From 0267da0ea1c785cd0c7fd0061f6e52fb9e210a16 Mon Sep 17 00:00:00 2001 From: Keyvan Date: Mon, 6 Jul 2020 20:54:31 +0200 Subject: [PATCH 01/41] Added kubeContext Signed-off-by: Keyvan --- base.yaml | 1 + charts/management-portal/templates/deployment.yaml | 2 +- helmfile.d/00-init.yaml | 4 +++- helmfile.d/10-base.yaml | 3 ++- helmfile.d/20-dashboard.yaml | 3 ++- helmfile.d/20-fitbit.yaml | 5 +++-- helmfile.d/20-hdfs.yaml | 3 ++- helmfile.d/20-ingestion.yaml | 3 ++- helmfile.d/20-kafka-analysis.yaml | 5 +++-- helmfile.d/20-redcap.yaml | 3 ++- helmfile.d/20-s3.yaml | 3 ++- helmfile.d/20-upload.yaml | 3 ++- helmfile.d/99-velero.yaml | 3 ++- 13 files changed, 27 insertions(+), 14 deletions(-) diff --git a/base.yaml b/base.yaml index 9e77f3d9..62797f3d 100644 --- a/base.yaml +++ b/base.yaml @@ -1,3 +1,4 @@ +kubeContext: default server_name: example.com maintainer_email: MAINTAINER_EMAIL kafka_num_brokers: 3 diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index 19d88033..05ce1e24 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml @@ -47,7 +47,7 @@ spec: - name: SPRING_PROFILES_ACTIVE value: "prod,swagger" - name: SPRING_DATASOURCE_URL - value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal" + value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal&sslmode=require" - name: SPRING_DATASOURCE_USERNAME value: {{ .Values.postgres.user }} - name: SPRING_DATASOURCE_PASSWORD diff --git a/helmfile.d/00-init.yaml b/helmfile.d/00-init.yaml index e409ed0a..6323da6a 100644 --- a/helmfile.d/00-init.yaml +++ b/helmfile.d/00-init.yaml @@ -14,6 +14,7 @@ helmDefaults: atomic: true force: true timeout: 600 + kubeContext: {{ .Values.kubeContext }} releases: - name: mongodb 
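Review bot: The TLS parameter appended to `SPRING_DATASOURCE_URL` in the management-portal deployment hunk is malformed: the first JDBC query parameter must follow `?`, so `managementportal&sslmode=require` is most likely taken by pgjdbc as part of the database name and the SSL requirement never applies. Even with the separator fixed, `sslmode=require` only encrypts and does not authenticate the server, so an on-path attacker presenting any certificate is accepted; `value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal?sslmode=verify-full"` together with a pinned root certificate is what binds the connection to the intended host. The parameter is also applied unconditionally, so the default in-cluster `stable/postgresql` release, which nothing in this patch configures for TLS, would stop connecting.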
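Review bot: `kubeContext: {{ .Values.kubeContext }}` in `helmDefaults` is rendered unquoted and falls back to the literal `default` added to base.yaml, so a run without a production override silently deploys to whatever cluster a kubeconfig context named `default` points at (k3s, for example, names its context exactly that). Making the value mandatory and quoted, `kubeContext: {{ .Values.kubeContext | required "kubeContext must be set in production.yaml" | quote }}`, turns a wrong-cluster deploy into a render-time error. The same line is copied into every helmfile.d file in this patch, so the guard has to be applied in each of them.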
@@ -105,7 +106,8 @@ releases: - name: nginx-ingress chart: stable/nginx-ingress - version: 1.30.0 + version: 1.40.2 + force: false installed: {{ .Values.nginx_ingress._install }} values: - "../charts/nginx-ingress/values.yaml" diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index 09796d9e..2ac3ef80 100644 --- a/helmfile.d/10-base.yaml +++ b/helmfile.d/10-base.yaml @@ -7,6 +7,7 @@ environments: helmDefaults: atomic: true timeout: 600 + kubeContext: {{ .Values.kubeContext }} releases: - name: cp-zookeeper @@ -41,7 +42,7 @@ releases: value: radar-base-tls - name: ingress.tls[0].hosts values: ["{{ .Values.server_name }}"] - + - name: catalog-server chart: ../charts/catalog-server wait: true diff --git a/helmfile.d/20-dashboard.yaml b/helmfile.d/20-dashboard.yaml index 270f0736..dcc7f532 100644 --- a/helmfile.d/20-dashboard.yaml +++ b/helmfile.d/20-dashboard.yaml @@ -7,7 +7,8 @@ environments: helmDefaults: atomic: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: radar-dashboard chart: ../charts/radar-dashboard diff --git a/helmfile.d/20-fitbit.yaml b/helmfile.d/20-fitbit.yaml index 168015d4..3b0a01e7 100644 --- a/helmfile.d/20-fitbit.yaml +++ b/helmfile.d/20-fitbit.yaml @@ -7,7 +7,8 @@ environments: helmDefaults: atomic: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: radar-fitbit-connector chart: ../charts/radar-fitbit-connector @@ -49,4 +50,4 @@ releases: - name: fitbit_api_secret value: {{ .Values.fitbit_api_secret }} - name: client_secret - value: {{ .Values.management_portal.client_secrets.radar_rest_sources_backend }} \ No newline at end of file + value: {{ .Values.management_portal.client_secrets.radar_rest_sources_backend }} diff --git a/helmfile.d/20-hdfs.yaml b/helmfile.d/20-hdfs.yaml index 30f97944..ae9f162a 100644 --- a/helmfile.d/20-hdfs.yaml +++ b/helmfile.d/20-hdfs.yaml 
@@ -8,7 +8,8 @@ helmDefaults: atomic: true force: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: hdfs chart: ../kubernetes-HDFS/charts/hdfs-k8s diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml index 27f07069..a0ef227a 100644 --- a/helmfile.d/20-ingestion.yaml +++ b/helmfile.d/20-ingestion.yaml @@ -7,7 +7,8 @@ environments: helmDefaults: atomic: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: cp-kafka-rest chart: ../cp-helm-charts/charts/cp-kafka-rest diff --git a/helmfile.d/20-kafka-analysis.yaml b/helmfile.d/20-kafka-analysis.yaml index cf598b7f..6472bc2c 100644 --- a/helmfile.d/20-kafka-analysis.yaml +++ b/helmfile.d/20-kafka-analysis.yaml @@ -7,7 +7,8 @@ environments: helmDefaults: atomic: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: radar-backend-monitor chart: ../charts/radar-backend @@ -18,7 +19,7 @@ releases: set: - name: kafka_num_brokers value: {{ .Values.kafka_num_brokers }} - + - name: radar-backend-stream chart: ../charts/radar-backend installed: {{ .Values.radar_backend_stream._install }} diff --git a/helmfile.d/20-redcap.yaml b/helmfile.d/20-redcap.yaml index ce7b4e45..1e4a5b81 100644 --- a/helmfile.d/20-redcap.yaml +++ b/helmfile.d/20-redcap.yaml @@ -7,7 +7,8 @@ environments: helmDefaults: atomic: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: radar-integration chart: ../charts/radar-integration diff --git a/helmfile.d/20-s3.yaml b/helmfile.d/20-s3.yaml index 8e14e56c..defa5134 100644 --- a/helmfile.d/20-s3.yaml +++ b/helmfile.d/20-s3.yaml @@ -14,7 +14,8 @@ helmDefaults: atomic: true force: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: redis chart: bitnami/redis diff --git a/helmfile.d/20-upload.yaml b/helmfile.d/20-upload.yaml index 254927e1..0bd6cf18 100644 --- a/helmfile.d/20-upload.yaml +++ b/helmfile.d/20-upload.yaml 
@@ -7,7 +7,8 @@ environments: helmDefaults: atomic: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: radar-upload-postgresql chart: stable/postgresql diff --git a/helmfile.d/99-velero.yaml b/helmfile.d/99-velero.yaml index cff289e7..01f146ec 100644 --- a/helmfile.d/99-velero.yaml +++ b/helmfile.d/99-velero.yaml @@ -8,7 +8,8 @@ helmDefaults: atomic: true force: true timeout: 600 - + kubeContext: {{ .Values.kubeContext }} + releases: - name: velero chart: ../charts/velero From 0401d0e23fad09762736dc26ba42e668c4913604 Mon Sep 17 00:00:00 2001 From: nivethika Date: Thu, 9 Jul 2020 14:23:43 +0200 Subject: [PATCH 02/41] commit first changes --- .gitignore | 1 + base.yaml | 4 ++++ .../management-portal/templates/deployment.yaml | 15 ++++++++++++--- .../templates/secrets-postgres-keystore.yaml | 12 ++++++++++++ charts/management-portal/values.yaml | 5 ++++- 5 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 charts/management-portal/templates/secrets-postgres-keystore.yaml diff --git a/.gitignore b/.gitignore index a00f6784..2870fc79 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ radar-is.yml production.yaml .idea/ RADAR-Kubernetes.iml +postgreskeystore.jks diff --git a/base.yaml b/base.yaml index 62797f3d..aa0bd610 100644 --- a/base.yaml +++ b/base.yaml @@ -114,6 +114,10 @@ postgresql: management_portal: _install: true replicaCount: 1 # should be 1 + postgres: + ssl: + enabled: false + keystorepassword: keystorepassword managementportal: catalogue_server_enable_auto_import: true common_admin_password: password diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index 05ce1e24..5c693216 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml 
@@ -47,7 +47,7 @@ spec: - name: SPRING_PROFILES_ACTIVE value: "prod,swagger" - name: SPRING_DATASOURCE_URL - value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal&sslmode=require" + value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal&?ssl=true" - name: SPRING_DATASOURCE_USERNAME value: {{ .Values.postgres.user }} - name: SPRING_DATASOURCE_PASSWORD @@ -82,9 +82,9 @@ spec: - name: SPRING_APPLICATION_JSON value: '{"managementportal":{"oauth":{"checkingKeyAliases":["{{ .Values.managementportal.oauth_checking_key_aliases_0 }}","{{ .Values.managementportal.oauth_checking_key_aliases_1 }}"]}}}' - name: JHIPSTER_SLEEP # gives time for the database to boot before the application - value: "10" + value: "0" - name: JAVA_OPTS # maximum heap size for the JVM running ManagementPortal, increase this as necessary - value: "-Xmx1500m" + value: "-Xmx1500m -Djavax.net.ssl.trustStore=/etc/share/cert/BaltimoreCyberTrustRoot.crt.pem -Djavax.net.ssl.trustStorePassword={{ .Values.postgres.ssl.keystorepassword }}" ports: - name: http containerPort: 8080 @@ -118,6 +118,10 @@ spec: mountPath: /config/ - name: keystore mountPath: /mp-includes/config/ + {{- if .Values.postgres.ssl.enabled }} + - name: postgres-root-cert + mountPath: ~/.postgresql/ + {{ end }} volumes: - name: config configMap: @@ -125,6 +129,11 @@ spec: - name: keystore secret: secretName: {{ include "management-portal.fullname" . }}-keystore + {{- if .Values.postgres.ssl.enabled }} + - name: postgres-root-cert + secret: + secretName: {{ include "management-portal.fullname" . }}-root-cert + {{ end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/management-portal/templates/secrets-postgres-keystore.yaml b/charts/management-portal/templates/secrets-postgres-keystore.yaml new file mode 100644 index 00000000..3494f5a7 --- /dev/null +++ b/charts/management-portal/templates/secrets-postgres-keystore.yaml 
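Review bot: The new `JAVA_OPTS` value points `-Djavax.net.ssl.trustStore` at a PEM file, which a stock JVM will not load as a KeyStore (JKS/PKCS12 are expected) and which no volume in this hunk provides under `/etc/share/cert/`; the only mount added is `~/.postgresql/`, and Kubernetes requires an absolute `mountPath`, so the `~` is taken literally and the pod spec is rejected. Overriding the JVM-wide trust store also affects every outbound TLS connection the portal makes, not just PostgreSQL, so even a correctly loaded single-root store would break unrelated HTTPS or SMTP-TLS calls. The trust-store password is exposed in clear text in the container environment via `{{ .Values.postgres.ssl.keystorepassword }}` with the committed default `keystorepassword`; pgjdbc does not need it at all if the root certificate is given directly, so drop both flags and configure the driver through the URL (`sslmode=verify-full&sslrootcert=/root/.postgresql/root.crt`) with the Secret mounted at an absolute path. The JDBC URL in the same hunk, `managementportal&?ssl=true`, is still malformed — the separator should be `?` alone.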
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "management-portal.fullname" . }}-root-cert + labels: + app: {{ template "management-portal.name" . }} + chart: {{ template "management-portal.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +type: Opaque +data: + root.crt: {{ .Files.Get "files/BaltimoreCyberTrustRoot.crt.pem" | b64enc | quote }} diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml index 12727f1b..8efff0ba 100644 --- a/charts/management-portal/values.yaml +++ b/charts/management-portal/values.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: radarbase/management-portal - tag: 0.5.8 + tag: 0.6.0 pullPolicy: IfNotPresent nameOverride: "" @@ -57,6 +57,9 @@ postgres: host: postgresql-postgresql user: postgres password: password + ssl: + enabled: false + keystorepassword: keystorepassword from_email: from-email server_name: localhost From c1d48792ee1f5e23bfa0a080ea4178faadc216e4 Mon Sep 17 00:00:00 2001 From: nivethika Date: Thu, 9 Jul 2020 14:33:50 +0200 Subject: [PATCH 03/41] working configurations --- .../templates/deployment.yaml | 13 +--- helmfile.d/10-base.yaml | 63 +------------------ 2 files changed, 3 insertions(+), 73 deletions(-) diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index 5c693216..bfb661f4 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml @@ -47,7 +47,7 @@ spec: - name: SPRING_PROFILES_ACTIVE value: "prod,swagger" - name: SPRING_DATASOURCE_URL - value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal&?ssl=true" + value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal?ssl=true" - name: SPRING_DATASOURCE_USERNAME value: {{ .Values.postgres.user }} - name: SPRING_DATASOURCE_PASSWORD 
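Review bot: The new `-root-cert` Secret reads `files/BaltimoreCyberTrustRoot.crt.pem` with `.Files.Get`, but that file does not appear in this commit's diffstat; when it is absent `.Files.Get` returns an empty string and the chart renders an empty `root.crt` without complaint, so the TLS verification it is meant to anchor fails only at pod start. Make the omission a render-time error with `root.crt: {{ .Files.Get "files/BaltimoreCyberTrustRoot.crt.pem" | required "files/BaltimoreCyberTrustRoot.crt.pem is missing from the chart" | b64enc | quote }}`. The Secret is also rendered unconditionally while the mount that consumes it is wrapped in `{{- if .Values.postgres.ssl.enabled }}`; wrapping this template in the same condition keeps the two in step. A public CA root is not confidential, so a ConfigMap would be the more accurate resource type, though using a Secret here is harmless.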
@@ -84,7 +84,7 @@ spec: - name: JHIPSTER_SLEEP # gives time for the database to boot before the application value: "0" - name: JAVA_OPTS # maximum heap size for the JVM running ManagementPortal, increase this as necessary - value: "-Xmx1500m -Djavax.net.ssl.trustStore=/etc/share/cert/BaltimoreCyberTrustRoot.crt.pem -Djavax.net.ssl.trustStorePassword={{ .Values.postgres.ssl.keystorepassword }}" + value: "-Xmx1500m" ports: - name: http containerPort: 8080 @@ -118,10 +118,6 @@ spec: mountPath: /config/ - name: keystore mountPath: /mp-includes/config/ - {{- if .Values.postgres.ssl.enabled }} - - name: postgres-root-cert - mountPath: ~/.postgresql/ - {{ end }} volumes: - name: config configMap: @@ -129,11 +125,6 @@ spec: - name: keystore secret: secretName: {{ include "management-portal.fullname" . }}-keystore - {{- if .Values.postgres.ssl.enabled }} - - name: postgres-root-cert - secret: - secretName: {{ include "management-portal.fullname" . }}-root-cert - {{ end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index 2ac3ef80..27158e45 100644 --- a/helmfile.d/10-base.yaml +++ b/helmfile.d/10-base.yaml 
@@ -5,68 +5,12 @@ environments: - ../production.yaml helmDefaults: - atomic: true + atomic: false timeout: 600 kubeContext: {{ .Values.kubeContext }} releases: - - name: cp-zookeeper - chart: ../cp-helm-charts/charts/cp-zookeeper - wait: true - installed: {{ .Values.cp_zookeeper._install }} - values: - - {{ .Values.cp_zookeeper | toYaml | indent 8 | trim }} - - name: cp-kafka - chart: ../cp-helm-charts/charts/cp-kafka - wait: true - installed: {{ .Values.cp_kafka._install }} - values: - - "../charts/cp-kafka/values.yaml" - - {{ .Values.cp_kafka | toYaml | indent 8 | trim }} - set: - - name: brokers - value: {{ .Values.kafka_num_brokers }} - - name: cp-schema-registry - chart: ../cp-helm-charts/charts/cp-schema-registry - wait: true - installed: {{ .Values.cp_schema_registry._install }} - values: - - "../charts/cp-schema-registry/values.yaml" - - {{ .Values.cp_schema_registry | toYaml | indent 8 | trim }} - set: - - name: ingress.hosts[0].host - value: "{{ .Values.server_name }}" - - name: ingress.hosts[0].paths - values: ["/schema/?(.*)"] - - name: ingress.tls[0].secretName - value: radar-base-tls - - name: ingress.tls[0].hosts - values: ["{{ .Values.server_name }}"] - - name: catalog-server - chart: ../charts/catalog-server - wait: true - installed: {{ .Values.catalog_server._install }} - values: - - "../charts/postgresql/values.yaml" - - {{ .Values.catalog_server | toYaml | indent 8 | trim }} - set: - - name: kafka_num_brokers - value: {{ .Values.kafka_num_brokers }} - - - name: postgresql - chart: stable/postgresql - version: 5.3.3 - wait: false - installed: {{ .Values.postgresql._install }} - values: - - "../charts/postgresql/values.yaml" - - {{ .Values.postgresql | toYaml | indent 8 | trim }} - set: - - name: postgresqlPassword - value: {{ .Values.postgres_password }} - - name: replication.password - value: {{ .Values.postgres_password }} - name: management-portal chart: ../charts/management-portal 
@@ -81,8 +25,3 @@ releases: - name: postgres.password value: {{ .Values.postgres_password }} - - name: smtp - chart: ../charts/smtp - installed: {{ .Values.smtp._install }} - values: - - {{ .Values.smtp | toYaml | indent 8 | trim }} From ca33e59ed22d9c406218ccf0aefdf7ccf0fea705 Mon Sep 17 00:00:00 2001 From: nivethika Date: Fri, 10 Jul 2020 12:58:00 +0200 Subject: [PATCH 04/41] working ssl config (verify-ca) --- .../templates/deployment.yaml | 11 +++- helmfile.d/10-base.yaml | 63 ++++++++++++++++++- 2 files changed, 72 insertions(+), 2 deletions(-) diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index bfb661f4..86a471ca 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml @@ -47,7 +47,7 @@ spec: - name: SPRING_PROFILES_ACTIVE value: "prod,swagger" - name: SPRING_DATASOURCE_URL - value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal?ssl=true" + value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal?ssl=true&sslmode=verify-ca" - name: SPRING_DATASOURCE_USERNAME value: {{ .Values.postgres.user }} - name: SPRING_DATASOURCE_PASSWORD @@ -118,6 +118,10 @@ spec: mountPath: /config/ - name: keystore mountPath: /mp-includes/config/ + {{- if .Values.postgres.ssl.enabled }} + - name: postgres-root-cert + mountPath: /root/.postgresql/ + {{ end }} volumes: - name: config configMap: @@ -125,6 +129,11 @@ spec: - name: keystore secret: secretName: {{ include "management-portal.fullname" . }}-keystore + {{- if .Values.postgres.ssl.enabled }} + - name: postgres-root-cert + secret: + secretName: {{ include "management-portal.fullname" . }}-root-cert + {{ end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index 27158e45..2ac3ef80 100644 --- a/helmfile.d/10-base.yaml +++ b/helmfile.d/10-base.yaml 
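Review bot: `sslmode=verify-ca` in the new `SPRING_DATASOURCE_URL` only checks that the server certificate chains to the mounted `root.crt`, and since that root is the public Baltimore CyberTrust CA, any server holding a certificate issued under it would be accepted; `sslmode=verify-full` adds the hostname check that actually ties the connection to `{{ .Values.postgres.host }}`. The URL parameters are also applied regardless of `.Values.postgres.ssl.enabled`, while the `/root/.postgresql/` mount is conditional, so a deployment with SSL disabled (the values.yaml default) verifies against a trust anchor that was never mounted and cannot connect. One templated line fixes both and removes the dependence on the process user's home directory: `value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal{{ if .Values.postgres.ssl.enabled }}?ssl=true&sslmode=verify-full&sslrootcert=/root/.postgresql/root.crt{{ end }}"`. Note that pgjdbc only finds `/root/.postgresql/root.crt` on its own if the portal process runs as root, which depends on the image and is not visible here.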
@@ -5,12 +5,68 @@ environments: - ../production.yaml helmDefaults: - atomic: false + atomic: true timeout: 600 kubeContext: {{ .Values.kubeContext }} releases: + - name: cp-zookeeper + chart: ../cp-helm-charts/charts/cp-zookeeper + wait: true + installed: {{ .Values.cp_zookeeper._install }} + values: + - {{ .Values.cp_zookeeper | toYaml | indent 8 | trim }} + - name: cp-kafka + chart: ../cp-helm-charts/charts/cp-kafka + wait: true + installed: {{ .Values.cp_kafka._install }} + values: + - "../charts/cp-kafka/values.yaml" + - {{ .Values.cp_kafka | toYaml | indent 8 | trim }} + set: + - name: brokers + value: {{ .Values.kafka_num_brokers }} + - name: cp-schema-registry + chart: ../cp-helm-charts/charts/cp-schema-registry + wait: true + installed: {{ .Values.cp_schema_registry._install }} + values: + - "../charts/cp-schema-registry/values.yaml" + - {{ .Values.cp_schema_registry | toYaml | indent 8 | trim }} + set: + - name: ingress.hosts[0].host + value: "{{ .Values.server_name }}" + - name: ingress.hosts[0].paths + values: ["/schema/?(.*)"] + - name: ingress.tls[0].secretName + value: radar-base-tls + - name: ingress.tls[0].hosts + values: ["{{ .Values.server_name }}"] + - name: catalog-server + chart: ../charts/catalog-server + wait: true + installed: {{ .Values.catalog_server._install }} + values: + - "../charts/postgresql/values.yaml" + - {{ .Values.catalog_server | toYaml | indent 8 | trim }} + set: + - name: kafka_num_brokers + value: {{ .Values.kafka_num_brokers }} + + - name: postgresql + chart: stable/postgresql + version: 5.3.3 + wait: false + installed: {{ .Values.postgresql._install }} + values: + - "../charts/postgresql/values.yaml" + - {{ .Values.postgresql | toYaml | indent 8 | trim }} + set: + - name: postgresqlPassword + value: {{ .Values.postgres_password }} + - name: replication.password + value: {{ .Values.postgres_password }} - name: management-portal chart: ../charts/management-portal 
@@ -25,3 +81,8 @@ releases: - name: postgres.password value: {{ .Values.postgres_password }} + - name: smtp + chart: ../charts/smtp + installed: {{ .Values.smtp._install }} + values: + - {{ .Values.smtp | toYaml | indent 8 | trim }} From 82821b8513afd867938e588e368ebc1948be17cf Mon Sep 17 00:00:00 2001 From: nivethika Date: Mon, 13 Jul 2020 10:20:02 +0200 Subject: [PATCH 05/41] integrate sendgrid with management portal mail service --- base.yaml | 7 +++++++ .../templates/deployment.yaml | 18 ++++++++++++++++++ .../management-portal/templates/secrets.yaml | 4 ++++ charts/management-portal/values.yaml | 8 ++++++++ 4 files changed, 37 insertions(+) diff --git a/base.yaml b/base.yaml index aa0bd610..bc9cacd7 100644 --- a/base.yaml +++ b/base.yaml @@ -135,6 +135,13 @@ management_portal: radar_upload_frontend: secret radar_rest_sources_backend: secret radarFitbitConnector: secret + sendGrid: + enabled: false + host: smtp + port: 25 + username: username + password: secret + from: no-reply-more@chdr.nl smtp: diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index 86a471ca..e7b897e8 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml 
@@ -85,6 +85,24 @@ spec: value: "0" - name: JAVA_OPTS # maximum heap size for the JVM running ManagementPortal, increase this as necessary value: "-Xmx1500m" + {{- if .Values.sendGrid.enabled }} + - name: SPRING_MAIL_HOST + value: {{ .Values.sendGrid.host | quote }} + - name: SPRING_MAIL_PORT + value: {{ .Values.sendGrid.port | quote }} + - name: SPRING_MAIL_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "management-portal.secretName" . }} + key: sendGridUsername + - name: SPRING_MAIL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "management-portal.secretName" . }} + key: sendGridPassword + - name: SPRING_MAIL_FROM + value: {{ .Values.sendGrid.from | quote }} + {{ end }} ports: - name: http containerPort: 8080 diff --git a/charts/management-portal/templates/secrets.yaml b/charts/management-portal/templates/secrets.yaml index 9ec0ef0c..73e132e7 100644 --- a/charts/management-portal/templates/secrets.yaml +++ b/charts/management-portal/templates/secrets.yaml @@ -13,4 +13,8 @@ data: postgresql_password: {{ .Values.postgres.password | b64enc | quote }} managementportal_frontend_client_secret: {{ .Values.managementportal.frontend_client_secret | b64enc | quote }} managementportal_common_admin_password: {{ .Values.managementportal.common_admin_password | b64enc | quote }} + {{- if .Values.sendGrid.enabled }} + sendGridUsername: {{ .Values.sendGrid.username | b64enc | quote }} + sendGridPassword: {{ .Values.sendGrid.password | b64enc | quote }} + {{ end }} {{- end -}} diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml index 8efff0ba..cfd3a4e8 100644 --- a/charts/management-portal/values.yaml +++ b/charts/management-portal/values.yaml @@ -81,3 +81,11 @@ client_secrets: radar_upload_frontend: secret radar_rest_sources_backend: secret radarFitbitConnector: secret + +sendGrid: + enabled: false + host: smtp + port: 25 + username: username + password: secret + from: no-reply-more@chdr.nl \ No newline at end of file 
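Review bot: The SendGrid block sets `SPRING_MAIL_HOST`/`SPRING_MAIL_PORT` and injects the credentials from the Secret, but nothing enables STARTTLS; with the shipped default `port: 25` Spring Mail leaves `mail.smtp.starttls.enable` off, so the SendGrid API key carried in `SPRING_MAIL_PASSWORD` would be sent to the relay in clear text unless ManagementPortal's own application config (not visible here) forces TLS. Add `SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE` and `SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_REQUIRED` set to `"true"` (and `SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH` set to `"true"`) inside the same `if`, and change the default to `port: 587`. The `from: no-reply-more@chdr.nl` default in both values hunks is a specific organisation's address committed as a chart default; make it a neutral placeholder like `host`/`username` already are so other deployments do not send mail purporting to come from that domain. The default `password: secret` is likewise a committed credential that should be overridden, as the neighbouring `client_secrets` already require.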
From ee5f31c863099a984fe6ad85f06045b868d88253 Mon Sep 17 00:00:00 2001 From: nivethika Date: Mon, 13 Jul 2020 15:25:06 +0200 Subject: [PATCH 06/41] adapt kafka-init to optionally init radar-base for confluent cloud based stack --- base.yaml | 9 +++++++ .../catalog-server/templates/configmap.yaml | 24 +++++++++++++++++++ .../catalog-server/templates/deployment.yaml | 24 +++++++++++++++++++ charts/catalog-server/templates/secrets.yaml | 17 +++++++++++++ charts/catalog-server/values.yaml | 10 +++++++- 5 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 charts/catalog-server/templates/configmap.yaml create mode 100644 charts/catalog-server/templates/secrets.yaml diff --git a/base.yaml b/base.yaml index bc9cacd7..6d4f7bbf 100644 --- a/base.yaml +++ b/base.yaml @@ -105,6 +105,15 @@ cp_schema_registry: catalog_server: _install: true replicaCount: 1 + schema_registry: http://cp-schema-registry:8081 + + cc: + enabled: false + bootstrapServerurl: confluent-url + apiKey: ccApikey + apiSecret: ccApiSecret + schemaRegistryApiKey: srApiKey + schemaRegistryApiSecret: srApiSecret postgresql: _install: true diff --git a/charts/catalog-server/templates/configmap.yaml b/charts/catalog-server/templates/configmap.yaml new file mode 100644 index 00000000..11c482a5 --- /dev/null +++ b/charts/catalog-server/templates/configmap.yaml 
@@ -0,0 +1,24 @@ +{{- if .Values.cc.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "catalog-server.fullname" . }}-java-config + labels: + app: {{ template "catalog-server.name" . }} + chart: {{ template "catalog-server.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + java-config.properties: | + # Kafka + bootstrap.servers={{ .Values.cc.bootstrapServerurl }} + security.protocol=SASL_SSL + sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{{ .Values.cc.apiKey }}" password="{{ .Values.cc.apiSecret }}"; + ssl.endpoint.identification.algorithm=https + sasl.mechanism=PLAIN + + # Confluent Cloud Schema Registry + schema.registry.url={{ .Values.schema_registry}} + basic.auth.credentials.source=USER_INFO + schema.registry.basic.auth.user.info={{ .Values.cc.schemaRegistryApiKey }}:{{ .Values.cc.schemaRegistryApiSecret }} +{{- end -}} \ No newline at end of file diff --git a/charts/catalog-server/templates/deployment.yaml b/charts/catalog-server/templates/deployment.yaml index ee4b4f2c..a1c2c2ab 100644 --- a/charts/catalog-server/templates/deployment.yaml +++ b/charts/catalog-server/templates/deployment.yaml @@ -54,6 +54,25 @@ spec: value: "3" - name: RADAR_NUM_REPLICATION_FACTOR value: "3" + {{- if .Values.cc.enabled }} + - name: CC_CONFIG_FILE_PATH + value: "/etc/config/java-config.properties" + - name: CC_API_KEY + valueFrom: + secretKeyRef: + name: {{ template "catalog-server.fullname" . }} + key: srApiKey + - name: CC_API_SECRET + valueFrom: + secretKeyRef: + name: {{ template "catalog-server.fullname" . }} + key: srApiSecret + command: + - "cc_topic_init.sh" + volumeMounts: + - name: cc-java-config + mountPath: /etc/config/java-config.properties + {{ end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 
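Review bot: The new `java-config.properties` ConfigMap embeds the Confluent Cloud credentials in clear text — the Kafka API secret in `sasl.jaas.config=... password="{{ .Values.cc.apiSecret }}"` and the schema-registry secret in `schema.registry.basic.auth.user.info` — so anyone with `get configmaps` in the namespace, or any tooling that dumps ConfigMaps, obtains them, and the `catalog-server` Secret created in the same commit adds no protection while the same values sit next to it unprotected. Move the properties file into the Secret (a `java-config.properties` key under `stringData`) and mount that at `/etc/config/`, keeping a ConfigMap, if at all, for non-sensitive settings only. Separately, `schema.registry.url={{ .Values.schema_registry}}` defaults to `http://cp-schema-registry:8081`, so unless the URL is overridden the basic-auth credentials are sent over plain HTTP to the in-cluster registry.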
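Review bot: In the `{{- if .Values.cc.enabled }}` block of the kafka-init container, `CC_API_KEY`/`CC_API_SECRET` are wired to the `srApiKey`/`srApiSecret` Secret keys, i.e. the schema-registry credentials, while the same Secret also carries `ccApiKey`/`ccApiSecret` for Kafka; unless `cc_topic_init.sh` (not visible here) really expects the registry key under that name, the script is handed the wrong credential, and if it does, naming the variables `CC_SCHEMA_REGISTRY_API_KEY`/`CC_SCHEMA_REGISTRY_API_SECRET` would make that explicit. The `volumeMounts` entry also mounts the ConfigMap volume at the full file path `/etc/config/java-config.properties` without `subPath`, which yields a directory at that path rather than a file, so `CC_CONFIG_FILE_PATH` points at a directory. The container definition this block belongs to starts before the hunk.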
@@ -112,6 +131,11 @@ spec: {{- else }} emptyDir: {} {{ end }} + {{- if .Values.cc.enabled }} + - name: cc-java-config + configMap: + name: {{ include "catalog-server.fullname" . }}-java-config + {{- end -}} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/catalog-server/templates/secrets.yaml b/charts/catalog-server/templates/secrets.yaml new file mode 100644 index 00000000..98093adb --- /dev/null +++ b/charts/catalog-server/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{- if .Values.cc.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "catalog-server.fullname" . }} + labels: + app: {{ template "catalog-server.name" . }} + chart: {{ template "catalog-server.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +type: Opaque +data: + ccApiKey: {{ .Values.cc.apiKey | b64enc | quote }} + ccApiSecret: {{ .Values.cc.apiSecret | b64enc | quote }} + srApiKey: {{ .Values.cc.schemaRegistryApiKey| b64enc | quote }} + srApiSecret: {{ .Values.cc.schemaRegistryApiSecret | b64enc | quote }} +{{- end -}} diff --git a/charts/catalog-server/values.yaml b/charts/catalog-server/values.yaml index 9a8b1dd4..4a19029a 100644 --- a/charts/catalog-server/values.yaml +++ b/charts/catalog-server/values.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: radarbase/kafka-init - tag: 0.5.10.1 + tag: 0.5.11-rc0 pullPolicy: IfNotPresent nameOverride: "" @@ -67,3 +67,11 @@ affinity: {} kafka_num_brokers: 3 zookeeper: cp-zookeeper-headless:2181 schema_registry: http://cp-schema-registry:8081 + +cc: + enabled: false + bootstrapServerurl: confluent-url + apiKey: ccApikey + apiSecret: ccApiSecret + schemaRegistryApiKey: srApiKey + schemaRegistryApiSecret: srApiSecret \ No newline at end of file From 038b5eccc477dfa1384867b94e78a4545cfc7481 Mon Sep 17 00:00:00 2001 
From: nivethika Date: Tue, 14 Jul 2020 16:39:07 +0200 Subject: [PATCH 07/41] correct mount path and remove unnecessary config --- charts/catalog-server/templates/configmap.yaml | 5 ----- charts/catalog-server/templates/deployment.yaml | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/charts/catalog-server/templates/configmap.yaml b/charts/catalog-server/templates/configmap.yaml index 11c482a5..7f071970 100644 --- a/charts/catalog-server/templates/configmap.yaml +++ b/charts/catalog-server/templates/configmap.yaml @@ -16,9 +16,4 @@ data: sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="{{ .Values.cc.apiKey }}" password="{{ .Values.cc.apiSecret }}"; ssl.endpoint.identification.algorithm=https sasl.mechanism=PLAIN - - # Confluent Cloud Schema Registry - schema.registry.url={{ .Values.schema_registry}} - basic.auth.credentials.source=USER_INFO - schema.registry.basic.auth.user.info={{ .Values.cc.schemaRegistryApiKey }}:{{ .Values.cc.schemaRegistryApiSecret }} {{- end -}} \ No newline at end of file diff --git a/charts/catalog-server/templates/deployment.yaml b/charts/catalog-server/templates/deployment.yaml index a1c2c2ab..d2659e4c 100644 --- a/charts/catalog-server/templates/deployment.yaml +++ b/charts/catalog-server/templates/deployment.yaml @@ -71,7 +71,7 @@ spec: - "cc_topic_init.sh" volumeMounts: - name: cc-java-config - mountPath: /etc/config/java-config.properties + mountPath: /etc/config/ {{ end }} containers: - name: {{ .Chart.Name }} From f5a935a632569e3670448e24aebf5d148f542045 Mon Sep 17 00:00:00 2001 From: nivethika Date: Wed, 15 Jul 2020 10:53:13 +0200 Subject: [PATCH 08/41] single point for confluent cloud config on base.yml --- base.yaml | 16 +++++++++------- helmfile.d/10-base.yaml | 3 +++ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/base.yaml b/base.yaml index 6d4f7bbf..e538d441 100644 --- a/base.yaml +++ b/base.yaml 
@@ -88,6 +88,15 @@ velero: aws_secret_access_key=secretKey # --------------------------------------------------------- 10-base.yaml --------------------------------------------------------- +confluentCloud: + enabled: false + cc: + bootstrapServerurl: confluent-url + apiKey: ccApikey + apiSecret: ccApiSecret + schemaRegistryApiKey: srApiKey + schemaRegistryApiSecret: srApiSecret + cp_zookeeper: _install: true @@ -107,13 +116,6 @@ catalog_server: replicaCount: 1 schema_registry: http://cp-schema-registry:8081 - cc: - enabled: false - bootstrapServerurl: confluent-url - apiKey: ccApikey - apiSecret: ccApiSecret - schemaRegistryApiKey: srApiKey - schemaRegistryApiSecret: srApiSecret postgresql: _install: true diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index 2ac3ef80..90fd8b33 100644 --- a/helmfile.d/10-base.yaml +++ b/helmfile.d/10-base.yaml @@ -50,9 +50,12 @@ releases: values: - "../charts/postgresql/values.yaml" - {{ .Values.catalog_server | toYaml | indent 8 | trim }} + - {{ .Values.confluentCloud| toYaml | indent 8 | trim }} set: - name: kafka_num_brokers value: {{ .Values.kafka_num_brokers }} + - name: cc.enabled + value: {{ .Values.confluentCloud.enabled }} - name: postgresql chart: stable/postgresql From 414845f29e38b8640a5c5f02af2dc99539d58c0d Mon Sep 17 00:00:00 2001 From: nivethika Date: Wed, 15 Jul 2020 11:12:08 +0200 Subject: [PATCH 09/41] override schema registry url if confluent cloud is enabled. --- base.yaml | 4 ++-- helmfile.d/10-base.yaml | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/base.yaml b/base.yaml index e538d441..699a2eab 100644 --- a/base.yaml +++ b/base.yaml @@ -91,12 +91,12 @@ velero: confluentCloud: enabled: false cc: - bootstrapServerurl: confluent-url + bootstrapServerurl: confluentBootstrapServers apiKey: ccApikey apiSecret: ccApiSecret schemaRegistryApiKey: srApiKey schemaRegistryApiSecret: srApiSecret - + schemaRegistryUrl: confluentSchemaRegistryUrl cp_zookeeper: _install: true 
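Review bot: `confluentCloud.cc.apiKey`/`apiSecret` and the schema-registry pair now live in `base.yaml`, the committed defaults file every environment loads before `production.yaml` (see the `environments` block of `30-confluent-cloud.yaml` later in this series), so the placeholder strings are merged into every release unless overridden, and a deployment with `enabled: true` but no override only fails at runtime against Confluent Cloud. Keep the keys in `base.yaml` as empty strings, supply real values from the environment file (ideally a helm-secrets/SOPS-encrypted one), and use `required` in the charts that consume them. A comment on the block would help the next operator: `# Do not commit real keys here; set them in production.yaml (preferably encrypted) for the target environment.`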
diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index 90fd8b33..26c662a1 100644 --- a/helmfile.d/10-base.yaml +++ b/helmfile.d/10-base.yaml @@ -56,7 +56,10 @@ releases: value: {{ .Values.kafka_num_brokers }} - name: cc.enabled value: {{ .Values.confluentCloud.enabled }} - + {{- if .Values.confluentCloud.enabled }} + - name: schema_registry + value: {{ .Values.confluentCloud.cc.schemaRegistryUrl }} + {{ end }} - name: postgresql chart: stable/postgresql version: 5.3.3 From 4c71c0019a2d7c5fb3817f39509179165320c50d Mon Sep 17 00:00:00 2001 From: nivethika Date: Wed, 15 Jul 2020 11:26:50 +0200 Subject: [PATCH 10/41] migrate to camelcase syntax and to config format of radar-gateway:0.5.0 --- charts/radar-gateway/templates/configmap.yaml | 19 ++++++++++++++----- charts/radar-gateway/values.yaml | 15 +++++++++++---- helmfile.d/20-ingestion.yaml | 9 +++++++++ 3 files changed, 34 insertions(+), 9 deletions(-) diff --git a/charts/radar-gateway/templates/configmap.yaml b/charts/radar-gateway/templates/configmap.yaml index 6dc17008..63d3f4af 100644 --- a/charts/radar-gateway/templates/configmap.yaml +++ b/charts/radar-gateway/templates/configmap.yaml @@ -9,8 +9,17 @@ metadata: heritage: {{ .Release.Service }} data: gateway.yml: | - baseUri: http://0.0.0.0/radar-gateway/ - managementPortalUrl: http://{{ .Values.managementportal_host }}:8080/managementportal - restProxyUrl: {{ .Values.rest_proxy }} - schemaRegistryUrl: {{ .Values.schema_registry }} - #maxRequests: {{ .Values.max_requests }} + # Resource config class + #resourceConfig: org.radarbase.gateway.inject.ManagementPortalEnhancerFactory + + server: + baseUri: http://0.0.0.0/radar-gateway/ + + kafka: + producer: + bootstrap.servers: {{ .Values.bootstrapServers }} + serialization: + schema.registry.url: {{ .Values.schemaRegistry }} + + auth: + managementPortalUrl: http://{{ .Values.managementportalHost }}:8080/managementportal 
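Review bot: The templated scalars in the new `gateway.yml` are unquoted, so an unset `bootstrapServers` or `schemaRegistry` renders as an empty value (YAML null) instead of a failed render; `bootstrap.servers: {{ .Values.bootstrapServers | quote }}` and `schema.registry.url: {{ .Values.schemaRegistry | quote }}` make the file fail loudly and protect against values with YAML-significant characters. `managementPortalUrl` is built as cluster-internal plaintext `http://…:8080/managementportal`; that is the usual in-cluster setup, but since the gateway's token validation depends on it, a one-line comment saying it must stay cluster-internal and never point at an external host would save a later reader a question.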
diff --git a/charts/radar-gateway/values.yaml b/charts/radar-gateway/values.yaml index 3b7be57f..9e3f41fc 100644 --- a/charts/radar-gateway/values.yaml +++ b/charts/radar-gateway/values.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: radarbase/radar-gateway - tag: 0.3.9 + tag: 0.5.0 pullPolicy: IfNotPresent nameOverride: "" @@ -56,7 +56,14 @@ tolerations: [] affinity: {} -managementportal_host: management-portal -rest_proxy: http://cp-kafka-rest:8082 -schema_registry: http://cp-schema-registry:8081 +managementportalHost: management-portal +schemaRegistry: http://cp-schema-registry:8081 max_requests: 1000 +bootstrapServers: kafka-1:9092 + +cc: + enabled: false + apiKey: ccApikey + apiSecret: ccApiSecret + schemaRegistryApiKey: srApiKey + schemaRegistryApiSecret: srApiSecret \ No newline at end of file diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml index a0ef227a..4b9d27cb 100644 --- a/helmfile.d/20-ingestion.yaml +++ b/helmfile.d/20-ingestion.yaml @@ -23,6 +23,15 @@ releases: installed: {{ .Values.radar_gateway._install }} values: - {{ .Values.radar_gateway | toYaml | indent 8 | trim }} + - {{ .Values.confluentCloud| toYaml | indent 8 | trim }} set: - name: ingress.hosts values: [{{ .Values.server_name }}] + - name: cc.enabled + value: {{ .Values.confluentCloud.enabled }} + {{- if .Values.confluentCloud.enabled }} + - name: schemaRegistry + value: {{ .Values.confluentCloud.cc.schemaRegistryUrl }} + - name: bootstrapServers + value: {{ .Values.confluentCloud.cc.bootstrapServerurl }} + {{ end }} From 0255f2d53350a25e6a686421d30b829c58fa2c64 Mon Sep 17 00:00:00 2001 
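Review bot: `max_requests: 1000` is left in snake_case while the commit migrates the rest to camelCase, and its only consumer (the `#maxRequests` line in the old configmap) was removed in the same patch, so it is now dead configuration — drop it, or rename it and wire it into `gateway.yml`. The new `cc:` block ships placeholder credentials (`ccApikey`, `ccApiSecret`, …) as chart defaults, so a chart rendered with `cc.enabled: true` and no override silently carries dummy keys. Prefer empty defaults (`apiKey: ""`) and `required` at the point of use so a missing value fails `helm install` rather than the first Kafka connection. The file also ends without a trailing newline.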
From: nivethika Date: Wed, 15 Jul 2020 12:18:10 +0200 Subject: [PATCH 11/41] finalize configmap adaptation for gateway and optionally deploy servicemonitor --- charts/radar-gateway/templates/configmap.yaml | 12 +++++++++++- charts/radar-gateway/templates/servicemonitor.yaml | 2 ++ charts/radar-gateway/values.yaml | 3 +++ helmfile.d/20-ingestion.yaml | 9 ++------- 4 files changed, 18 insertions(+), 8 deletions(-) diff --git a/charts/radar-gateway/templates/configmap.yaml b/charts/radar-gateway/templates/configmap.yaml index 63d3f4af..72883e90 100644 --- a/charts/radar-gateway/templates/configmap.yaml +++ b/charts/radar-gateway/templates/configmap.yaml @@ -18,8 +18,18 @@ data: kafka: producer: bootstrap.servers: {{ .Values.bootstrapServers }} + {{- if .Values.cc.enabled }} + admin: + bootstrap.servers: {{ .Values.bootstrapServers }} + security.protocol: SASL_SSL + sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="{{ .Values.cc.apiKey }}" password="{{ .Values.cc.apiSecret }}"; + ssl.endpoint.identification.algorithm: https + sasl.mechanism: PLAIN + {{ end }} serialization: schema.registry.url: {{ .Values.schemaRegistry }} - + {{- if .Values.cc.enabled }} + schema.registry.basic.auth.user.info: {{ .Values.cc.schemaRegistryApiKey }}:{{ .Values.cc.schemaRegistryApiSecret }} + {{ end }} auth: managementPortalUrl: http://{{ .Values.managementportalHost }}:8080/managementportal diff --git a/charts/radar-gateway/templates/servicemonitor.yaml b/charts/radar-gateway/templates/servicemonitor.yaml index fb875f2e..4c1329f7 100644 --- a/charts/radar-gateway/templates/servicemonitor.yaml +++ b/charts/radar-gateway/templates/servicemonitor.yaml @@ -1,3 +1,4 @@ +{{- if .Values.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -17,3 +18,4 @@ spec: endpoints: - port: metrics interval: 15s +{{- end -}} \ No newline at end of file 
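Review bot: `schema.registry.basic.auth.user.info` is set without `basic.auth.credentials.source: USER_INFO`; the catalog-server properties this series removed in patch 07 paired the two, and with the Confluent clients the user-info value is only consulted when the source is `USER_INFO` (the default is `URL`), so unless radar-gateway sets the source itself the schema-registry credential is ignored — add `basic.auth.credentials.source: USER_INFO` beside it. The JAAS line with the Kafka password and the `key:secret` pair are rendered into a ConfigMap, readable by anyone with ConfigMap access in the namespace; a `Secret` carrying the same `gateway.yml` under `stringData`, mounted at the same path, keeps the rest of the template unchanged while putting the file under Secret RBAC. Also quote the JAAS scalar, e.g. `sasl.jaas.config: {{ printf "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"%s\" password=\"%s\";" .Values.cc.apiKey .Values.cc.apiSecret | quote }}`, so a secret containing ` #` or `: ` cannot break the YAML.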
diff --git a/charts/radar-gateway/values.yaml b/charts/radar-gateway/values.yaml index 9e3f41fc..0b17c394 100644 --- a/charts/radar-gateway/values.yaml +++ b/charts/radar-gateway/values.yaml @@ -56,6 +56,9 @@ tolerations: [] affinity: {} +serviceMonitor: + enabled: true + managementportalHost: management-portal schemaRegistry: http://cp-schema-registry:8081 max_requests: 1000 diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml index 4b9d27cb..3856e49c 100644 --- a/helmfile.d/20-ingestion.yaml +++ b/helmfile.d/20-ingestion.yaml @@ -10,13 +10,6 @@ helmDefaults: kubeContext: {{ .Values.kubeContext }} releases: - - name: cp-kafka-rest - chart: ../cp-helm-charts/charts/cp-kafka-rest - wait: false - installed: {{ .Values.cp_kafka_rest._install }} - values: - - "../charts/cp-kafka-rest/values.yaml" - - {{ .Values.cp_kafka_rest | toYaml | indent 8 | trim }} - name: radar-gateway chart: ../charts/radar-gateway @@ -29,6 +22,8 @@ releases: values: [{{ .Values.server_name }}] - name: cc.enabled value: {{ .Values.confluentCloud.enabled }} + - name: serviceMonitor.enabled + value: {{ .Values.prometheus_operator._install }} {{- if .Values.confluentCloud.enabled }} - name: schemaRegistry value: {{ .Values.confluentCloud.cc.schemaRegistryUrl }} From 879889c0e94d08031c4e5c0d328a6db460c71f37 Mon Sep 17 00:00:00 2001 From: nivethika Date: Wed, 15 Jul 2020 13:46:03 +0200 Subject: [PATCH 12/41] add back rest-proxy to helmfile --- helmfile.d/20-ingestion.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml index 3856e49c..1ac60b9d 100644 --- a/helmfile.d/20-ingestion.yaml +++ b/helmfile.d/20-ingestion.yaml 
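Review bot: `serviceMonitor.enabled: true` as the chart default makes a plain `helm install` of radar-gateway fail on any cluster without the `monitoring.coreos.com` CRDs; the helmfile overrides it from `prometheus_operator._install`, but the chart itself should be opt-in, i.e. `enabled: false`. A one-line comment noting that the ServiceMonitor requires the Prometheus Operator CRDs would help chart users outside this helmfile.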
@@ -10,6 +10,13 @@ helmDefaults: kubeContext: {{ .Values.kubeContext }} releases: + - name: cp-kafka-rest + chart: ../cp-helm-charts/charts/cp-kafka-rest + wait: false + installed: {{ .Values.cp_kafka_rest._install }} + values: + - "../charts/cp-kafka-rest/values.yaml" + - {{ .Values.cp_kafka_rest | toYaml | indent 8 | trim }} - name: radar-gateway chart: ../charts/radar-gateway From c7aaae9c217f1b88887e1ba84bfa3f1cdc59f2d5 Mon Sep 17 00:00:00 2001 From: nivethika Date: Wed, 15 Jul 2020 17:23:11 +0200 Subject: [PATCH 13/41] commit initial set-up for schema-registry-proxy --- base.yaml | 7 ++++ charts/cc-schema-registry-proxy/.helmignore | 22 +++++++++++ charts/cc-schema-registry-proxy/Chart.yaml | 5 +++ .../templates/NOTES.txt | 0 .../templates/_helpers.tpl | 32 ++++++++++++++++ .../templates/ingress.yaml | 28 ++++++++++++++ .../templates/service.yaml | 15 ++++++++ .../templates/tests/test-connection.yaml | 18 +++++++++ charts/cc-schema-registry-proxy/values.yaml | 38 +++++++++++++++++++ helmfile.d/30-confluent-cloud.yaml | 26 +++++++++++++ 10 files changed, 191 insertions(+) create mode 100644 charts/cc-schema-registry-proxy/.helmignore create mode 100644 charts/cc-schema-registry-proxy/Chart.yaml create mode 100644 charts/cc-schema-registry-proxy/templates/NOTES.txt create mode 100644 charts/cc-schema-registry-proxy/templates/_helpers.tpl create mode 100644 charts/cc-schema-registry-proxy/templates/ingress.yaml create mode 100644 charts/cc-schema-registry-proxy/templates/service.yaml create mode 100644 charts/cc-schema-registry-proxy/templates/tests/test-connection.yaml create mode 100644 charts/cc-schema-registry-proxy/values.yaml create mode 100644 helmfile.d/30-confluent-cloud.yaml diff --git a/base.yaml b/base.yaml index 699a2eab..61929b82 100644 --- a/base.yaml +++ b/base.yaml 
@@ -340,3 +340,10 @@ radar_s3_connector: replicaCount: 1 # The bucket name where intermediate data for cold storage should be written to. bucketName: radar_intermediate_storage + + +# --------------------------------------------------------- 30-confluent-cloud.yaml --------------------------------------------------------- + +ccSchemaRegistryProxy: + _install: false + externalName: schema-registry-domain \ No newline at end of file diff --git a/charts/cc-schema-registry-proxy/.helmignore b/charts/cc-schema-registry-proxy/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/charts/cc-schema-registry-proxy/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/cc-schema-registry-proxy/Chart.yaml b/charts/cc-schema-registry-proxy/Chart.yaml new file mode 100644 index 00000000..7b84111c --- /dev/null +++ b/charts/cc-schema-registry-proxy/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Kubernetes +name: cc-schema-registry-proxy +version: 0.1.0 diff --git a/charts/cc-schema-registry-proxy/templates/NOTES.txt b/charts/cc-schema-registry-proxy/templates/NOTES.txt new file mode 100644 index 00000000..e69de29b diff --git a/charts/cc-schema-registry-proxy/templates/_helpers.tpl b/charts/cc-schema-registry-proxy/templates/_helpers.tpl new file mode 100644 index 00000000..e3ebd47b --- /dev/null +++ b/charts/cc-schema-registry-proxy/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cc-schema-registry-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cc-schema-registry-proxy.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cc-schema-registry-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/cc-schema-registry-proxy/templates/ingress.yaml b/charts/cc-schema-registry-proxy/templates/ingress.yaml new file mode 100644 index 00000000..045f7733 --- /dev/null +++ b/charts/cc-schema-registry-proxy/templates/ingress.yaml 
@@ -0,0 +1,28 @@ +{{- $fullName := include "cc-schema-registry-proxy.fullname" . -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + app.kubernetes.io/name: {{ include "cc-schema-registry-proxy.name" . }} + helm.sh/chart: {{ include "cc-schema-registry-proxy.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.service.externalName }} +spec: + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + backend: + serviceName: {{ $fullName }} + servicePort: https + {{- end }} + {{- end }} diff --git a/charts/cc-schema-registry-proxy/templates/service.yaml b/charts/cc-schema-registry-proxy/templates/service.yaml new file mode 100644 index 00000000..4c725c93 --- /dev/null +++ b/charts/cc-schema-registry-proxy/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "cc-schema-registry-proxy.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "cc-schema-registry-proxy.name" . }} + helm.sh/chart: {{ include "cc-schema-registry-proxy.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + externalName: {{ .Values.service.externalName }} + selector: + app.kubernetes.io/name: {{ include "cc-schema-registry-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/cc-schema-registry-proxy/templates/tests/test-connection.yaml b/charts/cc-schema-registry-proxy/templates/tests/test-connection.yaml new file mode 100644 index 00000000..a110cc1d --- /dev/null +++ b/charts/cc-schema-registry-proxy/templates/tests/test-connection.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "cc-schema-registry-proxy.fullname" . }}-test-connection" + labels: + app.kubernetes.io/name: {{ include "cc-schema-registry-proxy.name" . }} + helm.sh/chart: {{ include "cc-schema-registry-proxy.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "cc-schema-registry-proxy.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/cc-schema-registry-proxy/values.yaml b/charts/cc-schema-registry-proxy/values.yaml new file mode 100644 index 00000000..804e3a20 --- /dev/null +++ b/charts/cc-schema-registry-proxy/values.yaml @@ -0,0 +1,38 @@ + +replicaCount: 1 + +service: + type: ExternalName + externalName: schema-registry-domain + +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/configuration-snippet: | + limit_except GET { + deny all; + } + nginx.ingress.kubernetes.io/server-snippet: | + proxy_ssl_name schema-registry-domain; + proxy_ssl_server_name on; + hosts: + - host: localhost + path: "/schema/?(.*)" + tls: + secretName: radar-base-tls + hosts: + more-dev.thehyve.net + + + + +cc: + enabled: false + bootstrapServerurl: confluent-url + apiKey: ccApikey + apiSecret: ccApiSecret + schemaRegistryApiKey: srApiKey + schemaRegistryApiSecret: srApiSecret \ No newline at end of file diff --git a/helmfile.d/30-confluent-cloud.yaml b/helmfile.d/30-confluent-cloud.yaml new file mode 100644 index 00000000..c97f9771 --- /dev/null +++ b/helmfile.d/30-confluent-cloud.yaml 
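Review bot: The test pod's argument uses `{{ .Values.service.port }}`, which is not defined in the chart's values.yaml in this patch (only `service.type` and `service.externalName`), so it renders as `cc-schema-registry-proxy:` and `helm test` fails. Even with a port, `wget` against an `ExternalName` service name will not match the upstream TLS certificate, so the scaffolded test does not exercise this chart meaningfully; either test through the Ingress path (e.g. `wget -O- https://{{ index .Values.ingress.hosts 0 }}/schema/subjects`) or delete the generated test. If the test stays, define `service.port: 443` in values.yaml so the template at least renders.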
@@ -0,0 +1,26 @@ +environments: + default: + values: + - ../base.yaml + - ../production.yaml + +helmDefaults: + atomic: true + timeout: 600 + kubeContext: {{ .Values.kubeContext }} + +releases: + - name: cc-schema-registry-proxy + chart: ../charts/cc-schema-registry-proxy + installed: {{ .Values.ccSchemaRegistryProxy._install }} + values: + - {{ .Values.ccSchemaRegistryProxy | toYaml | indent 8 | trim }} + set: + - name: kafka_num_brokers + value: {{ .Values.kafka_num_brokers }} + - name: s3Endpoint + value: {{ .Values.minio.s3Endpoint }} + - name: bucketAccessKey + value: {{ .Values.minio.accessKey }} + - name: bucketSecretKey + value: {{ .Values.minio.secretKey }} From c25d295777b374e2cc24029c921a00f489163847 Mon Sep 17 00:00:00 2001 From: nivethika Date: Wed, 15 Jul 2020 19:41:30 +0200 Subject: [PATCH 14/41] add basic auth --- .../templates/ingress.yaml | 29 +++++++++++++++---- charts/cc-schema-registry-proxy/values.yaml | 14 ++------- .../management-portal/templates/ingress.yaml | 2 +- helmfile.d/30-confluent-cloud.yaml | 11 ++----- 4 files changed, 30 insertions(+), 26 deletions(-) diff --git a/charts/cc-schema-registry-proxy/templates/ingress.yaml b/charts/cc-schema-registry-proxy/templates/ingress.yaml index 045f7733..a7fa7c3e 100644 --- a/charts/cc-schema-registry-proxy/templates/ingress.yaml +++ b/charts/cc-schema-registry-proxy/templates/ingress.yaml @@ -1,4 +1,10 @@ +{{- if .Values.ingress.enabled -}} {{- $fullName := include "cc-schema-registry-proxy.fullname" . -}} +{{- $path := .Values.ingress.path -}} +{{- $hosts := .Values.ingress.hosts -}} +{{- $externalName := .Values.service.externalName -}} +{{- $credentials := print .Values.cc.schemaRegistryApiKey ":" .Values.cc.schemaRegistryApiSecret -}} + apiVersion: extensions/v1beta1 kind: Ingress metadata: 
@@ -12,17 +18,30 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} - nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.service.externalName }} + nginx.ingress.kubernetes.io/upstream-vhost: {{ $externalName }} + nginx.ingress.kubernetes.io/backend-protocol: https + nginx.ingress.kubernetes.io/server-snippet: | + proxy_ssl_name "{{ $externalName }};" + proxy_ssl_server_name on; + proxy_set_header Authorization "Basic {{ $credentials | quote | b64enc }}"; + spec: +{{- if .Values.ingress.tls }} + tls: + - hosts: + {{- range $hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .Values.ingress.tls.secretName }} +{{- end }} rules: {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} + - host: {{ . | quote }} http: paths: - {{- range .paths }} - - path: {{ . }} + - path: {{ $path | quote }} backend: serviceName: {{ $fullName }} servicePort: https - {{- end }} {{- end }} +{{- end }} diff --git a/charts/cc-schema-registry-proxy/values.yaml b/charts/cc-schema-registry-proxy/values.yaml index 804e3a20..20efd715 100644 --- a/charts/cc-schema-registry-proxy/values.yaml +++ b/charts/cc-schema-registry-proxy/values.yaml @@ -15,24 +15,14 @@ ingress: limit_except GET { deny all; } - nginx.ingress.kubernetes.io/server-snippet: | - proxy_ssl_name schema-registry-domain; - proxy_ssl_server_name on; + path: "/schema/?(.*)" hosts: - - host: localhost - path: "/schema/?(.*)" + - localhost tls: secretName: radar-base-tls - hosts: - more-dev.thehyve.net - cc: - enabled: false - bootstrapServerurl: confluent-url - apiKey: ccApikey - apiSecret: ccApiSecret schemaRegistryApiKey: srApiKey schemaRegistryApiSecret: srApiSecret \ No newline at end of file diff --git a/charts/management-portal/templates/ingress.yaml b/charts/management-portal/templates/ingress.yaml index 37462d2f..4aed24b5 100644 --- a/charts/management-portal/templates/ingress.yaml +++ b/charts/management-portal/templates/ingress.yaml 
@@ -22,7 +22,7 @@ spec: {{- range $hosts }} - {{ . | quote }} {{- end }} - secretName: {{ .secretName }} + secretName: {{ .Values.ingress.tls.secretName }} {{- end }} rules: {{- range .Values.ingress.hosts }} diff --git a/helmfile.d/30-confluent-cloud.yaml b/helmfile.d/30-confluent-cloud.yaml index c97f9771..fcf09135 100644 --- a/helmfile.d/30-confluent-cloud.yaml +++ b/helmfile.d/30-confluent-cloud.yaml @@ -15,12 +15,7 @@ releases: installed: {{ .Values.ccSchemaRegistryProxy._install }} values: - {{ .Values.ccSchemaRegistryProxy | toYaml | indent 8 | trim }} + - {{ .Values.confluentCloud| toYaml | indent 8 | trim }} set: - - name: kafka_num_brokers - value: {{ .Values.kafka_num_brokers }} - - name: s3Endpoint - value: {{ .Values.minio.s3Endpoint }} - - name: bucketAccessKey - value: {{ .Values.minio.accessKey }} - - name: bucketSecretKey - value: {{ .Values.minio.secretKey }} + - name: service.externalName + value: {{ .Values.ccSchemaRegistryProxy.externalName }} From 8d5d6acf1c7059e034109b7acbc09cce50624eaa Mon Sep 17 00:00:00 2001 From: nivethika Date: Wed, 15 Jul 2020 22:29:57 +0200 Subject: [PATCH 15/41] working redirect to external-host --- charts/cc-schema-registry-proxy/templates/ingress.yaml | 7 +++---- charts/cc-schema-registry-proxy/values.yaml | 2 +- helmfile.d/30-confluent-cloud.yaml | 2 ++ 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/cc-schema-registry-proxy/templates/ingress.yaml b/charts/cc-schema-registry-proxy/templates/ingress.yaml index a7fa7c3e..58b30ed6 100644 --- a/charts/cc-schema-registry-proxy/templates/ingress.yaml +++ b/charts/cc-schema-registry-proxy/templates/ingress.yaml 
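Review bot: `- {{ .Values.confluentCloud| toYaml | indent 8 | trim }}` hands the whole `confluentCloud` map — including the Kafka `apiKey`/`apiSecret` and `bootstrapServerurl` — to a release whose only consumer is the schema-registry pair (`$credentials` in ingress.yaml reads `cc.schemaRegistryApiKey`/`cc.schemaRegistryApiSecret`), so the Kafka credentials end up in this release's stored values for no reason. Pass just the two values the chart needs via `set` and drop the values entry; quoting them guards against secrets with YAML-significant characters. The missing space in `confluentCloud|` is harmless to the template engine but worth normalising.
```yaml
      set:
        - name: service.externalName
          value: {{ .Values.ccSchemaRegistryProxy.externalName }}
        - name: cc.schemaRegistryApiKey
          value: {{ .Values.confluentCloud.cc.schemaRegistryApiKey | quote }}
        - name: cc.schemaRegistryApiSecret
          value: {{ .Values.confluentCloud.cc.schemaRegistryApiSecret | quote }}
```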
@@ -19,10 +19,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} nginx.ingress.kubernetes.io/upstream-vhost: {{ $externalName }} + nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/backend-protocol: https - nginx.ingress.kubernetes.io/server-snippet: | - proxy_ssl_name "{{ $externalName }};" - proxy_ssl_server_name on; + nginx.ingress.kubernetes.io/configuration-snippet: | proxy_set_header Authorization "Basic {{ $credentials | quote | b64enc }}"; spec: @@ -42,6 +41,6 @@ spec: - path: {{ $path | quote }} backend: serviceName: {{ $fullName }} - servicePort: https + servicePort: 443 {{- end }} {{- end }} diff --git a/charts/cc-schema-registry-proxy/values.yaml b/charts/cc-schema-registry-proxy/values.yaml index 20efd715..da374cb7 100644 --- a/charts/cc-schema-registry-proxy/values.yaml +++ b/charts/cc-schema-registry-proxy/values.yaml @@ -10,7 +10,7 @@ ingress: annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.ingress.kubernetes.io/rewrite-target: /$1 + ingress.kubernetes.io/preserve-host: "false" nginx.ingress.kubernetes.io/configuration-snippet: | limit_except GET { deny all; diff --git a/helmfile.d/30-confluent-cloud.yaml b/helmfile.d/30-confluent-cloud.yaml index fcf09135..dba7e7f2 100644 --- a/helmfile.d/30-confluent-cloud.yaml +++ b/helmfile.d/30-confluent-cloud.yaml @@ -19,3 +19,5 @@ releases: set: - name: service.externalName value: {{ .Values.ccSchemaRegistryProxy.externalName }} + - name: ingress.hosts + values: [{{ .Values.server_name }}] \ No newline at end of file From ffb47e446ee579ee1672cb3d0dc5424b69be1fc8 Mon Sep 17 00:00:00 2001 From: nivethika Date: Thu, 16 Jul 2020 11:51:12 +0200 Subject: [PATCH 16/41] move all annotations to single point --- .../templates/ingress.yaml | 14 +++++++++----- charts/cc-schema-registry-proxy/values.yaml | 10 ---------- 2 files changed, 9 insertions(+), 15 deletions(-) 
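Review bot: `ingress.kubernetes.io/preserve-host: "false"` does not appear to be an annotation ingress-nginx understands (as far as I can tell it is the Traefik spelling), and the `nginx.ingress.kubernetes.io/upstream-vhost` annotation already on this Ingress is what rewrites the Host header, so the line is most likely dead and can be removed. If it was added while chasing the redirect the commit message describes, the working parts are `upstream-vhost` plus `backend-protocol: https`; a short comment on those two would stop the next person from re-adding it.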
diff --git a/charts/cc-schema-registry-proxy/templates/ingress.yaml b/charts/cc-schema-registry-proxy/templates/ingress.yaml index 58b30ed6..c97253d1 100644 --- a/charts/cc-schema-registry-proxy/templates/ingress.yaml +++ b/charts/cc-schema-registry-proxy/templates/ingress.yaml @@ -14,15 +14,19 @@ metadata: helm.sh/chart: {{ include "cc-schema-registry-proxy.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- with .Values.ingress.annotations }} annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt-prod + ingress.kubernetes.io/preserve-host: "false" + nginx.ingress.kubernetes.io/configuration-snippet: | + limit_except GET { + deny all; + } + more_set_headers "Authorization: Basic {{ $credentials | b64enc }}"; nginx.ingress.kubernetes.io/upstream-vhost: {{ $externalName }} nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/backend-protocol: https - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header Authorization "Basic {{ $credentials | quote | b64enc }}"; + spec: {{- if .Values.ingress.tls }} diff --git a/charts/cc-schema-registry-proxy/values.yaml b/charts/cc-schema-registry-proxy/values.yaml index da374cb7..32a8ce51 100644 --- a/charts/cc-schema-registry-proxy/values.yaml +++ b/charts/cc-schema-registry-proxy/values.yaml @@ -7,22 +7,12 @@ service: ingress: enabled: true - annotations: - kubernetes.io/ingress.class: nginx - cert-manager.io/cluster-issuer: letsencrypt-prod - ingress.kubernetes.io/preserve-host: "false" - nginx.ingress.kubernetes.io/configuration-snippet: | - limit_except GET { - deny all; - } path: "/schema/?(.*)" hosts: - localhost tls: secretName: radar-base-tls - - cc: schemaRegistryApiKey: srApiKey schemaRegistryApiSecret: srApiSecret \ No newline at end of file From 4cbb20b3c23998041d68e7c2ea31cf2f4f16f937 Mon Sep 17 00:00:00 2001 
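Review bot: Hard-coding `kubernetes.io/ingress.class: nginx` and `cert-manager.io/cluster-issuer: letsencrypt-prod` in the template — and deleting `ingress.annotations` from values.yaml in the same patch — removes the only way for an environment to use a staging issuer or a different ingress class; keep the functional annotations in the template but restore the `{{- with .Values.ingress.annotations }}{{ toYaml . | nindent 4 }}{{- end }}` merge for the environment-specific ones. Also, `more_set_headers` sets a response header, so as written the Basic credential would be returned to every client; the next patch corrects it to `more_set_input_headers`, but a comment on that line would keep it from being regressed. Finally, the snippet relies on the `headers-more` module bundled with ingress-nginx and, in recent ingress-nginx releases, snippet annotations may be disabled unless the controller explicitly allows them; document both assumptions in the chart.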
From: nivethika Date: Thu, 16 Jul 2020 12:45:24 +0200 Subject: [PATCH 17/41] working auth configuration --- charts/cc-schema-registry-proxy/templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cc-schema-registry-proxy/templates/ingress.yaml b/charts/cc-schema-registry-proxy/templates/ingress.yaml index c97253d1..cc1334a4 100644 --- a/charts/cc-schema-registry-proxy/templates/ingress.yaml +++ b/charts/cc-schema-registry-proxy/templates/ingress.yaml @@ -22,7 +22,7 @@ metadata: limit_except GET { deny all; } - more_set_headers "Authorization: Basic {{ $credentials | b64enc }}"; + more_set_input_headers "Authorization: Basic {{ $credentials | b64enc }}"; nginx.ingress.kubernetes.io/upstream-vhost: {{ $externalName }} nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/backend-protocol: https From 0fab95bf32f9bba42ec1e3f41abb2ea3cc7528f3 Mon Sep 17 00:00:00 2001 From: nivethika Date: Thu, 16 Jul 2020 14:19:27 +0200 Subject: [PATCH 18/41] fixes configuration issues on gateway --- charts/radar-gateway/templates/configmap.yaml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/charts/radar-gateway/templates/configmap.yaml b/charts/radar-gateway/templates/configmap.yaml index 72883e90..ea46a578 100644 --- a/charts/radar-gateway/templates/configmap.yaml +++ b/charts/radar-gateway/templates/configmap.yaml 
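Review bot: The finished configuration attaches the Schema Registry Basic credential to every request that reaches `/schema/` on the public host, so the upstream's authentication is effectively replaced by anonymous GET/HEAD access (`limit_except GET` lets HEAD through as well) — if that is the intended contract for the RADAR clients, say so in the template. The base64 credential sits in an Ingress annotation, readable by anyone who can `get ingress` in the namespace and copied into the controller's nginx.conf, so it gets neither Secret RBAC nor encryption-at-rest; a comment plus a rotation note is the least that should accompany it. Also, ingress-nginx does not, to my knowledge, verify the upstream certificate by default, so the credential is sent to whatever `$externalName` resolves to; consider `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` with a `proxy-ssl-secret` holding the CA. Proposed comment above the snippet: `# Intentionally exposes the Confluent Cloud schema registry read-only (GET/HEAD) to unauthenticated clients; the Basic credential below is visible to anyone who can read this Ingress.`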
@@ -19,12 +19,17 @@ data: producer: bootstrap.servers: {{ .Values.bootstrapServers }} {{- if .Values.cc.enabled }} - admin: - bootstrap.servers: {{ .Values.bootstrapServers }} - security.protocol: SASL_SSL - sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="{{ .Values.cc.apiKey }}" password="{{ .Values.cc.apiSecret }}"; - ssl.endpoint.identification.algorithm: https - sasl.mechanism: PLAIN + bootstrap.servers: {{ .Values.bootstrapServers }} + security.protocol: SASL_SSL + sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="{{ .Values.cc.apiKey }}" password="{{ .Values.cc.apiSecret }}"; + ssl.endpoint.identification.algorithm: https + sasl.mechanism: PLAIN + admin: + bootstrap.servers: {{ .Values.bootstrapServers }} + security.protocol: SASL_SSL + sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="{{ .Values.cc.apiKey }}" password="{{ .Values.cc.apiSecret }}"; + ssl.endpoint.identification.algorithm: https + sasl.mechanism: PLAIN {{ end }} serialization: schema.registry.url: {{ .Values.schemaRegistry }} From b1d8687907f64ce6b0535a1af8eef90816b92fe1 Mon Sep 17 00:00:00 2001 
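Review bot: The SASL block is now duplicated verbatim under `producer:` and `admin:`, so the password appears twice in the ConfigMap and any future change (mechanism, endpoint identification) has to be made in two places; a named template (`{{- define "radar-gateway.ccKafka" }}` holding the five keys, included with `nindent`) keeps one copy — YAML anchors are not an option inside the `gateway.yml: |` block scalar, since only the gateway's own parser sees them. The `sasl.jaas.config:` value is still an unquoted plain scalar with embedded `"` and `;`; a secret containing ` #` or `: ` breaks the YAML, so build it with `printf … | quote`. The whole file, credentials included, is still a ConfigMap; a Secret with the same content under `stringData` mounted at the same path would be preferable.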
From: Joris Borgdorff Date: Thu, 16 Jul 2020 19:53:26 +0200 Subject: [PATCH 19/41] Add radar-s3-connector combined with s3proxy to stack --- base.yaml | 11 ++- .../templates/configmap.yaml | 7 +- .../templates/deployment.yaml | 70 +++++++++++++-- charts/radar-s3-connector/values.yaml | 18 ++-- charts/s3proxy/.helmignore | 22 +++++ charts/s3proxy/Chart.yaml | 5 ++ charts/s3proxy/templates/NOTES.txt | 0 charts/s3proxy/templates/_helpers.tpl | 32 +++++++ charts/s3proxy/templates/configmap.yaml | 9 ++ charts/s3proxy/templates/deployment.yaml | 90 +++++++++++++++++++ charts/s3proxy/templates/ingress.yaml | 0 charts/s3proxy/templates/service.yaml | 19 ++++ .../templates/tests/test-connection.yaml | 18 ++++ charts/s3proxy/values.yaml | 47 ++++++++++ helmfile.d/20-s3.yaml | 17 ++-- 15 files changed, 337 insertions(+), 28 deletions(-) create mode 100644 charts/s3proxy/.helmignore create mode 100644 charts/s3proxy/Chart.yaml create mode 100644 charts/s3proxy/templates/NOTES.txt create mode 100644 charts/s3proxy/templates/_helpers.tpl create mode 100644 charts/s3proxy/templates/configmap.yaml create mode 100644 charts/s3proxy/templates/deployment.yaml create mode 100644 charts/s3proxy/templates/ingress.yaml create mode 100644 charts/s3proxy/templates/service.yaml create mode 100644 charts/s3proxy/templates/tests/test-connection.yaml create mode 100644 charts/s3proxy/values.yaml diff --git a/base.yaml b/base.yaml index 61929b82..0fc66782 100644 --- a/base.yaml +++ b/base.yaml 
@@ -340,10 +340,19 @@ radar_s3_connector: replicaCount: 1 # The bucket name where intermediate data for cold storage should be written to. bucketName: radar_intermediate_storage + bucketAccessKey: AKIAIOSFODNN7EXAMPLE + bucketSecretKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + s3Endpoint: http://minio:9000/ +s3_proxy: + _install: false + replicaCount: 1 + s3AccessKey: AKIAIOSFODNN7EXAMPLE + s3Secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + provider: azureblob # --------------------------------------------------------- 30-confluent-cloud.yaml --------------------------------------------------------- ccSchemaRegistryProxy: _install: false - externalName: schema-registry-domain \ No newline at end of file + externalName: schema-registry-domain diff --git a/charts/radar-s3-connector/templates/configmap.yaml b/charts/radar-s3-connector/templates/configmap.yaml index 97390885..0f8bb4b4 100644 --- a/charts/radar-s3-connector/templates/configmap.yaml +++ b/charts/radar-s3-connector/templates/configmap.yaml @@ -21,14 +21,15 @@ data: aws.secret.access.key={{ .Values.bucketSecretKey }} store.url={{ .Values.s3Endpoint }} storage.class=io.confluent.connect.s3.storage.S3Storage - format.class=org.radarbase.connect.s3.RadarBaseAvroFormat + format.class=io.confluent.connect.s3.format.avro.AvroFormat + transforms=keyToValue + transforms.keyToValue.type=org.radarbase.kafka.connect.transforms.KeyValueTransform rotate.schedule.interval.ms = 900000 timezone=UTC avro.codec=deflate errors.tolerance=all errors.deadletterqueue.topic.name=dead_letter_queue_s3 - errors.deadletterqueue.topic.replication.factor=2 + errors.deadletterqueue.topic.replication.factor=3 errors.deadletterqueue.context.headers.enable=true errors.retry.delay.max.ms=60000 errors.retry.timeout=300000 - diff --git a/charts/radar-s3-connector/templates/deployment.yaml b/charts/radar-s3-connector/templates/deployment.yaml index 0aa8b19c..d14d306e 100644 --- a/charts/radar-s3-connector/templates/deployment.yaml 
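Review bot: `bucketAccessKey`/`bucketSecretKey` and `s3AccessKey`/`s3Secret` add credential defaults to base.yaml, a committed file shared by every environment; even as the AWS documentation example pair they set the expectation that credentials are configured in plain values. Later patches in this series add a `secrets:` entry (`../../secrets/production.yaml`) to the helmfiles, so these keys would be better left empty here (`bucketAccessKey: ""`) and supplied from the secrets file only. A comment such as `# Credentials: set in the secrets file, not here` above them would make that contract explicit.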
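Review bot: `errors.deadletterqueue.topic.replication.factor=3` hard-codes the broker count at the same time as this patch removes the connector's `kafka_num_brokers` value and `KAFKA_BROKERS` env var (values.yaml and deployment hunks), so a cluster with fewer than three brokers can no longer create the dead-letter topic. Rendering it from a value, `errors.deadletterqueue.topic.replication.factor={{ .Values.kafka.replicationFactor }}`, with a default of 3 added under the new `kafka:` block in values.yaml, keeps it configurable. Because `errors.tolerance=all` routes every failed record to this topic, an uncreatable DLQ may mean bad records are dropped rather than retained, so this is worth a comment in the template as well.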
+++ b/charts/radar-s3-connector/templates/deployment.yaml @@ -43,7 +43,47 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: CONNECT_BOOTSTRAP_SERVERS - value: "{{ .Values.kafka }}" + value: "{{ .Values.kafka.url }}" + - name: CONNECT_REQUEST_TIMEOUT_MS + value: "20000" + - name: CONNECT_RETRY_BACKOFF_MS + value: "500" + - name: CONNECT_SECURITY_PROTOCOL + value: "{{ .Values.kafka.securityProtocol }}" + - name: CONNECT_SASL_JAAS_CONFIG + value: "{{ .Values.kafka.saslJaasConfig }}" + - name: CONNECT_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM + value: "{{ .Values.kafka.sslEndpointIdentificationAlgorithm }}" + - name: CONNECT_SASL_MECHANISM + value: "{{ .Values.kafka.saslMechanism }}" + - name: CONNECT_PRODUCER_BOOTSTRAP_SERVERS + value: "{{ .Values.kafka.url }}" + - name: CONNECT_PRODUCER_SECURITY_PROTOCOL + value: "{{ .Values.kafka.securityProtocol }}" + - name: CONNECT_PRODUCER_SASL_JAAS_CONFIG + value: "{{ .Values.kafka.saslJaasConfig }}" + - name: CONNECT_PRODUCER_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM + value: "{{ .Values.kafka.sslEndpointIdentificationAlgorithm }}" + - name: CONNECT_PRODUCER_SASL_MECHANISM + value: "{{ .Values.kafka.saslMechanism }}" + - name: CONNECT_PRODUCER_REQUEST_TIMEOUT_MS + value: "20000" + - name: CONNECT_PRODUCER_RETRY_BACKOFF_MS + value: "500" + - name: CONNECT_CONSUMER_BOOTSTRAP_SERVERS + value: "{{ .Values.kafka.url }}" + - name: CONNECT_CONSUMER_SECURITY_PROTOCOL + value: "{{ .Values.kafka.securityProtocol }}" + - name: CONNECT_CONSUMER_SASL_JAAS_CONFIG + value: "{{ .Values.kafka.saslJaasConfig }}" + - name: CONNECT_CONSUMER_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM + value: "{{ .Values.kafka.sslEndpointIdentificationAlgorithm }}" + - name: CONNECT_CONSUMER_SASL_MECHANISM + value: "{{ .Values.kafka.saslMechanism }}" + - name: CONNECT_CONSUMER_REQUEST_TIMEOUT_MS + value: "20000" + - name: CONNECT_CONSUMER_RETRY_BACKOFF_MS + value: "500" - name: CONNECT_REST_PORT value: "8083" - name: CONNECT_GROUP_ID 
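Review bot: `CONNECT_SASL_JAAS_CONFIG` (and its `CONNECT_PRODUCER_`/`CONNECT_CONSUMER_` copies) injects `{{ .Values.kafka.saslJaasConfig }}`, which carries the SASL username and password, as a plaintext `value:` in the pod spec, so anyone who can read the Deployment can read the broker credentials. The management-portal chart in this same series reads `postgresql_password` through `valueFrom.secretKeyRef`; the JAAS config here and the `schemaRegistry.basicAuth` user info in the next hunk deserve the same treatment. The three near-identical `CONNECT_*`/`CONNECT_PRODUCER_*`/`CONNECT_CONSUMER_*` groups could be produced by a `range` over the three prefixes so the settings cannot drift apart. The container spec continues outside this hunk.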
@@ -59,9 +99,25 @@ spec: - name: CONNECT_VALUE_CONVERTER value: "io.confluent.connect.avro.AvroConverter" - name: CONNECT_KEY_CONVERTER_SCHEMA_REGISTRY_URL - value: "{{ .Values.schema_registry }}" + value: "{{ .Values.schemaRegistry.url }}" - name: CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_URL - value: "{{ .Values.schema_registry }}" + value: "{{ .Values.schemaRegistry.url }}" + - name: CONNECT_KEY_CONVERTER_ENHANCED_AVRO_SCHEMA_SUPPORT + value: "false" + - name: CONNECT_VALUE_CONVERTER_ENHANCED_AVRO_SCHEMA_SUPPORT + value: "false" + - name: CONNECT_KEY_CONVERTER_BASIC_AUTH_CREDENTIALS_SOURCE + value: "USER_INFO" + - name: CONNECT_KEY_CONVERTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO + value: "{{ .Values.schemaRegistry.basicAuth }}" + - name: CONNECT_VALUE_CONVERTER_BASIC_AUTH_CREDENTIALS_SOURCE + value: "USER_INFO" + - name: CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO + value: "{{ .Values.schemaRegistry.basicAuth }}" + - name: CONNECT_BASIC_AUTH_CREDENTIALS_SOURCE + value: "USER_INFO" + - name: CONNECT_BASIC_AUTH_USER_INFO + value: "{{ .Values.schemaRegistry.basicAuth }}" - name: CONNECT_INTERNAL_KEY_CONVERTER value: "org.apache.kafka.connect.json.JsonConverter" - name: CONNECT_INTERNAL_VALUE_CONVERTER @@ -70,16 +126,14 @@ spec: value: "/tmp/connect2.offset" - name: CONNECT_REST_ADVERTISED_HOST_NAME value: {{ include "radar-s3-connector.fullname" . }} - - name: CONNECT_ZOOKEEPER_CONNECT - value: "{{ .Values.zookeeper }}" + - name: CONNECT_PLUGIN_PATH + value: "/usr/share/kafka-connect/plugins" - name: CONNECTOR_PROPERTY_FILE_PREFIX - value: "sink-s3" + value: "sink-s3/sink-s3" - name: CONNECT_VALUE_CONVERTER_CONNECT_META_DATA value: "false" - name: KAFKA_HEAP_OPTS value: "-Xms256m -Xmx4g" - - name: KAFKA_BROKERS - value: "{{ .Values.kafka_num_brokers }}" - name: CONNECT_LOG4J_LOGGERS value: "org.reflections=ERROR" - name: AWS_ACCESS_KEY 
diff --git a/charts/radar-s3-connector/values.yaml b/charts/radar-s3-connector/values.yaml index 6c86b882..b883b239 100644 --- a/charts/radar-s3-connector/values.yaml +++ b/charts/radar-s3-connector/values.yaml @@ -5,8 +5,8 @@ replicaCount: 1 image: - repository: radarbase/radar-s3-connector - tag: 1.0.0 + repository: radarbase/kafka-connect-s3 + tag: "5.5.1" pullPolicy: IfNotPresent nameOverride: "" 
@@ -43,10 +43,16 @@ tolerations: [] affinity: {} -zookeeper: cp-zookeeper-headless:2181 -kafka: PLAINTEXT://cp-kafka-headless:9092 -kafka_num_brokers: "3" -schema_registry: http://cp-schema-registry:8081 +kafka: + url: PLAINTEXT://cp-kafka-headless:9092 + securityProtocol: PLAINTEXT + saslJaasConfig: "" + saslMechanism: GSSAPI + sslEndpointIdentificationAlgorithm: https + +schemaRegistry: + url: http://cp-schema-registry:8081 + basicAuth: "" topics: android_phone_usage_event_output,android_biovotion_vsm1_acceleration,android_biovotion_vsm1_battery_level,android_biovotion_vsm1_blood_volume_pulse,android_biovotion_vsm1_energy,android_biovotion_vsm1_galvanic_skin_response,android_biovotion_vsm1_heartrate,android_biovotion_vsm1_heartrate_variability,android_biovotion_vsm1_led_current,android_biovotion_vsm1_oxygen_saturation,android_biovotion_vsm1_ppg_raw,android_biovotion_vsm1_respiration_rate,android_biovotion_vsm1_temperature,android_bittium_faros_acceleration,android_bittium_faros_battery_level,android_bittium_faros_ecg,android_bittium_faros_inter_beat_interval,android_bittium_faros_temperature,android_empatica_e4_acceleration,android_empatica_e4_battery_level,android_empatica_e4_blood_volume_pulse,android_empatica_e4_electrodermal_activity,android_empatica_e4_inter_beat_interval,android_empatica_e4_sensor_status,android_empatica_e4_temperature,android_local_weather,android_pebble_2_acceleration,android_pebble_2_battery_level,android_pebble_2_heartrate,android_pebble_2_heartrate_filtered,android_phone_acceleration,android_phone_battery_level,android_phone_bluetooth_devices,android_phone_call,android_phone_contacts,android_phone_gyroscope,android_phone_light,android_phone_magnetic_field,android_phone_ppg,android_phone_relative_location,android_phone_sms,android_phone_sms_unread,android_phone_step_count,android_phone_usage_event,android_phone_user_interaction,android_processed_audio,application_device_info,application_external_time,application_record_counts,application
_server_status,application_time_zone,application_uptime,certh_banking_app_event,certh_banking_app_transaction,connect_fitbit_activity_log,connect_fitbit_intraday_calories,connect_fitbit_intraday_heart_rate,connect_fitbit_intraday_steps,connect_fitbit_sleep_classic,connect_fitbit_sleep_stages,connect_fitbit_time_zone,connect_upload_altoida_acceleration,connect_upload_altoida_action,connect_upload_altoida_attitude,connect_upload_altoida_bit_metrics,connect_upload_altoida_blink,connect_upload_altoida_diagnostics,connect_upload_altoida_domain_result,connect_upload_altoida_dot_metrics,connect_upload_altoida_eye_tracking,connect_upload_altoida_gravity,connect_upload_altoida_magnetic_field,connect_upload_altoida_metadata,connect_upload_altoida_object,connect_upload_altoida_path,connect_upload_altoida_rotation,connect_upload_altoida_summary,connect_upload_altoida_tap,connect_upload_altoida_touch,connect_upload_axivity_acceleration,connect_upload_axivity_battery_level,connect_upload_axivity_event,connect_upload_axivity_light,connect_upload_axivity_metadata,connect_upload_axivity_temperature,connect_upload_oxford_camera_data,connect_upload_oxford_camera_image,connect_upload_physilog_binary_data,notification_thinc_it,questionnaire_app_event,questionnaire_ari_self,questionnaire_art_cognitive_test,questionnaire_audio,questionnaire_baars_iv,questionnaire_bipq,questionnaire_completion_log,questionnaire_esm,questionnaire_esm28q,questionnaire_esm_epi_mod_1,questionnaire_evening_assessment,questionnaire_gad7,questionnaire_morning_assessment,questionnaire_patient_determined_disease_step,questionnaire_perceived_deficits_questionnaire,questionnaire_phq8,questionnaire_rpq,questionnaire_rses,questionnaire_tam,questionnaire_timezone,task_2MW_test,task_romberg_test,task_tandem_walking_test,thincit_code_breaker,thincit_pdq5,thincit_spotter,thincit_symbol_check,thincit_trails, s3Endpoint: http://minio:9000/ 
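Review bot: The new `kafka` and `schemaRegistry` blocks carry no comments although their values are passed straight through to `CONNECT_*` environment variables and the accepted formats are not obvious from the keys. Suggested comments: above `securityProtocol`, `# One of PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL`; above `saslJaasConfig`, `# Full JAAS string (…PlainLoginModule required username="…" password="…";) — supply from a secret, not this file`; above `basicAuth`, `# user:password used when *_BASIC_AUTH_CREDENTIALS_SOURCE is USER_INFO`. The `topics` context line ends in a trailing comma (`thincit_trails,`), which probably yields an empty topic name; not part of this change, but worth a follow-up.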
diff --git a/charts/s3proxy/.helmignore b/charts/s3proxy/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/charts/s3proxy/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/s3proxy/Chart.yaml b/charts/s3proxy/Chart.yaml new file mode 100644 index 00000000..bfd2a3f5 --- /dev/null +++ b/charts/s3proxy/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Kubernetes +name: s3-proxy +version: 0.1.0 diff --git a/charts/s3proxy/templates/NOTES.txt b/charts/s3proxy/templates/NOTES.txt new file mode 100644 index 00000000..e69de29b diff --git a/charts/s3proxy/templates/_helpers.tpl b/charts/s3proxy/templates/_helpers.tpl new file mode 100644 index 00000000..ce9bf52e --- /dev/null +++ b/charts/s3proxy/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "s3-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "s3-proxy.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "s3-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/s3proxy/templates/configmap.yaml b/charts/s3proxy/templates/configmap.yaml new file mode 100644 index 00000000..2e78d15a --- /dev/null +++ b/charts/s3proxy/templates/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "s3-proxy.fullname" . }} + labels: + app: {{ template "s3-proxy.name" . }} + chart: {{ template "s3-proxy.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} diff --git a/charts/s3proxy/templates/deployment.yaml b/charts/s3proxy/templates/deployment.yaml new file mode 100644 index 00000000..e8235544 --- /dev/null +++ b/charts/s3proxy/templates/deployment.yaml 
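Review bot: This ConfigMap has `metadata` only and no `data:` section, and nothing in the new deployment template references it (the container is configured entirely through `env:`), so it is an unused object created on every install; drop the file or give it content. It also uses the legacy `app`/`chart`/`release`/`heritage` labels while the deployment and service in the same patch use `app.kubernetes.io/*`; the chart should settle on one label scheme.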
@@ -0,0 +1,90 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "s3-proxy.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "s3-proxy.name" . }} + helm.sh/chart: {{ include "s3-proxy.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "s3-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "s3-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/name" + operator: In + values: + - {{ template "s3-proxy.name" . }} + - key: "app.kubernetes.io/instance" + operator: In + values: + - {{ .Release.Name }} + topologyKey: "kubernetes.io/hostname" + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: S3PROXY_AUTHORIZATION + value: "aws-v2-or-v4" + - name: S3PROXY_IDENTITY + value: "{{ .Values.s3AccessKey }}" + - name: S3PROXY_IDENTITY + value: "{{ .Values.s3Secret }}" + - name: JCLOUD_ENDPOINT + value: "{{ .Values.endpoint }}" + - name: JCLOUD_PROVIDER + value: "{{ .Values.provider }}" + - name: JCLOUD_IDENTITY + value: "{{ .Values.identity }}" + - name: JCLOUD_CREDENTIAL + value: "{{ .Values.credential }}" + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + exec: + command: [/usr/bin/nc, -zv, localhost, "80"] + initialDelaySeconds: 5 + periodSeconds: 60 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + exec: + command: [/usr/bin/nc, -zv, localhost, "80"] + initialDelaySeconds: 5 + 
periodSeconds: 60 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/s3proxy/templates/ingress.yaml b/charts/s3proxy/templates/ingress.yaml new file mode 100644 index 00000000..e69de29b diff --git a/charts/s3proxy/templates/service.yaml b/charts/s3proxy/templates/service.yaml new file mode 100644 index 00000000..41b66ae6 --- /dev/null +++ b/charts/s3proxy/templates/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "s3-proxy.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "s3-proxy.name" . }} + helm.sh/chart: {{ include "s3-proxy.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "s3-proxy.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/s3proxy/templates/tests/test-connection.yaml b/charts/s3proxy/templates/tests/test-connection.yaml new file mode 100644 index 00000000..613f4950 --- /dev/null +++ b/charts/s3proxy/templates/tests/test-connection.yaml 
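Review bot: `S3PROXY_IDENTITY` is declared twice in `env:`, once with `.Values.s3AccessKey` and once with `.Values.s3Secret`; the second entry should be `S3PROXY_CREDENTIAL`, otherwise the proxy is started with the secret as its identity and no credential at all (the later "Use hierarchical s3-proxy settings" hunk keeps both names). `JCLOUD_CREDENTIAL` reads `.Values.credential` while values.yaml declares `credentials`, so the backend credential is never passed; the same mismatch survives the rename as `target.credential` versus `target.credentials`, and the NOTES.txt added later documents `credentials`. The upstream s3proxy image documents its backend variables as `JCLOUDS_*` (with an s) — worth checking against the image README before relying on the `JCLOUD_*` spelling. Both probes hard-code `"80"` while `containerPort` is `{{ .Values.service.port }}`; use `"{{ .Values.service.port }}"` in the `nc` command so changing the port does not break health checks.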
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "s3-proxy.fullname" . }}-test-connection" + labels: + app.kubernetes.io/name: {{ include "s3-proxy.name" . }} + helm.sh/chart: {{ include "s3-proxy.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "s3-proxy.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/s3proxy/values.yaml b/charts/s3proxy/values.yaml new file mode 100644 index 00000000..c0b444fe --- /dev/null +++ b/charts/s3proxy/values.yaml @@ -0,0 +1,47 @@ +# Default values for s3-proxy. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: andrewgaul/s3proxy + tag: travis-1412 + pullPolicy: IfNotPresent + +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + annotations: {} + tls: [] + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +s3AccessKey: null +s3Secret: null +provider: null +endpoint: null +identity: null +credentials: null \ No newline at end of file diff --git a/helmfile.d/20-s3.yaml b/helmfile.d/20-s3.yaml index defa5134..f816227e 100644 --- a/helmfile.d/20-s3.yaml +++ b/helmfile.d/20-s3.yaml 
@@ -13,7 +13,7 @@ environments: helmDefaults: atomic: true force: true - timeout: 600 + timeout: 90 kubeContext: {{ .Values.kubeContext }} releases: @@ -45,12 +45,9 @@ releases: installed: {{ .Values.radar_s3_connector._install }} values: - {{ .Values.radar_s3_connector | toYaml | indent 8 | trim }} - set: - - name: kafka_num_brokers - value: {{ .Values.kafka_num_brokers }} - - name: s3Endpoint - value: {{ .Values.minio.s3Endpoint }} - - name: bucketAccessKey - value: {{ .Values.minio.accessKey }} - - name: bucketSecretKey - value: {{ .Values.minio.secretKey }} + + - name: s3-proxy + chart: ../charts/s3proxy + installed: {{ .Values.s3_proxy._install }} + values: + - {{ .Values.s3_proxy | toYaml | indent 8 | trim }} From 3cb2b674fae2252a8154f2ccd5617618bc5e31ed Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Thu, 16 Jul 2020 20:03:08 +0200 Subject: [PATCH 20/41] Fix connection test --- charts/s3proxy/templates/tests/test-connection.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/s3proxy/templates/tests/test-connection.yaml b/charts/s3proxy/templates/tests/test-connection.yaml index 613f4950..60cb05e2 100644 --- a/charts/s3proxy/templates/tests/test-connection.yaml +++ b/charts/s3proxy/templates/tests/test-connection.yaml @@ -11,8 +11,8 @@ metadata: "helm.sh/hook": test-success spec: containers: - - name: wget + - name: nc image: busybox - command: ['wget'] - args: ['{{ include "s3-proxy.fullname" . }}:{{ .Values.service.port }}'] + command: ['/bin/nc'] + args: ['-zv', '{{ include "s3-proxy.fullname" . }}', '{{ .Values.service.port }}'] restartPolicy: Never From d2724863ae333e3a77b2d138d8cb847564265658 Mon Sep 17 00:00:00 2001 
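Review bot: Dropping the `set:` entries means the connector no longer receives `minio.s3Endpoint`, `minio.accessKey` and `minio.secretKey` and instead relies on the new `radar_s3_connector.bucketAccessKey`/`bucketSecretKey`/`s3Endpoint` defaults in base.yaml, so the MinIO credentials now exist in two places that can drift unless an override file sets both. If the MinIO chart and the connector must share a key pair, keep deriving it from `.Values.minio.*` here (or anchor the pair once in base.yaml) rather than copying it. `timeout: 90` in the first hunk is also tight for an `atomic: true` install that has to pull the Connect image and start a JVM; a slow pull now ends in a rollback after 90 seconds, so confirm that is intended.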
From: Joris Borgdorff Date: Wed, 22 Jul 2020 16:11:53 +0200 Subject: [PATCH 21/41] Misc changes for ManagementPortal database checks - Fixed health check - Separated ManagementPortal helmfile --- .../templates/deployment.yaml | 10 +++- helmfile.d/10-base.yaml | 33 +------------ helmfile.d/10-managementportal.yaml | 46 +++++++++++++++++++ 3 files changed, 56 insertions(+), 33 deletions(-) create mode 100644 helmfile.d/10-managementportal.yaml diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index e7b897e8..6690e731 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml @@ -55,6 +55,12 @@ spec: secretKeyRef: name: {{ template "management-portal.secretName" . }} key: postgresql_password + - name: SPRING_DATASOURCE_HIKARI_CONNECTION_TIMEOUT + value: "15000" + - name: SPRING_DATASOURCE_HIKARI_VALIDATION_TIMEOUT + value: "15000" + - name: SPRING_DATASOURCE_HIKARI_LEAK_DETECTION_THRESHOLD + value: "30000" - name: MANAGEMENTPORTAL_MAIL_FROM value: {{ .Values.from_email }} - name: MANAGEMENTPORTAL_COMMON_BASEURL @@ -112,7 +118,7 @@ spec: command: - /bin/sh - -c - - wget --spider localhost:8080/managementportal/oauth/token_key + - "wget -O - localhost:8080/managementportal/management/health | grep -v '\"status\": \"DOWN\"'" initialDelaySeconds: 60 periodSeconds: 90 timeoutSeconds: 5 @@ -123,7 +129,7 @@ spec: command: - /bin/sh - -c - - wget --spider localhost:8080/managementportal/oauth/token_key + - "wget -O - localhost:8080/managementportal/management/health | grep -v '\"status\": \"DOWN\"'" initialDelaySeconds: 60 periodSeconds: 90 timeoutSeconds: 5 diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index 26c662a1..b10eea1a 100644 --- a/helmfile.d/10-base.yaml +++ b/helmfile.d/10-base.yaml 
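Review bot: The new probe command `wget -O - .../management/health | grep -v '\"status\": \"DOWN\"'` reports healthy whenever at least one output line lacks the exact pattern, so a pretty-printed response (`"status" : "DOWN"`) or a compact one (`"status":"DOWN"`) still passes, and a failed wget is masked because the pipeline's exit status is grep's. Spring Boot Actuator returns HTTP 503 when the aggregate health status is DOWN, so `wget -q --spider localhost:8080/managementportal/management/health` fails on exactly that condition without parsing JSON. The same command is used in both the liveness and readiness hunks.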
@@ -3,6 +3,8 @@ environments: values: - ../base.yaml - ../production.yaml + secrets: + - ../../secrets/production.yaml helmDefaults: atomic: true @@ -60,35 +62,4 @@ releases: - name: schema_registry value: {{ .Values.confluentCloud.cc.schemaRegistryUrl }} {{ end }} - - name: postgresql - chart: stable/postgresql - version: 5.3.3 - wait: false - installed: {{ .Values.postgresql._install }} - values: - - "../charts/postgresql/values.yaml" - - {{ .Values.postgresql | toYaml | indent 8 | trim }} - set: - - name: postgresqlPassword - value: {{ .Values.postgres_password }} - - name: replication.password - value: {{ .Values.postgres_password }} - - name: management-portal - chart: ../charts/management-portal - installed: {{ .Values.management_portal._install }} - values: - - {{ .Values.management_portal | toYaml | indent 8 | trim }} - set: - - name: ingress.hosts - values: [{{ .Values.server_name }}] - - name: server_name - value: {{ .Values.server_name }} - - name: postgres.password - value: {{ .Values.postgres_password }} - - - name: smtp - chart: ../charts/smtp - installed: {{ .Values.smtp._install }} - values: - - {{ .Values.smtp | toYaml | indent 8 | trim }} diff --git a/helmfile.d/10-managementportal.yaml b/helmfile.d/10-managementportal.yaml new file mode 100644 index 00000000..538085f2 --- /dev/null +++ b/helmfile.d/10-managementportal.yaml 
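Review bot: `secrets: - ../../secrets/production.yaml` points two levels above helmfile.d, i.e. outside the repository, and helmfile decrypts `secrets:` entries through the helm-secrets plugin, so the plugin and access to its decryption key become prerequisites that nothing in the repo documents. A comment above the entry, `# Decrypted with helm-secrets; kept outside the repository on purpose`, would make that explicit. The same block is added to 10-managementportal.yaml and 20-s3.yaml later in this series.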
@@ -0,0 +1,46 @@ +environments: + default: + values: + - ../base.yaml + - ../production.yaml + secrets: + - ../../secrets/production.yaml + +helmDefaults: + atomic: true + timeout: 180 + kubeContext: {{ .Values.kubeContext }} + +releases: + - name: postgresql + chart: stable/postgresql + version: 5.3.3 + wait: false + installed: {{ .Values.postgresql._install }} + values: + - "../charts/postgresql/values.yaml" + - {{ .Values.postgresql | toYaml | indent 8 | trim }} + set: + - name: postgresqlPassword + value: {{ .Values.postgres_password }} + - name: replication.password + value: {{ .Values.postgres_password }} + + - name: management-portal + chart: ../charts/management-portal + installed: {{ .Values.management_portal._install }} + values: + - {{ .Values.management_portal | toYaml | indent 8 | trim }} + set: + - name: ingress.hosts + values: [{{ .Values.server_name }}] + - name: server_name + value: {{ .Values.server_name }} + - name: postgres.password + value: {{ .Values.postgres_password }} + + - name: smtp + chart: ../charts/smtp + installed: {{ .Values.smtp._install }} + values: + - {{ .Values.smtp | toYaml | indent 8 | trim }} From 851da7f66066508619e92a1fd64f427ce5efa99d Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Wed, 22 Jul 2020 16:24:52 +0200 Subject: [PATCH 22/41] Use hierarchical s3-proxy settings --- base.yaml | 8 +++++--- charts/s3proxy/templates/NOTES.txt | 20 ++++++++++++++++++++ charts/s3proxy/templates/deployment.yaml | 12 ++++++------ charts/s3proxy/values.yaml | 15 +++++++++------ 4 files changed, 40 insertions(+), 15 deletions(-) diff --git a/base.yaml b/base.yaml index 0fc66782..65e86207 100644 --- a/base.yaml +++ b/base.yaml 
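Review bot: In the management-portal `set:` block, `values: [{{ .Values.server_name }}]` renders the hostname bare inside a flow sequence, whereas the `ingress.tls[0].hosts` entry in 10-base.yaml quotes it; write `values: ["{{ .Values.server_name }}"]` here too so a hostname containing YAML-significant characters cannot break the sequence. `timeout: 180` under `atomic: true` is also well below the 600 used by the other helmfiles, and the portal's probes start after `initialDelaySeconds: 60`; worth confirming the install reliably completes within it.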
@@ -347,9 +347,11 @@ radar_s3_connector: s3_proxy: _install: false replicaCount: 1 - s3AccessKey: AKIAIOSFODNN7EXAMPLE - s3Secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - provider: azureblob + s3: + identity: AKIAIOSFODNN7EXAMPLE + credential: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + target: + provider: azureblob # --------------------------------------------------------- 30-confluent-cloud.yaml --------------------------------------------------------- diff --git a/charts/s3proxy/templates/NOTES.txt b/charts/s3proxy/templates/NOTES.txt index e69de29b..97f23e61 100644 --- a/charts/s3proxy/templates/NOTES.txt +++ b/charts/s3proxy/templates/NOTES.txt @@ -0,0 +1,20 @@ +# S3Proxy + +Uses https://hub.docker.com/r/andrewgaul/s3proxy to proxy S3 API requests to any supported cloud provider. + +Find some example configurations at https://github.com/gaul/s3proxy/wiki/Storage-backend-examples. + + +For example, set + + # Credentials used to access this proxy + s3: + identity: MyUser + credential: MySecret + + # Where requests should be proxied to + target: + provider: azureblob + endpoint: http://MyCloud.com + identity: MyCloudUser + credentials: MyCloudSecret diff --git a/charts/s3proxy/templates/deployment.yaml b/charts/s3proxy/templates/deployment.yaml index e8235544..d8c9dd7e 100644 --- a/charts/s3proxy/templates/deployment.yaml +++ b/charts/s3proxy/templates/deployment.yaml 
@@ -43,17 +43,17 @@ spec: - name: S3PROXY_AUTHORIZATION value: "aws-v2-or-v4" - name: S3PROXY_IDENTITY - value: "{{ .Values.s3AccessKey }}" + value: "{{ .Values.s3.identity }}" - name: S3PROXY_IDENTITY - value: "{{ .Values.s3Secret }}" + value: "{{ .Values.s3.credential }}" - name: JCLOUD_ENDPOINT - value: "{{ .Values.endpoint }}" + value: "{{ .Values.target.endpoint }}" - name: JCLOUD_PROVIDER - value: "{{ .Values.provider }}" + value: "{{ .Values.target.provider }}" - name: JCLOUD_IDENTITY - value: "{{ .Values.identity }}" + value: "{{ .Values.target.identity }}" - name: JCLOUD_CREDENTIAL - value: "{{ .Values.credential }}" + value: "{{ .Values.target.credential }}" ports: - name: http containerPort: {{ .Values.service.port }} diff --git a/charts/s3proxy/values.yaml b/charts/s3proxy/values.yaml index c0b444fe..e5814c94 100644 --- a/charts/s3proxy/values.yaml +++ b/charts/s3proxy/values.yaml @@ -39,9 +39,12 @@ tolerations: [] affinity: {} -s3AccessKey: null -s3Secret: null -provider: null -endpoint: null -identity: null -credentials: null \ No newline at end of file +s3: + identity: null + credential: null + +target: + provider: null + endpoint: null + identity: null + credentials: null From e8236247c5ff72127f7bea5b3a3fdc01d6f9fec3 Mon Sep 17 00:00:00 2001 
From: Joris Borgdorff Date: Wed, 22 Jul 2020 16:26:02 +0200 Subject: [PATCH 23/41] Renamed s3proxy to s3-proxy for clarity --- charts/{s3proxy => s3-proxy}/.helmignore | 0 charts/{s3proxy => s3-proxy}/Chart.yaml | 0 charts/{s3proxy => s3-proxy}/templates/NOTES.txt | 0 charts/{s3proxy => s3-proxy}/templates/_helpers.tpl | 0 charts/{s3proxy => s3-proxy}/templates/configmap.yaml | 0 charts/{s3proxy => s3-proxy}/templates/deployment.yaml | 0 charts/{s3proxy => s3-proxy}/templates/ingress.yaml | 0 charts/{s3proxy => s3-proxy}/templates/service.yaml | 0 .../{s3proxy => s3-proxy}/templates/tests/test-connection.yaml | 0 charts/{s3proxy => s3-proxy}/values.yaml | 0 helmfile.d/20-s3.yaml | 2 +- 11 files changed, 1 insertion(+), 1 deletion(-) rename charts/{s3proxy => s3-proxy}/.helmignore (100%) rename charts/{s3proxy => s3-proxy}/Chart.yaml (100%) rename charts/{s3proxy => s3-proxy}/templates/NOTES.txt (100%) rename charts/{s3proxy => s3-proxy}/templates/_helpers.tpl (100%) rename charts/{s3proxy => s3-proxy}/templates/configmap.yaml (100%) rename charts/{s3proxy => s3-proxy}/templates/deployment.yaml (100%) rename charts/{s3proxy => s3-proxy}/templates/ingress.yaml (100%) rename charts/{s3proxy => s3-proxy}/templates/service.yaml (100%) rename charts/{s3proxy => s3-proxy}/templates/tests/test-connection.yaml (100%) rename charts/{s3proxy => s3-proxy}/values.yaml (100%) diff --git a/charts/s3proxy/.helmignore b/charts/s3-proxy/.helmignore similarity index 100% rename from charts/s3proxy/.helmignore rename to charts/s3-proxy/.helmignore diff --git a/charts/s3proxy/Chart.yaml b/charts/s3-proxy/Chart.yaml similarity index 100% rename from charts/s3proxy/Chart.yaml rename to charts/s3-proxy/Chart.yaml diff --git a/charts/s3proxy/templates/NOTES.txt b/charts/s3-proxy/templates/NOTES.txt similarity index 100% rename from charts/s3proxy/templates/NOTES.txt rename to charts/s3-proxy/templates/NOTES.txt 
diff --git a/charts/s3proxy/templates/_helpers.tpl b/charts/s3-proxy/templates/_helpers.tpl similarity index 100% rename from charts/s3proxy/templates/_helpers.tpl rename to charts/s3-proxy/templates/_helpers.tpl diff --git a/charts/s3proxy/templates/configmap.yaml b/charts/s3-proxy/templates/configmap.yaml similarity index 100% rename from charts/s3proxy/templates/configmap.yaml rename to charts/s3-proxy/templates/configmap.yaml diff --git a/charts/s3proxy/templates/deployment.yaml b/charts/s3-proxy/templates/deployment.yaml similarity index 100% rename from charts/s3proxy/templates/deployment.yaml rename to charts/s3-proxy/templates/deployment.yaml diff --git a/charts/s3proxy/templates/ingress.yaml b/charts/s3-proxy/templates/ingress.yaml similarity index 100% rename from charts/s3proxy/templates/ingress.yaml rename to charts/s3-proxy/templates/ingress.yaml diff --git a/charts/s3proxy/templates/service.yaml b/charts/s3-proxy/templates/service.yaml similarity index 100% rename from charts/s3proxy/templates/service.yaml rename to charts/s3-proxy/templates/service.yaml diff --git a/charts/s3proxy/templates/tests/test-connection.yaml b/charts/s3-proxy/templates/tests/test-connection.yaml similarity index 100% rename from charts/s3proxy/templates/tests/test-connection.yaml rename to charts/s3-proxy/templates/tests/test-connection.yaml diff --git a/charts/s3proxy/values.yaml b/charts/s3-proxy/values.yaml similarity index 100% rename from charts/s3proxy/values.yaml rename to charts/s3-proxy/values.yaml diff --git a/helmfile.d/20-s3.yaml b/helmfile.d/20-s3.yaml index f816227e..bfcfa9f5 100644 --- a/helmfile.d/20-s3.yaml +++ b/helmfile.d/20-s3.yaml @@ -47,7 +47,7 @@ releases: - {{ .Values.radar_s3_connector | toYaml | indent 8 | trim }} - name: s3-proxy - chart: ../charts/s3proxy + chart: ../charts/s3-proxy installed: {{ .Values.s3_proxy._install }} values: - {{ .Values.s3_proxy | toYaml | indent 8 | trim }} 
From 6eb853c992ee97f9ec040a3edabce364fc6d96d8 Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Wed, 22 Jul 2020 17:52:34 +0200 Subject: [PATCH 24/41] Use updated S3 values --- charts/radar-s3-connector/templates/configmap.yaml | 4 ++-- charts/radar-s3-connector/values.yaml | 4 ++-- helmfile.d/20-s3.yaml | 4 +++- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/charts/radar-s3-connector/templates/configmap.yaml b/charts/radar-s3-connector/templates/configmap.yaml index 0f8bb4b4..0484b6a4 100644 --- a/charts/radar-s3-connector/templates/configmap.yaml +++ b/charts/radar-s3-connector/templates/configmap.yaml @@ -22,8 +22,8 @@ data: store.url={{ .Values.s3Endpoint }} storage.class=io.confluent.connect.s3.storage.S3Storage format.class=io.confluent.connect.s3.format.avro.AvroFormat - transforms=keyToValue - transforms.keyToValue.type=org.radarbase.kafka.connect.transforms.KeyValueTransform + transforms=combineKeyValue + transforms.combineKeyValue.type=org.radarbase.kafka.connect.transforms.CombineKeyValue rotate.schedule.interval.ms = 900000 timezone=UTC avro.codec=deflate diff --git a/charts/radar-s3-connector/values.yaml b/charts/radar-s3-connector/values.yaml index b883b239..743f2c6b 100644 --- a/charts/radar-s3-connector/values.yaml +++ b/charts/radar-s3-connector/values.yaml @@ -5,7 +5,7 @@ replicaCount: 1 image: - repository: radarbase/kafka-connect-s3 + repository: radarbase/kafka-connect-transform-s3 tag: "5.5.1" pullPolicy: IfNotPresent @@ -58,4 +58,4 @@ topics: android_phone_usage_event_output,android_biovotion_vsm1_acceleration,and s3Endpoint: http://minio:9000/ bucketAccessKey: access_key bucketSecretKey: secret -bucketName: radar_intermediate_storage \ No newline at end of file +bucketName: radar_intermediate_storage diff --git a/helmfile.d/20-s3.yaml b/helmfile.d/20-s3.yaml index bfcfa9f5..31f0d8d0 100644 --- a/helmfile.d/20-s3.yaml +++ b/helmfile.d/20-s3.yaml 
@@ -8,7 +8,9 @@ environments: default: values: - ../base.yaml - - ../production.yaml + - ../../etc/production.yaml + secrets: + - ../../secrets/production.yaml helmDefaults: atomic: true From 8abe5eb8ca739190aee7e5082b9726eb653b5cce Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Thu, 23 Jul 2020 11:42:04 +0200 Subject: [PATCH 25/41] Enable radar-output --- base.yaml | 22 ++++--- .../templates/configmap-restructure.yaml | 49 +++++++++------ charts/radar-output/values.yaml | 61 ++++++++++++++----- charts/s3-proxy/README.md | 22 +++++++ charts/s3-proxy/templates/NOTES.txt | 20 ------ helmfile.d/20-hdfs.yaml | 13 ++-- helmfile.d/20-s3.yaml | 2 +- 7 files changed, 117 insertions(+), 72 deletions(-) create mode 100644 charts/s3-proxy/README.md diff --git a/base.yaml b/base.yaml index 65e86207..5ee4bf13 100644 --- a/base.yaml +++ b/base.yaml @@ -248,14 +248,20 @@ ceph: radar_output: _install: true replicaCount: 1 - num_threads: 2 - target_type: s3 - source_type: s3 - hdfs_namenodes: "[hdfs-namenode-0, hdfs-namenode-1]" - sourceBucketName: radar-intermediate-storage - targetBucketName: radar-output-storage - redisUrl: redis://redis-master:6379 - minimumFileAge: 900 + source: + s3: + endpoint: http://minio:9000/ + accessToken: AKIAIOSFODNN7EXAMPLE + secretKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + bucket: radar-intermediate-storage + target: + s3: + endpoint: http://minio:9000/ + accessToken: AKIAIOSFODNN7EXAMPLE + secretKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + bucket: radar-output-storage + redis: + url: redis://redis-master:6379 # --------------------------------------------------------- 20-ingestion.yaml --------------------------------------------------------- diff --git a/charts/radar-output/templates/configmap-restructure.yaml b/charts/radar-output/templates/configmap-restructure.yaml index a2c25bae..b9f1645e 100644 --- a/charts/radar-output/templates/configmap-restructure.yaml +++ b/charts/radar-output/templates/configmap-restructure.yaml 
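Review bot: The `radar_output` defaults added to base.yaml carry S3 `accessToken`/`secretKey` values (the AWS documentation example pair) for both `source.s3` and `target.s3`, next to a plaintext `http://minio:9000/` endpoint, while this same hunk wires `secrets: - ../../secrets/production.yaml` into the helmfile as the place for sensitive values. base.yaml is the committed, non-secret layer, so keep only `endpoint` and `bucket` here and move the credential keys into the secrets file; otherwise a deployment that forgets to override them silently runs with a committed credential and a grep of base.yaml can no longer distinguish placeholders from leaks. A comment on the block such as `# accessToken/secretKey: set in secrets/production.yaml, never here` would make the split explicit.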
@@ -16,27 +16,40 @@ data: interval: 300 source: - type: "{{ .Values.source_type }}" + type: "{{ .Values.source.type }}" # Minio S3 settings s3: - endpoint: "{{ .Values.s3Endpoint }}" - accessToken: "{{ .Values.bucketAccessKey }}" - secretKey: "{{ .Values.bucketSecretKey }}" - bucket: "{{ .Values.sourceBucketName }}" + endpoint: "{{ .Values.source.s3.endpoint }}" + accessToken: "{{ .Values.source.s3.accessToken }}" + secretKey: "{{ .Values.source.s3.secretKey }}" + bucket: "{{ .Values.source.s3.bucket }}" + azure: + endpoint: "{{ .Values.source.azure.endpoint }}" + username: "{{ .Values.source.azure.username }}" + password: "{{ .Values.source.azure.password }}" + accountName: "{{ .Values.source.azure.accountName }}" + accountKey: "{{ .Values.source.azure.accountKey }}" + sasToken: "{{ .Values.source.azure.sasToken }}" + container: "{{ .Values.source.azure.container }}" target: - type: "{{ .Values.target_type }}" - local: - userId: 0 - groupId: 0 + type: "{{ .Values.target.type }}" s3: - endpoint: "{{ .Values.s3Endpoint }}" - accessToken: "{{ .Values.bucketAccessKey }}" - secretKey: "{{ .Values.bucketSecretKey }}" - bucket: "{{ .Values.targetBucketName }}" + endpoint: "{{ .Values.target.s3.endpoint }}" + accessToken: "{{ .Values.target.s3.accessToken }}" + secretKey: "{{ .Values.target.s3.secretKey }}" + bucket: "{{ .Values.target.s3.bucket }}" + azure: + endpoint: "{{ .Values.target.azure.endpoint }}" + username: "{{ .Values.target.azure.username }}" + password: "{{ .Values.target.azure.password }}" + accountName: "{{ .Values.target.azure.accountName }}" + accountKey: "{{ .Values.target.azure.accountKey }}" + sasToken: "{{ .Values.target.azure.sasToken }}" + container: "{{ .Values.target.azure.container }}" redis: - uri: "{{ .Values.redisUrl }}" + uri: "{{ .Values.redis.url }}" lockPrefix: radar-output/lock/ # Compression characteristics 
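Review bot: `secretKey`, `accountKey`, `sasToken` and `password` for both source and target are rendered into `configmap-restructure.yaml`, i.e. a ConfigMap, so the object-storage credentials are readable by anyone with ConfigMap read access in the namespace and fall outside any etcd encryption or RBAC rule scoped to Secrets. Later charts in this series (radar-s3-connector, s3-proxy) create a `kind: Secret` and reference it with `secretKeyRef`; the same applies here: render this restructure config as a Secret (`stringData:` with the identical template body, mounted the same way a ConfigMap volume is), or keep the ConfigMap for non-sensitive keys and pass credentials via env vars. The values are already quoted, but a credential containing `"` would still break the YAML, so `secretKey: {{ .Values.source.s3.secretKey | quote }}` is safer than literal quotes around the expression.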
@@ -72,10 +85,10 @@ data: # Maximum number of offsets in cache. cacheOffsetsSize: 500000 # Number of threads to do processing with - numThreads: "{{ .Values.num_threads }}" + numThreads: "{{ .Values.worker.numThreads }}" # Maximum number of files to process in any given topic. # maxFilesPerTopic: null - minimumFileAge: {{ .Values.minimumFileAge }} + minimumFileAge: {{ .Values.worker.minimumFileAge }} cleaner: # Enable cleaning up old source files @@ -95,11 +108,11 @@ data: paths: # Input directories in HDFS inputs: - - /topics + - "{{ .Values.paths.input }}" # Root temporary directory for local file processing. temp: /output/+tmp # Output directory - output: / + output: "{{ .Values.paths.output }}" # Output path construction factory # factory: org.radarbase.output.path.MonthlyObservationKeyPathFactory # Additional properties diff --git a/charts/radar-output/values.yaml b/charts/radar-output/values.yaml index a2b631e6..90824b80 100644 --- a/charts/radar-output/values.yaml +++ b/charts/radar-output/values.yaml @@ -6,7 +6,7 @@ replicaCount: 1 image_output: repository: radarbase/radar-output-restructure - tag: 1.1.1-rc0 + tag: 1.1.2 pullPolicy: IfNotPresent imagePullSecrets: [] @@ -49,7 +49,7 @@ tolerations: [] affinity: {} persistence: - enabled: true + enabled: false ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is 
@@ -61,17 +61,46 @@ persistence: ## If you want to reuse an existing claim, you can pass the name of the PVC using ## the existingClaim variable # existingClaim: your-claim - accessMode: ReadWriteOnce - size: 30Gi - -num_threads: 2 -hdfs_namenodes: hdfs_namenodes -target_type: s3 -source_type: s3 -s3Endpoint: "http://localhost:9000" -bucketAccessKey: access_key -bucketSecretKey: secret -sourceBucketName: radar-intermediate-storage -targetBucketName: radar-output-storage -redisUrl: "redis://redis-master:6379" -minimumFileAge: 900 \ No newline at end of file + +source: + type: s3 + s3: + endpoint: "http://minio:9000" + accessToken: access_key + secretKey: secret + bucket: radar-intermediate-storage + azure: + endpoint: "" + username: "" + password: "" + accountName: "" + accountKey: "" + sasToken: "" + container: "" + +target: + type: s3 + s3: + endpoint: "http://minio:9000" + accessToken: access_key + secretKey: secret + bucket: radar-output-storage + azure: + endpoint: "" + username: "" + password: "" + accountName: "" + accountKey: "" + sasToken: "" + container: "" + +redis: + url: redis://redis-master:6379 + +worker: + minimumFileAge: 900 + numThreads: 2 + +paths: + input: output + output: "" diff --git a/charts/s3-proxy/README.md b/charts/s3-proxy/README.md new file mode 100644 index 00000000..a223001f --- /dev/null +++ b/charts/s3-proxy/README.md @@ -0,0 +1,22 @@ +# S3Proxy + +Uses https://hub.docker.com/r/andrewgaul/s3proxy to proxy S3 API requests to any supported cloud provider. + +Find some example configurations at https://github.com/gaul/s3proxy/wiki/Storage-backend-examples. + + +For example, set + +```yaml +# Credentials used to access this proxy +s3: + identity: MyUser + credential: MySecret + +# Where requests should be proxied to +target: + provider: azureblob + endpoint: http://MyCloud.com + identity: MyCloudUser + credentials: MyCloudSecret +``` \ No newline at end of file 
diff --git a/charts/s3-proxy/templates/NOTES.txt b/charts/s3-proxy/templates/NOTES.txt index 97f23e61..e69de29b 100644 --- a/charts/s3-proxy/templates/NOTES.txt +++ b/charts/s3-proxy/templates/NOTES.txt @@ -1,20 +0,0 @@ -# S3Proxy - -Uses https://hub.docker.com/r/andrewgaul/s3proxy to proxy S3 API requests to any supported cloud provider. - -Find some example configurations at https://github.com/gaul/s3proxy/wiki/Storage-backend-examples. - - -For example, set - - # Credentials used to access this proxy - s3: - identity: MyUser - credential: MySecret - - # Where requests should be proxied to - target: - provider: azureblob - endpoint: http://MyCloud.com - identity: MyCloudUser - credentials: MyCloudSecret diff --git a/helmfile.d/20-hdfs.yaml b/helmfile.d/20-hdfs.yaml index ae9f162a..1b06f1b0 100644 --- a/helmfile.d/20-hdfs.yaml +++ b/helmfile.d/20-hdfs.yaml @@ -2,12 +2,14 @@ environments: default: values: - ../base.yaml - - ../production.yaml + - ../../etc/production.yaml + secrets: + - ../../secrets/production.yaml helmDefaults: atomic: true force: true - timeout: 600 + timeout: 120 kubeContext: {{ .Values.kubeContext }} releases: @@ -32,10 +34,3 @@ releases: installed: {{ .Values.radar_output._install }} values: - {{ .Values.radar_output | toYaml | indent 8 | trim }} - set: - - name: s3Endpoint - value: {{ .Values.minio.s3Endpoint }} - - name: bucketAccessKey - value: {{ .Values.minio.accessKey }} - - name: bucketSecretKey - value: {{ .Values.minio.secretKey }} diff --git a/helmfile.d/20-s3.yaml b/helmfile.d/20-s3.yaml index 31f0d8d0..48d53891 100644 --- a/helmfile.d/20-s3.yaml +++ b/helmfile.d/20-s3.yaml @@ -15,7 +15,7 @@ environments: helmDefaults: atomic: true force: true - timeout: 90 + timeout: 240 kubeContext: {{ .Values.kubeContext }} releases: From c181d9745e24346c8e6f5bc525ebc6c1bdd24fcf Mon Sep 17 00:00:00 2001 
From: Joris Borgdorff Date: Thu, 23 Jul 2020 13:32:46 +0200 Subject: [PATCH 26/41] Disable master-slave replication in redis by default --- charts/redis/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/redis/values.yaml b/charts/redis/values.yaml index 6c27db36..025d51e8 100644 --- a/charts/redis/values.yaml +++ b/charts/redis/values.yaml @@ -1,7 +1,7 @@ usePassword: false cluster: - enabled: true + enabled: false slaveCount: 1 networkPolicy: From 7dc545637fd97c67af99f75924c0fc164294b907 Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Thu, 23 Jul 2020 17:05:57 +0200 Subject: [PATCH 27/41] Fixed catalog-server --- charts/catalog-server/templates/deployment.yaml | 2 +- charts/catalog-server/templates/pvc.yaml | 2 +- charts/catalog-server/values.yaml | 4 ++-- helmfile.d/10-base.yaml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/catalog-server/templates/deployment.yaml b/charts/catalog-server/templates/deployment.yaml index d2659e4c..267c9e8e 100644 --- a/charts/catalog-server/templates/deployment.yaml +++ b/charts/catalog-server/templates/deployment.yaml @@ -76,7 +76,7 @@ spec: containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - args: + command: - radar-schemas-tools - serve - /schema/merged diff --git a/charts/catalog-server/templates/pvc.yaml b/charts/catalog-server/templates/pvc.yaml index 78c51594..00b74aa7 100644 --- a/charts/catalog-server/templates/pvc.yaml +++ b/charts/catalog-server/templates/pvc.yaml @@ -21,4 +21,4 @@ spec: storageClassName: "{{ .Values.persistence.storageClass }}" {{- end }} {{- end }} -{{- end -}} +{{- end }} diff --git a/charts/catalog-server/values.yaml b/charts/catalog-server/values.yaml index 4a19029a..133e0fc1 100644 --- a/charts/catalog-server/values.yaml +++ b/charts/catalog-server/values.yaml 
@@ -43,7 +43,7 @@ resources: memory: 128Mi persistence: - enabled: true + enabled: false ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is @@ -74,4 +74,4 @@ cc: apiKey: ccApikey apiSecret: ccApiSecret schemaRegistryApiKey: srApiKey - schemaRegistryApiSecret: srApiSecret \ No newline at end of file + schemaRegistryApiSecret: srApiSecret diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index b10eea1a..0ba0826c 100644 --- a/helmfile.d/10-base.yaml +++ b/helmfile.d/10-base.yaml @@ -2,7 +2,7 @@ environments: default: values: - ../base.yaml - - ../production.yaml + - ../../etc/production.yaml secrets: - ../../secrets/production.yaml @@ -50,7 +50,7 @@ releases: wait: true installed: {{ .Values.catalog_server._install }} values: - - "../charts/postgresql/values.yaml" + - "../charts/catalog-server/values.yaml" - {{ .Values.catalog_server | toYaml | indent 8 | trim }} - {{ .Values.confluentCloud| toYaml | indent 8 | trim }} set: From 16dfded5b4cfed4a8c6bbd05cde2a8c4db17eb2a Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Mon, 27 Jul 2020 09:25:23 +0200 Subject: [PATCH 28/41] Change confluent_cloud variable case --- base.yaml | 2 +- helmfile.d/10-base.yaml | 8 ++++---- helmfile.d/20-ingestion.yaml | 10 +++++----- helmfile.d/30-confluent-cloud.yaml | 2 +- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/base.yaml b/base.yaml index 5ee4bf13..8848aba1 100644 --- a/base.yaml +++ b/base.yaml @@ -88,7 +88,7 @@ velero: aws_secret_access_key=secretKey # --------------------------------------------------------- 10-base.yaml --------------------------------------------------------- -confluentCloud: +confluent_cloud: enabled: false cc: bootstrapServerurl: confluentBootstrapServers diff --git a/helmfile.d/10-base.yaml b/helmfile.d/10-base.yaml index 0ba0826c..03c7e29d 100644 --- a/helmfile.d/10-base.yaml 
+++ b/helmfile.d/10-base.yaml @@ -52,14 +52,14 @@ releases: values: - "../charts/catalog-server/values.yaml" - {{ .Values.catalog_server | toYaml | indent 8 | trim }} - - {{ .Values.confluentCloud| toYaml | indent 8 | trim }} + - {{ .Values.confluent_cloud | toYaml | indent 8 | trim }} set: - name: kafka_num_brokers value: {{ .Values.kafka_num_brokers }} - name: cc.enabled - value: {{ .Values.confluentCloud.enabled }} - {{- if .Values.confluentCloud.enabled }} + value: {{ .Values.confluent_cloud.enabled }} + {{- if .Values.confluent_cloud.enabled }} - name: schema_registry - value: {{ .Values.confluentCloud.cc.schemaRegistryUrl }} + value: {{ .Values.confluent_cloud.cc.schemaRegistryUrl }} {{ end }} diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml index 1ac60b9d..8bb5fecc 100644 --- a/helmfile.d/20-ingestion.yaml +++ b/helmfile.d/20-ingestion.yaml @@ -23,17 +23,17 @@ releases: installed: {{ .Values.radar_gateway._install }} values: - {{ .Values.radar_gateway | toYaml | indent 8 | trim }} - - {{ .Values.confluentCloud| toYaml | indent 8 | trim }} + - {{ .Values.confluent_cloud | toYaml | indent 8 | trim }} set: - name: ingress.hosts values: [{{ .Values.server_name }}] - name: cc.enabled - value: {{ .Values.confluentCloud.enabled }} + value: {{ .Values.confluent_cloud.enabled }} - name: serviceMonitor.enabled value: {{ .Values.prometheus_operator._install }} - {{- if .Values.confluentCloud.enabled }} + {{- if .Values.confluent_cloud.enabled }} - name: schemaRegistry - value: {{ .Values.confluentCloud.cc.schemaRegistryUrl }} + value: {{ .Values.confluent_cloud.cc.schemaRegistryUrl }} - name: bootstrapServers - value: {{ .Values.confluentCloud.cc.bootstrapServerurl }} + value: {{ .Values.confluent_cloud.cc.bootstrapServerurl }} {{ end }} diff --git a/helmfile.d/30-confluent-cloud.yaml b/helmfile.d/30-confluent-cloud.yaml index dba7e7f2..a0539cec 100644 --- a/helmfile.d/30-confluent-cloud.yaml +++ b/helmfile.d/30-confluent-cloud.yaml 
@@ -15,7 +15,7 @@ releases: installed: {{ .Values.ccSchemaRegistryProxy._install }} values: - {{ .Values.ccSchemaRegistryProxy | toYaml | indent 8 | trim }} - - {{ .Values.confluentCloud| toYaml | indent 8 | trim }} + - {{ .Values.confluent_cloud| toYaml | indent 8 | trim }} set: - name: service.externalName value: {{ .Values.ccSchemaRegistryProxy.externalName }} From 769928c0e648289230277f6d1760405668c2ba2f Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Thu, 6 Aug 2020 12:08:09 +0200 Subject: [PATCH 29/41] Working setup --- charts/radar-gateway/templates/configmap.yaml | 2 +- charts/radar-gateway/values.yaml | 4 +- .../templates/configmap-restructure.yaml | 2 +- charts/radar-output/values.yaml | 4 +- .../templates/configmap.yaml | 12 +- .../templates/deployment.yaml | 109 ++++++++++++------ .../radar-s3-connector/templates/secrets.yaml | 18 +++ charts/radar-s3-connector/values.yaml | 5 + charts/s3-proxy/templates/deployment.yaml | 20 ++-- charts/s3-proxy/templates/secrets.yaml | 13 +++ charts/s3-proxy/values.yaml | 4 +- helmfile.d/20-ingestion.yaml | 4 +- helmfile.d/20-s3.yaml | 7 +- 13 files changed, 148 insertions(+), 56 deletions(-) create mode 100644 charts/radar-s3-connector/templates/secrets.yaml create mode 100644 charts/s3-proxy/templates/secrets.yaml diff --git a/charts/radar-gateway/templates/configmap.yaml b/charts/radar-gateway/templates/configmap.yaml index ea46a578..e4697c84 100644 --- a/charts/radar-gateway/templates/configmap.yaml +++ b/charts/radar-gateway/templates/configmap.yaml @@ -19,7 +19,6 @@ data: producer: bootstrap.servers: {{ .Values.bootstrapServers }} {{- if .Values.cc.enabled }} - bootstrap.servers: {{ .Values.bootstrapServers }} security.protocol: SASL_SSL sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="{{ .Values.cc.apiKey }}" password="{{ .Values.cc.apiSecret }}"; ssl.endpoint.identification.algorithm: https 
@@ -34,6 +33,7 @@ data: serialization: schema.registry.url: {{ .Values.schemaRegistry }} {{- if .Values.cc.enabled }} + basic.auth.credentials.source: USER_INFO schema.registry.basic.auth.user.info: {{ .Values.cc.schemaRegistryApiKey }}:{{ .Values.cc.schemaRegistryApiSecret }} {{ end }} auth: diff --git a/charts/radar-gateway/values.yaml b/charts/radar-gateway/values.yaml index 0b17c394..43fbd67b 100644 --- a/charts/radar-gateway/values.yaml +++ b/charts/radar-gateway/values.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: radarbase/radar-gateway - tag: 0.5.0 + tag: 0.5.1 pullPolicy: IfNotPresent nameOverride: "" @@ -69,4 +69,4 @@ cc: apiKey: ccApikey apiSecret: ccApiSecret schemaRegistryApiKey: srApiKey - schemaRegistryApiSecret: srApiSecret \ No newline at end of file + schemaRegistryApiSecret: srApiSecret diff --git a/charts/radar-output/templates/configmap-restructure.yaml b/charts/radar-output/templates/configmap-restructure.yaml index b9f1645e..89c312c7 100644 --- a/charts/radar-output/templates/configmap-restructure.yaml +++ b/charts/radar-output/templates/configmap-restructure.yaml @@ -72,7 +72,7 @@ data: # This may incur data loss if multiple measurements are recorded # at exactly the same time. By default, all values are considered # when looking at distinct lines. - # distinctFields: [key.sourceId, value.time] + distinctFields: [key.sourceId, value.time, value.timeReceived] # Format factory class # factory: org.radarbase.hdfs.data.FormatFactory # Additional format properties diff --git a/charts/radar-output/values.yaml b/charts/radar-output/values.yaml index 90824b80..075a0f12 100644 --- a/charts/radar-output/values.yaml +++ b/charts/radar-output/values.yaml @@ -102,5 +102,5 @@ worker: numThreads: 2 paths: - input: output - output: "" + input: topics + output: output diff --git a/charts/radar-s3-connector/templates/configmap.yaml b/charts/radar-s3-connector/templates/configmap.yaml index 0484b6a4..7b102317 100644 
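Review bot: `schema.registry.basic.auth.user.info` is rendered unquoted as `{{ key }}:{{ secret }}` into the gateway ConfigMap, so the Confluent Cloud schema-registry credential (like the `password="..."` in `sasl.jaas.config` a few lines up) lives in a ConfigMap rather than a Secret, and a secret containing ` #` or `: ` would also change the YAML structure. At minimum quote it, `schema.registry.basic.auth.user.info: "{{ .Values.cc.schemaRegistryApiKey }}:{{ .Values.cc.schemaRegistryApiSecret }}"` (or `{{ printf "%s:%s" .Values.cc.schemaRegistryApiKey .Values.cc.schemaRegistryApiSecret | quote }}`); better, move this config into a `kind: Secret` as the radar-s3-connector chart in this same commit does with `secretKeyRef`. Adding `basic.auth.credentials.source: USER_INFO` looks right, since the `user.info` setting appears to have no effect without it.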
--- a/charts/radar-s3-connector/templates/configmap.yaml +++ b/charts/radar-s3-connector/templates/configmap.yaml @@ -11,23 +11,23 @@ data: sink-s3.properties: | name=radar-s3-sink-connector connector.class=io.confluent.connect.s3.S3SinkConnector - tasks.max=4 + tasks.max={{ .Values.maxTasks }} topics={{ .Values.topics }} - flush.size=10000 + flush.size={{ .Values.flushSize | int }} s3.bucket.name={{ .Values.bucketName }} - s3.part.size=5242880 + s3.part.size={{ .Values.s3PartSize | int }} + s3.object.tagging={{ .Values.s3Tagging }} connect.meta.data=false - aws.access.key.id={{ .Values.bucketAccessKey }} - aws.secret.access.key={{ .Values.bucketSecretKey }} store.url={{ .Values.s3Endpoint }} storage.class=io.confluent.connect.s3.storage.S3Storage format.class=io.confluent.connect.s3.format.avro.AvroFormat transforms=combineKeyValue transforms.combineKeyValue.type=org.radarbase.kafka.connect.transforms.CombineKeyValue - rotate.schedule.interval.ms = 900000 + rotate.schedule.interval.ms={{ .Values.rotateInterval | int }} timezone=UTC avro.codec=deflate errors.tolerance=all + errors.log.enable=true errors.deadletterqueue.topic.name=dead_letter_queue_s3 errors.deadletterqueue.topic.replication.factor=3 errors.deadletterqueue.context.headers.enable=true diff --git a/charts/radar-s3-connector/templates/deployment.yaml b/charts/radar-s3-connector/templates/deployment.yaml index d14d306e..872900c1 100644 --- a/charts/radar-s3-connector/templates/deployment.yaml +++ b/charts/radar-s3-connector/templates/deployment.yaml 
@@ -48,38 +48,81 @@ spec: value: "20000" - name: CONNECT_RETRY_BACKOFF_MS value: "500" + - name: CONNECT_PRODUCER_BOOTSTRAP_SERVERS + value: "{{ .Values.kafka.url }}" + {{- if .Values.cc.enabled }} - name: CONNECT_SECURITY_PROTOCOL - value: "{{ .Values.kafka.securityProtocol }}" + value: "SASL_SSL" - name: CONNECT_SASL_JAAS_CONFIG - value: "{{ .Values.kafka.saslJaasConfig }}" + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: kafkaSaslJaasConfig - name: CONNECT_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM - value: "{{ .Values.kafka.sslEndpointIdentificationAlgorithm }}" + value: "https" + - name: CONNECT_SSL_ENABLED_PROTOCOLS + value: "TLSv1.2" - name: CONNECT_SASL_MECHANISM - value: "{{ .Values.kafka.saslMechanism }}" - - name: CONNECT_PRODUCER_BOOTSTRAP_SERVERS - value: "{{ .Values.kafka.url }}" + value: "PLAIN" - name: CONNECT_PRODUCER_SECURITY_PROTOCOL - value: "{{ .Values.kafka.securityProtocol }}" + value: "SASL_SSL" - name: CONNECT_PRODUCER_SASL_JAAS_CONFIG - value: "{{ .Values.kafka.saslJaasConfig }}" + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: kafkaSaslJaasConfig - name: CONNECT_PRODUCER_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM - value: "{{ .Values.kafka.sslEndpointIdentificationAlgorithm }}" + value: "https" + - name: CONNECT_PRODUCER_SSL_ENABLED_PROTOCOLS + value: "TLSv1.2" - name: CONNECT_PRODUCER_SASL_MECHANISM - value: "{{ .Values.kafka.saslMechanism }}" + value: "PLAIN" + - name: CONNECT_CONSUMER_SECURITY_PROTOCOL + value: "SASL_SSL" + - name: CONNECT_CONSUMER_SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . 
}} + key: kafkaSaslJaasConfig + - name: CONNECT_CONSUMER_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM + value: "https" + - name: CONNECT_CONSUMER_SSL_ENABLED_PROTOCOLS + value: "TLSv1.2" + - name: CONNECT_CONSUMER_SASL_MECHANISM + value: "PLAIN" + - name: CONNECT_KEY_CONVERTER_BASIC_AUTH_CREDENTIALS_SOURCE + value: "USER_INFO" + - name: CONNECT_KEY_CONVERTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: schemaRegistryCredential + - name: CONNECT_VALUE_CONVERTER_BASIC_AUTH_CREDENTIALS_SOURCE + value: "USER_INFO" + - name: CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: schemaRegistryCredential + - name: CONNECT_BASIC_AUTH_CREDENTIALS_SOURCE + value: "USER_INFO" + - name: CONNECT_BASIC_AUTH_USER_INFO + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: schemaRegistryCredential + - name: CONNECT_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: schemaRegistryCredential + {{- end }} - name: CONNECT_PRODUCER_REQUEST_TIMEOUT_MS value: "20000" - name: CONNECT_PRODUCER_RETRY_BACKOFF_MS value: "500" - name: CONNECT_CONSUMER_BOOTSTRAP_SERVERS value: "{{ .Values.kafka.url }}" - - name: CONNECT_CONSUMER_SECURITY_PROTOCOL - value: "{{ .Values.kafka.securityProtocol }}" - - name: CONNECT_CONSUMER_SASL_JAAS_CONFIG - value: "{{ .Values.kafka.saslJaasConfig }}" - - name: CONNECT_CONSUMER_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM - value: "{{ .Values.kafka.sslEndpointIdentificationAlgorithm }}" - - name: CONNECT_CONSUMER_SASL_MECHANISM - value: "{{ .Values.kafka.saslMechanism }}" - name: CONNECT_CONSUMER_REQUEST_TIMEOUT_MS value: "20000" - name: CONNECT_CONSUMER_RETRY_BACKOFF_MS 
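Review bot: Inside `{{- if .Values.cc.enabled }}` the Kafka security settings are now hardcoded to `SASL_SSL`/`PLAIN`, and the removed `.Values.kafka.securityProtocol`, `saslJaasConfig`, `sslEndpointIdentificationAlgorithm` and `saslMechanism` lines were the only way to configure TLS or SASL for a non-Confluent broker; with `cc.enabled: false` (the base.yaml default) the worker, producer and consumer no longer get any `*_SECURITY_PROTOCOL` at all and fall back to Connect's plaintext, unauthenticated default. If self-hosted Kafka is assumed to be in-cluster plaintext, say so in values.yaml (`# kafka.url is used without TLS/SASL unless cc.enabled is true`); otherwise keep the generic `CONNECT_*_SECURITY_PROTOCOL`/`CONNECT_*_SASL_*` env vars driven by `.Values.kafka.*` in an `{{- else }}` branch. Moving the JAAS string and the schema-registry credential into `secretKeyRef` is the right direction. The container spec this hunk edits starts before the hunk.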
@@ -98,6 +141,10 @@ spec: value: "io.confluent.connect.avro.AvroConverter" - name: CONNECT_VALUE_CONVERTER value: "io.confluent.connect.avro.AvroConverter" + - name: CONNECT_KEY_CONVERTER_SCHEMAS_ENABLE + value: "false" + - name: CONNECT_VALUE_CONVERTER_SCHEMAS_ENABLE + value: "false" - name: CONNECT_KEY_CONVERTER_SCHEMA_REGISTRY_URL value: "{{ .Values.schemaRegistry.url }}" - name: CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_URL @@ -106,22 +153,12 @@ spec: value: "false" - name: CONNECT_VALUE_CONVERTER_ENHANCED_AVRO_SCHEMA_SUPPORT value: "false" - - name: CONNECT_KEY_CONVERTER_BASIC_AUTH_CREDENTIALS_SOURCE - value: "USER_INFO" - - name: CONNECT_KEY_CONVERTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO - value: "{{ .Values.schemaRegistry.basicAuth }}" - - name: CONNECT_VALUE_CONVERTER_BASIC_AUTH_CREDENTIALS_SOURCE - value: "USER_INFO" - - name: CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO - value: "{{ .Values.schemaRegistry.basicAuth }}" - - name: CONNECT_BASIC_AUTH_CREDENTIALS_SOURCE - value: "USER_INFO" - - name: CONNECT_BASIC_AUTH_USER_INFO - value: "{{ .Values.schemaRegistry.basicAuth }}" - name: CONNECT_INTERNAL_KEY_CONVERTER value: "org.apache.kafka.connect.json.JsonConverter" - name: CONNECT_INTERNAL_VALUE_CONVERTER value: "org.apache.kafka.connect.json.JsonConverter" + - name: CONNECT_OFFSET_FLUSH_INTERVAL_MS + value: "10000" - name: CONNECT_OFFSET_STORAGE_FILE_FILENAME value: "/tmp/connect2.offset" - name: CONNECT_REST_ADVERTISED_HOST_NAME @@ -137,9 +174,15 @@ spec: - name: CONNECT_LOG4J_LOGGERS value: "org.reflections=ERROR" - name: AWS_ACCESS_KEY - value: "{{ .Values.bucketAccessKey }}" + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: awsAccessKey - name: AWS_SECRET_KEY - value: "{{ .Values.bucketSecretKey }}" + valueFrom: + secretKeyRef: + name: {{ template "radar-s3-connector.fullname" . }} + key: awsSecretKey ports: - name: http containerPort: 8083 
@@ -149,7 +192,7 @@ spec:
               command:
                 - /bin/sh
                 - -c
-                - curl -sf localhost:8083/connectors/radar-s3-sink-connector/status | grep -o '\"state\":\"[^\"]*\"' | tr '\\n' ',' | grep -vq FAILED || exit 1
+                - curl -sf localhost:8083/connectors/radar-s3-sink-connector/status | grep -o '\"state\":\"[^\"]*\"' | tr '\\n' ',' | grep -vq FAILED || exit 1
             initialDelaySeconds: 5
             periodSeconds: 60
             timeoutSeconds: 3
diff --git a/charts/radar-s3-connector/templates/secrets.yaml b/charts/radar-s3-connector/templates/secrets.yaml
new file mode 100644
index 00000000..b1a52c07
--- /dev/null
+++ b/charts/radar-s3-connector/templates/secrets.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.cc.enabled }}
+{{- $jaasConfig := print `org.apache.kafka.common.security.plain.PlainLoginModule required username="` .Values.cc.apiKey `" password="` .Values.cc.apiSecret `";` -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "radar-s3-connector.fullname" . }}
+  labels:
+    app: {{ template "radar-s3-connector.name" . }}
+    chart: {{ template "radar-s3-connector.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+type: Opaque
+data:
+  schemaRegistryCredential: {{ print .Values.cc.schemaRegistryApiKey ":" .Values.cc.schemaRegistryApiSecret | b64enc | quote }}
+  kafkaSaslJaasConfig: {{ $jaasConfig | b64enc | quote }}
+  awsAccessKey: {{ .Values.bucketAccessKey | b64enc | quote }}
+  awsSecretKey: {{ .Values.bucketSecretKey | b64enc | quote }}
+{{- end -}}
diff --git a/charts/radar-s3-connector/values.yaml b/charts/radar-s3-connector/values.yaml
index 743f2c6b..b44c5b4a 100644
--- a/charts/radar-s3-connector/values.yaml
+++ b/charts/radar-s3-connector/values.yaml
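Review bot: The entire Secret is wrapped in `{{- if .Values.cc.enabled }}`, but the deployment's `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` env vars reference `awsAccessKey`/`awsSecretKey` in this Secret unconditionally, and the connector properties no longer carry `aws.access.key.id`/`aws.secret.access.key`; with the default `confluent_cloud.enabled: false` the pod cannot start (missing Secret) and there are no S3 credentials anywhere. Always render the Secret with the bucket keys and guard only the Confluent Cloud entries, as below; the `$jaasConfig` assignment, which reads `.Values.cc.*`, belongs inside that guard too.
```yaml
apiVersion: v1
kind: Secret
# … unchanged: metadata and labels …
type: Opaque
data:
  awsAccessKey: {{ .Values.bucketAccessKey | b64enc | quote }}
  awsSecretKey: {{ .Values.bucketSecretKey | b64enc | quote }}
{{- if .Values.cc.enabled }}
{{- $jaasConfig := print `org.apache.kafka.common.security.plain.PlainLoginModule required username="` .Values.cc.apiKey `" password="` .Values.cc.apiSecret `";` }}
  schemaRegistryCredential: {{ print .Values.cc.schemaRegistryApiKey ":" .Values.cc.schemaRegistryApiSecret | b64enc | quote }}
  kafkaSaslJaasConfig: {{ $jaasConfig | b64enc | quote }}
{{- end }}
```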
@@ -56,6 +56,11 @@ schemaRegistry: topics: android_phone_usage_event_output,android_biovotion_vsm1_acceleration,android_biovotion_vsm1_battery_level,android_biovotion_vsm1_blood_volume_pulse,android_biovotion_vsm1_energy,android_biovotion_vsm1_galvanic_skin_response,android_biovotion_vsm1_heartrate,android_biovotion_vsm1_heartrate_variability,android_biovotion_vsm1_led_current,android_biovotion_vsm1_oxygen_saturation,android_biovotion_vsm1_ppg_raw,android_biovotion_vsm1_respiration_rate,android_biovotion_vsm1_temperature,android_bittium_faros_acceleration,android_bittium_faros_battery_level,android_bittium_faros_ecg,android_bittium_faros_inter_beat_interval,android_bittium_faros_temperature,android_empatica_e4_acceleration,android_empatica_e4_battery_level,android_empatica_e4_blood_volume_pulse,android_empatica_e4_electrodermal_activity,android_empatica_e4_inter_beat_interval,android_empatica_e4_sensor_status,android_empatica_e4_temperature,android_local_weather,android_pebble_2_acceleration,android_pebble_2_battery_level,android_pebble_2_heartrate,android_pebble_2_heartrate_filtered,android_phone_acceleration,android_phone_battery_level,android_phone_bluetooth_devices,android_phone_call,android_phone_contacts,android_phone_gyroscope,android_phone_light,android_phone_magnetic_field,android_phone_ppg,android_phone_relative_location,android_phone_sms,android_phone_sms_unread,android_phone_step_count,android_phone_usage_event,android_phone_user_interaction,android_processed_audio,application_device_info,application_external_time,application_record_counts,application_server_status,application_time_zone,application_uptime,certh_banking_app_event,certh_banking_app_transaction,connect_fitbit_activity_log,connect_fitbit_intraday_calories,connect_fitbit_intraday_heart_rate,connect_fitbit_intraday_steps,connect_fitbit_sleep_classic,connect_fitbit_sleep_stages,connect_fitbit_time_zone,connect_upload_altoida_acceleration,connect_upload_altoida_action,connect_upload_altoida_atti
tude,connect_upload_altoida_bit_metrics,connect_upload_altoida_blink,connect_upload_altoida_diagnostics,connect_upload_altoida_domain_result,connect_upload_altoida_dot_metrics,connect_upload_altoida_eye_tracking,connect_upload_altoida_gravity,connect_upload_altoida_magnetic_field,connect_upload_altoida_metadata,connect_upload_altoida_object,connect_upload_altoida_path,connect_upload_altoida_rotation,connect_upload_altoida_summary,connect_upload_altoida_tap,connect_upload_altoida_touch,connect_upload_axivity_acceleration,connect_upload_axivity_battery_level,connect_upload_axivity_event,connect_upload_axivity_light,connect_upload_axivity_metadata,connect_upload_axivity_temperature,connect_upload_oxford_camera_data,connect_upload_oxford_camera_image,connect_upload_physilog_binary_data,notification_thinc_it,questionnaire_app_event,questionnaire_ari_self,questionnaire_art_cognitive_test,questionnaire_audio,questionnaire_baars_iv,questionnaire_bipq,questionnaire_completion_log,questionnaire_esm,questionnaire_esm28q,questionnaire_esm_epi_mod_1,questionnaire_evening_assessment,questionnaire_gad7,questionnaire_morning_assessment,questionnaire_patient_determined_disease_step,questionnaire_perceived_deficits_questionnaire,questionnaire_phq8,questionnaire_rpq,questionnaire_rses,questionnaire_tam,questionnaire_timezone,task_2MW_test,task_romberg_test,task_tandem_walking_test,thincit_code_breaker,thincit_pdq5,thincit_spotter,thincit_symbol_check,thincit_trails, s3Endpoint: http://minio:9000/ +s3Tagging: false +s3PartSize: 5242880 +flushSize: 10000 +rotateInterval: 900000 +maxTasks: 4 bucketAccessKey: access_key bucketSecretKey: secret bucketName: radar_intermediate_storage diff --git a/charts/s3-proxy/templates/deployment.yaml b/charts/s3-proxy/templates/deployment.yaml index d8c9dd7e..4593fbc8 100644 --- a/charts/s3-proxy/templates/deployment.yaml +++ b/charts/s3-proxy/templates/deployment.yaml 
@@ -44,16 +44,22 @@ spec: value: "aws-v2-or-v4" - name: S3PROXY_IDENTITY value: "{{ .Values.s3.identity }}" - - name: S3PROXY_IDENTITY - value: "{{ .Values.s3.credential }}" - - name: JCLOUD_ENDPOINT + - name: S3PROXY_CREDENTIAL + valueFrom: + secretKeyRef: + name: {{ template "s3-proxy.fullname" . }} + key: s3Credential + - name: JCLOUDS_ENDPOINT value: "{{ .Values.target.endpoint }}" - - name: JCLOUD_PROVIDER + - name: JCLOUDS_PROVIDER value: "{{ .Values.target.provider }}" - - name: JCLOUD_IDENTITY + - name: JCLOUDS_IDENTITY value: "{{ .Values.target.identity }}" - - name: JCLOUD_CREDENTIAL - value: "{{ .Values.target.credential }}" + - name: JCLOUDS_CREDENTIAL + valueFrom: + secretKeyRef: + name: {{ template "s3-proxy.fullname" . }} + key: targetCredential ports: - name: http containerPort: {{ .Values.service.port }} diff --git a/charts/s3-proxy/templates/secrets.yaml b/charts/s3-proxy/templates/secrets.yaml new file mode 100644 index 00000000..8113085f --- /dev/null +++ b/charts/s3-proxy/templates/secrets.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "s3-proxy.fullname" . }} + labels: + app: {{ template "s3-proxy.name" . }} + chart: {{ template "s3-proxy.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +type: Opaque +data: + s3Credential: {{ .Values.s3.credential | b64enc | quote }} + targetCredential: {{ .Values.target.credential | b64enc | quote }} diff --git a/charts/s3-proxy/values.yaml b/charts/s3-proxy/values.yaml index e5814c94..decce988 100644 --- a/charts/s3-proxy/values.yaml +++ b/charts/s3-proxy/values.yaml @@ -6,7 +6,7 @@ replicaCount: 1 image: repository: andrewgaul/s3proxy - tag: travis-1412 + tag: travis-1430 pullPolicy: IfNotPresent nameOverride: "" @@ -47,4 +47,4 @@ target: provider: null endpoint: null identity: null - credentials: null + credential: null diff --git a/helmfile.d/20-ingestion.yaml b/helmfile.d/20-ingestion.yaml index 8bb5fecc..da8f574d 100644 
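Review bot: Moving `S3PROXY_CREDENTIAL` and `JCLOUDS_CREDENTIAL` to `secretKeyRef` is the right direction, but these are environment variables read once at container start, and the pod template (its metadata sits above this hunk) has no checksum of the Secret, so rotating `s3.credential` or `target.credential` updates the Secret while the running proxy keeps the old value until something else restarts it. Add under `spec.template.metadata.annotations`: `checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}` so a credential change rolls the Deployment. Leaving `S3PROXY_IDENTITY` and `JCLOUDS_IDENTITY` as plain `value:` is fine as long as those are access-key IDs rather than secrets, which I assume from the naming.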
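Review bot: `targetCredential: {{ .Values.target.credential | b64enc | quote }}` in the new secrets.yaml receives `null` whenever the chart default set in this same commit (`target.credential: null`) is not overridden, and in my experience `b64enc` on a nil value aborts rendering with an "invalid value; expected string" error rather than producing an empty Secret. Decide which failure you want: if the proxy must always have a target credential, `targetCredential: {{ required "target.credential is required" .Values.target.credential | b64enc | quote }}` gives a clear message; if it may legitimately be absent, insert `default ""` before `b64enc`. The same consideration applies to `s3Credential`, whose default in `.Values.s3.credential` is not visible here.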
--- a/helmfile.d/20-ingestion.yaml +++ b/helmfile.d/20-ingestion.yaml @@ -2,7 +2,9 @@ environments: default: values: - ../base.yaml - - ../production.yaml + - ../../etc/production.yaml + secrets: + - ../../secrets/production.yaml helmDefaults: atomic: true diff --git a/helmfile.d/20-s3.yaml b/helmfile.d/20-s3.yaml index 48d53891..1c44339b 100644 --- a/helmfile.d/20-s3.yaml +++ b/helmfile.d/20-s3.yaml @@ -13,7 +13,7 @@ environments: - ../../secrets/production.yaml helmDefaults: - atomic: true + atomic: false force: true timeout: 240 kubeContext: {{ .Values.kubeContext }} @@ -46,7 +46,12 @@ releases: chart: ../charts/radar-s3-connector installed: {{ .Values.radar_s3_connector._install }} values: + - "../charts/radar-s3-connector/values.yaml" - {{ .Values.radar_s3_connector | toYaml | indent 8 | trim }} + - {{ .Values.confluent_cloud | toYaml | indent 8 | trim }} + set: + - name: cc.enabled + value: {{ .Values.confluent_cloud.enabled }} - name: s3-proxy chart: ../charts/s3-proxy From e3a7f29ef523162653d6452def6012fe84c65f70 Mon Sep 17 00:00:00 2001 From: K1Hyve <53298451+K1Hyve@users.noreply.github.com> Date: Thu, 6 Aug 2020 12:00:25 +0200 Subject: [PATCH 30/41] Enable ssl-redirect --- charts/nginx-ingress/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 48e4e365..f424d0e9 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -2,7 +2,7 @@ controller: # hostNetwork: "true" # dnsPolicy: "ClusterFirstWithHostNet" config: - ssl-redirect: "false" + ssl-redirect: "true" server-tokens: "false" http-snippet: limit_req_zone $binary_remote_addr zone=login_limit:10m rate=2r/s; From 04bd2f36239c61881f9459f660147fda1202d172 Mon Sep 17 00:00:00 2001 
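Review bot: In 20-s3.yaml, `atomic: false` together with the unchanged `force: true` means a failed upgrade is no longer rolled back while `force` still replaces resources that cannot be patched in place, so a timeout now leaves the release half-applied, possibly with recreated resources. If this was done because the 240 s timeout is too short for the S3 releases, raising `timeout` while keeping `atomic: true` is the safer fix. Otherwise a comment such as `# atomic disabled: <reason>` next to the key would stop the next reader from re-enabling it blindly.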
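Review bot: `- {{ .Values.confluent_cloud | toYaml | indent 8 | trim }}` hands the entire `confluent_cloud` map to the radar-s3-connector release, not just the keys the chart reads; I cannot see that map, but if it holds Confluent Cloud API credentials they end up in the Helm release Secret and in any ConfigMap the chart renders from `.Values`, whether or not `cc.enabled` is true. Pass only the fields the connector consumes, or nest them under a key the chart's templates actually read. Also check that `indent 8` matches the list-item indentation of this `values:` block; the collapsed layout of the hunk does not let me verify it.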
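Review bot: `ssl-redirect: "true"` on the controller ConfigMap only redirects requests for hosts whose Ingress has a `tls:` section; hosts served without one, or Ingresses that set the `ssl-redirect: "false"` annotation, keep answering in plaintext, so this is not a blanket HTTP-to-HTTPS guarantee. Add a comment above the key: `# Redirect HTTP to HTTPS for Ingresses that have a tls: section; use force-ssl-redirect if TLS terminates upstream`. Consider pinning `hsts: "true"` beside it so the HSTS posture does not depend on whichever chart version's default is in effect.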
From: nivethika Date: Fri, 7 Aug 2020 17:07:47 +0200 Subject: [PATCH 31/41] add more-promasys-sync oauth config to management-portal --- base.yaml | 1 + charts/management-portal/templates/configmap.yaml | 3 ++- charts/management-portal/values.yaml | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/base.yaml b/base.yaml index 8848aba1..2de91af4 100644 --- a/base.yaml +++ b/base.yaml @@ -146,6 +146,7 @@ management_portal: radar_upload_frontend: secret radar_rest_sources_backend: secret radarFitbitConnector: secret + morePromasysSync: secret sendGrid: enabled: false host: smtp diff --git a/charts/management-portal/templates/configmap.yaml b/charts/management-portal/templates/configmap.yaml index 96031b9b..89b9c66b 100644 --- a/charts/management-portal/templates/configmap.yaml +++ b/charts/management-portal/templates/configmap.yaml 
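Review bot: `morePromasysSync: secret` in base.yaml adds a literal placeholder for an OAuth client secret that, per the configmap row in this same patch, authenticates a `client_credentials` client holding `PROJECT.CREATE` and `SUBJECT.CREATE`; any deployment that does not override it in the secrets file runs with a guessable credential and nothing warns about it. At minimum mark it `morePromasysSync: secret  # placeholder: must be overridden in secrets/production.yaml`; better, have the chart template fail with `required` while the value is still the placeholder. The surrounding `client_secrets` block starts outside this hunk.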
@@ -21,4 +21,5 @@ data: radar_upload_frontend;res_ManagementPortal,res_upload;{{ .Values.client_secrets.radar_upload_frontend }};SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,SUBJECT.READ;authorization_code;https://{{ .Values.server_name }}/upload/login,http://localhost:8080/upload/login;3600;78000;; radar_rest_sources_auth_backend;res_ManagementPortal;{{ .Values.client_secrets.radar_rest_sources_backend }};PROJECT.READ,SOURCETYPE.READ,SUBJECT.READ,SOURCE.READ;client_credentials;;;43200;86400;{}; radar_rest_sources_authorizer;res_restAuthorizer;;SOURCETYPE.READ,PROJECT.READ,SUBJECT.READ;authorization_code;https://{{ .Values.server_name }}/rest-sources/authorizer/login;;43200;86400;{}; - radar_fitbit_connector;res_restAuthorizer;{{ .Values.client_secrets.radarFitbitConnector }};SUBJECT.READ;client_credentials;;;43200;;{}; \ No newline at end of file + radar_fitbit_connector;res_restAuthorizer;{{ .Values.client_secrets.radarFitbitConnector }};SUBJECT.READ;client_credentials;;;43200;;{}; + more_promasys_sync_client;res_ManagementPortal;{{ .Values.client_secrets.morePromasysSync }};PROJECT.READ,PROJECT.CREATE,SUBJECT.READ,SUBJECT.CREATE;client_credentials;;;43200;;{}; diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml index cfd3a4e8..1d032876 100644 --- a/charts/management-portal/values.yaml +++ b/charts/management-portal/values.yaml @@ -81,6 +81,7 @@ client_secrets: radar_upload_frontend: secret radar_rest_sources_backend: secret radarFitbitConnector: secret + morePromasysSync: secret sendGrid: enabled: false From f9779bd2c287e1229a2b24fa6c6d20570d511b55 Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Tue, 25 Aug 2020 14:37:33 +0200 Subject: [PATCH 32/41] Update using relative paths --- helmfile.d/30-confluent-cloud.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/helmfile.d/30-confluent-cloud.yaml b/helmfile.d/30-confluent-cloud.yaml index a0539cec..0d196078 100644 
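Review bot: The new `more_promasys_sync_client` row writes `{{ .Values.client_secrets.morePromasysSync }}` into `oauth_client_details.csv`, which this template renders under `data:` of a ConfigMap, so one more client secret is readable by anyone with `get configmaps` in the namespace and is outside Secret-level RBAC and encryption at rest. The hunk inherits this from the existing rows, but it is the moment to stop adding to it: render the CSV into a `Secret` under `stringData` and mount that instead. Separately, confirm the sync really needs `PROJECT.CREATE` rather than only `SUBJECT.CREATE` plus the READ scopes; I cannot tell from this file.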
--- a/helmfile.d/30-confluent-cloud.yaml +++ b/helmfile.d/30-confluent-cloud.yaml @@ -2,7 +2,9 @@ environments: default: values: - ../base.yaml - - ../production.yaml + - ../../etc/production.yaml + secrets: + - ../../secrets/production.yaml helmDefaults: atomic: true @@ -20,4 +22,4 @@ releases: - name: service.externalName value: {{ .Values.ccSchemaRegistryProxy.externalName }} - name: ingress.hosts - values: [{{ .Values.server_name }}] \ No newline at end of file + values: [{{ .Values.server_name }}] From 66436fe0d7d21f5f3e86cecc99ea666d647b86cf Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Tue, 25 Aug 2020 17:16:21 +0200 Subject: [PATCH 33/41] Fix app-config deployment --- charts/app-config/templates/configmap.yaml | 2 +- charts/app-config/templates/deployment.yaml | 8 +++++++- charts/app-config/templates/ingress.yaml | 1 - helmfile.d/10-managementportal.yaml | 3 +-- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/app-config/templates/configmap.yaml b/charts/app-config/templates/configmap.yaml index 0616d5dd..caee70b0 100644 --- a/charts/app-config/templates/configmap.yaml +++ b/charts/app-config/templates/configmap.yaml @@ -16,7 +16,7 @@ data: enhancerFactory: org.radarbase.appconfig.inject.ManagementPortalEnhancerFactory authentication: - url: http://managementportal:8080/managementportal/ + url: http://management-portal:8080/managementportal clientId: {{ .Values.clientId }} clientSecret: {{ .Values.clientSecret }} resourceName: res_appconfig diff --git a/charts/app-config/templates/deployment.yaml b/charts/app-config/templates/deployment.yaml index 31edcfbe..d93fc174 100644 --- a/charts/app-config/templates/deployment.yaml +++ b/charts/app-config/templates/deployment.yaml 
@@ -29,6 +29,9 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: config + mountPath: /etc/radar-app-config/ ports: - name: http containerPort: 8090 @@ -41,7 +44,6 @@ spec: tcpSocket: port: http timeoutSeconds: 5 - name: radar-integration readinessProbe: failureThreshold: 3 initialDelaySeconds: 5 @@ -52,6 +54,10 @@ spec: timeoutSeconds: 5 resources: {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: config + configMap: + name: {{ include "app-config.fullname" . }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/app-config/templates/ingress.yaml b/charts/app-config/templates/ingress.yaml index a1f262fb..98c44ac8 100644 --- a/charts/app-config/templates/ingress.yaml +++ b/charts/app-config/templates/ingress.yaml @@ -35,6 +35,5 @@ spec: backend: serviceName: {{ $fullName }} servicePort: {{ $svcPort }} - {{- end }} {{- end }} {{- end }} diff --git a/helmfile.d/10-managementportal.yaml b/helmfile.d/10-managementportal.yaml index ebf4b1bb..741bdc32 100644 --- a/helmfile.d/10-managementportal.yaml +++ b/helmfile.d/10-managementportal.yaml @@ -2,12 +2,11 @@ environments: default: values: - ../base.yaml - - ../production.yaml + - ../../etc/production.yaml secrets: - ../../secrets/production.yaml helmDefaults: - atomic: true timeout: 180 kubeContext: {{ .Values.kubeContext }} From 3a88e1123cc2adb2d43c13163c8667f5c1fd903a Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Thu, 27 Aug 2020 09:59:59 +0200 Subject: [PATCH 34/41] Fix app-config setup --- charts/app-config/templates/configmap.yaml | 8 +++++--- charts/app-config/values.yaml | 8 +++++--- charts/management-portal/templates/configmap.yaml | 10 +++++----- helmfile.d/10-managementportal.yaml | 2 -- 4 files changed, 15 insertions(+), 13 deletions(-) 
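Review bot: The `config` volume mounts the app-config ConfigMap at `/etc/radar-app-config/`, and that ConfigMap (per `templates/configmap.yaml` in this same patch) carries `clientSecret: {{ .Values.clientSecret }}` and the JDBC password, so the application's credentials are delivered from a ConfigMap rather than a Secret. Move those values to a Secret, mounted alongside or projected into the same directory; in the meantime narrow the file mode and mount read-only, i.e. `defaultMode: 0440` under `configMap:` and `readOnly: true` on the volumeMount. The container spec that owns these mounts starts above this hunk.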
diff --git a/charts/app-config/templates/configmap.yaml b/charts/app-config/templates/configmap.yaml index caee70b0..7a47f816 100644 --- a/charts/app-config/templates/configmap.yaml +++ b/charts/app-config/templates/configmap.yaml @@ -23,6 +23,8 @@ data: jdbc: driver: "org.postgresql.Driver" - url: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/appconfig" - user: {{ .Values.postgres.user }} - password: {{ .Values.postgres.password }} + url: "{{ .Values.jdbc.url }}" + user: {{ .Values.jdbc.user }} + password: {{ .Values.jdbc.password }} + properties: + hibernate.dialect: {{ .Values.jdbc.dialect }} diff --git a/charts/app-config/values.yaml b/charts/app-config/values.yaml index 89cd6b5e..7ec8d5b1 100644 --- a/charts/app-config/values.yaml +++ b/charts/app-config/values.yaml @@ -53,7 +53,7 @@ resources: # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: cpu: 100m - memory: 128Mi + memory: 256Mi requests: cpu: 100m memory: 128Mi @@ -67,7 +67,9 @@ affinity: {} clientId: radar_appconfig clientSecret: secret -postgres: - host: postgresql-postgresql +jdbc: + driver: org.postgresql.Driver + url: jdbc:postgresql://postgresql-postgresql/appconfig user: postgres password: password + dialect: org.hibernate.dialect.PostgreSQLDialect diff --git a/charts/management-portal/templates/configmap.yaml b/charts/management-portal/templates/configmap.yaml index 92ccb19e..ac45eb09 100644 --- a/charts/management-portal/templates/configmap.yaml +++ b/charts/management-portal/templates/configmap.yaml 
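Review bot: `user: {{ .Values.jdbc.user }}` and `password: {{ .Values.jdbc.password }}` are interpolated unquoted into the YAML inside the ConfigMap while `url` is quoted; a password containing `: `, ` #`, a leading `*`, `&` or `{`, or one that looks numeric or boolean will break or silently retype the rendered config. Use `password: {{ .Values.jdbc.password | quote }}` and the same for `user`, which also turns an accidentally empty value into an explicit `""` instead of `null`. The chart default `password: password` in the values.yaml hunk below is another placeholder that should be `required` at render time rather than deployable as-is.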
@@ -10,9 +10,9 @@ metadata: data: oauth_client_details.csv: | client_id;resource_ids;client_secret;scope;authorized_grant_types;redirect_uri;authorities;access_token_validity;refresh_token_validity;additional_information;autoapprove - pRMT;res_ManagementPortal,res_gateway;{{ .Values.client_secrets.prmt }};MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ;refresh_token,authorization_code;;;43200;7948800;{"dynamic_registration": true}; - aRMT;res_ManagementPortal,res_gateway;{{ .Values.client_secrets.armt }};MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ;refresh_token,authorization_code;;;43200;7948800;{"dynamic_registration": true}; - THINC-IT;res_ManagementPortal,res_gateway;;MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ;refresh_token,authorization_code;;;43200;7948800;{"dynamic_registration": true}; + pRMT;res_ManagementPortal,res_gateway,res_appconfig;{{ .Values.client_secrets.prmt }};MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ;refresh_token,authorization_code;;;43200;7948800;{"dynamic_registration": true}; + aRMT;res_ManagementPortal,res_gateway,res_appconfig;{{ .Values.client_secrets.armt }};MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ;refresh_token,authorization_code;;;43200;7948800;{"dynamic_registration": true}; + THINC-IT;res_ManagementPortal,res_gateway,res_appconfig;;MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ;refresh_token,authorization_code;;;43200;7948800;{"dynamic_registration": true}; 
radar_restapi;res_ManagementPortal;secret;SUBJECT.READ,PROJECT.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ;client_credentials;;;43200;259200;{}; radar_redcap_integrator;res_ManagementPortal;{{ .Values.client_secrets.radar_redcap_integrator }};PROJECT.READ,SUBJECT.CREATE,SUBJECT.READ,SUBJECT.UPDATE;client_credentials;;;43200;259200;{}; radar_dashboard;res_ManagementPortal,res_RestApi;;SUBJECT.READ,PROJECT.READ,SOURCE.READ,SOURCETYPE.READ,MEASUREMENT.READ;refresh_token,authorization_code;;;43200;259200;{}; @@ -23,5 +23,5 @@ data: radar_rest_sources_authorizer;res_restAuthorizer;;SOURCETYPE.READ,PROJECT.READ,SUBJECT.READ;authorization_code;https://{{ .Values.server_name }}/rest-sources/authorizer/login;;43200;86400;{}; radar_fitbit_connector;res_restAuthorizer;{{ .Values.client_secrets.radarFitbitConnector }};SUBJECT.READ;client_credentials;;;43200;;{}; more_promasys_sync_client;res_ManagementPortal;{{ .Values.client_secrets.morePromasysSync }};PROJECT.READ,PROJECT.CREATE,SUBJECT.READ,SUBJECT.CREATE;client_credentials;;;43200;;{}; - radar_appconfig;res_ManagementPortal;test;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,SUBJECT.READ,OAUTHCLIENTS.READ;{{ .Values.client_secrets.radarAppconfig }};;3600;78000;; - radar_appconfig_frontend;res_appconfig;;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,PROJECT.CREATE,PROJECT.UPDATE,SUBJECT.READ,SUBJECT.UPDATE,OAUTHCLIENTS.READ;authorization_code,refresh_token;https://{{ .Values.server_name }}/appconfig/login;3600;78000;; + radar_appconfig;res_ManagementPortal,res_appconfig;{{ .Values.client_secrets.radarAppconfig }};SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,SUBJECT.READ,OAUTHCLIENTS.READ;client_credentials;;;900;;; + radar_appconfig_frontend;res_appconfig;;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,PROJECT.CREATE,PROJECT.UPDATE,SUBJECT.READ,SUBJECT.UPDATE,OAUTHCLIENTS.READ;authorization_code,refresh_token;https://{{ .Values.server_name }}/appconfig/login;1800;78000;; 
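Review bot: Adding `res_appconfig` to the `THINC-IT` row extends a client whose `client_secret` column is empty and which carries `{"dynamic_registration": true}`, so tokens obtained through that public client are now also accepted by the appconfig resource server; pRMT and aRMT at least hold a secret. If THINC-IT does not need app-config, leave its resource_ids as they were; if it does, record the decision above the row, e.g. `# THINC-IT has no client secret; res_appconfig added intentionally for <reason>`. Scopes are unchanged, so this widens the token audience rather than the permissions.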
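Review bot: The corrected `radar_appconfig` row is a `client_credentials` client with `MEASUREMENT.CREATE`, `OAUTHCLIENTS.READ` and the READ scopes, and the value it authenticates with, `{{ .Values.client_secrets.radarAppconfig }}`, is given a literal `secret` default later in this series (PATCH 36), so a default-configured install exposes a guessable service credential. Guard it in the template: `{{ required "client_secrets.radarAppconfig must be set" .Values.client_secrets.radarAppconfig }}`. For `radar_appconfig_frontend`, which has no secret and uses `authorization_code`, confirm that ManagementPortal enforces PKCE or otherwise binds the code to the browser client; nothing in this file shows that.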
diff --git a/helmfile.d/10-managementportal.yaml b/helmfile.d/10-managementportal.yaml index 741bdc32..7e9e35fd 100644 --- a/helmfile.d/10-managementportal.yaml +++ b/helmfile.d/10-managementportal.yaml @@ -52,5 +52,3 @@ releases: set: - name: ingress.hosts values: [{{ .Values.server_name }}] - - name: postgres.password - value: {{ .Values.postgres_password }} From 565c271a50afdbfcf3e1534f54fa073666d4055e Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Thu, 27 Aug 2020 11:49:26 +0200 Subject: [PATCH 35/41] Fixed appconfig resource limits --- charts/app-config/templates/deployment.yaml | 7 +++++-- charts/app-config/values.yaml | 6 +++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/charts/app-config/templates/deployment.yaml b/charts/app-config/templates/deployment.yaml index d93fc174..7dfbd1b4 100644 --- a/charts/app-config/templates/deployment.yaml +++ b/charts/app-config/templates/deployment.yaml @@ -29,6 +29,9 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: JAVA_OPTS + value: "{{ .Values.javaOpts }}" volumeMounts: - name: config mountPath: /etc/radar-app-config/ @@ -38,7 +41,7 @@ spec: protocol: TCP livenessProbe: failureThreshold: 3 - initialDelaySeconds: 5 + initialDelaySeconds: 20 periodSeconds: 60 successThreshold: 1 tcpSocket: @@ -46,7 +49,7 @@ spec: timeoutSeconds: 5 readinessProbe: failureThreshold: 3 - initialDelaySeconds: 5 + initialDelaySeconds: 20 periodSeconds: 60 successThreshold: 1 tcpSocket: diff --git a/charts/app-config/values.yaml b/charts/app-config/values.yaml index 7ec8d5b1..65c47e5b 100644 --- a/charts/app-config/values.yaml +++ b/charts/app-config/values.yaml 
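Review bot: Dropping the `postgres.password` `set:` means the management-portal chart now gets `postgres.password` only from the values files already listed for the release (not visible here); if none of them supplies it under the release's values, the chart's own default is used silently, and presumably the chart's deployment still feeds that value to the datasource password. Please confirm `secrets/production.yaml` carries it, or make the chart template fail with `required` so a missing password cannot degrade to the default. The enclosing `releases:` entry begins outside this hunk.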
@@ -52,11 +52,10 @@ resources: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: - cpu: 100m - memory: 256Mi + cpu: 2 requests: cpu: 100m - memory: 128Mi + memory: 768Mi nodeSelector: {} @@ -64,6 +63,7 @@ tolerations: [] affinity: {} +javaOpts: "-Xmx550m" clientId: radar_appconfig clientSecret: secret From c4575e1bfa0c9106efedca0d9445798b7ba45115 Mon Sep 17 00:00:00 2001 From: Joris Borgdorff Date: Thu, 27 Aug 2020 11:58:04 +0200 Subject: [PATCH 36/41] Set default secret for radarAppConfig --- charts/management-portal/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml index 1d032876..93e34578 100644 --- a/charts/management-portal/values.yaml +++ b/charts/management-portal/values.yaml @@ -82,6 +82,7 @@ client_secrets: radar_rest_sources_backend: secret radarFitbitConnector: secret morePromasysSync: secret + radarAppconfig: secret sendGrid: enabled: false @@ -89,4 +90,4 @@ sendGrid: port: 25 username: username password: secret - from: no-reply-more@chdr.nl \ No newline at end of file + from: no-reply-more@chdr.nl From 61515850c3e860b0d3dca2dae2afd1e3f10000a9 Mon Sep 17 00:00:00 2001 From: Keyvan Date: Thu, 27 Aug 2020 15:55:40 +0200 Subject: [PATCH 37/41] Minor fixes and improvments Signed-off-by: Keyvan --- charts/cert-manager/requirements.lock | 4 +- charts/cert-manager/templates/00-crd.yaml | 5545 ----------------- .../templates/deployment.yaml | 2 +- .../management-portal/templates/ingress.yaml | 2 +- charts/prometheus-operator/values.yaml | 41 +- helmfile.d/00-init.yaml | 5 +- 6 files changed, 26 insertions(+), 5573 deletions(-) delete mode 100644 charts/cert-manager/templates/00-crd.yaml diff --git a/charts/cert-manager/requirements.lock b/charts/cert-manager/requirements.lock index 866f3d14..7a0de8bd 100644 
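Review bot: `limits:` now lists only `cpu: 2`; with the memory limit removed the container can grow past its 768Mi request, and `-Xmx550m` (set in this same patch) bounds only the Java heap, not metaspace, thread stacks or direct buffers, so a leak is stopped by node memory pressure and eviction instead of a container OOM. Keep a limit above the request, e.g. `limits:` / `cpu: 2` / `memory: 1Gi`, sized from observed RSS. Note too that without `limits.memory` the pod is Burstable rather than Guaranteed, which changes its place in the eviction order.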
--- a/charts/cert-manager/requirements.lock +++ b/charts/cert-manager/requirements.lock @@ -2,5 +2,5 @@ dependencies: - name: cert-manager repository: https://charts.jetstack.io version: v0.13.0 -digest: sha256:c7b4858b27dbfb9ac616c51a173f78bb13794d0c438fa1c62469caa814c842f2 -generated: "2020-02-07T15:22:17.359866455+01:00" +digest: sha256:286bd0a59060907dfadcadc5b8d6445635086132184b43f93a0eb9333fc1fc8b +generated: "2020-07-09T16:52:09.217042516+02:00" diff --git a/charts/cert-manager/templates/00-crd.yaml b/charts/cert-manager/templates/00-crd.yaml deleted file mode 100644 index ecb930d9..00000000 --- a/charts/cert-manager/templates/00-crd.yaml +++ /dev/null 
@@ -1,5545 +0,0 @@ -# https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: certificaterequests.cert-manager.io -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - JSONPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: cert-manager.io - preserveUnknownFields: false - names: - kind: CertificateRequest - listKind: CertificateRequestList - plural: certificaterequests - shortNames: - - cr - - crs - singular: certificaterequest - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: CertificateRequest is a type to represent a Certificate Signing - Request - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CertificateRequestSpec defines the desired state of CertificateRequest - type: object - required: - - csr - - issuerRef - properties: - csr: - description: Byte slice containing the PEM encoded CertificateSigningRequest - type: string - format: byte - duration: - description: Requested certificate default Duration - type: string - isCA: - description: IsCA will mark the resulting certificate as valid for signing. - This implies that the 'cert sign' usage is set - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. The group field refers to the API group - of the issuer which defaults to 'cert-manager.io' if empty. - type: object - required: - - name - properties: - group: - type: string - kind: - type: string - name: - type: string - usages: - description: Usages is the set of x509 actions that are enabled for - a given key. Defaults are ('digital signature', 'key encipherment') - if empty - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. 
See: - https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: CertificateStatus defines the observed state of CertificateRequest - and resulting signed certificate. - type: object - properties: - ca: - description: Byte slice containing the PEM encoded certificate authority - of the signed certificate. - type: string - format: byte - certificate: - description: Byte slice containing a PEM encoded signed certificate - resulting from the given certificate signing request. - type: string - format: byte - conditions: - type: array - items: - description: CertificateRequestCondition contains condition information - for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. 
- type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, currently ('Ready', 'InvalidRequest'). - type: string - failureTime: - description: FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - version: v1alpha2 - versions: - - name: v1alpha2 - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: certificates.cert-manager.io -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .spec.secretName - name: Secret - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - JSONPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: cert-manager.io - preserveUnknownFields: false - names: - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - - certs - singular: certificate - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Certificate is a type to represent a Certificate from ACME - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CertificateSpec defines the desired state of Certificate. A - valid Certificate requires at least one of a CommonName, DNSName, or URISAN - to be valid. - type: object - required: - - issuerRef - - secretName - properties: - commonName: - description: CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to avoid - generating invalid CSRs. - type: string - dnsNames: - description: DNSNames is a list of subject alt names to be used on the - Certificate. - type: array - items: - type: string - duration: - description: Certificate default Duration - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses to be used on the - Certificate - type: array - items: - type: string - isCA: - description: IsCA will mark this Certificate as valid for signing. This - implies that the 'cert sign' usage is set - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. 
- type: object - required: - - name - properties: - group: - type: string - kind: - type: string - name: - type: string - keyAlgorithm: - description: KeyAlgorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values are - either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is - not provided, key size of 256 will be used for "ecdsa" key algorithm - and key size of 2048 will be used for "rsa" key algorithm. - type: string - enum: - - rsa - - ecdsa - keyEncoding: - description: KeyEncoding is the private key cryptography standards (PKCS) - for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, - respectively. If KeyEncoding is not specified, then PKCS#1 will be - used by default. - type: string - enum: - - pkcs1 - - pkcs8 - keySize: - description: KeySize is the key bit size of the corresponding private - key for this certificate. If provided, value must be between 2048 - and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", - and value must be one of (256, 384, 521) when KeyAlgorithm is set - to "ecdsa". - type: integer - organization: - description: Organization is the organization to be used on the Certificate - type: array - items: - type: string - renewBefore: - description: Certificate renew before expiration duration - type: string - secretName: - description: SecretName is the name of the secret resource to store - this secret in - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. - type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. 
- type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uriSANs: - description: URISANs is a list of URI Subject Alternative Names to be - set on this Certificate. - type: array - items: - type: string - usages: - description: Usages is the set of x509 actions that are enabled for - a given key. Defaults are ('digital signature', 'key encipherment') - if empty - type: array - items: - description: 'KeyUsage specifies valid usage contexts for keys. See: - https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: CertificateStatus defines the observed state of Certificate - type: object - properties: - conditions: - type: array - items: - description: 
CertificateCondition contains condition information for - an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, currently ('Ready'). - type: string - lastFailureTime: - type: string - format: date-time - notAfter: - description: The expiration time of the certificate stored in the secret - named by this resource in spec.secretName. - type: string - format: date-time - version: v1alpha2 - versions: - - name: v1alpha2 - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: challenges.acme.cert-manager.io -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.dnsName - name: Domain - type: string - - JSONPath: .status.reason - name: Reason - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. 
- name: Age - type: date - group: acme.cert-manager.io - preserveUnknownFields: false - names: - kind: Challenge - listKind: ChallengeList - plural: challenges - singular: challenge - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME - server - type: object - required: - - metadata - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authzURL - - dnsName - - issuerRef - - key - - token - - type - - url - properties: - authzURL: - description: AuthzURL is the URL to the ACME Authorization resource - that this challenge is a part of. - type: string - dnsName: - description: DNSName is the identifier that this challenge is for, e.g. - example.com. - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer - which should be used to create this Challenge. If the Issuer does - not exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Challenge will be marked - as failed. 
- type: object - required: - - name - properties: - group: - type: string - kind: - type: string - name: - type: string - key: - description: Key is the ACME challenge key for this challenge - type: string - solver: - description: Solver contains the domain solving configuration that should - be used to solve this challenge resource. - type: object - properties: - dns01: - type: object - properties: - acmedns: - description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing - the configuration for ACME-DNS servers - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - host: - type: string - akamai: - description: ACMEIssuerDNS01ProviderAkamai is a structure containing - the DNS configuration for Akamai DNS—Zone Record Management - API - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - clientTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: ACMEIssuerDNS01ProviderAzureDNS is a structure - containing the configuration for Azure DNS - type: object - required: - - clientID - - clientSecretSecretRef - - resourceGroupName - - subscriptionID - - tenantID - properties: - clientID: - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - type: string - clouddns: - description: ACMEIssuerDNS01ProviderCloudDNS is a structure - containing the DNS configuration for Google Cloud DNS - type: object - required: - - project - properties: - project: - type: string - serviceAccountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - cloudflare: - description: ACMEIssuerDNS01ProviderCloudflare is a structure - containing the DNS configuration for Cloudflare - type: object - required: - - email - properties: - apiKeySecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - apiTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - email: - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: ACMEIssuerDNS01ProviderDigitalOcean is a structure - containing the DNS configuration for DigitalOcean Domains - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - rfc2136: - description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing - the configuration for RFC2136 DNS - type: object - required: - - nameserver - properties: - nameserver: - description: 'The IP address of the DNS supporting RFC2136. - Required. Note: FQDN is not a valid value, only IP.' - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting - RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` - are defined. Supported values are (case-insensitive): - ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or - ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If - ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - route53: - description: ACMEIssuerDNS01ProviderRoute53 is a structure containing - the Route 53 configuration for AWS - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this - zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName - api call. 
- type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - webhook: - description: ACMEIssuerDNS01ProviderWebhook specifies configuration - for a webhook DNS01 provider, including where to POST ChallengePayload - resources. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values should - not be specified in this stanza. If secret values are - needed (e.g. credentials for a DNS service), you should - use a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult the webhook - provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. 
- This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in - the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: ACMEChallengeSolverHTTP01 contains configuration detailing - how to solve HTTP01 challenges within a Kubernetes cluster. Typically - this is accomplished through creating 'routes' of some description - that configure ingress controllers to direct traffic to 'solver - pods', which are responsible for responding to the ACME server's - HTTP requests. - type: object - properties: - ingress: - description: The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - name: - description: The name of the ingress resource that should - have ACME challenge solving routes inserted into it in - order to solve HTTP01 challenges. This is typically used - in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to - solve HTTP01 challenges. Only the 'labels' and 'annotations' - fields may be set. 
If labels or annotations overlap - with in-built values, the values here will override - the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to - the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'nodeSelector', 'affinity' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling - constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to - schedule pods to nodes that satisfy the - affinity expressions specified by this - field, but it may choose a node that violates - one or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" to the - sum if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches no - objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, - associated with the corresponding - weight. 
- type: object - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, a key, - and an operator that relates - the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key - that the selector applies - to. - type: string - operator: - description: Represents - a key's relationship to - a set of values. Valid - operators are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of - string values. If the - operator is In or NotIn, - the values array must - be non-empty. If the operator - is Exists or DoesNotExist, - the values array must - be empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will be - interpreted as an integer. - This array is replaced - during a strategic merge - patch. - type: array - items: - type: string - matchFields: - description: A list of node selector - requirements by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, a key, - and an operator that relates - the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key - that the selector applies - to. - type: string - operator: - description: Represents - a key's relationship to - a set of values. Valid - operators are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of - string values. If the - operator is In or NotIn, - the values array must - be non-empty. If the operator - is Exists or DoesNotExist, - the values array must - be empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will be - interpreted as an integer. - This array is replaced - during a strategic merge - patch. 
- type: array - items: - type: string - weight: - description: Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met at - scheduling time, the pod will not be scheduled - onto the node. If the affinity requirements - specified by this field cease to be met - at some point during pod execution (e.g. - due to an update), the system may or may - not try to eventually evict the pod from - its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node - selector terms. The terms are ORed. - type: array - items: - description: A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, a key, - and an operator that relates - the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key - that the selector applies - to. - type: string - operator: - description: Represents - a key's relationship to - a set of values. Valid - operators are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of - string values. If the - operator is In or NotIn, - the values array must - be non-empty. If the operator - is Exists or DoesNotExist, - the values array must - be empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will be - interpreted as an integer. - This array is replaced - during a strategic merge - patch. 
- type: array - items: - type: string - matchFields: - description: A list of node selector - requirements by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, a key, - and an operator that relates - the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key - that the selector applies - to. - type: string - operator: - description: Represents - a key's relationship to - a set of values. Valid - operators are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array of - string values. If the - operator is In or NotIn, - the values array must - be non-empty. If the operator - is Exists or DoesNotExist, - the values array must - be empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will be - interpreted as an integer. - This array is replaced - during a strategic merge - patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to - schedule pods to nodes that satisfy the - affinity expressions specified by this - field, but it may choose a node that violates - one or more of the expressions. The node - that is most preferred is the one with - the greatest sum of weights, i.e. for - each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" to the - sum if the node has pods which matches - the corresponding podAffinityTerm; the - node(s) with the highest sum are the most - preferred. 
- type: array - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key and - values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to a - set of values. Valid - operators are In, - NotIn, Exists and - DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, the - values array must - be non-empty. If the - operator is Exists - or DoesNotExist, the - values array must - be empty. This array - is replaced during - a strategic merge - patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in - the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. 
- type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be - co-located (affinity) or not - co-located (anti-affinity) with - the pods matching the labelSelector - in the specified namespaces, - where co-located is defined - as running on a node whose value - of the label with key topologyKey - matches that of any node on - which any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met at - scheduling time, the pod will not be scheduled - onto the node. If the affinity requirements - specified by this field cease to be met - at some point during pod execution (e.g. - due to a pod label update), the system - may or may not try to eventually evict - the pod from its node. When there are - multiple elements, the lists of nodes - corresponding to each podAffinityTerm - are intersected, i.e. all terms must be - satisfied. - type: array - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) with, - where co-located is defined as running - on a node whose value of the label with - key matches that of any - node on which a pod of the set of pods - is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a - set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, a key, - and an operator that relates - the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator represents - a key's relationship to - a set of values. Valid - operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an - array of string values. - If the operator is In - or NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the values - array must be empty. This - array is replaced during - a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a - map of {key,value} pairs. A - single {key,value} in the matchLabels - map is equivalent to an element - of matchExpressions, whose key - field is "key", the operator - is "In", and the values array - contains only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. 
- type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to - schedule pods to nodes that satisfy the - anti-affinity expressions specified by - this field, but it may choose a node that - violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of the - scheduling requirements (resource request, - requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and - adding "weight" to the sum if the node - has pods which matches the corresponding - podAffinityTerm; the node(s) with the - highest sum are the most preferred. - type: array - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key and - values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. 
- type: string - operator: - description: operator - represents a key's - relationship to a - set of values. Valid - operators are In, - NotIn, Exists and - DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, the - values array must - be non-empty. If the - operator is Exists - or DoesNotExist, the - values array must - be empty. This array - is replaced during - a strategic merge - patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in - the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be - co-located (affinity) or not - co-located (anti-affinity) with - the pods matching the labelSelector - in the specified namespaces, - where co-located is defined - as running on a node whose value - of the label with key topologyKey - matches that of any node on - which any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements - specified by this field are not met at - scheduling time, the pod will not be scheduled - onto the node. If the anti-affinity requirements - specified by this field cease to be met - at some point during pod execution (e.g. 
- due to a pod label update), the system - may or may not try to eventually evict - the pod from its node. When there are - multiple elements, the lists of nodes - corresponding to each podAffinityTerm - are intersected, i.e. all terms must be - satisfied. - type: array - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) with, - where co-located is defined as running - on a node whose value of the label with - key matches that of any - node on which a pod of the set of pods - is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a - set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, a key, - and an operator that relates - the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator represents - a key's relationship to - a set of values. Valid - operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an - array of string values. - If the operator is In - or NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the values - array must be empty. This - array is replaced during - a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a - map of {key,value} pairs. 
A - single {key,value} in the matchLabels - map is equivalent to an element - of matchExpressions, whose key - field is "key", the operator - is "In", and the values array - contains only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" - type: array - items: - type: string - topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which must - be true for the pod to fit on a node. Selector - which must match a node''s labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - type: object - properties: - effect: - description: Effect indicates the taint effect - to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, - PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means to - match all values and all keys. 
- type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists - and Equal. Defaults to Equal. Exists is - equivalent to wildcard for value, so that - a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise this - field is ignored) tolerates the taint. By - default, it is not set, which means tolerate - the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict - immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the - toleration matches to. If the operator is - Exists, the value should be empty, otherwise - just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver - service - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames selector - will take precedence over a dnsZones selector. If multiple - solvers match with the same dnsNames value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in - the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used - to solve. The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. 
If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier in - the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: Token is the ACME challenge token for this challenge. - type: string - type: - description: Type is the type of ACME challenge this resource represents, - e.g. "dns01" or "http01" - type: string - url: - description: URL is the URL of the ACME Challenge resource for this - challenge. This can be used to lookup details about the status of - this challenge. - type: string - wildcard: - description: Wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com' - type: boolean - status: - type: object - properties: - presented: - description: Presented will be set to true if the challenge values for - this challenge are currently 'presented'. This *does not* imply the - self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Processing is used to denote whether this challenge should - be processed or not. This field will only be set to true by the 'scheduling' - component. It will only be set to false by the 'challenges' controller, - after the challenge has reached a final state or timed out. If this - field is set to false, the challenge controller will not take any - more action. - type: boolean - reason: - description: Reason contains human readable information on why the Challenge - is in the current state. 
- type: string - state: - description: State contains the current 'state' of the challenge. If - not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - version: v1alpha2 - versions: - - name: v1alpha2 - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.cert-manager.io -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: cert-manager.io - preserveUnknownFields: false - names: - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - singular: clusterissuer - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IssuerSpec is the specification of an Issuer. This includes - any configuration required for the issuer. - type: object - properties: - acme: - description: ACMEIssuer contains the specification for an ACME issuer - type: object - required: - - privateKeySecretRef - - server - properties: - email: - description: Email is the email for this account - type: string - externalAccountBinding: - description: ExternalAcccountBinding is a reference to a CA external - account of the ACME server. - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or indeed - with the External Account Binding keyID above. The secret - key stored in the Secret **must** be un-padded, base64 URL - encoded data. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - privateKeySecretRef: - description: PrivateKey is the name of a secret containing the private - key for this user account. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - server: - description: Server is the ACME server URL - type: string - skipTLSVerify: - description: If true, skip verifying the ACME server TLS certificate - type: boolean - solvers: - description: Solvers is a list of challenge solvers that will be - used to solve ACME challenges for the matching domains. - type: array - items: - type: object - properties: - dns01: - type: object - properties: - acmedns: - description: ACMEIssuerDNS01ProviderAcmeDNS is a structure - containing the configuration for ACME-DNS servers - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - host: - type: string - akamai: - description: ACMEIssuerDNS01ProviderAkamai is a structure - containing the DNS configuration for Akamai DNS—Zone - Record Management API - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. 
- type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: ACMEIssuerDNS01ProviderAzureDNS is a structure - containing the configuration for Azure DNS - type: object - required: - - clientID - - clientSecretSecretRef - - resourceGroupName - - subscriptionID - - tenantID - properties: - clientID: - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' 
- type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - type: string - clouddns: - description: ACMEIssuerDNS01ProviderCloudDNS is a structure - containing the DNS configuration for Google Cloud DNS - type: object - required: - - project - properties: - project: - type: string - serviceAccountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - cloudflare: - description: ACMEIssuerDNS01ProviderCloudflare is a structure - containing the DNS configuration for Cloudflare - type: object - required: - - email - properties: - apiKeySecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - apiTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - email: - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. 
- type: string - enum: - - None - - Follow - digitalocean: - description: ACMEIssuerDNS01ProviderDigitalOcean is a - structure containing the DNS configuration for DigitalOcean - Domains - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - rfc2136: - description: ACMEIssuerDNS01ProviderRFC2136 is a structure - containing the configuration for RFC2136 DNS - type: object - required: - - nameserver - properties: - nameserver: - description: 'The IP address of the DNS supporting - RFC2136. Required. Note: FQDN is not a valid value, - only IP.' - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field - is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' 
- type: string - route53: - description: ACMEIssuerDNS01ProviderRoute53 is a structure - containing the Route 53 configuration for AWS - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup using - the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit credentials - AccessKeyID/SecretAccessKey or the inferred credentials - from environment variables, shared credentials file - or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - webhook: - description: ACMEIssuerDNS01ProviderWebhook specifies - configuration for a webhook DNS01 provider, including - where to POST ChallengePayload resources. 
- type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON data. - Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for - a DNS service), you should use a SecretKeySelector - to reference a Secret resource. For details on the - schema of this field, consult the webhook provider - implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the webhook - apiserver. This should be the same as the GroupName - specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: ACMEChallengeSolverHTTP01 contains configuration - detailing how to solve HTTP01 challenges within a Kubernetes - cluster. Typically this is accomplished through creating - 'routes' of some description that configure ingress controllers - to direct traffic to 'solver pods', which are responsible - for responding to the ACME server's HTTP requests. - type: object - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' or - 'name' may be specified. 
- type: string - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress controllers - like ingress-gce, which maintains a 1:1 mapping - between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels - or annotations overlap with in-built values, - the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to - the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'nodeSelector', - 'affinity' and 'tolerations' fields are supported - currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling - constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. 
- for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches the - corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - type: array - items: - description: An empty preferred - scheduling term matches all objects - with implicit weight 0 (i.e. it's - a no-op). A null preferred scheduling - term matches no objects (i.e. - is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. 
- type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. due to an update), the system - may or may not try to eventually - evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - type: array - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset of - the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. 
- type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. 
- type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the - same node, zone, etc. as some other - pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. 
- type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. 
due to a pod label update), - the system may or may not try to - eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. 
A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and adding - "weight" to the sum if the node - has pods which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. 
- type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. 
- type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this field - are not met at scheduling time, - the pod will not be scheduled onto - the node. If the anti-affinity requirements - specified by this field cease to - be met at some point during pod - execution (e.g. due to a pod label - update), the system may or may not - try to eventually evict the pod - from its node. When there are multiple - elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - nodeSelector: - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. - Selector which must match a node''s labels - for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is - attached to tolerates any taint that matches - the triple using the - matching operator . - type: object - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match - all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that - the toleration applies to. Empty means - match all taint keys. If the key is - empty, operator must be Exists; this - combination means to match all values - and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to - Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate - all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) tolerates - the taint. By default, it is not set, - which means tolerate the taint forever - (do not evict). Zero and negative - values will be treated as 0 (evict - immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. 
- type: string - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be - used to solve. If specified and a match is found, a - dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same dnsNames - value, the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be - used to solve. The most specific DNS zone match specified - here will take precedence over other DNS zone matches, - so a solver specifying sys.example.com will be selected - over one specifying example.com for the domain www.sys.example.com. - If multiple solvers match with the same dnsZones value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the - set of certificate's that this challenge solver will - apply to. - type: object - additionalProperties: - type: string - ca: - type: object - required: - - secretName - properties: - secretName: - description: SecretName is the name of the secret used to sign Certificates - issued by this Issuer. 
- type: string - selfSigned: - type: object - vault: - type: object - required: - - auth - - path - - server - properties: - auth: - description: Vault authentication - type: object - properties: - appRole: - description: This Secret contains a AppRole and Secret - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: Where the authentication path is mounted in - Vault. - type: string - roleId: - type: string - secretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - kubernetes: - description: This contains a Role and Secret with a ServiceAccount - token to authenticate with vault. - type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, setting - a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` - to authenticate with Vault. If unspecified, the default - value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount with - a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - tokenSecretRef: - description: This Secret contains the Vault token key - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - caBundle: - description: Base64 encoded CA bundle to validate Vault server certificate. - Only used if the Server URL is using HTTPS protocol. This parameter - is ignored for plain HTTP protocol connection. If not set the - system root certificates are used to validate the TLS connection. - type: string - format: byte - path: - description: Vault URL path to the certificate role - type: string - server: - description: Server is the vault connection address - type: string - venafi: - description: VenafiIssuer describes issuer configuration details for - Venafi Cloud. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - url: - description: URL is the base URL for Venafi Cloud - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certifiate to use - to verify connections to the TPP instance. If specified, system - roots will not be used and the issuing CA for the TPP instance - must be verifiable using the provided root. If not specified, - the connection will be verified using the cert-manager system - root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret must - contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - url: - description: URL is the base URL for the Venafi TPP instance - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by - the named zone policy. This field is required. 
- type: string - status: - description: IssuerStatus contains status information about an Issuer - type: object - properties: - acme: - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track changes made - to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - conditions: - type: array - items: - description: IssuerCondition contains condition information for an - Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, currently ('Ready'). - type: string - version: v1alpha2 - versions: - - name: v1alpha2 - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: issuers.cert-manager.io -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. 
It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: cert-manager.io - preserveUnknownFields: false - names: - kind: Issuer - listKind: IssuerList - plural: issuers - singular: issuer - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IssuerSpec is the specification of an Issuer. This includes - any configuration required for the issuer. - type: object - properties: - acme: - description: ACMEIssuer contains the specification for an ACME issuer - type: object - required: - - privateKeySecretRef - - server - properties: - email: - description: Email is the email for this account - type: string - externalAccountBinding: - description: ExternalAcccountBinding is a reference to a CA external - account of the ACME server. - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". 
- type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or indeed - with the External Account Binding keyID above. The secret - key stored in the Secret **must** be un-padded, base64 URL - encoded data. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - privateKeySecretRef: - description: PrivateKey is the name of a secret containing the private - key for this user account. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must be a - valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - server: - description: Server is the ACME server URL - type: string - skipTLSVerify: - description: If true, skip verifying the ACME server TLS certificate - type: boolean - solvers: - description: Solvers is a list of challenge solvers that will be - used to solve ACME challenges for the matching domains. 
- type: array - items: - type: object - properties: - dns01: - type: object - properties: - acmedns: - description: ACMEIssuerDNS01ProviderAcmeDNS is a structure - containing the configuration for ACME-DNS servers - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - host: - type: string - akamai: - description: ACMEIssuerDNS01ProviderAkamai is a structure - containing the DNS configuration for Akamai DNS—Zone - Record Management API - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. 
More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: ACMEIssuerDNS01ProviderAzureDNS is a structure - containing the configuration for Azure DNS - type: object - required: - - clientID - - clientSecretSecretRef - - resourceGroupName - - subscriptionID - - tenantID - properties: - clientID: - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - type: string - clouddns: - description: ACMEIssuerDNS01ProviderCloudDNS is a structure - containing the DNS configuration for Google Cloud DNS - type: object - required: - - project - properties: - project: - type: string - serviceAccountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' 
- type: string - cloudflare: - description: ACMEIssuerDNS01ProviderCloudflare is a structure - containing the DNS configuration for Cloudflare - type: object - required: - - email - properties: - apiKeySecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - apiTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - email: - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: ACMEIssuerDNS01ProviderDigitalOcean is a - structure containing the DNS configuration for DigitalOcean - Domains - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' 
- type: string - rfc2136: - description: ACMEIssuerDNS01ProviderRFC2136 is a structure - containing the configuration for RFC2136 DNS - type: object - required: - - nameserver - properties: - nameserver: - description: 'The IP address of the DNS supporting - RFC2136. Required. Note: FQDN is not a valid value, - only IP.' - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field - is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - route53: - description: ACMEIssuerDNS01ProviderRoute53 is a structure - containing the Route 53 configuration for AWS - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup using - the route53:ListHostedZonesByName api call. 
- type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit credentials - AccessKeyID/SecretAccessKey or the inferred credentials - from environment variables, shared credentials file - or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - webhook: - description: ACMEIssuerDNS01ProviderWebhook specifies - configuration for a webhook DNS01 provider, including - where to POST ChallengePayload resources. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON data. - Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for - a DNS service), you should use a SecretKeySelector - to reference a Secret resource. For details on the - schema of this field, consult the webhook provider - implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the webhook - apiserver. 
This should be the same as the GroupName - specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: ACMEChallengeSolverHTTP01 contains configuration - detailing how to solve HTTP01 challenges within a Kubernetes - cluster. Typically this is accomplished through creating - 'routes' of some description that configure ingress controllers - to direct traffic to 'solver pods', which are responsible - for responding to the ACME server's HTTP requests. - type: object - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' or - 'name' may be specified. - type: string - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress controllers - like ingress-gce, which maintains a 1:1 mapping - between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. 
If labels - or annotations overlap with in-built values, - the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to - the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'nodeSelector', - 'affinity' and 'tolerations' fields are supported - currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling - constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches the - corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - type: array - items: - description: An empty preferred - scheduling term matches all objects - with implicit weight 0 (i.e. it's - a no-op). A null preferred scheduling - term matches no objects (i.e. - is also a no-op). 
- type: object - required: - - preference - - weight - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. 
If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. due to an update), the system - may or may not try to eventually - evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - type: array - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset of - the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. 
If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the - same node, zone, etc. as some other - pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. 
- for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. 
A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. due to a pod label update), - the system may or may not try to - eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. 
- type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and adding - "weight" to the sum if the node - has pods which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. 
- type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. 
- type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this field - are not met at scheduling time, - the pod will not be scheduled onto - the node. If the anti-affinity requirements - specified by this field cease to - be met at some point during pod - execution (e.g. due to a pod label - update), the system may or may not - try to eventually evict the pod - from its node. When there are multiple - elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - nodeSelector: - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. - Selector which must match a node''s labels - for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is - attached to tolerates any taint that matches - the triple using the - matching operator . - type: object - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match - all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that - the toleration applies to. Empty means - match all taint keys. If the key is - empty, operator must be Exists; this - combination means to match all values - and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to - Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate - all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) tolerates - the taint. By default, it is not set, - which means tolerate the taint forever - (do not evict). Zero and negative - values will be treated as 0 (evict - immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. 
- type: string - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be - used to solve. If specified and a match is found, a - dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same dnsNames - value, the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be - used to solve. The most specific DNS zone match specified - here will take precedence over other DNS zone matches, - so a solver specifying sys.example.com will be selected - over one specifying example.com for the domain www.sys.example.com. - If multiple solvers match with the same dnsZones value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the - set of certificate's that this challenge solver will - apply to. - type: object - additionalProperties: - type: string - ca: - type: object - required: - - secretName - properties: - secretName: - description: SecretName is the name of the secret used to sign Certificates - issued by this Issuer. 
- type: string - selfSigned: - type: object - vault: - type: object - required: - - auth - - path - - server - properties: - auth: - description: Vault authentication - type: object - properties: - appRole: - description: This Secret contains a AppRole and Secret - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: Where the authentication path is mounted in - Vault. - type: string - roleId: - type: string - secretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - kubernetes: - description: This contains a Role and Secret with a ServiceAccount - token to authenticate with vault. - type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, setting - a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` - to authenticate with Vault. If unspecified, the default - value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount with - a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - tokenSecretRef: - description: This Secret contains the Vault token key - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - caBundle: - description: Base64 encoded CA bundle to validate Vault server certificate. - Only used if the Server URL is using HTTPS protocol. This parameter - is ignored for plain HTTP protocol connection. If not set the - system root certificates are used to validate the TLS connection. - type: string - format: byte - path: - description: Vault URL path to the certificate role - type: string - server: - description: Server is the vault connection address - type: string - venafi: - description: VenafiIssuer describes issuer configuration details for - Venafi Cloud. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - url: - description: URL is the base URL for Venafi Cloud - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certifiate to use - to verify connections to the TPP instance. If specified, system - roots will not be used and the issuing CA for the TPP instance - must be verifiable using the provided root. If not specified, - the connection will be verified using the cert-manager system - root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret must - contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - url: - description: URL is the base URL for the Venafi TPP instance - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by - the named zone policy. This field is required. 
- type: string - status: - description: IssuerStatus contains status information about an Issuer - type: object - properties: - acme: - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track changes made - to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - conditions: - type: array - items: - description: IssuerCondition contains condition information for an - Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, currently ('Ready'). - type: string - version: v1alpha2 - versions: - - name: v1alpha2 - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: orders.acme.cert-manager.io -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - JSONPath: .status.reason - name: Reason - priority: 1 - type: string - - JSONPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when - this object was created. 
It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - name: Age - type: date - group: acme.cert-manager.io - preserveUnknownFields: false - names: - kind: Order - listKind: OrderList - plural: orders - singular: order - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - type: object - required: - - metadata - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - csr - - issuerRef - properties: - commonName: - description: CommonName is the common name as specified on the DER encoded - CSR. If CommonName is not specified, the first DNSName specified will - be used as the CommonName. At least one of CommonName or a DNSNames - must be set. This field must match the corresponding field on the - DER encoded CSR. - type: string - csr: - description: Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - type: string - format: byte - dnsNames: - description: DNSNames is a list of DNS names that should be included - as part of the Order validation process. 
If CommonName is not specified, - the first DNSName specified will be used as the CommonName. At least - one of CommonName or a DNSNames must be set. This field must match - the corresponding field on the DER encoded CSR. - type: array - items: - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer - which should be used to create this Order. If the Issuer does not - exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Order will be marked as - failed. - type: object - required: - - name - properties: - group: - type: string - kind: - type: string - name: - type: string - status: - type: object - properties: - authorizations: - description: Authorizations contains data returned from the ACME server - on what authoriations must be completed in order to validate the DNS - names specified on the Order. - type: array - items: - description: ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - type: object - required: - - url - properties: - challenges: - description: Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge resource - will be created to perform the ACME challenge process. - type: array - items: - description: Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - type: object - required: - - token - - type - - url - properties: - token: - description: Token is the token that must be presented for - this challenge. This is used to compute the 'key' that - must also be presented. - type: string - type: - description: Type is the type of challenge being offered, - e.g. 
http-01, dns-01 - type: string - url: - description: URL is the URL of this challenge. It can be - used to retrieve additional metadata about the Challenge - from the ACME server. - type: string - identifier: - description: Identifier is the DNS name to be validated as part - of this authorization - type: string - url: - description: URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: Wildcard will be true if this authorization is for - a wildcard DNS name. If this is true, the identifier will be - the *non-wildcard* version of the DNS name. For example, if - '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - certificate: - description: Certificate is a copy of the PEM encoded certificate for - this Order. This field will be populated after the order has been - successfully finalized with the ACME server, and the order has transitioned - to the 'valid' state. - type: string - format: byte - failureTime: - description: FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - type: string - format: date-time - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. 
- type: string
- version: v1alpha2
- versions:
- - name: v1alpha2
- served: true
- storage: true
----
diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml
index 19d88033..05ce1e24 100644
--- a/charts/management-portal/templates/deployment.yaml
+++ b/charts/management-portal/templates/deployment.yaml
@@ -47,7 +47,7 @@ spec:
 - name: SPRING_PROFILES_ACTIVE
 value: "prod,swagger"
 - name: SPRING_DATASOURCE_URL
- value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal"
+ value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal&sslmode=require"
 - name: SPRING_DATASOURCE_USERNAME
 value: {{ .Values.postgres.user }}
 - name: SPRING_DATASOURCE_PASSWORD
diff --git a/charts/management-portal/templates/ingress.yaml b/charts/management-portal/templates/ingress.yaml
index 37462d2f..4aed24b5 100644
--- a/charts/management-portal/templates/ingress.yaml
+++ b/charts/management-portal/templates/ingress.yaml
@@ -22,7 +22,7 @@ spec:
 {{- range $hosts }}
 - {{ . | quote }}
 {{- end }}
- secretName: {{ .secretName }}
+ secretName: {{ .Values.ingress.tls.secretName }}
 {{- end }}
 rules:
 {{- range .Values.ingress.hosts }}
diff --git a/charts/prometheus-operator/values.yaml b/charts/prometheus-operator/values.yaml
index b99e7245..a17d9404 100644
--- a/charts/prometheus-operator/values.yaml
+++ b/charts/prometheus-operator/values.yaml
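Review bot: The new `SPRING_DATASOURCE_URL` appends `&sslmode=require` to a URL that has no query string yet, so the driver never sees a parameter — everything after the last `/` up to a `?` is presumably taken as the database name — and the connection is not forced onto TLS at all. The first parameter has to be introduced with `?`: `value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal?sslmode=require"`. Note also that `require` only encrypts and does not check the server certificate; once a trusted CA can be mounted into the pod, `sslmode=verify-full` is the mode that actually authenticates the server.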
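Review bot: `.Values.ingress.tls.secretName` is evaluated inside the block that the following `{{- end }}` closes; the replaced `.secretName` and the `$hosts` variable suggest that block is a `range` (or `with`) over the TLS entries, and inside such a block `.` is the entry rather than the chart root, so `.Values` resolves to nil and rendering fails. Use the root variable there: `secretName: {{ $.Values.ingress.tls.secretName }}`. The change also makes every TLS entry reference the same secret, which is only correct if `ingress.tls` now describes a single certificate — worth confirming against values.yaml. The enclosing block starts outside the hunk.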
@@ -24,29 +24,25 @@ prometheus-operator:
 requests:
 storage: 2Gi
 ruleNamespaceSelector:
- namespaceSelector:
- matchNames:
- - default
- - monitoring
- - cert-manager
- ruleSelector:
- namespaceSelector:
- matchNames:
- - default
- - cert-manager
- - monitoring
+ matchExpressions:
+ - key: name
+ operator: In
+ values:
+ - default
+ - monitoring
+ - graylog
+ - cert-manager
+ - kube-system
 serviceMonitorNamespaceSelector:
- namespaceSelector:
- matchNames:
- - default
- - cert-manager
- - monitoring
- serviceMonitorSelector:
- namespaceSelector:
- matchNames:
- - default
- - cert-manager
- - monitoring
+ matchExpressions:
+ - key: name
+ operator: In
+ values:
+ - default
+ - monitoring
+ - graylog
+ - cert-manager
+ - kube-system
 
 ingress:
 enabled: true
@@ -85,6 +81,7 @@ prometheus-operator:
 group_wait: 30s
 receiver: "default"
 repeat_interval: 12h
+ routes: []
 
 ingress:
 enabled: true
diff --git a/helmfile.d/00-init.yaml b/helmfile.d/00-init.yaml
index b21391d4..ad604848 100644
--- a/helmfile.d/00-init.yaml
+++ b/helmfile.d/00-init.yaml
@@ -12,7 +12,7 @@ environments:
 
 helmDefaults:
 atomic: true
- force: true
+ # force: true
 timeout: 600
 kubeContext: {{ .Values.kubeContext }}
 
@@ -106,7 +106,8 @@ releases:
 
 - name: nginx-ingress
 chart: stable/nginx-ingress
- version: 1.30.0
+ version: 1.40.2
+ force: false
 installed: {{ .Values.nginx_ingress._install }}
 values:
 - "../charts/nginx-ingress/values.yaml"
From a13145dd08bdc439b34eb7a8591392be9bb2d2d9 Mon Sep 17 00:00:00 2001
From: K1Hyve <53298451+K1Hyve@users.noreply.github.com>
Date: Tue, 1 Sep 2020 18:36:35 +0200
Subject: [PATCH 38/41] Removed reference to chdr

---
 base.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base.yaml b/base.yaml
index 96657e84..d777b337 100644
--- a/base.yaml
+++ b/base.yaml
@@ -154,7 +154,7 @@ management_portal:
 port: 25
 username: username
 password: secret
- from: no-reply-more@chdr.nl
+ from: noreply@example.com
 
 app_config:
 _install: true
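Review bot: The new `matchExpressions` entries select namespaces by a label called `name`, which Kubernetes does not set on namespaces by itself (the automatic `kubernetes.io/metadata.name` label only exists on newer clusters), so unless each listed namespace has been labelled by hand the selector matches nothing and the rules and ServiceMonitors from `monitoring`, `cert-manager`, `kube-system` and the others are silently dropped — a monitoring gap that raises no error. Either label the namespaces as part of provisioning (e.g. `kubectl label namespace monitoring name=monitoring`) or, where the cluster version allows, select on `key: kubernetes.io/metadata.name`. The hunk also removes `ruleSelector` and `serviceMonitorSelector` entirely, which presumably hands those back to the chart's defaults; a comment stating what is now selected would make that intent visible.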
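Review bot: `# force: true` leaves a dead setting in `helmDefaults` with no record of why it was turned off, and the nginx-ingress release in the next hunk now carries its own `force: false`, so the intent is split across two places. Prefer deleting the commented line, or making the reason explicit, e.g. `force: false  # --force replaces resources on upgrade; disabled to keep the ingress controller in place` — assuming that is why it was disabled together with the nginx-ingress bump.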
From fbda1ed3e20e0f4c30183193b95fd84d935774af Mon Sep 17 00:00:00 2001 From: Keyvan Date: Tue, 1 Sep 2020 21:59:13 +0200 Subject: [PATCH 39/41] More general configuration for management-portal Signed-off-by: Keyvan --- charts/management-portal/templates/deployment.yaml | 2 +- .../templates/secrets-postgres-keystore.yaml | 4 +++- charts/management-portal/values.yaml | 3 +++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml index 6690e731..c56df83a 100644 --- a/charts/management-portal/templates/deployment.yaml +++ b/charts/management-portal/templates/deployment.yaml @@ -47,7 +47,7 @@ spec: - name: SPRING_PROFILES_ACTIVE value: "prod,swagger" - name: SPRING_DATASOURCE_URL - value: "jdbc:postgresql://{{ .Values.postgres.host }}:5432/managementportal?ssl=true&sslmode=verify-ca" + value: "jdbc:postgresql://{{ .Values.postgres.host }}:{{ .Values.postgres.port }}/{{ .Values.postgres.database }}{{ .Values.postgres.connection_parameters }}" - name: SPRING_DATASOURCE_USERNAME value: {{ .Values.postgres.user }} - name: SPRING_DATASOURCE_PASSWORD diff --git a/charts/management-portal/templates/secrets-postgres-keystore.yaml b/charts/management-portal/templates/secrets-postgres-keystore.yaml index 3494f5a7..6ff5ff98 100644 --- a/charts/management-portal/templates/secrets-postgres-keystore.yaml +++ b/charts/management-portal/templates/secrets-postgres-keystore.yaml @@ -1,3 +1,4 @@ +{{- if .Values.postgres.ssl.enabled }} apiVersion: v1 kind: Secret metadata: @@ -9,4 +10,5 @@ metadata: heritage: {{ .Release.Service | quote }} type: Opaque data: - root.crt: {{ .Files.Get "files/BaltimoreCyberTrustRoot.crt.pem" | b64enc | quote }} + root.crt: {{ .Files.Get "files/root.crt" | b64enc | quote }} +{{ end }} diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml index 93e34578..dbf4c355 100644 --- a/charts/management-portal/values.yaml 
+++ b/charts/management-portal/values.yaml
@@ -55,6 +55,9 @@ affinity: {}
 
 postgres:
 host: postgresql-postgresql
+ port: 5432
+ database: managementportal
+ connection_parameters: ""
 user: postgres
 password: password
 ssl:
From 71673c7ced64cf59254dbfd7dfe8614abdab2ddb Mon Sep 17 00:00:00 2001
From: Keyvan
Date: Tue, 1 Sep 2020 22:13:58 +0200
Subject: [PATCH 40/41] Replaced sendGrid references with smtp

Signed-off-by: Keyvan
---
 base.yaml | 4 ++--
 charts/management-portal/templates/deployment.yaml | 12 ++++++------
 charts/management-portal/templates/secrets.yaml | 6 +++---
 charts/management-portal/values.yaml | 4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/base.yaml b/base.yaml
index d777b337..4a9a1659 100644
--- a/base.yaml
+++ b/base.yaml
@@ -148,7 +148,7 @@ management_portal:
 radarFitbitConnector: secret
 morePromasysSync: secret
 radarAppconfig: secret
- sendGrid:
+ smtp:
 enabled: false
 host: smtp
 port: 25
@@ -160,7 +160,7 @@ app_config:
 _install: true
 replicaCount: 1 # should be 1
 clientSecret: secret
-
+
 smtp:
 _install: true
 replicaCount: 1
diff --git a/charts/management-portal/templates/deployment.yaml b/charts/management-portal/templates/deployment.yaml
index c56df83a..31ff00cb 100644
--- a/charts/management-portal/templates/deployment.yaml
+++ b/charts/management-portal/templates/deployment.yaml
@@ -91,23 +91,23 @@ spec:
 value: "0"
 - name: JAVA_OPTS # maximum heap size for the JVM running ManagementPortal, increase this as necessary
 value: "-Xmx1500m"
- {{- if .Values.sendGrid.enabled }}
+ {{- if .Values.smtp.enabled }}
 - name: SPRING_MAIL_HOST
- value: {{ .Values.sendGrid.host | quote }}
+ value: {{ .Values.smtp.host | quote }}
 - name: SPRING_MAIL_PORT
- value: {{ .Values.sendGrid.port | quote }}
+ value: {{ .Values.smtp.port | quote }}
 - name: SPRING_MAIL_USERNAME
 valueFrom:
 secretKeyRef:
 name: {{ template "management-portal.secretName" . }}
- key: sendGridUsername
+ key: smtpUsername
 - name: SPRING_MAIL_PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ template "management-portal.secretName" . }}
- key: sendGridPassword
+ key: smtpPassword
 - name: SPRING_MAIL_FROM
- value: {{ .Values.sendGrid.from | quote }}
+ value: {{ .Values.smtp.from | quote }}
 {{ end }}
 ports:
 - name: http
diff --git a/charts/management-portal/templates/secrets.yaml b/charts/management-portal/templates/secrets.yaml
index 73e132e7..cf6a8533 100644
--- a/charts/management-portal/templates/secrets.yaml
+++ b/charts/management-portal/templates/secrets.yaml
@@ -13,8 +13,8 @@ data:
 postgresql_password: {{ .Values.postgres.password | b64enc | quote }}
 managementportal_frontend_client_secret: {{ .Values.managementportal.frontend_client_secret | b64enc | quote }}
 managementportal_common_admin_password: {{ .Values.managementportal.common_admin_password | b64enc | quote }}
- {{- if .Values.sendGrid.enabled }}
- sendGridUsername: {{ .Values.sendGrid.username | b64enc | quote }}
- sendGridPassword: {{ .Values.sendGrid.password | b64enc | quote }}
+ {{- if .Values.smtp.enabled }}
+ smtpUsername: {{ .Values.smtp.username | b64enc | quote }}
+ smtpPassword: {{ .Values.smtp.password | b64enc | quote }}
 {{ end }}
 {{- end -}}
diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml
index dbf4c355..d99820c8 100644
--- a/charts/management-portal/values.yaml
+++ b/charts/management-portal/values.yaml
@@ -87,10 +87,10 @@ client_secrets:
 morePromasysSync: secret
 radarAppconfig: secret
 
-sendGrid:
+smtp:
 enabled: false
 host: smtp
 port: 25
 username: username
 password: secret
- from: no-reply-more@chdr.nl
+ from: noreply@example.com
From 855e582debec669bbe9ba8001177d45a0e660515 Mon Sep 17 00:00:00 2001
From: Keyvan
Date: Tue, 1 Sep 2020 22:36:07 +0200
Subject: [PATCH 41/41] Added ability to add extra oauth_clients to management-portal

Signed-off-by: Keyvan
---
 base.yaml | 2 +-
 charts/management-portal/templates/configmap.yaml | 4 +++-
 charts/management-portal/values.yaml | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/base.yaml b/base.yaml
index 4a9a1659..a2052f63 100644
--- a/base.yaml
+++ b/base.yaml
@@ -146,8 +146,8 @@ management_portal:
 radar_upload_frontend: secret
 radar_rest_sources_backend: secret
 radarFitbitConnector: secret
- morePromasysSync: secret
 radarAppconfig: secret
+ extra_oauth_clients: []
 smtp:
 enabled: false
 host: smtp
diff --git a/charts/management-portal/templates/configmap.yaml b/charts/management-portal/templates/configmap.yaml
index ac45eb09..e1e43280 100644
--- a/charts/management-portal/templates/configmap.yaml
+++ b/charts/management-portal/templates/configmap.yaml
@@ -22,6 +22,8 @@ data:
 radar_rest_sources_auth_backend;res_ManagementPortal;{{ .Values.client_secrets.radar_rest_sources_backend }};PROJECT.READ,SOURCETYPE.READ,SUBJECT.READ,SOURCE.READ;client_credentials;;;43200;86400;{};
 radar_rest_sources_authorizer;res_restAuthorizer;;SOURCETYPE.READ,PROJECT.READ,SUBJECT.READ;authorization_code;https://{{ .Values.server_name }}/rest-sources/authorizer/login;;43200;86400;{};
 radar_fitbit_connector;res_restAuthorizer;{{ .Values.client_secrets.radarFitbitConnector }};SUBJECT.READ;client_credentials;;;43200;;{};
- more_promasys_sync_client;res_ManagementPortal;{{ .Values.client_secrets.morePromasysSync }};PROJECT.READ,PROJECT.CREATE,SUBJECT.READ,SUBJECT.CREATE;client_credentials;;;43200;;{};
 radar_appconfig;res_ManagementPortal,res_appconfig;{{ .Values.client_secrets.radarAppconfig }};SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,SUBJECT.READ,OAUTHCLIENTS.READ;client_credentials;;;900;;;
 radar_appconfig_frontend;res_appconfig;;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,PROJECT.CREATE,PROJECT.UPDATE,SUBJECT.READ,SUBJECT.UPDATE,OAUTHCLIENTS.READ;authorization_code,refresh_token;https://{{ .Values.server_name }}/appconfig/login;1800;78000;;
+ {{- range .Values.extra_oauth_clients }}
+ {{ . }}
+ {{- end }}
diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml
index d99820c8..a13cb943 100644
--- a/charts/management-portal/values.yaml
+++ b/charts/management-portal/values.yaml
@@ -84,9 +84,10 @@ client_secrets:
 radar_upload_frontend: secret
 radar_rest_sources_backend: secret
 radarFitbitConnector: secret
- morePromasysSync: secret
 radarAppconfig: secret
 
+extra_oauth_clients: []
+
 smtp:
 enabled: false
 host: smtp
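Review bot: Each element of `extra_oauth_clients` is spliced into the OAuth client table as a raw line via `{{ . }}`, so nothing checks that it has the same semicolon-separated shape as the rows above it, and an element containing a newline or less indentation than the block scalar breaks the whole ConfigMap value rather than a single row. At minimum document the contract next to `extra_oauth_clients: []` in the values.yaml hunk below and in this commit's base.yaml hunk, e.g. `# One raw row per entry, same semicolon-separated field order as the rows in templates/configmap.yaml`, and note that the secret field of such a row lands in a ConfigMap, not a Secret, so those entries belong in secret values rather than committed files. A more robust option is to make each entry a map of named fields and render the row in the template, which guarantees the field count.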