diff --git a/chart/otomi/values.schema.json b/chart/otomi/values.schema.json
new file mode 100644
index 0000000000..e62a5aca3d
--- /dev/null
+++ b/chart/otomi/values.schema.json
@@ -0,0 +1,4690 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "version": 3, + "additionalProperties": true, + "definitions": { + "rawValues": { + "description": "May define value overrides for a chart. WARNING: these values currently have no schema and can't be validated as such, and may break deployment. You are on your own here.", + "type": "object" + }, + "alerts": { + "additionalProperties": false, + "properties": { + "drone": { + "items": { + "enum": [ + "slack", + "msteams", + "opsgenie" + ], + "type": "string" + }, + "type": "array", + "uniqueItems": true + }, + "email": { + "additionalProperties": false, + "properties": { + "critical": { + "$ref": "#/definitions/email", + "description": "One or more email addresses (comma separated) for critical events.", + "x-secret": "" + }, + "nonCritical": { + "$ref": "#/definitions/email", + "description": "One or more email addresses (comma separated) for non-critical events.", + "x-secret": "" + } + } + }, + "groupInterval": { + "default": "5m", + "description": "How long to wait before sending a notification about new alerts that are added to a group of alerts for which an initial notification has already been sent. (Usually ~5m or more.)", + "$ref": "#/definitions/duration" + }, + "msteams": { + "additionalProperties": false, + "properties": { + "highPrio": { + "description": "The high prio web hook.", + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + }, + "lowPrio": { + "description": "The low prio web hook.", + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + } + } + }, + "receivers": { + "description": "Notification receivers.", + "items": { + "enum": [ + "slack", + "msteams", + "opsgenie", + "email", + "none" + ], + "type": "string" + }, + "type": "array", + "uniqueItems": true + }, + "repeatInterval": { + "default": "3h", + "description": "How long to wait before sending a notification again if it has already been sent successfully for an alert. 
(Usually ~3h or more).", + "$ref": "#/definitions/duration" + }, + "slack": { + "additionalProperties": false, + "properties": { + "channel": { + "default": "mon-otomi", + "description": "The Slack channel for non-critical notifications.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "channelCrit": { + "default": "mon-otomi-crit", + "description": "The Slack channel for critical notifications.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "url": { + "$ref": "#/definitions/url", + "description": "A Slack webhook URL.", + "x-secret": "" + } + } + }, + "opsgenie": { + "additionalProperties": false, + "properties": { + "apiKey": { + "description": "The api key to use for authn", + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + }, + "url": { + "$ref": "#/definitions/url", + "description": "A Slack webhook URL.", + "x-secret": "" + }, + "responders": { + "type": "array", + "items": { + "allOf": [ + { + "properties": { + "type": { + "type": "string", + "enum": [ + "team", + "user", + "escalation", + "schedule" + ] + } + } + }, + { + "oneOf": [ + { + "title": "ID", + "required": [ + "id" + ], + "properties": { + "id": { + "$ref": "#/definitions/wordCharacterPattern" + } + } + }, + { + "title": "Name", + "required": [ + "name" + ], + "properties": { + "name": { + "$ref": "#/definitions/idName" + } + } + }, + { + "title": "Username", + "required": [ + "username" + ], + "properties": { + "username": { + "$ref": "#/definitions/wordCharacterPattern" + } + } + } + ] + } + ], + "required": [ + "type" + ] + } + } + } + } + } + }, + "annotations": { + "$ref": "#/definitions/labelsAnnotations", + "description": "A set of annotations." 
+ }, + "autoscaling": { + "additionalProperties": false, + "properties": { + "maxReplicas": { + "type": "integer", + "default": 10 + }, + "minReplicas": { + "type": "integer", + "default": 1 + } + } + }, + "autoscalingEnabled": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": true, + "type": "boolean" + }, + "maxReplicas": { + "type": "integer", + "default": 10 + }, + "minReplicas": { + "type": "integer", + "default": 1 + }, + "targetCPUUtilizationPercentage": { + "type": "integer", + "default": 80 + }, + "targetMemoryUtilizationPercentage": { + "type": "integer", + "default": 80 + } + } + }, + "aws": { + "definitions": { + "accessKey": { + "title": "AWS access key", + "description": "An AWS access key ID.", + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + }, + "secretKey": { + "title": "AWS secret key", + "description": "An AWS secret key.", + "type": "string", + "x-secret": "" + }, + "region": { + "title": "AWS region", + "description": "An AWS region.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "role": { + "description": "Role may be set explicitly if no metadata can be accessed.", + "example": "arn:aws:iam::YYYYYYYYYYYY:role/dns-manager", + "$ref": "#/definitions/wordCharacterPattern" + } + } + }, + "azure": { + "definitions": { + "clientId": { + "title": "Azure client id", + "description": "An Azure client id.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "clientSecret": { + "title": "Azure client secret", + "description": "An Azure client secret.", + "type": "string", + "x-secret": "" + }, + "dns": { + "properties": { + "resourceGroup": { + "$ref": "#/definitions/azure/definitions/resourceGroup" + }, + "hostedZoneName": { + "title": "Hosted zone name", + "description": "Name of the DNS zone that should be used.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "tenantId": { + "$ref": "#/definitions/azure/definitions/tenantId" + }, + "subscriptionId": { + "$ref": 
"#/definitions/azure/definitions/subscriptionId" + }, + "aadClientId": { + "$ref": "#/definitions/azure/definitions/clientId" + }, + "aadClientSecret": { + "$ref": "#/definitions/azure/definitions/clientSecret", + "title": "Client secret", + "type": "string", + "description": "Azure Application Client Secret", + "x-secret": "" + } + }, + "required": [ + "tenantId", + "subscriptionId", + "resourceGroup", + "aadClientId", + "aadClientSecret" + ] + }, + "environment": { + "title": "Azure environment", + "description": "An Azure environment.", + "type": "string", + "default": "AzurePublicCloud", + "enum": [ + "AzurePublicCloud", + "AzureChinaCloud", + "AzureUSGovernment", + "AzureGermanCloud" + ] + }, + "tenantId": { + "title": "Azure tenant id", + "description": "An Azure tenant id.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "subscriptionId": { + "title": "Azure subscription id", + "description": "An Azure subscription id.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "resourceGroup": { + "title": "Resource group", + "description": "An Azure resource group.", + "$ref": "#/definitions/wordCharacterPattern" + } + } + }, + "cluster": { + "additionalProperties": false, + "properties": { + "apiName": { + "description": "Exact name of cluster as created when on AWS. Optional otherwise and will be generated for UI purposes. When on AWS this name is used for chart cluster-autoscaler.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "apiServer": { + "description": "Used to generate KUBECONFIG for download, for local access to target cluster.", + "pattern": "^https:\\/\\/.*" + }, + "domainSuffix": { + "$ref": "#/definitions/domain", + "description": "Domain suffix for the cluster. Also added to list of dns zones in the Otomi Console." + }, + "k8sContext": { + "$ref": "#/definitions/k8sContext", + "description": "Optional. Must be set for development mode and must point to an existing context in KUBECONFIG." 
+ }, + "name": { + "$ref": "#/definitions/clusterName", + "description": "Short name that will be used in construction of cluster domain and messaging." + }, + "owner": { + "$ref": "#/definitions/idName", + "description": "The name of the organization owning the cluster.", + "default": "otomi" + }, + "provider": { + "$ref": "#/definitions/provider" + }, + "region": { + "description": "An AWS region. Only required for AWS.", + "examples": [ + "eu-central-1" + ] + } + }, + "required": [ + "name", + "provider" + ], + "allOf": [ + { + "oneOf": [ + { + "properties": { + "provider": { + "enum": [ + "aws" + ] + } + }, + "required": [ + "apiName", + "region" + ] + }, + { + "not": { + "properties": { + "provider": { + "enum": [ + "aws" + ] + } + } + } + } + ] + } + ] + }, + "clusterName": { + "$ref": "#/definitions/wordCharacterPattern", + "type": "string" + }, + "containerSpecNoSec": { + "properties": { + "image": { + "$ref": "#/definitions/image" + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "env": { + "$ref": "#/definitions/env" + }, + "files": { + "$ref": "#/definitions/files" + }, + "nativeSecrets": { + "$ref": "#/definitions/nativeSecrets", + "description": "Reserved for internal use." 
+ }, + "secrets": { + "$ref": "#/definitions/secrets" + }, + "secretMounts": { + "$ref": "#/definitions/secretMounts" + }, + "command": { + "type": "array", + "items": { + "type": "string" + } + }, + "args": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "image", + "resources" + ] + }, + "containerSpec": { + "allOf": [ + { + "$ref": "#/definitions/securityContext" + }, + { + "$ref": "#/definitions/containerSpecNoSec" + } + ] + }, + "cpuQuantity": { + "description": "Amount of cpu cores, or slice of cpu core in millis.", + "examples": [ + "1", + "200m" + ], + "pattern": "^([1-9][0-9]*|([0]|[1-9]+)\\\\.[0-9]{1,3}|[1-9][0-9]*m)$", + "type": "string" + }, + "backup": { + "type": "object", + "description": "PV backups", + "properties": { + "name": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "ttl": { + "$ref": "#/definitions/backupTtl" + }, + "schedule": { + "$ref": "#/definitions/backupSchedule" + }, + "snapshotVolumes": { + "type": "boolean", + "default": false + }, + "labelSelector": { + "$ref": "#/definitions/labels", + "description": "Individual objects must match this label selector to be included in the backup." 
+ } + } + }, + "domain": { + "pattern": "^((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))|([a-f0-9:]+:+)+[a-f0-9]+$", + "type": "string" + }, + "droneGit": { + "properties": { + "clientID": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "clientSecretValue": { + "type": "string", + "x-secret": "" + } + } + }, + "duration": { + "description": "Prometheus duration (See: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file)", + "pattern": "((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)", + "type": "string", + "default": "1d" + }, + "email": { + "pattern": "^(([^<>()\\[\\]\\\\.,;:\\s@\"]+(\\.[^<>()\\[\\]\\\\.,;:\\s@\"]+)*)|(\".+\"))@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\])|(([a-zA-Z\\-0-9]+\\.)+[a-zA-Z]{2,}))$", + "type": "string" + }, + "env": { + "additionalProperties": false, + "examples": [ + { + "FOO": "bar" + }, + { + "bar": "foo" + } + ], + "patternProperties": { + "[a-zA-Z_]{1,}[a-zA-Z0-9_]*": { + "maxLength": 131072, + "type": "string" + } + }, + "nullable": true, + "type": "object", + "title": "Environment variables" + }, + "files": { + "additionalProperties": false, + "description": "Dictionary of absolute path > content pairs.", + "patternProperties": { + "^[/].*": { + "type": "string" + } + } + }, + "google": { + "additionalProperties": false, + "definitions": { + "accountJson": { + "type": "string", + "x-secret": "" + }, + "project": { + "$ref": "#/definitions/wordCharacterPattern" + } + } + }, + "hostPort": { + "pattern": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]):()([1-9]|[1-5]?[0-9]{2,4}|6[1-4][0-9]{3}|65[1-4][0-9]{2}|655[1-2][0-9]|6553[1-5])$", + "type": "string" + }, + "idName": { + "description": "A lowercase name that starts with a letter and may contain dashes.", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])$", + 
"type": "string" + }, + "image": { + "additionalProperties": false, + "properties": { + "pullPolicy": { + "default": "IfNotPresent", + "enum": [ + "IfNotPresent", + "Always" + ], + "type": "string" + }, + "repository": { + "$ref": "#/definitions/repository" + }, + "tag": { + "default": "latest", + "$ref": "#/definitions/wordCharacterPattern" + } + }, + "title": "Container image" + }, + "imagePullPolicy": { + "default": "IfNotPresent", + "enum": [ + "IfNotPresent", + "Always" + ], + "type": "string" + }, + "imageTag": { + "x-default": "stable", + "pattern": "[\\w][\\w.-]{0,127}", + "type": "string", + "x-message": "a valid container registry image tag" + }, + "imageSimple": { + "properties": { + "tag": { + "$ref": "#/definitions/imageTag" + }, + "pullPolicy": { + "$ref": "#/definitions/imagePullPolicy" + } + }, + "required": [ + "tag" + ], + "type": "object", + "title": "Container image" + }, + "ingressNginx": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "tracing": { + "description": "Configure Nginx for tracing. Requires Otel Collector to be enabled.", + "propterties": { + "enabled": { + "default": false, + "type": "boolean" + }, + "samplingRatio": { + "type": "string", + "default": "0.01" + } + } + }, + "autoscaling": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "maxBodySize": { + "type": "string", + "default": "1024m" + }, + "maxBodySizeBytes": { + "type": "integer", + "minimum": 0, + "default": 1073741824, + "description": "Needed for modsecurity. Should correspond to maxBodySize, but expressed in bytes." 
+ }, + "modsecurity": { + "title": "MOD Security", + "description": "Enables MOD Security functionality.", + "properties": { + "block": { + "description": "Makes nginx block requests that are marked as violating the modsec rules.", + "type": "boolean", + "default": false + }, + "enabled": { + "type": "boolean", + "default": false + }, + "owasp": { + "description": "Turns on the default OWASP rule set for modsec. See", + "type": "boolean", + "default": true + } + }, + "type": "object" + }, + "image": { + "properties": { + "tag": { + "$ref": "#/definitions/imageTag", + "x-default": "v1.0.5" + }, + "pullPolicy": { + "$ref": "#/definitions/imagePullPolicy" + } + } + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "service": { + "properties": { + "annotations": { + "$ref": "#/definitions/annotations" + } + } + } + } + }, + "ingressClassParameters": { + "type": "object", + "properties": { + "entrypoint": { + "description": "A public IP address that has a route to a private loadbalancer ip, allowing access to private clusters. (Provider \"custom\" only.)", + "type": "string" + }, + "network": { + "title": "Load balancer type", + "type": "string", + "enum": [ + "public", + "private" + ], + "default": "public" + }, + "loadBalancerIP": { + "title": "Load balancer IP address", + "description": "A static IP address assigned to a load balancer", + "type": "string" + }, + "loadBalancerRG": { + "title": "Load balancer Azure resource group", + "type": "string" + }, + "loadBalancerSubnet": { + "title": "Load balancer Azure subnet", + "type": "string", + "description": "Specify subnet provider for load balancer IP address (applies to private network only)" + }, + "sourceIpAddressFiltering": { + "title": "Source IP address filtering", + "type": "string", + "description": "Whitelist source IP address ranges. The value is a comma separated list of CIDRs, e.g. 
10.0.0.0/24,172.10.0.1" + } + } + }, + "ipV4Address": { + "type": "string", + "pattern": "^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$" + }, + "jobs": { + "description": "You may pass an array of Job objects. The Kubernetes API accepts a Job specification, which is meant for run-to-completion apps (e.g. batch Jobs).", + "items": { + "type": "object", + "allOf": [ + { + "properties": { + "id": { + "type": "string", + "readOnly": true + } + }, + "type": "object" + }, + { + "$ref": "#/definitions/jobSpec" + }, + { + "$ref": "#/definitions/podSpec" + } + ] + }, + "type": "array" + }, + "jobSpec": { + "properties": { + "type": { + "default": "Job", + "enum": [ + "Job", + "CronJob" + ], + "type": "string" + }, + "name": { + "$ref": "#/definitions/idName", + "title": "Name", + "description": "A job name", + "example": "some-job" + }, + "enabled": { + "default": true, + "type": "boolean" + }, + "runPolicy": { + "default": "OnSpecChange", + "description": "If runPolicy is set to 'Always', the job controller will always be re-deployed after a successful deployment with Helm.\nIf runPolicy is set to 'OnSpecChange', the job controller will only be re-deployed if one changes this specification.\n", + "enum": [ + "Always", + "OnSpecChange" + ], + "type": "string" + }, + "schedule": { + "default": "0 1 * * *", + "description": "Must give a cron-type expression if the job type is 'Cronjob'.", + "type": "string" + }, + "script": { + "$ref": "#/definitions/script" + }, + "shell": { + "default": "/bin/sh", + "description": "Full path to a shell binary that exists in the image.", + "type": "string" + }, + "ttlSecondsAfterFinished": { + "default": 86400, + "description": "Time To Live after job is finished in seconds. 
Will be removed afterwards.", + "minimum": 0, + "title": "TTL after finished", + "type": "integer" + }, + "init": { + "type": "array", + "items": { + "$ref": "#/definitions/containerSpec" + }, + "nullable": true + } + }, + "required": [ + "name", + "script", + "type" + ], + "type": "object" + }, + "k8sContext": { + "description": "The cluster k8s context as found in $KUBECONFIG.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "labels": { + "$ref": "#/definitions/labelsAnnotations", + "description": "A set of labels." + }, + "labelsAnnotations": { + "additionalProperties": false, + "patternProperties": { + "^((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]){1,253}\\/)?([a-z0-9A-Z]+[a-z0-9A-Z-_.]+[a-z0-9A-Z]){1,63}$": { + "pattern": "^((.){1,253}\\/)?(.){1,63}$", + "type": "string" + } + } + }, + "logLevel": { + "type": "string", + "default": "info", + "enum": [ + "error", + "warn", + "info", + "debug", + "trace" + ] + }, + "memoryQuantity": { + "description": "Amount of memory. 
Valid units are E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki.", + "examples": [ + "1Mi", + "0.5M" + ], + "pattern": "^([0-9]+\\.)?[0-9]+(E|P|T|G|M|K|Ei|Pi|Ti|Gi|Mi|Ki)?$", + "type": "string" + }, + "nativeSecrets": { + "description": "List of kubernetes secret names.", + "additionalProperties": false, + "patternProperties": { + "[a-zA-Z_]{1,}[a-zA-Z0-9_]*": { + "maxLength": 131072, + "type": "string" + } + }, + "nullable": true, + "type": "object", + "title": "Kubernetes secrets" + }, + "netpol": { + "type": "object", + "properties": { + "name": { + "type": "string", + "title": "Network Policy name", + "description": "A unique name for the network policy" + }, + "ruleType": { + "properties": { + "ingress": { + "properties": { + "toLabelName": { + "type": "string", + "title": "Selector label name", + "description": "The name of the Pod selector label" + }, + "toLabelValue": { + "type": "string", + "title": "Selector label value", + "description": "The value of the Pod selector label" + }, + "mode": { + "default": "AllowOnly", + "enum": [ + "AllowOnly", + "AllowAll" + ] + }, + "allow": { + "title": "Add team or team with service", + "type": "array", + "items": { + "type": "object", + "properties": { + "fromLabelName": { + "type": "string", + "title": "Selector label name", + "description": "The name of the Pod selector label" + }, + "fromLabelValue": { + "type": "string", + "title": "Selector label value", + "description": "The value of the Pod selector label" + }, + "fromNamespace": { + "type": "string", + "title": "Namespace name", + "description": "The name of the namespace" + } + }, + "required": [ + "fromNamespace" + ] + } + } + } + }, + "egress": { + "properties": { + "domain": { + "title": "FQDN or IP address", + "$ref": "#/definitions/domain" + }, + "ports": { + "properties": { + "number": { + "title": "Port number", + "type": "integer", + "minimum": 1, + "maximum": 65535 + }, + "protocol": { + "title": "Protocol", + "type": "string", + "enum": [ + "HTTPS", + "HTTP", + 
"TCP" + ], + "default": "HTTPS" + } + }, + "required": [ + "number", + "protocol" + ], + "default": [ + { + "number": 443, + "protocol": "HTTPS" + } + ] + } + }, + "required": [ + "domain" + ] + } + } + } + } + }, + "path": { + "description": "An absolute path", + "type": "string", + "pattern": "^[/].*$" + }, + "podSecurityContext": { + "allOf": [ + { + "$ref": "#/definitions/securityContext" + }, + { + "properties": { + "fsGroup": { + "description": "Supplementary group ID. Volumes that support ownership management are modified to be owned and writable by this ID.", + "$ref": "#/definitions/unixOwnerId" + }, + "fsGroupChangePolicy": { + "description": "'Defines behavior for changing ownership and permission of the volume before being exposed inside a Pod. This field only applies to volume types that support fsGroup controlled ownership and permissions.\nThis field has two possible values:\n- OnRootMismatch: Only change permissions and ownership if permission and ownership of root directory does not match with expected permissions of the volume. This could help shorten the time it takes to change ownership and permission of a volume.\n- Always: Always change permission and ownership of the volume when volume is mounted.'\n", + "type": "string", + "enum": [ + "Always", + "OnRootMismatch" + ] + } + } + } + ], + "description": "Security context for the pod.", + "title": "Pod security context" + }, + "podSpec": { + "allOf": [ + { + "properties": { + "annotations": { + "$ref": "#/definitions/annotations", + "title": "Pod annotations" + } + }, + "type": "object" + }, + { + "$ref": "#/definitions/podSecurityContext" + }, + { + "$ref": "#/definitions/containerSpec" + } + ], + "type": "object" + }, + "portNumber": { + "maximum": 32768, + "minimum": 80, + "type": "integer" + }, + "provider": { + "type": "string", + "description": "Enter the cloud provider of this cluster. 
Choose 'custom' for laptop install (minikube, kind) or onprem installs.", + "enum": [ + "aws", + "azure", + "digitalocean", + "google", + "custom", + "kind", + "linode", + "ovh", + "vultr", + "scaleway", + "civo" + ] + }, + "redisChart": { + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "architecture": { + "type": "string", + "enum": [ + "standalone", + "replication" + ], + "default": "standalone" + }, + "password": { + "type": "string", + "x-secret": "{{ randAlpha 24 }}" + }, + "resources": { + "additionalProperties": false, + "properties": { + "master": { + "$ref": "#/definitions/resources" + }, + "sentinel": { + "$ref": "#/definitions/resources" + }, + "slave": { + "$ref": "#/definitions/resources" + } + } + }, + "sizes": { + "additionalProperties": false, + "properties": { + "master": { + "$ref": "#/definitions/size" + }, + "sentinel": { + "$ref": "#/definitions/size" + }, + "slave": { + "$ref": "#/definitions/size" + } + } + } + }, + "type": "object" + }, + "registry": { + "pattern": "^[a-z0-9]+(?:[._-][a-z0-9]+)*$", + "type": "string" + }, + "repoUrl": { + "description": "Path to a remote git repo with or without protocol prefix of either https:// or file:// (https:// used if omitted)", + "pattern": "^(https://|file://)?(.+@)*([\\w\\d\\.]+)(:[\\d]+){0,1}/*(.*)$", + "type": "string" + }, + "repository": { + "description": "A container image repository.", + "pattern": "^[a-z0-9]+(?:[/._-]{1,2}[a-z0-9]+)*$", + "type": "string" + }, + "resource": { + "additionalProperties": false, + "properties": { + "cpu": { + "$ref": "#/definitions/cpuQuantity" + }, + "memory": { + "$ref": "#/definitions/memoryQuantity" + } + }, + "required": [ + "cpu", + "memory" + ] + }, + "resources": { + "additionalProperties": false, + "description": "Compute resources for containers.", + "properties": { + "limits": { + "$ref": "#/definitions/resource", + "description": "Requested resources (best effort)." 
+ }, + "requests": { + "$ref": "#/definitions/resource", + "description": "Requested resources (guaranteed)." + } + }, + "required": [ + "limits", + "requests" + ], + "title": "Pod resources" + }, + "shortcuts": { + "type": "array", + "items": { + "additionalProperties": false, + "properties": { + "title": { + "type": "string", + "description": "Title for the shortcut" + }, + "description": { + "type": "string", + "description": "A short description about the target of this shortcut." + }, + "path": { + "$ref": "#/definitions/path" + } + }, + "type": "object" + } + }, + "unixOwnerIdRange": { + "type": "object", + "additionalProperties": false, + "required": [ + "min", + "max" + ], + "properties": { + "min": { + "type": "integer", + "minimum": 0, + "maximum": 65535 + }, + "max": { + "type": "integer", + "minimum": 0, + "maximum": 65535 + } + } + }, + "unixOwnerId": { + "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", + "type": "integer", + "minimum": 0, + "maximum": 65535, + "default": 1001 + }, + "script": { + "description": "May specify a non-empty string containing an executable script.", + "type": "string", + "properties": { + "id": { + "readOnly": true, + "type": "string" + }, + "name": { + "$ref": "#/definitions/idName" + } + }, + "required": [ + "name", + "type" + ] + }, + "backupSchedule": { + "default": "0 0 * * *", + "description": "Cron-type expression to schedule the backup. 
Defaults to once a day at 00:00.", + "type": "string" + }, + "secret": { + "type": "object", + "properties": { + "id": { + "readOnly": true, + "type": "string" + }, + "clusterWide": { + "description": "Will create the secret in all namespaces.", + "type": "boolean", + "default": false + }, + "teamWide": { + "description": "Will create the secret in all team-* namespaces.", + "type": "boolean", + "default": false + }, + "name": { + "$ref": "#/definitions/idName" + }, + "namespace": { + "$ref": "#/definitions/idName", + "description": "A kubernetes namespace." + } + }, + "required": [ + "name" + ], + "oneOf": [ + { + "title": "Generic", + "properties": { + "type": { + "default": "generic", + "enum": [ + "generic" + ] + }, + "entries": { + "type": "array", + "items": { + "description": "A property name at vaultPath", + "minItems": 1, + "pattern": "^[-._a-zA-Z0-9]+$", + "type": "string" + }, + "uniqueItems": true + } + }, + "required": [ + "type", + "entries" + ] + }, + { + "title": "Docker registry", + "properties": { + "type": { + "default": "docker-registry", + "enum": [ + "docker-registry" + ], + "type": "string" + } + }, + "required": [ + "type" + ] + }, + { + "title": "TLS", + "properties": { + "type": { + "default": "tls", + "enum": [ + "tls" + ], + "type": "string" + }, + "crt": { + "type": "string", + "default": "tls.crt" + }, + "key": { + "type": "string", + "default": "tls.key" + }, + "ca": { + "type": "string", + "default": "ca.crt" + } + }, + "required": [ + "type", + "crt", + "key" + ] + } + ] + }, + "secrets": { + "description": "List of secret names that will have their props injected as env vars into the container.", + "items": { + "type": "string", + "pattern": "[a-zA-Z_]{1,}[a-zA-Z0-9_]*" + }, + "nullable": true, + "title": "Secrets", + "type": "array" + }, + "secretMounts": { + "description": "Dictionary of absolute folder path > secret name. 
Will mount the contents of the secret in the container at the specified folder path.", + "examples": [ + { + "/foo": "bar" + } + ], + "nullable": true, + "patternProperties": { + "^[/].*$": { + "type": "string" + } + }, + "title": "Secret mounts", + "type": "object" + }, + "secretTemplates": { + "definitions": { + "otomiAdminUsername": { + "x-secret": "admin" + } + } + }, + "securityContext": { + "additionalProperties": { + "uniqueItems": true + }, + "properties": { + "runAsUser": { + "$ref": "#/definitions/unixOwnerId" + }, + "runAsNonRoot": { + "description": "Enforces that the container must run as non root. This implies that the UID must also be set with runAsUser.", + "type": "boolean", + "default": true + }, + "runAsGroup": { + "description": "The GID to run the entrypoint of the container process. Defaults to group specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", + "$ref": "#/definitions/unixOwnerId" + } + } + }, + "service": { + "additionalProperties": false, + "properties": { + "authz": { + "additionalProperties": false, + "description": "Identifies a workload to authorize.", + "properties": { + "forwardOriginalToken": { + "default": false, + "description": "If true istio will forward the bearer token instead of removing it from the headers.", + "type": "boolean" + }, + "workload": { + "$ref": "#/definitions/labelsAnnotations" + } + } + }, + "certArn": { + "description": "Only available on AWS when an external LB is configured. 
The cert ARN will be registered on the load balancer for SSL termination.", + "example": "arn:aws:acm:eu-central-1:xxx:certificate/xxx", + "pattern": "arn:aws(-cn|-us-gov)?:acm:\\S+:\\d+:\\w+\\/\\S+", + "type": "string" + }, + "trafficControl": { + "title": "Traffic Control", + "description": "Split traffic between multiple services (blue/green, canary)", + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "weightV1": { + "type": "integer", + "default": 90 + }, + "weightV2": { + "type": "integer", + "default": 10 + } + } + }, + "certName": { + "description": "The name of a TLS secret known to exist in the team namespace.", + "example": "www-example-com", + "type": "string" + }, + "domain": { + "description": "A custom service domain name (max 64 bytes).", + "maxLength": 64, + "$ref": "#/definitions/wordCharacterPattern" + }, + "forwardPath": { + "default": false, + "description": "Whether to forward the path into the service, or 'terminate' it.", + "type": "boolean" + }, + "hasCert": { + "description": "Select when a certificate exists and should not be generated.", + "type": "boolean" + }, + "headers": { + "properties": { + "response": { + "properties": { + "set": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ] + } + } + } + }, + "request": { + "properties": { + "set": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ] + } + } + } + } + } + }, + "hide": { + "description": "Used by otomi console to determine wether to render it on screen or not. Only used by core services.", + "type": "boolean" + }, + "host": { + "description": "Reference to another core service name. Used by otomi console to show a variation of a core service with a different path (i.e. Loki). 
Only used by core services.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "id": { + "description": "Unique identifier created by and used in API. Optional.", + "type": "string" + }, + "auth": { + "description": "Available only for core apps.", + "type": "boolean" + }, + "isShared": { + "description": "When true the service will get it's own domain by prefixing the app name to the cluster domain. Mostly used by core apps.", + "type": "boolean" + }, + "ksvc": { + "type": "object", + "properties": { + "predeployed": { + "description": "Set this flag it the service is managed by knative service", + "type": "boolean", + "default": false + } + } + }, + "logo": { + "description": "Used by otomi-console as an override mechanism to display another logo.", + "properties": { + "name": { + "type": "string" + } + }, + "required": [ + "name" + ] + }, + "name": { + "$ref": "#/definitions/idName", + "description": "Short name. Will be used for generation of knative service name, as well as service URL." + }, + "namespace": { + "$ref": "#/definitions/idName", + "description": "A kubernetes namespace. Only used by core services, so should be disallowed for non-admins." + }, + "ownHost": { + "default": true, + "description": "When true the service will get it's own domain by prefixing the app name to the team domain. Mostly set to true. This will probably be removed soon.", + "type": "boolean" + }, + "path": { + "description": "Used by otomi-console to render a path for the app. Only used by core services.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "paths": { + "items": { + "description": "Path mapping to only route certain paths to the service. 
This allows micro services to operate on the same domain and port.\nWhen left empty all paths will go to this service.\n", + "$ref": "#/definitions/wordCharacterPattern" + }, + "type": "array" + }, + "port": { + "$ref": "#/definitions/portNumber", + "description": "Points to the backing k8s service (only used when 'svc' is set)." + }, + "ingressClassName": { + "description": "Ingress class name", + "type": "string", + "default": "platform", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])+$" + }, + "svc": { + "$ref": "#/definitions/idName", + "description": "When given a backing k8s service is expected to be deployed with this name, which will be exposed through this team service." + }, + "tlsPass": { + "description": "Will pass the request to the backing service without TLS termination.", + "type": "boolean", + "default": false + }, + "useCname": { + "description": "Will configure additional host(CNAME) for the service.", + "type": "boolean", + "default": false + }, + "cname": { + "properties": { + "domain": { + "description": "CNAME of the service.", + "type": "string" + }, + "tlsSecretName": { + "description": "Kubernetes secret name of type TLS (not required if the tlsPass flag is set to true).", + "type": "string" + } + } + }, + "type": { + "nullable": true, + "default": "public", + "description": "Will determine the ingress routing.", + "enum": [ + "public", + "cluster" + ], + "type": "string" + }, + "removeRequestHeaders": { + "description": "Strip selected headers from HTTP request.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "name", + "type" + ] + }, + "size": { + "description": "Disk size. 
Valid units are E|P|T|G|Ti|Gi.", + "examples": [ + "1Gi", + "0.5Ti" + ], + "pattern": "^([0-9]+\\.)?[0-9]+(E|P|T|G||Ti|Gi)?$", + "type": "string" + }, + "subdomainType": { + "type": "string", + "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + }, + "team": { + "additionalProperties": false, + "properties": { + "alerts": { + "$ref": "#/definitions/alerts" + }, + "apps": { + "type": "object", + "properties": { + "shortcuts": { + "$ref": "#/definitions/shortcuts" + } + } + }, + "backups": { + "type": "array", + "items": { + "$ref": "#/definitions/backup" + } + }, + "secrets": { + "items": { + "$ref": "#/definitions/secret" + }, + "type": "array" + }, + "id": { + "$ref": "#/definitions/idName", + "description": "Must be the same as the name." + }, + "jobs": { + "$ref": "#/definitions/jobs" + }, + "limitRange": { + "description": "Kubernetes limit range. As is.", + "properties": { + "default": { + "$ref": "#/definitions/resource" + }, + "defaultRequest": { + "$ref": "#/definitions/resource" + } + } + }, + "oidc": { + "additionalProperties": false, + "properties": { + "groupMapping": { + "description": "IDP group id to map onto this team.", + "$ref": "#/definitions/wordCharacterPattern" + } + } + }, + "password": { + "description": "Will be used to separate team resources.", + "type": "string", + "x-secret": "" + }, + "resourceQuota": { + "description": "List of kubernetes resource quota. Should adhere to the \"spec.hard\" format as described here: https://kubernetes.io/docs/concepts/policy/resource-quotas/. Not validated as there is no schema published. 
Change at your own risk.", + "type": "object" + }, + "selfService": { + "$ref": "#/definitions/teamSelfService" + }, + "services": { + "items": { + "$ref": "#/definitions/service" + }, + "type": "array" + }, + "netpols": { + "items": { + "$ref": "#/definitions/netpol" + }, + "type": "array" + }, + "managedMonitoring": { + "title": "Managed monitoring", + "description": "Activate managed Grafana, Prometheus or Alertmanager instances", + "properties": { + "grafana": { + "type": "boolean", + "default": true + }, + "prometheus": { + "type": "boolean", + "default": false + }, + "alertmanager": { + "type": "boolean", + "default": false + }, + "private": { + "type": "boolean", + "default": false + } + } + }, + "networkPolicy": { + "ingressPrivate": { + "title": "Enable filtering of ingress traffic inside the cluster", + "description": "When set a user can define ingress from other services for a particular team service", + "type": "boolean", + "default": true + }, + "egressPublic": { + "title": "Enable filtering of egress traffic outside the cluster", + "description": "When set a user can define egress towards FQDNs and public IPs for a team service", + "type": "boolean", + "default": true + } + }, + "workloads": { + "type": "array", + "items": { + "$ref": "#/definitions/workload" + } + }, + "projects": { + "type": "array", + "items": { + "$ref": "#/definitions/project" + } + }, + "policies": { + "type": "object" + }, + "builds": { + "type": "array", + "items": { + "$ref": "#/definitions/build" + } + }, + "sealedsecrets": { + "type": "array", + "items": { + "$ref": "#/definitions/sealedsecret" + } + } + } + }, + "teamSelfService": { + "title": "Team permissions", + "description": "Grant team permissions to modify certain configuration parameters.", + "type": "object", + "properties": { + "service": { + "title": "Service", + "type": "array", + "items": { + "type": "string", + "enum": [ + "ingress" + ] + }, + "uniqueItems": true + }, + "team": { + "title": "Team settings", 
+ "type": "array", + "items": { + "type": "string", + "enum": [ + "oidc", + "managedMonitoring", + "alerts", + "resourceQuota", + "networkPolicy" + ] + }, + "uniqueItems": true + }, + "apps": { + "title": "Apps", + "type": "array", + "items": { + "type": "string", + "enum": [ + "argocd", + "gitea" + ] + }, + "uniqueItems": true + }, + "access": { + "title": "Access", + "type": "array", + "items": { + "type": "string", + "enum": [ + "shell", + "downloadKubeConfig", + "downloadDockerConfig", + "downloadCertificateAuthority" + ] + }, + "uniqueItems": true + } + } + }, + "backupTtl": { + "default": "168h", + "description": "Expiration of the backup. Defaults to 7 days.", + "title": "TTL after finished", + "type": "string" + }, + "backupRetentionPolicy": { + "default": "7d", + "description": "Delete backups according to retention policy. In DAYS|WEEKS|MONTHS", + "title": "Retention policy", + "type": "string" + }, + "url": { + "pattern": "^https?:\\/\\/[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b([-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*)", + "type": "string" + }, + "volumes": { + "items": { + "additionalProperties": false, + "properties": { + "name": { + "description": "Name must match mount name.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "configMap": { + "properties": { + "name": { + "$ref": "#/definitions/wordCharacterPattern" + } + } + } + } + }, + "type": "array" + }, + "wordCharacterPattern": { + "type": "string", + "pattern": "^[^\\s]+$" + }, + "project": { + "type": "object", + "description": "A single project can represent application's build, workload and service.", + "properties": { + "name": { + "description": "Name of the project", + "$ref": "#/definitions/wordCharacterPattern" + } + }, + "required": [ + "name" + ] + }, + "policies": { + "type": "object" + }, + "build": { + "type": "object", + "description": "Define location of code to build", + "properties": { + "name": { + "description": "Name of the image", + "$ref": 
"#/definitions/wordCharacterPattern" + }, + "tag": { + "description": "Image tag", + "$ref": "#/definitions/imageTag" + }, + "trigger": { + "type": "boolean", + "default": false + }, + "externalRepo": { + "type": "boolean", + "description": "Select when using an external private Git repository.", + "default": false + }, + "scanSource": { + "type": "boolean", + "default": true, + "description": "Select to scan source" + }, + "secretName": { + "description": "The name of the secret with the credentials of the external private Git repository", + "type": "string" + }, + "mode": { + "properties": { + "docker": { + "properties": { + "repoUrl": { + "description": "URL of the Git repository holding the application code.", + "$ref": "#/definitions/url" + }, + "revision": { + "description": "This may be a commit sha, branch name, or tag. If omitted, will equal to HEAD.", + "$ref": "#/definitions/wordCharacterPattern", + "default": "HEAD" + }, + "path": { + "description": "A relative directory path within the Git repository.", + "type": "string", + "default": "./Dockerfile" + }, + "envVars": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ] + } + } + } + }, + "buildpacks": { + "properties": { + "repoUrl": { + "description": "URL of the Git repository holding the application code.", + "$ref": "#/definitions/url" + }, + "revision": { + "description": "This may be a commit sha, branch name, or tag. 
If omitted, will equal to HEAD.", + "$ref": "#/definitions/wordCharacterPattern", + "default": "HEAD" + }, + "path": { + "description": "A relative directory path within the Git repository.", + "type": "string" + }, + "envVars": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ] + } + } + } + } + } + } + }, + "required": [ + "name" + ] + }, + "sealedsecret": { + "type": "object", + "description": "Define location of code to build", + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "immutable": { + "description": "Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified).", + "type": "boolean" + }, + "type": { + "description": "Used to facilitate programmatic handling of secret data.", + "type": "string", + "default": "kubernetes.io/opaque", + "enum": [ + "kubernetes.io/opaque", + "kubernetes.io/service-account-token", + "kubernetes.io/dockercfg", + "kubernetes.io/dockerconfigjson", + "kubernetes.io/basic-auth", + "kubernetes.io/ssh-auth", + "kubernetes.io/tls" + ] + }, + "encryptedData": { + "type": "object" + }, + "metadata": { + "type": "object" + } + }, + "required": [ + "type", + "encryptedData", + "name" + ] + }, + "workload": { + "type": "object", + "description": "Define location of the application's manifests or chart", + "properties": { + "name": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "url": { + "description": "URL to either Helm or Git repository", + "$ref": "#/definitions/url" + }, + "chartProvider": { + "type": "string", + "title": "Chart provider", + "enum": [ + "helm", + "git" + ], + "default": "git" + }, + "path": { + "description": "A relative directory path within the Git repository. Absolute paths cause errors. 
(only valid for applications sourced from Git)", + "$ref": "#/definitions/wordCharacterPattern" + }, + "chart": { + "description": "Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "revision": { + "description": "In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version.", + "$ref": "#/definitions/wordCharacterPattern", + "default": "HEAD" + }, + "chartMetadata": { + "title": "", + "properties": { + "helmChartVersion": { + "type": "string", + "title": "Helm chart version", + "default": "" + }, + "helmChartDescription": { + "type": "string", + "title": "Helm chart description", + "default": "" + } + } + }, + "namespace": { + "description": "Workload namespace. Applicable only for team-admin. Default value is 'team-'", + "$ref": "#/definitions/domain" + }, + "imageUpdateStrategy": { + "description": "Automatically update the image. 
Only supported wit Helm charts in local Gitea repository and images stored in Harbor.", + "title": "Auto Image Updater", + "additionalProperties": false, + "properties": { + "digest": { + "additionalProperties": false, + "properties": { + "imageRepository": { + "type": "string", + "description": "The container image repository name", + "$ref": "#/definitions/wordCharacterPattern" + }, + "tag": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "imageParameter": { + "type": "string", + "default": "image.name", + "description": "The parameter for specifying the image name" + }, + "tagParameter": { + "type": "string", + "default": "image.tag", + "description": "The parameter for specifying the image tag" + } + }, + "required": [ + "tag" + ] + }, + "semver": { + "additionalProperties": false, + "properties": { + "imageRepository": { + "type": "string", + "description": "The container image repository name", + "$ref": "#/definitions/wordCharacterPattern" + }, + "versionConstraint": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "imageParameter": { + "type": "string", + "default": "image.name", + "description": "The parameter for specifying the image name" + }, + "tagParameter": { + "type": "string", + "default": "image.tag", + "description": "The parameter for specifying the image tag" + } + }, + "required": [ + "versionConstraint" + ] + }, + "type": { + "type": "string", + "enum": [ + "semver", + "digest", + "disabled" + ], + "default": "disabled" + } + }, + "required": [ + "type" + ] + } + }, + "required": [ + "name", + "url" + ] + } + }, + "properties": { + "alerts": { + "$ref": "#/definitions/alerts" + }, + "azure": { + "description": "Azure specific configuration.", + "properties": { + "storageType": { + "properties": { + "fast": { + "type": "string" + }, + "standard": { + "type": "string" + } + } + }, + "appgw": { + "properties": { + "isManaged": { + "default": false, + "description": "Indicates Azure Application Gateway Ingress Controller add-on is 
installed by AKS.", + "type": "boolean" + } + } + } + } + }, + "cloud": { + "additionalProperties": true, + "properties": { + "skipStorageClasses": { + "description": "List of storage classes to exclude from deployment, to avoid k8s errors due to patching not allowed.\nThis is a rather hacky way to circumvent the patching problem, going against idempotency, but we need it.\nWithout it we can't add new storageclasses to a cluster upgrading otomi.\n", + "type": "array", + "items": { + "type": "string", + "enum": [ + "std", + "std-immediate", + "fast", + "fast-immediate" + ] + } + } + } + }, + "apps": { + "additionalProperties": true, + "properties": { + "alertmanager": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "image": { + "$ref": "#/definitions/imageSimple" + }, + "resources": { + "$ref": "#/definitions/resources" + } + } + }, + "argocd": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": true + }, + "autoscaling": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "resources": { + "additionalProperties": false, + "properties": { + "server": { + "$ref": "#/definitions/resources" + }, + "controller": { + "$ref": "#/definitions/resources" + }, + "repo": { + "$ref": "#/definitions/resources" + }, + "redis": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "cert-manager": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "byoWildcardCert": { + "description": "Bring your own trusted wildcard certificate. 
Only applicable for byo-wildcard-cert issuer", + "type": "string" + }, + "byoWildcardCertKey": { + "description": "A certificate key corresponding to the byoWildcardCert.", + "type": "string", + "x-secret": "" + }, + "customRootCA": { + "x-secret": "", + "type": "string", + "description": "CA that is used to create and verify self-signed certificates. Leave it empty to generate one automatically." + }, + "customRootCAKey": { + "x-secret": "", + "type": "string", + "description": "CA private key that is used to issue certificates. Leave it empty to generate one automatically." + }, + "email": { + "$ref": "#/definitions/email" + }, + "issuer": { + "description": "Indicates the origin of the wildcard certificate. \nThe custom-ca - cert-manager uses the customRootCA to generate wildcard certificate.\nThe letsencrypt - cert-manager requests certificate from letsencrypt endpoint.\nThe byo-wildcard-cert allows users to bring their own trusted wildcard certificate (cert-manager not involved)\n", + "type": "string", + "enum": [ + "custom-ca", + "letsencrypt", + "byo-wildcard-cert" + ], + "default": "custom-ca" + }, + "stage": { + "type": "string", + "enum": [ + "production", + "staging" + ], + "default": "production" + } + } + }, + "cnpg": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "resources": { + "$ref": "#/definitions/resources" + } + } + }, + "cluster-autoscaler": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean" + } + } + }, + "cluster-overprovisioner": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean" + }, + "cpu": { + "$ref": "#/definitions/cpuQuantity" + }, + "memory": { + "$ref": "#/definitions/memoryQuantity" + } + } + }, + "drone": { + "additionalProperties": false, + "properties": { + "_rawValues": { + 
"$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "adminIsMachine": { + "type": "boolean", + "default": false + }, + "adminUser": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "adminToken": { + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + }, + "debug": { + "type": "boolean", + "default": false + }, + "githubAdmins": { + "additionalProperties": false, + "properties": { + "org": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "team": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "token": { + "$ref": "#/definitions/wordCharacterPattern" + } + } + }, + "orgsFilter": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "owner": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "repo": { + "$ref": "#/definitions/idName" + }, + "repoFilter": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "image": { + "additionalProperties": false, + "properties": { + "agent": { + "$ref": "#/definitions/imageSimple" + }, + "server": { + "$ref": "#/definitions/imageSimple" + } + } + }, + "resources": { + "additionalProperties": false, + "properties": { + "runner": { + "properties": { + "requests": { + "properties": { + "cpu": { + "description": "Requested compute resources for all the containers started by the runner (guaranteed), expressed in millicores.", + "type": "integer", + "default": 1000 + }, + "memory": { + "$ref": "#/definitions/memoryQuantity", + "description": "Requested memory resources for all the containers started by the runner (guaranteed).", + "default": "1Gi" + } + } + } + } + }, + "agent": { + "$ref": "#/definitions/resources" + }, + "server": { + "$ref": "#/definitions/resources" + } + } + }, + "sharedSecret": { + "description": "A secret used by drone-admit-members plugin. 
https://docs.drone.io/runner/kubernetes/configuration/reference/drone-secret-plugin-token/", + "type": "string", + "x-secret": "{{ randAlphaNum 32 }}" + }, + "sourceControl": { + "additionalProperties": false, + "properties": { + "bitbucketCloud": { + "$ref": "#/definitions/droneGit" + }, + "bitbucketServer": { + "properties": { + "consumerKey": { + "default": "consumerKey", + "type": "string", + "x-secret": "" + }, + "passwordKey": { + "default": "password", + "type": "string", + "x-secret": "" + }, + "privateKey": { + "default": "privateKey", + "type": "string", + "x-secret": "" + }, + "server": { + "type": "string" + }, + "username": { + "type": "string", + "x-secret": "" + } + } + }, + "gitea": { + "allOf": [ + { + "$ref": "#/definitions/droneGit" + }, + { + "properties": { + "server": { + "type": "string" + } + } + } + ] + }, + "github": { + "allOf": [ + { + "$ref": "#/definitions/droneGit" + }, + { + "properties": { + "server": { + "default": "https://github.com", + "type": "string" + } + } + } + ] + }, + "gitlab": { + "allOf": [ + { + "$ref": "#/definitions/droneGit" + }, + { + "properties": { + "server": { + "type": "string" + } + } + } + ] + }, + "gogs": { + "properties": { + "server": { + "type": "string" + } + } + }, + "password": { + "type": "string" + }, + "provider": { + "default": "github", + "enum": [ + "github", + "gitlab", + "gitea", + "gogs", + "bitbucketCloud", + "bitbucketServer" + ], + "type": "string" + }, + "secret": { + "type": "string" + }, + "username": { + "type": "string" + } + } + }, + "trace": { + "default": false, + "type": "boolean" + } + } + }, + "external-dns": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "logLevel": { + "type": "string", + "default": "info" + } + } + }, + "falco": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "driver": 
{ + "type": "string", + "default": "ebpf", + "enum": [ + "module", + "ebpf", + "modern-bpf" + ] + }, + "resources": { + "additionalProperties": false, + "properties": { + "falco": { + "$ref": "#/definitions/resources" + }, + "falcoCtlInstall": { + "$ref": "#/definitions/resources" + }, + "falcoCtlFollow": { + "$ref": "#/definitions/resources" + }, + "falcoDriverLoader": { + "$ref": "#/definitions/resources" + }, + "falcoExporter": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "gitea": { + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean" + }, + "adminPassword": { + "type": "string", + "x-secret": "" + }, + "postgresqlPassword": { + "type": "string", + "description": "This password was generated and cannot be changed without manual intervention.", + "x-secret": "{{ randAlphaNum 20 }}", + "readOnly": true + }, + "image": { + "additionalProperties": false, + "properties": { + "gitea": { + "$ref": "#/definitions/imageSimple" + }, + "postgresql": { + "$ref": "#/definitions/imageSimple" + }, + "memcached": { + "$ref": "#/definitions/imageSimple" + } + } + }, + "resources": { + "additionalProperties": false, + "properties": { + "gitea": { + "$ref": "#/definitions/resources" + }, + "postgresql": { + "$ref": "#/definitions/resources" + }, + "memcached": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "grafana": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "adminPassword": { + "type": "string", + "x-secret": "" + }, + "image": { + "$ref": "#/definitions/imageSimple" + }, + "resources": { + "$ref": "#/definitions/resources" + } + } + }, + "harbor": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": true + }, + "privateLibrary": { + "type": "boolean", + 
"default": true, + "description": "Will mark the main project named \"library\" as private." + }, + "adminPassword": { + "type": "string", + "x-secret": "" + }, + "core": { + "properties": { + "secret": { + "type": "string", + "x-secret": "{{ randAlphaNum 16 }}" + }, + "xsrfKey": { + "type": "string", + "x-secret": "{{ randAlphaNum 32 }}" + } + } + }, + "jobservice": { + "properties": { + "secret": { + "type": "string", + "x-secret": "{{ randAlphaNum 16 }}" + } + } + }, + "registry": { + "properties": { + "secret": { + "type": "string", + "x-secret": "{{ randAlpha 16 }}" + }, + "credentials": { + "properties": { + "htpasswd": { + "type": "string", + "x-secret": "" + }, + "username": { + "type": "string", + "$ref": "#/definitions/secretTemplates/definitions/otomiAdminUsername" + }, + "password": { + "type": "string", + "x-secret": "{{ randAlphaNum 32 }}" + } + } + } + }, + "required": [ + "secret", + "credentials" + ] + }, + "image": { + "$ref": "#/definitions/imageSimple" + }, + "resources": { + "additionalProperties": false, + "properties": { + "chartmuseum": { + "$ref": "#/definitions/resources" + }, + "core": { + "$ref": "#/definitions/resources" + }, + "jobservice": { + "$ref": "#/definitions/resources" + }, + "portal": { + "$ref": "#/definitions/resources" + }, + "redis": { + "$ref": "#/definitions/resources" + }, + "registry": { + "$ref": "#/definitions/resources" + }, + "registry-controller": { + "$ref": "#/definitions/resources" + }, + "trivy": { + "$ref": "#/definitions/resources" + } + } + }, + "secretKey": { + "type": "string", + "x-secret": "{{ randAlpha 16 }}" + } + } + }, + "httpbin": { + "description": "The famous httpbin application.", + "properties": { + "enabled": { + "type": "boolean", + "default": false + } + } + }, + "ingress-nginx-platform": { + "$ref": "#/definitions/ingressNginx" + }, + "istio": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "default": true, + 
"type": "boolean" + }, + "tracing": { + "description": "Configure Istio for tracing. Requires Otel Collector to be enabled.", + "propterties": { + "enabled": { + "default": false, + "type": "boolean" + }, + "samplingRatio": { + "type": "string", + "default": "0.01" + } + } + }, + "autoscaling": { + "properties": { + "egressgateway": { + "$ref": "#/definitions/autoscaling" + }, + "ingressgateway": { + "$ref": "#/definitions/autoscaling" + }, + "pilot": { + "$ref": "#/definitions/autoscaling" + } + } + }, + "egressGateway": { + "properties": { + "enabled": { + "default": false, + "type": "boolean" + } + } + }, + "global": { + "additionalProperties": false, + "properties": { + "logging": { + "properties": { + "level": { + "type": "string" + } + } + }, + "proxy": { + "additionalProperties": false, + "properties": { + "resources": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "extensionProviders": { + "description": "See: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig", + "type": "array", + "items": { + "type": "object" + } + }, + "image": { + "$ref": "#/definitions/imageSimple" + }, + "resources": { + "properties": { + "egressgateway": { + "$ref": "#/definitions/resources" + }, + "ingressgateway": { + "$ref": "#/definitions/resources" + }, + "ingressgateway-private": { + "$ref": "#/definitions/resources" + }, + "pilot": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "jaeger": { + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "_rawValues": { + "$ref": "#/definitions/rawValues" + } + } + }, + "keycloak": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": true + }, + "idp": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string", + "default": "otomi-idp" + }, + "clientID": { + "$ref": 
"#/definitions/wordCharacterPattern", + "default": "otomi" + }, + "clientSecret": { + "type": "string", + "x-secret": "{{ randAlphaNum 32 }}" + } + } + }, + "adminPassword": { + "type": "string", + "x-secret": "" + }, + "theme": { + "type": "string", + "default": "otomi" + }, + "image": { + "properties": { + "keycloak": { + "$ref": "#/definitions/imageSimple" + }, + "postgresql": { + "$ref": "#/definitions/imageSimple" + } + } + }, + "resources": { + "additionalProperties": false, + "properties": { + "keycloak": { + "$ref": "#/definitions/resources" + }, + "operator": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "kyverno": { + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "mode": { + "type": "string", + "enum": [ + "DevTest", + "Prod" + ], + "default": "DevTest" + }, + "resources": { + "additionalProperties": false, + "properties": { + "admissionController": { + "$ref": "#/definitions/resources" + }, + "cleanupController": { + "$ref": "#/definitions/resources" + }, + "backgroundController": { + "$ref": "#/definitions/resources" + }, + "reportsController": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "kiali": { + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "resources": { + "additionalProperties": false, + "properties": { + "operator": { + "$ref": "#/definitions/resources" + }, + "pod": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "knative": { + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "default": true + }, + "serving": { + "type": "object", + "properties": { + "replicas": { + "description": "For HA mode set to 5. 
Read more at https://github.com/knative/operator/issues/376", + "default": 1, + "type": "integer", + "minimum": 1 + } + } + } + } + }, + "kube-descheduler": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": true, + "type": "boolean" + }, + "schedule": { + "default": "*/30 * * * *", + "type": "string" + } + } + }, + "kured": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "resources": { + "additionalProperties": false, + "properties": { + "kuredDaemonSet": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "sealed-secrets": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": true + }, + "resources": { + "properties": { + "operator": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "tekton": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "resources": { + "additionalProperties": false, + "properties": { + "dashboard": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "loki": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "resources": { + "additionalProperties": false, + "properties": { + "compactor": { + "$ref": "#/definitions/resources" + }, + "ingester": { + "$ref": "#/definitions/resources" + }, + "gateway": { + "$ref": "#/definitions/resources" + }, + "querier": { + "$ref": "#/definitions/resources" + }, + "distributor": { + "$ref": "#/definitions/resources" + }, + "queryFrontend": { + "$ref": "#/definitions/resources" + } + } + }, + "autoscaling": { + "properties": { + "ingester": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "gateway": { + "$ref": 
"#/definitions/autoscalingEnabled" + }, + "querier": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "distributor": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "queryFrontend": { + "$ref": "#/definitions/autoscalingEnabled" + } + } + }, + "adminPassword": { + "type": "string", + "x-secret": "{{ randAlphaNum 20 }}" + }, + "persistence": { + "properties": { + "querier": { + "properties": { + "size": { + "default": "20Gi", + "$ref": "#/definitions/size" + } + } + }, + "ingester": { + "properties": { + "size": { + "default": "20Gi", + "$ref": "#/definitions/size" + } + } + } + } + }, + "retention": { + "additionalProperties": false, + "properties": { + "duration": { + "default": "24h", + "type": "string" + }, + "period": { + "default": "24h", + "description": "Should be a multiple of 24h. See https://grafana.com/docs/loki/latest/operations/storage/boltdb-shipper/.", + "type": "string" + } + }, + "required": [ + "duration" + ] + }, + "v11StartDate": { + "description": "Set this to a date just after deployment in case of an upgrade. 
(Otomi started at v9 with filesystem.)", + "title": "Schema v11 start date", + "type": "string" + } + }, + "required": [ + "adminPassword" + ] + }, + "metrics-server": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": true + }, + "apiServer": { + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "default": true + } + } + }, + "extraArgs": { + "type": "array" + }, + "resources": { + "$ref": "#/definitions/resources" + } + } + }, + "minio": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "provisioning": { + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "default": true + } + } + }, + "persistence": { + "properties": { + "enabled": { + "type": "boolean", + "default": true + }, + "size": { + "$ref": "#/definitions/size", + "default": "20Gi" + } + } + } + } + }, + "oauth2-proxy": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "config": { + "properties": { + "cookieSecret": { + "description": "Cookie secret must be 32 byte base64 encoded string.", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", + "type": "string", + "x-secret": "{{ randAlphaNum 32 | b64enc }}" + } + } + } + } + }, + "oauth2-proxy-redis": { + "$ref": "#/definitions/redisChart" + }, + "otomi-api": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "editorInactivityTimeout": { + "type": "integer", + "default": 10 + }, + "git": { + "additionalProperties": false, + "properties": { + "branch": { + "type": "string" + }, + "email": { + "$ref": "#/definitions/email" + }, + "password": { + 
"type": "string", + "x-secret": "" + }, + "repoUrl": { + "$ref": "#/definitions/repoUrl" + }, + "user": { + "type": "string" + } + } + }, + "resources": { + "additionalProperties": false, + "properties": { + "api": { + "$ref": "#/definitions/resources" + }, + "tools": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "otomi-console": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + } + }, + "allOf": [ + { + "anyOf": [ + { + "not": { + "properties": { + "enabled": { + "const": true + } + }, + "required": [ + "enabled" + ] + } + }, + { + "properties": { + "registry": { + "required": [ + "username", + "password" + ] + } + } + } + ] + } + ], + "type": "object" + }, + "otomi-operator": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "resources": { + "additionalProperties": false, + "properties": { + "operator": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "oltp": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + } + } + }, + "prometheus": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "disabledRules": { + "type": "array", + "items": { + "type": "string" + } + }, + "remoteWrite": { + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "insecureSkipVerify": { + "type": "boolean", + "default": false + }, + "rwConfig": { + "properties": { + "target": { + "type": "string" + }, + "basicAuth": { + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "username": { + "type": "string" + }, + "password": { + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + } + } + }, + "customConfig": { + "description": "Custom remote write 
config. Will be appended to the remoteWrite list.", + "type": "string" + } + } + } + } + }, + "replicas": { + "type": "integer", + "default": 1 + }, + "scrapeInterval": { + "type": "string", + "default": "60s" + }, + "retention": { + "$ref": "#/definitions/duration" + }, + "retentionSize": { + "description": "The maximum number of bytes of storage blocks to retain. The oldest data will be removed first. Defaults to 0 or disabled. Units supported: B, KB, MB, GB, TB, PB, EB", + "default": "4GB", + "pattern": "^([0-9]+\\.)?[0-9]+(B|KB|MB|GB|TB|PB|EB)?$" + }, + "storageSize": { + "$ref": "#/definitions/size", + "default": "5Gi" + }, + "image": { + "properties": { + "prometheus": { + "$ref": "#/definitions/imageSimple" + }, + "kube-state-metrics": { + "$ref": "#/definitions/imageSimple" + }, + "node-exporter": { + "$ref": "#/definitions/imageSimple" + } + } + }, + "resources": { + "properties": { + "prometheus": { + "$ref": "#/definitions/resources" + }, + "kube-state-metrics": { + "$ref": "#/definitions/resources" + }, + "node-exporter": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "rabbitmq": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "resources": { + "properties": { + "clusterOperator": { + "description": "Controller which is used to create RabbitMQ-clusters", + "$ref": "#/definitions/resources" + }, + "msgTopologyOperator": { + "description": "Controller which is used to create RabbitMQ queues and policies", + "$ref": "#/definitions/resources" + } + } + } + } + }, + "redis-shared": { + "allOf": [ + { + "$ref": "#/definitions/redisChart" + }, + { + "properties": { + "enabled": { + "type": "boolean", + "default": false + } + } + } + ] + }, + "tempo": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + 
"resources": { + "additionalProperties": false, + "properties": { + "compactor": { + "$ref": "#/definitions/resources" + }, + "ingester": { + "$ref": "#/definitions/resources" + }, + "querier": { + "$ref": "#/definitions/resources" + }, + "distributor": { + "$ref": "#/definitions/resources" + }, + "queryFrontend": { + "$ref": "#/definitions/resources" + }, + "memcached": { + "$ref": "#/definitions/resources" + } + } + }, + "autoscaling": { + "properties": { + "ingester": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "querier": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "distributor": { + "$ref": "#/definitions/autoscalingEnabled" + }, + "queryFrontend": { + "$ref": "#/definitions/autoscalingEnabled" + } + } + }, + "persistence": { + "properties": { + "ingester": { + "properties": { + "size": { + "default": "10Gi", + "$ref": "#/definitions/size" + } + } + } + } + } + } + }, + "trivy": { + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "operator": { + "properties": { + "replicaCount": { + "description": "Number of Operator replicas.", + "type": "integer", + "default": 1 + } + } + }, + "resources": { + "additionalProperties": false, + "properties": { + "operator": { + "$ref": "#/definitions/resources" + }, + "trivy": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "otel": { + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "collector": { + "properties": { + "mode": { + "title": "Collector mode", + "description": "Mode to run collector in.", + "type": "string", + "default": "deployment", + "enum": [ + "deployment", + "daemonset", + "statefulset" + ] + }, + "attributes": { + "type": "array", + "title": "Kubernetes Attributes", + "$ref": "#/definitions/labelsAnnotations", + "description": "Attributes to extract metadata from pods" + } + } + }, + "operator": { + "properties": { + "replicaCount": { + "description": "Number 
of replicas.", + "type": "integer", + "default": 1 + } + } + }, + "resources": { + "additionalProperties": false, + "properties": { + "collector": { + "$ref": "#/definitions/resources" + }, + "manager": { + "$ref": "#/definitions/resources" + }, + "kubeRBACProxy": { + "$ref": "#/definitions/resources" + } + } + } + } + }, + "velero": { + "additionalProperties": false, + "properties": { + "_rawValues": { + "$ref": "#/definitions/rawValues" + }, + "enabled": { + "type": "boolean", + "default": false + }, + "restic": { + "enabled": { + "type": "boolean", + "default": false + } + }, + "cloud": { + "properties": { + "azure": { + "additionalProperties": false, + "description": "Azure", + "properties": { + "resourceGroup": { + "description": "The resource group of the worker nodes (VM's and disks)", + "$ref": "#/definitions/wordCharacterPattern" + }, + "environment": { + "title": "Azure environment", + "type": "string", + "enum": [ + "AzurePublicCloud", + "AzureChinaCloud", + "AzureUSGovernment", + "AzureGermanCloud" + ], + "default": "AzurePublicCloud" + }, + "tenantId": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "subscriptionId": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "aadClientId": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "aadClientSecret": { + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + } + }, + "required": [ + "tenantId", + "subscriptionId", + "aadClientId", + "aadClientSecret", + "resourceGroup", + "environment" + ] + }, + "aws": { + "additionalProperties": false, + "description": "Amazon Web Services", + "properties": { + "region": { + "type": "string", + "description": "The AWS region where the cluster is running.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "accessKeyId": { + "type": "string", + "description": "The ID of the access key", + "$ref": "#/definitions/wordCharacterPattern" + }, + "secretAccessKey": { + "type": "string", + "description": "The secret of the access key", + 
"$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + } + } + }, + "google": { + "additionalProperties": false, + "description": "Google Cloud Platform", + "properties": { + "serviceAccount": { + "type": "string", + "description": "The IAM account with permissions to manage snapshot resources in the GCP Project.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "project": { + "type": "string", + "description": "The name of the GCP project.", + "$ref": "#/definitions/wordCharacterPattern" + }, + "saKeyJson": { + "type": "string", + "x-secret": "" + } + } + }, + "type": { + "type": "string", + "enum": [ + "aws", + "azure", + "google", + "custom" + ], + "default": "custom" + } + } + }, + "logLevel": { + "description": "Set log-level for the Velero pod.", + "default": "info", + "enum": [ + "debug", + "info", + "warning", + "error", + "fatal", + "panic" + ] + }, + "resources": { + "$ref": "#/definitions/resources" + } + } + } + }, + "patternProperties": { + "^ingress-nginx-[a-z0-9]([-a-z0-9]*[a-z0-9])+$": { + "$ref": "#/definitions/ingressNginx" + } + } + }, + "cluster": { + "$ref": "#/definitions/cluster" + }, + "dns": { + "additionalProperties": false, + "properties": { + "zones": { + "description": "Extra dns zones that the cluster can administer. Team services can use this to publish their URLs on.", + "items": { + "$ref": "#/definitions/domain" + }, + "type": "array" + }, + "domainFilters": { + "description": "Limit possible target zones by domain suffixes.", + "items": { + "type": "string" + }, + "type": "array" + }, + "zoneIdFilters": { + "description": "Limit possible target zones by zone id.", + "items": { + "type": "string" + }, + "type": "array" + }, + "provider": { + "description": "The DNS provider managing the domains.", + "oneOf": [ + { + "title": "AWS", + "description": "Uses credentials when either a pair of id+key or a secret name is provided. 
Assumes node role otherwise.", + "additionalProperties": false, + "properties": { + "aws": { + "properties": { + "credentials": { + "properties": { + "secretKey": { + "$ref": "#/definitions/aws/definitions/secretKey" + }, + "accessKey": { + "$ref": "#/definitions/aws/definitions/accessKey" + } + }, + "required": [ + "secretKey", + "accessKey" + ] + }, + "region": { + "$ref": "#/definitions/aws/definitions/region" + }, + "role": { + "$ref": "#/definitions/aws/definitions/role" + } + }, + "required": [ + "region" + ], + "oneOf": [ + { + "required": [ + "credentials" + ] + }, + { + "required": [ + "role" + ] + }, + { + "not": { + "anyOf": [ + { + "required": [ + "credentials" + ] + }, + { + "required": [ + "role" + ] + } + ] + } + } + ] + } + }, + "required": [ + "aws" + ] + }, + { + "title": "Azure", + "additionalProperties": false, + "properties": { + "azure": { + "$ref": "#/definitions/azure/definitions/dns" + } + }, + "required": [ + "azure" + ] + }, + { + "title": "Azure Private", + "additionalProperties": false, + "properties": { + "azure-private-dns": { + "$ref": "#/definitions/azure/definitions/dns" + } + }, + "required": [ + "azure-private-dns" + ] + }, + { + "title": "Google", + "additionalProperties": false, + "properties": { + "google": { + "properties": { + "serviceAccountKey": { + "$ref": "#/definitions/google/definitions/accountJson", + "description": "A service account key in json format for managing a DNS zone." 
+ }, + "project": { + "$ref": "#/definitions/google/definitions/project" + } + }, + "required": [ + "project", + "serviceAccountKey" + ] + } + }, + "required": [ + "google" + ] + }, + { + "title": "Digital Ocean", + "additionalProperties": false, + "properties": { + "digitalocean": { + "properties": { + "apiToken": { + "type": "string", + "x-secret": "" + } + }, + "required": [ + "apiToken" + ] + } + }, + "required": [ + "digitalocean" + ] + }, + { + "title": "Civo Cloud", + "additionalProperties": false, + "properties": { + "civo": { + "properties": { + "apiToken": { + "type": "string", + "x-secret": "" + } + }, + "required": [ + "apiToken" + ] + } + }, + "required": [ + "civo" + ] + }, + { + "title": "Linode", + "additionalProperties": false, + "properties": { + "linode": { + "properties": { + "apiKey": { + "type": "string", + "x-secret": "" + } + }, + "required": [ + "apiToken" + ] + } + }, + "required": [ + "linode" + ] + }, + { + "title": "CloudFlare", + "additionalProperties": false, + "properties": { + "cloudflare": { + "properties": { + "apiToken": { + "type": "string", + "x-secret": "" + }, + "apiSecret": { + "type": "string", + "x-secret": "", + "description": "Required when Email is set." + }, + "email": { + "$ref": "#/definitions/email", + "description": "Required when Email is set." + }, + "proxied": { + "type": "boolean", + "x-default": true + } + }, + "oneOf": [ + { + "required": [ + "apiToken" + ] + }, + { + "required": [ + "apiSecret", + "email" + ] + }, + { + "not": { + "anyOf": [ + { + "required": [ + "apiToken" + ] + }, + { + "required": [ + "apiSecret" + ] + }, + { + "required": [ + "email" + ] + } + ] + } + } + ] + } + }, + "required": [ + "cloudflare" + ] + }, + { + "title": "Other", + "additionalProperties": false, + "properties": { + "other": { + "description": "This option requires configuration for both external-dns as well as cert-manager. 
No schema validation is available so provide correct data.", + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "Name of the provider." + }, + "external-dns": { + "title": "YAML for external-dns.", + "type": "object", + "description": "The provider config as provided here: https://github.com/redkubes/otomi-core/blob/main/charts/external-dns/values.yaml" + }, + "cert-manager": { + "title": "YAML for cert-manager.", + "type": "object", + "description": "The dns01 config as provided here: https://cert-manager.io/docs/configuration/acme/dns01/" + } + }, + "required": [ + "name", + "external-dns", + "cert-manager" + ] + } + }, + "required": [ + "other" + ] + } + ] + }, + "entrypoint": { + "$ref": "#/definitions/ipV4Address", + "description": "Optional. A public IP address that will override (loadbalancer) ip used for registering hosts. This allows for access to private clusters." + } + } + }, + "home": { + "$ref": "#/definitions/alerts" + }, + "files": { + "type": "object", + "description": "Custom values for the workload chart.", + "patternProperties": { + "^/|(/[\\w-]+)+$": { + "type": "string", + "pattern": "^[^\\s]+$" + } + } + }, + "kms": { + "additionalProperties": false, + "properties": { + "sops": { + "oneOf": [ + { + "properties": { + "provider": { + "type": "string", + "const": "aws" + }, + "aws": { + "properties": { + "keys": { + "description": "Comma separated list of one or two ARNs to keys as defined in AWS KMS. One if used for both enc+dec. Two if one for enc, other for dec. 
(You can specify a role by appending it to the ARN of the key with a + sign.)", + "title": "AWS KMS keys", + "type": "string" + }, + "accessKey": { + "$ref": "#/definitions/aws/definitions/accessKey" + }, + "secretKey": { + "$ref": "#/definitions/aws/definitions/secretKey" + }, + "region": { + "$ref": "#/definitions/aws/definitions/region" + } + }, + "required": [ + "accessKey", + "keys", + "secretKey" + ] + } + }, + "required": [ + "aws" + ] + }, + { + "properties": { + "provider": { + "type": "string", + "const": "azure" + }, + "azure": { + "properties": { + "keys": { + "description": "Comma separated list of one or two paths to keys as defined in Azure Keyvault. One if used for both enc+dec. Two if one for enc, other for dec.", + "title": "Azure Keyvault keys", + "type": "string" + }, + "clientId": { + "$ref": "#/definitions/azure/definitions/clientId" + }, + "clientSecret": { + "$ref": "#/definitions/azure/definitions/clientSecret" + }, + "tenantId": { + "$ref": "#/definitions/azure/definitions/tenantId" + } + }, + "required": [ + "clientId", + "clientSecret", + "keys" + ] + } + }, + "required": [ + "azure" + ] + }, + { + "properties": { + "provider": { + "type": "string", + "const": "google" + }, + "google": { + "properties": { + "keys": { + "description": "Comma separated list of one or two paths to keys as defined in GCP KMS. One if used for both enc+dec. Two if one for enc, other for dec.", + "title": "GCP KMS keys", + "type": "string" + }, + "accountJson": { + "$ref": "#/definitions/google/definitions/accountJson" + }, + "project": { + "$ref": "#/definitions/google/definitions/project" + } + }, + "required": [ + "keys", + "accountJson", + "project" + ] + } + }, + "required": [ + "google" + ] + } + ] + } + } + }, + "oidc": { + "additionalProperties": false, + "description": "Holds many parts used in different locations. 
Please see keycloak, grafana, istio and oauth-proxy as those are all consuming (parts of) these settings.", + "properties": { + "issuer": { + "$ref": "#/definitions/url" + }, + "clientID": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "clientSecret": { + "type": "string", + "x-secret": "" + }, + "adminGroupID": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "teamAdminGroupID": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "usernameClaimMapper": { + "$ref": "#/definitions/wordCharacterPattern", + "description": "Claim name from identity provider used by Keycloak to create the username. Best to not change this from the default.", + "default": "${CLAIM.upn}" + }, + "subClaimMapper": { + "type": "string", + "description": "Claim name passed by Keycloak as a unique user identifier. Best to not change this from the default.", + "default": "sub" + } + }, + "required": [ + "clientID", + "clientSecret", + "issuer" + ] + }, + "otomi": { + "additionalProperties": false, + "properties": { + "additionalClusters": { + "type": "array", + "items": { + "title": "Additional cluster", + "description": "A k8s cluster managed by Otomi.", + "properties": { + "domainSuffix": { + "$ref": "#/definitions/domain" + }, + "name": { + "$ref": "#/definitions/idName" + }, + "provider": { + "$ref": "#/definitions/provider" + } + }, + "required": [ + "domainSuffix", + "name", + "provider" + ] + } + }, + "adminPassword": { + "type": "string", + "x-secret": "{{ randAlphaNum 20 }}" + }, + "globalPullSecret": { + "title": "Global pullsecret", + "description": "Will be connected to each \"default\" service account in all otomi app namespaces. Handy for authenticating with DockerHub to avoid rate limiting. Also useful when pulling all otomi images from a private repo. 
(One would need to override all the images in the config first.)", + "additionalProperties": false, + "properties": { + "username": { + "$ref": "#/definitions/wordCharacterPattern" + }, + "password": { + "type": "string", + "x-secret": "" + }, + "email": { + "$ref": "#/definitions/email", + "default": "not@us.ed" + }, + "server": { + "$ref": "#/definitions/wordCharacterPattern", + "default": "docker.io" + } + }, + "required": [ + "username", + "password" + ] + }, + "hasExternalDNS": { + "description": "Set this to true when an external dns zone is available to manage dns records. (Expects required `dns:` fields to be set.)", + "default": false, + "type": "boolean" + }, + "hasExternalIDP": { + "default": false, + "description": "Set this to true when bringing your own external IDP such as Azure AD. (Expects required `oidc:` fields to be set.)", + "type": "boolean" + }, + "isHomeMonitored": { + "default": false, + "description": "Whether this cluster is home monitored (like when under a Premium SLA). Sends criticals home.", + "type": "boolean" + }, + "isMultitenant": { + "default": true, + "description": "Whether to separate team metrics and logs. Disabling this lets everybody be admin and see everything.", + "type": "boolean" + }, + "nodeSelector": { + "$ref": "#/definitions/labelsAnnotations", + "description": "One or more \"label: value\" pairs that must exist on one or more nodes, which will force all otomi platform workloads to be scheduled there." 
+ }, + "version": { + "default": "latest", + "description": "Best pin this to a valid release version found in the repo.", + "pattern": "(v[0-9]+.[0-9]+.[0-9]+|[a-zA-Z]+[a-zA-Z0-9-])" + } + } + }, + "ingress": { + "properties": { + "platformClass": { + "type": "object", + "allOf": [ + { + "properties": { + "className": { + "type": "string", + "enum": [ + "platform" + ] + } + } + }, + { + "$ref": "#/definitions/ingressClassParameters" + } + ] + }, + "classes": { + "type": "array", + "items": { + "allOf": [ + { + "type": "object", + "properties": { + "className": { + "type": "string" + } + } + }, + { + "$ref": "#/definitions/ingressClassParameters" + } + ], + "required": [ + "className" + ] + } + } + } + }, + "smtp": { + "additionalProperties": false, + "properties": { + "auth_identity": { + "type": "string" + }, + "auth_password": { + "type": "string", + "x-secret": "" + }, + "auth_secret": { + "type": "string", + "x-secret": "" + }, + "auth_username": { + "type": "string" + }, + "from": { + "$ref": "#/definitions/email", + "description": "The \"from\" address. Defaults to alerts@$clusterDomain." + }, + "hello": { + "type": "string" + }, + "smarthost": { + "$ref": "#/definitions/hostPort", + "description": "The smtp host:port combination." 
+ } + }, + "required": [ + "smarthost" + ] + }, + "platformBackups": { + "type": "object", + "properties": { + "database": { + "type": "object", + "title": "Database backups", + "properties": { + "harbor": { + "title": "Harbor", + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "retentionPolicy": { + "$ref": "#/definitions/backupRetentionPolicy" + }, + "schedule": { + "$ref": "#/definitions/backupSchedule" + } + } + }, + "gitea": { + "title": "Gitea", + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "retentionPolicy": { + "$ref": "#/definitions/backupRetentionPolicy" + }, + "schedule": { + "$ref": "#/definitions/backupSchedule" + } + } + }, + "keycloak": { + "title": "Keycloak", + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "retentionPolicy": { + "$ref": "#/definitions/backupRetentionPolicy" + }, + "schedule": { + "$ref": "#/definitions/backupSchedule" + } + } + } + } + } + } + }, + "obj": { + "properties": { + "bucket": { + "properties": { + "loki": { + "type": "string", + "$ref": "#/definitions/wordCharacterPattern", + "default": "loki" + }, + "cnpg": { + "type": "string", + "$ref": "#/definitions/wordCharacterPattern", + "default": "cnpg" + }, + "velero": { + "type": "string", + "$ref": "#/definitions/wordCharacterPattern", + "default": "velero" + }, + "harbor": { + "type": "string", + "$ref": "#/definitions/wordCharacterPattern", + "default": "harbor" + }, + "tempo": { + "type": "string", + "$ref": "#/definitions/wordCharacterPattern", + "default": "tempo" + } + } + }, + "provider": { + "properties": { + "linode": { + "additionalProperties": false, + "properties": { + "region": { + "description": "The region of the bucket", + "$ref": "#/definitions/wordCharacterPattern" + }, + "accessKeyId": { + 
"type": "string", + "description": "The ID of the access key", + "$ref": "#/definitions/wordCharacterPattern" + }, + "secretAccessKey": { + "type": "string", + "description": "The secret of the access key", + "$ref": "#/definitions/wordCharacterPattern", + "x-secret": "" + } + }, + "required": [ + "region", + "accessKeyId", + "secretAccessKey" + ] + }, + "type": { + "type": "string", + "enum": [ + "minioLocal", + "linode", + "disabled" + ], + "default": "disabled" + } + } + } + } + }, + "databases": { + "properties": { + "keycloak": { + "title": "Keycloak", + "properties": { + "size": { + "type": "string" + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "replicas": { + "type": "integer", + "default": 2 + }, + "imported": { + "type": "boolean", + "default": false + } + } + }, + "harbor": { + "title": "Harbor", + "properties": { + "size": { + "type": "string" + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "replicas": { + "type": "integer", + "default": 2 + } + } + }, + "gitea": { + "title": "gitea", + "properties": { + "useOtomiDB": { + "type": "boolean", + "default": false + }, + "size": { + "type": "string" + }, + "resources": { + "$ref": "#/definitions/resources" + }, + "replicas": { + "type": "integer", + "default": 2 + }, + "imported": { + "type": "boolean", + "default": false + } + } + } + } + }, + "teamConfig": { + "additionalProperties": false, + "patternProperties": { + "^[a-z0-9]([-a-z0-9]*[a-z0-9])+$": { + "$ref": "#/definitions/team" + } + }, + "properties": { + "admin": { + "properties": { + "password": { + "type": "string", + "x-secret": "{{ randAlpha 16 }}" + } + } + } + } + }, + "version": { + "type": "integer", + "description": "DO NOT CHANGE! Holds the values-schema version. For more details, see `otomi migrate`." 
+ }, + "license": { + "type": "string", + "describe": "License in form of JWT", + "x-secret": "" + }, + "status": { + "type": "object", + "properties": { + "otomi": { + "properties": { + "deployingTag": { + "type": "string" + }, + "deployingVersion": { + "type": "string" + }, + "status": { + "type": "string", + "enum": [ + "deploying", + "deployed" + ] + }, + "version": { + "type": "string" + } + } + }, + "helm": { + "type": "object" + } + } + } + }, + "required": [ + "cluster" + ] +} diff --git a/charts/otomi-db/templates/cluster.yaml b/charts/otomi-db/templates/cluster.yaml index 5aa786c292..7650f38238 100644 --- a/charts/otomi-db/templates/cluster.yaml +++ b/charts/otomi-db/templates/cluster.yaml @@ -44,7 +44,7 @@ spec: backup: retentionPolicy: {{ .Values.backup.retentionPolicy }} barmanObjectStore: - destinationPath: s3://database + destinationPath: {{ .Values.backup.minioLocal.destinationPath }} endpointURL: "http://minio.minio.svc.cluster.local:9000" s3Credentials: accessKeyId: 
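Review bot: `destinationPath: {{ .Values.backup.minioLocal.destinationPath }}` renders as an empty scalar under the chart's own defaults, because the `charts/otomi-db/values.yaml` hunk in this commit sets `minioLocal.destinationPath: ""`, whereas the removed `s3://database` was a usable default. Rendering a Cluster with a null barman destination is only caught at apply time; `destinationPath: {{ required "backup.minioLocal.destinationPath must be set" .Values.backup.minioLocal.destinationPath | quote }}` fails at template time instead and also keeps the value quoted. The same unguarded, unquoted pattern appears for `linode.destinationPath` in the next hunk of this file. The enclosing `{{- if eq .Values.backup.type ... }}` block begins outside the hunk.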
@@ -54,44 +54,22 @@ spec: name: minio-creds key: MINIO_SECRET_KEY {{- end }} - {{- if eq .Values.backup.type "azure" }} + {{- if eq .Values.backup.type "linode" }} backup: retentionPolicy: {{ .Values.backup.retentionPolicy }} barmanObjectStore: - destinationPath: "https://{{ .Values.backup.azure.accountName }}.blob.core.windows.net/{{ .Values.backup.azure.containerName }}" - azureCredentials: - storageAccount: - name: azure-creds - key: AZURE_STORAGE_ACCOUNT - storageKey: - name: azure-creds - key: AZURE_STORAGE_KEY - {{- end }} - {{- if eq .Values.backup.type "s3" }} - backup: - retentionPolicy: {{ .Values.backup.retentionPolicy }} - barmanObjectStore: - destinationPath: s3://{{ .Values.backup.s3.bucket }} - endpointURL: {{ .Values.backup.s3.endpointURL }} + destinationPath: {{ .Values.backup.linode.destinationPath }} + endpointURL: {{ .Values.backup.linode.endpointURL }} s3Credentials: accessKeyId: - name: s3-creds + name: linode-creds key: S3_STORAGE_ACCOUNT secretAccessKey: - name: s3-creds + name: linode-creds key: S3_STORAGE_KEY {{- end }} - {{- if eq .Values.backup.type "gcs" }} - backup: - retentionPolicy: {{ .Values.backup.retentionPolicy }} - barmanObjectStore: - destinationPath: "gs://{{ .Values.backup.gcs.bucket }}" - googleCredentials: - applicationCredentials: - name: gcs-creds - key: gcsCredentials - {{- end }} {{- end }} + {{- with .Values.clusterSpec }} {{- toYaml . | nindent 2 }} {{- end }} diff --git a/charts/otomi-db/values.yaml b/charts/otomi-db/values.yaml index 40fe898723..3916d9b810 100644 --- a/charts/otomi-db/values.yaml +++ b/charts/otomi-db/values.yaml @@ -19,7 +19,6 @@ clusterAffinity: topologyKey: kubernetes.io/hostname podAntiAffinityType: preferred - # Example for backups: # clusterBackup: # backup: @@ -34,8 +33,6 @@ clusterAffinity: # name: minio-creds # key: MINIO_SECRET_KEY - - clusterSpec: bootstrap: initdb: 
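Review bot: The new linode branch reads `.Values.backup.linode.endpointURL`, but the `charts/otomi-db/values.yaml` hunk in this commit only adds `linode.destinationPath`, so with chart defaults `endpointURL:` renders empty and barman has no object-store endpoint. Add `endpointURL: ""` under `linode:` in values.yaml and guard it with `endpointURL: {{ required "backup.linode.endpointURL must be set" .Values.backup.linode.endpointURL | quote }}` so the omission fails at template time. The branch also points `s3Credentials` at a secret named `linode-creds` that nothing in this diff creates; presumably it is provisioned elsewhere, which is worth a one-line template comment next to the `if eq .Values.backup.type "linode"` line.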
@@ -51,11 +48,7 @@ backup: backupOwnerReference: none retentionPolicy: 7d type: minioLocal - azure: - storageAccount: "" - container: "" - s3: - endpointURL: "" - bucket: "" - gcs: - bucket: "" \ No newline at end of file + minioLocal: + destinationPath: "" + linode: + destinationPath: "" \ No newline at end of file diff --git a/charts/velero/templates/deployment.yaml b/charts/velero/templates/deployment.yaml index 0468cba94d..2caee32a63 100644 --- a/charts/velero/templates/deployment.yaml +++ b/charts/velero/templates/deployment.yaml @@ -229,7 +229,7 @@ spec: {{- end }} {{- with .Values.credentials.extraEnvVars }} {{- range $key, $value := . }} - - name: {{ default "none" $key }} + - name: {{ default "none" (upper $key) }} valueFrom: secretKeyRef: name: {{ include "velero.secretName" $ }} diff --git a/helmfile.d/snippets/defaults.yaml b/helmfile.d/snippets/defaults.yaml index e5e4011871..a22e336605 100644 --- a/helmfile.d/snippets/defaults.yaml +++ b/helmfile.d/snippets/defaults.yaml @@ -691,24 +691,29 @@ environments: requests: cpu: 50m memory: 256Mi + obj: + provider: + type: disabled + bucket: + loki: loki + cnpg: cnpg + velero: velero + harbor: harbor + tempo: tempo platformBackups: database: harbor: enabled: false - persistentVolumes: gitea: enabled: false - drone: - enabled: false keycloak: enabled: false - harbor: - enabled: false - argo: - enabled: false - minio: + persistentVolumes: + gitea: enabled: false - cluster: {} + cluster: + provider: linode + name: apl dns: domainFilters: [] zoneIdFilters: [] diff --git a/tests/fixtures/env/apps/cnpg.yaml b/tests/fixtures/env/apps/cnpg.yaml index d55ec0253b..ebb21954c3 100644 --- a/tests/fixtures/env/apps/cnpg.yaml +++ b/tests/fixtures/env/apps/cnpg.yaml @@ -7,9 +7,3 @@ apps: requests: cpu: 100m memory: 200Mi - storage: - s3: - accessKeyId: 2C2F1864-3ADB-4D06-8F77-C82CAB6F0415 - bucket: databases/ - s3Url: https://nl-ams-1.linodeobjects.com - type: s3 
diff --git a/tests/fixtures/env/apps/harbor.yaml b/tests/fixtures/env/apps/harbor.yaml index 07703603eb..7c662a594f 100644 --- a/tests/fixtures/env/apps/harbor.yaml +++ b/tests/fixtures/env/apps/harbor.yaml @@ -1,12 +1,6 @@ apps: harbor: enabled: true - persistence: - imageChartStorage: - gcs: - bucket: otomi-harbor - rootdirectory: /google/demo - type: gcs core: {} registry: credentials: {} diff --git a/tests/fixtures/env/apps/loki.yaml b/tests/fixtures/env/apps/loki.yaml index f6cc3933c9..28a7632efc 100644 --- a/tests/fixtures/env/apps/loki.yaml +++ b/tests/fixtures/env/apps/loki.yaml @@ -83,10 +83,4 @@ apps: retention: duration: 24h period: 24h - storage: - s3: - bucket: my-bucket - region: west-eu - useInstanceRole: true - type: s3 v11StartDate: 2021-05-13 diff --git a/tests/fixtures/env/apps/secrets.cnpg.yaml b/tests/fixtures/env/apps/secrets.cnpg.yaml deleted file mode 100644 index 25ca56547e..0000000000 --- a/tests/fixtures/env/apps/secrets.cnpg.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apps: - cnpg: - storage: - s3: - secretAccessKey: superdupersecretacceskey diff --git a/tests/fixtures/env/apps/secrets.harbor.yaml b/tests/fixtures/env/apps/secrets.harbor.yaml index 0a142da368..21d1988301 100644 --- a/tests/fixtures/env/apps/secrets.harbor.yaml +++ b/tests/fixtures/env/apps/secrets.harbor.yaml @@ -1,10 +1,6 @@ apps: harbor: adminPassword: harborsomesecretvalue - persistence: - imageChartStorage: - gcs: - encodedkey: somesecretvalue secretKey: somesecretvalue core: secret: vQFMm9Qk0pTUF3MK diff --git a/tests/fixtures/env/apps/secrets.velero.yaml b/tests/fixtures/env/apps/secrets.velero.yaml deleted file mode 100644 index 29e5ccb915..0000000000 --- a/tests/fixtures/env/apps/secrets.velero.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apps: - velero: - cloud: - google: - saKeyJson: '{key in json format}' - # azure: - # aadClientSecret: somesecret diff --git a/tests/fixtures/env/apps/tempo.yaml b/tests/fixtures/env/apps/tempo.yaml index b70f95fba1..acbbdd58fa 100644 
--- a/tests/fixtures/env/apps/tempo.yaml +++ b/tests/fixtures/env/apps/tempo.yaml @@ -1,12 +1,6 @@ apps: tempo: enabled: true - storage: - type: minioLocal - # azure: - # accountName: account_name - # containerName: container_name - # accountKey: shshsheyeywywiqwioqw autoscaling: ingester: enabled: true diff --git a/tests/fixtures/env/apps/velero.yaml b/tests/fixtures/env/apps/velero.yaml index 57afa4d0e3..03651fbb55 100644 --- a/tests/fixtures/env/apps/velero.yaml +++ b/tests/fixtures/env/apps/velero.yaml @@ -3,27 +3,3 @@ apps: enabled: true restic: enabled: false - cloud: - # azure: - # resourceGroup: test - # environment: AzurePublicCloud - # subscriptionId: test - # tenantId: test - # aadClientId: bla12344556666658457847476 - # aadClientSecret: bla383736363653 - # type: azure - # storage: - # azureBlob: - # storageAccount: bla - # bucket: velero - # resourceGroup: bla - # type: azureBlob - google: - project: velero - serviceAccount: bla - type: google - storage: - gcs: - bucket: velero - serviceAccount: bla - type: gcs diff --git a/tests/fixtures/env/cluster.yaml b/tests/fixtures/env/cluster.yaml index 82da4bf98a..3a657f2bdc 100644 --- a/tests/fixtures/env/cluster.yaml +++ b/tests/fixtures/env/cluster.yaml @@ -4,4 +4,4 @@ cluster: k8sContext: otomi-eks-demo name: demo owner: redkubes - provider: azure + provider: linode diff --git a/tests/fixtures/env/secrets.settings.yaml b/tests/fixtures/env/secrets.settings.yaml index e2295d84af..d517b3fab0 100644 --- a/tests/fixtures/env/secrets.settings.yaml +++ b/tests/fixtures/env/secrets.settings.yaml @@ -24,3 +24,14 @@ otomi: password: blablabla smtp: auth_password: somesecretvalue +obj: + provider: + # s3: + # secretAccessKey: somesecretvalue + linode: + secretAccessKey: somesecretvalue + # azureBlob: + # aadClientSecret: somesecretvalue +platformBackups: + persistentVolumes: + linodeApiToken: justanapitokenhere 
diff --git a/tests/fixtures/env/settings.yaml b/tests/fixtures/env/settings.yaml index e5bccffe17..ac34e32da7 100644 --- a/tests/fixtures/env/settings.yaml +++ b/tests/fixtures/env/settings.yaml @@ -61,7 +61,7 @@ otomi: additionalClusters: - domainSuffix: demo.eks.otomi.cloud name: demo - provider: aws + provider: custom globalPullSecret: username: otomi hasExternalDNS: true @@ -76,19 +76,31 @@ platformBackups: enabled: true retentionPolicy: 7d schedule: 0 0 0 * * * + keycloak: + enabled: true + retentionPolicy: 7d + schedule: 0 0 0 * * * + gitea: + enabled: true + retentionPolicy: 7d + schedule: 0 0 0 * * * persistentVolumes: - argo: - enabled: false - drone: - enabled: false gitea: enabled: false - harbor: - enabled: false - keycloak: - enabled: false - minio: - enabled: false +obj: + bucket: + loki: loki + cnpg: cnpg + velero: velero + harbor: harbor + tempo: tempo + provider: + # type: minioLocal + linode: + region: nl-ams-1 + accessKeyId: someaccessKeyId + type: linode + # type: disabled smtp: auth_username: no-reply@doma.in from: no-reply@doma.in diff --git a/values-schema.yaml b/values-schema.yaml index 078c3afc92..9600cef502 100644 --- a/values-schema.yaml +++ b/values-schema.yaml @@ -292,7 +292,7 @@ definitions: type: string backup: type: object - description: Team backups + description: PV backups properties: name: $ref: '#/definitions/wordCharacterPattern' @@ -691,17 +691,9 @@ definitions: type: string description: Enter the cloud provider of this cluster. Choose 'custom' for laptop install (minikube, kind) or onprem installs. enum: - - aws - - azure - - digitalocean - - google - custom - - kind - linode - - ovh - - vultr - - scaleway - - civo + default: linode redisChart: properties: _rawValues: 
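Review bot: Shrinking the `provider` enum to `custom` and `linode` turns every existing values repo that still carries one of the removed values (`aws`, `azure`, `google`, `digitalocean`, `kind`, `ovh`, `vultr`, `scaleway`, `civo`) into a schema-validation failure on upgrade, and the diff contains no migration for it; the fixture edit from `aws` to `custom` in tests/fixtures/env/settings.yaml above is exactly the manual change each operator would have to make. Either keep the removed values accepted with a deprecation note in the description, or add a migration step that maps them to `custom` before validation runs. The description still only explains when to pick `custom`; since `default: linode` is now set, extend it to say when `linode` applies, e.g. `description: Enter the cloud provider of this cluster. Choose 'linode' when running on Linode, or 'custom' for laptop installs (minikube, kind) or onprem installs.`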
@@ -1462,114 +1454,6 @@ definitions: required: - name - url - storageProvider: - type: object - title: Storage provider - description: Select the preferred provider for storing database backups. - oneOf: - - title: Local Minio - type: object - description: Select to use the in-cluster Minio instance. - properties: - type: - type: string - enum: - - minioLocal - default: minioLocal - - title: Azure Blob - type: object - x-hideTitle: true - properties: - azure: - type: object - description: Select to store in Azure Blob storage. - title: Azure blob (container) storage - properties: - accountKey: - type: string - x-secret: '' - accountName: - type: string - containerName: - type: string - required: - - accountKey - - accountName - - containerName - type: - type: string - enum: - - azure - default: azure - required: - - azure - - type - - title: S3 - type: object - x-hideTitle: true - properties: - s3: - type: object - title: S3 - description: Select to store in AWS S3 or S3 compatible blob storage. - properties: - bucket: - type: string - description: The name of the bucket. - $ref: '#/definitions/wordCharacterPattern' - s3Url: - type: string - description: The full S3 URL. - $ref: '#/definitions/wordCharacterPattern' - accessKeyId: - type: string - description: The ID of the access key. Optional if cloud provider is AWS. - $ref: '#/definitions/wordCharacterPattern' - secretAccessKey: - type: string - description: The secret of the access key. Optional if cloud provider is AWS. - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - required: - - bucket - - s3Url - - accessKeyId - - secretAccessKey - type: - type: string - enum: - - s3 - default: s3 - required: - - s3 - - type - - title: gcs - type: object - x-hideTitle: true - properties: - gcs: - type: object - title: Google Cloud Storage - description: Select to store backups in Google Cloud Storage. - properties: - bucket: - type: string - description: Name of the bucket. 
- $ref: '#/definitions/wordCharacterPattern' - serviceAccountKey: - $ref: '#/definitions/google/definitions/accountJson' - description: A service account key in json format for authentication. - required: - - bucket - - serviceAccountKey - type: - type: string - enum: - - gcs - default: gcs - required: - - gcs - - type properties: alerts: @@ -1674,8 +1558,6 @@ properties: $ref: '#/definitions/rawValues' resources: $ref: '#/definitions/resources' - storage: - $ref: '#/definitions/storageProvider' drone: additionalProperties: false properties: @@ -1919,74 +1801,6 @@ properties: secret: type: string x-secret: '{{ randAlphaNum 16 }}' - persistence: - additionalProperties: false - properties: - imageChartStorage: - additionalProperties: false - description: For reference go to https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage - properties: - s3: - additionalProperties: false - properties: - accesskey: - $ref: '#/definitions/aws/definitions/accessKey' - secretkey: - $ref: '#/definitions/aws/definitions/secretKey' - region: - $ref: '#/definitions/aws/definitions/region' - regionendpoint: - type: string - bucket: - type: string - encrypt: - type: boolean - keyid: - type: string - secure: - type: boolean - v4auth: - type: boolean - chunksize: - type: integer - multipartcopychunksize: - type: integer - multipartcopymaxconcurrency: - type: integer - multipartcopythresholdsize: - type: integer - rootdirectory: - type: string - azure: - additionalProperties: false - properties: - accountname: - type: string - accountkey: - type: string - x-secret: '' - container: - type: string - realm: - type: string - gcs: - additionalProperties: false - properties: - bucket: - type: string - encodedkey: - type: string - x-secret: '' - rootdirectory: - type: string - type: - type: string - enum: - - s3 - - azure - - gcs - - filesystem - default: filesystem registry: properties: secret: 
@@ -2294,49 +2108,6 @@ properties: type: string required: - duration - storage: - description: 'Chunk storage' - properties: - azure: - properties: - accountName: - $ref: '#/definitions/wordCharacterPattern' - containerName: - $ref: '#/definitions/wordCharacterPattern' - accountKey: - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - s3: - properties: - useInstanceRole: - type: boolean - default: false - bucket: - $ref: '#/definitions/wordCharacterPattern' - s3Url: - $ref: '#/definitions/wordCharacterPattern' - accessKeyId: - $ref: '#/definitions/wordCharacterPattern' - secretAccessKey: - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - region: - $ref: '#/definitions/wordCharacterPattern' - gcs: - properties: - bucket: - $ref: '#/definitions/wordCharacterPattern' - serviceAccount: - $ref: '#/definitions/wordCharacterPattern' - type: - type: string - enum: - - azure - - s3 - - gcs - - minioLocal - - filesystem - default: minioLocal v11StartDate: description: Set this to a date just after deployment in case of an upgrade. (Otomi started at v9 with filesystem.) title: Schema v11 start date @@ -2629,35 +2400,6 @@ properties: size: default: 10Gi $ref: '#/definitions/size' - storage: - properties: - azure: - properties: - accountName: - $ref: '#/definitions/wordCharacterPattern' - containerName: - $ref: '#/definitions/wordCharacterPattern' - accountKey: - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - s3: - properties: - bucket: - $ref: '#/definitions/wordCharacterPattern' - s3Url: - $ref: '#/definitions/wordCharacterPattern' - accessKeyId: - $ref: '#/definitions/wordCharacterPattern' - secretAccessKey: - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - type: - type: string - enum: - - azure - - s3 - - minioLocal - default: minioLocal trivy: properties: _rawValues: 
@@ -2726,156 +2468,6 @@ properties: enabled: type: boolean default: false - cloud: - properties: - azure: - additionalProperties: false - description: Azure - properties: - resourceGroup: - description: The resource group of the worker nodes (VM's and disks) - $ref: '#/definitions/wordCharacterPattern' - environment: - title: Azure environment - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureUSGovernment - - AzureGermanCloud - default: AzurePublicCloud - tenantId: - $ref: '#/definitions/wordCharacterPattern' - subscriptionId: - $ref: '#/definitions/wordCharacterPattern' - aadClientId: - $ref: '#/definitions/wordCharacterPattern' - aadClientSecret: - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - required: - - tenantId - - subscriptionId - - aadClientId - - aadClientSecret - - resourceGroup - - environment - aws: - additionalProperties: false - description: Amazon Web Services - properties: - region: - type: string - description: The AWS region where the cluster is running. - $ref: '#/definitions/wordCharacterPattern' - accessKeyId: - type: string - description: The ID of the access key - $ref: '#/definitions/wordCharacterPattern' - secretAccessKey: - type: string - description: The secret of the access key - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - google: - additionalProperties: false - description: Google Cloud Platform - properties: - serviceAccount: - type: string - description: The IAM account with permissions to manage snapshot resources in the GCP Project. - $ref: '#/definitions/wordCharacterPattern' - project: - type: string - description: The name of the GCP project. 
- $ref: '#/definitions/wordCharacterPattern' - saKeyJson: - type: string - x-secret: '' - type: - type: string - enum: - - aws - - azure - - google - - custom - default: custom - storage: - properties: - azureBlob: - additionalProperties: false - properties: - storageAccount: - type: string - description: The used Azure storage account - $ref: '#/definitions/wordCharacterPattern' - resourceGroup: - type: string - description: The resource group of the storage account - $ref: '#/definitions/wordCharacterPattern' - bucket: - type: string - description: Name of the blob container. - $ref: '#/definitions/wordCharacterPattern' - tenantId: - $ref: '#/definitions/wordCharacterPattern' - subscriptionId: - $ref: '#/definitions/wordCharacterPattern' - aadClientId: - $ref: '#/definitions/wordCharacterPattern' - aadClientSecret: - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - required: - - resourceGroup - - storageAccount - - bucket - s3: - additionalProperties: false - properties: - bucket: - type: string - description: Name of the blob container. - $ref: '#/definitions/wordCharacterPattern' - s3Url: - description: The name (URL) of the S3 bucket - $ref: '#/definitions/wordCharacterPattern' - accessKeyId: - type: string - description: The ID of the access key - $ref: '#/definitions/wordCharacterPattern' - secretAccessKey: - type: string - description: The secret of the access key - $ref: '#/definitions/wordCharacterPattern' - x-secret: '' - required: - - bucket - - s3Url - gcs: - additionalProperties: false - properties: - bucket: - type: string - description: Name of the bucket. - $ref: '#/definitions/wordCharacterPattern' - serviceAccount: - description: The name of the GCP service account to use. 
- $ref: '#/definitions/wordCharacterPattern' - saKeyJson: - type: string - x-secret: '' - required: - - bucket - - serviceAccount - type: - type: string - enum: - - azureBlob - - s3 - - gcs - - minioLocal - default: minioLocal logLevel: description: Set log-level for the Velero pod. default: info @@ -3293,54 +2885,42 @@ properties: $ref: '#/definitions/backupRetentionPolicy' schedule: $ref: '#/definitions/backupSchedule' - persistentVolumes: - type: object - title: PersistentVolumes backups - properties: gitea: title: Gitea properties: enabled: type: boolean default: false - ttl: - $ref: '#/definitions/backupTtl' - schedule: - $ref: '#/definitions/backupSchedule' - drone: - title: Drone - properties: - enabled: - type: boolean - default: false - ttl: - $ref: '#/definitions/backupTtl' + resources: + $ref: '#/definitions/resources' + retentionPolicy: + $ref: '#/definitions/backupRetentionPolicy' schedule: $ref: '#/definitions/backupSchedule' keycloak: title: Keycloak - properties: - enabled: - type: boolean - default: false - ttl: - $ref: '#/definitions/backupTtl' - schedule: - $ref: '#/definitions/backupSchedule' - harbor: - title: Harbor properties: enabled: type: boolean default: false resources: $ref: '#/definitions/resources' - ttl: - $ref: '#/definitions/backupTtl' + retentionPolicy: + $ref: '#/definitions/backupRetentionPolicy' schedule: $ref: '#/definitions/backupSchedule' - argo: - title: ArgoCD + persistentVolumes: + type: object + description: Create backups of persistent volumes + additionalProperties: false + properties: + linodeApiToken: + type: string + description: Linode API Token + $ref: '#/definitions/wordCharacterPattern' + x-secret: '' + gitea: + title: Gitea properties: enabled: type: boolean 
@@ -3349,16 +2929,37 @@ properties: $ref: '#/definitions/backupTtl' schedule: $ref: '#/definitions/backupSchedule' - minio: - title: Minio + obj: + properties: + provider: + properties: + linode: + additionalProperties: false properties: - enabled: - type: boolean - default: false - ttl: - $ref: '#/definitions/backupTtl' - schedule: - $ref: '#/definitions/backupSchedule' + region: + description: The region of the bucket + $ref: '#/definitions/wordCharacterPattern' + accessKeyId: + type: string + description: The ID of the access key + $ref: '#/definitions/wordCharacterPattern' + secretAccessKey: + type: string + description: The secret of the access key + $ref: '#/definitions/wordCharacterPattern' + x-secret: '' + required: + - region + - accessKeyId + - secretAccessKey + type: + type: string + enum: + - minioLocal + - linode + - disabled + default: disabled + databases: properties: keycloak: diff --git a/values/gitea/gitea-otomi-db.gotmpl b/values/gitea/gitea-otomi-db.gotmpl index 57d68f01c8..06fec004aa 100644 --- a/values/gitea/gitea-otomi-db.gotmpl +++ b/values/gitea/gitea-otomi-db.gotmpl @@ -2,10 +2,33 @@ {{- $k := $v.apps.gitea }} {{- $cnpg := $v.apps.cnpg }} {{- $gdb := $v.databases.gitea }} +{{- $obj := $v.obj.provider }} +{{- $bu := $v.obj.bucket }} +{{- $b := $v.platformBackups.database.gitea }} name: gitea-db storage: size: {{ $gdb.size }} +instances: {{ $gdb.replicas }} + +{{- if eq $obj.type "minioLocal" "linode" }} +{{- if $b.enabled }} +backup: + enabled: {{ $b.enabled }} + schedule: {{ $b.schedule }} + retentionPolicy: {{ $b.retentionPolicy }} + type: {{ $obj.type }} +{{- if eq $obj.type "minioLocal" }} + minioLocal: + destinationPath: "s3://{{ $bu.cnpg }}/gitea" +{{- end }} +{{- if eq $obj.type "linode" }} + linode: + destinationPath: "s3://{{ $bu.cnpg }}/gitea" + endpointURL: {{ $bu.cnpg }}.{{ $obj.linode.region }}.linodeobjects.com +{{- end }} +{{- end }} +{{- end }} {{- if $gdb.imported }} clusterSpec: 
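Review bot: Nothing in the new `obj.provider` schema ties `type: linode` to the presence of the `linode` object, so `type: linode` without a `linode` block validates, and the templates added in this commit (values/gitea/gitea-otomi-db.gotmpl, values/harbor/harbor-raw.gotmpl, values/keycloak/keycloak-raw.gotmpl) then dereference `$obj.linode.region`, `$obj.linode.accessKeyId` and `$obj.linode.secretAccessKey` on nil, which either aborts the render or emits empty credentials into Secrets instead of a clear validation error. The schema is consumed as draft-07 (the generated chart/otomi/values.schema.json in this commit declares that dialect), so an `if`/`then` on `provider` closes the gap, as below. `obj` and `provider` also lack `additionalProperties: false`, unlike the `linode` object beneath them, so a misspelt `providr:` or `buckets:` is accepted silently; add it to both.

```yaml
provider:
  # … unchanged: properties (linode, type) …
  if:
    properties:
      type:
        const: linode
  then:
    required:
      - linode
```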
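Review bot: With `obj.provider.type: disabled` (the default set in helmfile.d/snippets/defaults.yaml in this commit) the outer `{{- if eq $obj.type "minioLocal" "linode" }}` swallows the whole `backup:` block, so `platformBackups.database.gitea.enabled: true` renders a cluster with no backup at all and nothing tells the operator; the same holds for the harbor and keycloak counterparts in this commit. Make the contradiction visible before the outer conditional, e.g. `{{- if and $b.enabled (eq $obj.type "disabled") }}{{ fail "platformBackups.database.gitea.enabled requires obj.provider.type to be minioLocal or linode" }}{{- end }}`. Separately, `endpointURL: {{ $bu.cnpg }}.{{ $obj.linode.region }}.linodeobjects.com` carries no scheme while the equivalent line in values/harbor/harbor-otomi-db.gotmpl emits `https://…`; without the scheme it is not evident whether barman reaches object storage over TLS, so use `endpointURL: https://{{ $bu.cnpg }}.{{ $obj.linode.region }}.linodeobjects.com` here and in values/keycloak/keycloak-otomi-db.gotmpl, which copies the line verbatim. The bucket also appears both as the host label of that endpoint and again in `destinationPath: "s3://{{ $bu.cnpg }}/gitea"`; confirm against barman's endpoint handling that objects do not end up under `bucket/bucket/gitea`.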
@@ -44,6 +67,14 @@ clusterSpec: localeCType: 'en_US.UTF-8' {{- end }} -instances: {{ $gdb.replicas }} - -resources: {{- toYaml $gdb.resources | nindent 6 }} +resources: + {{- with $gdb | get "resources" nil }} + {{- toYaml . | nindent 6 }} + {{- else }} + limits: + cpu: 100m + memory: 512Mi + requests: + cpu: 50m + memory: 256Mi + {{- end }} diff --git a/values/gitea/gitea-raw.gotmpl b/values/gitea/gitea-raw.gotmpl index aee4561269..841110b6b9 100644 --- a/values/gitea/gitea-raw.gotmpl +++ b/values/gitea/gitea-raw.gotmpl @@ -1,19 +1,39 @@ {{- $v := .Values }} +{{- $otomiAdmin := "otomi-admin" }} +{{- $obj := $v.obj.provider }} resources: {{- if $v._derived.untrustedCA }} - - apiVersion: v1 - kind: Secret - metadata: - name: custom-ca - data: - ca-certificates.crt: {{ .Values._derived.caCert | b64enc }} +- apiVersion: v1 + kind: Secret + metadata: + name: custom-ca + data: + ca-certificates.crt: {{ .Values._derived.caCert | b64enc }} +{{- end }} +- apiVersion: v1 + kind: Secret + type: kubernetes.io/basic-auth + metadata: + name: gitea-db-secret + data: + username: "{{ "gitea" | b64enc }}" + password: "{{ $v.apps.gitea.postgresqlPassword | b64enc }}" +{{- if eq $obj.type "minioLocal" }} +- apiVersion: v1 + kind: Secret + metadata: + name: minio-creds + data: + MINIO_ACCESS_KEY: "{{ $otomiAdmin | b64enc }}" + MINIO_SECRET_KEY: "{{ $v.otomi.adminPassword | b64enc }}" +{{- end }} +{{- if eq $obj.type "linode" }} +- apiVersion: v1 + kind: Secret + metadata: + name: linode-creds + data: + S3_STORAGE_ACCOUNT: "{{ $obj.linode.accessKeyId | b64enc }}" + S3_STORAGE_KEY: "{{ $obj.linode.secretAccessKey | b64enc }}" {{- end }} - - apiVersion: v1 - kind: Secret - type: kubernetes.io/basic-auth - metadata: - name: gitea-db-secret - data: - username: "{{ "gitea" | b64enc }}" - password: "{{ $v.apps.gitea.postgresqlPassword | b64enc }}" diff --git a/values/harbor/harbor-otomi-db.gotmpl b/values/harbor/harbor-otomi-db.gotmpl index 5c12838c5d..5a3ff6d876 100644 
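Review bot: The new `minio-creds` Secret writes `$v.otomi.adminPassword` into the gitea namespace as `MINIO_SECRET_KEY` (with the fixed `otomi-admin` user), so the platform admin password now doubles as the object-storage credential for the database backup job; any principal that can read Secrets in that namespace, or the backup pod's environment, obtains the admin password, and rotating it means re-rolling every MinIO consumer. The same Secret is added in values/keycloak/keycloak-raw.gotmpl in this commit and the pattern already exists in values/harbor/harbor-raw.gotmpl. A dedicated MinIO access key scoped to the `{{ $bu.cnpg }}` bucket, kept in its own `x-secret` values key, limits what a compromise of the backup job exposes to that bucket. The `{{- if $v._derived.untrustedCA }}` block at the top of this hunk also changed indentation of the whole `resources` list; since the later items are now at column 0 as well, the result is consistent, but the diff is larger than the functional change and worth a one-line note in the commit message.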
--- a/values/harbor/harbor-otomi-db.gotmpl +++ b/values/harbor/harbor-otomi-db.gotmpl @@ -1,7 +1,8 @@ {{- $v := .Values }} {{- $hdb := $v.databases.harbor }} {{- $cnpg := $v.apps.cnpg }} -{{- $sp := $cnpg.storage }} +{{- $obj := $v.obj.provider }} +{{- $bu := $v.obj.bucket }} {{- $b := $v.platformBackups.database.harbor }} name: harbor-otomi-db @@ -9,25 +10,22 @@ storage: size: {{ $hdb.size }} instances: {{ $hdb.replicas }} +{{- if eq $obj.type "minioLocal" "linode" }} {{- if $b.enabled }} backup: enabled: {{ $b.enabled }} schedule: {{ $b.schedule }} retentionPolicy: {{ $b.retentionPolicy }} - type: {{ $sp.type }} -{{- if eq $sp.type "azure" }} - azure: - storageAccount: {{ $sp.azure.accountName }} - container: {{ $sp.azure.containerName }} + type: {{ $obj.type }} +{{- if eq $obj.type "minioLocal" }} + minioLocal: + destinationPath: "s3://{{ $bu.cnpg }}/harbor" {{- end }} -{{- if eq $sp.type "s3" }} - s3: - endpointURL: {{ $sp.s3.s3Url }} - bucket: {{ $sp.s3.bucket }} +{{- if eq $obj.type "linode" }} + linode: + destinationPath: "s3://{{ $bu.cnpg }}/harbor" + endpointURL: https://{{ $bu.cnpg }}.{{ $obj.linode.region }}.linodeobjects.com {{- end }} -{{- if eq $sp.type "gcs" }} - gcs: - bucket: {{ $sp.gcs.bucket }} {{- end }} {{- end }} diff --git a/values/harbor/harbor-raw.gotmpl b/values/harbor/harbor-raw.gotmpl index 0b3836e907..c0a8191010 100644 --- a/values/harbor/harbor-raw.gotmpl +++ b/values/harbor/harbor-raw.gotmpl @@ -3,7 +3,7 @@ {{- $harborDomain := printf "harbor.%s" $v.cluster.domainSuffix }} {{- $otomiAdmin := "otomi-admin" }} {{- $cnpg := $v.apps.cnpg }} -{{- $sp := $v.apps.cnpg.storage }} +{{- $obj := $v.obj.provider }} resources: - apiVersion: cert-manager.io/v1 @@ -32,7 +32,7 @@ resources: issuerRef: name: custom-ca kind: ClusterIssuer -{{- if eq $sp.type "minioLocal" }} +{{- if eq $obj.type "minioLocal" }} - apiVersion: v1 kind: Secret metadata: 
@@ -41,29 +41,12 @@ resources: MINIO_ACCESS_KEY: "{{ $otomiAdmin | b64enc }}" MINIO_SECRET_KEY: "{{ $v.otomi.adminPassword | b64enc }}" {{- end }} -{{- if eq $sp.type "azure" }} +{{- if eq $obj.type "linode" }} - apiVersion: v1 kind: Secret metadata: - name: azure-creds + name: linode-creds data: - AZURE_STORAGE_ACCOUNT: "{{ $sp.azure.accountName | b64enc }}" - AZURE_STORAGE_KEY: "{{ $sp.azure.accountKey | b64enc }}" -{{- end }} -{{- if eq $sp.type "s3" }} -- apiVersion: v1 - kind: Secret - metadata: - name: s3-creds - data: - S3_STORAGE_ACCOUNT: "{{ $sp.s3.accessKeyId | b64enc }}" - S3_STORAGE_KEY: "{{ $sp.s3.secretAccessKey | b64enc }}" -{{- end }} -{{- if eq $sp.type "gcs" }} -- apiVersion: v1 - kind: Secret - metadata: - name: gcs-creds - data: - gcsCredentials: "{{ $sp.gcs.serviceAccountKey | b64enc }}" + S3_STORAGE_ACCOUNT: "{{ $obj.linode.accessKeyId | b64enc }}" + S3_STORAGE_KEY: "{{ $obj.linode.secretAccessKey | b64enc }}" {{- end }} \ No newline at end of file diff --git a/values/harbor/harbor.gotmpl b/values/harbor/harbor.gotmpl index 380fb00e71..29c8c127f3 100644 --- a/values/harbor/harbor.gotmpl +++ b/values/harbor/harbor.gotmpl @@ -1,7 +1,8 @@ {{- $v := .Values }} {{- $h := $v.apps.harbor }} {{- $db := $v.databases.harbor }} -{{- $hp := $h | get "persistence" dict }} +{{- $obj := $v.obj.provider }} +{{- $bu := $v.obj.bucket }} {{- $harborDomain := printf "harbor.%s" $v.cluster.domainSuffix }} {{- $notaryDomain := printf "notary.%s" $v.cluster.domainSuffix }} {{- $harborSecretName := ($harborDomain | replace "." "-") }} @@ -130,7 +131,6 @@ notary: persistence: enabled: true - # resourcePolicy: 'keep' persistentVolumeClaim: registry: # Use the existing PVC which must be created manually before bound, 
@@ -167,16 +167,38 @@ persistence: existingClaim: '' subPath: '' accessMode: ReadWriteOnce - size: 5Gi - # Define which storage backend is used for registry and chartmuseum to store - # images and charts. Refer to - # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage - # for the detail. + size: 5Gi imageChartStorage: - {{ $imageChartStorageType := $hp | get "imageChartStorage.type" "filesystem" }} - type: {{ $imageChartStorageType }} - {{- if ne $imageChartStorageType "filesystem" }} - {{ $imageChartStorageType }}: {{- toYaml ($hp.imageChartStorage | get $imageChartStorageType) | nindent 6 }} + {{- if eq $obj.type "minioLocal" "linode" }} + disableredirect: true + type: s3 + s3: + {{- if eq $obj.type "minioLocal" }} + bucket: harbor + region: us-east-1 + regionendpoint: http://minio.minio.svc.cluster.local:9000 + accesskey: otomi-admin + secretkey: {{ $v.otomi.adminPassword }} + secure: false + v4auth: true + {{- end }} + {{- if eq $obj.type "linode" }} + bucket: {{ $bu.harbor }} + regionendpoint: https://{{ $obj.linode.region }}.linodeobjects.com + accesskey: {{ $obj.linode.accessKeyId }} + secretkey: {{ $obj.linode.secretAccessKey }} + region: {{ $obj.linode.region }} + encrypt: false + secure: true + v4auth: true + # By bumping the `multipartcopythresholdsize` option to 5GiB (up from its default + # of 32Mib), Distribution will only initiate an asynchronous server-side COPY + # operation once the blob is 5GiB in size. This effectively means there will be no + # more 403 Forbidden errors from Object Storage unless a layer/blob is > 5GiB in size + multipartcopythresholdsize: "5368709120" + {{- end }} + {{- else }} + type: filesystem {{- end }} postgresql: @@ -235,11 +257,11 @@ registry: {{- toYaml . | nindent 6 }} {{- else }} limits: + cpu: 1000m + memory: 1Gi + requests: cpu: 100m memory: 128Mi - requests: - cpu: 50m - memory: 64Mi {{- end }} controller: image: 
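Review bot: `secretkey: {{ $v.otomi.adminPassword }}` and `secretkey: {{ $obj.linode.secretAccessKey }}` are emitted as bare YAML scalars, so a value containing `: ` or ` #`, or starting with `*`, `&`, `!`, `{` or `[`, either breaks the render or is parsed into something other than the literal secret, and the failure only surfaces later as a registry authentication error. Pipe them, and `accesskey: {{ $obj.linode.accessKeyId }}`, through `| quote`, e.g. `secretkey: {{ $obj.linode.secretAccessKey | quote }}`. `multipartcopythresholdsize: "5368709120"` is a quoted string where the Harbor schema this commit removes typed the field as integer; confirm the registry config accepts the string form, otherwise drop the quotes. `encrypt: false` leaves server-side encryption off for registry blobs in the linode branch; if the object store honours the S3 SSE header, `encrypt: true` is the safer default and worth a comment either way.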
diff --git a/values/keycloak/keycloak-otomi-db.gotmpl b/values/keycloak/keycloak-otomi-db.gotmpl index c92b0163ff..50825a7ec7 100644 --- a/values/keycloak/keycloak-otomi-db.gotmpl +++ b/values/keycloak/keycloak-otomi-db.gotmpl @@ -1,11 +1,35 @@ {{- $v := .Values }} {{- $k := $v.apps.keycloak }} {{- $cnpg := $v.apps.cnpg }} +{{- $sp := $cnpg.storage }} {{- $kdb := $v.databases.keycloak }} +{{- $obj := $v.obj.provider }} +{{- $bu := $v.obj.bucket }} +{{- $b := $v.platformBackups.database.keycloak }} name: keycloak-db storage: size: {{ $kdb.size }} +instances: {{ $kdb.replicas }} + +{{- if eq $obj.type "minioLocal" "linode" }} +{{- if $b.enabled }} +backup: + enabled: {{ $b.enabled }} + schedule: {{ $b.schedule }} + retentionPolicy: {{ $b.retentionPolicy }} + type: {{ $obj.type }} +{{- if eq $obj.type "minioLocal" }} + minioLocal: + destinationPath: "s3://{{ $bu.cnpg }}/keycloak" +{{- end }} +{{- if eq $obj.type "linode" }} + linode: + destinationPath: "s3://{{ $bu.cnpg }}/keycloak" + endpointURL: {{ $bu.cnpg }}.{{ $obj.linode.region }}.linodeobjects.com +{{- end }} +{{- end }} +{{- end }} {{- if $kdb.imported }} clusterSpec: @@ -40,6 +64,4 @@ clusterSpec: localeCType: 'en_US.UTF-8' {{- end }} -instances: {{ $kdb.replicas }} - resources: {{- toYaml $kdb.resources | nindent 6 }} \ No newline at end of file diff --git a/values/keycloak/keycloak-raw.gotmpl b/values/keycloak/keycloak-raw.gotmpl index 8c27e09689..aa4ca4431d 100644 --- a/values/keycloak/keycloak-raw.gotmpl +++ b/values/keycloak/keycloak-raw.gotmpl 
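Review bot: `+{{- $sp := $cnpg.storage }}` is added but never referenced in this file, and `apps.cnpg.storage` is removed from values-schema.yaml and from tests/fixtures/env/apps/cnpg.yaml elsewhere in this commit, so the line binds a dead variable to a key that no longer exists; delete it. The harbor counterpart (values/harbor/harbor-otomi-db.gotmpl) removes exactly this line in the same commit, so keeping it here looks like a merge leftover. The `{{- if $kdb.imported }}` block that follows the new backup section starts inside this hunk but its body continues past it.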
@@ -1,15 +1,37 @@ +{{- $v := .Values }} +{{- $otomiAdmin := "otomi-admin" }} +{{- $obj := $v.obj.provider }} + resources: - - apiVersion: v1 - kind: Secret - metadata: - name: custom-ca - data: - custom-ca.pem: {{ .Values._derived.caCert | b64enc }} - - apiVersion: v1 - kind: Secret - metadata: - name: keycloak-initial-admin - namespace: keycloak - data: - password: {{ .Values.otomi.adminPassword | b64enc }} - username: {{ .Values.apps.keycloak.adminUsername | b64enc }} +- apiVersion: v1 + kind: Secret + metadata: + name: custom-ca + data: + custom-ca.pem: {{ .Values._derived.caCert | b64enc }} +- apiVersion: v1 + kind: Secret + metadata: + name: keycloak-initial-admin + namespace: keycloak + data: + password: {{ .Values.otomi.adminPassword | b64enc }} + username: {{ .Values.apps.keycloak.adminUsername | b64enc }} +{{- if eq $obj.type "minioLocal" }} +- apiVersion: v1 + kind: Secret + metadata: + name: minio-creds + data: + MINIO_ACCESS_KEY: "{{ $otomiAdmin | b64enc }}" + MINIO_SECRET_KEY: "{{ $v.otomi.adminPassword | b64enc }}" +{{- end }} +{{- if eq $obj.type "linode" }} +- apiVersion: v1 + kind: Secret + metadata: + name: linode-creds + data: + S3_STORAGE_ACCOUNT: "{{ $obj.linode.accessKeyId | b64enc }}" + S3_STORAGE_KEY: "{{ $obj.linode.secretAccessKey | b64enc }}" +{{- end }} \ No newline at end of file diff --git a/values/loki/loki.gotmpl b/values/loki/loki.gotmpl index 3ae3538463..03fe8eb576 100644 --- a/values/loki/loki.gotmpl +++ b/values/loki/loki.gotmpl @@ -1,6 +1,7 @@ {{- $v := .Values -}} {{- $l:= $v.apps.loki }} -{{- $st := $l.storage }} +{{- $obj := $v.obj.provider }} +{{- $bu := $v.obj.bucket }} nameOverride: loki 
@@ -22,167 +23,39 @@ serviceMonitor: loki: podAnnotations: sidecar.istio.io/inject: "false" - config: |- - auth_enabled: true - server: - http_listen_port: 3100 - common: - compactor_address: http://loki-compactor.monitoring:3100 - distributor: - ring: - kvstore: - store: memberlist - memberlist: - join_members: - - loki-memberlist - ingester: - lifecycler: - ring: - kvstore: - store: memberlist - replication_factor: 1 - chunk_idle_period: 30m - chunk_block_size: 262144 - chunk_encoding: snappy - chunk_retain_period: 1m - max_transfer_retries: 0 - wal: - dir: /var/loki/wal - replay_memory_ceiling: 512MB - limits_config: - enforce_metric_name: false - reject_old_samples: true - reject_old_samples_max_age: 168h - max_cache_freshness_per_query: 10m - split_queries_by_interval: 24h - query_timeout: 5m - runtime_config: - file: /var/loki-runtime/runtime.yaml - chunk_store_config: - max_look_back_period: 0s - table_manager: - retention_deletes_enabled: false - retention_period: 0s - query_range: - align_queries_with_step: true - max_retries: 5 - cache_results: true - results_cache: - cache: - embedded_cache: - enabled: true - ttl: 24h - frontend_worker: - frontend_address: loki-query-frontend-headless.monitoring:9095 - frontend: - log_queries_longer_than: 5s - compress_responses: true - tail_proxy_url: http://loki-querier.monitoring:3100 - compactor: - {{- if eq $st.type "s3" }} + schemaConfig: + configs: + - from: 2020-09-07 + store: boltdb-shipper + object_store: s3 + schema: v11 + index: + prefix: loki_index_ + period: 24h + {{- if eq $obj.type "minioLocal" "linode" }} + storageConfig: + boltdb_shipper: + active_index_directory: /var/loki/index + cache_location: /var/loki/index_cache + resync_interval: 5s shared_store: s3 + aws: + {{- if eq $obj.type "minioLocal" }} + s3: http://otomi-admin:{{ $v.otomi.adminPassword }}@minio.minio.svc.cluster.local.:9000/{{ $bu.loki }} + s3forcepathstyle: true {{- end }} - {{- if eq $st.type "minioLocal" }} - shared_store: s3 - {{- 
end }} - {{- if eq $st.type "azure" }} - shared_store: azure - {{- end }} - {{- if eq $st.type "gcs" }} - shared_store: gcs - {{- end }} - working_directory: /loki/compactor - compaction_interval: 5m - ruler: - storage: - type: local - local: - directory: /etc/loki/rules - ring: - kvstore: - store: memberlist - rule_path: /tmp/loki/scratch - alertmanager_url: https://alertmanager.xx - external_url: https://alertmanager.xx - schema_config: - configs: - - from: {{ $l | get "v11StartDate" "2023-01-01" }} - store: boltdb-shipper - {{- if eq $st.type "minioLocal" }} - object_store: s3 - {{- end }} - {{- if eq $st.type "s3" }} - object_store: s3 - {{- end }} - {{- if eq $st.type "azure" }} - object_store: azure - {{- end }} - {{- if eq $st.type "gcs" }} - object_store: gcs - {{- end }} - schema: v11 - index: - prefix: index_ - period: 24h - storage_config: - boltdb_shipper: - {{- if eq $st.type "minioLocal" }} - shared_store: s3 - {{- end }} - {{- if eq $st.type "s3" }} - shared_store: s3 - {{- end }} - {{- if eq $st.type "azure" }} - shared_store: azure - {{- end }} - {{- if eq $st.type "gcs" }} - shared_store: gcs - {{- end }} - {{- if eq $st.type "filesystem" }} - shared_store: filesystem - {{- end }} - active_index_directory: /var/loki/index - cache_location: /var/loki/cache - cache_ttl: 168h - {{- if eq $st.type "gcs" }} - gcs: - bucket_name: {{ $st.gcs.bucket }} - {{- end }} - {{- if eq $st.type "filesystem" }} - filesystem: - directory: "/var/loki/chunks" - {{- else }} - filesystem: null - {{- end }} - {{- if eq $st.type "minioLocal" }} - aws: - s3: http://otomi-admin:{{ $v.otomi.adminPassword }}@minio.minio.svc.cluster.local.:9000/loki - s3forcepathstyle: true - {{- end }} - {{- if eq $st.type "s3" }} - {{- if $st.s3.useInstanceRole }} - aws: - s3: s3://{{ $st.s3.region }}/{{ $st.s3.bucket }} - dynamodb: - dynamodb_url: dynamodb://{{ $st.s3.region }} - {{- else }} - aws: - s3: s3://{{ $st.s3.accessKeyId }}:{{ $st.s3.secretAccessKey }}@{{ $st.s3.s3Url }}/{{ 
$st.s3.bucket }} - s3forcepathstyle: true - {{- end }} - {{- end }} - {{- if eq $st.type "azure" }} - azure: - account_name: {{ $st.azure.accountName }} - account_key: {{ $st.azure.accountKey }} - container_name: {{ $st.azure.containerName }} - {{- end }} - -{{- if and (eq $st.type "gcs") $st.gcs.serviceAccount }} -serviceAccount: - annotations: - iam.gke.io/gcp-service-account: {{ $st.gcs.serviceAccount }} -{{- end }} + {{- if eq $obj.type "linode" }} + s3: https://{{ $obj.linode.accessKeyId }}:{{ $obj.linode.secretAccessKey }}@{{ $obj.linode.region }}.linodeobjects.com/{{ $bu.loki }} + s3forcepathstyle: true + sse_encryption: false + http_config: + idle_conn_timeout: 90s + insecure_skip_verify: true + backoff_config: + min_period: 2s + max_period: 5s + {{- end }} + {{- end }} ingester: resources: {{- $l.resources.ingester | toYaml | nindent 4 }} @@ -195,14 +68,6 @@ ingester: maxReplicas: {{ $l.autoscaling.ingester.maxReplicas }} targetCPUUtilizationPercentage: {{ $l.autoscaling.ingester.targetCPUUtilizationPercentage }} targetMemoryUtilizationPercentage: {{ $l.autoscaling.ingester.targetMemoryUtilizationPercentage }} - {{- if eq $st.type "filesystem" }} - persistence: - enabled: true - claims: - - name: data - size: {{ $l.persistence.ingester.size }} - storageClass: null - {{- end }} gateway: resources: {{- $l.resources.gateway | toYaml | nindent 4 }} @@ -223,12 +88,6 @@ querier: maxReplicas: {{ $l.autoscaling.querier.maxReplicas }} targetCPUUtilizationPercentage: {{ $l.autoscaling.querier.targetCPUUtilizationPercentage }} targetMemoryUtilizationPercentage: {{ $l.autoscaling.querier.targetMemoryUtilizationPercentage }} - {{- if eq $st.type "filesystem" }} - persistence: - enabled: true - size: {{ $l.persistence.querier.size }} - storageClass: null - {{- end }} distributor: resources: {{- $l.resources.distributor | toYaml | nindent 4 }} diff --git a/values/minio/minio.gotmpl b/values/minio/minio.gotmpl index 70e2833066..066540b406 100644 
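Review bot: The linode branch sets `insecure_skip_verify: true` under `http_config` while the same block embeds `{{ $obj.linode.accessKeyId }}:{{ $obj.linode.secretAccessKey }}` in an `https://…linodeobjects.com` URL; with verification disabled anyone who can interpose on that path can present an arbitrary certificate and capture the object-storage keys and every log chunk, so the line should be removed unless there is a documented reason (the Linode endpoint serves a publicly trusted certificate as far as I know). `sse_encryption: false` likewise opts the loki bucket out of server-side encryption; if deliberate, a comment on the line would help. Loki's `aws` block accepts `access_key_id` and `secret_access_key` fields and honours `-config.expand-env=true`, so the credentials need not be rendered into the URL at all. Note that the removed `filesystem`, `azure`, `gcs` and plain `s3` branches mean an existing install with one of those storage types now renders no `storageConfig` block at all; the commit message should say whether that is the intended cut-over.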
--- a/values/minio/minio.gotmpl +++ b/values/minio/minio.gotmpl @@ -67,7 +67,7 @@ provisioning: - name: loki - name: harbor - name: tempo - - name: database + - name: cnpg policies: - name: otomi-apps statements: @@ -83,8 +83,7 @@ provisioning: - arn:aws:s3:::loki - arn:aws:s3:::harbor - arn:aws:s3:::tempo - - arn:aws:s3:::harbor - - arn:aws:s3:::database + - arn:aws:s3:::cnpg - effect: Allow principal: AWS: @@ -96,7 +95,7 @@ provisioning: - arn:aws:s3:::loki - arn:aws:s3:::harbor - arn:aws:s3:::tempo - - arn:aws:s3:::database + - arn:aws:s3:::cnpg condition: StringEquals: s3:prefix: @@ -116,4 +115,4 @@ provisioning: - arn:aws:s3:::loki/** - arn:aws:s3:::harbor/** - arn:aws:s3:::tempo/** - - arn:aws:s3:::database/** + - arn:aws:s3:::cnpg/** diff --git a/values/tempo/tempo.gotmpl b/values/tempo/tempo.gotmpl index 798d7dff12..a7d5f3e874 100644 --- a/values/tempo/tempo.gotmpl +++ b/values/tempo/tempo.gotmpl @@ -1,13 +1,14 @@ {{- $v := .Values -}} {{- $t:= $v.apps.tempo }} -{{- $st := $t.storage }} +{{- $obj := $v.obj.provider }} +{{- $bu := $v.obj.bucket }} fullnameOverride: tempo ingester: resources: {{- $t.resources.ingester | toYaml | nindent 4 }} - {{- if eq $st.type "filesystem" }} + {{- if eq $obj.type "disabled" }} persistence: enabled: true size: {{ $t.persistence.ingester.size }} # default to 10Gi @@ -65,15 +66,11 @@ metricsGenerator: remote_write: - url: http://po-prometheus.monitoring:9090/api/v1/write +{{- if eq $obj.type "minioLocal" "linode" }} storage: trace: - {{- if eq $st.type "minioLocal" "s3" }} backend: s3 - {{- end }} - {{- if eq $st.type "azure" }} - backend: azure - {{- end }} - {{- if eq $st.type "minioLocal" }} + {{- if eq $obj.type "minioLocal" }} s3: bucket: tempo endpoint: minio.minio.svc.cluster.local:9000 
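Review bot: Renaming the provisioned bucket from `database` to `cnpg` also drops `arn:aws:s3:::database` and `arn:aws:s3:::database/**` from the otomi-apps policy, so objects written to the old bucket by existing installs become unreadable for restore unless they are migrated or the old ARNs are kept for a release. If this is an intended hard cut-over it deserves a line in the release notes; otherwise keep both ARNs during the transition. Removing the duplicated `arn:aws:s3:::harbor` entry is a good cleanup.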
@@ -81,19 +78,14 @@ storage: secret_key: {{ $v.otomi.adminPassword }} insecure: true {{- end }} - {{- if eq $st.type "s3" }} + {{- if eq $obj.type "linode" }} s3: - bucket: {{ $st.s3.bucket }} - endpoint: {{ $st.s3.s3Url }} - access_key: {{ $st.s3.accessKeyId }} - secret_key: {{ $st.s3.secretAccessKey }} - {{- end }} - {{- if eq $st.type "azure" }} - azure: - storage_account_name: {{ $st.azure.accountName }} - storage_account_key: {{ $st.azure.accountKey }} - container_name: {{ $st.azure.containerName }} + bucket: {{ $bu.tempo }} + endpoint: {{ $obj.linode.region }}.linodeobjects.com + access_key: {{ $obj.linode.accessKeyId }} + secret_key: {{ $obj.linode.secretAccessKey }} {{- end }} +{{- end }} traces: otlp: diff --git a/values/velero/velero.gotmpl b/values/velero/velero.gotmpl index d3effe49a2..5f4591fab1 100644 --- a/values/velero/velero.gotmpl +++ b/values/velero/velero.gotmpl @@ -1,8 +1,8 @@ {{- $v := .Values }} {{- $vl := $v.apps.velero }} +{{- $obj := $v.obj.provider }} +{{- $bu := $v.obj.bucket }} {{- $b := $v.platformBackups.persistentVolumes }} -{{- $cp := $vl.cloud }} -{{- $sp := $vl.storage }} resources: {{- $vl.resources | toYaml | nindent 2 }} @@ -15,29 +15,14 @@ metrics: additionalLabels: prometheus: system -{{- if eq $cp.type "custom" }} +{{- if eq $v.cluster.provider "custom" }} snapshotsEnabled: false {{- end }} upgradeCRDs: false cleanUpCRDs: false - - initContainers: - - name: velero-plugin-for-azure - image: velero/velero-plugin-for-microsoft-azure:v1.8.2 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 32Mi - limits: - cpu: 100m - memory: 512Mi - volumeMounts: - - mountPath: /target - name: plugins - name: velero-plugin-for-aws image: velero/velero-plugin-for-aws:v1.8.2 imagePullPolicy: IfNotPresent 
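Review bot: `access_key: {{ $obj.linode.accessKeyId }}` and `secret_key: {{ $obj.linode.secretAccessKey }}` render the Linode object-storage keys in clear into Tempo's storage config, which I believe the tempo-distributed chart ships as a ConfigMap rather than a Secret; the minioLocal branch above already does this with the admin password, but these keys unlock a publicly reachable endpoint. Tempo supports `-config.expand-env=true`, so `access_key: ${S3_ACCESS_KEY}` and `secret_key: ${S3_SECRET_KEY}` sourced from a Secret would keep them out of the ConfigMap. The enclosing `storage:` block continues past the end of this hunk.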
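Review bot: `snapshotsEnabled: false` is now keyed solely on `$v.cluster.provider` being `custom`, yet this commit removes the Azure plugin in this hunk and, further down, the GCP plugin and the aws/azure/gcp `volumeSnapshotLocation` entries, leaving linode as the only provider with a snapshot location; on an aws, azure or google cluster Velero will therefore start with snapshots enabled and no usable VolumeSnapshotLocation, so backups that include PVs are likely to error rather than skip. Either widen the guard to `{{- if ne $v.cluster.provider "linode" }}` or restore the snapshot locations for those providers. The `initContainers` list begun here runs past the end of this hunk.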
@@ -51,8 +36,9 @@ initContainers: volumeMounts: - mountPath: /target name: plugins - - name: velero-plugin-for-gcp - image: velero/velero-plugin-for-gcp:v1.8.2 +{{- if eq $v.cluster.provider "linode" }} + - name: velero-plugin-for-linode + image: displague/velero-plugin-linode:v0.0.1 imagePullPolicy: IfNotPresent resources: requests: @@ -60,10 +46,11 @@ initContainers: memory: 32Mi limits: cpu: 100m - memory: 32Mi + memory: 512Mi volumeMounts: - mountPath: /target name: plugins +{{- end }} podSecurityContext: runAsUser: 1000 
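Review bot: `image: displague/velero-plugin-linode:v0.0.1` pulls a personal Docker Hub image by mutable tag into an init container that writes into the shared `plugins` volume, i.e. it ships executable code into the Velero server process; pin it by digest (`image: displague/velero-plugin-linode:v0.0.1@sha256:<digest>`) or mirror it into a registry the project controls, as the adjacent aws plugin at least comes from the upstream `velero/` namespace. The limit bump from `32Mi` to `512Mi` in the same hunk mirrors the aws block rather than a stated measurement; fine, but a short comment would stop someone from "fixing" it back.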
@@ -71,116 +58,57 @@ podSecurityContext: configuration: # Use restic for File System Backups instead of kopia uploaderType: restic - defaultBackupStorageLocation: otomi - - {{- if eq $sp.type "azureBlob" }} - backupStorageLocation: - - name: otomi - provider: azure - default: true - bucket: {{ $sp.azureBlob.bucket }} - config: - storageAccount: {{ $sp.azureBlob.storageAccount }} - resourceGroup: {{ $sp.azureBlob.resourceGroup }} - {{- end }} - {{- if eq $sp.type "s3" }} + defaultBackupStorageLocation: apl + {{- if eq $obj.type "minioLocal" }} backupStorageLocation: - - name: otomi + - name: apl-minio provider: aws default: true - bucket: {{ $sp.s3.bucket }} - config: - s3Url: {{ $sp.s3.s3Url }} - region: {{ $cp.aws.region }} - {{- end }} - {{- if eq $sp.type "minioLocal" }} - backupStorageLocation: - - name: otomi - provider: aws - default: true - bucket: velero + bucket: {{ $bu.velero}} config: s3Url: http://minio.minio.svc.cluster.local:9000 publicUrl: http://minio.minio.svc.cluster.local:9000 region: minio s3ForcePathStyle: true {{- end }} - {{- if eq $sp.type "gcs" }} + {{- if eq $obj.type "linode" }} backupStorageLocation: - - name: otomi - provider: gcp - default: true - bucket: {{ $sp.gcs.bucket }} - config: - serviceAccount: {{ $sp.gcs.serviceAccount }} - {{- end }} - - {{- if eq $cp.type "azure" }} - volumeSnapshotLocation: - - name: otomi - provider: azure - config: - resourceGroup: {{ $cp.azure.resourceGroup }} - {{- end }} - - {{- if eq $cp.type "aws" }} - volumeSnapshotLocation: - - name: otomi + - name: apl-linode provider: aws + default: true + bucket: {{ $bu.velero }} config: - region: {{ $cp.aws.region }} + s3Url: https://{{ $obj.linode.region }}.linodeobjects.com + region: {{ $obj.linode.region }} + s3ForcePathStyle: true {{- end }} - - {{- if eq $cp.type "google" }} + {{- if eq $v.cluster.provider "linode" }} volumeSnapshotLocation: - - name: otomi - provider: gcp - config: - project: {{ $cp.google.project }} + - name: apl-linode + provider: 
linode.com/velero {{- end }} - # if set Velero will back up all pod volumes using Restic with the exception of service account tokens, secrets, config maps and hostpath volumes defaultVolumesToRestic: {{ $vl.restic.enabled }} logLevel: {{ $vl.logLevel }} + credentials: +{{- with $v.platformBackups.persistentVolumes | get "linodeApiToken" nil }} + extraEnvVars: + linode_token: {{ $v.platformBackups.persistentVolumes.linodeApiToken }} +{{- end }} secretContents: cloud: | -{{- if eq $cp.type "azure" }} - AZURE_RESOURCE_GROUP={{ $cp.azure.resourceGroup }} - AZURE_CLOUD_NAME={{ $cp.azure.environment }} - AZURE_SUBSCRIPTION_ID={{ $cp.azure.subscriptionId }} - AZURE_TENANT_ID={{ $cp.azure.tenantId }} - AZURE_CLIENT_ID={{ $cp.azure.aadClientId }} - AZURE_CLIENT_SECRET={{ $cp.azure.aadClientSecret }} -{{- end }} -{{- if and (eq $sp.type "azureBlob") (not (eq $cp.type "azure")) }} - AZURE_SUBSCRIPTION_ID={{ $sp.azureBlob.subscriptionId }} - AZURE_TENANT_ID={{ $sp.azureBlob.tenantId }} - AZURE_CLIENT_ID={{ $sp.azureBlob.aadClientId }} - AZURE_CLIENT_SECRET={{ $sp.azureBlob.aadClientSecret }} +{{- if eq $obj.type "linode" }} + [default] + aws_access_key_id={{ $obj.linode.accessKeyId }} + aws_secret_access_key={{ $obj.linode.secretAccessKey }} {{- end }} -{{- if eq $sp.type "minioLocal" }} +{{- if eq $obj.type "minioLocal" }} [default] aws_access_key_id=otomi-admin aws_secret_access_key={{ $v.otomi.adminPassword }} {{- end }} -{{- if eq $cp.type "aws" }} - [default] - aws_access_key_id={{ $cp.s3.accessKeyId }} - aws_secret_access_key={{ $cp.s3.secretAccessKey }} -{{- end }} -{{- if and (eq $sp.type "s3") (not (eq $cp.type "aws")) }} - [default] - aws_access_key_id={{ $sp.s3.accessKeyId }} - aws_secret_access_key={{ $sp.s3.secretAccessKey }} -{{- end }} -{{- if eq $cp.type "google" }} - '{{ $cp.google.saKeyJson }}' -{{- end }} -{{- if and (eq $sp.type "gcs") (not (eq $cp.type "google")) }} - '{{ $sp.gcs.saKeyJson }}' -{{- end }} kubectl: # Resource requests/limits to specify for 
the upgrade/cleanup job. @@ -205,8 +133,8 @@ nodeAgent: runAsUser: 1338 fsGroup: 1338 -schedules: {{- if $b.gitea.enabled }} +schedules: gitea: disabled: false schedule: {{ $b.gitea.schedule }} @@ -219,80 +147,5 @@ schedules: - pv - pvc includeClusterResources: true - storageLocation: otomi -{{- end }} -{{- if $b.keycloak.enabled }} - keycloak: - disabled: false - schedule: {{ $b.keycloak.schedule }} - useOwnerReferencesInBackup: false - template: - ttl: {{ $b.keycloak.ttl }} - includedNamespaces: - - keycloak - includedResources: - - pv - - pvc - includeClusterResources: true - storageLocation: otomi -{{- end }} -{{- if $b.drone.enabled }} - drone: - disabled: false - schedule: {{ $b.drone.schedule }} - useOwnerReferencesInBackup: false - template: - ttl: {{ $b.drone.ttl }} - includedNamespaces: - - drone - includedResources: - - pv - - pvc - includeClusterResources: true - storageLocation: otomi -{{- end }} -{{- if $b.harbor.enabled }} - harbor: - disabled: false - schedule: {{ $b.harbor.schedule }} - useOwnerReferencesInBackup: false - template: - ttl: {{ $b.harbor.ttl }} - includedNamespaces: - - harbor - includedResources: - - pv - - pvc - includeClusterResources: true - storageLocation: otomi -{{- end }} -{{- if $b.argo.enabled }} - argocd: - disabled: false - schedule: {{ $b.argo.schedule }} - useOwnerReferencesInBackup: false - template: - ttl: {{ $b.argo.ttl }} - includedNamespaces: - - argocd - includedResources: - - pv - - pvc - includeClusterResources: true - storageLocation: otomi -{{- end }} -{{- if $b.minio.enabled }} - minio: - disabled: false - schedule: {{ $b.minio.schedule }} - useOwnerReferencesInBackup: false - template: - ttl: {{ $b.kubeapps.ttl }} - includedNamespaces: - - minio - includedResources: - - pv - - pvc - includeClusterResources: true - storageLocation: otomi -{{- end }} + storageLocation: apl +{{- end }} \ No newline at end of file diff --git a/versions.yaml b/versions.yaml index 3ed377cbd7..152751225e 100644 --- a/versions.yaml 
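Review bot: `defaultBackupStorageLocation: apl` and the gitea schedule's `storageLocation: apl` reference a BackupStorageLocation named `apl`, but the only locations this hunk defines are `apl-minio` and `apl-linode`; unless an `apl` BSL is created elsewhere, Velero will fail validation on the schedule and log errors about the default location, so either name the BSL `apl` in both branches (they are mutually exclusive already) or point both references at the rendered name. The `linode.com/velero` `volumeSnapshotLocation` is emitted whenever `$v.cluster.provider` is `linode`, while `linode_token` is only set when `linodeApiToken` is present, so a Linode cluster without a token gets a snapshot location that cannot authenticate; gate both on the same condition and reuse the `$b` variable already bound to `platformBackups.persistentVolumes` instead of `$v.platformBackups.persistentVolumes | get "linodeApiToken" nil`. `bucket: {{ $bu.velero}}` is missing the space before the closing braces that the linode block has; cosmetic, but it renders the same and is easy to fix while here.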
+++ b/versions.yaml @@ -1,4 +1,4 @@ -api: main -console: main -tasks: main +api: sr-storage-backup-refactor +console: sr-storage-backup-refactor +tasks: 2.5.0 tools: 1.6.4