diff --git a/charts/apps/Chart.yaml b/charts/apps/Chart.yaml index 727735b2..3fb96010 100644 --- a/charts/apps/Chart.yaml +++ b/charts/apps/Chart.yaml @@ -2,4 +2,4 @@ apiVersion: v2 name: authz description: ArgoCD Apps used to deploy Authorization infrastructure type: application -version: 0.2.0 +version: 0.3.0 diff --git a/charts/bundler/static/admin.json b/charts/apps/static/admin.json similarity index 100% rename from charts/bundler/static/admin.json rename to charts/apps/static/admin.json diff --git a/charts/apps/templates/bundler-app.yaml b/charts/apps/templates/bundler-app.yaml index eb2a6dce..22f50e8b 100644 --- a/charts/apps/templates/bundler-app.yaml +++ b/charts/apps/templates/bundler-app.yaml @@ -12,6 +12,11 @@ spec: repoURL: {{ .Values.bundler.repoUrl }} targetRevision: {{ .Values.bundler.targetRevision }} path: {{ .Values.bundler.path }} + {{- if .Values.bundler.valuesObject }} + helm: + valuesObject: + {{ .Values.bundler.valuesObject | toYaml | nindent 10 }} + {{- end }} destination: name: {{ .Values.destination.name }} server: {{ .Values.destination.server }} diff --git a/charts/apps/templates/bundler-static-data.yaml b/charts/apps/templates/bundler-static-data.yaml new file mode 100644 index 00000000..0f47d8d1 --- /dev/null +++ b/charts/apps/templates/bundler-static-data.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: bundler-static-data +data: + {{- ( .Files.Glob "static/*.json" ).AsConfig | nindent 2 }} diff --git a/charts/bundler/templates/ispyb-secret.yaml b/charts/apps/templates/ispyb-secret.yaml similarity index 100% rename from charts/bundler/templates/ispyb-secret.yaml rename to charts/apps/templates/ispyb-secret.yaml 
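Review bot: The new `{{ .Values.bundler.valuesObject | toYaml | nindent 10 }}` line opens with `{{` rather than the `{{-` used by the surrounding `{{- if` / `{{- end }}` lines, so the template's own leading indentation is emitted as a whitespace-only line before the nindent output. YAML tolerates that, so it is a style point only; `{{- .Values.bundler.valuesObject | toYaml | nindent 10 }}` keeps the rendered Application clean and consistent with the rest of the file. The `spec.source` mapping this sits in starts outside the hunk.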
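Review bot: The new `bundler-static-data` ConfigMap has no `metadata.namespace`, so it is created in the apps chart's release namespace, whereas the `token-authorization` secret moved in this same commit is pinned to `namespace: authz-warehouse` and the bundler Deployment that mounts `configMap: bundler-static-data` is placed by Argo CD in `.Values.destination` (presumably `authz-warehouse`, since that is where the secrets it reads live). If those namespaces differ the bundler pod will sit in ContainerCreating with a missing-ConfigMap error; adding `namespace: authz-warehouse` to the ConfigMap metadata, matching the secrets, keeps the three resources together. A one-line comment above `data:` saying the files are served verbatim from `/srv/bundler/*.json` would also help, since nothing in this chart documents what `static/*.json` feeds.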
diff --git a/charts/bundler/templates/token-authorization-secret.yaml b/charts/apps/templates/token-authorization-secret.yaml similarity index 99% rename from charts/bundler/templates/token-authorization-secret.yaml rename to charts/apps/templates/token-authorization-secret.yaml index c3f2fc0c..1fcfe4a4 100644 --- a/charts/bundler/templates/token-authorization-secret.yaml +++ b/charts/apps/templates/token-authorization-secret.yaml @@ -12,4 +12,3 @@ spec: creationTimestamp: null name: token-authorization namespace: authz-warehouse - diff --git a/charts/apps/values.yaml b/charts/apps/values.yaml index 32faecea..4a864e5d 100644 --- a/charts/apps/values.yaml +++ b/charts/apps/values.yaml @@ -10,6 +10,45 @@ bundler: repoUrl: https://github.com/DiamondLightSource/authz.git targetRevision: HEAD path: charts/bundler + valuesObject: + + extraEnvVars: + - name: BUNDLER_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: ispyb + key: password + - name: BUNDLER_DATABASE_URL + value: mysql://ispybdbproxy.diamond.ac.uk:4306/ispyb/ispyb_ro:$(BUNDLER_DATABASE_PASSWORD) + - name: BUNDLER_REQUIRE_TOKEN + valueFrom: + secretKeyRef: + name: token-authorization + key: bearer + - name: BUNDLER_STATIC_DATA + value: /srv/bundler/*.json + + volumeMounts: + - name: static-bundler-volume + mountPath: /srv/bundler/ + + volumes: + - name: static-bundler-volume + configMap: + name: bundler-static-data + + autoscaling: + enabled: true + maxReplicas: 10 + targetMemoryUtilizationPercentage: 80 + + ingress: + enabled: true + hosts: + - host: authz.diamond.ac.uk + paths: + - path: /bundle.tar.gz + pathType: Prefix opa: enabled: true 
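Review bot: The hard-coded `BUNDLER_DATABASE_URL` places the credentials after the database path (`.../4306/ispyb/ispyb_ro:$(BUNDLER_DATABASE_PASSWORD)`), where a standard URL parser reads them as extra path segments rather than as userinfo; the `bundler.databaseURL` helper this replaces built the value with `urlJoin` and put the user info before the host, i.e. `mysql://ispyb_ro:$(BUNDLER_DATABASE_PASSWORD)@ispybdbproxy.diamond.ac.uk:4306/ispyb`. Unless the bundler's DSN parser deliberately accepts the new form, the connection will fail or be parsed unexpectedly, so I would use `value: mysql://ispyb_ro:$(BUNDLER_DATABASE_PASSWORD)@ispybdbproxy.diamond.ac.uk:4306/ispyb`. The `$(BUNDLER_DATABASE_PASSWORD)` expansion only works because the password entry precedes it in `extraEnvVars`; now that this is a free-form list, a comment such as `# must precede BUNDLER_DATABASE_URL: $(VAR) expansion only sees earlier entries` above it would stop a future reorder from silently breaking the DSN. The bundler ingress block sets no `tls:`, so confirm the controller terminates TLS for `authz.diamond.ac.uk` given OPA fetches the bundle with a bearer token.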
@@ -17,15 +56,22 @@ opa: targetRevision: HEAD path: charts/opa valuesObject: - orgData: - bundlerSecret: - name: token-authorization - key: bearer - orgPolicy: - enabled: true + + env: + - name: BUNDLER_BEARER_TOKEN + valueFrom: + secretKeyRef: + name: token-authorization + key: bearer + - name: ISSUER + value: https://authn.diamond.ac.uk/realms/master + autoscaling: enabled: true minReplicas: 2 + maxReplicas: 10 + targetMemoryUtilizationPercentage: 80 + ingress: enabled: true hosts: @@ -33,3 +79,35 @@ opa: paths: - path: / pathType: Prefix + + config: + services: + diamond-bundler: + url: https://authz.diamond.ac.uk + credentials: + bearer: + token: ${BUNDLER_BEARER_TOKEN} + ghcr: + url: https://ghcr.io + type: oci + bundles: + diamond-permissionables: + service: diamond-bundler + resource: bundle.tar.gz + polling: + min_delay_seconds: 10 + max_delay_seconds: 60 + diamond-policies: + service: ghcr + resource: ghcr.io/diamondlightsource/authz-policy:0.0.16 + polling: + min_delay_seconds: 30 + max_delay_seconds: 120 + + resources: + requests: + cpu: 1000m + memory: 2Gi + limits: + cpu: 1000m + memory: 2Gi diff --git a/charts/bundler/.gitignore b/charts/bundler/.gitignore deleted file mode 100644 index 948259a7..00000000 --- a/charts/bundler/.gitignore +++ /dev/null @@ -1 +0,0 @@ -charts/*.tgz diff --git a/charts/bundler/.helmignore b/charts/bundler/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/bundler/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/bundler/Chart.lock b/charts/bundler/Chart.lock deleted file mode 100644 index fc17781c..00000000 
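Review bot: The `diamond-policies` bundle is pulled from `ghcr.io/diamondlightsource/authz-policy:0.0.16` by mutable tag, re-polled every 30–120 s, and no `signing`/`keys` stanza is configured, so anyone able to push that tag to GHCR can change every authorization decision this OPA makes within two minutes. Pin the policy bundle by digest (`resource: ghcr.io/diamondlightsource/authz-policy@sha256:<digest>`) and/or add `signing: {keyid: <id>}` under each bundle with a matching `keys:` block in `config` so OPA verifies the bundle signature before activating it; the data bundle from `diamond-bundler` is currently trusted on the strength of the bearer token alone. The `diamond-bundler` service URL is `https://`, which keeps `${BUNDLER_BEARER_TOKEN}` off the wire in clear text only if the ingress in front of `authz.diamond.ac.uk` actually terminates TLS — the bundler ingress values earlier in this file set no `tls:`, so worth confirming.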
--- a/charts/bundler/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: oci://docker.io/bitnamicharts - version: 2.23.0 -digest: sha256:c6a6a1cd877a7776095f62977d2fe441ee8b1145d624b6a57bc08dd52aa2611b -generated: "2024-09-17T10:12:41.346935619+01:00" diff --git a/charts/bundler/Chart.yaml b/charts/bundler/Chart.yaml index 8dd11459..d1c46faa 100644 --- a/charts/bundler/Chart.yaml +++ b/charts/bundler/Chart.yaml @@ -1,13 +1,24 @@ apiVersion: v2 name: bundler description: A Open Policy Agent (OPA) Data Bundle Server providing permissionable data from ISPyB + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. type: application -version: 0.5.3 + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.6.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. appVersion: 0.0.16 -maintainers: - - name: garryod - email: "garry.o'donnell@diamond.ac.uk" -dependencies: - - name: common - version: 2.23.0 - repository: oci://docker.io/bitnamicharts diff --git a/charts/bundler/templates/NOTES.txt b/charts/bundler/templates/NOTES.txt new file mode 100644 index 00000000..7c819f60 
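Review bot: The `maintainers` entry is dropped along with the `common` dependency, leaving the chart with no contact metadata; keeping `maintainers:` with the existing `garryod` entry costs nothing. The same commit removes the whole `bundler:` block from values.yaml in favour of `extraEnvVars`/`volumes`, which is a breaking values-schema change for any other consumer of this chart, so a note in `description` or a changelog saying how to migrate would be more useful than the `helm create` boilerplate comments added here.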
--- /dev/null +++ b/charts/bundler/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bundler.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bundler.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bundler.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bundler.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/charts/bundler/templates/_helpers.tpl b/charts/bundler/templates/_helpers.tpl index b7c037d1..9230d112 100644 --- a/charts/bundler/templates/_helpers.tpl 
+++ b/charts/bundler/templates/_helpers.tpl 
@@ -1,8 +1,62 @@ {{/* -Create the database URL environment variable for use by the bundler +Expand the name of the chart. */}} -{{- define "bundler.databaseURL" -}} -{{- $raw_user_info := printf "%s:$BUNDLER_DATABASE_PASSWORD" .Values.bundler.database.user }} -{{- $raw_database_url := urlJoin (dict "scheme" .Values.bundler.database.scheme "host" .Values.bundler.database.host "path" .Values.bundler.database.path "userinfo" $raw_user_info ) }} -{{- replace "$BUNDLER_DATABASE_PASSWORD" "$(BUNDLER_DATABASE_PASSWORD)" $raw_database_url }} +{{- define "bundler.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "bundler.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "bundler.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "bundler.labels" -}} +helm.sh/chart: {{ include "bundler.chart" . }} +{{ include "bundler.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "bundler.selectorLabels" -}} +app.kubernetes.io/name: {{ include "bundler.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "bundler.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "bundler.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} {{- end }} diff --git a/charts/bundler/templates/deployment.yaml b/charts/bundler/templates/deployment.yaml index ef6090ff..5ed36265 100644 --- a/charts/bundler/templates/deployment.yaml +++ b/charts/bundler/templates/deployment.yaml @@ -1,14 +1,16 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "bundler.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "bundler.labels" . | nindent 4 }} spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} selector: matchLabels: - {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- include "bundler.selectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} 
@@ -16,70 +18,61 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "common.labels.matchLabels" . | nindent 8 }} + {{- include "bundler.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.serviceAccount.create }} - serviceAccountName: {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} - {{- else }} - serviceAccountName: {{ default "default" .Values.serviceAccount.name }} - {{- end }} + serviceAccountName: {{ include "bundler.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} containers: - - name: bundler + - name: {{ .Chart.Name }} + {{- with .Values.securityContext }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository}}:{{ default .Chart.AppVersion .Values.image.tag }}" + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - serve env: - - name: BUNDLER_PORT - value: "80" - - name: BUNDLER_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.bundler.database.passwordSecret.name }} - key: {{ .Values.bundler.database.passwordSecret.key }} - - name: BUNDLER_DATABASE_URL - value: {{ include "bundler.databaseURL" . 
}} - - name: BUNDLER_REQUIRE_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.bundler.requireTokenSecret.name }} - key: {{ .Values.bundler.requireTokenSecret.key }} - name: BUNDLER_POLLING_INTERVAL - value: {{ .Values.bundler.pollingInterval }} - - name: BUNDLER_STATIC_DATA - value: /srv/bundler/*.json + value: {{ .Values.pollingInterval | quote }} + - name: BUNDLER_PORT + value: {{ .Values.service.port | quote }} + {{- with .Values.extraEnvVars }} + {{- toYaml . | nindent 12 }} + {{- end }} ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.port }} protocol: TCP + {{- with .Values.livenessProbe }} livenessProbe: - httpGet: - path: /healthz - port: http + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} readinessProbe: - httpGet: - path: /healthz - port: http + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.resources }} resources: - {{- toYaml .Values.resources | nindent 12 }} - {{ if .Values.bundler.staticDataPattern -}} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumeMounts }} volumeMounts: - - name: static-bundler-volume - mountPath: /srv/bundler/ + {{- toYaml . | nindent 12 }} {{- end }} - {{ if .Values.bundler.staticDataPattern -}} + {{- with .Values.volumes }} volumes: - - name: static-bundler-volume - configMap: - name: {{ include "common.names.fullname" . }}-static-data + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/charts/bundler/templates/hpa.yaml b/charts/bundler/templates/hpa.yaml index ed9b1f4a..9590a415 100644 --- a/charts/bundler/templates/hpa.yaml +++ b/charts/bundler/templates/hpa.yaml 
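Review bot: `BUNDLER_PORT` and the `http` `containerPort` are now both derived from `.Values.service.port`, whose default is `80`, so the process has to bind a privileged port inside the container; that rules out the `runAsNonRoot` / drop-`ALL` hardening the chart's own `securityContext` comments suggest unless `NET_BIND_SERVICE` is granted or the unprivileged-port sysctl is set. Decouple the two with a dedicated value, e.g. `containerPort: 8080` in values.yaml, `value: {{ .Values.containerPort | quote }}` for the env var and `containerPort: {{ .Values.containerPort }}` for the port, and make sure the Service's `targetPort` is the `http` named port rather than a number. The chart-managed variables are rendered before `{{- with .Values.extraEnvVars }}`, which is what lets the apps values reference `$(BUNDLER_DATABASE_PASSWORD)` from within the appended list; a comment saying `# extraEnvVars are appended last so $(VAR) references to chart-managed variables resolve` would keep that ordering intentional. The Deployment `spec` continues outside the hunk on both sides.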
@@ -1,15 +1,15 @@ +{{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "bundler.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "bundler.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ include "common.names.fullname" . }} + name: {{ include "bundler.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: @@ -29,3 +29,4 @@ spec: type: Utilization averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} +{{- end }} diff --git a/charts/bundler/templates/ingress.yaml b/charts/bundler/templates/ingress.yaml index ced0fbb8..5772121d 100644 --- a/charts/bundler/templates/ingress.yaml +++ b/charts/bundler/templates/ingress.yaml @@ -2,17 +2,16 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "bundler.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "bundler.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} + {{- with .Values.ingress.className }} + ingressClassName: {{ . }} {{- end }} {{- if .Values.ingress.tls }} tls: @@ -31,12 +30,12 @@ spec: paths: {{- range .paths }} - path: {{ .path }} - {{- if .pathType }} - pathType: {{ .pathType }} + {{- with .pathType }} + pathType: {{ . }} {{- end }} backend: service: - name: {{ include "common.names.fullname" $ }} + name: {{ include "bundler.fullname" $ }} port: number: {{ $.Values.service.port }} {{- end }} 
diff --git a/charts/bundler/templates/service.yaml b/charts/bundler/templates/service.yaml index 64cbe661..c5d90227 100644 --- a/charts/bundler/templates/service.yaml +++ b/charts/bundler/templates/service.yaml @@ -1,10 +1,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "bundler.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "bundler.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -13,4 +12,4 @@ spec: protocol: TCP name: http selector: - {{- include "common.labels.matchLabels" . | nindent 4 }} + {{- include "bundler.selectorLabels" . | nindent 4 }} diff --git a/charts/bundler/templates/serviceaccount.yaml b/charts/bundler/templates/serviceaccount.yaml index dbbfebb4..e53ec749 100644 --- a/charts/bundler/templates/serviceaccount.yaml +++ b/charts/bundler/templates/serviceaccount.yaml @@ -2,8 +2,12 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "bundler.serviceAccountName" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "bundler.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} {{- end }} diff --git a/charts/bundler/templates/static_config.yaml b/charts/bundler/templates/static_config.yaml deleted file mode 100644 index 1419f5a4..00000000 --- a/charts/bundler/templates/static_config.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{ if .Values.bundler.staticDataPattern -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.names.fullname" . }}-static-data - namespace: {{ .Release.Namespace }} -data: - {{- ( .Files.Glob .Values.bundler.staticDataPattern ).AsConfig | nindent 2 }} -{{- end }} 
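Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` is driven by a value this commit defaults to `true`, so every bundler pod receives a Kubernetes API token even though nothing in the chart defines RBAC for it and the bundler, as far as this diff shows, only talks to MySQL and serves HTTP. Defaulting `automount: false` is the least-privilege choice, and setting `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` on the pod spec as well is worth considering, since the pod-level field takes precedence over the ServiceAccount one; the value can be flipped back on if a future version needs the API. The `{{- if .Values.serviceAccount.create }}` that the trailing `{{- end }}` closes starts outside the hunk.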
diff --git a/charts/bundler/templates/tests/test-connection.yaml b/charts/bundler/templates/tests/test-connection.yaml index 21ee05dc..b19258fe 100644 --- a/charts/bundler/templates/tests/test-connection.yaml +++ b/charts/bundler/templates/tests/test-connection.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "common.names.fullname" . }}-test-connection" + name: "{{ include "bundler.fullname" . }}-test-connection" labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "bundler.labels" . | nindent 4 }} annotations: "helm.sh/hook": test spec: @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "common.names.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "bundler.fullname" . }}:{{ .Values.service.port }}'] restartPolicy: Never diff --git a/charts/bundler/values.yaml b/charts/bundler/values.yaml index f53ae6b2..3ec118bd 100644 --- a/charts/bundler/values.yaml +++ b/charts/bundler/values.yaml 
@@ -1,61 +1,125 @@ +# Default values for bundler. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +pollingInterval: 60s + +# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ +replicaCount: 1 + +# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/ image: repository: ghcr.io/diamondlightsource/authz-bundler + # This sets the pull policy for images. pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. tag: "" +# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] +# This is to override the chart name. nameOverride: "" fullnameOverride: "" -bundler: - database: - scheme: mysql - host: ispybdbproxy.diamond.ac.uk:4306 - path: ispyb - user: ispyb_ro - passwordSecret: - name: ispyb - key: password - requireTokenSecret: - name: token-authorization - key: bearer - pollingInterval: 60s - staticDataPattern: "static/*.json" - +# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ serviceAccount: + # Specifies whether a service account should be created create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template name: "" - podAnnotations: {} + +# This is for setting Kubernetes Annotations to a Pod. 
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +# This is for setting Kubernetes Labels to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} podSecurityContext: {} + # fsGroup: 2000 securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 +# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/ service: + # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: ClusterIP + # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 +# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: - enabled: true + enabled: false className: "" annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" hosts: - - host: authz.diamond.ac.uk + - host: chart-example.local paths: - - path: /bundle.tar.gz + - path: / pathType: ImplementationSpecific tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +livenessProbe: + httpGet: + path: /healthz + port: http +readinessProbe: + httpGet: + path: /healthz + port: http +# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/ autoscaling: + enabled: false minReplicas: 1 - maxReplicas: 10 + maxReplicas: 100 targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 -nodeSelector: {} +# Additional volumes on the output Deployment definition. +volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false -affinity: {} +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + +nodeSelector: {} tolerations: [] + +affinity: {} diff --git a/charts/opa/.gitignore b/charts/opa/.gitignore deleted file mode 100644 index 948259a7..00000000 --- a/charts/opa/.gitignore +++ /dev/null @@ -1 +0,0 @@ -charts/*.tgz diff --git a/charts/opa/Chart.lock b/charts/opa/Chart.lock deleted file mode 100644 index 1d51d1cc..00000000 --- a/charts/opa/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: oci://docker.io/bitnamicharts - version: 2.23.0 -digest: sha256:c6a6a1cd877a7776095f62977d2fe441ee8b1145d624b6a57bc08dd52aa2611b -generated: "2024-09-17T11:46:38.801325647+01:00" diff --git a/charts/opa/Chart.yaml b/charts/opa/Chart.yaml index 51de9c4f..b4f8de5c 100644 --- a/charts/opa/Chart.yaml +++ b/charts/opa/Chart.yaml 
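Review bot: `podSecurityContext: {}` and `securityContext: {}` remain empty with the hardening present only as commented examples, and because the deployment now wraps both in `{{- with }}` an empty map renders no securityContext at all, so the container runs with the image's default user and full default capabilities. For a process holding a database password and the bundle bearer token the commented lines should be the default, together with `allowPrivilegeEscalation: false` and a `RuntimeDefault` seccomp profile; the rewrite below is what I would ship, noting that `runAsNonRoot` also needs the listen port moved off 80, which is a separate change in the deployment template. `serviceAccount.automount: true` and `ingress.hosts[0].host: chart-example.local` are `helm create` scaffolding — the former should default to `false` for a workload with no RBAC, the latter is harmless only as long as the apps chart always overrides it.

```yaml
# … unchanged: image, imagePullSecrets, nameOverride, serviceAccount, podAnnotations, podLabels …

podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  # runAsUser: 1000  -- set to the image's non-root UID; requires the listen port to be moved off 80

# … unchanged: service, ingress, resources, probes, autoscaling, volumes …
```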
@@ -1,13 +1,24 @@ apiVersion: v2 name: opa description: An OPA deployment to run alongside applications requiring authorization + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. type: application -version: 0.6.5 -appVersion: 0.59.0 -maintainers: - - name: garryod - email: "garry.o'donnell@diamond.ac.uk" -dependencies: - - name: common - version: 2.23.0 - repository: oci://docker.io/bitnamicharts + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.7.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: 1.11.0 diff --git a/charts/opa/templates/NOTES.txt b/charts/opa/templates/NOTES.txt new file mode 100644 index 00000000..82a40f23 --- /dev/null +++ b/charts/opa/templates/NOTES.txt 
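Review bot: `appVersion` moves from `0.59.0` to `1.11.0`, crossing OPA 1.0, where the Rego v1 syntax (`if`/`contains` keywords, `rego.v1` semantics) became the default and pre-1.0 policies that omit them no longer compile; the policy bundle this deployment loads is still `authz-policy:0.0.16`, so confirm that bundle was authored for v1 or run OPA with `--v0-compatible` until it is. The chart `version` bump of 0.6.5 → 0.7.0 also hides that the values schema changed in this commit (`image.envoy`, `image.tagOverride`, `portOverride`, `orgData`, `orgPolicy` and `envOverride`/`extraEnv` are all gone); I would call that out in `description` or a changelog, and keep the `maintainers:` entry rather than dropping it.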
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "opa.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "opa.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "opa.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "opa.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/charts/opa/templates/_helpers.tpl b/charts/opa/templates/_helpers.tpl index 267603b3..b0f15350 100644 --- a/charts/opa/templates/_helpers.tpl +++ b/charts/opa/templates/_helpers.tpl 
@@ -1,30 +1,62 @@ {{/* -Create the tag to be used to pull the chart +Expand the name of the chart. */}} -{{- define "opa.imageTag" -}} -{{- if .Values.image.tagOverride }} -{{- .Values.image.tagOverride }} +{{- define "opa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opa.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} -{{- $version := default .Chart.AppVersion .Values.image.version }} -{{- if .Values.image.envoy }} -{{- print $version "-envoy" }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} {{- else }} -{{- $version }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} {{/* -Determine the query port to be used +Create chart name and version as used by the chart label. */}} -{{- define "opa.queryPort" -}} -{{- if .Values.portOverride }} -{{- .Values.image.portOverride }} -{{- else }} -{{- if .Values.image.envoy }} -{{- 9191 }} -{{- else }} -{{- 8181 }} +{{- define "opa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "opa.labels" -}} +helm.sh/chart: {{ include "opa.chart" . }} +{{ include "opa.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "opa.selectorLabels" -}} +app.kubernetes.io/name: {{ include "opa.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "opa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "opa.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} diff --git a/charts/opa/templates/deployment.yaml b/charts/opa/templates/deployment.yaml index 282cb899..4e503d51 100644 --- a/charts/opa/templates/deployment.yaml +++ b/charts/opa/templates/deployment.yaml @@ -1,16 +1,16 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "common.names.fullname" . }} + name: {{ include "opa.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "opa.labels" . | nindent 4 }} spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} {{- end }} selector: matchLabels: - {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- include "opa.selectorLabels" . | nindent 6 }} template: metadata: annotations: 
@@ -19,80 +19,74 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "common.labels.matchLabels" . | nindent 8 }} + {{- include "opa.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.serviceAccount.create }} - serviceAccountName: {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} - {{- else }} - serviceAccountName: {{ default "default" .Values.serviceAccount.name }} - {{- end }} + serviceAccountName: {{ include "opa.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} containers: - - name: opa + - name: {{ .Chart.Name }} + {{- with .Values.securityContext }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ include "opa.imageTag" . }}" + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - run - --server - --diagnostic-addr - 0.0.0.0:8282 + - --addr + - 0.0.0.0:8181 - --config-file - /etc/opa-config/config.yaml - - --log-level - - {{ .Values.logLevel }} - {{- if .Values.envOverride }} - env: - {{- .Values.envOverride | toYaml | nindent 12 }} - {{- else if or .Values.orgData.bundlerSecret .Values.extraEnv }} + - --log-level={{ .Values.logLevel | default "info" }} + {{- with .Values.env }} env: - {{- if and .Values.orgData.enabled .Values.orgData.bundlerSecret }} - - name: BUNDLER_BEARER_TOKEN - valueFrom: - secretKeyRef: - name: {{ tpl .Values.orgData.bundlerSecret.name . 
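Review bot: The selector `matchLabels` now come from `opa.selectorLabels` instead of `common.labels.matchLabels`; a Deployment's selector is immutable, so this change is only safe for an in-place upgrade of an existing release if both helpers render identical `app.kubernetes.io/name` and `app.kubernetes.io/instance` values, which is worth confirming with `helm template` against the previous chart before releasing. The pod template's metadata block continues in the next hunk.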
}} - key: {{ .Values.orgData.bundlerSecret.key }} - {{- end -}} - {{- if .Values.orgPolicy.enabled }} - {{- with .Values.orgPolicy.issuer }} - - name: ISSUER - value: {{ . }} - {{- end }} - {{- end }} - {{- if .Values.extraEnv }} - {{- .Values.extraEnv | toYaml | nindent 12 }} - {{- end }} + {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.volumeMounts }} volumeMounts: - name: opa-config mountPath: /etc/opa-config + {{- toYaml . | nindent 12 }} + {{- end }} ports: - - name: query - containerPort: {{ include "opa.queryPort" . }} + - name: http + containerPort: {{ .Values.service.port }} protocol: TCP - name: diagnostic containerPort: 8282 protocol: TCP + {{- with .Values.livenessProbe }} livenessProbe: - httpGet: - path: /health - port: diagnostic + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} readinessProbe: - httpGet: - path: /health - port: diagnostic + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.resources }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} volumes: - name: opa-config configMap: name: opa-config + {{- with .Values.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/opa/templates/hpa.yaml b/charts/opa/templates/hpa.yaml index 8f497ab4..0ad79fa3 100644 --- a/charts/opa/templates/hpa.yaml +++ b/charts/opa/templates/hpa.yaml 
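Review bot: The `opa-config` volumeMount now sits inside `{{- with .Values.volumeMounts }}`, so with the values default `volumeMounts: []` the whole block is skipped and the container starts with `--config-file /etc/opa-config/config.yaml` pointing at a path nothing is mounted on; the `volumes` block in the same hunk keeps `opa-config` unconditional and only appends `.Values.volumes` inside the `with`, and `volumeMounts` should mirror it. Separately, `containerPort: {{ .Values.service.port }}` for the `http` port does not match the hard-coded `--addr 0.0.0.0:8181`: with the values default `service.port: 80`, service.yaml's `targetPort: http` resolves to container port 80 where OPA is not listening, so that line should read `containerPort: 8181`. The removed probes used `path: /health` on the `diagnostic` port, whereas the new defaults in values.yaml use `path: /`, which I believe OPA's diagnostic listener does not serve (it routes only `/health` and `/metrics`) — confirm before relying on them for readiness. The pod spec continues outside the hunk.
```yaml
          volumeMounts:
            - name: opa-config
              mountPath: /etc/opa-config
            {{- with .Values.volumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          ports:
            - name: http
              containerPort: 8181
              protocol: TCP
          # … unchanged: diagnostic port, probes, resources, volumes …
```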
@@ -1,15 +1,15 @@ -{{- if .Values.autoscaling.enabled -}} +{{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: {{ include "common.names.fullname" . }} + name: {{ include "opa.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "opa.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ include "common.names.fullname" . }} + name: {{ include "opa.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: diff --git a/charts/opa/templates/ingress.yaml b/charts/opa/templates/ingress.yaml index ced0fbb8..5d33a65a 100644 --- a/charts/opa/templates/ingress.yaml +++ b/charts/opa/templates/ingress.yaml @@ -2,17 +2,16 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "opa.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "opa.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} + {{- with .Values.ingress.className }} + ingressClassName: {{ . }} {{- end }} {{- if .Values.ingress.tls }} tls: @@ -31,12 +30,12 @@ spec: paths: {{- range .paths }} - path: {{ .path }} - {{- if .pathType }} - pathType: {{ .pathType }} + {{- with .pathType }} + pathType: {{ . }} {{- end }} backend: service: - name: {{ include "common.names.fullname" $ }} + name: {{ include "opa.fullname" $ }} port: number: {{ $.Values.service.port }} {{- end }} diff --git a/charts/opa/templates/opa-config.yaml b/charts/opa/templates/opa-config.yaml index 87c630e4..24f45926 100644 --- a/charts/opa/templates/opa-config.yaml +++ b/charts/opa/templates/opa-config.yaml 
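Review bot: `maxReplicas: {{ .Values.autoscaling.maxReplicas }}` is unchanged here, but the values.yaml hunk in this same commit raises the default from 10 to 100 along with the other helm-create scaffold defaults; if that ceiling was not chosen deliberately, keep `maxReplicas: 10` in values.yaml so an autoscaling-enabled install cannot fan out tenfold further than before. The `if .Values.autoscaling.enabled` block opened on the first line closes outside the hunk.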
@@ -4,44 +4,4 @@ metadata: name: opa-config data: config.yaml: | - {{- if .Values.configOverride }} - {{- .Values.configOverride | toYaml | nindent 4 }} - {{- else }} - services: - diamond-bundler: - url: https://authz.diamond.ac.uk - credentials: - bearer: - token: ${BUNDLER_BEARER_TOKEN} - ghcr: - url: https://ghcr.io - type: oci - {{- if .Values.extraServices }} - {{- .Values.extraServices | toYaml | nindent 6 }} - {{- end }} - {{- if or .Values.orgData.enabled .Values.orgPolicy.enabled .Values.extraBundles }} - bundles: - {{- if .Values.orgData.enabled }} - diamond-permissionables: - service: diamond-bundler - resource: bundle.tar.gz - polling: - min_delay_seconds: 10 - max_delay_seconds: 60 - {{- end }} - {{- if .Values.orgPolicy.enabled }} - diamond-policies: - service: ghcr - resource: ghcr.io/diamondlightsource/authz-policy:0.0.16 - polling: - min_delay_seconds: 30 - max_delay_seconds: 120 - {{- end }} - {{- if .Values.extraBundles }} - {{- .Values.extraBundles | toYaml | nindent 6 }} - {{- end }} - {{- end }} - {{- if .Values.extraConfig }} - {{- .Values.extraConfig | toYaml | nindent 4 }} - {{- end }} - {{- end }} + {{- .Values.config | toYaml | nindent 4 }} diff --git a/charts/opa/templates/service.yaml b/charts/opa/templates/service.yaml index 5b8413e4..0a7db99f 100644 --- a/charts/opa/templates/service.yaml +++ b/charts/opa/templates/service.yaml @@ -1,15 +1,15 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "common.names.fullname" . }} + name: {{ include "opa.fullname" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "opa.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: query + targetPort: http protocol: TCP - name: query + name: http selector: - {{- include "common.labels.matchLabels" . | nindent 4 }} + {{- include "opa.selectorLabels" . | nindent 4 }} 
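Review bot: `{{- .Values.config | toYaml | nindent 4 }}` only yields a usable OPA config when `config` is a mapping, but the values.yaml hunk in this commit declares it as a block string (`config: |` followed by `""`); `toYaml` re-serialises a string as a YAML scalar, so the rendered `config.yaml` has a top-level string rather than the `services`/`bundles` mapping OPA expects. Either default it to `config: {}` in values.yaml and keep `toYaml`, or, if a raw YAML document is intended, drop `toYaml` and render it with `{{- .Values.config | nindent 4 }}`. Since the entire configuration is now caller-supplied and lands in a ConfigMap, any `credentials` written directly into `config` would be stored there in plain text; the removed config referenced `${BUNDLER_BEARER_TOKEN}` and had it injected through a `secretKeyRef`, and that pattern (an env placeholder in `config`, the value in `env`) deserves a comment on the `config` key in values.yaml so callers do not inline bearer tokens.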
diff --git a/charts/opa/templates/serviceaccount.yaml b/charts/opa/templates/serviceaccount.yaml index f0a7c416..8e81071f 100644 --- a/charts/opa/templates/serviceaccount.yaml +++ b/charts/opa/templates/serviceaccount.yaml @@ -2,7 +2,12 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "common.names.fullname" . }} + name: {{ include "opa.serviceAccountName" . }} labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "opa.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} {{- end }} diff --git a/charts/opa/templates/tests/test-connection.yaml b/charts/opa/templates/tests/test-connection.yaml index 21ee05dc..b59abe8b 100644 --- a/charts/opa/templates/tests/test-connection.yaml +++ b/charts/opa/templates/tests/test-connection.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "common.names.fullname" . }}-test-connection" + name: "{{ include "opa.fullname" . }}-test-connection" labels: - {{- include "common.labels.standard" . | nindent 4 }} + {{- include "opa.labels" . | nindent 4 }} annotations: "helm.sh/hook": test spec: @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "common.names.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "opa.fullname" . }}:{{ .Values.service.port }}'] restartPolicy: Never diff --git a/charts/opa/values.yaml b/charts/opa/values.yaml index a92717c0..e3d7deb8 100644 --- a/charts/opa/values.yaml +++ b/charts/opa/values.yaml 
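Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` defaults to `true` in values.yaml, yet nothing in the diff shows OPA reading from the Kubernetes API (the configuration it removes fetched bundles from external HTTP/OCI services), so the API token is mounted into a workload that appears not to need it; defaulting `automount: false` in values.yaml follows least privilege, and callers that do need the API can opt in. Note that a pod-level `automountServiceAccountToken` overrides the ServiceAccount field, so if the deployment template ever sets it the values flag alone will not be authoritative. The closing `{{- end }}` presumably matches an `if .Values.serviceAccount.create` that starts outside the hunk.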
@@ -1,68 +1,127 @@ +# Default values for opa. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +logLevel: info + +env: [] + +config: | + "" + +# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ +replicaCount: 1 + +# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/ image: repository: docker.io/openpolicyagent/opa + # This sets the pull policy for images. pullPolicy: IfNotPresent - tagOverride: "" - version: "" - envoy: false + # Overrides the image tag whose default is the chart appVersion. + tag: "" +# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] +# This is to override the chart name. nameOverride: "" fullnameOverride: "" -logLevel: info -orgData: - enabled: true - bundlerSecret: - name: bundler - key: bearer-token -orgPolicy: - enabled: false - issuer: https://authn.diamond.ac.uk/realms/master -configOverride: {} -extraConfig: {} -extraServices: {} -extraBundles: {} -envOverride: [] -extraEnv: [] -portOverride: "" - +# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ serviceAccount: + # Specifies whether a service account should be created create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template name: "" +# This is for setting Kubernetes Annotations to a Pod. 
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} +# This is for setting Kubernetes Labels to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} podSecurityContext: {} + # fsGroup: 2000 securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 +# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/ service: + # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: ClusterIP + # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 +# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: enabled: false className: "" annotations: {} - hosts: [] + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local -resources: - requests: - cpu: 1000m - memory: 2Gi - limits: - cpu: 1000m - memory: 2Gi +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi -replicaCount: 1 +# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +livenessProbe: + httpGet: + path: / + port: diagnostic +readinessProbe: + httpGet: + path: / + port: diagnostic +# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/ autoscaling: enabled: false minReplicas: 1 - maxReplicas: 10 + maxReplicas: 100 targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. +volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true nodeSelector: {}