }} {{- /* Priority class name */ -}}
- {{- if ( $context.Values.global.enabledModules | has "priority-class") }}
-priorityClassName: {{ $priorityClassName }}
- {{- end }}
-{{- end -}}
diff --git a/charts/helm_lib/templates/_resources_management.tpl b/charts/helm_lib/templates/_resources_management.tpl
deleted file mode 100644
index dff75c1..0000000
--- a/charts/helm_lib/templates/_resources_management.tpl
+++ /dev/null
@@ -1,160 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_resources_management_pod_resources" (list [ephemeral storage requests]) }} */ -}}
-{{- /* returns rendered resources section based on configuration if it is */ -}}
-{{- define "helm_lib_resources_management_pod_resources" -}}
- {{- $configuration := index . 0 -}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}}
- {{- /* Ephemeral storage requests */ -}}
-
- {{- $ephemeral_storage := "50Mi" -}}
- {{- if eq (len .) 2 -}}
- {{- $ephemeral_storage = index . 1 -}}
- {{- end -}}
-
- {{- $pod_resources := (include "helm_lib_resources_management_original_pod_resources" $configuration | fromYaml) -}}
- {{- if not (hasKey $pod_resources "requests") -}}
- {{- $_ := set $pod_resources "requests" (dict) -}}
- {{- end -}}
- {{- $_ := set $pod_resources.requests "ephemeral-storage" $ephemeral_storage -}}
-
- {{- $pod_resources | toYaml -}}
-{{- end -}}
-
-
-{{- /* Usage: {{ include "helm_lib_resources_management_original_pod_resources" }} */ -}}
-{{- /* returns rendered resources section based on configuration if it is present */ -}}
-{{- define "helm_lib_resources_management_original_pod_resources" -}}
- {{- $configuration := . 
-}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}}
-
- {{- if $configuration -}}
- {{- if eq $configuration.mode "Static" -}}
-{{- $configuration.static | toYaml -}}
-
- {{- else if eq $configuration.mode "VPA" -}}
- {{- $resources := dict "requests" (dict) "limits" (dict) -}}
-
- {{- if $configuration.vpa.cpu -}}
- {{- if $configuration.vpa.cpu.min -}}
- {{- $_ := set $resources.requests "cpu" ($configuration.vpa.cpu.min | toString) -}}
- {{- end -}}
- {{- if $configuration.vpa.cpu.limitRatio -}}
- {{- $cpuLimitMillicores := round (mulf (include "helm_lib_resources_management_cpu_units_to_millicores" $configuration.vpa.cpu.min) $configuration.vpa.cpu.limitRatio) 0 | int64 -}}
- {{- $_ := set $resources.limits "cpu" (printf "%dm" $cpuLimitMillicores) -}}
- {{- end -}}
- {{- end -}}
-
- {{- if $configuration.vpa.memory -}}
- {{- if $configuration.vpa.memory.min -}}
- {{- $_ := set $resources.requests "memory" ($configuration.vpa.memory.min | toString) -}}
- {{- end -}}
- {{- if $configuration.vpa.memory.limitRatio -}}
- {{- $memoryLimitBytes := round (mulf (include "helm_lib_resources_management_memory_units_to_bytes" $configuration.vpa.memory.min) $configuration.vpa.memory.limitRatio) 0 | int64 -}}
- {{- $_ := set $resources.limits "memory" (printf "%d" $memoryLimitBytes) -}}
- {{- end -}}
- {{- end -}}
-{{- $resources | toYaml -}}
-
- {{- else -}}
- {{- cat "ERROR: unknown resource management mode: " $configuration.mode | fail -}}
- {{- end -}}
- {{- end -}}
-{{- end }}
-
-
-{{- /* Usage: {{ include "helm_lib_resources_management_vpa_spec" (list ) }} */ -}}
-{{- /* returns rendered vpa spec based on configuration and target reference */ -}}
-{{- define "helm_lib_resources_management_vpa_spec" -}}
- {{- $targetAPIVersion := index . 0 -}} {{- /* Target API version */ -}}
- {{- $targetKind := index . 
1 -}} {{- /* Target Kind */ -}}
- {{- $targetName := index . 2 -}} {{- /* Target Name */ -}}
- {{- $targetContainer := index . 3 -}} {{- /* Target container name */ -}}
- {{- $configuration := index . 4 -}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}}
-
-targetRef:
- apiVersion: {{ $targetAPIVersion }}
- kind: {{ $targetKind }}
- name: {{ $targetName }}
- {{- if eq ($configuration.mode) "VPA" }}
-updatePolicy:
- updateMode: {{ $configuration.vpa.mode | quote }}
-resourcePolicy:
- containerPolicies:
- - containerName: {{ $targetContainer }}
- maxAllowed:
- cpu: {{ $configuration.vpa.cpu.max | quote }}
- memory: {{ $configuration.vpa.memory.max | quote }}
- minAllowed:
- cpu: {{ $configuration.vpa.cpu.min | quote }}
- memory: {{ $configuration.vpa.memory.min | quote }}
- controlledValues: RequestsAndLimits
- {{- else }}
-updatePolicy:
- updateMode: "Off"
- {{- end }}
-{{- end }}
-
-
-{{- /* Usage: {{ include "helm_lib_resources_management_cpu_units_to_millicores" }} */ -}}
-{{- /* helper for converting cpu units to millicores */ -}}
-{{- define "helm_lib_resources_management_cpu_units_to_millicores" -}}
- {{- $units := . | toString -}}
- {{- if hasSuffix "m" $units -}}
- {{- trimSuffix "m" $units -}}
- {{- else -}}
- {{- atoi $units | mul 1000 -}}
- {{- end }}
-{{- end }}
-
-
-{{- /* Usage: {{ include "helm_lib_resources_management_memory_units_to_bytes" }} */ -}}
-{{- /* helper for converting memory units to bytes */ -}}
-{{- define "helm_lib_resources_management_memory_units_to_bytes" }}
- {{- $units := . 
| toString -}}
- {{- if hasSuffix "k" $units -}}
- {{- trimSuffix "k" $units | atoi | mul 1000 -}}
- {{- else if hasSuffix "M" $units -}}
- {{- trimSuffix "M" $units | atoi | mul 1000000 -}}
- {{- else if hasSuffix "G" $units -}}
- {{- trimSuffix "G" $units | atoi | mul 1000000000 -}}
- {{- else if hasSuffix "T" $units -}}
- {{- trimSuffix "T" $units | atoi | mul 1000000000000 -}}
- {{- else if hasSuffix "P" $units -}}
- {{- trimSuffix "P" $units | atoi | mul 1000000000000000 -}}
- {{- else if hasSuffix "E" $units -}}
- {{- trimSuffix "E" $units | atoi | mul 1000000000000000000 -}}
- {{- else if hasSuffix "Ki" $units -}}
- {{- trimSuffix "Ki" $units | atoi | mul 1024 -}}
- {{- else if hasSuffix "Mi" $units -}}
- {{- trimSuffix "Mi" $units | atoi | mul 1024 | mul 1024 -}}
- {{- else if hasSuffix "Gi" $units -}}
- {{- trimSuffix "Gi" $units | atoi | mul 1024 | mul 1024 | mul 1024 -}}
- {{- else if hasSuffix "Ti" $units -}}
- {{- trimSuffix "Ti" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}}
- {{- else if hasSuffix "Pi" $units -}}
- {{- trimSuffix "Pi" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}}
- {{- else if hasSuffix "Ei" $units -}}
- {{- trimSuffix "Ei" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}}
- {{- else if regexMatch "^[0-9]+$" $units -}}
- {{- $units -}}
- {{- else -}}
- {{- cat "ERROR: unknown memory format:" $units | fail -}}
- {{- end }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_vpa_kube_rbac_proxy_resources" . }} */ -}}
-{{- /* helper for VPA resources for kube_rbac_proxy */ -}}
-{{- define "helm_lib_vpa_kube_rbac_proxy_resources" }}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-- containerName: kube-rbac-proxy
- minAllowed:
- {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 4 }}
- maxAllowed:
- cpu: 20m
- memory: 25Mi
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_container_kube_rbac_proxy_resources" . 
}} */ -}}
-{{- /* helper for container resources for kube_rbac_proxy */ -}}
-{{- define "helm_lib_container_kube_rbac_proxy_resources" }}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-cpu: 10m
-memory: 25Mi
-{{- end }}
diff --git a/charts/helm_lib/templates/_spec_for_high_availability.tpl b/charts/helm_lib/templates/_spec_for_high_availability.tpl
deleted file mode 100644
index 8bfbf9e..0000000
--- a/charts/helm_lib/templates/_spec_for_high_availability.tpl
+++ /dev/null
@@ -1,138 +0,0 @@
-{{- /* Usage: {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "test")) }} */ -}}
-{{- /* returns pod affinity spec */ -}}
-{{- define "helm_lib_pod_anti_affinity_for_ha" }}
-{{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
-{{- $labels := index . 1 }} {{- /* Match labels for podAntiAffinity label selector */ -}}
- {{- if (include "helm_lib_ha_enabled" $context) }}
-affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- {{- range $key, $value := $labels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- topologyKey: kubernetes.io/hostname
- {{- end }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} */ -}}
-{{- /* returns deployment strategy and replicas for ha components running on master nodes */ -}}
-{{- define "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }}
-{{- /* Template context with .Values, .Chart, etc */ -}}
- {{- if (include "helm_lib_ha_enabled" .) 
}}
- {{- if gt (index .Values.global.discovery "clusterMasterCount" | int) 0 }}
-replicas: {{ index .Values.global.discovery "clusterMasterCount" }}
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- {{- if gt (index .Values.global.discovery "clusterMasterCount" | int) 2 }}
- maxUnavailable: 2
- {{- else }}
- maxUnavailable: 1
- {{- end }}
- {{- else if gt (index .Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }}
-replicas: {{ index .Values.global.discovery.d8SpecificNodeCountByRole "master" }}
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- {{- if gt (index .Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 2 }}
- maxUnavailable: 2
- {{- else }}
- maxUnavailable: 1
- {{- end }}
- {{- else }}
-replicas: 2
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
- {{- end }}
- {{- else }}
-replicas: 1
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
- {{- end }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" (list . (dict "strategy" "strategy_type")) }} */ -}}
-{{- /* returns deployment with custom strategy and replicas for ha components running on master nodes */ -}}
-{{- define "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" }}
-{{- $context := index . 0 }}
-{{- $optionalArgs := dict }}
-{{- $strategy := "RollingUpdate" }}
-{{- if ge (len .) 2 }}
- {{- $optionalArgs = index . 
1 }}
-{{- end }}
-{{- if hasKey $optionalArgs "strategy" }}
- {{- $strategy = $optionalArgs.strategy }}
-{{- end }}
-{{- /* Template context with .Values, .Chart, etc */ -}}
- {{- if (include "helm_lib_ha_enabled" $context) }}
- {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 0 }}
-replicas: {{ index $context.Values.global.discovery "clusterMasterCount" }}
-strategy:
- type: {{ $strategy }}
- {{- if eq $strategy "RollingUpdate" }}
- rollingUpdate:
- maxSurge: 0
- {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 2 }}
- maxUnavailable: 2
- {{- else }}
- maxUnavailable: 1
- {{- end }}
- {{- end }}
- {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }}
-replicas: {{ index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" }}
-strategy:
- type: {{ $strategy }}
- {{- if eq $strategy "RollingUpdate" }}
- rollingUpdate:
- maxSurge: 0
- {{- if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 2 }}
- maxUnavailable: 2
- {{- else }}
- maxUnavailable: 1
- {{- end }}
- {{- end }}
- {{- else }}
-replicas: 2
-strategy:
- type: {{ $strategy }}
- {{- if eq $strategy "RollingUpdate" }}
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
- {{- end }}
- {{- end }}
- {{- else }}
-replicas: 1
-strategy:
- type: {{ $strategy }}
- {{- if eq $strategy "RollingUpdate" }}
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
- {{- end }}
- {{- end }}
-{{- end }}
-
-{{- /* Usage: {{ include "helm_lib_deployment_strategy_and_replicas_for_ha" }} */ -}}
-{{- /* returns deployment strategy and replicas for ha components running not on master nodes */ -}}
-{{- define "helm_lib_deployment_strategy_and_replicas_for_ha" }}
-{{- /* Template context with .Values, .Chart, etc */ -}}
-replicas: {{ include "helm_lib_is_ha_to_value" (list . 2 1) }}
-{{- if (include "helm_lib_ha_enabled" .) 
}}
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-{{- end }}
-{{- end }}