diff --git a/.werf/bundle.yaml b/.werf/bundle.yaml
index dbeaadf..caa6e06 100644
--- a/.werf/bundle.yaml
+++ b/.werf/bundle.yaml
@@ -2,7 +2,7 @@
 ---
 image: bundle
 from: registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc
-fromCacheVersion: "2024-05-14.1"
+fromCacheVersion: "2024-09-22.1"
 import:
 # Rendering .werf/images-digests.yaml is required!
 - image: images-digests
diff --git a/charts/deckhouse_lib_helm-1.22.0.tgz b/charts/deckhouse_lib_helm-1.22.0.tgz
deleted file mode 100644
index 7a6b077..0000000
Binary files a/charts/deckhouse_lib_helm-1.22.0.tgz and /dev/null differ
diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml
new file mode 100644
index 0000000..4e10745
--- /dev/null
+++ b/charts/helm_lib/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+type: library
+name: deckhouse_lib_helm
+version: 1.31.0
+description: "Helm utils template definitions for Deckhouse modules."
diff --git a/charts/helm_lib/LICENSE b/charts/helm_lib/LICENSE
new file mode 100644
index 0000000..13fe0e3
--- /dev/null
+++ b/charts/helm_lib/LICENSE
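Review bot: The new charts/helm_lib/Chart.yaml carries no provenance for the vendored library — it declares `name: deckhouse_lib_helm` and `version: 1.31.0` but no `sources` or `home` field, so once the `deckhouse_lib_helm-1.22.0.tgz` archive is deleted nothing in-tree ties these unpacked templates to a published release that can be diffed or verified later. Adding `sources:` with the upstream repository URL (e.g. `sources:` / `  - <UPSTREAM_REPO_URL>` as a placeholder to fill in) would let a reviewer re-check the copy against the 1.31.0 tag. The LICENSE added alongside it ends with `Copyright The Events Exporter authors`, which does not match the chart's name and suggests the files were copied from a different project; worth confirming which source the vendored copy was taken from.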
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright The Events Exporter authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md
new file mode 100644
index 0000000..b9e7f66
--- /dev/null
+++ b/charts/helm_lib/README.md
@@ -0,0 +1,1167 @@ +# Helm library for Deckhouse modules + +## Table of contents + +| Table of contents | +|---| +| **Api Version And Kind** | +| [helm_lib_kind_exists](#helm_lib_kind_exists) | +| [helm_lib_get_api_version_by_kind](#helm_lib_get_api_version_by_kind) | +| **Enable Ds Eviction** | +| [helm_lib_prevent_ds_eviction_annotation](#helm_lib_prevent_ds_eviction_annotation) | +| **Envs For Proxy** | +| [helm_lib_envs_for_proxy](#helm_lib_envs_for_proxy) | +| **High Availability** | +| [helm_lib_is_ha_to_value](#helm_lib_is_ha_to_value) | +| [helm_lib_ha_enabled](#helm_lib_ha_enabled) | +| **Kube Rbac Proxy** | +| [helm_lib_kube_rbac_proxy_ca_certificate](#helm_lib_kube_rbac_proxy_ca_certificate) | +| **Module Documentation Uri** | +| [helm_lib_module_documentation_uri](#helm_lib_module_documentation_uri) | +| **Module Ephemeral Storage** | +| [helm_lib_module_ephemeral_storage_logs_with_extra](#helm_lib_module_ephemeral_storage_logs_with_extra) | +| [helm_lib_module_ephemeral_storage_only_logs](#helm_lib_module_ephemeral_storage_only_logs) | +| **Module Generate Common Name** | +| [helm_lib_module_generate_common_name](#helm_lib_module_generate_common_name) | +| **Module Https** | +| [helm_lib_module_uri_scheme](#helm_lib_module_uri_scheme) | +| [helm_lib_module_https_mode](#helm_lib_module_https_mode) | +| [helm_lib_module_https_cert_manager_cluster_issuer_name](#helm_lib_module_https_cert_manager_cluster_issuer_name) | +| [helm_lib_module_https_ingress_tls_enabled](#helm_lib_module_https_ingress_tls_enabled) | +| [helm_lib_module_https_copy_custom_certificate](#helm_lib_module_https_copy_custom_certificate) | +| [helm_lib_module_https_secret_name](#helm_lib_module_https_secret_name) | +| **Module Image** | +| [helm_lib_module_image](#helm_lib_module_image) | +| [helm_lib_module_image_no_fail](#helm_lib_module_image_no_fail) | +| [helm_lib_module_common_image](#helm_lib_module_common_image) | +| 
[helm_lib_module_common_image_no_fail](#helm_lib_module_common_image_no_fail) | +| **Module Ingress Class** | +| [helm_lib_module_ingress_class](#helm_lib_module_ingress_class) | +| **Module Init Container** | +| [helm_lib_module_init_container_chown_nobody_volume](#helm_lib_module_init_container_chown_nobody_volume) | +| [helm_lib_module_init_container_chown_deckhouse_volume](#helm_lib_module_init_container_chown_deckhouse_volume) | +| [helm_lib_module_init_container_check_linux_kernel](#helm_lib_module_init_container_check_linux_kernel) | +| **Module Labels** | +| [helm_lib_module_labels](#helm_lib_module_labels) | +| **Module Public Domain** | +| [helm_lib_module_public_domain](#helm_lib_module_public_domain) | +| **Module Security Context** | +| [helm_lib_module_pod_security_context_run_as_user_custom](#helm_lib_module_pod_security_context_run_as_user_custom) | +| [helm_lib_module_pod_security_context_run_as_user_nobody](#helm_lib_module_pod_security_context_run_as_user_nobody) | +| [helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs](#helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs) | +| [helm_lib_module_pod_security_context_run_as_user_deckhouse](#helm_lib_module_pod_security_context_run_as_user_deckhouse) | +| [helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs](#helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs) | +| [helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted](#helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted) | +| [helm_lib_module_pod_security_context_run_as_user_root](#helm_lib_module_pod_security_context_run_as_user_root) | +| [helm_lib_module_pod_security_context_runtime_default](#helm_lib_module_pod_security_context_runtime_default) | +| [helm_lib_module_container_security_context_not_allow_privilege_escalation](#helm_lib_module_container_security_context_not_allow_privilege_escalation) | 
+| [helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux](#helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux) | +| [helm_lib_module_container_security_context_read_only_root_filesystem](#helm_lib_module_container_security_context_read_only_root_filesystem) | +| [helm_lib_module_container_security_context_privileged](#helm_lib_module_container_security_context_privileged) | +| [helm_lib_module_container_security_context_escalated_sys_admin_privileged](#helm_lib_module_container_security_context_escalated_sys_admin_privileged) | +| [helm_lib_module_container_security_context_privileged_read_only_root_filesystem](#helm_lib_module_container_security_context_privileged_read_only_root_filesystem) | +| [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all) | +| [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add) | +| [helm_lib_module_container_security_context_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_capabilities_drop_all_and_add) | +| [helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom](#helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom) | +| **Module Storage Class** | +| [helm_lib_module_storage_class_annotations](#helm_lib_module_storage_class_annotations) | +| **Monitoring Grafana Dashboards** | +| [helm_lib_grafana_dashboard_definitions_recursion](#helm_lib_grafana_dashboard_definitions_recursion) | +| [helm_lib_grafana_dashboard_definitions](#helm_lib_grafana_dashboard_definitions) | +| [helm_lib_single_dashboard](#helm_lib_single_dashboard) | +| **Monitoring Prometheus Rules** | +| 
[helm_lib_prometheus_rules_recursion](#helm_lib_prometheus_rules_recursion) | +| [helm_lib_prometheus_rules](#helm_lib_prometheus_rules) | +| [helm_lib_prometheus_target_scrape_timeout_seconds](#helm_lib_prometheus_target_scrape_timeout_seconds) | +| **Node Affinity** | +| [helm_lib_internal_check_node_selector_strategy](#helm_lib_internal_check_node_selector_strategy) | +| [helm_lib_node_selector](#helm_lib_node_selector) | +| [helm_lib_tolerations](#helm_lib_tolerations) | +| [_helm_lib_cloud_or_hybrid_cluster](#_helm_lib_cloud_or_hybrid_cluster) | +| [helm_lib_internal_check_tolerations_strategy](#helm_lib_internal_check_tolerations_strategy) | +| [_helm_lib_any_node_tolerations](#_helm_lib_any_node_tolerations) | +| [_helm_lib_wildcard_tolerations](#_helm_lib_wildcard_tolerations) | +| [_helm_lib_monitoring_tolerations](#_helm_lib_monitoring_tolerations) | +| [_helm_lib_frontend_tolerations](#_helm_lib_frontend_tolerations) | +| [_helm_lib_system_tolerations](#_helm_lib_system_tolerations) | +| [_helm_lib_additional_tolerations_uninitialized](#_helm_lib_additional_tolerations_uninitialized) | +| [_helm_lib_additional_tolerations_node_problems](#_helm_lib_additional_tolerations_node_problems) | +| [_helm_lib_additional_tolerations_storage_problems](#_helm_lib_additional_tolerations_storage_problems) | +| [_helm_lib_additional_tolerations_no_csi](#_helm_lib_additional_tolerations_no_csi) | +| [_helm_lib_additional_tolerations_cloud_provider_uninitialized](#_helm_lib_additional_tolerations_cloud_provider_uninitialized) | +| **Pod Disruption Budget** | +| [helm_lib_pdb_daemonset](#helm_lib_pdb_daemonset) | +| **Priority Class** | +| [helm_lib_priority_class](#helm_lib_priority_class) | +| **Resources Management** | +| [helm_lib_resources_management_pod_resources](#helm_lib_resources_management_pod_resources) | +| [helm_lib_resources_management_original_pod_resources](#helm_lib_resources_management_original_pod_resources) | +| 
[helm_lib_resources_management_vpa_spec](#helm_lib_resources_management_vpa_spec) | +| [helm_lib_resources_management_cpu_units_to_millicores](#helm_lib_resources_management_cpu_units_to_millicores) | +| [helm_lib_resources_management_memory_units_to_bytes](#helm_lib_resources_management_memory_units_to_bytes) | +| [helm_lib_vpa_kube_rbac_proxy_resources](#helm_lib_vpa_kube_rbac_proxy_resources) | +| [helm_lib_container_kube_rbac_proxy_resources](#helm_lib_container_kube_rbac_proxy_resources) | +| **Spec For High Availability** | +| [helm_lib_pod_anti_affinity_for_ha](#helm_lib_pod_anti_affinity_for_ha) | +| [helm_lib_deployment_on_master_strategy_and_replicas_for_ha](#helm_lib_deployment_on_master_strategy_and_replicas_for_ha) | +| [helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha](#helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha) | +| [helm_lib_deployment_strategy_and_replicas_for_ha](#helm_lib_deployment_strategy_and_replicas_for_ha) | + +## Api Version And Kind + +### helm_lib_kind_exists + + returns true if the specified resource kind (case-insensitive) is represented in the cluster + +#### Usage + +`{{ include "helm_lib_kind_exists" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Kind name portion + + +### helm_lib_get_api_version_by_kind + + returns current apiVersion string, based on available helm capabilities, for the provided kind (not all kinds are supported) + +#### Usage + +`{{ include "helm_lib_get_api_version_by_kind" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Kind name portion + +## Enable Ds Eviction + +### helm_lib_prevent_ds_eviction_annotation + + Adds `cluster-autoscaler.kubernetes.io/enable-ds-eviction` annotation to manage DaemonSet eviction by the Cluster Autoscaler. + This is important to prevent the eviction of DaemonSet pods during cluster scaling. 
+ +#### Usage + +`{{ include "helm_lib_prevent_ds_eviction_annotation" . }} ` + + +## Envs For Proxy + +### helm_lib_envs_for_proxy + + Add HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables for container + depends on [proxy settings](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-proxy) + +#### Usage + +`{{ include "helm_lib_envs_for_proxy" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## High Availability + +### helm_lib_is_ha_to_value + + returns value "yes" if cluster is highly available, else — returns "no" + +#### Usage + +`{{ include "helm_lib_is_ha_to_value" (list . yes no) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Yes value +- No value + + +### helm_lib_ha_enabled + + returns empty value, which is treated by go template as false + +#### Usage + +`{{- if (include "helm_lib_ha_enabled" .) }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Kube Rbac Proxy + +### helm_lib_kube_rbac_proxy_ca_certificate + + Renders configmap with kube-rbac-proxy CA certificate which uses to verify the kube-rbac-proxy clients. + +#### Usage + +`{{ include "helm_lib_kube_rbac_proxy_ca_certificate" (list . "namespace") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace where CA configmap will be created + +## Module Documentation Uri + +### helm_lib_module_documentation_uri + + returns rendered documentation uri using publicDomainTemplate or deckhouse.io domains + +#### Usage + +`{{ include "helm_lib_module_documentation_uri" (list . 
"") }} ` + + +## Module Ephemeral Storage + +### helm_lib_module_ephemeral_storage_logs_with_extra + + 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be added to passed value + returns ephemeral-storage size for logs with extra space + +#### Usage + +`{{ include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 }} ` + +#### Arguments + +- Extra space in mebibytes + + +### helm_lib_module_ephemeral_storage_only_logs + + 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be requested + returns ephemeral-storage size for only logs + +#### Usage + +`{{ include "helm_lib_module_ephemeral_storage_only_logs" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Module Generate Common Name + +### helm_lib_module_generate_common_name + + returns the commonName parameter for use in the Certificate custom resource(cert-manager) + +#### Usage + +`{{ include "helm_lib_module_generate_common_name" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Name portion + +## Module Https + +### helm_lib_module_uri_scheme + + return module uri scheme "http" or "https" + +#### Usage + +`{{ include "helm_lib_module_uri_scheme" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_mode + + returns https mode for module + +#### Usage + +`{{ if (include "helm_lib_module_https_mode" .) }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_cert_manager_cluster_issuer_name + + returns cluster issuer name + +#### Usage + +`{{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_ingress_tls_enabled + + returns not empty string if tls should enable for ingress + +#### Usage + +`{{ if (include "helm_lib_module_https_ingress_tls_enabled" .) 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_https_copy_custom_certificate + + Renders secret with [custom certificate](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-https-customcertificate) + in passed namespace with passed prefix + +#### Usage + +`{{ include "helm_lib_module_https_copy_custom_certificate" (list . "namespace" "secret_name_prefix") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace +- Secret name prefix + + +### helm_lib_module_https_secret_name + + returns custom certificate name + +#### Usage + +`{{ include "helm_lib_module_https_secret_name (list . "secret_name_prefix") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Secret name prefix + +## Module Image + +### helm_lib_module_image + + returns image name + +#### Usage + +`{{ include "helm_lib_module_image" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + + +### helm_lib_module_image_no_fail + + returns image name if found + +#### Usage + +`{{ include "helm_lib_module_image_no_fail" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + + +### helm_lib_module_common_image + + returns image name from common module + +#### Usage + +`{{ include "helm_lib_module_common_image" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + + +### helm_lib_module_common_image_no_fail + + returns image name from common module if found + +#### Usage + +`{{ include "helm_lib_module_common_image_no_fail" (list . 
"") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + +## Module Ingress Class + +### helm_lib_module_ingress_class + + returns ingress class from module settings or if not exists from global config + +#### Usage + +`{{ include "helm_lib_module_ingress_class" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Module Init Container + +### helm_lib_module_init_container_chown_nobody_volume + + ### Migration 11.12.2020: Remove this helper with all its usages after this commit reached RockSolid + returns initContainer which chowns recursively all files and directories in passed volume + +#### Usage + +`{{ include "helm_lib_module_init_container_chown_nobody_volume" (list . "volume-name") }} ` + + + +### helm_lib_module_init_container_chown_deckhouse_volume + + returns initContainer which chowns recursively all files and directories in passed volume + +#### Usage + +`{{ include "helm_lib_module_init_container_chown_deckhouse_volume" (list . "volume-name") }} ` + + + +### helm_lib_module_init_container_check_linux_kernel + + returns initContainer which checks the kernel version on the node for compliance to semver constraint + +#### Usage + +`{{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Semver constraint + +## Module Labels + +### helm_lib_module_labels + + returns deckhouse labels + +#### Usage + +`{{ include "helm_lib_module_labels" (list . (dict "app" "test" "component" "testing")) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Additional labels dict + +## Module Public Domain + +### helm_lib_module_public_domain + + returns rendered publicDomainTemplate to service fqdn + +#### Usage + +`{{ include "helm_lib_module_public_domain" (list . 
"") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Name portion + +## Module Security Context + +### helm_lib_module_pod_security_context_run_as_user_custom + + returns PodSecurityContext parameters for Pod with custom user and group + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_custom" (list . 1000 1000) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- User id +- Group id + + +### helm_lib_module_pod_security_context_run_as_user_nobody + + returns PodSecurityContext parameters for Pod with user and group "nobody" + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_nobody" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs + + returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_deckhouse + + returns PodSecurityContext parameters for Pod with user and group "deckhouse" + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs + + returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" . 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted + + returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards + +#### Usage + +`{{ include "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_run_as_user_root + + returns PodSecurityContext parameters for Pod with user and group 0 + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_run_as_user_root" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_pod_security_context_runtime_default + + returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault + +#### Usage + +`{{ include "helm_lib_module_pod_security_context_runtime_default" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_not_allow_privilege_escalation + + returns SecurityContext parameters for Container with allowPrivilegeEscalation false + +#### Usage + +`{{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . }} ` + + + +### helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux + + returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" . 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_read_only_root_filesystem + + returns SecurityContext parameters for Container with read only root filesystem + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_privileged + + returns SecurityContext parameters for Container running privileged + +#### Usage + +`{{ include "helm_lib_module_container_security_context_privileged" . }} ` + + + +### helm_lib_module_container_security_context_escalated_sys_admin_privileged + + returns SecurityContext parameters for Container running privileged with escalation and sys_admin + +#### Usage + +`{{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }} ` + + + +### helm_lib_module_container_security_context_privileged_read_only_root_filesystem + + returns SecurityContext parameters for Container running privileged with read only root filesystem + +#### Usage + +`{{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all + + returns SecurityContext for Container with read only root filesystem and all capabilities dropped + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . 
}} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add + + returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities + +#### Usage + +`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- List of capabilities + + +### helm_lib_module_container_security_context_capabilities_drop_all_and_add + + returns SecurityContext parameters for Container with all dropped and some added capabilities + +#### Usage + +`{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- List of capabilities + + +### helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom + + returns SecurityContext parameters for Container with read only root filesystem, all dropped, and custom user ID + +#### Usage + +`{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 
1000 1000) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- User id +- Group id + +## Module Storage Class + +### helm_lib_module_storage_class_annotations + + return module StorageClass annotations + +#### Usage + +`{{ include "helm_lib_module_storage_class_annotations" (list $ $index $storageClass.name) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Storage class index +- Storage class name + +## Monitoring Grafana Dashboards + +### helm_lib_grafana_dashboard_definitions_recursion + + returns all the dashboard-definintions from / + current dir is optional — used for recursion but you can use it for partially generating dashboards + +#### Usage + +`{{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . [current dir]) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Dashboards root dir +- Dashboards current dir + + +### helm_lib_grafana_dashboard_definitions + + returns dashboard-definintions from monitoring/grafana-dashboards/ + +#### Usage + +`{{ include "helm_lib_grafana_dashboard_definitions" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_single_dashboard + + renders a single dashboard + +#### Usage + +`{{ include "helm_lib_single_dashboard" (list . "dashboard-name" "folder" $dashboard) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Dashboard name +- Folder +- Dashboard definition + +## Monitoring Prometheus Rules + +### helm_lib_prometheus_rules_recursion + + returns all the prometheus rules from / + current dir is optional — used for recursion but you can use it for partially generating rules + +#### Usage + +`{{ include "helm_lib_prometheus_rules_recursion" (list . 
[current dir]) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace for creating rules +- Rules root dir +- Current dir (optional) + + +### helm_lib_prometheus_rules + + returns all the prometheus rules from monitoring/prometheus-rules/ + +#### Usage + +`{{ include "helm_lib_prometheus_rules" (list . ) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Namespace for creating rules + + +### helm_lib_prometheus_target_scrape_timeout_seconds + + returns adjust timeout value to scrape interval / + +#### Usage + +`{{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list . ) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Target timeout in seconds + +## Node Affinity + +### helm_lib_internal_check_node_selector_strategy + + Verify node selector strategy. + + + +### helm_lib_node_selector + + Returns node selector for workloads depend on strategy. + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- strategy, one of "frontend" "monitoring" "system" "master" "any-node" "wildcard" + + +### helm_lib_tolerations + + Returns tolerations for workloads depend on strategy. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized" "without-storage-problems") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- base strategy, one of "frontend" "monitoring" "system" any-node" "wildcard" +- list of additional strategies. To add strategy list it with prefix "with-", to remove strategy list it with prefix "without-". + + +### _helm_lib_cloud_or_hybrid_cluster + + Check cluster type. + Returns not empty string if this is cloud or hybrid cluster + + + +### helm_lib_internal_check_tolerations_strategy + + Verify base strategy. + Fails if strategy not in allowed list + + + +### _helm_lib_any_node_tolerations + + Base strategy for any uncordoned node in cluster. 
+ +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node") }} ` + + + +### _helm_lib_wildcard_tolerations + + Base strategy that tolerates all. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "wildcard") }} ` + + + +### _helm_lib_monitoring_tolerations + + Base strategy that tolerates nodes with "dedicated.deckhouse.io: monitoring" and "dedicated.deckhouse.io: system" taints. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "monitoring") }} ` + + + +### _helm_lib_frontend_tolerations + + Base strategy that tolerates nodes with "dedicated.deckhouse.io: frontend" taints. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "frontend") }} ` + + + +### _helm_lib_system_tolerations + + Base strategy that tolerates nodes with "dedicated.deckhouse.io: system" taints. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "system") }} ` + + + +### _helm_lib_additional_tolerations_uninitialized + + Additional strategy "uninitialized" - used for CNI's and kube-proxy to allow cni components scheduled on node after CCM initialization. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") }} ` + + + +### _helm_lib_additional_tolerations_node_problems + + Additional strategy "node-problems" - used for shedule critical components on non-ready nodes or nodes under pressure. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-node-problems") }} ` + + + +### _helm_lib_additional_tolerations_storage_problems + + Additional strategy "storage-problems" - used for shedule critical components on nodes with drbd problems. This additional strategy enabled by default in any base strategy except "wildcard". + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . 
"any-node" "without-storage-problems") }} ` + + + +### _helm_lib_additional_tolerations_no_csi + + Additional strategy "no-csi" - used for any node with no CSI: any node, which was initialized by deckhouse, but have no csi-node driver registered on it. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-no-csi") }} ` + + + +### _helm_lib_additional_tolerations_cloud_provider_uninitialized + + Additional strategy "cloud-provider-uninitialized" - used for any node which is not initialized by CCM. + +#### Usage + +`{{ include "helm_lib_tolerations" (tuple . "any-node" "with-cloud-provider-uninitialized") }} ` + + +## Pod Disruption Budget + +### helm_lib_pdb_daemonset + + Returns PDB max unavailable + +#### Usage + +`{{ include "helm_lib_pdb_daemonset" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Priority Class + +### helm_lib_priority_class + + returns priority class if priority-class module enabled, otherwise returns nothing + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Priority class name + +## Resources Management + +### helm_lib_resources_management_pod_resources + + returns rendered resources section based on configuration if it is + +#### Usage + +`{{ include "helm_lib_resources_management_pod_resources" (list [ephemeral storage requests]) }} ` + +#### Arguments + +list: +- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) +- Ephemeral storage requests + + +### helm_lib_resources_management_original_pod_resources + + returns rendered resources section based on configuration if it is present + +#### Usage + +`{{ include "helm_lib_resources_management_original_pod_resources" }} ` + +#### Arguments + +- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) + + +### 
helm_lib_resources_management_vpa_spec + + returns rendered vpa spec based on configuration and target reference + +#### Usage + +`{{ include "helm_lib_resources_management_vpa_spec" (list ) }} ` + +#### Arguments + +list: +- Target API version +- Target Kind +- Target Name +- Target container name +- VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) + + +### helm_lib_resources_management_cpu_units_to_millicores + + helper for converting cpu units to millicores + +#### Usage + +`{{ include "helm_lib_resources_management_cpu_units_to_millicores" }} ` + + + +### helm_lib_resources_management_memory_units_to_bytes + + helper for converting memory units to bytes + +#### Usage + +`{{ include "helm_lib_resources_management_memory_units_to_bytes" }} ` + + + +### helm_lib_vpa_kube_rbac_proxy_resources + + helper for VPA resources for kube_rbac_proxy + +#### Usage + +`{{ include "helm_lib_vpa_kube_rbac_proxy_resources" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + + +### helm_lib_container_kube_rbac_proxy_resources + + helper for container resources for kube_rbac_proxy + +#### Usage + +`{{ include "helm_lib_container_kube_rbac_proxy_resources" . }} ` + +#### Arguments + +- Template context with .Values, .Chart, etc + +## Spec For High Availability + +### helm_lib_pod_anti_affinity_for_ha + + returns pod affinity spec + +#### Usage + +`{{ include "helm_lib_pod_anti_affinity_for_ha" (list . 
(dict "app" "test")) }} `
+
+#### Arguments
+
+list:
+- Template context with .Values, .Chart, etc
+- Match labels for podAntiAffinity label selector
+
+
+### helm_lib_deployment_on_master_strategy_and_replicas_for_ha
+
+ returns deployment strategy and replicas for ha components running on master nodes
+
+#### Usage
+
+`{{ include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} `
+
+#### Arguments
+
+- Template context with .Values, .Chart, etc
+
+
+### helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha
+
+ returns deployment with custom strategy and replicas for ha components running on master nodes
+
+#### Usage
+
+`{{ include "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" (list . (dict "strategy" "strategy_type")) }} `
+
+
+
+### helm_lib_deployment_strategy_and_replicas_for_ha
+
+ returns deployment strategy and replicas for ha components running not on master nodes
+
+#### Usage
+
+`{{ include "helm_lib_deployment_strategy_and_replicas_for_ha" }} `
+
+#### Arguments
+
+- Template context with .Values, .Chart, etc
diff --git a/charts/helm_lib/templates/_api_version_and_kind.tpl b/charts/helm_lib/templates/_api_version_and_kind.tpl
new file mode 100644
index 0000000..4de8a8a
--- /dev/null
+++ b/charts/helm_lib/templates/_api_version_and_kind.tpl
@@ -0,0 +1,36 @@
+{{- /* Usage: {{ include "helm_lib_kind_exists" (list . "") }} */ -}}
+{{- /* returns true if the specified resource kind (case-insensitive) is represented in the cluster */ -}}
+{{- define "helm_lib_kind_exists" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $kind_name := index . 1 -}} {{- /* Kind name portion */ -}}
+ {{- if eq (len $context.Capabilities.APIVersions) 0 -}}
+ {{- fail "Helm reports no capabilities" -}}
+ {{- end -}}
+ {{ range $cap := $context.Capabilities.APIVersions }}
+ {{- if hasSuffix (lower (printf "/%s" $kind_name)) (lower $cap) }}
+ found
+ {{- break }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{- /* Usage: {{ include "helm_lib_get_api_version_by_kind" (list . "") }} */ -}}
+{{- /* returns current apiVersion string, based on available helm capabilities, for the provided kind (not all kinds are supported) */ -}}
+{{- define "helm_lib_get_api_version_by_kind" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $kind_name := index . 1 -}} {{- /* Kind name portion */ -}}
+ {{- if eq (len $context.Capabilities.APIVersions) 0 -}}
+ {{- fail "Helm reports no capabilities" -}}
+ {{- end -}}
+ {{- if or (eq $kind_name "ValidatingAdmissionPolicy") (eq $kind_name "ValidatingAdmissionPolicyBinding") -}}
+ {{- if $context.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1/ValidatingAdmissionPolicy" -}}
+admissionregistration.k8s.io/v1
+ {{- else if $context.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1beta1/ValidatingAdmissionPolicy" -}}
+admissionregistration.k8s.io/v1beta1
+ {{- else -}}
+admissionregistration.k8s.io/v1alpha1
+ {{- end -}}
+ {{- else -}}
+ {{- fail (printf "Kind '%s' isn't supported by the 'helm_lib_get_api_version_by_kind' helper" $kind_name) -}}
+ {{- end -}}
+{{- end -}}
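Review bot: The final `{{- else -}}` in `helm_lib_get_api_version_by_kind` returns `admissionregistration.k8s.io/v1alpha1` without checking that the cluster serves it, so on a cluster where none of the three versions is available (feature gate off, or — as far as I recall Helm's default capability set — a plain `helm template` run) the caller renders a ValidatingAdmissionPolicy with an apiVersion that may not exist, and the problem surfaces at apply time rather than through the helper's own `fail` path; for an admission control that is the wrong place to find out. I would make the third branch explicit, `{{- else if $context.Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1alpha1/ValidatingAdmissionPolicy" -}}`, and keep a trailing `{{- else -}}` holding `{{- fail (printf "no served apiVersion found for kind '%s'" $kind_name) -}}`, which matches the existing `fail` for unsupported kinds. Separately, `helm_lib_kind_exists` matches `/Kind` as a suffix of every capability entry, so a kind that is only present under a deprecated group or version still counts as present; a one-line comment above the `range` would spare callers that surprise, e.g. `{{- /* matches the kind under any API group/version, not a specific one */ -}}`. Both helpers depend on `Capabilities.APIVersions`, which reflects the live API server only on install/upgrade, so the same chart can render differently under `helm template` — worth stating in the Usage comments.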
diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl
new file mode 100644
index 0000000..9bc0d8c
--- /dev/null
+++ b/charts/helm_lib/templates/_csi_controller.tpl
@@ -0,0 +1,763 @@ +{{- define "attacher_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "provisioner_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "resizer_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "syncer_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "snapshotter_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "livenessprobe_resources" }} +cpu: 10m +memory: 25Mi +{{- end }} + +{{- define "controller_resources" }} +cpu: 10m +memory: 50Mi +{{- end }} + +{{- /* Usage: {{ include "helm_lib_csi_controller_manifests" (list . $config) }} */ -}} +{{- define "helm_lib_csi_controller_manifests" }} + {{- $context := index . 0 }} + + {{- $config := index . 1 }} + {{- $fullname := $config.fullname | default "csi-controller" }} + {{- $snapshotterEnabled := dig "snapshotterEnabled" true $config }} + {{- $resizerEnabled := dig "resizerEnabled" true $config }} + {{- $syncerEnabled := dig "syncerEnabled" false $config }} + {{- $topologyEnabled := dig "topologyEnabled" true $config }} + {{- $extraCreateMetadataEnabled := dig "extraCreateMetadataEnabled" false $config }} + {{- $controllerImage := $config.controllerImage | required "$config.controllerImage is required" }} + {{- $provisionerTimeout := $config.provisionerTimeout | default "600s" }} + {{- $attacherTimeout := $config.attacherTimeout | default "600s" }} + {{- $resizerTimeout := $config.resizerTimeout | default "600s" }} + {{- $snapshotterTimeout := $config.snapshotterTimeout | default "600s" }} + {{- $provisionerWorkers := $config.provisionerWorkers | default "10" }} + {{- $attacherWorkers := $config.attacherWorkers | default "10" }} + {{- $resizerWorkers := $config.resizerWorkers | default "10" }} + {{- $snapshotterWorkers := $config.snapshotterWorkers | default "10" }} + {{- $additionalControllerEnvs := $config.additionalControllerEnvs }} + {{- $additionalSyncerEnvs := $config.additionalSyncerEnvs }} + {{- $additionalControllerArgs 
:= $config.additionalControllerArgs }} + {{- $additionalControllerVolumes := $config.additionalControllerVolumes }} + {{- $additionalControllerVolumeMounts := $config.additionalControllerVolumeMounts }} + {{- $additionalContainers := $config.additionalContainers }} + {{- $livenessProbePort := $config.livenessProbePort | default 9808 }} + {{- $initContainerCommand := $config.initContainerCommand }} + {{- $initContainerImage := $config.initContainerImage }} + {{- $initContainerVolumeMounts := $config.initContainerVolumeMounts }} + + {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} + + {{- $provisionerImageName := join "" (list "csiExternalProvisioner" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $provisionerImage := include "helm_lib_module_common_image_no_fail" (list $context $provisionerImageName) }} + + {{- $attacherImageName := join "" (list "csiExternalAttacher" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $attacherImage := include "helm_lib_module_common_image_no_fail" (list $context $attacherImageName) }} + + {{- $resizerImageName := join "" (list "csiExternalResizer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $resizerImage := include "helm_lib_module_common_image_no_fail" (list $context $resizerImageName) }} + + {{- $syncerImageName := join "" (list "csiVsphereSyncer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $syncerImage := include "helm_lib_module_common_image_no_fail" (list $context $syncerImageName) }} + + {{- $snapshotterImageName := join "" (list "csiExternalSnapshotter" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $snapshotterImage := include "helm_lib_module_common_image_no_fail" (list $context $snapshotterImageName) }} + + {{- $livenessprobeImageName := join "" (list "csiLivenessprobe" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $livenessprobeImage := include "helm_lib_module_common_image_no_fail" (list $context 
$livenessprobeImageName) }} + + {{- if $provisionerImage }} + {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} +--- +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller" "workload-resource-policy.deckhouse.io" "master")) | nindent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" + kind: Deployment + name: {{ $fullname }} + updatePolicy: + updateMode: "Auto" + resourcePolicy: + containerPolicies: + - containerName: "provisioner" + minAllowed: + {{- include "provisioner_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + - containerName: "attacher" + minAllowed: + {{- include "attacher_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- if $resizerEnabled }} + - containerName: "resizer" + minAllowed: + {{- include "resizer_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- end }} + {{- if $syncerEnabled }} + - containerName: "syncer" + minAllowed: + {{- include "syncer_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- end }} + {{- if $snapshotterEnabled }} + - containerName: "snapshotter" + minAllowed: + {{- include "snapshotter_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + {{- end }} + - containerName: "livenessprobe" + minAllowed: + {{- include "livenessprobe_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 50Mi + - containerName: "controller" + minAllowed: + {{- include "controller_resources" $context | nindent 8 }} + maxAllowed: + cpu: 20m + memory: 100Mi + {{- end }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller")) | nindent 2 }} 
+spec: + maxUnavailable: 1 + selector: + matchLabels: + app: {{ $fullname }} +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-controller")) | nindent 2 }} +spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app: {{ $fullname }} + strategy: + type: Recreate + template: + metadata: + labels: + app: {{ $fullname }} + {{- if hasPrefix "cloud-provider-" $context.Chart.Name }} + annotations: + cloud-config-checksum: {{ include (print $context.Template.BasePath "/cloud-controller-manager/secret.yaml") $context | sha256sum }} + {{- end }} + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + imagePullSecrets: + - name: deckhouse-registry + {{- include "helm_lib_priority_class" (tuple $context "system-cluster-critical") | nindent 6 }} + {{- include "helm_lib_node_selector" (tuple $context "master") | nindent 6 }} + {{- include "helm_lib_tolerations" (tuple $context "any-node" "with-uninitialized") | nindent 6 }} +{{- if $context.Values.global.enabledModules | has "csi-nfs" }} + {{- include "helm_lib_module_pod_security_context_runtime_default" . | nindent 6 }} +{{- else }} + {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }} +{{- end }} + serviceAccountName: csi + containers: + - name: provisioner + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $provisionerImage | quote }} + args: + - "--timeout={{ $provisionerTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + {{- if $topologyEnabled }} + - "--feature-gates=Topology=true" + - "--strict-topology" + {{- else }} + - "--feature-gates=Topology=false" + {{- end }} + - "--default-fstype=ext4" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--enable-capacity" + - "--capacity-ownerref-level=2" + {{- if $extraCreateMetadataEnabled }} + - "--extra-create-metadata=true" + {{- end }} + - "--worker-threads={{ $provisionerWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "provisioner_resources" $context | nindent 12 }} + {{- end }} + - name: attacher + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $attacherImage | quote }} + args: + - "--timeout={{ $attacherTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--worker-threads={{ $attacherWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "attacher_resources" $context | nindent 12 }} + {{- end }} + {{- if $resizerEnabled }} + - name: resizer + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + image: {{ $resizerImage | quote }} + args: + - "--timeout={{ $resizerTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--workers={{ $resizerWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "resizer_resources" $context | nindent 12 }} + {{- end }} + {{- end }} + {{- if $syncerEnabled }} + - name: syncer + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $syncerImage | quote }} + args: + - "--leader-election" + - "--leader-election-lease-duration=30s" + - "--leader-election-renew-deadline=20s" + - "--leader-election-retry-period=10s" + {{- if $additionalControllerArgs }} + {{- $additionalControllerArgs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalSyncerEnvs }} + env: + {{- $additionalSyncerEnvs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalControllerVolumeMounts }} + volumeMounts: + {{- $additionalControllerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "syncer_resources" $context | nindent 12 }} + {{- end }} + {{- end }} + {{- if $snapshotterEnabled }} + - name: snapshotter + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + image: {{ $snapshotterImage | quote }} + args: + - "--timeout={{ $snapshotterTimeout }}" + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--leader-election-namespace=$(NAMESPACE)" + - "--worker-threads={{ $snapshotterWorkers }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "snapshotter_resources" $context | nindent 12 }} + {{- end }} + {{- end }} + - name: livenessprobe + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . 
| nindent 8 }} + image: {{ $livenessprobeImage | quote }} + args: + - "--csi-address=$(ADDRESS)" + - "--http-endpoint=$(HOST_IP):{{ $livenessProbePort }}" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "livenessprobe_resources" $context | nindent 12 }} + {{- end }} + - name: controller +{{- if $context.Values.global.enabledModules | has "csi-nfs" }} + {{- include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . | nindent 8 }} +{{- else }} + {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} +{{- end }} + image: {{ $controllerImage | quote }} + args: + {{- if $additionalControllerArgs }} + {{- $additionalControllerArgs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalControllerEnvs }} + env: + {{- $additionalControllerEnvs | toYaml | nindent 8 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ $livenessProbePort }} + volumeMounts: + - name: socket-dir + mountPath: /csi + {{- /* For an unknown reason vSphere csi-controller won't start without `/tmp` directory */ -}} + {{- if eq $context.Chart.Name "cloud-provider-vsphere" }} + - name: tmp + mountPath: /tmp + {{- end }} + {{- if $additionalControllerVolumeMounts }} + {{- $additionalControllerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "controller_resources" $context | nindent 12 }} + {{- end }} + {{- if $additionalContainers }} + {{- $additionalContainers | 
toYaml | nindent 6 }} + {{- end }} + {{- if $initContainerCommand }} + initContainers: + - command: + {{- $initContainerCommand | toYaml | nindent 8 }} + image: {{ $initContainerImage }} + imagePullPolicy: IfNotPresent + name: csi-controller-init-container + {{- if $initContainerVolumeMounts }} + volumeMounts: + {{- $initContainerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- end }} + volumes: + - name: socket-dir + emptyDir: {} + {{- /* For an unknown reason vSphere csi-controller won't start without `/tmp` directory */ -}} + {{- if eq $context.Chart.Name "cloud-provider-vsphere" }} + - name: tmp + emptyDir: {} + {{- end }} + {{- if $additionalControllerVolumes }} + {{- $additionalControllerVolumes | toYaml | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_csi_controller_rbac" . }} */ -}} +{{- define "helm_lib_csi_controller_rbac" }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} + +# =========== +# provisioner +# =========== +# Source https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] +- apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] +- apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] +# Access to volumeattachments is only needed when the CSI driver +# has the PUBLISH_UNPUBLISH_VOLUME controller capability. +# In that case, external-provisioner will watch volumeattachments +# to determine when it is safe to delete a volume. +- apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-provisioner + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-provisioner + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +# Only one of the following rules for endpoints or leases is required based on +# what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases. +- apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +# Permissions for CSIStorageCapacity are only needed enabling the publishing +# of storage capacity information. +- apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +# The GET permissions below are needed for walking up the ownership chain +# for CSIStorageCapacity. They are sufficient for deployment via +# StatefulSet (only needs to get Pod) and Deployment (needs to get +# Pod and then ReplicaSet to find the Deployment). +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-provisioner + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-provisioner + apiGroup: rbac.authorization.k8s.io + +# ======== +# attacher +# ======== +# Source https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-attacher + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] +- apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-attacher + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-attacher + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-attacher + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-attacher + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-attacher + apiGroup: rbac.authorization.k8s.io + +# ======= +# resizer +# ======= +# Source https://github.com/kubernetes-csi/external-resizer/blob/master/deploy/kubernetes/rbac.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-resizer + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] +- apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["patch"] +- apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-resizer + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-resizer + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-resizer + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-resizer + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-resizer + apiGroup: rbac.authorization.k8s.io +# ======== +# snapshotter +# ======== +# Source https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter + {{- include "helm_lib_module_labels" (list . 
(dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: ClusterRole + name: d8:{{ .Chart.Name }}:csi:controller:external-snapshotter + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-snapshotter + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +rules: +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi:controller:external-snapshotter + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" "csi-controller")) | nindent 2 }} +subjects: +- kind: ServiceAccount + name: csi + namespace: d8-{{ .Chart.Name }} +roleRef: + kind: Role + name: csi:controller:external-snapshotter + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl new file mode 100644 index 0000000..254bc40 --- /dev/null +++ b/charts/helm_lib/templates/_csi_node.tpl 
@@ -0,0 +1,206 @@ +{{- define "node_driver_registrar_resources" }} +cpu: 12m +memory: 25Mi +{{- end }} + +{{- define "node_resources" }} +cpu: 12m +memory: 25Mi +{{- end }} + +{{- /* Usage: {{ include "helm_lib_csi_node_manifests" (list . $config) }} */ -}} +{{- define "helm_lib_csi_node_manifests" }} + {{- $context := index . 0 }} + + {{- $config := index . 1 }} + {{- $fullname := $config.fullname | default "csi-node" }} + {{- $nodeImage := $config.nodeImage | required "$config.nodeImage is required" }} + {{- $driverFQDN := $config.driverFQDN | required "$config.driverFQDN is required" }} + {{- $serviceAccount := $config.serviceAccount | default "" }} + {{- $additionalNodeEnvs := $config.additionalNodeEnvs }} + {{- $additionalNodeArgs := $config.additionalNodeArgs }} + {{- $additionalNodeVolumes := $config.additionalNodeVolumes }} + {{- $additionalNodeVolumeMounts := $config.additionalNodeVolumeMounts }} + {{- $additionalNodeLivenessProbesCmd := $config.additionalNodeLivenessProbesCmd }} + {{- $initContainerCommand := $config.initContainerCommand }} + {{- $initContainerImage := $config.initContainerImage }} + {{- $initContainerVolumeMounts := $config.initContainerVolumeMounts }} + + {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} + {{- $driverRegistrarImageName := join "" (list "csiNodeDriverRegistrar" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $driverRegistrarImage := include "helm_lib_module_common_image_no_fail" (list $context $driverRegistrarImageName) }} + {{- if $driverRegistrarImage }} + {{- if or (include "_helm_lib_cloud_or_hybrid_cluster" $context) ($context.Values.global.enabledModules | has "ceph-csi") ($context.Values.global.enabledModules | has "csi-nfs") ($context.Values.global.enabledModules | has "csi-ceph") ($context.Values.global.enabledModules | has "csi-yadro") }} + {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} +--- +apiVersion: autoscaling.k8s.io/v1 
+kind: VerticalPodAutoscaler +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-node" "workload-resource-policy.deckhouse.io" "every-node")) | nindent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" + kind: DaemonSet + name: {{ $fullname }} + updatePolicy: + updateMode: "Auto" + resourcePolicy: + containerPolicies: + - containerName: "node-driver-registrar" + minAllowed: + {{- include "node_driver_registrar_resources" $context | nindent 8 }} + maxAllowed: + cpu: 25m + memory: 50Mi + - containerName: "node" + minAllowed: + {{- include "node_resources" $context | nindent 8 }} + maxAllowed: + cpu: 25m + memory: 50Mi + {{- end }} +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "csi-node")) | nindent 2 }} +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: {{ $fullname }} + template: + metadata: + labels: + app: {{ $fullname }} + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - operator: In + key: node.deckhouse.io/type + values: + - CloudEphemeral + - CloudPermanent + - CloudStatic + {{- if or (eq $fullname "csi-node-rbd") (eq $fullname "csi-node-cephfs") (eq $fullname "csi-nfs") (eq $fullname "csi-yadro") }} + - Static + {{- end }} + imagePullSecrets: + - name: deckhouse-registry + {{- include "helm_lib_priority_class" (tuple $context "system-node-critical") | nindent 6 }} + {{- include "helm_lib_tolerations" (tuple $context "any-node" "with-no-csi") | nindent 6 }} + {{- include "helm_lib_module_pod_security_context_run_as_user_root" . 
| nindent 6 }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: node-driver-registrar + {{- include "helm_lib_module_container_security_context_not_allow_privilege_escalation" $context | nindent 8 }} + image: {{ $driverRegistrarImage | quote }} + args: + - "--v=5" + - "--csi-address=$(CSI_ENDPOINT)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + env: + - name: CSI_ENDPOINT + value: "/csi/csi.sock" + - name: DRIVER_REG_SOCK_PATH + value: "/var/lib/kubelet/csi-plugins/{{ $driverFQDN }}/csi.sock" + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if $additionalNodeLivenessProbesCmd }} + livenessProbe: + initialDelaySeconds: 3 + exec: + command: + {{- $additionalNodeLivenessProbesCmd | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" 10 | nindent 12 }} + {{- if not ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include "node_driver_registrar_resources" $context | nindent 12 }} + {{- end }} + - name: node + securityContext: + privileged: true + image: {{ $nodeImage }} + args: + {{- if $additionalNodeArgs }} + {{- $additionalNodeArgs | toYaml | nindent 8 }} + {{- end }} + {{- if $additionalNodeEnvs }} + env: + {{- $additionalNodeEnvs | toYaml | nindent 8 }} + {{- end }} + volumeMounts: + - name: kubelet-dir + mountPath: /var/lib/kubelet + mountPropagation: "Bidirectional" + - name: plugin-dir + mountPath: /csi + - name: device-dir + mountPath: /dev + {{- if $additionalNodeVolumeMounts }} + {{- $additionalNodeVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} + {{- include 
"node_resources" $context | nindent 12 }} + {{- end }} + {{- if $initContainerCommand }} + initContainers: + - command: + {{- $initContainerCommand | toYaml | nindent 8 }} + image: {{ $initContainerImage }} + imagePullPolicy: IfNotPresent + name: csi-node-init-container + {{- if $initContainerVolumeMounts }} + volumeMounts: + {{- $initContainerVolumeMounts | toYaml | nindent 8 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- end }} + serviceAccount: {{ $serviceAccount | quote }} + serviceAccountName: {{ $serviceAccount | quote }} + volumes: + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + - name: kubelet-dir + hostPath: + path: /var/lib/kubelet + type: Directory + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/csi-plugins/{{ $driverFQDN }}/ + type: DirectoryOrCreate + - name: device-dir + hostPath: + path: /dev + type: Directory + {{- if $additionalNodeVolumes }} + {{- $additionalNodeVolumes | toYaml | nindent 6 }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/helm_lib/templates/_enable_ds_eviction.tpl b/charts/helm_lib/templates/_enable_ds_eviction.tpl new file mode 100644 index 0000000..b912c05 --- /dev/null +++ b/charts/helm_lib/templates/_enable_ds_eviction.tpl @@ -0,0 +1,6 @@ +{{- /* Usage: {{ include "helm_lib_prevent_ds_eviction_annotation" . }} */ -}} +{{- /* Adds `cluster-autoscaler.kubernetes.io/enable-ds-eviction` annotation to manage DaemonSet eviction by the Cluster Autoscaler. */ -}} +{{- /* This is important to prevent the eviction of DaemonSet pods during cluster scaling. */ -}} +{{- define "helm_lib_prevent_ds_eviction_annotation" -}} +cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false" +{{- end }} diff --git a/charts/helm_lib/templates/_envs_for_proxy.tpl b/charts/helm_lib/templates/_envs_for_proxy.tpl new file mode 100644 index 0000000..177bb1c --- /dev/null 
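Review bot: `helm_lib_module_pod_security_context_run_as_user_root` is included with `.` as its argument while every other include in this template passes `$context`; inside the define `.` is the `(list . $config)` argument, so if that helper reads `.Values` the render fails, and if it ignores its argument the call only works by accident — change it to `{{- include "helm_lib_module_pod_security_context_run_as_user_root" $context | nindent 6 }}`. Separately, `$serviceAccount` defaults to `""`, which leaves this privileged, `hostNetwork` DaemonSet on the namespace's default service account with its token automounted; when no account is configured, emitting `automountServiceAccountToken: false` keeps API credentials the node plugin does not use out of the container. `serviceAccount` is the deprecated alias of `serviceAccountName`, so setting both is redundant and the older field can be dropped.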
+++ b/charts/helm_lib/templates/_envs_for_proxy.tpl
@@ -0,0 +1,30 @@
+{{- /* Usage: {{ include "helm_lib_envs_for_proxy" . }} */ -}}
+{{- /* Add HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables for container */ -}}
+{{- /* depends on [proxy settings](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-proxy) */ -}}
+{{- define "helm_lib_envs_for_proxy" }}
+ {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- if $context.Values.global.clusterConfiguration }}
+ {{- if $context.Values.global.clusterConfiguration.proxy }}
+ {{- if $context.Values.global.clusterConfiguration.proxy.httpProxy }}
+- name: HTTP_PROXY
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpProxy | quote }}
+- name: http_proxy
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpProxy | quote }}
+ {{- end }}
+ {{- if $context.Values.global.clusterConfiguration.proxy.httpsProxy }}
+- name: HTTPS_PROXY
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }}
+- name: https_proxy
+ value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }}
+ {{- end }}
+ {{- $noProxy := list "127.0.0.1" "169.254.169.254" $context.Values.global.clusterConfiguration.clusterDomain $context.Values.global.clusterConfiguration.podSubnetCIDR $context.Values.global.clusterConfiguration.serviceSubnetCIDR }}
+ {{- if $context.Values.global.clusterConfiguration.proxy.noProxy }}
+ {{- $noProxy = concat $noProxy $context.Values.global.clusterConfiguration.proxy.noProxy }}
+ {{- end }}
+- name: NO_PROXY
+ value: {{ $noProxy | join "," | quote }}
+- name: no_proxy
+ value: {{ $noProxy | join "," | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_high_availability.tpl b/charts/helm_lib/templates/_high_availability.tpl
new file mode 100644
index 0000000..8c7da23
--- /dev/null
+++ b/charts/helm_lib/templates/_high_availability.tpl
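Review bot: The `{{- $noProxy := list ... }}` line takes `clusterDomain`, `podSubnetCIDR` and `serviceSubnetCIDR` unguarded, unlike `httpProxy`/`httpsProxy`, so an unset value becomes an empty element and `NO_PROXY` renders with a `,,` hole; `{{- $noProxy = $noProxy | compact }}` before the `join` drops those. `localhost` is not in the list, only `127.0.0.1`: Go clients bypass loopback names on their own, but other HTTP stacks honour `no_proxy` literally, so adding `"localhost"` to the `list` is cheap insurance. `concat` also presumes `proxy.noProxy` is a list — if the values schema lets it be a comma-separated string this fails at render time, which is worth a comment stating the expected type.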
@@ -0,0 +1,39 @@
+{{- /* Usage: {{ include "helm_lib_is_ha_to_value" (list . yes no) }} */ -}}
+{{- /* returns value "yes" if cluster is highly available, else — returns "no" */ -}}
+{{- define "helm_lib_is_ha_to_value" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $yes := index . 1 -}} {{- /* Yes value */ -}}
+ {{- $no := index . 2 -}} {{- /* No value */ -}}
+
+ {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
+
+ {{- if hasKey $module_values "highAvailability" -}}
+ {{- if $module_values.highAvailability -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
+ {{- else if hasKey $context.Values.global "highAvailability" -}}
+ {{- if $context.Values.global.highAvailability -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
+ {{- else -}}
+ {{- if $context.Values.global.discovery.clusterControlPlaneIsHighlyAvailable -}} {{- $yes -}} {{- else -}} {{- $no -}} {{- end -}}
+ {{- end -}}
+{{- end }}
+
+{{- /* Usage: {{- if (include "helm_lib_ha_enabled" .) }} */ -}}
+{{- /* returns empty value, which is treated by go template as false */ -}}
+{{- define "helm_lib_ha_enabled" }}
+ {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+
+ {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }}
+
+ {{- if hasKey $module_values "highAvailability" -}}
+ {{- if $module_values.highAvailability -}}
+ "not empty string"
+ {{- end -}}
+ {{- else if hasKey $context.Values.global "highAvailability" -}}
+ {{- if $context.Values.global.highAvailability -}}
+ "not empty string"
+ {{- end -}}
+ {{- else -}}
+ {{- if $context.Values.global.discovery.clusterControlPlaneIsHighlyAvailable -}}
+ "not empty string"
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/helm_lib/templates/_kube_rbac_proxy.tpl b/charts/helm_lib/templates/_kube_rbac_proxy.tpl
new file mode 100644
index 0000000..af9f7a4
--- /dev/null
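Review bot: `helm_lib_ha_enabled` re-implements the three-way decision that `helm_lib_is_ha_to_value` already makes, so the two can drift; its body can be a single delegating line, `{{- include "helm_lib_is_ha_to_value" (list . "not empty string" "") -}}`. In both helpers `$module_values` is whatever `index $context.Values <module name>` returns, and when that key is absent the value is nil, which `hasKey` is likely to reject with a render error rather than report as `false`; either document that every module must have a values stanza or guard with `{{- if and $module_values (hasKey $module_values "highAvailability") -}}` (`and` short-circuits in current Go templates).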
+++ b/charts/helm_lib/templates/_kube_rbac_proxy.tpl
@@ -0,0 +1,21 @@
+{{- /* Usage: {{ include "helm_lib_kube_rbac_proxy_ca_certificate" (list . "namespace") }} */ -}}
+{{- /* Renders configmap with kube-rbac-proxy CA certificate which uses to verify the kube-rbac-proxy clients. */ -}}
+{{- define "helm_lib_kube_rbac_proxy_ca_certificate" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* Namespace where CA configmap will be created */ -}}
+ {{- $context := index . 0 }}
+ {{- $namespace := index . 1 }}
+---
+apiVersion: v1
+data:
+ ca.crt: |
+ {{ $context.Values.global.internal.modules.kubeRBACProxyCA.cert | nindent 4 }}
+kind: ConfigMap
+metadata:
+ annotations:
+ kubernetes.io/description: |
+ Contains a CA bundle that can be used to verify the kube-rbac-proxy clients.
+ {{- include "helm_lib_module_labels" (list $context) | nindent 2 }}
+ name: kube-rbac-proxy-ca.crt
+ namespace: {{ $namespace }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_documentation_uri.tpl b/charts/helm_lib/templates/_module_documentation_uri.tpl
new file mode 100644
index 0000000..a02cf45
--- /dev/null
+++ b/charts/helm_lib/templates/_module_documentation_uri.tpl
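Review bot: Under `ca.crt: |` the certificate is emitted with `{{ ... | nindent 4 }}` and no left trim, so the literal block's first line is the template's own indentation followed by the newline `nindent` adds, and the stored value starts with an empty line; `{{- $context.Values.global.internal.modules.kubeRBACProxyCA.cert | nindent 4 }}` puts the PEM directly after `ca.crt: |`. Most PEM decoders tolerate a leading blank line, but a CA bundle whose bytes differ from the source value is the kind of thing that breaks comparison tests. Since this ConfigMap exists only to carry the CA, an unset value should stop the render instead of publishing an empty `ca.crt`: `| required "global.internal.modules.kubeRBACProxyCA.cert is required"` before `nindent` does that. The two descriptive comments at the top of the define sit on lines of their own above the `index` assignments, whereas the other helpers in this chart place them inline after the assignment they describe.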
@@ -0,0 +1,15 @@
+{{- /* Usage: {{ include "helm_lib_module_documentation_uri" (list . "") }} */ -}}
+{{- /* returns rendered documentation uri using publicDomainTemplate or deckhouse.io domains*/ -}}
+{{- define "helm_lib_module_documentation_uri" }}
+ {{- $default_doc_prefix := "https://deckhouse.io/documentation/v1" -}}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $path_portion := index . 1 -}} {{- /* Path to the document */ -}}
+ {{- $uri := "" -}}
+ {{- if $context.Values.global.modules.publicDomainTemplate }}
+ {{- $uri = printf "%s://%s%s" (include "helm_lib_module_uri_scheme" $context) (include "helm_lib_module_public_domain" (list $context "documentation")) $path_portion -}}
+ {{- else }}
+ {{- $uri = printf "%s%s" $default_doc_prefix $path_portion -}}
+ {{- end -}}
+
+ {{ $uri }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_ephemeral_storage.tpl b/charts/helm_lib/templates/_module_ephemeral_storage.tpl
new file mode 100644
index 0000000..4b2dd02
--- /dev/null
+++ b/charts/helm_lib/templates/_module_ephemeral_storage.tpl
@@ -0,0 +1,15 @@
+{{- /* Usage: {{ include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 }} */ -}}
+{{- /* 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be added to passed value */ -}}
+{{- /* returns ephemeral-storage size for logs with extra space */ -}}
+{{- define "helm_lib_module_ephemeral_storage_logs_with_extra" -}}
+{{- /* Extra space in mebibytes */ -}}
+ephemeral-storage: {{ add . 50 }}Mi
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_ephemeral_storage_only_logs" . }} */ -}}
+{{- /* 50Mi for container logs `log-opts.max-file * log-opts.max-size` would be requested */ -}}
+{{- /* returns ephemeral-storage size for only logs */ -}}
+{{- define "helm_lib_module_ephemeral_storage_only_logs" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+ephemeral-storage: 50Mi
+{{- end }}
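Review bot: The closing `{{ $uri }}` is only free of the blank line and indentation in front of it because the preceding `{{- end -}}` trims trailing whitespace, so the helper's clean output depends on a neighbouring action; `{{- $uri -}}` makes it self-contained and matches the value-returning helpers elsewhere in this chart, which close with `{{- ... -}}`. `$path_portion` is appended verbatim to a prefix that has no trailing slash, so callers must pass a leading `/`; state that in the Usage comment, e.g. `{{- /* $path_portion is appended unchanged and must start with "/" (or be empty) */ -}}`.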
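Review bot: The Usage comment for `helm_lib_module_ephemeral_storage_only_logs` shows `include ... .` and the body carries a "Template context" comment, yet the define never reads its argument, and the csi_node template in this same commit calls it with `10`; the comment should say so, e.g. `{{- /* Usage: {{ include "helm_lib_module_ephemeral_storage_only_logs" . }} — the argument is ignored */ -}}`. In `helm_lib_module_ephemeral_storage_logs_with_extra`, Sprig's `add` coerces its operands with a lenient cast, so a caller passing a quantity string such as `"10Mi"` most likely gets `0` and a silent `50Mi` rather than an error; extending the existing comment to `{{- /* Extra space as a bare integer number of mebibytes; quantity strings are not accepted */ -}}` would make the contract explicit.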
diff --git a/charts/helm_lib/templates/_module_generate_common_name.tpl b/charts/helm_lib/templates/_module_generate_common_name.tpl
new file mode 100644
index 0000000..fb142f8
--- /dev/null
+++ b/charts/helm_lib/templates/_module_generate_common_name.tpl
@@ -0,0 +1,13 @@
+{{- /* Usage: {{ include "helm_lib_module_generate_common_name" (list . "") }} */ -}}
+{{- /* returns the commonName parameter for use in the Certificate custom resource(cert-manager) */ -}}
+{{- define "helm_lib_module_generate_common_name" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $name_portion := index . 1 -}} {{- /* Name portion */ -}}
+
+ {{- $domain := include "helm_lib_module_public_domain" (list $context $name_portion) -}}
+
+ {{- $domain_length := len $domain -}}
+ {{- if le $domain_length 64 -}}
+commonName: {{ $domain }}
+ {{- end -}}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_https.tpl b/charts/helm_lib/templates/_module_https.tpl
new file mode 100644
index 0000000..8ee41ef
--- /dev/null
+++ b/charts/helm_lib/templates/_module_https.tpl
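Review bot: The `le $domain_length 64` guard is a magic number with no explanation; add `{{- /* RFC 5280 limits the X.509 commonName to 64 characters; longer hosts get no commonName and the certificate presumably relies on dnsNames alone */ -}}` above it so the next reader does not "fix" the silent omission. Go template `len` on a string counts bytes, so a non-ASCII domain in UTF-8 form could be dropped before it reaches 64 characters; that only errs on the safe side here, but it belongs in the same comment.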
@@ -0,0 +1,160 @@ +{{- /* Usage: {{ include "helm_lib_module_uri_scheme" . }} */ -}} +{{- /* return module uri scheme "http" or "https" */ -}} +{{- define "helm_lib_module_uri_scheme" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $mode := "" -}} + + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + {{- if hasKey $module_values "https" -}} + {{- if hasKey $module_values.https "mode" -}} + {{- $mode = $module_values.https.mode -}} + {{- else }} + {{- $mode = $context.Values.global.modules.https.mode | default "" -}} + {{- end }} + {{- else }} + {{- $mode = $context.Values.global.modules.https.mode | default "" -}} + {{- end }} + + + {{- if eq "Disabled" $mode -}} + http + {{- else -}} + https + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ $https_values := include "helm_lib_https_values" . | fromYaml }} */ -}} +{{- define "helm_lib_https_values" -}} + {{- $context := . -}} + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + {{- $mode := "" -}} + {{- $certManagerClusterIssuerName := "" -}} + + {{- if hasKey $module_values "https" -}} + {{- if hasKey $module_values.https "mode" -}} + {{- $mode = $module_values.https.mode -}} + {{- if eq $mode "CertManager" -}} + {{- if not (hasKey $module_values.https "certManager") -}} + {{- cat ".https.certManager.clusterIssuerName is mandatory when .https.mode is set to CertManager" | fail -}} + {{- end -}} + {{- if hasKey $module_values.https.certManager "clusterIssuerName" -}} + {{- $certManagerClusterIssuerName = $module_values.https.certManager.clusterIssuerName -}} + {{- else -}} + {{- cat ".https.certManager.clusterIssuerName is mandatory when .https.mode is set to CertManager" | fail -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- cat ".https.mode is mandatory when .https is defined" | fail -}} + {{- end -}} + {{- end -}} + + {{- if empty $mode -}} + {{- $mode = 
$context.Values.global.modules.https.mode -}} + {{- if eq $mode "CertManager" -}} + {{- $certManagerClusterIssuerName = $context.Values.global.modules.https.certManager.clusterIssuerName -}} + {{- end -}} + {{- end -}} + + {{- if not (has $mode (list "Disabled" "CertManager" "CustomCertificate" "OnlyInURI")) -}} + {{- cat "Unknown https.mode:" $mode | fail -}} + {{- end -}} + + {{- if and (eq $mode "CertManager") (not ($context.Values.global.enabledModules | has "cert-manager")) -}} + {{- cat "https.mode has value CertManager but cert-manager module not enabled" | fail -}} + {{- end -}} + +mode: {{ $mode }} + {{- if eq $mode "CertManager" }} +certManager: + clusterIssuerName: {{ $certManagerClusterIssuerName }} + {{- end -}} + +{{- end -}} + +{{- /* Usage: {{ if (include "helm_lib_module_https_mode" .) }} */ -}} +{{- /* returns https mode for module */ -}} +{{- define "helm_lib_module_https_mode" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $https_values := include "helm_lib_https_values" $context | fromYaml -}} + {{- $https_values.mode -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" . }} */ -}} +{{- /* returns cluster issuer name */ -}} +{{- define "helm_lib_module_https_cert_manager_cluster_issuer_name" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $https_values := include "helm_lib_https_values" $context | fromYaml -}} + {{- $https_values.certManager.clusterIssuerName -}} +{{- end -}} + +{{- /* Usage: {{ if (include "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" .) }} */ -}} +{{- define "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" -}} + {{- $context := . 
-}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- if has (include "helm_lib_module_https_cert_manager_cluster_issuer_name" $context) (list "route53" "cloudflare" "digitalocean" "clouddns") }} + "not empty string" + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_cert_manager_acme_solver_challenge_settings" . | nindent 4 }} */ -}} +{{- define "helm_lib_module_https_cert_manager_acme_solver_challenge_settings" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- if (include "helm_lib_module_https_cert_manager_cluster_issuer_is_dns01_challenge_solver" $context) }} +- dns01: + provider: {{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" $context }} + {{- else }} +- http01: + ingressClass: {{ include "helm_lib_module_ingress_class" $context | quote }} + {{- end }} +{{- end -}} + +{{- /* Usage: {{ if (include "helm_lib_module_https_ingress_tls_enabled" .) }} */ -}} +{{- /* returns not empty string if tls should enable for ingress */ -}} +{{- define "helm_lib_module_https_ingress_tls_enabled" -}} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} + + {{- $mode := include "helm_lib_module_https_mode" $context -}} + + {{- if or (eq "CertManager" $mode) (eq "CustomCertificate" $mode) -}} + not empty string + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_copy_custom_certificate" (list . "namespace" "secret_name_prefix") }} */ -}} +{{- /* Renders secret with [custom certificate](https://deckhouse.io/documentation/v1/deckhouse-configure-global.html#parameters-modules-https-customcertificate) */ -}} +{{- /* in passed namespace with passed prefix */ -}} +{{- define "helm_lib_module_https_copy_custom_certificate" -}} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $namespace := index . 1 -}} {{- /* Namespace */ -}} + {{- $secret_name_prefix := index . 
2 -}} {{- /* Secret name prefix */ -}} + {{- $mode := include "helm_lib_module_https_mode" $context -}} + {{- if eq $mode "CustomCertificate" -}} + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}} + {{- $secret_name := include "helm_lib_module_https_secret_name" (list $context $secret_name_prefix) -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secret_name }} + namespace: {{ $namespace }} + {{- include "helm_lib_module_labels" (list $context) | nindent 2 }} +type: kubernetes.io/tls +data: {{ $module_values.internal.customCertificateData | toJson }} + {{- end -}} +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_module_https_secret_name (list . "secret_name_prefix") }} */ -}} +{{- /* returns custom certificate name */ -}} +{{- define "helm_lib_module_https_secret_name" -}} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $secret_name_prefix := index . 1 -}} {{- /* Secret name prefix */ -}} + {{- $mode := include "helm_lib_module_https_mode" $context -}} + {{- if eq $mode "CertManager" -}} + {{- $secret_name_prefix -}} + {{- else -}} + {{- if eq $mode "CustomCertificate" -}} + {{- printf "%s-customcertificate" $secret_name_prefix -}} + {{- else -}} + {{- fail "https.mode must be CustomCertificate or CertManager" -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl new file mode 100644 index 0000000..bdf29f0 --- /dev/null +++ b/charts/helm_lib/templates/_module_image.tpl 
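Review bot: `helm_lib_module_https_cert_manager_cluster_issuer_name` reads `$https_values.certManager.clusterIssuerName`, but `helm_lib_https_values` only emits the `certManager` key when the mode is `CertManager`, so for any other mode the lookup descends into a nil value and Go templates stop with a `nil pointer evaluating` error rather than returning an empty string; `..._cluster_issuer_is_dns01_challenge_solver` and `..._acme_solver_challenge_settings` inherit that precondition. It should be stated in their Usage comments, e.g. `{{- /* Only valid when helm_lib_module_https_mode returns CertManager; other modes fail the render */ -}}`. The DNS-01 decision is a hard-coded list of issuer names (`route53`, `cloudflare`, `digitalocean`, `clouddns`), so a ClusterIssuer with any other name silently falls back to HTTP-01 and its ingress-class exposure; a comment saying which shipped ClusterIssuers the list mirrors, or a values-driven list, would make that coupling visible to whoever adds the next issuer.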
@@ -0,0 +1,76 @@
+{{- /* Usage: {{ include "helm_lib_module_image" (list . "") }} */ -}}
+{{- /* returns image name */ -}}
+{{- define "helm_lib_module_image" }}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
+ {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }}
+ {{- if ge (len .) 3 }}
+ {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}}
+ {{- end }}
+ {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }}
+ {{- if not $imageDigest }}
+ {{- $error := (printf "Image %s.%s has no digest" $moduleName $containerName ) }}
+ {{- fail $error }}
+ {{- end }}
+ {{- $registryBase := $context.Values.global.modulesImages.registry.base }}
+ {{- /* handle external modules registry */}}
+ {{- if index $context.Values $moduleName }}
+ {{- if index $context.Values $moduleName "registry" }}
+ {{- if index $context.Values $moduleName "registry" "base" }}
+ {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }}
+ {{- $path := trimAll "/" $context.Chart.Name }}
+ {{- $registryBase = join "/" (list $host $path) }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- printf "%s@%s" $registryBase $imageDigest }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_image_no_fail" (list . "") }} */ -}}
+{{- /* returns image name if found */ -}}
+{{- define "helm_lib_module_image_no_fail" }}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
+ {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }}
+ {{- if ge (len .) 3 }}
+ {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}}
+ {{- end }}
+ {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }}
+ {{- if $imageDigest }}
+ {{- $registryBase := $context.Values.global.modulesImages.registry.base }}
+ {{- if index $context.Values $moduleName }}
+ {{- if index $context.Values $moduleName "registry" }}
+ {{- if index $context.Values $moduleName "registry" "base" }}
+ {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }}
+ {{- $path := trimAll "/" $context.Chart.Name }}
+ {{- $registryBase = join "/" (list $host $path) }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- printf "%s@%s" $registryBase $imageDigest }}
+ {{- end }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_common_image" (list . "") }} */ -}}
+{{- /* returns image name from common module */ -}}
+{{- define "helm_lib_module_common_image" }}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
+ {{- $imageDigest := index $context.Values.global.modulesImages.digests "common" $containerName }}
+ {{- if not $imageDigest }}
+ {{- $error := (printf "Image %s.%s has no digest" "common" $containerName ) }}
+ {{- fail $error }}
+ {{- end }}
+ {{- printf "%s@%s" $context.Values.global.modulesImages.registry.base $imageDigest }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_common_image_no_fail" (list . "") }} */ -}}
+{{- /* returns image name from common module if found */ -}}
+{{- define "helm_lib_module_common_image_no_fail" }}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}}
+ {{- $imageDigest := index $context.Values.global.modulesImages.digests "common" $containerName }}
+ {{- if $imageDigest }}
+ {{- printf "%s@%s" $context.Values.global.modulesImages.registry.base $imageDigest }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/helm_lib/templates/_module_ingress_class.tpl b/charts/helm_lib/templates/_module_ingress_class.tpl
new file mode 100644
index 0000000..db7f50b
--- /dev/null
+++ b/charts/helm_lib/templates/_module_ingress_class.tpl
@@ -0,0 +1,13 @@
+{{- /* Usage: {{ include "helm_lib_module_ingress_class" . }} */ -}}
+{{- /* returns ingress class from module settings or if not exists from global config */ -}}
+{{- define "helm_lib_module_ingress_class" -}}
+ {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+
+ {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}}
+
+ {{- if hasKey $module_values "ingressClass" -}}
+ {{- $module_values.ingressClass -}}
+ {{- else if hasKey $context.Values.global.modules "ingressClass" -}}
+ {{- $context.Values.global.modules.ingressClass -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/helm_lib/templates/_module_init_container.tpl b/charts/helm_lib/templates/_module_init_container.tpl
new file mode 100644
index 0000000..9b3fe00
--- /dev/null
+++ b/charts/helm_lib/templates/_module_init_container.tpl
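Review bot: The `{{- if not $imageDigest }}` guard in `helm_lib_module_image` is never reached when `$moduleName` itself is missing from `global.modulesImages.digests`: the two-key `index` call on the line above it stops rendering with Go's generic nil-index error before the guard runs, so the friendly `Image %s.%s has no digest` message appears only for a missing container under a module that does exist. The same line in `helm_lib_module_image_no_fail` means that helper, documented as returning nothing when the image is not found, aborts the render in that case. If the targeted Helm versions ship sprig's `dig`, `{{- $imageDigest := dig $moduleName $containerName "" $context.Values.global.modulesImages.digests }}` in both helpers lets a missing module fall through to the existing guard; otherwise an explicit `hasKey` check on the module level before the lookup does the same.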
@@ -0,0 +1,56 @@
+{{- /* ### Migration 11.12.2020: Remove this helper with all its usages after this commit reached RockSolid */ -}}
+{{- /* Usage: {{ include "helm_lib_module_init_container_chown_nobody_volume" (list . "volume-name") }} */ -}}
+{{- /* returns initContainer which chowns recursively all files and directories in passed volume */ -}}
+{{- define "helm_lib_module_init_container_chown_nobody_volume" }}
+ {{- $context := index . 0 -}}
+ {{- $volume_name := index . 1 -}}
+- name: chown-volume-{{ $volume_name }}
+ image: {{ include "helm_lib_module_common_image" (list $context "alpine") }}
+ command: ["sh", "-c", "chown -R 65534:65534 /tmp/{{ $volume_name }}"]
+ securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+ runAsGroup: 0
+ volumeMounts:
+ - name: {{ $volume_name }}
+ mountPath: /tmp/{{ $volume_name }}
+ resources:
+ requests:
+ {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 6 }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_init_container_chown_deckhouse_volume" (list . "volume-name") }} */ -}}
+{{- /* returns initContainer which chowns recursively all files and directories in passed volume */ -}}
+{{- define "helm_lib_module_init_container_chown_deckhouse_volume" }}
+ {{- $context := index . 0 -}}
+ {{- $volume_name := index . 1 -}}
+- name: chown-volume-{{ $volume_name }}
+ image: {{ include "helm_lib_module_common_image" (list $context "alpine") }}
+ command: ["sh", "-c", "chown -R 64535:64535 /tmp/{{ $volume_name }}"]
+ securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+ runAsGroup: 0
+ volumeMounts:
+ - name: {{ $volume_name }}
+ mountPath: /tmp/{{ $volume_name }}
+ resources:
+ requests:
+ {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 6 }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }} */ -}}
+{{- /* returns initContainer which checks the kernel version on the node for compliance to semver constraint */ -}}
+{{- define "helm_lib_module_init_container_check_linux_kernel" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $semver_constraint := index . 1 -}} {{- /* Semver constraint */ -}}
+- name: check-linux-kernel
+ image: {{ include "helm_lib_module_common_image" (list $context "checkKernelVersion") }}
+ {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 2 }}
+ env:
+ - name: KERNEL_CONSTRAINT
+ value: {{ $semver_constraint | quote }}
+ resources:
+ requests:
+ {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 6 }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_labels.tpl b/charts/helm_lib/templates/_module_labels.tpl
new file mode 100644
index 0000000..228dcf3
--- /dev/null
+++ b/charts/helm_lib/templates/_module_labels.tpl
@@ -0,0 +1,15 @@
+{{- /* Usage: {{ include "helm_lib_module_labels" (list . (dict "app" "test" "component" "testing")) }} */ -}}
+{{- /* returns deckhouse labels */ -}}
+{{- define "helm_lib_module_labels" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- /* Additional labels dict */ -}}
+labels:
+ heritage: deckhouse
+ module: {{ $context.Chart.Name }}
+ {{- if eq (len .) 2 }}
+ {{- $deckhouse_additional_labels := index . 1 }}
+ {{- range $key, $value := $deckhouse_additional_labels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_name.tpl b/charts/helm_lib/templates/_module_name.tpl
new file mode 100644
index 0000000..0fecf05
--- /dev/null
+++ b/charts/helm_lib/templates/_module_name.tpl
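Review bot: `helm_lib_module_init_container_chown_nobody_volume` and `helm_lib_module_init_container_chown_deckhouse_volume` hand `.` to `helm_lib_module_ephemeral_storage_only_logs`, while `helm_lib_module_init_container_check_linux_kernel` in the same hunk passes `$context`; inside these helpers `.` is the argument list, not the template context, so the two chown helpers should read `{{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 6 }}`. The kernel-check helper likewise passes `.` to `helm_lib_module_pod_security_context_run_as_user_deckhouse`; that helper ignores its argument in this commit, but `$context` there keeps the call sites uniform. Whether the ephemeral-storage helper actually reads its argument is not visible in this diff, so treat the first point as a latent rather than confirmed render failure.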
@@ -0,0 +1,11 @@
+{{- define "helm_lib_module_camelcase_name" -}}
+
+{{- $moduleName := "" -}}
+{{- if (kindIs "string" .) -}}
+{{- $moduleName = . | trimAll "\"" -}}
+{{- else -}}
+{{- $moduleName = .Chart.Name -}}
+{{- end -}}
+
+{{ $moduleName | replace "-" "_" | camelcase | untitle }}
+{{- end -}}
diff --git a/charts/helm_lib/templates/_module_public_domain.tpl b/charts/helm_lib/templates/_module_public_domain.tpl
new file mode 100644
index 0000000..bfbaae7
--- /dev/null
+++ b/charts/helm_lib/templates/_module_public_domain.tpl
@@ -0,0 +1,11 @@
+{{- /* Usage: {{ include "helm_lib_module_public_domain" (list . "") }} */ -}}
+{{- /* returns rendered publicDomainTemplate to service fqdn */ -}}
+{{- define "helm_lib_module_public_domain" }}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $name_portion := index . 1 -}} {{- /* Name portion */ -}}
+
+ {{- if not (contains "%s" $context.Values.global.modules.publicDomainTemplate) }}
+ {{ fail "Error!!! global.modules.publicDomainTemplate must contain \"%s\" pattern to render service fqdn!" }}
+ {{- end }}
+ {{- printf $context.Values.global.modules.publicDomainTemplate $name_portion }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_security_context.tpl b/charts/helm_lib/templates/_module_security_context.tpl
new file mode 100644
index 0000000..c726277
--- /dev/null
+++ b/charts/helm_lib/templates/_module_security_context.tpl
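Review bot: The `contains "%s"` guard in `helm_lib_module_public_domain` only proves that one `%s` verb is present; a `publicDomainTemplate` that also carries another `%` sequence (a stray `%d`, or a literal percent not written as `%%`) passes the check and `printf` on the last line then writes Go's `%!d(MISSING)`-style markers straight into the service FQDN with no error. If a single `%s` substitution is all that is intended, `{{- $context.Values.global.modules.publicDomainTemplate | replace "%s" $name_portion }}` leaves every other character untouched; if other verbs are deliberately allowed, the usage comment should say so.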
@@ -0,0 +1,199 @@
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_custom" (list . 1000 1000) }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with custom user and group */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_custom" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* User id */ -}}
+{{- /* Group id */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: {{ index . 1 }}
+ runAsGroup: {{ index . 2 }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_nobody" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "nobody" */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_nobody" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "deckhouse" */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_deckhouse" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 64535
+ runAsGroup: 64535
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 64535
+ runAsGroup: 64535
+ fsGroup: 64535
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards */ -}}
+{{- define "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ runAsGroup: 64535
+ runAsNonRoot: true
+ runAsUser: 64535
+ seccompProfile:
+ type: RuntimeDefault
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_run_as_user_root" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with user and group 0 */ -}}
+{{- define "helm_lib_module_pod_security_context_run_as_user_root" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+ runAsGroup: 0
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_pod_security_context_runtime_default" . }} */ -}}
+{{- /* returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault */ -}}
+{{- define "helm_lib_module_pod_security_context_runtime_default" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with allowPrivilegeEscalation false */ -}}
+{{- define "helm_lib_module_container_security_context_not_allow_privilege_escalation" -}}
+securityContext:
+ allowPrivilegeEscalation: false
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility*/ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: 's0'
+ type: 'spc_t'
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem */ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_privileged" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container running privileged */ -}}
+{{- define "helm_lib_module_container_security_context_privileged" -}}
+securityContext:
+ privileged: true
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container running privileged with escalation and sys_admin */ -}}
+{{- define "helm_lib_module_container_security_context_escalated_sys_admin_privileged" -}}
+securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ privileged: true
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container running privileged with read only root filesystem */ -}}
+{{- define "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ privileged: true
+ readOnlyRootFilesystem: true
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . }} */ -}}
+{{- /* returns SecurityContext for Container with read only root filesystem and all capabilities dropped */ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities */ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* List of capabilities */ -}}
+securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add: {{ index . 1 | toJson }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }} */ -}}
+{{- /* returns SecurityContext parameters for Container with all dropped and some added capabilities */ -}}
+{{- define "helm_lib_module_container_security_context_capabilities_drop_all_and_add" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* List of capabilities */ -}}
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add: {{ index . 1 | toJson }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 1000 1000) }} */ -}}
+{{- /* returns SecurityContext parameters for Container with read only root filesystem, all dropped, and custom user ID */ -}}
+{{- define "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+{{- /* User id */ -}}
+{{- /* Group id */ -}}
+securityContext:
+ runAsUser: {{ index . 1 }}
+ runAsGroup: {{ index . 2 }}
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+{{- end }}
diff --git a/charts/helm_lib/templates/_module_storage_class.tpl b/charts/helm_lib/templates/_module_storage_class.tpl
new file mode 100644
index 0000000..cf761a5
--- /dev/null
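Review bot: `helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted` drops `- all` in lowercase, whereas every other helper in this file drops `- ALL`; the Pod Security Standards `restricted` profile is defined in terms of the literal `ALL` and Pod Security Admission compares that value case-sensitively, so a container that relies on this helper for PSS compliance is likely to be rejected in a namespace enforcing `restricted`. Change it to `- ALL` to match the rest of the file. Separately, `helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux` sets `type: 'spc_t'`, the super-privileged container type that effectively lifts SELinux confinement, while its comment describes this only as "options for SELinux compatibility"; a line such as `{{- /* NOTE: spc_t runs the container unconfined by SELinux; use only where that is required */ -}}` would make the trade-off visible to callers.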
+++ b/charts/helm_lib/templates/_module_storage_class.tpl
@@ -0,0 +1,38 @@
+{{- /* Usage: {{ include "helm_lib_module_storage_class_annotations" (list $ $index $storageClass.name) }} */ -}}
+{{- /* return module StorageClass annotations */ -}}
+{{- define "helm_lib_module_storage_class_annotations" -}}
+ {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $sc_index := index . 1 -}} {{- /* Storage class index */ -}}
+ {{- $sc_name := index . 2 -}} {{- /* Storage class name */ -}}
+ {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) -}}
+ {{- $annotations := dict -}}
+
+ {{- $volume_expansion_mode_offline := false -}}
+ {{- range $module_name := list "cloud-provider-azure" "cloud-provider-yandex" "cloud-provider-vsphere" "cloud-provider-vcd"}}
+ {{- if has $module_name $context.Values.global.enabledModules }}
+ {{- $volume_expansion_mode_offline = true }}
+ {{- end }}
+ {{- end }}
+
+ {{- if $volume_expansion_mode_offline }}
+ {{- $_ := set $annotations "storageclass.deckhouse.io/volume-expansion-mode" "offline" }}
+ {{- end }}
+
+ {{- if hasKey $module_values.internal "defaultStorageClass" }}
+ {{- if eq $module_values.internal.defaultStorageClass $sc_name }}
+ {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }}
+ {{- end }}
+ {{- else }}
+ {{- if eq $sc_index 0 }}
+ {{- if $context.Values.global.discovery.defaultStorageClass }}
+ {{- if eq $context.Values.global.discovery.defaultStorageClass $sc_name }}
+ {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }}
+ {{- end }}
+ {{- else }}
+ {{- $_ := set $annotations "storageclass.kubernetes.io/is-default-class" "true" }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+{{- (dict "annotations" $annotations) | toYaml -}}
+{{- end -}}
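Review bot: `hasKey $module_values.internal "defaultStorageClass"` in `helm_lib_module_storage_class_annotations` assumes `$module_values.internal` is a map; if a module's values carry no `internal` section, sprig's `hasKey` receives a nil and the render fails with a type error instead of reaching the `else` branch that falls back to `global.discovery.defaultStorageClass`. Wrapping the lookup as `{{- if and $module_values.internal (hasKey $module_values.internal "defaultStorageClass") }}` (or an outer `{{- if $module_values.internal }}` on Helm builds whose `and` does not short-circuit) keeps the fallback reachable. Whether every caller guarantees `internal` is present is not visible in this diff.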
diff --git a/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl b/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl
new file mode 100644
index 0000000..ebbcefb
--- /dev/null
+++ b/charts/helm_lib/templates/_monitoring_grafana_dashboards.tpl
@@ -0,0 +1,68 @@
+{{- /* Usage: {{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . [current dir]) }} */ -}}
+{{- /* returns all the dashboard-definintions from / */ -}}
+{{- /* current dir is optional — used for recursion but you can use it for partially generating dashboards */ -}}
+{{- define "helm_lib_grafana_dashboard_definitions_recursion" -}}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $rootDir := index . 1 }} {{- /* Dashboards root dir */ -}}
+ {{- /* Dashboards current dir */ -}}
+
+ {{- $currentDir := "" }}
+ {{- if gt (len .) 2 }} {{- $currentDir = index . 2 }} {{- else }} {{- $currentDir = $rootDir }} {{- end }}
+
+ {{- $currentDirIndex := (sub ($currentDir | splitList "/" | len) 1) }}
+ {{- $rootDirIndex := (sub ($rootDir | splitList "/" | len) 1) }}
+ {{- $folderNamesIndex := (add1 $rootDirIndex) }}
+
+ {{- range $path, $_ := $context.Files.Glob (print $currentDir "/*.json") }}
+ {{- $fileName := ($path | splitList "/" | last ) }}
+ {{- $definition := ($context.Files.Get $path) }}
+
+ {{- $folder := (index ($currentDir | splitList "/") $folderNamesIndex | replace "-" " " | title) }}
+ {{- $resourceName := (regexReplaceAllLiteral "\\.json$" $path "") }}
+ {{- $resourceName = ($resourceName | replace " " "-" | replace "." "-" | replace "_" "-") }}
+ {{- $resourceName = (slice ($resourceName | splitList "/") $folderNamesIndex | join "-") }}
+ {{- $resourceName = (printf "%s-%s" $context.Chart.Name $resourceName) }}
+
+{{ include "helm_lib_single_dashboard" (list $context $resourceName $folder $definition) }}
+ {{- end }}
+
+ {{- $subDirs := list }}
+ {{- range $path, $_ := ($context.Files.Glob (print $currentDir "/**.json")) }}
+ {{- $pathSlice := ($path | splitList "/") }}
+ {{- $subDirs = append $subDirs (slice $pathSlice 0 (add $currentDirIndex 2) | join "/") }}
+ {{- end }}
+
+ {{- range $subDir := ($subDirs | uniq) }}
+{{ include "helm_lib_grafana_dashboard_definitions_recursion" (list $context $rootDir $subDir) }}
+ {{- end }}
+{{- end }}
+
+
+{{- /* Usage: {{ include "helm_lib_grafana_dashboard_definitions" . }} */ -}}
+{{- /* returns dashboard-definintions from monitoring/grafana-dashboards/ */ -}}
+{{- define "helm_lib_grafana_dashboard_definitions" -}}
+ {{- $context := . }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- if ( $context.Values.global.enabledModules | has "prometheus-crd" ) }}
+{{- include "helm_lib_grafana_dashboard_definitions_recursion" (list $context "monitoring/grafana-dashboards") }}
+ {{- end }}
+{{- end }}
+
+
+{{- /* Usage: {{ include "helm_lib_single_dashboard" (list . "dashboard-name" "folder" $dashboard) }} */ -}}
+{{- /* renders a single dashboard */ -}}
+{{- define "helm_lib_single_dashboard" -}}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $resourceName := index . 1 }} {{- /* Dashboard name */ -}}
+ {{- $folder := index . 2 }} {{- /* Folder */ -}}
+ {{- $definition := index . 3 }} {{/* Dashboard definition */}}
+---
+apiVersion: deckhouse.io/v1
+kind: GrafanaDashboardDefinition
+metadata:
+ name: d8-{{ $resourceName }}
+ {{- include "helm_lib_module_labels" (list $context (dict "prometheus.deckhouse.io/grafana-dashboard" "")) | nindent 2 }}
+spec:
+ folder: "{{ $folder }}"
+ definition: |
+ {{- $definition | nindent 4 }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl
new file mode 100644
index 0000000..794fe30
--- /dev/null
+++ b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl
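Review bot: The usage comment on `helm_lib_grafana_dashboard_definitions_recursion` reads `(list . [current dir])`, but the helper takes the dashboards root dir from index 1 and only treats index 2 as the optional current dir, so the comment omits a required argument; the wrapper below it calls it as `(list $context "monitoring/grafana-dashboards")`. Suggest `{{- /* Usage: {{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . "root dir" [current dir]) }} */ -}}`. `$fileName` is assigned inside the glob loop and never read. In `helm_lib_single_dashboard`, `folder: "{{ $folder }}"` interpolates an unescaped string inside YAML double quotes; `folder: {{ $folder | quote }}` is the safer spelling, consistent with the `| quote` used elsewhere in this chart.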
@@ -0,0 +1,96 @@
+{{- /* Usage: {{ include "helm_lib_prometheus_rules_recursion" (list . [current dir]) }} */ -}}
+{{- /* returns all the prometheus rules from / */ -}}
+{{- /* current dir is optional — used for recursion but you can use it for partially generating rules */ -}}
+{{- define "helm_lib_prometheus_rules_recursion" -}}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $namespace := index . 1 }} {{- /* Namespace for creating rules */ -}}
+ {{- $rootDir := index . 2 }} {{- /* Rules root dir */ -}}
+ {{- $currentDir := "" }} {{- /* Current dir (optional) */ -}}
+ {{- if gt (len .) 3 }} {{- $currentDir = index . 3 }} {{- else }} {{- $currentDir = $rootDir }} {{- end }}
+ {{- $currentDirIndex := (sub ($currentDir | splitList "/" | len) 1) }}
+ {{- $rootDirIndex := (sub ($rootDir | splitList "/" | len) 1) }}
+ {{- $folderNamesIndex := (add1 $rootDirIndex) }}
+
+ {{- range $path, $_ := $context.Files.Glob (print $currentDir "/*.{yaml,tpl}") }}
+ {{- $fileName := ($path | splitList "/" | last ) }}
+ {{- $definition := "" }}
+ {{- if eq ($path | splitList "." | last) "tpl" -}}
+ {{- $definition = tpl ($context.Files.Get $path) $context }}
+ {{- else }}
+ {{- $definition = $context.Files.Get $path }}
+ {{- end }}
+
+ {{- $definition = $definition | replace "__SCRAPE_INTERVAL__" (printf "%ds" ($context.Values.global.discovery.prometheusScrapeInterval | default 30)) | replace "__SCRAPE_INTERVAL_X_2__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 2)) | replace "__SCRAPE_INTERVAL_X_3__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 3)) | replace "__SCRAPE_INTERVAL_X_4__" (printf "%ds" (mul ($context.Values.global.discovery.prometheusScrapeInterval | default 30) 4)) }}
+
+{{/* Patch expression based on `d8_ignore_on_update` annotation*/}}
+
+
+ {{ $definition = printf "Rules:\n%s" ($definition | nindent 2) }}
+ {{- $definitionStruct := ( $definition | fromYaml )}}
+ {{- if $definitionStruct.Error }}
+ {{- fail ($definitionStruct.Error | toString) }}
+ {{- end }}
+ {{- range $rule := $definitionStruct.Rules }}
+
+ {{- range $dedicatedRule := $rule.rules }}
+ {{- if $dedicatedRule.annotations }}
+ {{- if (eq (get $dedicatedRule.annotations "d8_ignore_on_update") "true") }}
+ {{- $_ := set $dedicatedRule "expr" (printf "(%s) and ON() ((max(d8_is_updating) != 1) or ON() absent(d8_is_updating))" $dedicatedRule.expr) }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{- end }}
+
+ {{ $definition = $definitionStruct.Rules | toYaml }}
+
+ {{- $resourceName := (regexReplaceAllLiteral "\\.(yaml|tpl)$" $path "") }}
+ {{- $resourceName = ($resourceName | replace " " "-" | replace "." "-" | replace "_" "-") }}
+ {{- $resourceName = (slice ($resourceName | splitList "/") $folderNamesIndex | join "-") }}
+ {{- $resourceName = (printf "%s-%s" $context.Chart.Name $resourceName) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ $resourceName }}
+ namespace: {{ $namespace }}
+ {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }}
+spec:
+ groups:
+ {{- $definition | nindent 4 }}
+ {{- end }}
+
+ {{- $subDirs := list }}
+ {{- range $path, $_ := ($context.Files.Glob (print $currentDir "/**.{yaml,tpl}")) }}
+ {{- $pathSlice := ($path | splitList "/") }}
+ {{- $subDirs = append $subDirs (slice $pathSlice 0 (add $currentDirIndex 2) | join "/") }}
+ {{- end }}
+
+ {{- range $subDir := ($subDirs | uniq) }}
+{{ include "helm_lib_prometheus_rules_recursion" (list $context $namespace $rootDir $subDir) }}
+ {{- end }}
+{{- end }}
+
+
+{{- /* Usage: {{ include "helm_lib_prometheus_rules" (list . ) }} */ -}}
+{{- /* returns all the prometheus rules from monitoring/prometheus-rules/ */ -}}
+{{- define "helm_lib_prometheus_rules" -}}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $namespace := index . 1 }} {{- /* Namespace for creating rules */ -}}
+ {{- if ( $context.Values.global.enabledModules | has "operator-prometheus-crd" ) }}
+{{- include "helm_lib_prometheus_rules_recursion" (list $context $namespace "monitoring/prometheus-rules") }}
+ {{- end }}
+{{- end }}
+
+{{- /* Usage: {{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list . ) }} */ -}}
+{{- /* returns adjust timeout value to scrape interval / */ -}}
+{{- define "helm_lib_prometheus_target_scrape_timeout_seconds" -}}
+ {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}}
+ {{- $timeout := index . 1 }} {{- /* Target timeout in seconds */ -}}
+ {{- $scrape_interval := (int $context.Values.global.discovery.prometheusScrapeInterval | default 30) }}
+ {{- if gt $timeout $scrape_interval -}}
+{{ $scrape_interval }}s
+ {{- else -}}
+{{ $timeout }}s
+ {{- end }}
+{{- end }}
diff --git a/charts/helm_lib/templates/_node_affinity.tpl b/charts/helm_lib/templates/_node_affinity.tpl
new file mode 100644
index 0000000..cbdd0f9
--- /dev/null
+++ b/charts/helm_lib/templates/_node_affinity.tpl
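Review bot: `eq (get $dedicatedRule.annotations "d8_ignore_on_update") "true"` in `helm_lib_prometheus_rules_recursion` compares whatever YAML type the annotation was written in against a string; a rule file with an unquoted `d8_ignore_on_update: true` yields a boolean, and Go templates reject `eq` between a bool and a string with an incompatible-types error, so the whole render aborts instead of the rule being patched or skipped. Normalising first, `{{- if eq (get $dedicatedRule.annotations "d8_ignore_on_update" | toString) "true" }}`, accepts both spellings. The usage comments in this hunk are also out of step with the signatures: `helm_lib_prometheus_rules_recursion` is documented as `(list . [current dir])` but reads the namespace and root dir at indexes 1 and 2, and `helm_lib_prometheus_rules` and `helm_lib_prometheus_target_scrape_timeout_seconds` are documented as `(list . )` although each requires a second argument (a namespace and a timeout respectively). `$fileName` is assigned in the glob loop and never read.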
@@ -0,0 +1,256 @@ +{{- /* Verify node selector strategy. */ -}} +{{- define "helm_lib_internal_check_node_selector_strategy" -}} + {{ if not (has . (list "frontend" "monitoring" "system" "master" )) }} + {{- fail (printf "unknown strategy \"%v\"" .) }} + {{- end }} + {{- . -}} +{{- end }} + +{{- /* Returns node selector for workloads depend on strategy. */ -}} +{{- define "helm_lib_node_selector" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $strategy := index . 1 | include "helm_lib_internal_check_node_selector_strategy" }} {{- /* strategy, one of "frontend" "monitoring" "system" "master" "any-node" "wildcard" */ -}} + {{- $module_values := dict }} + {{- if lt (len .) 3 }} + {{- $module_values = (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }} + {{- else }} + {{- $module_values = index . 2 }} + {{- end }} + {{- $camel_chart_name := (include "helm_lib_module_camelcase_name" $context) }} + + {{- if eq $strategy "monitoring" }} + {{- if $module_values.nodeSelector }} +nodeSelector: {{ $module_values.nodeSelector | toJson }} + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $camel_chart_name | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$context.Chart.Name}}: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $strategy | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$strategy}}: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "system" | int) 0 }} +nodeSelector: + node-role.deckhouse.io/system: "" + {{- end }} + + {{- else if or (eq $strategy "frontend") (eq $strategy "system") }} + {{- if $module_values.nodeSelector }} +nodeSelector: {{ $module_values.nodeSelector | toJson }} + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole $camel_chart_name | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$context.Chart.Name}}: "" + {{- else if gt 
(index $context.Values.global.discovery.d8SpecificNodeCountByRole $strategy | int) 0 }} +nodeSelector: + node-role.deckhouse.io/{{$strategy}}: "" + {{- end }} + + {{- else if eq $strategy "master" }} + {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 0 }} +nodeSelector: + node-role.kubernetes.io/control-plane: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }} +nodeSelector: + node-role.deckhouse.io/control-plane: "" + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "system" | int) 0 }} +nodeSelector: + node-role.deckhouse.io/system: "" + {{- end }} + {{- end }} +{{- end }} + + +{{- /* Returns tolerations for workloads depend on strategy. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized" "without-storage-problems") }} */ -}} +{{- define "helm_lib_tolerations" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $strategy := index . 1 | include "helm_lib_internal_check_tolerations_strategy" }} {{- /* base strategy, one of "frontend" "monitoring" "system" any-node" "wildcard" */ -}} + {{- $additionalStrategies := tuple }} {{- /* list of additional strategies. To add strategy list it with prefix "with-", to remove strategy list it with prefix "without-". */ -}} + {{- if eq $strategy "custom" }} + {{ if lt (len .) 3 }} + {{- fail (print "additional strategies is required") }} + {{- end }} + {{- else }} + {{- $additionalStrategies = tuple "storage-problems" }} + {{- end }} + {{- $module_values := (index $context.Values (include "helm_lib_module_camelcase_name" $context)) }} + {{- if gt (len .) 2 }} + {{- range $as := slice . 2 (len .) 
}} + {{- if hasPrefix "with-" $as }} + {{- $additionalStrategies = mustAppend $additionalStrategies (trimPrefix "with-" $as) }} + {{- end }} + {{- if hasPrefix "without-" $as }} + {{- $additionalStrategies = mustWithout $additionalStrategies (trimPrefix "without-" $as) }} + {{- end }} + {{- end }} + {{- end }} +tolerations: + {{- /* Wildcard: gives permissions to schedule on any node with any taints (use with caution) */ -}} + {{- if eq $strategy "wildcard" }} + {{- include "_helm_lib_wildcard_tolerations" $context }} + + {{- else }} + {{- /* Any node: any node in the cluster with any known taints */ -}} + {{- if eq $strategy "any-node" }} + {{- include "_helm_lib_any_node_tolerations" $context }} + + {{- /* Tolerations from module config: overrides below strategies, if there is any toleration specified */ -}} + {{- else if $module_values.tolerations }} + {{- $module_values.tolerations | toYaml | nindent 0 }} + + {{- /* Monitoring: Nodes for monitoring components: prometheus, grafana, kube-state-metrics, etc. */ -}} + {{- else if eq $strategy "monitoring" }} + {{- include "_helm_lib_monitoring_tolerations" $context }} + + {{- /* Frontend: Nodes for ingress-controllers */ -}} + {{- else if eq $strategy "frontend" }} + {{- include "_helm_lib_frontend_tolerations" $context }} + + {{- /* System: Nodes for system components: prometheus, dns, cert-manager */ -}} + {{- else if eq $strategy "system" }} + {{- include "_helm_lib_system_tolerations" $context }} + {{- end }} + + {{- /* Additional strategies */ -}} + {{- range $additionalStrategies -}} + {{- include (printf "_helm_lib_additional_tolerations_%s" (. | replace "-" "_")) $context }} + {{- end }} + {{- end }} +{{- end }} + + +{{- /* Check cluster type. 
*/ -}} +{{- /* Returns not empty string if this is cloud or hybrid cluster */ -}} +{{- define "_helm_lib_cloud_or_hybrid_cluster" }} + {{- if .Values.global.clusterConfiguration }} + {{- if eq .Values.global.clusterConfiguration.clusterType "Cloud" }} + "not empty string" + {{- /* We consider non-cloud clusters with enabled cloud-provider-.* module as Hybrid clusters */ -}} + {{- else }} + {{- range $v := .Values.global.enabledModules }} + {{- if hasPrefix "cloud-provider-" $v }} + "not empty string" + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- /* Verify base strategy. */ -}} +{{- /* Fails if strategy not in allowed list */ -}} +{{- define "helm_lib_internal_check_tolerations_strategy" -}} + {{ if not (has . (list "custom" "frontend" "monitoring" "system" "any-node" "wildcard" )) }} + {{- fail (printf "unknown strategy \"%v\"" .) }} + {{- end }} + {{- . -}} +{{- end }} + + +{{- /* Base strategy for any uncordoned node in cluster. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node") }} */ -}} +{{- define "_helm_lib_any_node_tolerations" }} +- key: node-role.kubernetes.io/master +- key: node-role.kubernetes.io/control-plane +- key: dedicated.deckhouse.io + operator: "Exists" +- key: dedicated + operator: "Exists" +- key: DeletionCandidateOfClusterAutoscaler +- key: ToBeDeletedByClusterAutoscaler + {{- if .Values.global.modules.placement.customTolerationKeys }} + {{- range $key := .Values.global.modules.placement.customTolerationKeys }} +- key: {{ $key | quote }} + operator: "Exists" + {{- end }} + {{- end }} +{{- end }} + +{{- /* Base strategy that tolerates all. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "wildcard") }} */ -}} +{{- define "_helm_lib_wildcard_tolerations" }} +- operator: "Exists" +{{- end }} + +{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: monitoring" and "dedicated.deckhouse.io: system" taints. 
*/ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "monitoring") }} */ -}} +{{- define "_helm_lib_monitoring_tolerations" }} +- key: dedicated.deckhouse.io + operator: Equal + value: {{ .Chart.Name | quote }} +- key: dedicated.deckhouse.io + operator: Equal + value: "monitoring" +- key: dedicated.deckhouse.io + operator: Equal + value: "system" +{{- end }} + +{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: frontend" taints. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "frontend") }} */ -}} +{{- define "_helm_lib_frontend_tolerations" }} +- key: dedicated.deckhouse.io + operator: Equal + value: {{ .Chart.Name | quote }} +- key: dedicated.deckhouse.io + operator: Equal + value: "frontend" +{{- end }} + +{{- /* Base strategy that tolerates nodes with "dedicated.deckhouse.io: system" taints. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "system") }} */ -}} +{{- define "_helm_lib_system_tolerations" }} +- key: dedicated.deckhouse.io + operator: Equal + value: {{ .Chart.Name | quote }} +- key: dedicated.deckhouse.io + operator: Equal + value: "system" +{{- end }} + + +{{- /* Additional strategy "uninitialized" - used for CNI's and kube-proxy to allow cni components scheduled on node after CCM initialization. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") }} */ -}} +{{- define "_helm_lib_additional_tolerations_uninitialized" }} +- key: node.deckhouse.io/uninitialized + operator: "Exists" + effect: "NoSchedule" + {{- if include "_helm_lib_cloud_or_hybrid_cluster" . }} + {{- include "_helm_lib_additional_tolerations_no_csi" . }} + {{- end }} + {{- include "_helm_lib_additional_tolerations_node_problems" . }} +{{- end }} + +{{- /* Additional strategy "node-problems" - used for shedule critical components on non-ready nodes or nodes under pressure. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . 
"any-node" "with-node-problems") }} */ -}} +{{- define "_helm_lib_additional_tolerations_node_problems" }} +- key: node.kubernetes.io/not-ready +- key: node.kubernetes.io/out-of-disk +- key: node.kubernetes.io/memory-pressure +- key: node.kubernetes.io/disk-pressure +- key: node.kubernetes.io/pid-pressure +- key: node.kubernetes.io/unreachable +- key: node.kubernetes.io/network-unavailable +{{- end }} + +{{- /* Additional strategy "storage-problems" - used for shedule critical components on nodes with drbd problems. This additional strategy enabled by default in any base strategy except "wildcard". */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "without-storage-problems") }} */ -}} +{{- define "_helm_lib_additional_tolerations_storage_problems" }} +- key: drbd.linbit.com/lost-quorum +- key: drbd.linbit.com/force-io-error +- key: drbd.linbit.com/ignore-fail-over +{{- end }} + +{{- /* Additional strategy "no-csi" - used for any node with no CSI: any node, which was initialized by deckhouse, but have no csi-node driver registered on it. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-no-csi") }} */ -}} +{{- define "_helm_lib_additional_tolerations_no_csi" }} +- key: node.deckhouse.io/csi-not-bootstrapped + operator: "Exists" + effect: "NoSchedule" +{{- end }} + +{{- /* Additional strategy "cloud-provider-uninitialized" - used for any node which is not initialized by CCM. */ -}} +{{- /* Usage: {{ include "helm_lib_tolerations" (tuple . "any-node" "with-cloud-provider-uninitialized") }} */ -}} +{{- define "_helm_lib_additional_tolerations_cloud_provider_uninitialized" }} + {{- if not .Values.global.clusterIsBootstrapped }} +- key: node.cloudprovider.kubernetes.io/uninitialized + operator: Exists + {{- end }} +{{- end }} diff --git a/charts/helm_lib/templates/_pod_disruption_budget.tpl b/charts/helm_lib/templates/_pod_disruption_budget.tpl new file mode 100644 index 0000000..ccd4f21 --- /dev/null 
+++ b/charts/helm_lib/templates/_pod_disruption_budget.tpl @@ -0,0 +1,6 @@ +{{- /* Usage: {{ include "helm_lib_pdb_daemonset" . }} */ -}} +{{- /* Returns PDB max unavailable */ -}} +{{- define "helm_lib_pdb_daemonset" }} + {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}} +maxUnavailable: 10% +{{- end -}} diff --git a/charts/helm_lib/templates/_priority_class.tpl b/charts/helm_lib/templates/_priority_class.tpl new file mode 100644 index 0000000..5935445 --- /dev/null +++ b/charts/helm_lib/templates/_priority_class.tpl @@ -0,0 +1,9 @@ +{{- /* Usage: {{ include "helm_lib_priority_class" (tuple . "priority-class-name") }} /* -}} +{{- /* returns priority class if priority-class module enabled, otherwise returns nothing */ -}} +{{- define "helm_lib_priority_class" }} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $priorityClassName := index . 1 }} {{- /* Priority class name */ -}} + {{- if ( $context.Values.global.enabledModules | has "priority-class") }} +priorityClassName: {{ $priorityClassName }} + {{- end }} +{{- end -}} diff --git a/charts/helm_lib/templates/_resources_management.tpl b/charts/helm_lib/templates/_resources_management.tpl new file mode 100644 index 0000000..dff75c1 --- /dev/null +++ b/charts/helm_lib/templates/_resources_management.tpl 
@@ -0,0 +1,160 @@ +{{- /* Usage: {{ include "helm_lib_resources_management_pod_resources" (list [ephemeral storage requests]) }} */ -}} +{{- /* returns rendered resources section based on configuration if it is */ -}} +{{- define "helm_lib_resources_management_pod_resources" -}} + {{- $configuration := index . 0 -}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}} + {{- /* Ephemeral storage requests */ -}} + + {{- $ephemeral_storage := "50Mi" -}} + {{- if eq (len .) 2 -}} + {{- $ephemeral_storage = index . 1 -}} + {{- end -}} + + {{- $pod_resources := (include "helm_lib_resources_management_original_pod_resources" $configuration | fromYaml) -}} + {{- if not (hasKey $pod_resources "requests") -}} + {{- $_ := set $pod_resources "requests" (dict) -}} + {{- end -}} + {{- $_ := set $pod_resources.requests "ephemeral-storage" $ephemeral_storage -}} + + {{- $pod_resources | toYaml -}} +{{- end -}} + + +{{- /* Usage: {{ include "helm_lib_resources_management_original_pod_resources" }} */ -}} +{{- /* returns rendered resources section based on configuration if it is present */ -}} +{{- define "helm_lib_resources_management_original_pod_resources" -}} + {{- $configuration := . 
-}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}} + + {{- if $configuration -}} + {{- if eq $configuration.mode "Static" -}} +{{- $configuration.static | toYaml -}} + + {{- else if eq $configuration.mode "VPA" -}} + {{- $resources := dict "requests" (dict) "limits" (dict) -}} + + {{- if $configuration.vpa.cpu -}} + {{- if $configuration.vpa.cpu.min -}} + {{- $_ := set $resources.requests "cpu" ($configuration.vpa.cpu.min | toString) -}} + {{- end -}} + {{- if $configuration.vpa.cpu.limitRatio -}} + {{- $cpuLimitMillicores := round (mulf (include "helm_lib_resources_management_cpu_units_to_millicores" $configuration.vpa.cpu.min) $configuration.vpa.cpu.limitRatio) 0 | int64 -}} + {{- $_ := set $resources.limits "cpu" (printf "%dm" $cpuLimitMillicores) -}} + {{- end -}} + {{- end -}} + + {{- if $configuration.vpa.memory -}} + {{- if $configuration.vpa.memory.min -}} + {{- $_ := set $resources.requests "memory" ($configuration.vpa.memory.min | toString) -}} + {{- end -}} + {{- if $configuration.vpa.memory.limitRatio -}} + {{- $memoryLimitBytes := round (mulf (include "helm_lib_resources_management_memory_units_to_bytes" $configuration.vpa.memory.min) $configuration.vpa.memory.limitRatio) 0 | int64 -}} + {{- $_ := set $resources.limits "memory" (printf "%d" $memoryLimitBytes) -}} + {{- end -}} + {{- end -}} +{{- $resources | toYaml -}} + + {{- else -}} + {{- cat "ERROR: unknown resource management mode: " $configuration.mode | fail -}} + {{- end -}} + {{- end -}} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_resources_management_vpa_spec" (list ) }} */ -}} +{{- /* returns rendered vpa spec based on configuration and target reference */ -}} +{{- define "helm_lib_resources_management_vpa_spec" -}} + {{- $targetAPIVersion := index . 0 -}} {{- /* Target API version */ -}} + {{- $targetKind := index . 
1 -}} {{- /* Target Kind */ -}} + {{- $targetName := index . 2 -}} {{- /* Target Name */ -}} + {{- $targetContainer := index . 3 -}} {{- /* Target container name */ -}} + {{- $configuration := index . 4 -}} {{- /* VPA resource configuration [example](https://deckhouse.io/documentation/v1/modules/110-istio/configuration.html#parameters-controlplane-resourcesmanagement) */ -}} + +targetRef: + apiVersion: {{ $targetAPIVersion }} + kind: {{ $targetKind }} + name: {{ $targetName }} + {{- if eq ($configuration.mode) "VPA" }} +updatePolicy: + updateMode: {{ $configuration.vpa.mode | quote }} +resourcePolicy: + containerPolicies: + - containerName: {{ $targetContainer }} + maxAllowed: + cpu: {{ $configuration.vpa.cpu.max | quote }} + memory: {{ $configuration.vpa.memory.max | quote }} + minAllowed: + cpu: {{ $configuration.vpa.cpu.min | quote }} + memory: {{ $configuration.vpa.memory.min | quote }} + controlledValues: RequestsAndLimits + {{- else }} +updatePolicy: + updateMode: "Off" + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_resources_management_cpu_units_to_millicores" }} */ -}} +{{- /* helper for converting cpu units to millicores */ -}} +{{- define "helm_lib_resources_management_cpu_units_to_millicores" -}} + {{- $units := . | toString -}} + {{- if hasSuffix "m" $units -}} + {{- trimSuffix "m" $units -}} + {{- else -}} + {{- atoi $units | mul 1000 -}} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_resources_management_memory_units_to_bytes" }} */ -}} +{{- /* helper for converting memory units to bytes */ -}} +{{- define "helm_lib_resources_management_memory_units_to_bytes" }} + {{- $units := . 
| toString -}} + {{- if hasSuffix "k" $units -}} + {{- trimSuffix "k" $units | atoi | mul 1000 -}} + {{- else if hasSuffix "M" $units -}} + {{- trimSuffix "M" $units | atoi | mul 1000000 -}} + {{- else if hasSuffix "G" $units -}} + {{- trimSuffix "G" $units | atoi | mul 1000000000 -}} + {{- else if hasSuffix "T" $units -}} + {{- trimSuffix "T" $units | atoi | mul 1000000000000 -}} + {{- else if hasSuffix "P" $units -}} + {{- trimSuffix "P" $units | atoi | mul 1000000000000000 -}} + {{- else if hasSuffix "E" $units -}} + {{- trimSuffix "E" $units | atoi | mul 1000000000000000000 -}} + {{- else if hasSuffix "Ki" $units -}} + {{- trimSuffix "Ki" $units | atoi | mul 1024 -}} + {{- else if hasSuffix "Mi" $units -}} + {{- trimSuffix "Mi" $units | atoi | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Gi" $units -}} + {{- trimSuffix "Gi" $units | atoi | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Ti" $units -}} + {{- trimSuffix "Ti" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Pi" $units -}} + {{- trimSuffix "Pi" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if hasSuffix "Ei" $units -}} + {{- trimSuffix "Ei" $units | atoi | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 | mul 1024 -}} + {{- else if regexMatch "^[0-9]+$" $units -}} + {{- $units -}} + {{- else -}} + {{- cat "ERROR: unknown memory format:" $units | fail -}} + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_vpa_kube_rbac_proxy_resources" . }} */ -}} +{{- /* helper for VPA resources for kube_rbac_proxy */ -}} +{{- define "helm_lib_vpa_kube_rbac_proxy_resources" }} +{{- /* Template context with .Values, .Chart, etc */ -}} +- containerName: kube-rbac-proxy + minAllowed: + {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 4 }} + maxAllowed: + cpu: 20m + memory: 25Mi +{{- end }} + +{{- /* Usage: {{ include "helm_lib_container_kube_rbac_proxy_resources" . 
}} */ -}} +{{- /* helper for container resources for kube_rbac_proxy */ -}} +{{- define "helm_lib_container_kube_rbac_proxy_resources" }} +{{- /* Template context with .Values, .Chart, etc */ -}} +cpu: 10m +memory: 25Mi +{{- end }} diff --git a/charts/helm_lib/templates/_spec_for_high_availability.tpl b/charts/helm_lib/templates/_spec_for_high_availability.tpl new file mode 100644 index 0000000..8bfbf9e --- /dev/null +++ b/charts/helm_lib/templates/_spec_for_high_availability.tpl 
@@ -0,0 +1,138 @@ +{{- /* Usage: {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "test")) }} */ -}} +{{- /* returns pod affinity spec */ -}} +{{- define "helm_lib_pod_anti_affinity_for_ha" }} +{{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc */ -}} +{{- $labels := index . 1 }} {{- /* Match labels for podAntiAffinity label selector */ -}} + {{- if (include "helm_lib_ha_enabled" $context) }} +affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- range $key, $value := $labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: kubernetes.io/hostname + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} */ -}} +{{- /* returns deployment strategy and replicas for ha components running on master nodes */ -}} +{{- define "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" }} +{{- /* Template context with .Values, .Chart, etc */ -}} + {{- if (include "helm_lib_ha_enabled" .) 
}} + {{- if gt (index .Values.global.discovery "clusterMasterCount" | int) 0 }} +replicas: {{ index .Values.global.discovery "clusterMasterCount" }} +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + {{- if gt (index .Values.global.discovery "clusterMasterCount" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- else if gt (index .Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }} +replicas: {{ index .Values.global.discovery.d8SpecificNodeCountByRole "master" }} +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + {{- if gt (index .Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- else }} +replicas: 2 +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} + {{- else }} +replicas: 1 +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" (list . (dict "strategy" "strategy_type")) }} */ -}} +{{- /* returns deployment with custom strategy and replicas for ha components running on master nodes */ -}} +{{- define "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" }} +{{- $context := index . 0 }} +{{- $optionalArgs := dict }} +{{- $strategy := "RollingUpdate" }} +{{- if ge (len .) 2 }} + {{- $optionalArgs = index . 
1 }} +{{- end }} +{{- if hasKey $optionalArgs "strategy" }} + {{- $strategy = $optionalArgs.strategy }} +{{- end }} +{{- /* Template context with .Values, .Chart, etc */ -}} + {{- if (include "helm_lib_ha_enabled" $context) }} + {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 0 }} +replicas: {{ index $context.Values.global.discovery "clusterMasterCount" }} +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + {{- if gt (index $context.Values.global.discovery "clusterMasterCount" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- end }} + {{- else if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 0 }} +replicas: {{ index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" }} +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + {{- if gt (index $context.Values.global.discovery.d8SpecificNodeCountByRole "master" | int) 2 }} + maxUnavailable: 2 + {{- else }} + maxUnavailable: 1 + {{- end }} + {{- end }} + {{- else }} +replicas: 2 +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} + {{- end }} + {{- else }} +replicas: 1 +strategy: + type: {{ $strategy }} + {{- if eq $strategy "RollingUpdate" }} + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + {{- end }} + {{- end }} +{{- end }} + +{{- /* Usage: {{ include "helm_lib_deployment_strategy_and_replicas_for_ha" }} */ -}} +{{- /* returns deployment strategy and replicas for ha components running not on master nodes */ -}} +{{- define "helm_lib_deployment_strategy_and_replicas_for_ha" }} +{{- /* Template context with .Values, .Chart, etc */ -}} +replicas: {{ include "helm_lib_is_ha_to_value" (list . 2 1) }} +{{- if (include "helm_lib_ha_enabled" .) 
}}
+strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+{{- end }}
+{{- end }}
diff --git a/images/csi-nfs/werf.inc.yaml b/images/csi-nfs/werf.inc.yaml
index 9827165..c04afc0 100644
--- a/images/csi-nfs/werf.inc.yaml
+++ b/images/csi-nfs/werf.inc.yaml
@@ -35,7 +35,7 @@ shell:
- chmod +x /nfsplugin
---
-{{ $csiBinaries := "/bin/mount /bin/umount /sbin/mount.nfs /sbin/mount.nfs4 /sbin/umount.nfs /sbin/umount.nfs4 /bin/tar /bin/gzip /bin/cp" }}
+{{ $csiBinaries := "/bin/mount /bin/umount /sbin/mount.nfs /sbin/mount.nfs4 /sbin/umount.nfs /sbin/umount.nfs4 /bin/cp" }}
---
image: {{ $.ImageName }}-binaries-artifact
from: {{ $.BASE_ALT_DEV }}
@@ -47,18 +47,18 @@ shell:
---
image: {{ $.ImageName }}-distroless-artifact
-from: {{ $.BASE_ALPINE_DEV }}
+from: {{ $.BASE_ALT_DEV }}
final: false
shell:
install:
- - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share
+ - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/var/lib/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share
- cp -pr /tmp /relocate
- - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc
+ - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /etc/netconfig /relocate/etc
- cp -pr /usr/share/ca-certificates /relocate/usr/share
- cp -pr /usr/share/zoneinfo /relocate/usr/share
- - cp -pr etc/ssl/cert.pem /relocate/etc/ssl
- - cp -pr /etc/ssl/certs /relocate/etc/ssl
+ - cp -pr /var/lib/ssl/cert.pem /relocate/var/lib/ssl
+ - cp -pr /var/lib/ssl/certs /relocate/var/lib/ssl
- echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd
- echo "deckhouse:x:64535:" >> /relocate/etc/group
- echo "deckhouse:!::0:::::" >> /relocate/etc/shadow
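Review bot: The rewritten `cp -pr /etc/passwd /etc/group … /etc/shadow … /etc/netconfig /relocate/etc` line still ships the build image's whole account database, `/etc/shadow` included, into the distroless image, although the only account the image itself needs is the `deckhouse` entry appended by the three `echo` lines at the end of the hunk. Whatever users the ALT dev base happens to define therefore become part of the runtime image and change silently with every base bump. Writing `/relocate/etc/passwd`, `group` and `shadow` from scratch with just the required entries (drop those three files from the `cp` and turn the `echo … >>` lines into `echo … >`) keeps the identity database minimal and independent of the build image. Switching `from:` to `$.BASE_ALT_DEV` also presumably moves the final image from Alpine's musl to glibc, which is why the later `@@ -96,5 +96,6 @@` hunk adds `libnss_files*`; a one-line comment on that `includePaths` entry would save the next reader the reconstruction.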
@@ -96,5 +96,6 @@ import:
includePaths:
- 'libresolv*'
- 'libnss_dns*'
+ - 'libnss_files*'
docker:
ENTRYPOINT: ["/nfsplugin"]
diff --git a/images/wait-rpcbind/src/cmd/main.go b/images/wait-rpcbind/src/cmd/main.go
new file mode 100644
index 0000000..521fe77
--- /dev/null
+++ b/images/wait-rpcbind/src/cmd/main.go
@@ -0,0 +1,70 @@
+/*
+Copyright 2024 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+ "log"
+ "net"
+ "os"
+ "os/signal"
+ "syscall"
+ "time"
+)
+
+func main() {
+ log.Println("Waiting for socket /run/rpcbind.sock...")
+
+ sigs := make(chan os.Signal, 1)
+ done := make(chan string, 1)
+
+ signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+
+ go func() {
+ sig := <-sigs
+ log.Printf("Received signal %s, exiting.", sig.String())
+ done <- sig.String()
+ }()
+
+ for {
+ select {
+ case sigName := <-done:
+ log.Printf("Program terminated by %s signal.", sigName)
+ return
+ default:
+ info, err := os.Lstat("/run/rpcbind.sock")
+ if err == nil {
+ if (info.Mode() & os.ModeSocket) != 0 {
+ conn, err := net.DialTimeout("unix", "/run/rpcbind.sock", 1*time.Second)
+ if err == nil {
+ conn.Close()
+ log.Println("Socket /run/rpcbind.sock found and confirmed as rpcbind.")
+ return
+ } else {
+ log.Println("Unable to connect to the socket /run/rpcbind.sock, continuing to wait...")
+ }
+ } else {
+ log.Println("/run/rpcbind.sock found but is not a socket. Continuing to wait...")
+ }
+ } else if os.IsNotExist(err) {
+ log.Println("/run/rpcbind.sock does not exist, continuing to wait...")
+ } else {
+ log.Printf("Error checking socket /run/rpcbind.sock: %v", err)
+ }
+ time.Sleep(1 * time.Second)
+ }
+ }
+}
diff --git a/images/wait-rpcbind/src/go.mod b/images/wait-rpcbind/src/go.mod
new file mode 100644
index 0000000..7f5218b
--- /dev/null
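Review bot: Returning from `main` in the `case sigName := <-done:` branch exits with status 0, which for an init container is indistinguishable from the "socket confirmed" success path; use `os.Exit(1)` there (or `log.Fatalf("Program terminated by %s signal.", sigName)`) so an interrupted wait can never let the dependent containers start as if rpcbind were ready. The literal `/run/rpcbind.sock` is repeated seven times across calls and log messages; a `const rpcbindSock = "/run/rpcbind.sock"` referenced via `%s` formatting would keep them in sync. The signal goroutine and `done` channel only relay `sigs`, so the loop could `select` on `sigs` and a `time.Ticker` directly instead of the `default:` branch plus `time.Sleep`, which also removes the one-second exit latency. A successful `net.DialTimeout` only shows that something accepts connections on that path, so the log text "confirmed as rpcbind" overstates what was checked; "accepting connections" would be accurate.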
+++ b/images/wait-rpcbind/src/go.mod
@@ -0,0 +1,3 @@
+module d8-controller
+
+go 1.22.2
diff --git a/images/wait-rpcbind/src/go.sum b/images/wait-rpcbind/src/go.sum
new file mode 100644
index 0000000..e69de29
diff --git a/images/wait-rpcbind/werf.inc.yaml b/images/wait-rpcbind/werf.inc.yaml
new file mode 100644
index 0000000..b6564f2
--- /dev/null
+++ b/images/wait-rpcbind/werf.inc.yaml
@@ -0,0 +1,36 @@
+{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.6-bullseye@sha256:260918a3795372a6d33225d361fe5349723be9667de865a23411b50fbcc76c5a" }}
+{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }}
+
+---
+image: {{ $.ImageName }}-golang-artifact
+from: {{ $.BASE_GOLANG }}
+final: false
+
+git:
+ - add: /images/wait-rpcbind/src
+ to: /src
+ stageDependencies:
+ setup:
+ - "**/*"
+mount:
+ - fromPath: ~/go-pkg-cache
+ to: /go/pkg
+shell:
+ setup:
+ - cd /src/cmd
+ - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o wait-rpcbind
+ - mv wait-rpcbind /wait-rpcbind
+ - chmod +x /wait-rpcbind
+
+---
+image: {{ $.ImageName }}
+from: {{ $.BASE_SCRATCH }}
+
+import:
+ - image: {{ $.ImageName }}-golang-artifact
+ add: /wait-rpcbind
+ to: /wait-rpcbind
+ before: setup
+
+docker:
+ ENTRYPOINT: ["/wait-rpcbind"]
diff --git a/templates/csi/controller.yaml b/templates/csi/controller.yaml
index 6bcae47..e3bf730 100644
--- a/templates/csi/controller.yaml
+++ b/templates/csi/controller.yaml
@@ -1,3 +1,18 @@
+###
+### common
+###
+{{- define "csi_init_container_command" }}
+- "/wait-rpcbind"
+{{- end }}
+
+{{- define "csi_init_container_volume_mounts" }}
+- name: run
+ mountPath: /run
+{{- end }}
+
+{{- $csiInitContainerImage := include "helm_lib_module_image" (list . "waitRpcbind") }}
+
+
###
### controller
###
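Review bot: `BASE_GOLANG` and `BASE_SCRATCH` are pinned inline at the top of this file with full digests, whereas the sibling `images/csi-nfs/werf.inc.yaml` in this diff consumes `$.BASE_ALT_DEV` without defining it, which suggests base images are normally supplied centrally; if so, the golang and scratch bases should be referenced from that place rather than duplicated here, so a digest bump is made once. The build line could add `-trimpath` so the binary does not embed the builder's `/src/cmd` path and stays reproducible across build roots: `- GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o wait-rpcbind`.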
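Review bot: `csi_init_container_volume_mounts` bind-mounts the host's entire `/run` into the init container read-write, while the wait loop only needs to stat and connect to `/run/rpcbind.sock`. Mounting the directory rather than the socket is understandable because the socket does not exist until rpcbind is up, but the mount can be `readOnly: true`: a read-only bind mount does not prevent connecting to a unix socket, and it removes the container's ability to create or alter anything else under the host's `/run` (other daemons' sockets and pid files). The define would read `- name: run`, `  mountPath: /run`, `  readOnly: true`. A short comment on the define saying why the whole directory is mounted would also stop a later reader from "narrowing" it to the socket path and breaking the wait.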
@@ -30,6 +45,16 @@
type: Directory
- name: tmp-dir
emptyDir: {}
+
+{{- if .Values.csiNfs.v3support }}
+- name: run-rpcbind-sock
+ hostPath:
+ path: /run/rpcbind.sock
+- name: run
+ hostPath:
+ path: /run
+{{- end }}
+
{{- end }}
{{- define "csi_additional_controller_volume_mounts" }}
@@ -38,6 +63,12 @@
mountPropagation: "Bidirectional"
- mountPath: /tmp
name: tmp-dir
+
+{{- if .Values.csiNfs.v3support }}
+- name: run-rpcbind-sock
+ mountPath: /run/rpcbind.sock
+{{- end }}
+
{{- end }}
{{- $csiControllerImage := include "helm_lib_module_image" (list . "csiNfs") }}
@@ -55,6 +86,12 @@
{{- $_ := set $csiControllerConfig "additionalControllerVolumes" (include "csi_additional_controller_volume" . | fromYamlArray) }}
{{- $_ := set $csiControllerConfig "additionalControllerVolumeMounts" (include "csi_additional_controller_volume_mounts" . | fromYamlArray) }}
+{{- if .Values.csiNfs.v3support }}
+{{- $_ := set $csiControllerConfig "initContainerImage" $csiInitContainerImage }}
+{{- $_ := set $csiControllerConfig "initContainerCommand" (include "csi_init_container_command" . | fromYamlArray) }}
+{{- $_ := set $csiControllerConfig "initContainerVolumeMounts" (include "csi_init_container_volume_mounts" . | fromYamlArray) }}
+{{- end }}
+
{{- include "helm_lib_csi_controller_manifests" (list . $csiControllerConfig) }}
###
@@ -78,6 +115,22 @@
value: unix:///csi/csi.sock
{{- end }}
+{{- define "csi_additional_node_volume" }}
+{{- if .Values.csiNfs.v3support }}
+- name: run-rpcbind-sock
+ hostPath:
+ path: /run/rpcbind.sock
+- name: run
+ hostPath:
+ path: /run
+{{- end }}
+{{- end }}
+
+{{- define "csi_additional_node_volume_mounts" }}
+- name: run-rpcbind-sock
+ mountPath: /run/rpcbind.sock
+{{- end }}
+
{{- $csiNodeConfig := dict }}
{{- $_ := set $csiNodeConfig "fullname" "csi-nfs" }}
{{- $_ := set $csiNodeConfig "nodeImage" $csiControllerImage }}
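Review bot: The new `run` hostPath volume carries no `type`, while the neighbouring volume in this hunk's context uses `type: Directory`; adding `type: Directory` to `run` (here and in the identical block of the `@@ -78,6 +115,22 @@` hunk) makes kubelet reject a host where `/run` is missing or not a directory instead of relying on runtime-specific behaviour, and keeps the file's own convention. `run-rpcbind-sock` deliberately has to stay untyped, since `type: Socket` would be validated at pod volume setup, before the init container has waited for the socket to appear; that is non-obvious and deserves a comment such as `# no type: the socket does not exist until the wait-rpcbind init container has seen it` above the `hostPath:` line in both places.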
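Review bot: `csi_additional_node_volume` wraps its body in `{{- if .Values.csiNfs.v3support }} … {{- end }}` although the `@@ -86,4 +139,12 @@` hunk only includes it inside that same condition, while its sibling `csi_additional_node_volume_mounts` has no guard; the two defines should follow one pattern. Dropping the inner `if`/`end` pair from `csi_additional_node_volume` makes it consistent with its mounts counterpart, whereas `csi_additional_controller_volume` needs its inner guard because it is included unconditionally in the `@@ -55,6 +86,12 @@` context lines. If the inner guard is kept on purpose as a safety net, a one-line comment stating that would keep the asymmetry from looking accidental.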
@@ -86,4 +139,12 @@
{{- $_ := set $csiNodeConfig "additionalNodeArgs" (include "csi_node_args" . | fromYamlArray) }}
{{- $_ := set $csiNodeConfig "additionalNodeEnvs" (include "csi_node_envs" . | fromYamlArray) }}
+{{- if .Values.csiNfs.v3support }}
+{{- $_ := set $csiNodeConfig "additionalNodeVolumes" (include "csi_additional_node_volume" . | fromYamlArray) }}
+{{- $_ := set $csiNodeConfig "additionalNodeVolumeMounts" (include "csi_additional_node_volume_mounts" . | fromYamlArray) }}
+{{- $_ := set $csiNodeConfig "initContainerImage" $csiInitContainerImage }}
+{{- $_ := set $csiNodeConfig "initContainerCommand" (include "csi_init_container_command" . | fromYamlArray) }}
+{{- $_ := set $csiNodeConfig "initContainerVolumeMounts" (include "csi_init_container_volume_mounts" . | fromYamlArray) }}
+{{- end }}
+
{{- include "helm_lib_csi_node_manifests" (list . $csiNodeConfig) }}