From 54102eac60ae6acf157a1c5d28b08dd4c3823886 Mon Sep 17 00:00:00 2001 
From: John Peterson Date: Mon, 12 Oct 2020 12:30:43 -0700 Subject: [PATCH] Openshift Pipelines operator v1.1.1 --- .../operator/pipeline-operator/.gitignore | 24 + .../operator/pipeline-operator/CHANGELOG.md | 5 + .../pipeline-operator/CONTRIBUTING.md | 78 + .../operator/pipeline-operator/Dockerfile | 13 + .../operator/pipeline-operator/Makefile | 92 ++ Openshift4/operator/pipeline-operator/PROJECT | 8 + .../operator/pipeline-operator/README.md | 39 + ...shiftpipelines.charts.helm.k8s.io.crd.yaml | 29 + ...operator.v1.1.1.clusterserviceversion.yaml | 502 +++++++ .../bundle/1.1.1/metadata/annotations.yaml | 12 + .../openshiftpipeline-operator.package.yaml | 5 + .../bundle/bundle-1.1.1.Dockerfile | 19 + .../openshiftpipeline-operator.package.yaml | 5 + .../charts.my.domain_openshiftpipelines.yaml | 44 + .../config/crd/kustomization.yaml | 6 + .../config/default/kustomization.yaml | 26 + .../default/manager_auth_proxy_patch.yaml | 26 + .../config/manager/kustomization.yaml | 2 + .../config/manager/manager.yaml | 38 + .../config/prometheus/kustomization.yaml | 2 + .../config/prometheus/monitor.yaml | 16 + .../rbac/auth_proxy_client_clusterrole.yaml | 7 + .../config/rbac/auth_proxy_role.yaml | 13 + .../config/rbac/auth_proxy_role_binding.yaml | 12 + .../config/rbac/auth_proxy_service.yaml | 14 + .../config/rbac/kustomization.yaml | 12 + .../config/rbac/leader_election_role.yaml | 25 + .../rbac/leader_election_role_binding.yaml | 12 + .../rbac/openshiftpipelines_editor_role.yaml | 24 + .../rbac/openshiftpipelines_viewer_role.yaml | 20 + .../pipeline-operator/config/rbac/role.yaml | 77 + .../config/rbac/role_binding.yaml | 12 + .../charts_v1alpha1_openshiftpipelines.yaml | 1291 ++++++++++++++++ .../config/scorecard/bases/config.yaml | 7 + .../config/scorecard/kustomization.yaml | 16 + .../scorecard/patches/basic.config.yaml | 10 + .../config/scorecard/patches/olm.config.yaml | 50 + .../openshift-pipelines/CHANGELOG.md | 8 + .../openshift-pipelines/Chart.yaml | 16 + 
.../helm-charts/openshift-pipelines/LICENSE | 201 +++ .../helm-charts/openshift-pipelines/README.md | 223 +++ .../charts/pipelines/.helmignore | 22 + .../charts/pipelines/CHANGELOG.md | 176 +++ .../charts/pipelines/Chart.yaml | 21 + .../charts/pipelines/LICENSE | 202 +++ .../charts/pipelines/OWNERS | 8 + .../charts/pipelines/README.md | 220 +++ .../pipelines/charts/postgresql/.helmignore | 21 + .../pipelines/charts/postgresql/Chart.yaml | 22 + .../pipelines/charts/postgresql/README.md | 576 +++++++ .../charts/postgresql/ci/default-values.yaml | 1 + .../ci/shmvolume-disabled-values.yaml | 2 + .../charts/postgresql/files/README.md | 1 + .../charts/postgresql/files/conf.d/README.md | 4 + .../docker-entrypoint-initdb.d/README.md | 3 + .../charts/postgresql/templates/NOTES.txt | 60 + .../charts/postgresql/templates/_helpers.tpl | 420 ++++++ .../postgresql/templates/configmap.yaml | 26 + .../templates/extended-config-configmap.yaml | 21 + .../templates/initialization-configmap.yaml | 24 + .../templates/metrics-configmap.yaml | 13 + .../postgresql/templates/metrics-svc.yaml | 26 + .../postgresql/templates/networkpolicy.yaml | 38 + .../postgresql/templates/prometheusrule.yaml | 23 + .../charts/postgresql/templates/secrets.yaml | 23 + .../postgresql/templates/serviceaccount.yaml | 11 + .../postgresql/templates/servicemonitor.yaml | 33 + .../templates/statefulset-slaves.yaml | 299 ++++ .../postgresql/templates/statefulset.yaml | 453 ++++++ .../postgresql/templates/svc-headless.yaml | 19 + .../charts/postgresql/templates/svc-read.yaml | 42 + .../charts/postgresql/templates/svc.yaml | 40 + .../charts/postgresql/values-production.yaml | 542 +++++++ .../charts/postgresql/values.schema.json | 103 ++ .../pipelines/charts/postgresql/values.yaml | 548 +++++++ .../pipelines/charts/rabbitmq/.helmignore | 21 + .../pipelines/charts/rabbitmq/Chart.yaml | 17 + .../pipelines/charts/rabbitmq/README.md | 410 +++++ .../ci/affinity-toleration-values.yaml | 14 + 
.../charts/rabbitmq/ci/default-values.yaml | 1 + .../rabbitmq/ci/networkpolicy-values.yaml | 11 + .../charts/rabbitmq/templates/NOTES.txt | 79 + .../charts/rabbitmq/templates/_helpers.tpl | 242 +++ .../charts/rabbitmq/templates/certs.yaml | 20 + .../rabbitmq/templates/configuration.yaml | 45 + .../rabbitmq/templates/healthchecks.yaml | 33 + .../charts/rabbitmq/templates/ingress.yaml | 42 + .../rabbitmq/templates/networkpolicy.yaml | 40 + .../charts/rabbitmq/templates/pdb.yaml | 18 + .../rabbitmq/templates/prometheusrule.yaml | 25 + .../charts/rabbitmq/templates/role.yaml | 19 + .../rabbitmq/templates/rolebinding.yaml | 19 + .../charts/rabbitmq/templates/secrets.yaml | 40 + .../rabbitmq/templates/serviceaccount.yaml | 14 + .../rabbitmq/templates/servicemonitor.yaml | 38 + .../rabbitmq/templates/statefulset.yaml | 345 +++++ .../rabbitmq/templates/svc-headless.yaml | 33 + .../charts/rabbitmq/templates/svc.yaml | 74 + .../charts/rabbitmq/values-production.yaml | 583 ++++++++ .../charts/rabbitmq/values.schema.json | 100 ++ .../pipelines/charts/rabbitmq/values.yaml | 544 +++++++ .../charts/pipelines/charts/redis/.helmignore | 21 + .../charts/pipelines/charts/redis/Chart.yaml | 20 + .../charts/pipelines/charts/redis/README.md | 499 +++++++ .../charts/redis/ci/default-values.yaml | 1 + .../pipelines/charts/redis/ci/dev-values.yaml | 9 + .../charts/redis/ci/extra-flags-values.yaml | 11 + .../redis/ci/insecure-sentinel-values.yaml | 524 +++++++ .../redis/ci/production-sentinel-values.yaml | 524 +++++++ .../charts/redis/ci/production-values.yaml | 525 +++++++ .../charts/redis/ci/redis-lib-values.yaml | 13 + .../redis/ci/redisgraph-module-values.yaml | 10 + .../charts/redis/templates/NOTES.txt | 104 ++ .../charts/redis/templates/_helpers.tpl | 355 +++++ .../charts/redis/templates/configmap.yaml | 53 + .../charts/redis/templates/headless-svc.yaml | 25 + .../redis/templates/health-configmap.yaml | 155 ++ .../redis/templates/metrics-prometheus.yaml | 32 + 
.../charts/redis/templates/metrics-svc.yaml | 31 + .../charts/redis/templates/networkpolicy.yaml | 74 + .../redis/templates/prometheusrule.yaml | 25 + .../pipelines/charts/redis/templates/psp.yaml | 43 + .../templates/redis-master-statefulset.yaml | 420 ++++++ .../redis/templates/redis-master-svc.yaml | 40 + .../charts/redis/templates/redis-role.yaml | 22 + .../redis/templates/redis-rolebinding.yaml | 19 + .../redis/templates/redis-serviceaccount.yaml | 12 + .../templates/redis-slave-statefulset.yaml | 438 ++++++ .../redis/templates/redis-slave-svc.yaml | 41 + .../templates/redis-with-sentinel-svc.yaml | 41 + .../charts/redis/templates/secret.yaml | 15 + .../charts/redis/values-production.yaml | 633 ++++++++ .../pipelines/charts/redis/values.schema.json | 168 +++ .../charts/pipelines/charts/redis/values.yaml | 633 ++++++++ .../charts/pipelines/ci/default-values.yaml | 21 + .../charts/pipelines/icon/pipelines-logo.png | Bin 0 -> 77148 bytes .../charts/pipelines/requirements.lock | 12 + .../charts/pipelines/requirements.yaml | 13 + .../charts/pipelines/templates/NOTES.txt | 13 + .../charts/pipelines/templates/_helpers.tpl | 116 ++ .../pipelines/templates/api-ingress.yaml | 40 + .../pipelines/templates/api-service.yaml | 33 + .../templates/buildplane-config-aws.yaml | 20 + .../templates/buildplane-config-k8s.yaml | 19 + .../templates/buildplane-secret-aws.yaml | 12 + .../templates/buildplane-secret-k8s.yaml | 11 + .../pipelines/templates/database-secret.yaml | 20 + .../pipelines/templates/filebeat-config.yaml | 11 + .../templates/pipelines-configmaps.yaml | 10 + .../pipelines/templates/pipelines-hpa.yaml | 20 + .../pipelines/templates/pipelines-role.yaml | 10 + .../templates/pipelines-rolebinding.yaml | 16 + .../templates/pipelines-service-headless.yaml | 21 + .../templates/pipelines-statefulset.yaml | 468 ++++++ .../templates/pipelines-system-yaml.yaml | 13 + .../pipelines/templates/rabbitmq-secret.yaml | 12 + .../templates/rabbitmq-service-vm-int-lb.yaml | 34 + 
.../pipelines/templates/service-account.yaml | 6 + .../pipelines/templates/vault-configmaps.yaml | 10 + .../pipelines/templates/vault-role.yaml | 11 + .../templates/vault-rolebinding.yaml | 16 + .../pipelines/templates/vault-secret.yaml | 11 + .../templates/vault-service-headless.yaml | 23 + .../pipelines/templates/vault-service.yaml | 22 + .../templates/vault-serviceaccount.yaml | 9 + .../templates/vault-statefulset.yaml | 197 +++ .../pipelines/templates/www-ingress.yaml | 40 + .../pipelines/templates/www-service.yaml | 33 + .../values-ingress-external-secret.yaml | 105 ++ .../pipelines/values-ingress-passwords.yaml | 25 + .../charts/pipelines/values-ingress.yaml | 93 ++ .../charts/pipelines/values.yaml | 1317 +++++++++++++++++ .../openshift-pipelines/requirements.yaml | 4 + .../openshift-pipelines/values.yaml | 1199 +++++++++++++++ .../pipeline-operator/licenses/LICENSE | 202 +++ .../operator/pipeline-operator/watches.yaml | 6 + 176 files changed, 19721 insertions(+) create mode 100644 Openshift4/operator/pipeline-operator/.gitignore create mode 100755 Openshift4/operator/pipeline-operator/CHANGELOG.md create mode 100644 Openshift4/operator/pipeline-operator/CONTRIBUTING.md create mode 100644 Openshift4/operator/pipeline-operator/Dockerfile create mode 100644 Openshift4/operator/pipeline-operator/Makefile create mode 100644 Openshift4/operator/pipeline-operator/PROJECT create mode 100644 Openshift4/operator/pipeline-operator/README.md create mode 100644 Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/openshiftpipelines.charts.helm.k8s.io.crd.yaml create mode 100644 Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/pipeline-operator.v1.1.1.clusterserviceversion.yaml create mode 100644 Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/annotations.yaml create mode 100644 Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/openshiftpipeline-operator.package.yaml create mode 100644 
Openshift4/operator/pipeline-operator/bundle/bundle-1.1.1.Dockerfile create mode 100644 Openshift4/operator/pipeline-operator/bundle/openshiftpipeline-operator.package.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/crd/bases/charts.my.domain_openshiftpipelines.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/crd/kustomization.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/default/kustomization.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/default/manager_auth_proxy_patch.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/manager/kustomization.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/manager/manager.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/prometheus/kustomization.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/prometheus/monitor.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_client_clusterrole.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role_binding.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_service.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/kustomization.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/leader_election_role.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/leader_election_role_binding.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_editor_role.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_viewer_role.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/role.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/rbac/role_binding.yaml create mode 100644 
Openshift4/operator/pipeline-operator/config/samples/charts_v1alpha1_openshiftpipelines.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/scorecard/bases/config.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/scorecard/kustomization.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/scorecard/patches/basic.config.yaml create mode 100644 Openshift4/operator/pipeline-operator/config/scorecard/patches/olm.config.yaml create mode 100755 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/CHANGELOG.md create mode 100755 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/Chart.yaml create mode 100755 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/LICENSE create mode 100755 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/README.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/.helmignore create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/CHANGELOG.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/Chart.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/LICENSE create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/OWNERS create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/README.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/.helmignore create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/Chart.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/README.md create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/default-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/shmvolume-disabled-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/README.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/conf.d/README.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/docker-entrypoint-initdb.d/README.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/NOTES.txt create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/_helpers.tpl create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/configmap.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/extended-config-configmap.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/initialization-configmap.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-configmap.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-svc.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/networkpolicy.yaml create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/prometheusrule.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/secrets.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/serviceaccount.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/servicemonitor.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset-slaves.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-headless.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-read.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values-production.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.schema.json create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/.helmignore create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/Chart.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/README.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/affinity-toleration-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/default-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/networkpolicy-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/NOTES.txt create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/_helpers.tpl create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/certs.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/configuration.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/healthchecks.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/ingress.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/networkpolicy.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/pdb.yaml create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/prometheusrule.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/role.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/rolebinding.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/secrets.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/serviceaccount.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/servicemonitor.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/statefulset.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc-headless.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values-production.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.schema.json create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/.helmignore create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/Chart.yaml 
create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/README.md create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/default-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/dev-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/extra-flags-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/insecure-sentinel-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-sentinel-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redis-lib-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redisgraph-module-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/NOTES.txt create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/_helpers.tpl create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/configmap.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/headless-svc.yaml create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/health-configmap.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-prometheus.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-svc.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/networkpolicy.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/prometheusrule.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/psp.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-statefulset.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-svc.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-role.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-rolebinding.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-serviceaccount.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-statefulset.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-svc.yaml create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-with-sentinel-svc.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/secret.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values-production.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.schema.json create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/ci/default-values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/icon/pipelines-logo.png create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.lock create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/NOTES.txt create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/_helpers.tpl create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-ingress.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-service.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-aws.yaml create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-k8s.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-aws.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-k8s.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/database-secret.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/filebeat-config.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-configmaps.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-hpa.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-role.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-rolebinding.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-service-headless.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-statefulset.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-system-yaml.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-secret.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-service-vm-int-lb.yaml create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/service-account.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-configmaps.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-role.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-rolebinding.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-secret.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service-headless.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-serviceaccount.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-statefulset.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-ingress.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-service.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-external-secret.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-passwords.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress.yaml create mode 100644 
Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/requirements.yaml create mode 100644 Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/values.yaml create mode 100755 Openshift4/operator/pipeline-operator/licenses/LICENSE create mode 100644 Openshift4/operator/pipeline-operator/watches.yaml
diff --git a/Openshift4/operator/pipeline-operator/.gitignore b/Openshift4/operator/pipeline-operator/.gitignore
new file mode 100644
index 0000000..d97ffc5
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/.gitignore
@@ -0,0 +1,24 @@
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+*.swp
+*.swo
+*~
diff --git a/Openshift4/operator/pipeline-operator/CHANGELOG.md b/Openshift4/operator/pipeline-operator/CHANGELOG.md
new file mode 100755
index 0000000..69b3240
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/CHANGELOG.md
@@ -0,0 +1,5 @@
+# JFrog Openshift Xray Chart Changelog
+All changes to this chart will be documented in this file.
+
+## [1.1.1] Oct 9, 2020
+* Operator version 1.1.1 Openshift RT version 7.9.0, Xray version 3.8.8, Pipelines version 1.8.0
diff --git a/Openshift4/operator/pipeline-operator/CONTRIBUTING.md b/Openshift4/operator/pipeline-operator/CONTRIBUTING.md
new file mode 100644
index 0000000..0c5037c
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/CONTRIBUTING.md
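Review bot: In the .gitignore hunk, the comment `# Kubernetes Generated files - skip generated files, except for vendored files` is followed only by a blank line and the negation `!vendor/**/zz_generated.*`, so there is no ignore rule for the negation to re-include from and the line has no effect. Either restore the rule the comment describes by adding `zz_generated.*` on the line before the negation, or drop the comment and the negation together. The file list of this commit shows a Helm chart tree and no Go sources, so the binary and coverage patterns look like scaffold defaults rather than rules chosen for this project. The diffstat also adds `values-ingress-passwords.yaml`, whose contents are outside this part of the patch; it is worth confirming that it carries placeholders only, since nothing in this ignore list keeps locally edited values files with real credentials out of the repository.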
@@ -0,0 +1,78 @@
+# JFrog welcomes community contribution!
+
+Before we can accept your contribution, process your GitHub pull requests, and thank you full-heartedly, we request that you will fill out and submit JFrog's Contributor License Agreement (CLA).
+
+[Click here](https://gist.github.com/jfrog-ecosystem/7d4fbeaac18edbd3cfc38831125acbb3) to view the JFrog CLA.
+
+Please comment in your pull request to mark your acceptance for now until CLA assistant is fixed.
+
+"I have read the CLA Document and I hereby sign the CLA"
+
+This should only take a minute to complete and is a one-time process.
+
+*Thanks for Your Contribution to the Community!* :-)
+
+## Pull Request Process ##
+
+- Fork this repository.
+- Clone the forked repository to your local machine and perform the proposed changes.
+- Test the changes in your own K8s environment and confirm everything works end to end.
+- Update the CHANGELOG.md
+- Submit a PR with the relevant information and check the applicable boxes and fill out the questions.
+
+## Acceptance Criteria ##
+
+- Pull requests must pass all automated checks
+- CHANGELOG.md has relevant changes
+- README.md has been updated if required
+- One approval from JFrog reviewers
+
+Upon the success of the above the pull request will be mergable into master branch. Upon merge the source branch will be removed.
+
+Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is SemVer.
+You may merge the Pull Request in once you have the sign-off of one other developer.
+
+## Code of Conduct
+### Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+### Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+ ````
+ Using welcoming and inclusive language
+ Being respectful of differing viewpoints and experiences
+ Gracefully accepting constructive criticism
+ Focusing on what is best for the company
+ Showing empathy towards other colleagues
+ ````
+
+Examples of unacceptable behavior by participants include:
+
+ ````
+ The use of sexualized language or imagery and unwelcome sexual attention or advances
+ Trolling, insulting/derogatory comments, and personal or political attacks
+ Public or private harassment
+ Publishing others' private information, such as a physical or electronic address, without explicit permission
+ Other conduct which could reasonably be considered inappropriate in a professional setting
+ ````
+### Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project. Examples of representing a project include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at Slack #xray_splunk . All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the Contributor Covenant, version 1.4, available at http://contributor-covenant.org/version/1/4
diff --git a/Openshift4/operator/pipeline-operator/Dockerfile b/Openshift4/operator/pipeline-operator/Dockerfile
new file mode 100644
index 0000000..f7e527f
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/Dockerfile
@@ -0,0 +1,13 @@
+# Build the manager binary
+FROM quay.io/operator-framework/helm-operator:v1.0.1
+LABEL name="JFrog Pipelines Enterprise Operator" \
+ description="Openshift operator to deploy JFrog Pipelines Enterprise based on the Red Hat Universal Base Image." \
+ vendor="JFrog" \
+ summary="JFrog Pipelines Enterprise Operator" \
+ com.jfrog.license_terms="https://jfrog.com/platform/enterprise-plus-eula/"
+
+COPY licenses/ /licenses
+ENV HOME=/opt/helm
+COPY watches.yaml ${HOME}/watches.yaml
+COPY helm-charts ${HOME}/helm-charts
+WORKDIR ${HOME}
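Review bot: The base image in `FROM quay.io/operator-framework/helm-operator:v1.0.1` is pinned by tag only, so a rebuild can silently pick up different content if that tag is ever moved; pinning by digest, `FROM quay.io/operator-framework/helm-operator:v1.0.1@sha256:<digest-of-the-reviewed-image>`, keeps the published operator image reproducible and auditable. `COPY helm-charts ${HOME}/helm-charts` bakes the whole chart tree into the image, and the commit's file list includes `values-ingress-passwords.yaml`, so it is worth confirming that file holds only placeholders before the image is pushed. The opening comment `# Build the manager binary` does not match what the file does (it layers `watches.yaml` and the charts onto the helm-operator image) and could read `# Package the Helm charts on top of the helm-operator base image`.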
diff --git a/Openshift4/operator/pipeline-operator/Makefile b/Openshift4/operator/pipeline-operator/Makefile
new file mode 100644
index 0000000..18155ac
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/Makefile
@@ -0,0 +1,92 @@
+# Current Operator version
+VERSION ?= 0.0.1
+# Default bundle image tag
+BUNDLE_IMG ?= controller-bundle:$(VERSION)
+# Options for 'bundle-build'
+ifneq ($(origin CHANNELS), undefined)
+BUNDLE_CHANNELS := --channels=$(CHANNELS)
+endif
+ifneq ($(origin DEFAULT_CHANNEL), undefined)
+BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
+endif
+BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
+
+# Image URL to use all building/pushing image targets
+IMG ?= controller:latest
+
+all: docker-build
+
+# Run against the configured Kubernetes cluster in ~/.kube/config
+run: helm-operator
+ $(HELM_OPERATOR) run
+
+# Install CRDs into a cluster
+install: kustomize
+ $(KUSTOMIZE) build config/crd | kubectl apply -f -
+
+# Uninstall CRDs from a cluster
+uninstall: kustomize
+ $(KUSTOMIZE) build config/crd | kubectl delete -f -
+
+# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
+deploy: kustomize
+ cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+ $(KUSTOMIZE) build config/default | kubectl apply -f -
+
+# Undeploy controller in the configured Kubernetes cluster in ~/.kube/config
+undeploy: kustomize
+ $(KUSTOMIZE) build config/default | kubectl delete -f -
+
+# Build the docker image
+docker-build:
+ docker build . -t ${IMG}
+
+# Push the docker image
+docker-push:
+ docker push ${IMG}
+
+PATH := $(PATH):$(PWD)/bin
+SHELL := env PATH=$(PATH) /bin/sh
+OS = $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH = $(shell uname -m | sed 's/x86_64/amd64/')
+OSOPER = $(shell uname -s | tr '[:upper:]' '[:lower:]' | sed 's/darwin/apple-darwin/' | sed 's/linux/linux-gnu/')
+ARCHOPER = $(shell uname -m )
+
+kustomize:
+ifeq (, $(shell which kustomize 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p bin ;\
+ curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.5.4/kustomize_v3.5.4_$(OS)_$(ARCH).tar.gz | tar xzf - -C bin/ ;\
+ }
+KUSTOMIZE=$(realpath ./bin/kustomize)
+else
+KUSTOMIZE=$(shell which kustomize)
+endif
+
+helm-operator:
+ifeq (, $(shell which helm-operator 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p bin ;\
+ curl -LO https://github.com/operator-framework/operator-sdk/releases/download/v1.0.1/helm-operator-v1.0.1-$(ARCHOPER)-$(OSOPER) ;\
+ mv helm-operator-v1.0.1-$(ARCHOPER)-$(OSOPER) ./bin/helm-operator ;\
+ chmod +x ./bin/helm-operator ;\
+ }
+HELM_OPERATOR=$(realpath ./bin/helm-operator)
+else
+HELM_OPERATOR=$(shell which helm-operator)
+endif
+
+# Generate bundle manifests and metadata, then validate generated files.
+.PHONY: bundle
+bundle: kustomize
+ operator-sdk generate kustomize manifests -q
+ cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
+ $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+ operator-sdk bundle validate ./bundle
+
+# Build the bundle image.
+.PHONY: bundle-build
+bundle-build:
+ docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) .
diff --git a/Openshift4/operator/pipeline-operator/PROJECT b/Openshift4/operator/pipeline-operator/PROJECT
new file mode 100644
index 0000000..2ca1853
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/PROJECT
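Review bot: The `kustomize` and `helm-operator` recipes download release binaries that the other targets then execute (`$(KUSTOMIZE) build …`, `$(HELM_OPERATOR) run`) against the configured cluster, with no integrity check on what was fetched. In the helm-operator recipe `curl -LO` also lacks `-f`, so an HTTP error body would be saved, moved to `./bin/helm-operator` and marked executable. I would fetch with `curl -fsSLo bin/helm-operator <release-url>` and verify before the `chmod +x` with `echo "$(HELM_OPERATOR_SHA256)  bin/helm-operator" | sha256sum -c -` (`shasum -a 256 -c -` on macOS), doing the same for the kustomize tarball before extracting it; `HELM_OPERATOR_SHA256` is a placeholder for a per-OS/arch digest recorded in the Makefile. Separately, `IMG ?= controller:latest` leaves `docker-push` and `deploy` on a mutable tag unless the caller overrides it, so a versioned default would be safer.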
@@ -0,0 +1,8 @@
+domain: my.domain
+layout: helm.sdk.operatorframework.io/v1
+projectName: pipeline-operator
+resources:
+- group: charts
+ kind: OpenshiftPipelines
+ version: v1alpha1
+version: 3-alpha
diff --git a/Openshift4/operator/pipeline-operator/README.md b/Openshift4/operator/pipeline-operator/README.md
new file mode 100644
index 0000000..1406bd3
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/README.md
@@ -0,0 +1,39 @@
+# JFrog Pipeline Enterprise Operator
+
+This code base is intended to deploy Pipelines as an operator to an Openshift4 cluster.
+Openshift OperatorHub has the latest official supported Cluster Service Version (CSV) for the OLM catalog.
+
+## Prerequisites
+
+###### Openshift 4 Cluster
+
+Available on AWS, GCP, or Azure. Follow the Cloud installer guide available here:
+
+[Openshift 4 Installers](https://cloud.redhat.com/openshift/install)
+
+###### Openshift 4 Command Line Tools
+
+Download and install the Openshift command line tool: oc
+
+[Getting Started with CLI](https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_cli/getting-started-cli.html)
+
+## Cluster Setup
+###### Security Context Constraints - Anyuid
+
+Openshift only allows statefulsets / pods to run in specific user and group id ranges.
+Pipelines currently uses users outside of this allowed range since some containers must run as root.
+Depending upon your namespace you must be granted anyuid privileges to the pipeline-operator service account.
+
+```
+oc adm policy add-scc-to-user anyuid -z pipeline-operator
+```
+
+## Contributing
+Please read [CONTRIBUTING.md](JFrog-Cloud-Installers/Openshift4/xray-operator/CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us.
+
+## Versioning
+We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/jfrog/JFrog-Cloud-Installers/tags).
+
+## Contact
+
+Github Issues
\ No newline at end of file
diff --git a/Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/openshiftpipelines.charts.helm.k8s.io.crd.yaml b/Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/openshiftpipelines.charts.helm.k8s.io.crd.yaml
new file mode 100644
index 0000000..d0434aa
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/openshiftpipelines.charts.helm.k8s.io.crd.yaml
@@ -0,0 +1,29 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: openshiftpipelines.charts.helm.k8s.io
+spec:
+ group: charts.helm.k8s.io
+ names:
+ kind: OpenshiftPipeline
+ listKind: OpenshiftPipelineList
+ plural: openshiftpipelines
+ singular: openshiftpipeline
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ''
+ plural: ''
+ conditions: null
+ storedVersions: null
diff --git a/Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/pipeline-operator.v1.1.1.clusterserviceversion.yaml b/Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/pipeline-operator.v1.1.1.clusterserviceversion.yaml
new file mode 100644
index 0000000..3c51b9b
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/bundle/1.1.1/manifests/pipeline-operator.v1.1.1.clusterserviceversion.yaml
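Review bot: The schema under `validation.openAPIV3Schema` is only `type: object`, so the API server accepts any `spec` on this resource and nothing is rejected at admission. The ClusterServiceVersion example in this commit suggests the spec carries database and messaging credentials plus join and master keys, so describing at least the expected `spec.pipelines` structure would catch malformed or misplaced values before they reach Helm. The CRD also declares kind `OpenshiftPipeline` in group `charts.helm.k8s.io`, whereas the PROJECT file added here declares kind `OpenshiftPipelines` under domain `my.domain`. Which of the two `watches.yaml` registers is not visible in this hunk, so the pair should be checked for agreement. A comment such as `# kind/group must match watches.yaml and the CSV's owned CRD entry` next to `names:` would make that dependency explicit.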
@@ -0,0 +1,502 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "charts.helm.k8s.io/v1alpha1", + "kind": "OpenshiftPipeline", + "metadata": { + "name": "openshiftpipeline" + }, + "spec": { + "pipelines": { + "global": { + "postgresql": { + "host": "OVERRIDE", + "port": "OVERRIDE", + "database": "OVERRIDE", + "user": "OVERRIDE", + "password": "OVERRIDE", + "ssl": "false" + } + }, + "initContainer": { + "image": "registry.connect.redhat.com/jfrog/pipelines-init:1.8.0", + "pullPolicy": "Always" + }, + "imageRegistry": "registry.connect.redhat.com", + "securityContext": { + "enabled": true, + "uid": "1000721117", + "gid": "1000721117" + }, + "pipelines": { + "version": "1.8.0", + "jfrogUrl": "OVERRIDE", + "jfrogUrlUI": "OVERRIDE", + "accessControlAllowOrigins_0": "OVERRIDE", + "accessControlAllowOrigins_1": "OVERRIDE", + "joinKey": "OVERRIDE", + "masterKey": "OVERRIDE", + "api": { + "image": { + "repository": "jfrog/pipelines-api", + "pullPolicy": "Always" + }, + "externalUrl": "OVERRIDE" + }, + "www": { + "image": { + "repository": "jfrog/pipelines-www", + "pullPolicy": "Always" + }, + "externalUrl": "OVERRIDE" + }, + "router": { + "image": { + "repository": "jfrog/pipelines-router", + "pullPolicy": "Always" + } + }, + "msg": { + "uiUser": "OVERRIDE", + "uiUserPassword": "OVERRIDE" + }, + "pipelineSync": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "runTrigger": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "stepTrigger": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "cron": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "nexec": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "hookHandler": { + "image": { + "repository": "jfrog/pipelines-micro", + 
"pullPolicy": "Always" + } + }, + "marshaller": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "logup": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "extensionSync": { + "image": { + "repository": "jfrog/pipelines-micro", + "pullPolicy": "Always" + } + }, + "pipelinesInit": { + "image": { + "repository": "jfrog/pipelines-installer", + "pullPolicy": "Always" + } + } + }, + "postgresql": { + "enabled": false + }, + "rabbitmq": { + "enabled": true, + "externalUrl": "OVERRIDE", + "image": { + "registry": "registry.connect.redhat.com", + "repository": "jfrog/pipelines-rabbitmq", + "tag": "3.8.9" + } + }, + "redis": { + "enabled": true, + "master": { + "command": "container-entrypoint run-redis" + }, + "image": { + "registry": "registry.redhat.io", + "repository": "rhel8/redis-5", + "tag": "1-98" + } + }, + "vault": { + "enabled": true, + "disablemlock": false, + "image": { + "repository": "registry.connect.redhat.com/jfrog/pipelines-vault", + "tag": "1.8.0" + }, + "init": { + "repository": "jfrog/pipelines-vault-init", + "pullPolicy": "Always" + } + } + } + } + } + ] + capabilities: Seamless Upgrades + categories: Developer Tools,Integration & Delivery + certified: 'true' + containerImage: registry.connect.redhat.com/jfrog/pipelines-operator:1.8.0 + createdAt: 2020-10-09 00:00:00+00:00 + description: JFrog Pipeline Enterprise deploys Pipeline CI/CD Openshift (Requires Jfrog Artifactory) + repository: https://github.com/jfrog/JFrog-Cloud-Installers/tree/openshift4/Openshift4 + support: JFrog + creationTimestamp: null + name: pipeline-operator.v1.1.1 + namespace: default +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: Represents Pipeline Instances + displayName: Pipeline + kind: OpenshiftPipeline + name: openshiftpipelines.charts.helm.k8s.io + resources: + - kind: Deployment + name: '' + version: v1 + - kind: Service + name: '' + version: 
v1 + - kind: ReplicaSet + name: '' + version: v1 + - kind: Pod + name: '' + version: v1 + - kind: Secret + name: '' + version: v1 + - kind: ConfigMap + name: '' + version: v1 + - kind: StatefulSet + name: '' + version: apps/v1 + version: v1alpha1 + description: '## Overview + + + Openshift Operator to deploy JFrog Pipelinesinto your Openshift cluster. + + ## Usage + + + An external DB is required. The operator will not deploy a DB but will require + you to specify the configuration values to connect to it. + + + Search for JFrog and click JFrog Pipeline Operator to install. + + + Go to the Installed Operators. + + + Wait for the JFrog Pipeline Operator to complete the installation. + + + Open the Operator and click on the provided API: Xray + + + Click Create New Instance and provide the following parameters for your DB configuration: + + + ``` + + pipelines.global.postgresql.host= + pipelines.global.postgresql.port= + pipelines.global.postgresql.database= + pipelines.global.postgresql.user= + pipelines.global.postgresql.password= + + ``` + + + JFROG_URL is the external ip or DNS of your Artifactory to connect Pipelines to. Artifactory + is required to use this operator. 
+ + You will need to specify your JFROG_URL in the follow locations: + + Use the cluster DNS name of the service for most operator deployments this will be: http://openshiftartifactoryha-nginx + + ``` + pipelines.pipelines.jfrogUrl= + pipelines.pipelines.jfrogUrlUI= + pipelines.pipelines.accessControlAllowOrigins_0= + pipelines.pipelines.accessControlAllowOrigins_1= + ``` + + Setup a unique master key and use the same join key you used when creating Artifactory: + + ``` + pipelines.pipelines.masterKey=$MASTER_KEY + pipelines.pipelines.joinKey=$JOIN_KEY + ``` + + Setup a unique username and password for Rabbitmq user: + + ``` + pipelines.pipelines.msg.uiUser=monitor + pipelines.pipelines.msg.uiUserPassword=monitor + ``` + + Specify external urls that will be your Openshift routes if desired: + + ``` + pipelines.rabbitmq.externalUrl=amqps://pipelines-rabbit.example.com + pipelines.pipelines.api.externalUrl=http://pipelines-api.example.com + pipelines.pipelines.www.externalUrl=http://pipelines-www.example.com + ``` + + Deploy JFrog Pipelines into your cluster. + + ## Build Plane Usage + + To use the pipelines build plane you can either use your Openshift cluster or a 3rd party cloud provider like AWS. + + Setup the Pipelines build plane. + + ## Sync issue fix + + To resolve the known host issue when syncing from a new site for now users can rsh into the pod or open the terminal into the pod in the Openshift web console. + + Once inside the container `pipelinesync` run the follow command: + + ``` + /pipelineSync/clone.sh + ``` + + Type yes to accept the host verification and then re-sync your pipeline. 
+ ' + displayName: JFrog Pipeline Operator + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAZAAAAGQCAYAAACAvzbMAAAKQ2lDQ1BJQ0MgcHJvZmlsZQAAeNqdU3dYk/cWPt/3ZQ9WQtjwsZdsgQAiI6wIyBBZohCSAGGEEBJAxYWIClYUFRGcSFXEgtUKSJ2I4qAouGdBiohai1VcOO4f3Ke1fXrv7e371/u855zn/M55zw+AERImkeaiagA5UoU8Otgfj09IxMm9gAIVSOAEIBDmy8JnBcUAAPADeXh+dLA//AGvbwACAHDVLiQSx+H/g7pQJlcAIJEA4CIS5wsBkFIAyC5UyBQAyBgAsFOzZAoAlAAAbHl8QiIAqg0A7PRJPgUA2KmT3BcA2KIcqQgAjQEAmShHJAJAuwBgVYFSLALAwgCgrEAiLgTArgGAWbYyRwKAvQUAdo5YkA9AYACAmUIszAAgOAIAQx4TzQMgTAOgMNK/4KlfcIW4SAEAwMuVzZdL0jMUuJXQGnfy8ODiIeLCbLFCYRcpEGYJ5CKcl5sjE0jnA0zODAAAGvnRwf44P5Dn5uTh5mbnbO/0xaL+a/BvIj4h8d/+vIwCBAAQTs/v2l/l5dYDcMcBsHW/a6lbANpWAGjf+V0z2wmgWgrQevmLeTj8QB6eoVDIPB0cCgsL7SViob0w44s+/zPhb+CLfvb8QB7+23rwAHGaQJmtwKOD/XFhbnauUo7nywRCMW735yP+x4V//Y4p0eI0sVwsFYrxWIm4UCJNx3m5UpFEIcmV4hLpfzLxH5b9CZN3DQCshk/ATrYHtctswH7uAQKLDljSdgBAfvMtjBoLkQAQZzQyefcAAJO/+Y9AKwEAzZek4wAAvOgYXKiUF0zGCAAARKCBKrBBBwzBFKzADpzBHbzAFwJhBkRADCTAPBBCBuSAHAqhGJZBGVTAOtgEtbADGqARmuEQtMExOA3n4BJcgetwFwZgGJ7CGLyGCQRByAgTYSE6iBFijtgizggXmY4EImFINJKApCDpiBRRIsXIcqQCqUJqkV1II/ItchQ5jVxA+pDbyCAyivyKvEcxlIGyUQPUAnVAuagfGorGoHPRdDQPXYCWomvRGrQePYC2oqfRS+h1dAB9io5jgNExDmaM2WFcjIdFYIlYGibHFmPlWDVWjzVjHVg3dhUbwJ5h7wgkAouAE+wIXoQQwmyCkJBHWExYQ6gl7CO0EroIVwmDhDHCJyKTqE+0JXoS+cR4YjqxkFhGrCbuIR4hniVeJw4TX5NIJA7JkuROCiElkDJJC0lrSNtILaRTpD7SEGmcTCbrkG3J3uQIsoCsIJeRt5APkE+S+8nD5LcUOsWI4kwJoiRSpJQSSjVlP+UEpZ8yQpmgqlHNqZ7UCKqIOp9aSW2gdlAvU4epEzR1miXNmxZDy6Qto9XQmmlnafdoL+l0ugndgx5Fl9CX0mvoB+nn6YP0dwwNhg2Dx0hiKBlrGXsZpxi3GS+ZTKYF05eZyFQw1zIbmWeYD5hvVVgq9ip8FZHKEpU6lVaVfpXnqlRVc1U/1XmqC1SrVQ+rXlZ9pkZVs1DjqQnUFqvVqR1Vu6k2rs5Sd1KPUM9RX6O+X/2C+mMNsoaFRqCGSKNUY7fGGY0hFsYyZfFYQtZyVgPrLGuYTWJbsvnsTHYF+xt2L3tMU0NzqmasZpFmneZxzQEOxrHg8DnZnErOIc4NznstAy0/LbHWaq1mrX6tN9p62r7aYu1y7Rbt69rvdXCdQJ0snfU6bTr3dQm6NrpRuoW623XP6j7TY+t56Qn1yvUO6d3RR/Vt9KP1F+rv1u/RHzcwNAg2kBlsMThj8MyQY+hrmGm40fCE4agRy2i6kcRoo9FJoye4Ju6HZ+M1eBc+ZqxvHGKsNN5l3Gs8YWJpMtukxKTF5L4pzZRrmma60bTTdMzMyCzcrNisyeyOOdWca55hvtm82/yNhaVFnMVKizaLx
5balnzLBZZNlvesmFY+VnlW9VbXrEnWXOss623WV2xQG1ebDJs6m8u2qK2brcR2m23fFOIUjynSKfVTbtox7PzsCuya7AbtOfZh9iX2bfbPHcwcEh3WO3Q7fHJ0dcx2bHC866ThNMOpxKnD6VdnG2ehc53zNRemS5DLEpd2lxdTbaeKp26fesuV5RruutK10/Wjm7ub3K3ZbdTdzD3Ffav7TS6bG8ldwz3vQfTw91jicczjnaebp8LzkOcvXnZeWV77vR5Ps5wmntYwbcjbxFvgvct7YDo+PWX6zukDPsY+Ap96n4e+pr4i3z2+I37Wfpl+B/ye+zv6y/2P+L/hefIW8U4FYAHBAeUBvYEagbMDawMfBJkEpQc1BY0FuwYvDD4VQgwJDVkfcpNvwBfyG/ljM9xnLJrRFcoInRVaG/owzCZMHtYRjobPCN8Qfm+m+UzpzLYIiOBHbIi4H2kZmRf5fRQpKjKqLupRtFN0cXT3LNas5Fn7Z72O8Y+pjLk722q2cnZnrGpsUmxj7Ju4gLiquIF4h/hF8ZcSdBMkCe2J5MTYxD2J43MC52yaM5zkmlSWdGOu5dyiuRfm6c7Lnnc8WTVZkHw4hZgSl7I/5YMgQlAvGE/lp25NHRPyhJuFT0W+oo2iUbG3uEo8kuadVpX2ON07fUP6aIZPRnXGMwlPUit5kRmSuSPzTVZE1t6sz9lx2S05lJyUnKNSDWmWtCvXMLcot09mKyuTDeR55m3KG5OHyvfkI/lz89sVbIVM0aO0Uq5QDhZML6greFsYW3i4SL1IWtQz32b+6vkjC4IWfL2QsFC4sLPYuHhZ8eAiv0W7FiOLUxd3LjFdUrpkeGnw0n3LaMuylv1Q4lhSVfJqedzyjlKD0qWlQyuCVzSVqZTJy26u9Fq5YxVhlWRV72qX1VtWfyoXlV+scKyorviwRrjm4ldOX9V89Xlt2treSrfK7etI66Trbqz3Wb+vSr1qQdXQhvANrRvxjeUbX21K3nShemr1js20zcrNAzVhNe1bzLas2/KhNqP2ep1/XctW/a2rt77ZJtrWv913e/MOgx0VO97vlOy8tSt4V2u9RX31btLugt2PGmIbur/mft24R3dPxZ6Pe6V7B/ZF7+tqdG9s3K+/v7IJbVI2jR5IOnDlm4Bv2pvtmne1cFoqDsJB5cEn36Z8e+NQ6KHOw9zDzd+Zf7f1COtIeSvSOr91rC2jbaA9ob3v6IyjnR1eHUe+t/9+7zHjY3XHNY9XnqCdKD3x+eSCk+OnZKeenU4/PdSZ3Hn3TPyZa11RXb1nQ8+ePxd07ky3X/fJ897nj13wvHD0Ivdi2yW3S609rj1HfnD94UivW2/rZffL7Vc8rnT0Tes70e/Tf/pqwNVz1/jXLl2feb3vxuwbt24m3Ry4Jbr1+Hb27Rd3Cu5M3F16j3iv/L7a/eoH+g/qf7T+sWXAbeD4YMBgz8NZD+8OCYee/pT/04fh0kfMR9UjRiONj50fHxsNGr3yZM6T4aeypxPPyn5W/3nrc6vn3/3i+0vPWPzY8Av5i8+/rnmp83Lvq6mvOscjxx+8znk98ab8rc7bfe+477rfx70fmSj8QP5Q89H6Y8en0E/3Pud8/vwv94Tz+4A5JREAAAAZdEVYdFNvZnR3YXJlAEFkb2JlIEltYWdlUmVhZHlxyWU8AAADJWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS42LWMxNDggNzkuMTY0MDM2LCAyMDE5LzA4LzEzLTAxOjA2OjU3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvM
jItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMCAoTWFjaW50b3NoKSIgeG1wTU06SW5zdGFuY2VJRD0ieG1wLmlpZDpENDgwNUU0NzUzREQxMUVBOUZGODkwMEY5OEQzRjlFMiIgeG1wTU06RG9jdW1lbnRJRD0ieG1wLmRpZDpENDgwNUU0ODUzREQxMUVBOUZGODkwMEY5OEQzRjlFMiI+IDx4bXBNTTpEZXJpdmVkRnJvbSBzdFJlZjppbnN0YW5jZUlEPSJ4bXAuaWlkOkQ0ODA1RTQ1NTNERDExRUE5RkY4OTAwRjk4RDNGOUUyIiBzdFJlZjpkb2N1bWVudElEPSJ4bXAuZGlkOkQ0ODA1RTQ2NTNERDExRUE5RkY4OTAwRjk4RDNGOUUyIi8+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+WnMr7QAAIxhJREFUeNrsnc11G0fWQMvf0ZlZgo6AUASkIgC088ZDKAKAERCMgGAEhCIgGIHA8cY7NSMQGIHBCIZYzmz49SNeWy2IIPFTVV0/957TB7JsoxvV3XXrvfr75enpyQAAAGzL/1EEAACAQAAAAIEAAAACAQAABAIAAIBAAAAAgQAAAAIBAAAEAgAACAQAAACBAAAAAgEAAAQCAAAIBAAAEAgAAAACAQAABAIAAAgEAAAQCAAAIBAAAAAEAgAACAQAABAIAAAgEAAAQCAAAAAIBAAAEAgAACAQAABAIAAAgEAAAAAQCAAAuOVdaj/ot/PfuavwzH//9b9R+TH/57//MaE0IAT+vPqDCAQgEoryuC5FMqYoABAIwC6clRIhCgFAIAA70UciAAgEAIkAIBCAZiRSHgcUBQACAdhaIuVRIBEABAKwC0dIBACBACARAAQCgEQAEAhAXBKZlRI5pigAEAjAthxqJIJEABAIwNa0kAgAAgFAIgAIBKAxiXQpCgAEAhnyz3//o9hTIl9LiQwoSQAEAplhKQ11jUQAXuYdRQCRS0Lmbxzr0a59Hlo8jUjEsDEVAAKBuIXRLT+6NWkcejo1EgFAIBBZdNGtHUcNX5JI5LiUyPCFax3oNc7LY1Yej3v2wQAgEIAtpSFRRU+PowAvUXY3PCjlMKj/pUQmGh1d1H6LfDyoVIpKLuV/O+NOAwIBsCONXk0arQguua/prFWJDFQa/dpfH+rRWRHLvUYqM5UK0QogEIBEpbGNREQKV2/8/0d69GtSuVOhiEyK8rseeVIgZH55enpK6gf9dv47dzVcaUh6aqBHK5GfdVMew9XKXvtErvf87vtKJgglDf68+gOBIBDYQhoHNWkcJfozpaLvOpLI6nmmctCPgkBCgImE4CzakL3HzbLj+CpheRizZk8RHfJ7avk80kn/rTzXo+7t3uNpAwQCqYijVx6FVHJmmd9vZfLTjzQ6MC9I5MbB+Vpavl/K8n4qjykyAd/QiQ62xDEoP0bG38S+0FiUx7r5IX0P5z+RozzfQkU2YWQXEIFA8OIoj7lZ5voPMy6K4Wq/hEYE156vo4pMZCFIVhQGBAKII3BOV5c40RFnk4avq6MiGfPEAgIBxBEe52vkUZhw+n/OdEADAAKBRsTR1QlyiOM7N6U8xivldBCYPCpk4uOIWwYIBHyKoy0jfMo/fjVpD8XdRR6DSORRcSH3k1sHCARci+NAW
6x/meUIH/jO3SvyCF2yRCFgDYbxwkvykNFDkpohVfUzMhv8pfkWk0giNOaKABEIOIs6JF31BXmslcdLS5ZMIorSWqSxAIGAi6hjbkhXrUMm6PXWyKMf2W9BIGAFUliIQ3L3MbWgm5KHRB7zlbIbRCgPACIQIOrwSPeFWeYij2uKBohAIMeoY1QeZ5TGm5yuWTpd/u5jecikwQM9jvXfdSg2QCCQojyqJTZSm9OxMN+3iJ3XPid7VOg/LVFSUZNK8Yqkj/Vo62cQYmGRRUAgsIs8BmY5PDeFJdar3fqet4Bd7Z+o/eZdv/9ynTw2rKQfzffdBFcFLkdXD9+j3R54EwCBwLbykMow5g5fqfimxs/2rjLLfOSo9V9FSRO9L+2aTHwIhZ0MAYHAxuKIZYb0S9zqtU/XRRgbIP//Nqmjn5YocYn+rsmKUHoqExeDGxAIIBDYSB6hrQq7qTSqfb8fPZ/73qc8XhHKWA+5h4+W71/BmwEIBN6Sx8DE099xr9fahDTq19ANMHq0ef8WdKADAoG3Kh7ZWvUq8MuUUVMTEcce6Smr8mhQXus4tvx9yAMQCLwqD6mUQ+4sl87wUcPRxqrIBgHKwziIiKa8IYBAIEZ53Ik4AkuhVEuUhNqx3CYCAQQCrsUR8kirG7NMU4VYSYcsD8FmCushgFQhIBBAHhuLYxRwpXUauDyM5XtK+goQCAQvD0lVDQOvnE/3mWXu6d7SgQ4IBLKRx72KI/SK6nPo8lDalr9vQBQCtmE5d+SxLwtt0R9HIA+ZZT6M5DbbjkBOdJAFAAJBHkHI47O0lCNp0d80Pcu84QhE6CMRsAkpLOSxC7Gkq3643shud9vR9/Z1heJhoHNfgAgEHDENQB6XkaSrKuQ6u1SWP0pEykUbJABEIBlEHxPT7IZE0oofRDD09QciXvvp2PH3S0NkLtsa+y6j8pzd2j8+xvZMAQKJUR5NzjD/HFHncyq0PJ3ja/l8Xbra/0SfX4l0enqcvPDvn9dF4xlDIGD/5Rs0KA95sXus4Jo8FxoV9Gym+lQcQz1ab4jsTK+BdGNE0AcStjykxXbd0OllQmAbeTTGnefzSXp0vpJe2rfhMxc5bRFNSVqN5w2BgIUXUHLgk4ZOLykNWoLN0kTZVymt8T7PbXkU2vDZJQ13xFBjBAL7h/5T438zKElZfXKZD4eNaXLWuKSTZtsup1L+9/LcfDP7D/bo6542gEBgx8rj0PM5ZZ8OiTpY7iIAdHLmQ4OX8JxO2qQi16hDRlJdWDz/la10GiCQnKKPsfE/XFeG6B4znDI4ehoVNkVLK/LpS3NG5O9qUYeL+UlT5qogENhcHlJhnHk+7Y1ODKS/I7woRIQuaaS7hi9Fht7+kNLSTnLbUcdLAiMiRiCwgTzaxn+neWzrQ+UokbkMaCj/+Mk0m9KSlOo3iZDLY26WneQ+0qwd+kMQCGwQrhu/nebnyCMqkcge8tLIOG04Ijkz/vvnrhzsjwIIJJnoY2T8rnEly6+PKfkoRTLRiOSjaT615ZMJdx+BwM/ykMrgwuMpTyNZfh1eF0mRmUiOtKEFCARUHgeeW1bII12RSGrrIfGfe0EqC4HAd6RF5SufjDzSFoncW6lcLxP/qTzDCAQ0deVryC7yyEMij7qKwAeznNuTIqSyEEj28vCZurpBHtmJZCZzexKORkhlIZCskRaUj9QV8zzyFkkVjaTYN0KjCIFkGX10jZ/U1R3ygNps9tvEftoREwwRSI74mH8h+e8eRQ0qEekbkechtZTWSFdwAASSRfQhLSbXEwarXQRZ2wpWRTIyy+G+qdDy1CADBNK4PKTjfOThVCKPOSUOayQyMct+kUUiP+lEFyEFBJI0Y+N+ratztqCFDSQi/SLdhCQyZtl3BJJy9CGdmH3Hp7llfSvYUiJt43e+iKtzHXqK7gGBNBZ9uESGaQ4oZthSIo8aibiWiHz/B8dRzxlzQxBIitGHvDSudxik0xx2lohOOrxxdIpL3bBsp
s+oy6G3ROAIhOhjS87ZihYsiEQiWJvDfCUq/qgjv+rnmRh3qwd3dKdEQCBJRB/yMLsctntHvwdYlIhU9rLz4b5pps/lcfzKgA6nUQgd6ggkFUYOv1teclpbYFsisjNm1+zWL1JFHcPXUqoaMX929BNahg51BJJI9OFyvasR8z3AkUSqYb6bVvLSmJG+jvYWw8hHxm2Heps7iUCIPl6G1BW4loh0rkuqSUZPrVtHS/5etgo4WO3r2OT7jdtU1oS76J53FIGT6KPnMPogdQW+o5GePtdd/etHGwM3pENdI3UXoxSlQ72nKTlAIFHhtJOQ1BU0JJPC0bvyzdW7Uh4IxCGksOxHH13jbt7Hw7apAoAIIhxXHeqH7F6IQIg+vjOgeCFBpJJ31aE+ZFgvAokl+miXHyeOvv6OhRIh0SjEZYc6S74jEKIPog9IXCIT426Gep9hvQgkBlxV8jd0nAMNsL2YULwIJFh0OKKr/T5GlDBkEIVIh7qrRR07tWHIYAmG8Ybferok+vDWCKgqmHpFIyvV1jthpZKrlumY6zFjNWSr71HPUWNstHJvAYEEUfG0jZtFE2VkCh2A7mTRVUHIsenEz86a71uoXAo5GPCwl0BcRfLPUQj3BoHkEn1MaNlalXxPpeFipFxL5SLHhQpFKqqpdhDD20KfGLfrx1XvKgJBIEHRc/S9RB92pDEwbpfVXycUEdVJeR3VjGgWwPz5Hkl6cFQeZ55O2aXUEUhIL4Crda8YebXfPRkYd3NydpFJ3yyHk96pSAru0/N9GnuIOlbvBSCQ5KOPEUW7dYU00HI7DPgyJcX1VUUyzHE3SY06xipV39zxptiDYbxhCuSO6GM7cZSHlNd14PJYFck3SW/ltNSG9nXMGpKHwHuFQIIKwV2ExPR9bFj+EYpjFcn9z/VZSv1+SQf214bvFavzIpCko48H9jB4syJql0dR/vFLxOKoI42QLylHI+XvmpQfVw1fxj3vFgJJXSBEH69XRKPy4y/jbsn8pqORIrV1m1Qe/QAuZcgbhEBCeSmOjZv0FS2k16OOi8R/qgw3nunzlcJ9GwYij0tGviGQkBg4+M5bOs9frIS6Ztnx2snkJ0vD5JuOKov5vlVzPJrmho3YEEhodB1854Ri/akSkkr0q8lz/P515BI5DuC+SeQx4E1CICFVam1jf2bzgg6+n8pZhHqdeTHELJFug+eWpWQ+EXkgkFxeDOTxszz6lEQSkYhvZLLgMQ0yBIJAkAd8l0hsc0V8z7KXqOO0FEeXvkQEkpNASF8hj02YRDY6y2clLhtRtVn5GIGEXsG1jf3Ja8jD/D3HA3msRzqkp7FMNtR1vhaOT3NfHh+lo5ytDxBIjtGHUCCP5xz/BY/Xm0jjJaZWtqtnW8R0XkrjmPkdCCR3gWQdgWhahhn4m3OiE/RyFUjVSc4z0zAs5749tnPQ9zmH3pqOkRZ10/MFJBUiKZe5+XHf8+rzoPZ5bLbfCtc2I5mZH8Fy8NI4srkG1iVDcxFIzBw5eMFyZmT87xYoLLTs5Si2lPi0JsC2Wa6JJofPmfItjdq6Id9cGQ1VltGDRdHSXxgQpLC2ay27eFmLzMvzzPNpJdKQoZ4H2vE63ScClApSUikydLT8x/dmORpo4em3dCJJZdms9NvURAgkVqwPocy8A9BnDrsarXPsaqinymSgldyNrwguglFZ05DfQUAgsQok2+01teXsI3VVTS7zNlpHIhoVyQcVl0sklTUK+V5ruduKyroGEEik2A6fs4w+PK7SemsanFwmHdwirvKPnx2f6iyCPUSKQN9BQCDesN1JOsu0HIfG/agrmSPQC2GEW3kN8ntPHZ9mFPg9tyWQQwMIJMJWs4uWzyzDcjwwbneGq1ZhDWqOgEZBH4y7DvZ+4FHI1OIz1KVGQiCxYfvlXGS64NvAYfQhlXM31HXFdM5G16FEgo1C9Fl/sPR1BwYQSGTYbvXknL5yKY+gy1Wvz9Wqur3AR2QVlr6HkVgIJ
DoOAn2ZokGXI3eVwx5EMCu7kojc+3MHX90ybrZaRiCAQAJ7aOcZlqGrlvdlbMvhax/NbUQRXkhRd5vqCIHkHoEgEDvcRbw2kkQLtvtDDkPdM8Ti8u5HBhBIZBxZfpmKnApP01e2O88XJuyUzVvPwKOj6w+5TGaWnifSWAgkWxYZ/mYX0cco9pFsmnq7i6CsbWGr4YRAEEg0reduiK2wyLBdhg8J7Qdhu9/iMOAWOv0gCAT2JKv9PxxtAzxKpXy0b8B2h3qoUYitiLFrAIFkSm4RiIvoY5JYGY0DL3ObsrQBKSwEkm0FmBu2X/bU5FENqniw+JWdgH+ujd/ZimAZewQCRCAIJM4oJOA1o+Y07BAI7E5ue6DbFMh9wmuITQMu9xCff9JYCAQywOb8jyLVQlIx2tyAKvWRWEQgCCS7FnRWEYiDNMo08SKzKch24mXVMYBAIsBqZ10si/4l3nrNQSDJV7CyNXIEuzEmyzuKACKS7yKEHQZjEqSMVEq8zK7kKH/ng5adCLigkYZAIA1spv+SrxSkH6SsDG2Xf5HBc3aox4mKUz7uakIpeBURCEAOSEc6K87uT0ePCxXKrQplmuluoNahDwRiIpeX3mbKicl235HoRFJef5VCmZXHgMmICAQQCKyHuRIvIxHetTxTpURGFAcCgfShtQi2kTlKFxqR8HwhEKA1DbBTRFIgEQQCYTGnCCAiiYwpBgQCaQqE1mEaFAFfW58oBIHk9MDn1kLMgXbivy/0iY1dXjUEEiyZLb1ge2Z1Dv0gNndvnIf243SW+CLg8qevDYHQwgyksnjk5d5KkLZbv/NAfyp9DQgEYCPuLH5XN/GyyqX1KwK559VAIDlgew2m3DrpbLaCUxdIN/Bn12Zk2rXcuAAEEiSkYcIRyGHi/SAnDirqIJFrKw+RyKkJu08EEAg0SGH5+4YpFpKszWT5K6No3ZcSmZhlv6CI5CGAS2IpeARi9QG3XQEeU3570Ut0rL5tgcwjekYkGpmUh4jkQ3l8blAmjwYQSMDkOFHJZmu4lVoUokO7be8gGGVLWob5lsewJpNL47HDnb1DEIgLbLaGchxnbvulHCYWhYwiKPOmZDIqD3lnfi2PT+Vx4zA6YWQYAnGCzXRAK8Pym1r+vmSiEB0U0Lf8tYvUtnXVNJdsBjXQ6OS9yiTU9xyBgJsHy8GEseBbkg5ajReJzOp3MamuyOCZknfS9v2nAx2BhC8Qk9FsdIdRiDCJPPqQKKoTSVmHiO2yKwwgEAfYbpnkKBAXlX0n1h3lNHV1FZGsQys/61E8HegIJJYIpJtbAWoay0UnpaSyepFVfgcOW7u3IU8gDPgdogMdgTit/GyS64qfrhbRm8QyQ70mD1eDKSaZPEu2BUL0gUCcYrOF0spsWfcKSa24WLZCKuMidInU5OFqb5MHGamUybNE/wcCiYo5UcjekdyjwygkaInodbmURzbRh6NRjIzAQiBOIY1lh7Fxt3hekBLRPhrX8liYfPbZsC2QBx0WDAjEGUXgLwFRyHeJfNMhsk2L46A85Ld+Me4nkI4z6Tx38e4UBhBIZBFIJ+OydBmFVFyVlfe0qb4mXV1XWrVnHk6XU/Th4t1BIAjES8vZ6mzq3Gakr5TlyMOpZH+Nmc+5IiKO8hBxXBt/y9aMcok+6P9AIDFju6XSy7UgywrP17amUonLXJG5Vu7WF2HUVNWwJo5Dj0V5r2WZC7YFkty6YQgkXGaBvwyx4bOf4lArdxHJeN+OdkmNqZBk2Ox/zHJW+WEDZTjI7JmxPUCiMLAT7yiCxh+2I2m9ZtT5uRqFyIgp2TzozONpW3q+s/Lc0ncw1YaBHPOXRuNoP0pbK69jFf9hAEV4mWHruRv4O41AYG2FN9NKx2ZuW9JYk4zLdKh57aMGTi/3sW9qy6mX1xJL0d3JXhk5PSsaNdruV0IgO0IKK4wHrkeRPqdhFhTDxjxk+tzYjj4M/R9EIL6RlMeJxe87yb1ANbKT/pBrHq83E
dH2Ykh76oCFgcpu3dBb2e5Yfks9jTjzJJA7HicEEnsE8jxTOaM1jNZJZKJ9DRc8Yq9HrDG0mjXdJM/0W31FndWGlKYRpXKf6/s209/cDf1dzglSWLtVdHNjf3c90ljLsh0Z+9uUpsRpDHtW1BaN3GeggYilr1GprCzwZOj/QCCJYDta6LuYnxCpRAZIZK08JpFc68T4m0S5D/R/IJAkBEIUgkTWIX0eH2KRh46oi6Ff7z7X4fMIpPkKrjD2Rw0NKFkksoKkSruRjRQaRXKdBW8ZAkkpCulkuskUEnkZ6UQ+jkkeGn3Eskgo6SsEkpRAiELWS+Q0s599Xv7uboQplpieXyIQBNJoxeZie9YhJftiWU/Kjw/G/ui30JDFJT/EuDiiRs/9SC53wQZSCCTFKKSl+0jAzxKRlIPMLbhN8OctNOo4jnhm9IjoA4FAswKJLQ3gWyKP5SGj1T4lFI1clkc75iXZI4s+EAgCCaZCmzqoyDq5bjS1Zbkfa+Ub4xpacs0yOOC9TJ5MYDhpbPKb8hYhEKIQopGRWS6zHstIrYdaxDFIIQ8f0byPv+8B/R8IJPXWV58hvVuJRIT7a8ARiQjuU3md7UQijjojGnwIBHavwKQ1c8eLGUZEUh6yJIz0kTTZ2V6lqOQ6ftVoI7mKSwd8dCK77Alvix1YjdfuQ2n7RZIoZES4vZNMpLKe6vpiXbNcJkY+Xe0iKMIoqiOHPSa0bGPr+3hg/w8EEmKFJUuRy8tkewE5iUIGlPDuUYlZpiymWum1zfdtaeU40M9N75v0Ycxrx/MeFplKfmLiWDCxzpi3AoGE/HDa3suCKMSuUKqKf7qmVV1Jpc6MRfd+KieJ6GLbCG1hSF8hkMBbZC42QxIxsVKvH8GQ3nhbHu1IK+IxDQG70Iluv3XrYjjpCfNCICAkenORunI5eu5eh3wDAgm7lePoe3n4IYToQ57vIwdfLX1LEtm8N8uFM2+MvQm6CyJ4BBJLFCIpEBdDejuskQUNy0OevzNHX9/TYdhzGZCiw55FKDK3R4ZCfzbLhSa3jjzMckn8OXfQPvSBuIsWvrqIbsqXeEoeFxqQhwwuuHb09efr+p5eGEVXjZrrmu+j6DovRByF/D8RbQGMQODvh74oH/Q7Y39eSEvlxJLv4FMeB8bd4oO32ywiqUIpDIshBgEpLLdRiAvOtDUI4FMerjrNB5QyAoEXohDjpi9EICwHX8izduTou3ukYxEI+I9CjmRyIcULjqMPkYeryYKX2sgCBAINRCEXpLLAoTykn83VBlF3zMlAILAZLju8JxQvOJDHoPy4cvT19HsgENgiCpHhia42OyKVBbbl0TXuhusKA+ZkIBDYjpFxt0zDBcucgCV5SErU5Z4ln1PcEwWBgOsoRFpcLpeRrva9ANhVHi6H6wqyFhXzlxAI7IgI5MHRd7cM23TCfriUB/0eCAT2jEJkvLvLFliH/hDYMfqQ5+bI4SmGLJOPQGB/iUiUcOfwFBe60Q/ApvKQfo8Lh6e4YT0qBAL2GBi3+x5MmB8CW+Ayan0wrNuGQMBqFDJ3/NI+94fQqQ4bRB9t43ZbWpYqQSDgQCLSoX7v8BSHhtVK4W3aDr/7nH4PBALuGDj+/iNdywhgHV1H33u/zRLtgEBg+yhEWmfnjk/TRyLwCnOHjRdSqAgEHEtEWml3jk/T14XxAHwJxEeEDQgEjPtRWcIV+6nDCw2YwuGzR6MFgYCHl3juqbV2jUTgBVytYHDI84ZAwI9E5CW+8XAqJAKruOzsHlG8CAT8ICH/vYfzIBGoN15kMIerfjiiEAQCnl5kmXAlL9vCw+mQCPiKFMaMyEIg4K816Ktiv2aIL+hzVxh3KdSWIZWFQMDbyyz9IZeeTsc8EagYOox+z9j0DIGAP4lIi+3Wo0QK0gzZP3OPjiOFCc9YeryjCIJlYJbrWR15OFdHziX9IqxfFA66qnK7PKrVleXezFztKS4TW3U7gI6Drz9UQTE/JCF+eXp6S
uoH/Xb+e0oVSFsrjZanU0oKo6c5cWjmfksF3tVj3X2X/oqhi5VuPTxzn3LeF/3Pqz+S+j2ksMJOK8y1Ill4OqVUGl9Z+sSrNLrlIS1/udd/lceVWS6x/loF3i+PuYt9XzxsN0AqC4GAR4n4HJlVIUufsKeIG2Eci6C1fCWC+FoeZ2aZ4tlW9oUjibhco02ue8KTgEDAn0Qk5D/1fFppBc/Y3dBKhFEXxrcNo4xtJOJC9C6j0BNGZaUBnejxSERCf/njtcfTSqv4W3nec/Z3eDuyKD+kIpeKsW2WHd8+BkA8S8R872i38VukH8b1/R4aNj1DIOBdIlJRnHk+9ZVWKgNXI4ACEEBV6b9WEbfNj7v4HXiSxFvI/hsjHf69rwRFHB0P13zCG41AwL9Ehpqy6Hs+tVQqM62okolGVIyjQESwDxeSJttlGLY+T6MGGiYQOfSBxCmRgfGzeu8qLY1GCm2xxy6PSfnxJQF5VEx2KANJJc0bkMeCNxmBQH4S+SEaiVge4waiONccbToEWzv3JVq5Mv7mGdWZ8hYjEMhXIlLpSNpkHtuIGr3eVNM1o9dGZUnkqJHX1wYjL4k+RrzBCATCkMh5g5cgI7W+6jDVdiyVbMKPhIh9vEYe8rtnAURew1QHYyAQiFEiUmGcNnwZMqrmL51VHewERI0+Ook/Ev36/B0ZKKAz3S9MM+mqOqcympC3FoFAWBKZBCARQVJDktYaBSqSXJZpGWu6qjDLgQKHAVwT8kAgELhEPpjmR7i0tLUblEg0xZbL/AOJsv4KKNpCHggEIpCI5Li75fEQwOXURTIOoI+kxxPiHWnMfEAeCATikojkwO8DuSQRiaS2pI9k0uCorQFPh1dkQcY2e8wgEIhPIo/lIRK5CezSZASQjNqSeSQDX+ktjX6OeDK8cVk+f10Xe5YAAgF/IpFW92mAlyaVuSwMOfcUlXR5GrwgqdMP+67LBQgEwpHIxCw71x8CvLxWLSqp+kpcLCFP/4d7PpfHMSkrBALpSaTqF7kL+DJlqKn0lXxTmUx0scNcIpBY14eShslHWeiTlBUCgXQlIv0iUpGeR3C5hxqZfCkl8qQz3Qe7jOTS9FgrwN94r632T+Xxqwo+NolUUUfBG5YfLOeep0jGOsFsasKYYLYJJ3qIEKTinZRHsWG6JIToQ8Qg11pUny+01h9FkmY58S+GqGOAOBAI5CmRarvakYlvYUHpgL9SmTyoCAvd+rdJgci1zPXPRe1zvunaT/Ibyt90a8Ke8ChRx4h0Ffzy9PSU1A/67fx37uqWaIpnElE08lorv6gJZa6/78nReapoYmazMtWhzbMA78e9Rh10ku/In1d/EIFActFIEXE0Uqdlfkx11SMCa61v6Sx2fD+qVNbXgMQ8ZmgurEInOvxdaWnF+NGEOdx3F6QFb3stqKmn+yHRzecAylBG7R0jD0AgsFHFVR7t8o+Xhm1H11Xsvhg1KHO59590NvmcOw8IBLapKKXykrTWLaXxQ2vca1Romlm/SyKf9iuDEgAQCLxZgcnoIZnI99GEPQHRF7MG7kFh/KWypJOcCYGAQMBuJaYTEGVNrYeMi6JoqPyHxu3KypKuksUPmRAICAScVWQT7R85NXn2jzQ5fHXg6HvpJAcEAn5FUn6ISHLqaH9osjNZ515c2vw9hk5yQCDQUIX2qK3WKiJJPbU1C6DMR8ZOX9SlRh10kgMCgcZFUk9tpSqSIpDr6O1RxjKi7r2IiE5yQCAQmkwqkXw06Q3/LQIp40eVyDapQ4laZHRVj3QVIBAIXSSFDv99b9LoJ1mEtP6TXkt3g0ikEkeX0VWAQCA2kcw1XSKLA36KOCqZBli21QZhIuj7FWnI371HHOAaFlMEXxWeVMJTXWl2YJZpmE4kl18EWqaSzhrpAYBAIHmRSKU3lkNl0lWZyGeIy8kvQoxAABAIIJNl5fxcQeuS8t3AopMpI5YAEAiEL5TnzZlWopNKKE1FJ2PuDAACgXijk2Epl
Lb53ndy5Okybtl9DwCBQPxCmZtah7Fuw1sdkvpqWT7lwjSzlDoAAgFwLJTC1EZH1fpPjvXYJ0qR+RU9+j4AEAjkIZSq/6QSyoGKRKTS1uOtjnkRx8Qs9/9GHgAIBDIVyqNGKEX972tiWWXOMh8ACARgE7EAwJ6wlAkAACAQAABAIAAAgEAAAACBAAAAIBAAAEAgAACAQAAAAIEAAAACAQAAQCAAAIBAAAAAgQAAAAIBAAAEAgAAgEAAAACBAAAAAgEAAAQCAAAIBAAAAIEAAAACAQAABAIAAAgEAAAQCAAAAAIBAAAEAgAACAQAABAIAAAgEAAAAAQCAAAIBAAAEAgAACAQAABAIAAAAAgEAAAQCAAAIBAAAEAgAAAACAQAABAIAAAgEAAACJ93qf2g//7rf93y4yu3FgAC42N5FEQgAACQPQgEAAAQCAAAIBAAAEAgAACAQAAAABAIAAAgEAAAQCAAAIBAAAAAgQAAACAQAABAIAAAgEAAAACBAAAAAgEAAEAgAACAQAAAAIEAAAACAQAABAIAAPAa7xL8TY/lccetBYAA66ak+OXp6YnbCgAAW0MKCwAAEAgAACAQAABAIAAAgEAAAAAQCAAAIBAAAEAgAACAQAAAAIEAAAAgEAAAQCAAAIBAAAAAgQAAAAIBAABAIAAAgEAAAACBAAAAAgEAAAQCAACAQAAAAIEAAAACAQAABAIAAAgEAAAAgQAAAAIBAAAEAgAACAQAADLl/wUYAABf0oDFt8DSAAAAAElFTkSuQmCC + mediatype: image/png + install: + spec: + deployments: + - name: pipeline-operator + spec: + replicas: 1 + selector: + matchLabels: + name: pipeline-operator + strategy: {} + template: + metadata: + labels: + name: pipeline-operator + spec: + containers: + - env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['olm.targetNamespaces'] + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: pipeline-operator + image: registry.connect.redhat.com/jfrog/pipelines-operator:1.8.0 + imagePullPolicy: Always + name: pipeline-operator + resources: {} + serviceAccountName: pipeline-operator + permissions: + - rules: + - apiGroups: + - '' + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - apiGroups: 
+ - ''
+ resourceNames:
+ - pipeline-operator
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - apiGroups:
+ - apps
+ resourceNames:
+ - pipeline-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets
+ - deployments
+ verbs:
+ - get
+ - apiGroups:
+ - charts.helm.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - policy
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ serviceAccountName: pipeline-operator
+ strategy: deployment
+ installModes:
+ - supported: true
+ type: OwnNamespace
+ - supported: true
+ type: SingleNamespace
+ - supported: false
+ type: MultiNamespace
+ - supported: true
+ type: AllNamespaces
+ keywords:
+ - DevOps
+ - CI/CD
+ - Developers
+ - Software
+ - Productivity
+ - Artifact Repository
+ - Repository Manager
+ - Docker
+ - Maven
+ - Git
+ - Helm
+ - npm
+ - go
+ - golang
+ - kubernetes
+ - k8s
+ - rpm
+ - yum
+ links:
+ - name: JFrog
+ url: https://www.jfrog.com
+ - name: JFrog Pipelines
+ url: https://jfrog.com/pipelines/
+ - name: JFrog Pipelines Video
+ url: https://www.youtube.com/watch?v=5xbMYabN1MQ
+ maintainers:
+ - email: partner-support@jfrog.com
+ name: JFrog
+ maturity: alpha
+ provider:
+ name: JFrog
+ version: 1.1.1
+status:
+ certsLastUpdated: null
+ certsRotateAt: null
+ lastTransitionTime: null
+ lastUpdateTime: null
diff --git a/Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/annotations.yaml b/Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/annotations.yaml
new file mode 100644
index 0000000..2466bdd
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/annotations.yaml
@@ -0,0 +1,12 @@
+annotations:
+ operators.operatorframework.io.bundle.channel.default.v1: alpha
+ operators.operatorframework.io.bundle.channels.v1: alpha
+ operators.operatorframework.io.bundle.manifests.v1: manifests/
+ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+ operators.operatorframework.io.bundle.metadata.v1: metadata/
+ operators.operatorframework.io.bundle.package.v1: openshiftpipeline-operator
+ operators.operatorframework.io.metrics.builder: operator-sdk-v1.0.1
+ operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+ operators.operatorframework.io.metrics.project_layout: helm.sdk.operatorframework.io/v1
+ operators.operatorframework.io.test.config.v1: tests/scorecard/
+ operators.operatorframework.io.test.mediatype.v1: scorecard+v1
\ No newline at end of file
diff --git a/Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/openshiftpipeline-operator.package.yaml b/Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/openshiftpipeline-operator.package.yaml
new file mode 100644
index 0000000..39830f1
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/bundle/1.1.1/metadata/openshiftpipeline-operator.package.yaml
@@ -0,0 +1,5 @@
+channels:
+- currentCSV: pipeline-operator.v1.1.1
+ name: alpha
+defaultChannel: ''
+packageName: openshiftpipeline-operator
diff --git a/Openshift4/operator/pipeline-operator/bundle/bundle-1.1.1.Dockerfile b/Openshift4/operator/pipeline-operator/bundle/bundle-1.1.1.Dockerfile
new file mode 100644
index 0000000..a1e828c
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/bundle/bundle-1.1.1.Dockerfile
@@ -0,0 +1,19 @@
+FROM scratch
+
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=openshiftpipeline-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.0.1
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=helm.sdk.operatorframework.io/v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+
+COPY 1.1.1/manifests /manifests/
+COPY 1.1.1/metadata /metadata/
+LABEL com.redhat.openshift.versions="v4.5,v4.6"
+LABEL com.redhat.delivery.operator.bundle=true
+LABEL com.redhat.delivery.backport=true
diff --git a/Openshift4/operator/pipeline-operator/bundle/openshiftpipeline-operator.package.yaml b/Openshift4/operator/pipeline-operator/bundle/openshiftpipeline-operator.package.yaml
new file mode 100644
index 0000000..39830f1
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/bundle/openshiftpipeline-operator.package.yaml
@@ -0,0 +1,5 @@
+channels:
+- currentCSV: pipeline-operator.v1.1.1
+ name: alpha
+defaultChannel: ''
+packageName: openshiftpipeline-operator
diff --git a/Openshift4/operator/pipeline-operator/config/crd/bases/charts.my.domain_openshiftpipelines.yaml b/Openshift4/operator/pipeline-operator/config/crd/bases/charts.my.domain_openshiftpipelines.yaml
new file mode 100644
index 0000000..6314b14
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/crd/bases/charts.my.domain_openshiftpipelines.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: openshiftpipelines.charts.my.domain
+spec:
+ group: charts.my.domain
+ names:
+ kind: OpenshiftPipelines
+ listKind: OpenshiftPipelinesList
+ plural: openshiftpipelines
+ singular: openshiftpipelines
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: OpenshiftPipelines is the Schema for the openshiftpipelines API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of OpenshiftPipelines
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ description: Status defines the observed state of OpenshiftPipelines
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/Openshift4/operator/pipeline-operator/config/crd/kustomization.yaml b/Openshift4/operator/pipeline-operator/config/crd/kustomization.yaml
new file mode 100644
index 0000000..06863c2
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/crd/kustomization.yaml
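Review bot: The CRD group in `charts.my.domain_openshiftpipelines.yaml` is the scaffold placeholder `charts.my.domain`, while the bundle's ClusterServiceVersion in this same patch grants the operator rights on `charts.helm.k8s.io` and the bundled CRD file is named for that group. Installing from `config/` would therefore create a different API group than the one the OLM bundle ships, and the editor and viewer roles under `config/rbac` follow the placeholder as well. Use one group throughout, e.g. `group: charts.helm.k8s.io` with `name: openshiftpipelines.charts.helm.k8s.io`. Separately, `x-kubernetes-preserve-unknown-fields: true` on `spec` means the API server validates nothing a user puts there, so any input checks have to live in the chart itself.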
@@ -0,0 +1,6 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+- bases/charts.my.domain_openshiftpipelines.yaml
+# +kubebuilder:scaffold:crdkustomizeresource
diff --git a/Openshift4/operator/pipeline-operator/config/default/kustomization.yaml b/Openshift4/operator/pipeline-operator/config/default/kustomization.yaml
new file mode 100644
index 0000000..f6367cb
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/default/kustomization.yaml
@@ -0,0 +1,26 @@
+# Adds namespace to all resources.
+namespace: pipeline-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: pipeline-operator-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+# someName: someValue
+
+bases:
+- ../crd
+- ../rbac
+- ../manager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+patchesStrategicMerge:
+ # Protect the /metrics endpoint by putting it behind auth.
+ # If you want your controller-manager to expose the /metrics
+ # endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
diff --git a/Openshift4/operator/pipeline-operator/config/default/manager_auth_proxy_patch.yaml b/Openshift4/operator/pipeline-operator/config/default/manager_auth_proxy_patch.yaml
new file mode 100644
index 0000000..1e19eca
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/default/manager_auth_proxy_patch.yaml
@@ -0,0 +1,26 @@
+# This patch inject a sidecar container which is a HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: kube-rbac-proxy
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+ args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--v=10"
+ ports:
+ - containerPort: 8443
+ name: https
+ - name: manager
+ args:
+ - "--metrics-addr=127.0.0.1:8080"
+ - "--enable-leader-election"
+ - "--leader-election-id=pipeline-operator"
diff --git a/Openshift4/operator/pipeline-operator/config/manager/kustomization.yaml b/Openshift4/operator/pipeline-operator/config/manager/kustomization.yaml
new file mode 100644
index 0000000..5c5f0b8
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/manager/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- manager.yaml
diff --git a/Openshift4/operator/pipeline-operator/config/manager/manager.yaml b/Openshift4/operator/pipeline-operator/config/manager/manager.yaml
new file mode 100644
index 0000000..4b9e761
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/manager/manager.yaml
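Review bot: `--v=10` on the `kube-rbac-proxy` sidecar turns on debug-level logging in the one component that receives every metrics client's bearer token. At that verbosity the proxy is likely to write request details, possibly including credentials, into pod logs, which are usually readable by more people than are allowed to call the endpoint. Lower it for anything beyond local debugging, e.g. `- "--v=0"`. The sidecar image is also referenced by the mutable tag `v0.5.0`; pinning it by digest would keep the deployed proxy fixed.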
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+ labels:
+ control-plane: controller-manager
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - image: controller:latest
+ args:
+ - "--enable-leader-election"
+ - "--leader-election-id=pipeline-operator"
+ name: manager
+ resources:
+ limits:
+ cpu: 100m
+ memory: 90Mi
+ requests:
+ cpu: 100m
+ memory: 60Mi
+ terminationGracePeriodSeconds: 10
diff --git a/Openshift4/operator/pipeline-operator/config/prometheus/kustomization.yaml b/Openshift4/operator/pipeline-operator/config/prometheus/kustomization.yaml
new file mode 100644
index 0000000..ed13716
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/prometheus/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- monitor.yaml
diff --git a/Openshift4/operator/pipeline-operator/config/prometheus/monitor.yaml b/Openshift4/operator/pipeline-operator/config/prometheus/monitor.yaml
new file mode 100644
index 0000000..9b8047b
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/prometheus/monitor.yaml
@@ -0,0 +1,16 @@
+
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: controller-manager-metrics-monitor
+ namespace: system
+spec:
+ endpoints:
+ - path: /metrics
+ port: https
+ selector:
+ matchLabels:
+ control-plane: controller-manager
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_client_clusterrole.yaml b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644
index 0000000..7d62534
--- /dev/null
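Review bot: The `manager` container in `manager.yaml` has no `securityContext`, so it runs with whatever user and privilege-escalation defaults the image and the cluster admit, even though this pod ends up holding the cluster-wide rights defined in `config/rbac/role.yaml`. Add `securityContext: {allowPrivilegeEscalation: false}` under the container, and `runAsNonRoot: true` as well if the operator image supports it (not visible here). `image: controller:latest` is presumably the kustomize placeholder; whatever replaces it should be a fixed tag or digest rather than `latest`.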
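Review bot: The endpoint in `monitor.yaml` names the `https` port but sets no `scheme`, and a ServiceMonitor endpoint is scraped over plain HTTP unless told otherwise, so the scrape would fail against the TLS listener that kube-rbac-proxy opens on 8443. It also presents no credentials, although the proxy authorizes every caller. Add `scheme: https` and `bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token` to the endpoint, together with a `tlsConfig` that names the CA the proxy's certificate chains to.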
+++ b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,7 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: metrics-reader
+rules:
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role.yaml b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role.yaml
new file mode 100644
index 0000000..618f5e4
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+ resources:
+ - subjectaccessreviews
+ verbs: ["create"]
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role_binding.yaml b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role_binding.yaml
new file mode 100644
index 0000000..48ed1e4
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: system
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_service.yaml b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_service.yaml
new file mode 100644
index 0000000..6cf656b
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/auth_proxy_service.yaml
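Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` in `auth_proxy_client_clusterrole.yaml` is the only RBAC object in this patch that is not on `v1`. The beta RBAC API is deprecated and was removed in Kubernetes 1.22, so this one file would fail to apply on newer clusters while the rest of `config/rbac` still works. Change it to `apiVersion: rbac.authorization.k8s.io/v1`; the rule itself needs no other change.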
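Review bot: The subject in `auth_proxy_role_binding.yaml` is the namespace's `default` ServiceAccount, and the same subject is used in `leader_election_role_binding.yaml` and `role_binding.yaml` further down. `manager.yaml` sets no `serviceAccountName`, so the operator does run as `default`, but so does every other pod in that namespace that omits the field, and each of them would inherit the cluster-wide `manager-role` rights. Create a dedicated ServiceAccount for the operator, name it in all three bindings (e.g. `name: controller-manager`), and set `serviceAccountName: controller-manager` in the Deployment's pod spec.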
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: controller-manager-metrics-service
+ namespace: system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: controller-manager
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/kustomization.yaml b/Openshift4/operator/pipeline-operator/config/rbac/kustomization.yaml
new file mode 100644
index 0000000..66c2833
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/leader_election_role.yaml b/Openshift4/operator/pipeline-operator/config/rbac/leader_election_role.yaml
new file mode 100644
index 0000000..53e9749
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/leader_election_role.yaml
@@ -0,0 +1,25 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/leader_election_role_binding.yaml b/Openshift4/operator/pipeline-operator/config/rbac/leader_election_role_binding.yaml
new file mode 100644
index 0000000..eed1690
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: system
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_editor_role.yaml b/Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_editor_role.yaml
new file mode 100644
index 0000000..07084e8
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_editor_role.yaml
@@ -0,0 +1,24 @@
+# permissions for end users to edit openshiftpipelines.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: openshiftpipelines-editor-role
+rules:
+- apiGroups:
+ - charts.my.domain
+ resources:
+ - openshiftpipelines
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - charts.my.domain
+ resources:
+ - openshiftpipelines/status
+ verbs:
+ - get
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_viewer_role.yaml b/Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_viewer_role.yaml
new file mode 100644
index 0000000..eed2a3f
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/openshiftpipelines_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions for end users to view openshiftpipelines.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: openshiftpipelines-viewer-role
+rules:
+- apiGroups:
+ - charts.my.domain
+ resources:
+ - openshiftpipelines
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - charts.my.domain
+ resources:
+ - openshiftpipelines/status
+ verbs:
+ - get
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/role.yaml b/Openshift4/operator/pipeline-operator/config/rbac/role.yaml
new file mode 100644
index 0000000..b2a1317
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/role.yaml
@@ -0,0 +1,77 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+##
+## Base operator rules
+##
+# We need to get namespaces so the operator can read namespaces to ensure they exist
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+# We need to manage Helm release secrets
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - "*"
+# We need to create events on CRs about things happening during reconciliation
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+
+##
+## Rules for charts.my.domain/v1alpha1, Kind: OpenshiftPipelines
+##
+- apiGroups:
+ - charts.my.domain
+ resources:
+ - openshiftpipelines
+ - openshiftpipelines/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- verbs:
+ - "*"
+ apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "clusterrolebindings"
+ - "clusterroles"
+- verbs:
+ - "*"
+ apiGroups:
+ - "apps"
+ resources:
+ - "statefulsets"
+- verbs:
+ - "*"
+ apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ - "secrets"
+ - "serviceaccounts"
+ - "services"
+- verbs:
+ - "*"
+ apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "roles"
+
+# +kubebuilder:scaffold:rules
diff --git a/Openshift4/operator/pipeline-operator/config/rbac/role_binding.yaml b/Openshift4/operator/pipeline-operator/config/rbac/role_binding.yaml
new file mode 100644
index 0000000..8f26587
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/rbac/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: system
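Review bot: `manager-role` in `role.yaml` is a ClusterRole that grants `"*"` verbs on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings`, and on `secrets` in every namespace. The wildcard includes `bind` and `escalate`, so the bound account can give itself any permission in the cluster, and anyone who compromises the operator pod can read every Secret. List the verbs the chart actually uses instead, e.g. `verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`, and drop the cluster-scoped RBAC resources unless the chart really creates ClusterRoles. If the operator only manages releases in its own namespace, a namespaced Role and RoleBinding would remove the cross-namespace Secret access altogether. `secrets` also appears in two rules; one is enough.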
diff --git a/Openshift4/operator/pipeline-operator/config/samples/charts_v1alpha1_openshiftpipelines.yaml b/Openshift4/operator/pipeline-operator/config/samples/charts_v1alpha1_openshiftpipelines.yaml
new file mode 100644
index 0000000..9904e58
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/samples/charts_v1alpha1_openshiftpipelines.yaml
@@ -0,0 +1,1291 @@ +apiVersion: charts.my.domain/v1alpha1 +kind: OpenshiftPipelines +metadata: + name: openshiftpipelines-sample +spec: + # Default values copied from /helm-charts/openshift-pipelines/values.yaml + pipelines: + buildPlane: + dynamic: + customer: + accountId: "" + nodePoolName: "" + nodelimit: "" + provider: + aws: + accessKey: "" + enabled: false + instanceType: c4.xlarge + keyPairName: testaccountSSHKeyPair + nodePoolName: aws-dynamic-node-pool + nodelimit: "3" + region: us-east-1 + secretKey: "" + securityGroupId: testsecuritygroupId + subnetId: test-subnetId + vpcId: testVPCId + k8s: + cpu: "1" + enabled: false + kubeconfig: "" + memory: "1000" + namespace: default + nodePoolName: k8s-dynamic-node-pool + nodelimit: "3" + storageClass: standard + filebeat: + enabled: false + filebeatYml: | + logging.level: info + path.data: {{ .Values.pipelines.logPath }}/filebeat + name: pipelines-filebeat + queue.spool: ~ + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.pipelines.logPath }}/*.log + fields: + service: "jfpip" + log_type: "pipelines" + output: + logstash: + hosts: ["{{ .Values.filebeat.logstashUrl }}"] + image: + repository: docker.elastic.co/beats/filebeat + version: 7.5.1 + livenessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + logstashUrl: logstash:5044 + name: pipelines-filebeat + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + filebeat test output + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + resources: {} + terminationGracePeriod: 10 + global: + postgresql: + database: OVERRIDE + host: OVERRIDE + password: OVERRIDE + port: OVERRIDE + ssl: OVERRIDE + user: OVERRIDE + vault: {} + imageRegistry: registry.connect.redhat.com + initContainer: + image: 
registry.connect.redhat.com/jfrog/pipelines-init:1.8.0 + pullPolicy: IfNotPresent + initContainers: + resources: {} + pipelines: + accessControlAllowOrigins_0: OVERRIDE + accessControlAllowOrigins_1: OVERRIDE + affinity: {} + api: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-api + ingress: + annotations: {} + enabled: false + hosts: + - chart-example.local + path: / + tls: [] + livenessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 20 + path: / + periodSeconds: 10 + port: api + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 20 + path: / + periodSeconds: 10 + port: api + successThreshold: 1 + timeoutSeconds: 10 + resources: {} + service: + loadBalancerSourceRanges: [] + port: 30000 + type: ClusterIP + artifactoryHealthCheckIntervalInMins: 1 + artifactoryServiceId: FFFFFFFFFFFF + authToken: c7595edd-b63d-4fd6-9e1e-13924d6637f0 + autoscaling: + enabled: false + maxReplicas: 3 + minReplicas: 1 + targetCPUUtilizationPercentage: 70 + configMaps: "" + cron: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + customInitContainers: "" + customInitContainersBegin: | + - name: "redhat-custom-setup" + image: {{ .Values.initContainer.image }} + imagePullPolicy: Always + command: + - 'sh' + - '-c' + - 'chown -R {{ .Values.securityContext.uid }}:{{ .Values.securityContext.gid }} {{ .Values.pipelines.mountPath }} && chown -R {{ .Values.securityContext.uid }}:{{ .Values.securityContext.gid }} {{ .Values.pipelines.logPath }}' + securityContext: + runAsUser: 0 + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: "{{ .Values.pipelines.mountPath }}" + - name: jfrog-pipelines-logs + mountPath: {{ .Values.pipelines.logPath }} + customSidecarContainers: "" + customVolumeMounts: "" + customVolumes: "" + extensionSync: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + hookHandler: + image: 
+ pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + jfrogUrl: OVERRIDE + jfrogUrlUI: OVERRIDE + joinKey: OVERRIDE + licenseId: FFFFFFFFF + logPath: /opt/jfrog/pipelines/var/log + logup: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + marshaller: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + masterKey: OVERRIDE + mountPath: /opt/jfrog/pipelines/var/etc + msg: + uiUser: OVERRIDE + uiUserPassword: OVERRIDE + nexec: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + nodeSelector: {} + pipelineSync: + image: + pullPolicy: Always + repository: jfrog/pipelines-micro + resources: {} + pipelinesInit: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-installer + resources: {} + rabbitmqHealthCheckIntervalInMins: 1 + rbac: + role: + rules: + - apiGroups: + - "" + - extensions + - apps + resources: + - deployments + - persistentvolumes + - persistentvolumeclaims + - pods + - deployments/scale + verbs: + - '*' + replicaCount: 1 + rootBucket: jfrogpipelines + router: + externalPort: 8082 + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-router + internalPort: 8046 + mountPath: /opt/jfrog/router/var/etc + resources: {} + runTrigger: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + serviceId: jfpip@12345 + stepTrigger: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-micro + resources: {} + systemYaml: | + {{- if .Values.router.routerConfiguration }} + router: + ## Router configuration + topology: + external: + refresh: + interval: "{{ .Values.router.topology.external.refresh.interval }}" + serviceRegistry: + url: "{{ .Values.router.serviceRegistry.url }}" + {{- end }} + shared: + ## Artifactory configuration + ## + artifactory: + ## Artifactory URL + ## + baseUrl: "{{ tpl (required "\n\npipelines.jfrogUrl is required!\n" 
.Values.pipelines.jfrogUrl) . }}" + ## Unified UI URL + ## + baseUrlUI: "{{ tpl (required "\n\npipelines.jfrogUrlUI is required!\n" .Values.pipelines.jfrogUrlUI) . }}" + ## Pipelines Service ID + ## + serviceId: "{{ .Values.pipelines.serviceId }}" + ## Artifactory Service ID + ## + artifactoryServiceId: "{{ .Values.pipelines.artifactoryServiceId }}" + ## Artifactory License ID + ## + licenseId: "{{ .Values.pipelines.licenseId }}" + ## Proxy to connect to Artifactory + ## + proxy: + url: "" + username: "" + password: "" + + ## Router configuration + ## + router: + ip: "" + accessPort: {{ .Values.pipelines.router.internalPort }} + dataPort: {{ .Values.pipelines.router.externalPort }} + joinKey: "{{ .Values.pipelines.joinKey }}" + + security: + masterKey: "{{ .Values.pipelines.masterKey }}" + + ## Database configuration + ## + db: + type: "postgres" + {{- if .Values.postgresql.enabled }} + ip: {{ tpl .Release.Name . }}-postgresql + port: "{{ .Values.postgresql.service.port }}" + name: {{ .Values.postgresql.postgresqlDatabase }} + username: {{ .Values.postgresql.postgresqlUsername }} + password: {{ .Values.postgresql.postgresqlPassword }} + {{- else }} + ip: {{ tpl .Values.global.postgresql.host . }} + port: "{{ .Values.global.postgresql.port }}" + name: {{ .Values.global.postgresql.database }} + username: {{ .Values.global.postgresql.user }} + password: {{ .Values.global.postgresql.password }} + {{- end }} + externalUrl: "" + {{- if .Values.postgresql.enabled }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%s-postgresql:%v/%s" .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword .Release.Name .Values.postgresql.service.port .Values.postgresql.postgresqlDatabase) . 
}}" + {{- else if and (not .Values.postgresql.enabled) (.Values.global.postgresql.ssl) }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%v:%v/%s?sslmode=require" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . }}" + {{- else }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%v:%v/%s" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . }}" + {{- end }} + + ## RabbitMQ configuration + ## + msg: + {{- if .Values.rabbitmq.enabled }} + ip: {{ .Release.Name }}-rabbitmq + port: {{ .Values.rabbitmq.service.port }} + adminPort: {{ .Values.rabbitmq.service.managerPort }} + erlangCookie: {{ .Values.rabbitmq.rabbitmq.erlangCookie }} + username: {{ .Values.rabbitmq.rabbitmq.username }} + password: {{ .Values.rabbitmq.rabbitmq.password }} + defaultExchange: pipelinesEx + amqpVhost: pipelines + amqpRootVhost: pipelinesRoot + {{- else }} + ip: {{ tpl .Values.rabbitmq.internal_ip . 
}} + port: {{ .Values.rabbitmq.port}} + adminPort: {{ .Values.rabbitmq.manager_port }} + erlangCookie: {{ .Values.rabbitmq.erlang_cookie }} + username: {{ .Values.rabbitmq.ms_username }} + password: {{ .Values.rabbitmq.ms_password }} + defaultExchange: {{ .Values.rabbitmq.root_vhost_exchange_name }} + amqpVhost: {{ .Values.rabbitmq.build_vhost_name}} + amqpRootVhost: {{ .Values.rabbitmq.root_vhost_name }} + protocol: {{ .Values.rabbitmq.protocol }} + {{- end }} + queues: + - "core.pipelineSync" + - "core.runTrigger" + - "core.stepTrigger" + - "core.marshaller" + - "cluster.init" + - "core.logup" + - "www.signals" + - "core.nexec" + - "core.hookHandler" + - "core.extensionSync" + ui: + {{- if .Values.rabbitmq.enabled }} + username: {{ .Values.pipelines.msg.uiUser }} + password: {{ .Values.pipelines.msg.uiUserPassword }} + {{- else }} + protocol: http + username: {{ .Values.rabbitmq.cp_username }} + password: {{ .Values.rabbitmq.cp_password }} + {{- end }} + external: + ## URL for build plane VMs to access RabbitMQ + {{- if .Values.rabbitmq.externalUrl }} + url: {{ .Values.rabbitmq.externalUrl }} + {{- else if (and .Values.rabbitmq.serviceVmLb.enabled .Values.rabbitmq.serviceVmLb.loadBalancerIP) }} + url: amqp://{{ .Values.rabbitmq.serviceVmLb.loadBalancerIP }} + {{- else if .Values.rabbitmq.enabled }} + url: amqp://{{ tpl .Release.Name . }}-rabbitmq + {{- else }} + url: {{ .Values.rabbitmq.protocol }}://{{ tpl .Values.rabbitmq.msg_hostname . }}:{{ .Values.rabbitmq.port }} + {{- end }} + rootUrl: "" + adminUrl: "" + {{- if not .Values.rabbitmq.enabled }} + build: + username: {{ .Values.rabbitmq.build_username }} + password: {{ .Values.rabbitmq.build_password }} + {{- end }} + + ## Vault configuration + ## + vault: + {{- if .Values.vault.enabled }} + ip: {{ include "pipelines.vault.name" . 
}} + port: {{ .Values.vault.service.port }} + {{- else }} + ip: {{ .Values.global.vault.host }} + port: {{ .Values.global.vault.port }} + {{- end }} + ## DO NOT CHANGE THE TOKEN VALUE!!! + token: "_VAULT_TOKEN_" + unsealKeys: + - "" + - "" + - "" + - "" + - "" + + ## Redis configuration + ## + redis: + ip: {{ .Release.Name }}-redis-master + port: 6379 + clusterEnabled: false + + ## This section is used for bringing up the core services and setting up + ## configurations required by the installer & the services + ## + core: + ## id is automatically determined based on the current hostname + ## or set using the SHARED_NODE_ID environment variable. + ## + id: "afd8df9d08bf257ae9b7d7dbbf348b7a3a574ebdd3a61d350d4b64e3129dee85" + installerIP: "1.2.3.4" + installerAuthToken: "{{ .Values.pipelines.authToken }}" + installerImage: "jfrog/pipelines-installer" + registryUrl: "{{ .Values.imageRegistry }}" + os: "Ubuntu_16.04" + osDistribution: "xenial" + architecture: "x86_64" + dockerVersion: "" + runMode: "{{ .Values.runMode }}" + user: "" + group: "" + noVerifySsl: false + ignoreTLSErrors: false + controlplaneVersion: "{{ default .Chart.AppVersion .Values.pipelines.version }}" + buildplaneVersion: "{{ default .Chart.AppVersion .Values.pipelines.version }}" + accessControlAllowOrigins: + - {{ .Values.pipelines.accessControlAllowOrigins_0 }} + - {{ .Values.pipelines.accessControlAllowOrigins_1 }} + rabbitmqHealthCheckIntervalInMins: {{ .Values.pipelines.rabbitmqHealthCheckIntervalInMins}} + artifactoryHealthCheckIntervalInMins: {{ .Values.pipelines.artifactoryHealthCheckIntervalInMins}} + ## Global proxy settings, to be applied to all services + ## + proxy: + httpProxy: "" + httpsProxy: "" + noProxy: "" + username: "" + password: "" + + ## Mailserver settings + ## + mailserver: + host: "" + port: "" + username: "" + password: "" + tls: "" + ssl: "" + apiRetryIntervalMs: 3000 + accountSyncFrequencyHr: 1 + imageRegistrySecret: "{{ .Values.imagePullSecrets }}" + 
hardDeleteIntervalInMins: 60 + configBackupCount: 5 + lastUpdateTime: "" + callHomeUrl: "https://api.bintray.com/products/jfrog/pipelines/stats/usage" + allowCallHome: true + serviceInstanceHealthCheckIntervalInMins: 1 + serviceInstanceStatsCutOffIntervalInHours: 24 + + ## Service configuration + ## + services: + api: + name: {{ include "pipelines.api.name" . }} + port: {{ .Values.pipelines.api.service.port }} + {{- if (and .Values.pipelines.api.ingress.enabled .Values.pipelines.api.ingress.tls) }} + {{- range .Values.pipelines.api.ingress.hosts }} + externalUrl: https://{{ . }} + {{- end }} + {{- else if .Values.pipelines.api.ingress.enabled }} + {{- range .Values.pipelines.api.ingress.hosts }} + externalUrl: http://{{ . }} + {{- end }} + {{- else }} + externalUrl: {{ .Values.pipelines.api.externalUrl }} + {{- end }} + www: + name: {{ include "pipelines.www.name" . }} + port: {{ .Values.pipelines.www.service.port }} + {{- if (and .Values.pipelines.www.ingress.enabled .Values.pipelines.www.ingress.tls) }} + {{- range .Values.pipelines.www.ingress.hosts }} + externalUrl: https://{{ . }} + {{- end }} + {{- else if .Values.pipelines.www.ingress.enabled }} + {{- range .Values.pipelines.www.ingress.hosts }} + externalUrl: http://{{ . 
}} + {{- end }} + {{- else }} + externalUrl: {{ .Values.pipelines.www.externalUrl }} + {{- end }} + sessionSecret: "{{ .Values.pipelines.authToken }}" + pipelineSync: + name: pipelineSync + runTrigger: + name: runTrigger + stepTrigger: + name: stepTrigger + cron: + name: cron + nexec: + name: nexec + hookHandler: + name: hookHandler + marshaller: + name: marshaller + extensionSync: + name: extensionSync + + ## Runtime configuration + ## + runtime: + rootBucket: "{{ .Values.pipelines.rootBucket }}" + defaultMinionCount: 1 + nodeCacheIntervalMS: 600000 + jobConsoleBatchSize: 10 + jobConsoleBufferIntervalMs: 3 + maxDiskUsagePercentage: 90 + stepTimeoutMS: 3600000 + nodeStopDayOfWeek: 0 + nodeStopIntervalDays: 30 + maxNodeCheckInDelayMin: 15 + defaultMinionInstanceSize: "c4.large" + allowDynamicNodes: true + allowCustomNodes: true + {{- range $key, $value := .Values.runtimeOverride }} + {{ $key }}: {{ $value | quote }} + {{- end }} + languageImages: + - architecture: x86_64 + os: Ubuntu_16.04 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: Ubuntu_16.04 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16java + defaultVersion: 13 + - architecture: x86_64 + os: Ubuntu_16.04 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: Ubuntu_16.04 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: Ubuntu_18.04 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: Ubuntu_18.04 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18java + defaultVersion: 13 + - architecture: x86_64 + os: Ubuntu_18.04 + language: cpp + registryUrl: docker.bintray.io + image: 
jfrog/pipelines-u18cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: Ubuntu_18.04 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: CentOS_7 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: CentOS_7 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7java + defaultVersion: 11 + - architecture: x86_64 + os: CentOS_7 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7cpp + defaultVersion: 3.4.2 + - architecture: x86_64 + os: CentOS_7 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: WindowsServer_2019 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19node + defaultVersion: 10.18.0 + - architecture: x86_64 + os: WindowsServer_2019 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19java + defaultVersion: 11 + - architecture: x86_64 + os: WindowsServer_2019 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: WindowsServer_2019 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: WindowsServer_2019 + language: dotnetcore + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19dotnetcore + isDefault: true + defaultVersion: 3.1 + - architecture: x86_64 + os: RHEL_7 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: RHEL_7 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7java + defaultVersion: 11 + - architecture: x86_64 + os: RHEL_7 + language: cpp + registryUrl: docker.bintray.io + 
image: jfrog/pipelines-c7cpp + defaultVersion: 3.4.2 + - architecture: x86_64 + os: RHEL_7 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7go + defaultVersion: 1.12.14 + tolerations: [] + updateStrategy: RollingUpdate + version: 1.8.0 + www: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-www + ingress: + annotations: {} + enabled: false + hosts: + - chart-example.local + path: / + tls: [] + livenessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 20 + path: / + periodSeconds: 10 + port: www + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 20 + path: / + periodSeconds: 10 + port: www + successThreshold: 1 + timeoutSeconds: 10 + resources: {} + service: + loadBalancerSourceRanges: [] + port: 30001 + type: ClusterIP + postgresql: + enabled: false + extraEnv: [] + global: + postgresql: + database: OVERRIDE + host: OVERRIDE + password: OVERRIDE + port: OVERRIDE + ssl: OVERRIDE + user: OVERRIDE + vault: {} + image: + debug: false + pullPolicy: IfNotPresent + registry: docker.bintray.io + repository: bitnami/postgresql + tag: 9.6.18-debian-10-r7 + ldap: + baseDN: "" + bindDN: "" + enabled: false + port: "" + prefix: "" + scheme: "" + search_attr: "" + search_filter: "" + server: "" + suffix: "" + tls: false + url: "" + livenessProbe: + enabled: true + failureThreshold: 6 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + master: + affinity: {} + annotations: {} + extraInitContainers: [] + extraVolumeMounts: [] + extraVolumes: [] + labels: {} + nodeSelector: {} + podAnnotations: {} + podLabels: {} + priorityClassName: "" + resources: {} + service: {} + sidecars: [] + tolerations: [] + metrics: + enabled: false + image: + pullPolicy: IfNotPresent + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.8.0-debian-10-r72 + livenessProbe: + enabled: true + failureThreshold: 6 + 
initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + prometheusRule: + additionalLabels: {} + enabled: false + namespace: "" + rules: [] + readinessProbe: + enabled: true + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + enabled: false + runAsUser: 1001 + service: + annotations: + prometheus.io/port: "9187" + prometheus.io/scrape: "true" + type: ClusterIP + serviceMonitor: + additionalLabels: {} + enabled: false + networkPolicy: + allowExternal: true + enabled: false + explicitNamespacesSelector: {} + persistence: + accessModes: + - ReadWriteOnce + annotations: {} + enabled: true + mountPath: /bitnami/postgresql + size: 50Gi + subPath: "" + postgresqlDataDir: /bitnami/postgresql/data + postgresqlDatabase: pipelinesdb + postgresqlPassword: "" + postgresqlUsername: apiuser + readinessProbe: + enabled: true + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + replication: + applicationName: my_application + enabled: false + numSynchronousReplicas: 0 + password: repl_password + slaveReplicas: 1 + synchronousCommit: "off" + user: repl_user + resources: + requests: + cpu: 250m + memory: 256Mi + securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + service: + annotations: {} + port: 5432 + type: ClusterIP + serviceAccount: + enabled: false + shmVolume: + chmod: + enabled: true + enabled: true + slave: + affinity: {} + annotations: {} + extraInitContainers: | + # - name: do-something + # image: busybox + # command: ['do', 'something'] + extraVolumeMounts: [] + extraVolumes: [] + labels: {} + nodeSelector: {} + podAnnotations: {} + podLabels: {} + priorityClassName: "" + service: {} + sidecars: [] + tolerations: [] + updateStrategy: + type: RollingUpdate + volumePermissions: + enabled: false + image: + pullPolicy: Always + registry: docker.io + repository: bitnami/minideb + tag: buster + 
securityContext: + runAsUser: 0 + rabbitmq: + affinity: {} + enabled: true + externalUrl: OVERRIDE + extraSecrets: {} + extraVolumeMounts: [] + extraVolumes: [] + forceBoot: + enabled: false + global: + postgresql: + database: OVERRIDE + host: OVERRIDE + password: OVERRIDE + port: OVERRIDE + ssl: OVERRIDE + user: OVERRIDE + vault: {} + image: + debug: false + pullPolicy: IfNotPresent + registry: quay.io + repository: jfrog/rabbitmq + tag: 3.9.1 + ingress: + annotations: {} + enabled: false + path: / + tls: true + tlsSecret: myTlsSecret + ldap: + enabled: false + port: "389" + server: "" + tls: + enabled: false + user_dn_pattern: cn=${username},dc=example,dc=org + livenessProbe: + commandOverride: [] + enabled: true + failureThreshold: 6 + initialDelaySeconds: 120 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 20 + metrics: + enabled: false + plugins: rabbitmq_prometheus + podAnnotations: + prometheus.io/port: '{{ .Values.metrics.port }}' + prometheus.io/scrape: "true" + port: 9419 + prometheusRule: + additionalLabels: {} + enabled: false + namespace: "" + rules: [] + serviceMonitor: + additionalLabels: {} + enabled: false + honorLabels: false + interval: 30s + networkPolicy: + allowExternal: true + enabled: false + nodeSelector: {} + persistence: + accessMode: ReadWriteOnce + enabled: true + path: /opt/bitnami/rabbitmq/var/lib/rabbitmq + size: 20Gi + podAnnotations: {} + podDisruptionBudget: {} + podLabels: {} + podManagementPolicy: OrderedReady + protocol: amqps + rabbitmq: + advancedConfiguration: "" + clustering: + address_type: hostname + k8s_domain: cluster.local + rebalance: false + configuration: |- + ## Clustering + cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s + cluster_formation.k8s.host = kubernetes.default.svc.cluster.local + cluster_formation.node_cleanup.interval = 10 + cluster_formation.node_cleanup.only_log_warning = true + cluster_partition_handling = autoheal + # queue master locator + 
queue_master_locator=min-masters + # enable guest user + loopback_users.guest = false + env: {} + erlangCookie: PIPELINESRABBITMQCLUSTER + extraConfiguration: |- + #disk_free_limit.absolute = 50MB + #management.load_definitions = /app/load_definition.json + extraPlugins: "" + loadDefinition: + enabled: false + secretName: load-definition + logs: '-' + maxAvailableSchedulers: 2 + onlineSchedulers: 1 + password: bitnami + plugins: rabbitmq_management rabbitmq_peer_discovery_k8s + setUlimitNofiles: true + tls: + caCertificate: "" + enabled: false + failIfNoPeerCert: true + serverCertificate: "" + serverKey: "" + sslOptionsVerify: verify_peer + ulimitNofiles: "65536" + username: user + rbacEnabled: true + readinessProbe: + commandOverride: [] + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 20 + replicas: 1 + resources: {} + securityContext: + enabled: true + extra: {} + fsGroup: 1001 + runAsUser: 1001 + service: + annotations: {} + distPort: 25672 + managerPort: 15672 + port: 5672 + tlsPort: 5671 + type: ClusterIP + serviceVmLb: + enabled: false + loadBalancerSourceRanges: [] + tolerations: [] + updateStrategy: + type: RollingUpdate + volumePermissions: + enabled: false + image: + pullPolicy: Always + registry: docker.io + repository: bitnami/minideb + tag: buster + resources: {} + rbac: + create: true + redis: + cluster: + enabled: false + slaveCount: 2 + clusterDomain: cluster.local + configmap: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. 
+ save "" + enabled: true + global: + postgresql: + database: OVERRIDE + host: OVERRIDE + password: OVERRIDE + port: OVERRIDE + ssl: OVERRIDE + user: OVERRIDE + redis: {} + vault: {} + image: + pullPolicy: IfNotPresent + registry: registry.redhat.io + repository: rhel8/redis-5 + tag: 1-98 + master: + affinity: {} + command: container-entrypoint run-redis + configmap: |- + appendonly yes + loglevel notice + disableCommands: + - FLUSHDB + - FLUSHALL + extraFlags: [] + livenessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + persistence: + accessModes: + - ReadWriteOnce + enabled: true + matchExpressions: {} + matchLabels: {} + path: /data + size: 8Gi + subPath: "" + podAnnotations: {} + podLabels: {} + readinessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + service: + annotations: {} + labels: {} + port: 6379 + type: ClusterIP + statefulset: + updateStrategy: RollingUpdate + metrics: + enabled: false + image: + pullPolicy: IfNotPresent + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.5.2-debian-10-r21 + podAnnotations: + prometheus.io/port: "9121" + prometheus.io/scrape: "true" + prometheusRule: + additionalLabels: {} + enabled: false + namespace: "" + rules: [] + service: + annotations: {} + labels: {} + type: ClusterIP + serviceMonitor: + enabled: false + selector: + prometheus: kube-prometheus + networkPolicy: + enabled: false + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + password: "" + persistence: {} + podSecurityPolicy: + create: false + rbac: + create: false + role: + rules: [] + redisPort: 6379 + securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + sentinel: + downAfterMilliseconds: 60000 + enabled: false + failoverTimeout: 18000 + image: + pullPolicy: IfNotPresent + registry: docker.io + repository: bitnami/redis-sentinel + tag: 
5.0.8-debian-10-r25 + initialCheckTimeout: 5 + livenessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + masterSet: mymaster + parallelSyncs: 1 + port: 26379 + quorum: 2 + readinessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + service: + annotations: {} + labels: {} + redisPort: 6379 + sentinelPort: 26379 + type: ClusterIP + staticID: false + usePassword: true + serviceAccount: + create: false + slave: + affinity: {} + command: /run.sh + configmap: null + disableCommands: + - FLUSHDB + - FLUSHALL + extraFlags: [] + livenessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + persistence: + accessModes: + - ReadWriteOnce + enabled: true + matchExpressions: {} + matchLabels: {} + path: /data + size: 8Gi + subPath: "" + podAnnotations: {} + podLabels: {} + port: 6379 + readinessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + resources: {} + service: + annotations: {} + labels: {} + port: 6379 + type: ClusterIP + statefulset: + updateStrategy: RollingUpdate + sysctlImage: + command: [] + enabled: false + mountHostSys: false + pullPolicy: Always + registry: docker.io + repository: bitnami/minideb + resources: {} + tag: buster + usePassword: false + usePasswordFile: false + volumePermissions: + enabled: false + image: + pullPolicy: Always + registry: docker.io + repository: bitnami/minideb + tag: buster + resources: {} + router: + routerConfiguration: false + serviceRegistry: {} + topology: + external: + refresh: + interval: 3s + runMode: production + runtimeOverride: {} + securityContext: + enabled: true + gid: "1000721117" + uid: "1000721117" + vault: + affinity: {} + configMaps: "" + customInitContainers: "" + 
customInitContainersBegin: "" + customVolumeMounts: "" + customVolumes: "" + disablemlock: false + enabled: true + image: + pullPolicy: IfNotPresent + repository: registry.connect.redhat.com/jfrog/pipelines-vault + tag: 1.8.0 + init: + image: + pullPolicy: IfNotPresent + repository: jfrog/pipelines-vault-init + nodeSelector: {} + rbac: + role: + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - '*' + resources: {} + service: + port: 30100 + type: ClusterIP + tolerations: [] + updateStrategy: RollingUpdate + + diff --git a/Openshift4/operator/pipeline-operator/config/scorecard/bases/config.yaml b/Openshift4/operator/pipeline-operator/config/scorecard/bases/config.yaml new file mode 100644 index 0000000..c770478 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/config/scorecard/bases/config.yaml @@ -0,0 +1,7 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: [] diff --git a/Openshift4/operator/pipeline-operator/config/scorecard/kustomization.yaml b/Openshift4/operator/pipeline-operator/config/scorecard/kustomization.yaml new file mode 100644 index 0000000..d73509e --- /dev/null +++ b/Openshift4/operator/pipeline-operator/config/scorecard/kustomization.yaml @@ -0,0 +1,16 @@ +resources: +- bases/config.yaml +patchesJson6902: +- path: patches/basic.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +- path: patches/olm.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +# +kubebuilder:scaffold:patchesJson6902 diff --git a/Openshift4/operator/pipeline-operator/config/scorecard/patches/basic.config.yaml b/Openshift4/operator/pipeline-operator/config/scorecard/patches/basic.config.yaml new file mode 100644 index 0000000..0016b65 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/config/scorecard/patches/basic.config.yaml 
@@ -0,0 +1,10 @@
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - basic-check-spec
+ image: quay.io/operator-framework/scorecard-test:v1.0.1
+ labels:
+ suite: basic
+ test: basic-check-spec-test
diff --git a/Openshift4/operator/pipeline-operator/config/scorecard/patches/olm.config.yaml b/Openshift4/operator/pipeline-operator/config/scorecard/patches/olm.config.yaml
new file mode 100644
index 0000000..a39bfc5
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/config/scorecard/patches/olm.config.yaml
@@ -0,0 +1,50 @@
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-bundle-validation
+ image: quay.io/operator-framework/scorecard-test:v1.0.1
+ labels:
+ suite: olm
+ test: olm-bundle-validation-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-crds-have-validation
+ image: quay.io/operator-framework/scorecard-test:v1.0.1
+ labels:
+ suite: olm
+ test: olm-crds-have-validation-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-crds-have-resources
+ image: quay.io/operator-framework/scorecard-test:v1.0.1
+ labels:
+ suite: olm
+ test: olm-crds-have-resources-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-spec-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.0.1
+ labels:
+ suite: olm
+ test: olm-spec-descriptors-test
+- op: add
+ path: /stages/0/tests/-
+ value:
+ entrypoint:
+ - scorecard-test
+ - olm-status-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.0.1
+ labels:
+ suite: olm
+ test: olm-status-descriptors-test
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/CHANGELOG.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/CHANGELOG.md
new file mode 100755
index 0000000..f2dd91c
--- /dev/null
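Review bot: The scorecard test image is referenced by a mutable tag, `image: quay.io/operator-framework/scorecard-test:v1.0.1`, in this patch and in all five entries of patches/olm.config.yaml, so what runs during bundle validation depends on whatever the registry serves for that tag at pull time. Pinning each reference to a verified digest, `image: quay.io/operator-framework/scorecard-test@sha256:<digest-of-v1.0.1>` (placeholder; the digest is not shown on this page), would make scorecard runs reproducible and keep a retagged image out of the test cluster. A short comment next to the digest naming the tag it corresponds to, e.g. `# scorecard-test v1.0.1`, keeps later upgrades readable.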
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/CHANGELOG.md
@@ -0,0 +1,8 @@
+# JFrog Openshift Pipelines Chart Changelog
+All changes to this chart will be documented in this file.
+
+## [1.5.4] Oct 7, 2020
+* Adding Openshift Pipelines helm chart version 1.5.4 app version 1.8.0
+
+## [1.4.5] Sept 21, 2020
+* Adding Openshift Pipelines helm chart version 1.4.5 app version 1.7.2
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/Chart.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/Chart.yaml
new file mode 100755
index 0000000..10b49ec
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+appVersion: 1.8.0
+description: A Helm chart for JFrog Pipelines
+home: https://jfrog.com/pipelines/
+icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/pipelines/icon/pipelines-logo.png
+keywords:
+ - pipelines
+ - jfrog
+ - devops
+maintainers:
+- email: vinaya@jfrog.com
+ name: Vinay Aggarwal
+- email: johnp@jfrog.com
+ name: John Peterson
+name: openshift-pipelines
+version: 1.5.4
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/LICENSE b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/LICENSE
new file mode 100755
index 0000000..8dada3e
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/README.md new file mode 100755 index 0000000..32cae28 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/README.md 
@@ -0,0 +1,223 @@
+# JFrog Pipelines on Kubernetes Helm Chart
+
+[JFrog Pipelines](https://jfrog.com/pipelines/)
+
+## Prerequisites Details
+
+* Kubernetes 1.12+
+
+## Chart Details
+
+This chart will do the following:
+
+- Deploy PostgreSQL (optionally with an external PostgreSQL instance)
+- Deploy RabbitMQ (optionally as an HA cluster)
+- Deploy Redis (optionally as an HA cluster)
+- Deploy Vault (optionally as an HA cluster)
+- Deploy JFrog Pipelines
+
+## Requirements
+
+- A running Kubernetes cluster
+ - Dynamic storage provisioning enabled
+ - Default StorageClass set to allow services using the default StorageClass for persistent storage
+- A running Artifactory 7.7.x with Enterprise+ License
+ - Precreated repository `jfrogpipelines` in Artifactory type `Generic` with layout `maven-2-default`
+- [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed and setup to use the cluster
+- [Helm](https://helm.sh/) v2 or v3 installed
+
+
+## Install JFrog Pipelines
+
+### Add ChartCenter Helm repository
+
+Before installing JFrog helm charts, you need to add the [ChartCenter helm repository](https://chartcenter.io) to your helm client
+
+```bash
+helm repo add center https://repo.chartcenter.io
+helm repo update
+```
+
+### Artifactory Connection Details
+
+In order to connect Pipelines to your Artifactory installation, you have to use a Join Key, hence it is *MANDATORY* to provide a Join Key and Jfrog Url to your Pipelines installation. Here's how you do that:
+
+Retrieve the connection details of your Artifactory installation, from the UI - https://www.jfrog.com/confluence/display/JFROG/General+Security+Settings#GeneralSecuritySettings-ViewingtheJoinKey.
+
+### Install Pipelines Chart with Ingress
+
+#### Pre-requisites
+
+Before deploying Pipelines you need to have the following
+- A running Kubernetes cluster
+- An [Artifactory ](https://hub.helm.sh/charts/jfrog/artifactory) or [Artifactory HA](https://hub.helm.sh/charts/jfrog/artifactory-ha) with Enterprise+ License
+ - Precreated repository `jfrogpipelines` in Artifactiry type `Generic` with layout `maven-2-default`
+- Deployed [Nginx-ingress controller](https://hub.helm.sh/charts/stable/nginx-ingress)
+- [Optional] Deployed [Cert-manager](https://hub.helm.sh/charts/jetstack/cert-manager) for automatic management of TLS certificates with [Lets Encrypt](https://letsencrypt.org/)
+- [Optional] TLS secret needed for https access
+
+#### Prepare configurations
+
+Fetch the JFrog Pipelines helm chart to get the needed configuration files
+
+```bash
+helm fetch center/jfrog/pipelines --untar
+```
+
+Edit local copies of `values-ingress.yaml`, `values-ingress-passwords.yaml` and `values-ingress-external-secret.yaml` with the needed configuration values
+
+- URLs in `values-ingress.yaml`
+ - Artifactory URL
+ - Ingress hosts
+ - Ingress tls secrets
+- Passwords `uiUserPassword`, `postgresqlPassword` and `rabbitmq.password` must be set, and same for `masterKey` and `joinKey` in `values-ingress-passwords.yaml`
+
+#### Install JFrog Pipelines
+
+Install JFrog Pipelines
+
+```bash
+kubectl create ns pipelines
+helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f pipelines/values-ingress.yaml -f pipelines/values-ingress-passwords.yaml
+```
+
+### Use external secret
+
+**Note:** Best practice is to use external secrets instead of storing passwords in `values.yaml` files.
+
+Don't forget to **update** URLs in `values-ingress-external-secret.yaml` file.
+
+Fill in all required passwords, `masterKey` and `joinKey` in `values-ingress-passwords.yaml` and then create and install the external secret.
+
+**Note:** Helm release name for secrets generation and `helm install` must be set the same, in this case it is `pipelines`.
+
+With Helm v2:
+
+```bash
+## Generate pipelines-system-yaml secret
+helm template --name-template pipelines pipelines/ -x templates/pipelines-system-yaml.yaml \
+ -f pipelines/values-ingress-external-secret.yaml -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-database secret
+helm template --name-template pipelines pipelines/ -x templates/database-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-rabbitmq-secret secret
+helm template --name-template pipelines pipelines/ -x templates/rabbitmq-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+```
+
+With Helm v3:
+
+```bash
+## Generate pipelines-system-yaml secret
+helm template --name-template pipelines pipelines/ -s templates/pipelines-system-yaml.yaml \
+ -f pipelines/values-ingress-external-secret.yaml -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-database secret
+helm template --name-template pipelines pipelines/ -s templates/database-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-rabbitmq-secret secret
+helm template --name-template pipelines pipelines/ -s templates/rabbitmq-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+```
+
+Install JFrog Pipelines:
+
+```bash
+helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f values-ingress-external-secret.yaml
+```
+
+### Using external Rabbitmq
+
+If you want to use external Rabbitmq, set `rabbitmq.enabled=false` and create `values-external-rabbitmq.yaml` with below yaml configuration
+
+```yaml
+rabbitmq:
+ enabled: false
+ internal_ip: "{{ .Release.Name }}-rabbitmq"
+ msg_hostname: "{{ .Release.Name }}-rabbitmq"
+ port: 5672
+ manager_port: 15672
+ ms_username: admin
+ ms_password: password
+ cp_username: admin
+ cp_password: password
+ build_username: admin
+ build_password: password
+ root_vhost_exchange_name: rootvhost
+ erlang_cookie: secretcookie
+ build_vhost_name: pipelines
+ root_vhost_name: pipelinesRoot
+ protocol: amqp
+```
+
+```bash
+helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f values-external-rabbitmq.yaml
+```
+
+### Using external Vault
+
+If you want to use external Vault, set `vault.enabled=false` and create `values-external-vault.yaml` with below yaml configuration
+
+```yaml
+vault:
+ enabled: false
+
+global:
+ vault:
+ host: vault_url
+ port: vault_port
+ token: vault_token
+ ## Set Vault token using existing secret
+ # existingSecret: vault-secret
+```
+
+If you store external Vault token in a pre-existing Kubernetes Secret, you can specify it via `existingSecret`.
+
+To create a secret containing the Vault token:
+
+```bash
+kubectl create secret generic vault-secret --from-literal=token=${VAULT_TOKEN}
+```
+
+```bash
+helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f values-external-vault.yaml
+```
+
+### Status
+
+See the status of deployed **helm** release:
+
+With Helm v2:
+
+```bash
+helm status pipelines
+```
+
+With Helm v3:
+
+```bash
+helm status pipelines --namespace pipelines
+```
+
+### Pipelines Version
+- By default, the pipelines images will use the value `appVersion` in the Chart.yml. This can be over-ridden by adding `version` to the pipelines section of the values.yml
+
+### Build Plane
+
+#### Build Plane with static and dynamic node-pool VMs
+
+To start using Pipelines you need to setup a Build Plane:
+- For Static VMs Node-pool setup, please read [Managing Node Pools](https://www.jfrog.com/confluence/display/JFROG/Managing+Pipelines+Node+Pools#ManagingPipelinesNodePools-static-node-poolsAdministeringStaticNodePools).
+
+- For Dynamic VMs Node-pool setup, please read [Managing Dynamic Node Pools](https://www.jfrog.com/confluence/display/JFROG/Managing+Pipelines+Node+Pools#ManagingPipelinesNodePools-dynamic-node-poolsAdministeringDynamicNodePools).
+
+- For Kubernetes Node-pool setup, please read [Managing Dynamic Node Pools](https://www.jfrog.com/confluence/display/JFROG/Managing+Pipelines+Node+Pools#ManagingPipelinesNodePools-dynamic-node-poolsAdministeringDynamicNodePools).
+
+## Useful links
+
+- https://www.jfrog.com/confluence/display/JFROG/Pipelines+Quickstart
+- https://www.jfrog.com/confluence/display/JFROG/Using+Pipelines
+- https://www.jfrog.com/confluence/display/JFROG/Managing+Runtimes
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/.helmignore b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/CHANGELOG.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/CHANGELOG.md
new file mode 100644
index 0000000..aa04dc2
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/CHANGELOG.md
@@ -0,0 +1,176 @@
+# JFrog Pipelines Chart Changelog
+All changes to this chart to be documented in this file
+
+## [1.5.4] Oct 8, 2020
+* Changed customInitBeginContainer to customInitContainerBegin to match other charts
+* Added examples in values.yaml for .Values.pipelines.customInitContainerBegin
+
+## [1.5.3] Oct 7, 2020
+* Adding custom init begin container to pipelines statefulset and vault statefulset
+* Moved custom init container in vault statefulset from first to last position
+
+## [1.5.2] Oct 5, 2020
+* increasing liveness and readiness probe settings for api and www
+* source above configs from values.yaml
+
+## [1.5.1] Oct 5, 2020
+* adding a healthcheck configuration within pipelines chart for artifactory
+
+## [1.5.0] Oct 1, 2020
+* Pipelines v1.8.0
+* Added support for resources in init containers
+
+## [1.4.9] September 30, 2020
+* Supports router configuration to set internal artifactory endpoint for saas
+
+## [1.4.8] September 29, 2020
+* Hardcodes routers refresh interval for pipelines
+
+## [1.4.7] September 25, 2020
+* Changed init container to use linux capabilities CAP_CHOWN instead of runAsUser: 0
+
+## [1.4.6] September 23, 2020
+* Escalated privileges to init container only for pipelines-installer to work with pipelines images as non-root based for Openshift.
+
+## [1.4.5] September 18, 2020
+* Removed external Vault support as Pipelines does not support external vault until version 1.9.0
+* Added disablemlock flag to enable users to set to false for production grade system security requirements.
+
+## [1.4.4] September 17, 2020
+* Change jfrogUrl and jfrogUrlUI default values
+* Rename ci/test-values.yaml to ci/default-values.yaml
+
+## [1.4.3] September 2, 2020
+* Add external Vault support
+
+## [1.4.2] - August 27, 2020
+* Adds support for making api rabbitmq health check interval configurable
+* Cleanup system.yaml
+* Add RBAC rules for Pipelines Statefulset
+
+## [1.4.1] - August 19, 2020
+* Add support for external rabbitmq and redis
+
+## [1.4.0] - Aug 8, 2020
+* Pipelines v1.7.2
+* Adds support for k8s build plane config
+* Adds support for ssl enabled postgresql
+* Support an existing secret for buildPlanes
+* Add checksum for all secrets and configmaps
+
+## [1.3.11] - August 6, 2020
+* Fix external PG port
+
+## [1.3.10] - August 5, 2020
+* have controlplane and buildplane pull versions from global version override as specified in 1.3.7
+
+## [1.3.9] - July 31, 2020
+* Added support for customVolumes, configMaps and customInitcontainers for Vault
+* Added tpl for resolving jfrogUrl
+
+## [1.3.8] - July 30, 2020
+* Fix customSideCar container bug for configMaps
+
+## [1.3.7] - July 29, 2020
+* Allow overriding default version of pipelines tags with a single value in values.yml
+* add `# version:` to pipelines:
+
+## [1.3.6] - Jul 23, 2020
+* Added support for customSidecarContainers, customVolumes, customInitcontainers and configMaps
+* Update alpine version to 3.12
+
+## [1.3.5] - July 20th, 2020
+* Remove 'NodeType' option from pipelines-services-headless
+
+## [1.3.4] - July 6th, 2020
+* Fixes callHomeUrl
+
+## [1.3.3] - June 30th, 2020
+* Pipelines v1.6.2
+
+## [1.3.2] - June 30, 2020
+* Enable extensionSync microservice
+
+## [1.3.1] - June 29, 2020
+* Pipelines v1.6.1
+
+## [1.3.0] - June 25, 2020
+* Pipelines v1.6.0
+* Adds a new configuration accessControlAllowOrigins
+* Use ChartCenter as helm repo
+
+## [1.2.0] - June 2, 2020
+* Pipelines v1.5.1
+* Update Postgres image to 9.6.18-debian-10-r7
+* Disable Vault HA
+* Bump alpine to v3.11
+
+## [1.1.5] - May 13, 2020
+* Pipelines v1.4.7
+
+## [1.1.4] - April 30, 2020
+* In readme fix helm template examples
+
+## [1.1.3] - April 23, 2020
+* Fix filebeat resources
+
+## [1.1.2] - April 23, 2020
+* Pipelines v1.4.6
+* Removes subnetId and nat fields from buildplane config which are not supported from 1.4.x
+
+## [1.1.1] - April 16, 2020
+* Hardcode docker.bintray.io for build images
+
+## [1.1.0] - April 15, 2020
+* Pipelines v1.4.2
+* Remove experimental k8s build plane support
+
+## [1.0.36] - April 9, 2020
+* Bump Redis chart to 10.6.3
+* Bump RabbitMQ chart to 6.25.0
+* Bump PostgreSQL chart to 8.7.3
+* Bump Vault version to 1.3.4
+* Fix k8s node compute resources
+
+## [1.0.35] - April 3, 2020
+* Update readme
+* Disable Pipelines StatefulSet replicas if HPA is enabled
+
+## [1.0.34] - March 24, 2020
+* Update docs urls
+* Fix filebeat compute resources
+
+## [1.0.33] - March 24, 2020
+* Add HPA for Pipelines services statefulset
+* Add Runtime Override
+
+## [1.0.32] - March 19, 2020
+* Pipelines v1.3.3
+
+## [1.0.31] - Mar 17, 2020
+* Changed all single quotes to double quotes in values files
+
+## [1.0.30] - Mar 11, 2020
+* Unified charts public release
+
+## [1.0.29] - March 10, 2020
+* Fix CI test
+
+## [1.0.28] - March 10, 2020
+* Add CI test
+
+## [1.0.27] - March 5, 2020
+* Pipelines v1.3.2
+* Bump Postgres to v9.6.17-debian-10-r21
+* Update readme with `joinKey` instructions
+
+## [1.0.26] - March 1, 2020
+* Pipelines v1.3.1
+
+## [1.0.25] - Feb 27, 2020
+* Initial public release
+
+## [1.0.24] - Feb 26, 2020
+* Bump Redis chart to 10.5.6
+* Bump RabbitMQ chart to 6.17.5
+* Bump PostgreSQL chart to 8.4.2
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/Chart.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/Chart.yaml
new file mode 100644
index 0000000..ff2a6aa
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+appVersion: 1.8.0
+description: A Helm chart for JFrog Pipelines
+home: https://jfrog.com/pipelines/
+icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/pipelines/icon/pipelines-logo.png
+keywords:
+- pipelines
+- jfrog
+- devops
+maintainers:
+- email: rimasm@jfrog.com
+ name: rimusz
+- email: daniele@jfrog.com
+ name: danielezer
+- email: eldada@jfrog.com
+ name: eldada
+name: pipelines
+sources:
+- https://github.com/jfrog/charts/pipelines
+- https://bintray.com/jfrog/pipelines
+version: 1.5.4
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/LICENSE b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/LICENSE
new file mode 100644
index 0000000..20a5aea
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/LICENSE
@@ -0,0 +1,202 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright {yyyy} {name of copyright owner}
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
\ No newline at end of file
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/OWNERS b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/OWNERS
new file mode 100644
index 0000000..2537d62
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- rimusz
+- danielezer
+- eldada
+reviewers:
+- rimusz
+- danielezer
+- eldada
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/README.md
new file mode 100644
index 0000000..a326b8c
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/README.md 
@@ -0,0 +1,220 @@
+# JFrog Pipelines on Kubernetes Helm Chart
+
+[JFrog Pipelines](https://jfrog.com/pipelines/)
+
+## Prerequisites Details
+
+* Kubernetes 1.12+
+
+## Chart Details
+
+This chart will do the following:
+
+- Deploy PostgreSQL (optionally with an external PostgreSQL instance)
+- Deploy RabbitMQ (optionally as an HA cluster)
+- Deploy Redis (optionally as an HA cluster)
+- Deploy Vault (optionally as an HA cluster)
+- Deploy JFrog Pipelines
+
+## Requirements
+
+- A running Kubernetes cluster
+ - Dynamic storage provisioning enabled
+ - Default StorageClass set to allow services using the default StorageClass for persistent storage
+- A running Artifactory 7.7.x with Enterprise+ License
+ - Precreated repository `jfrogpipelines` in Artifactory type `Generic` with layout `maven-2-default`
+- [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed and setup to use the cluster
+- [Helm](https://helm.sh/) v2 or v3 installed
+
+
+## Install JFrog Pipelines
+
+### Add ChartCenter Helm repository
+
+Before installing JFrog helm charts, you need to add the [ChartCenter helm repository](https://chartcenter.io) to your helm client
+
+```bash
+helm repo add center https://repo.chartcenter.io
+helm repo update
+```
+
+### Artifactory Connection Details
+
+In order to connect Pipelines to your Artifactory installation, you have to use a Join Key, hence it is *MANDATORY* to provide a Join Key and Jfrog Url to your Pipelines installation. Here's how you do that:
+
+Retrieve the connection details of your Artifactory installation, from the UI - https://www.jfrog.com/confluence/display/JFROG/General+Security+Settings#GeneralSecuritySettings-ViewingtheJoinKey.
+
+### Install Pipelines Chart with Ingress
+
+#### Pre-requisites
+
+Before deploying Pipelines you need to have the following
+- A running Kubernetes cluster
+- An [Artifactory ](https://hub.helm.sh/charts/jfrog/artifactory) or [Artifactory HA](https://hub.helm.sh/charts/jfrog/artifactory-ha) with Enterprise+ License
+ - Precreated repository `jfrogpipelines` in Artifactiry type `Generic` with layout `maven-2-default`
+- Deployed [Nginx-ingress controller](https://hub.helm.sh/charts/stable/nginx-ingress)
+- [Optional] Deployed [Cert-manager](https://hub.helm.sh/charts/jetstack/cert-manager) for automatic management of TLS certificates with [Lets Encrypt](https://letsencrypt.org/)
+- [Optional] TLS secret needed for https access
+
+#### Prepare configurations
+
+Fetch the JFrog Pipelines helm chart to get the needed configuration files
+
+```bash
+helm fetch center/jfrog/pipelines --untar
+```
+
+Edit local copies of `values-ingress.yaml`, `values-ingress-passwords.yaml` and `values-ingress-external-secret.yaml` with the needed configuration values
+
+- URLs in `values-ingress.yaml`
+ - Artifactory URL
+ - Ingress hosts
+ - Ingress tls secrets
+- Passwords `uiUserPassword`, `postgresqlPassword` and `rabbitmq.password` must be set, and same for `masterKey` and `joinKey` in `values-ingress-passwords.yaml`
+
+#### Install JFrog Pipelines
+
+Install JFrog Pipelines
+
+```bash
+kubectl create ns pipelines
+helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f pipelines/values-ingress.yaml -f pipelines/values-ingress-passwords.yaml
+```
+
+### Use external secret
+
+**Note:** Best practice is to use external secrets instead of storing passwords in `values.yaml` files.
+
+Don't forget to **update** URLs in `values-ingress-external-secret.yaml` file.
+
+Fill in all required passwords, `masterKey` and `joinKey` in `values-ingress-passwords.yaml` and then create and install the external secret.
+
+**Note:** Helm release name for secrets generation and `helm install` must be set the same, in this case it is `pipelines`.
+
+With Helm v2:
+
+```bash
+## Generate pipelines-system-yaml secret
+helm template --name-template pipelines pipelines/ -x templates/pipelines-system-yaml.yaml \
+ -f pipelines/values-ingress-external-secret.yaml -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-database secret
+helm template --name-template pipelines pipelines/ -x templates/database-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-rabbitmq-secret secret
+helm template --name-template pipelines pipelines/ -x templates/rabbitmq-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+```
+
+With Helm v3:
+
+```bash
+## Generate pipelines-system-yaml secret
+helm template --name-template pipelines pipelines/ -s templates/pipelines-system-yaml.yaml \
+ -f pipelines/values-ingress-external-secret.yaml -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-database secret
+helm template --name-template pipelines pipelines/ -s templates/database-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+
+## Generate pipelines-rabbitmq-secret secret
+helm template --name-template pipelines pipelines/ -s templates/rabbitmq-secret.yaml \
+ -f pipelines/values-ingress-passwords.yaml | kubectl apply --namespace pipelines -f -
+```
+
+Install JFrog Pipelines:
+
+```bash
+helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f values-ingress-external-secret.yaml
+```
+
+### Using external Rabbitmq
+
+If you want to use external Rabbitmq, set `rabbitmq.enabled=false` and create `values-external-rabbitmq.yaml` with below yaml configuration
+
+```yaml
+rabbitmq:
+ enabled: false
+ internal_ip: "{{ .Release.Name }}-rabbitmq"
+ msg_hostname: "{{ .Release.Name }}-rabbitmq"
+ port: 5672
+ manager_port: 15672
+ ms_username: admin
+ ms_password: password
+ cp_username: admin
+ cp_password: password
+ build_username: admin
+ build_password: password
+ root_vhost_exchange_name: rootvhost
+ erlang_cookie: secretcookie
+ build_vhost_name: pipelines
+ root_vhost_name: pipelinesRoot
+ protocol: amqp
+```
+
+```bash
+helm upgrade --install pipelines --namespace pipelines center/jfrog/pipelines -f values-external-rabbitmq.yaml
+```
+
+### Using Vault in Production environments
+To use vault securely you must set the disablemlock setting in the values.yaml to false as per the Hashicorp Vault recommendations here:
+
+https://www.vaultproject.io/docs/configuration#disable_mlock
+
+For non-prod environments it is acceptable to leave this value set to true.
+
+Note however this does enable a potential security issue where encrypted credentials could potentially be swapped onto an unencrypted disk.
+
+For this reason we recommend you always set this value to false to ensure mlock is enabled.
+
+Non-Prod environments:
+
+````
+vault:
+ disablemlock: true
+````
+
+Production environments:
+
+````
+vault:
+ disablemlock: false
+````
+
+### Status
+
+See the status of deployed **helm** release:
+
+With Helm v2:
+
+```bash
+helm status pipelines
+```
+
+With Helm v3:
+
+```bash
+helm status pipelines --namespace pipelines
+```
+
+### Pipelines Version
+- By default, the pipelines images will use the value `appVersion` in the Chart.yml. This can be over-ridden by adding `version` to the pipelines section of the values.yml
+
+### Build Plane
+
+#### Build Plane with static and dynamic node-pool VMs
+
+To start using Pipelines you need to setup a Build Plane:
+- For Static VMs Node-pool setup, please read [Managing Node Pools](https://www.jfrog.com/confluence/display/JFROG/Managing+Pipelines+Node+Pools#ManagingPipelinesNodePools-static-node-poolsAdministeringStaticNodePools).
+
+- For Dynamic VMs Node-pool setup, please read [Managing Dynamic Node Pools](https://www.jfrog.com/confluence/display/JFROG/Managing+Pipelines+Node+Pools#ManagingPipelinesNodePools-dynamic-node-poolsAdministeringDynamicNodePools).
+
+- For Kubernetes Node-pool setup, please read [Managing Dynamic Node Pools](https://www.jfrog.com/confluence/display/JFROG/Managing+Pipelines+Node+Pools#ManagingPipelinesNodePools-dynamic-node-poolsAdministeringDynamicNodePools).
+
+
+## Useful links
+
+- https://www.jfrog.com/confluence/display/JFROG/Pipelines+Quickstart
+- https://www.jfrog.com/confluence/display/JFROG/Using+Pipelines
+- https://www.jfrog.com/confluence/display/JFROG/Managing+Runtimes
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/.helmignore b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/Chart.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/Chart.yaml
new file mode 100644
index 0000000..a61a09f
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+appVersion: 11.7.0
+description: Chart for PostgreSQL, an object-relational database management system
+ (ORDBMS) with an emphasis on extensibility and on standards-compliance.
+home: https://www.postgresql.org/
+icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png
+keywords:
+- postgresql
+- postgres
+- database
+- sql
+- replication
+- cluster
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+- email: cedric@desaintmartin.fr
+ name: desaintmartin
+name: postgresql
+sources:
+- https://github.com/bitnami/bitnami-docker-postgresql
+version: 8.7.3
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/README.md
new file mode 100644
index 0000000..c2b848a
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/README.md
@@ -0,0 +1,576 @@
+# PostgreSQL
+
+[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance.
+
+For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha)
+
+## TL;DR;
+
+```console
+$ helm repo add bitnami https://charts.bitnami.com/bitnami
+$ helm install my-release bitnami/postgresql
+```
+
+## Introduction
+
+This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).
+
+## Prerequisites
+
+- Kubernetes 1.12+
+- Helm 2.11+ or Helm 3.0-beta3+
+- PV provisioner support in the underlying infrastructure
+
+## Installing the Chart
+To install the chart with the release name `my-release`:
+
+```console
+$ helm install my-release bitnami/postgresql
+```
+
+The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+The following tables lists the configurable parameters of the PostgreSQL chart and their default values.
+
+| Parameter | Description | Default |
+|-----------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|
+| `global.imageRegistry` | Global Docker Image registry | `nil` |
+| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` |
+| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` |
+| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` |
+| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` |
+| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` |
+| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
+| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
+| `image.registry` | PostgreSQL Image registry | `docker.io` |
+| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` |
+| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` |
+| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
+| `image.debug` | Specify if debug values should be set | `false` |
+| `nameOverride` | String to partially override postgresql.fullname template with a string (will prepend the release name) | `nil` |
+| `fullnameOverride` | String to fully override postgresql.fullname template with a string | `nil` |
+| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
+| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
+| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
+| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
+| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
+| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | `0` |
+| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` |
+| `ldap.enabled` | Enable LDAP support | `false` |
+| `ldap.existingSecret` | Name of existing secret to use for LDAP passwords | `nil` |
+| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]` | `nil` |
+| `ldap.server` | IP address or name of the LDAP server. | `nil` |
+| `ldap.port` | Port number on the LDAP server to connect to | `nil` |
+| `ldap.scheme` | Set to `ldaps` to use LDAPS. | `nil` |
+| `ldap.tls` | Set to `1` to use TLS encryption | `nil` |
+| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `nil` |
+| `ldap.suffix` | String to append to the user name when forming the DN to bind | `nil` |
+| `ldap.search_attr` | Attribute to match agains the user name in the search | `nil` |
+| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `nil` |
+| `ldap.baseDN` | Root DN to begin the search for the user in | `nil` |
+| `ldap.bindDN` | DN of user to bind to LDAP | `nil` |
+| `ldap.bind_password` | Password for the user to bind to LDAP | `nil` |
+| `replication.enabled` | Enable replication | `false` |
+| `replication.user` | Replication user | `repl_user` |
+| `replication.password` | Replication user password | `repl_password` |
+| `replication.slaveReplicas` | Number of slaves replicas | `1` |
+| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
+| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` |
+| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
+| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-postgres-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` |
+| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) | _random 10 character alphanumeric string_ |
+| `postgresqlUsername` | PostgreSQL admin user | `postgres` |
+| `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ |
+| `postgresqlDatabase` | PostgreSQL database | `nil` |
+| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) |
+| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` |
+| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `nil` |
+| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` |
+| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` |
+| `postgresqlConfiguration` | Runtime Config Parameters | `nil` |
+| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` |
+| `pgHbaConfiguration` | Content of pg_hba.conf | `nil (do not create pg_hba.conf)` |
+| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` |
+| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` |
+| `initdbScripts` | Dictionary of initdb scripts | `nil` |
+| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` |
+| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` |
+| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` |
+| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` |
+| `service.type` | Kubernetes Service type | `ClusterIP` |
+| `service.port` | PostgreSQL port | `5432` |
+| `service.nodePort` | Kubernetes Service nodePort | `nil` |
+| `service.annotations` | Annotations for PostgreSQL service | `{}` (evaluated as a template) |
+| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` |
+| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | `[]` (evaluated as a template) |
+| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` |
+| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for master and slave(s) Pod(s) | `true` |
+| `shmVolume.chmod.enabled` | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`) | `true` |
+| `persistence.enabled` | Enable persistence using PVC | `true` |
+| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` |
+| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` |
+| `persistence.subPath` | Subdirectory of the volume to mount at | `""` |
+| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` |
+| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` |
+| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
+| `persistence.annotations` | Annotations for the PVC | `{}` |
+| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` |
+| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` |
+| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` |
+| `master.anotations` | Map of annotations to add to the statefulset (postgresql master) | `{}` |
+| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` |
+| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` |
+| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` |
+| `master.priorityClassName` | Priority Class to use for each pod (postgresql master) | `nil` |
+| `master.extraInitContainers` | Additional init containers to add to the pods (postgresql master) | `[]` |
+| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` |
+| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` |
+| `master.sidecars` | Add additional containers to the pod | `[]` |
+| `master.service.type` | Allows using a different service type for Master | `nil` |
+| `master.service.nodePort` | Allows using a different nodePort for Master | `nil` |
+| `master.service.clusterIP` | Allows using a different clusterIP for Master | `nil` |
+| `slave.nodeSelector` | Node labels for pod assignment (postgresql slave) | `{}` |
+| `slave.affinity` | Affinity labels for pod assignment (postgresql slave) | `{}` |
+| `slave.tolerations` | Toleration labels for pod assignment (postgresql slave) | `[]` |
+| `slave.anotations` | Map of annotations to add to the statefulsets (postgresql slave) | `{}` |
+| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` |
+| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` |
+| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` |
+| `slave.priorityClassName` | Priority Class to use for each pod (postgresql slave) | `nil` |
+| `slave.extraInitContainers` | Additional init containers to add to the pods (postgresql slave) | `[]` |
+| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` |
+| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` |
+| `slave.sidecars` | Add additional containers to the pod | `[]` |
+| `slave.service.type` | Allows using a different service type for Slave | `nil` |
+| `slave.service.nodePort` | Allows using a different nodePort for Slave | `nil` |
+| `slave.service.clusterIP` | Allows using a different clusterIP for Slave | `nil` |
+| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` |
+| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` |
+| `securityContext.enabled` | Enable security context | `true` |
+| `securityContext.fsGroup` | Group ID for the container | `1001` |
+| `securityContext.runAsUser` | User ID for the container | `1001` |
+| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` |
+| `serviceAcccount.name` | Name of existing service account | `nil` |
+| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` |
+| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
+| `networkPolicy.allowExternal` |
Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | +| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| 6 | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | +| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | +| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | +| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql | +| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. 
| `[]` | +| `metrics.image.registry` | PostgreSQL Image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Image name | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `metrics.customMetrics` | Additional custom metrics | `nil` | +| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | +| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | +| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | +| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| 6 | +| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release \ + --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ + bitnami/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release -f values.yaml bitnami/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Production configuration and horizontal scaling + +This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. 
+ +- Enable replication: +```diff +- replication.enabled: false ++ replication.enabled: true +``` + +- Number of slaves replicas: +```diff +- replication.slaveReplicas: 1 ++ replication.slaveReplicas: 2 +``` + +- Set synchronous commit mode: +```diff +- replication.synchronousCommit: "off" ++ replication.synchronousCommit: "on" +``` + +- Number of replicas that will have synchronous replication: +```diff +- replication.numSynchronousReplicas: 0 ++ replication.numSynchronousReplicas: 1 +``` + +- Start a prometheus exporter: +```diff +- metrics.enabled: false ++ metrics.enabled: true +``` + +To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above. + +### Customizing Master and Slave services in a replicated configuration + +At the top level, there is a service object which defines the services for both master and slave. For deeper customization, there are service objects for both the master and slave types individually. This allows you to override the values in the top level service object so that the master and slave can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the master and slave to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the master.service or slave.service objects will take precedence over the top level service object. + +### Change PostgreSQL version + +To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0` + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the whole configuration file. + +Add your custom file to "files/postgresql.conf" in your working directory. 
This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. + +Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. + +### Allow settings to be loaded from files other than the default `postgresql.conf` + +If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. +Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. + +Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. 
If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL master +master: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +slave: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. 
+ +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.postgresqlPassword=testtest +subchart1.postgresql.postgresqlPassword=testtest +subchart2.postgresql.postgresqlPassword=testtest +postgresql.postgresqlDatabase=db1 +subchart1.postgresql.postgresqlDatabase=db1 +subchart2.postgresql.postgresqlDatabase=db1 +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.postgresqlPassword=testtest +global.postgresql.postgresqlDatabase=db1 +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. 
+ +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. 
A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,shmVolume.chmod.enabled=false + +### Deploy chart using Docker Official PostgreSQL Image + +From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. +Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. + +``` +image.repository=postgres +image.tag=10.6 +postgresqlDataDir=/data/pgdata +persistence.mountPath=/data/ +``` + +## Upgrade + +It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: + +```bash +$ helm upgrade my-release stable/postgresql \ + --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ + --set replication.password=[REPLICATION_PASSWORD] +``` + +> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. + +## 8.0.0 + +Prefixes the port names with their protocols to comply with Istio conventions. + +If you depend on the port names in your setup, make sure to update them to reflect this change. + +## 7.1.0 + +Adds support for LDAP configuration. + +## 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. 
Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +## 6.5.7 + +In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies: + +- protobuf +- protobuf-c +- json-c +- geos +- proj + +## 5.0.0 + +In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). + +For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: + +```console +Welcome to the Bitnami postgresql container +Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql +Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues +Send us your feedback at containers@bitnami.com + +INFO ==> ** Starting PostgreSQL setup ** +NFO ==> Validating settings in POSTGRESQL_* env vars.. +INFO ==> Initializing PostgreSQL database... +INFO ==> postgresql.conf file not detected. Generating it... +INFO ==> pg_hba.conf file not detected. Generating it... +INFO ==> Deploying PostgreSQL with persisted data... 
+INFO ==> Configuring replication parameters +INFO ==> Loading custom scripts... +INFO ==> Enabling remote connections +INFO ==> Stopping PostgreSQL... +INFO ==> ** PostgreSQL setup finished! ** + +INFO ==> ** Starting PostgreSQL ** + [1] FATAL: database files are incompatible with server + [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. +``` + +In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. + +### 4.0.0 + +This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. + +IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error + +``` +The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development +``` + +### 3.0.0 + +This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. +It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. + +#### Breaking changes + +- `affinty` has been renamed to `master.affinity` and `slave.affinity`. +- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. 
+- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. + +### 2.0.0 + +In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: + + - Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running + +```console +$ kubectl get svc +``` + +- Install (not upgrade) the new version + +```console +$ helm repo update +$ helm install my-release bitnami/postgresql +``` + +- Connect to the new pod (you can obtain the name by running `kubectl get pods`): + +```console +$ kubectl exec -it NAME bash +``` + +- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: + +```console +$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql +``` + +After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). +This operation could take some time depending on the database size. + +- Once you have the backup file, you can restore it with a command like the one below: + +```console +$ psql -U postgres DATABASE_NAME < /tmp/backup.sql +``` + +In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). + +If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. + +```console +$ psql -U postgres +postgres=# drop database DATABASE_NAME; +postgres=# create database DATABASE_NAME; +postgres=# create user USER_NAME; +postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; +postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; +postgres=# alter database DATABASE_NAME owner to USER_NAME; +``` 
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/default-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/default-values.yaml
new file mode 100644
index 0000000..fc2ba60
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/default-values.yaml
@@ -0,0 +1 @@
+# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/shmvolume-disabled-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/shmvolume-disabled-values.yaml
new file mode 100644
index 0000000..347d3b4
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/ci/shmvolume-disabled-values.yaml
@@ -0,0 +1,2 @@
+shmVolume:
+ enabled: false
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/README.md
new file mode 100644
index 0000000..1813a2f
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/README.md
@@ -0,0 +1 @@
+Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map.
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/conf.d/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/conf.d/README.md
new file mode 100644
index 0000000..184c187
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/conf.d/README.md
@@ -0,0 +1,4 @@
+If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files.
+These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`.
+
+More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file).
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/docker-entrypoint-initdb.d/README.md
new file mode 100644
index 0000000..cba3809
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/files/docker-entrypoint-initdb.d/README.md
@@ -0,0 +1,3 @@
+You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image.
+
+More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository.
\ No newline at end of file
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/NOTES.txt b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/NOTES.txt
new file mode 100644
index 0000000..3b5e6c6
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/NOTES.txt
@@ -0,0 +1,60 @@ +** Please be patient while the chart is being deployed ** + +PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: + + {{ template "postgresql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection +{{- if .Values.replication.enabled }} + {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection +{{- end }} + +{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode) +{{- end }} + +To get the password for "{{ template "postgresql.username" . }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) + +To connect to your database run the following command: + + kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . 
}}-client=true" will be able to connect to this PostgreSQL cluster. +{{- end }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }}) + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & + {{ if (include "postgresql.password" . 
) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{- end }} + +{{- include "postgresql.validateValues" . -}} + +{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} + +WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ + +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/_helpers.tpl b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 0000000..7084348 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/_helpers.tpl 
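Review bot: The printed `kubectl run ... --env="PGPASSWORD=$POSTGRES_PASSWORD"` command in templates/NOTES.txt places the database password in the client pod's spec, where it is readable by anyone allowed to get pods in the namespace for as long as that pod exists; the notes should say so, or tell the user to type the password at the psql prompt instead. The connection commands use `-U {{ .Values.postgresqlUsername }}` while the password section uses the `postgresql.username` helper, so with `global.postgresql.postgresqlUsername` set the printed user does not match the account the Secret belongs to; `-U {{ template "postgresql.username" . }}` keeps them consistent. The NetworkPolicy sentence also has an unbalanced quote after `-client=true`.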
@@ -0,0 +1,420 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "postgresql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.master.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} +{{- if .Values.replication.enabled -}} +{{- printf "%s-%s" $fullname "master" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "postgresql.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"extensions/v1beta1" +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"networking.k8s.io/v1" +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. 
+*/}} +{{- define "postgresql.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL postgres user password +*/}} +{{- define "postgresql.postgres.password" -}} +{{- if .Values.global.postgresql.postgresqlPostgresPassword }} + {{- .Values.global.postgresql.postgresqlPostgresPassword -}} +{{- else if .Values.postgresqlPostgresPassword -}} + {{- .Values.postgresqlPostgresPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.postgresql.postgresqlPassword }} + {{- .Values.global.postgresql.postgresqlPassword -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication password +*/}} +{{- define "postgresql.replication.password" -}} +{{- if .Values.global.postgresql.replicationPassword }} + {{- .Values.global.postgresql.replicationPassword -}} +{{- else if .Values.replication.password -}} + {{- 
.Values.replication.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.postgresqlUsername }} + {{- .Values.global.postgresql.postgresqlUsername -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + + +{{/* +Return PostgreSQL replication username +*/}} +{{- define "postgresql.replication.username" -}} +{{- if .Values.global.postgresql.replicationUser }} + {{- .Values.global.postgresql.replicationUser -}} +{{- else -}} + {{- .Values.replication.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL port +*/}} +{{- define "postgresql.port" -}} +{{- if .Values.global.postgresql.servicePort }} + {{- .Values.global.postgresql.servicePort -}} +{{- else -}} + {{- .Values.service.port -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL created database +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.postgresqlDatabase }} + {{- .Values.global.postgresql.postgresqlDatabase -}} +{{- else if .Values.postgresqlDatabase -}} + {{- .Values.postgresqlDatabase -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name to change the volume permissions +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{- $registryName := .Values.volumePermissions.image.registry -}} +{{- $repositoryName := .Values.volumePermissions.image.repository -}} +{{- $tag := .Values.volumePermissions.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. 
+Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{- $registryName := default "docker.io" .Values.metrics.image.registry -}} +{{- $repositoryName := .Values.metrics.image.repository -}} +{{- $tag := default "latest" .Values.metrics.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}} +{{- else if .Values.existingSecret -}} + {{- printf "%s" (tpl .Values.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "postgresql.fullname" .) 
-}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if .Values.global.postgresql.existingSecret }} +{{- else if .Values.existingSecret -}} +{{- else -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the configuration ConfigMap name. +*/}} +{{- define "postgresql.configurationCM" -}} +{{- if .Values.configurationConfigMap -}} +{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} +{{- else -}} +{{- printf "%s-configuration" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the extended configuration ConfigMap name. +*/}} +{{- define "postgresql.extendedConfigurationCM" -}} +{{- if .Values.extendedConfConfigMap -}} +{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} +{{- else -}} +{{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts Secret name. +*/}} +{{- define "postgresql.initdbScriptsSecret" -}} +{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} +{{- end -}} + +{{/* +Get the metrics ConfigMap name. +*/}} +{{- define "postgresql.metricsCM" -}} +{{- printf "%s-metrics" (include "postgresql.fullname" .) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. 
+Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- else }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Return the proper Storage Class +*/}} +{{- define "postgresql.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. 
+*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "postgresql.tplValue" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "postgresql.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1beta2" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) 
-}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/configmap.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/configmap.yaml new file mode 100644 index 0000000..d2178c0 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/configmap.yaml 
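Review bot: `postgresql.metrics.image` in templates/_helpers.tpl falls back to `docker.io` and the `latest` tag when `metrics.image.registry` or `metrics.image.tag` is unset, so the exporter image can change between pulls with no chart change, which is the rolling-tag situation NOTES.txt warns about for the main image. Requiring the tag is safer: `{{- $tag := required "metrics.image.tag must be set" .Values.metrics.image.tag | toString -}}`. Separately, the password, username, port, database and secret-name helpers read `.Values.global.postgresql.*` without the `{{- if .Values.global }}` guard that the image helpers use; rendering presumably fails with a nil-pointer error when a parent chart does not define `global.postgresql`, so either guard them the same way or add a comment stating that values.yaml must provide that key.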
@@ -0,0 +1,26 @@ +{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-configuration + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: +{{- if (.Files.Glob "files/postgresql.conf") }} +{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} +{{- else if .Values.postgresqlConfiguration }} + postgresql.conf: | +{{- range $key, $value := default dict .Values.postgresqlConfiguration }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- if (.Files.Glob "files/pg_hba.conf") }} +{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} +{{- else if .Values.pgHbaConfiguration }} + pg_hba.conf: | +{{ .Values.pgHbaConfiguration | indent 4 }} +{{- end }} +{{ end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/extended-config-configmap.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/extended-config-configmap.yaml new file mode 100644 index 0000000..8a41195 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/extended-config-configmap.yaml 
@@ -0,0 +1,21 @@ +{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-extended-configuration + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: +{{- with .Files.Glob "files/conf.d/*.conf" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{ with .Values.postgresqlExtendedConf }} + override.conf: | +{{- range $key, $value := . }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/initialization-configmap.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/initialization-configmap.yaml new file mode 100644 index 0000000..8eb5e05 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/initialization-configmap.yaml 
@@ -0,0 +1,24 @@ +{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.fullname" . }}-init-scripts + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{- with .Values.initdbScripts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-configmap.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-configmap.yaml new file mode 100644 index 0000000..524aa2f --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-configmap.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.metricsCM" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} 
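Review bot: In templates/initialization-configmap.yaml, everything under `initdbScripts` and `files/docker-entrypoint-initdb.d/` is rendered into a ConfigMap, which is not treated as sensitive and is readable by any subject with get on configmaps in the namespace. Init scripts often hold statements such as role creation with a password, so the template should carry a comment pointing to the Secret-based path, for example `{{/* Scripts that contain credentials belong in initdbScriptsSecret, not in this ConfigMap */}}` at the top of the file. The `postgresql.initdbScriptsSecret` helper in _helpers.tpl suggests that path exists; where it is mounted is outside the visible hunks.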
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-svc.yaml new file mode 100644 index 0000000..c610f09 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/metrics-svc.yaml @@ -0,0 +1,26 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }}-metrics + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + annotations: +{{ toYaml .Values.metrics.service.annotations | indent 4 }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: http-metrics + port: 9187 + targetPort: http-metrics + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name }} + role: master +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/networkpolicy.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/networkpolicy.yaml new file mode 100644 index 0000000..ea1fc9b --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/networkpolicy.yaml 
@@ -0,0 +1,38 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +spec: + podSelector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + ingress: + # Allow inbound connections + - ports: + - port: {{ template "postgresql.port" . }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "postgresql.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.explicitNamespacesSelector }} + namespaceSelector: +{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} + {{- end }} + - podSelector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: slave + {{- end }} + # Allow prometheus scrapes + - ports: + - port: 9187 +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/prometheusrule.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 0000000..44f1242 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/prometheusrule.yaml 
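Review bot: The second ingress rule in templates/networkpolicy.yaml (`# Allow prometheus scrapes`, port 9187) has no `from` clause and is not conditional, so it admits every source to the exporter port even when `networkPolicy.allowExternal` is false, and it is rendered even when `metrics.enabled` is false. Wrap the rule in `{{- if .Values.metrics.enabled }}` and `{{- end }}`, and when `allowExternal` is false give it a `from` selector limited to the monitoring pods or namespace. As written, enabling the policy restricts the database port but leaves the metrics port open to the whole cluster network.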
@@ -0,0 +1,23 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "postgresql.fullname" . }} +{{- with .Values.metrics.prometheusRule.namespace }} + namespace: {{ . }} +{{- end }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.metrics.prometheusRule.additionalLabels }} +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "postgresql.name" $ }} + rules: {{ tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/secrets.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/secrets.yaml new file mode 100644 index 0000000..094d18b --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/secrets.yaml 
@@ -0,0 +1,23 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +type: Opaque +data: + {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }} + postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }} + {{- end }} + postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} + {{- if .Values.replication.enabled }} + postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} + {{- end }} + {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}} + postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/serviceaccount.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 0000000..27e5b51 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "postgresql.fullname" . }} +{{- end }} \ No newline at end of file 
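Review bot: In templates/secrets.yaml, `postgresql-password` and `postgresql-replication-password` come from helpers that fall back to `randAlphaNum 10`, which is evaluated on every render; an upgrade without an explicit password therefore writes a new random value into this Secret while the existing data directory presumably keeps the old one, which would break client and replica authentication. Fail the upgrade instead, for example in `postgresql.validateValues` with `{{- if and .Release.IsUpgrade (not .Values.postgresqlPassword) (not .Values.existingSecret) }}` (plus the `global.postgresql` equivalents) and a message asking for the current password. The `postgresql-postgres-password` key is gated on `.Values.postgresqlPostgresPassword` only, so a value supplied through `global.postgresql.postgresqlPostgresPassword` is accepted by the helper but never written here. `ldap.bind_password` is read from plain values, so it is also kept in the release's stored values; a comment pointing users to `existingSecret` would help.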
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/servicemonitor.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/servicemonitor.yaml new file mode 100644 index 0000000..f3a529a --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/servicemonitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} + {{- end }} +spec: + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset-slaves.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset-slaves.yaml new file mode 100644 index 0000000..b6d6076 --- /dev/null 
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset-slaves.yaml 
@@ -0,0 +1,299 @@
+{{- if .Values.replication.enabled }}
+apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+ name: "{{ template "postgresql.fullname" . }}-slave"
+ labels:
+ app: {{ template "postgresql.name" . }}
+ chart: {{ template "postgresql.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+{{- with .Values.slave.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.slave.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ serviceName: {{ template "postgresql.fullname" . }}-headless
+ replicas: {{ .Values.replication.slaveReplicas }}
+ selector:
+ matchLabels:
+ app: {{ template "postgresql.name" . }}
+ release: {{ .Release.Name | quote }}
+ role: slave
+ template:
+ metadata:
+ name: {{ template "postgresql.fullname" . }}
+ labels:
+ app: {{ template "postgresql.name" . }}
+ chart: {{ template "postgresql.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+ role: slave
+{{- with .Values.slave.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.slave.podAnnotations }}
+ annotations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ spec:
+ {{- if .Values.schedulerName }}
+ schedulerName: "{{ .Values.schedulerName }}"
+ {{- end }}
+{{- include "postgresql.imagePullSecrets" .
| indent 6 }}
+ {{- if .Values.slave.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.slave.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.slave.affinity }}
+ affinity:
+{{ toYaml .Values.slave.affinity | indent 8 }}
+ {{- end }}
+ {{- if .Values.slave.tolerations }}
+ tolerations:
+{{ toYaml .Values.slave.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
+ {{- if .Values.serviceAccount.enabled }}
+ serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}}
+ {{- end }}
+ {{- if or .Values.slave.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
+ initContainers:
+ {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }}
+ - name: init-chmod-data
+ image: {{ template "postgresql.volumePermissions.image" .
}}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -cx
+ - |
+ {{ if .Values.persistence.enabled }}
+ mkdir -p {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
+ chmod 700 {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
+ find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ xargs chown -R `id -u`:`id -G | cut -d " " -f2`
+ {{- else }}
+ xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
+ {{- end }}
+ {{- end }}
+ {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
+ chmod -R 777 /dev/shm
+ {{- end }}
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ securityContext:
+ {{- else }}
+ securityContext:
+ runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+ {{- end }}
+ volumeMounts:
+ {{ if .Values.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.persistence.mountPath }}
+ subPath: {{ .Values.persistence.subPath }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- end }}
+ {{- if .Values.slave.extraInitContainers }}
+{{ tpl .Values.slave.extraInitContainers . | indent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.slave.priorityClassName }}
+ priorityClassName: {{ .Values.slave.priorityClassName }}
+ {{- end }}
+ containers:
+ - name: {{ template "postgresql.fullname" . }}
+ image: {{ template "postgresql.image" .
}}
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" .Values.image.debug | quote }}
+ - name: POSTGRESQL_VOLUME_DIR
+ value: "{{ .Values.persistence.mountPath }}"
+ - name: POSTGRESQL_PORT_NUMBER
+ value: "{{ template "postgresql.port" . }}"
+ {{- if .Values.persistence.mountPath }}
+ - name: PGDATA
+ value: {{ .Values.postgresqlDataDir | quote }}
+ {{- end }}
+ - name: POSTGRES_REPLICATION_MODE
+ value: "slave"
+ - name: POSTGRES_REPLICATION_USER
+ value: {{ include "postgresql.replication.username" . | quote }}
+ {{- if .Values.usePasswordFile }}
+ - name: POSTGRES_REPLICATION_PASSWORD_FILE
+ value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
+ {{- else }}
+ - name: POSTGRES_REPLICATION_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" . }}
+ key: postgresql-replication-password
+ {{- end }}
+ - name: POSTGRES_CLUSTER_APP_NAME
+ value: {{ .Values.replication.applicationName }}
+ - name: POSTGRES_MASTER_HOST
+ value: {{ template "postgresql.fullname" . }}
+ - name: POSTGRES_MASTER_PORT_NUMBER
+ value: {{ include "postgresql.port" . | quote }}
+ {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+ {{- if .Values.usePasswordFile }}
+ - name: POSTGRES_POSTGRES_PASSWORD_FILE
+ value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
+ {{- else }}
+ - name: POSTGRES_POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" .
}}
+ key: postgresql-postgres-password
+ {{- end }}
+ {{- end }}
+ {{- if .Values.usePasswordFile }}
+ - name: POSTGRES_PASSWORD_FILE
+ value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+ {{- else }}
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" . }}
+ key: postgresql-password
+ {{- end }}
+ ports:
+ - name: tcp-postgresql
+ containerPort: {{ template "postgresql.port" . }}
+ {{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ {{- if (include "postgresql.database" .) }}
+ - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+ {{- else }}
+ - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+ {{- end }}
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - -e
+ {{- include "postgresql.readinessProbeCommand" .
| nindent 16 }}
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.usePasswordFile }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- if .Values.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.persistence.mountPath }}
+ subPath: {{ .Values.persistence.subPath }}
+ {{ end }}
+ {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+ - name: postgresql-extended-config
+ mountPath: /bitnami/postgresql/conf/conf.d/
+ {{- end }}
+ {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
+ - name: postgresql-config
+ mountPath: /bitnami/postgresql/conf
+ {{- end }}
+ {{- if .Values.slave.extraVolumeMounts }}
+ {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+{{- if .Values.slave.sidecars }}
+{{- include "postgresql.tplValue" ( dict "value" .Values.slave.sidecars "context" $ ) | nindent 8 }}
+{{- end }}
+ volumes:
+ {{- if .Values.usePasswordFile }}
+ - name: postgresql-password
+ secret:
+ secretName: {{ template "postgresql.secretName" . }}
+ {{- end }}
+ {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
+ - name: postgresql-config
+ configMap:
+ name: {{ template "postgresql.configurationCM" .
}}
+ {{- end }}
+ {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+ - name: postgresql-extended-config
+ configMap:
+ name: {{ template "postgresql.extendedConfigurationCM" . }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ emptyDir:
+ medium: Memory
+ sizeLimit: 1Gi
+ {{- end }}
+ {{- if not .Values.persistence.enabled }}
+ - name: data
+ emptyDir: {}
+ {{- end }}
+ {{- if .Values.slave.extraVolumes }}
+ {{- toYaml .Values.slave.extraVolumes | nindent 8 }}
+ {{- end }}
+ updateStrategy:
+ type: {{ .Values.updateStrategy.type }}
+ {{- if (eq "Recreate" .Values.updateStrategy.type) }}
+ rollingUpdate: null
+ {{- end }}
+{{- if .Values.persistence.enabled }}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ {{- with .Values.persistence.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+ {{- end }}
+ spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{ include "postgresql.storageClass" . }}
+{{- end }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset.yaml
new file mode 100644
index 0000000..66eaa01
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/statefulset.yaml
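Review bot: The postgres container's `securityContext` in statefulset-slaves.yaml sets only `runAsUser`, and only when `.Values.securityContext.enabled` is true, so nothing in the template itself prevents privilege escalation or a root UID arriving through values. Adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` under that `securityContext:` would make the hardening part of the template rather than of whoever writes the values file. The `init-chmod-data` container deserves a comment as well: it runs a recursive `chown` and `chmod -R 777 /dev/shm` under `.Values.volumePermissions.securityContext.runAsUser`, and renders an empty `securityContext:` key when that value is "auto". statefulset.yaml repeats both patterns for the master pod.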
@@ -0,0 +1,453 @@
+apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+ name: {{ template "postgresql.master.fullname" . }}
+ labels:
+ app: {{ template "postgresql.name" . }}
+ chart: {{ template "postgresql.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+ {{- with .Values.master.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.master.annotations }}
+ annotations: {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ serviceName: {{ template "postgresql.fullname" . }}-headless
+ replicas: 1
+ updateStrategy:
+ type: {{ .Values.updateStrategy.type }}
+ {{- if (eq "Recreate" .Values.updateStrategy.type) }}
+ rollingUpdate: null
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "postgresql.name" . }}
+ release: {{ .Release.Name | quote }}
+ role: master
+ template:
+ metadata:
+ name: {{ template "postgresql.fullname" . }}
+ labels:
+ app: {{ template "postgresql.name" . }}
+ chart: {{ template "postgresql.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+ role: master
+ {{- with .Values.master.podLabels }}
+ {{- toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.master.podAnnotations }}
+ annotations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.schedulerName }}
+ schedulerName: "{{ .Values.schedulerName }}"
+ {{- end }}
+{{- include "postgresql.imagePullSecrets" .
| indent 6 }}
+ {{- if .Values.master.nodeSelector }}
+ nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.master.affinity }}
+ affinity: {{- toYaml .Values.master.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.master.tolerations }}
+ tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
+ {{- if .Values.serviceAccount.enabled }}
+ serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
+ {{- end }}
+ {{- if or .Values.master.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
+ initContainers:
+ {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }}
+ - name: init-chmod-data
+ image: {{ template "postgresql.volumePermissions.image" .
}}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -cx
+ - |
+ {{- if .Values.persistence.enabled }}
+ mkdir -p {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
+ chmod 700 {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data
+ find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ xargs chown -R `id -u`:`id -G | cut -d " " -f2`
+ {{- else }}
+ xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
+ {{- end }}
+ {{- end }}
+ {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
+ chmod -R 777 /dev/shm
+ {{- end }}
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ securityContext:
+ {{- else }}
+ securityContext:
+ runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.persistence.mountPath }}
+ subPath: {{ .Values.persistence.subPath }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- end }}
+ {{- if .Values.master.extraInitContainers }}
+ {{- tpl .Values.master.extraInitContainers . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.master.priorityClassName }}
+ priorityClassName: {{ .Values.master.priorityClassName }}
+ {{- end }}
+ containers:
+ - name: {{ template "postgresql.fullname" . }}
+ image: {{ template "postgresql.image" .
}}
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" .Values.image.debug | quote }}
+ - name: POSTGRESQL_PORT_NUMBER
+ value: "{{ template "postgresql.port" . }}"
+ - name: POSTGRESQL_VOLUME_DIR
+ value: "{{ .Values.persistence.mountPath }}"
+ {{- if .Values.postgresqlInitdbArgs }}
+ - name: POSTGRES_INITDB_ARGS
+ value: {{ .Values.postgresqlInitdbArgs | quote }}
+ {{- end }}
+ {{- if .Values.postgresqlInitdbWalDir }}
+ - name: POSTGRES_INITDB_WALDIR
+ value: {{ .Values.postgresqlInitdbWalDir | quote }}
+ {{- end }}
+ {{- if .Values.initdbUser }}
+ - name: POSTGRESQL_INITSCRIPTS_USERNAME
+ value: {{ .Values.initdbUser }}
+ {{- end }}
+ {{- if .Values.initdbPassword }}
+ - name: POSTGRESQL_INITSCRIPTS_PASSWORD
+ value: {{ .Values.initdbPassword }}
+ {{- end }}
+ {{- if .Values.persistence.mountPath }}
+ - name: PGDATA
+ value: {{ .Values.postgresqlDataDir | quote }}
+ {{- end }}
+ {{- if .Values.replication.enabled }}
+ - name: POSTGRES_REPLICATION_MODE
+ value: "master"
+ - name: POSTGRES_REPLICATION_USER
+ value: {{ include "postgresql.replication.username" . | quote }}
+ {{- if .Values.usePasswordFile }}
+ - name: POSTGRES_REPLICATION_PASSWORD_FILE
+ value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
+ {{- else }}
+ - name: POSTGRES_REPLICATION_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" .
}}
+ key: postgresql-replication-password
+ {{- end }}
+ {{- if not (eq .Values.replication.synchronousCommit "off")}}
+ - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
+ value: {{ .Values.replication.synchronousCommit | quote }}
+ - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
+ value: {{ .Values.replication.numSynchronousReplicas | quote }}
+ {{- end }}
+ - name: POSTGRES_CLUSTER_APP_NAME
+ value: {{ .Values.replication.applicationName }}
+ {{- end }}
+ {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+ {{- if .Values.usePasswordFile }}
+ - name: POSTGRES_POSTGRES_PASSWORD_FILE
+ value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
+ {{- else }}
+ - name: POSTGRES_POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" . }}
+ key: postgresql-postgres-password
+ {{- end }}
+ {{- end }}
+ - name: POSTGRES_USER
+ value: {{ include "postgresql.username" . | quote }}
+ {{- if .Values.usePasswordFile }}
+ - name: POSTGRES_PASSWORD_FILE
+ value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+ {{- else }}
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" . }}
+ key: postgresql-password
+ {{- end }}
+ {{- if (include "postgresql.database" .) }}
+ - name: POSTGRES_DB
+ value: {{ (include "postgresql.database" .)
| quote }}
+ {{- end }}
+ {{- if .Values.extraEnv }}
+ {{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }}
+ {{- end }}
+ - name: POSTGRESQL_ENABLE_LDAP
+ value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
+ {{- if .Values.ldap.enabled }}
+ - name: POSTGRESQL_LDAP_SERVER
+ value: {{ .Values.ldap.server }}
+ - name: POSTGRESQL_LDAP_PORT
+ value: {{ .Values.ldap.port | quote }}
+ - name: POSTGRESQL_LDAP_SCHEME
+ value: {{ .Values.ldap.scheme }}
+ {{- if .Values.ldap.tls }}
+ - name: POSTGRESQL_LDAP_TLS
+ value: "1"
+ {{- end}}
+ - name: POSTGRESQL_LDAP_PREFIX
+ value: {{ .Values.ldap.prefix | quote }}
+ - name: POSTGRESQL_LDAP_SUFFIX
+ value: {{ .Values.ldap.suffix | quote}}
+ - name: POSTGRESQL_LDAP_BASE_DN
+ value: {{ .Values.ldap.baseDN }}
+ - name: POSTGRESQL_LDAP_BIND_DN
+ value: {{ .Values.ldap.bindDN }}
+ {{- if (not (empty .Values.ldap.bind_password)) }}
+ - name: POSTGRESQL_LDAP_BIND_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" . }}
+ key: postgresql-ldap-password
+ {{- end}}
+ - name: POSTGRESQL_LDAP_SEARCH_ATTR
+ value: {{ .Values.ldap.search_attr }}
+ - name: POSTGRESQL_LDAP_SEARCH_FILTER
+ value: {{ .Values.ldap.search_filter }}
+ - name: POSTGRESQL_LDAP_URL
+ value: {{ .Values.ldap.url }}
+ {{- end}}
+ {{- if .Values.extraEnvVarsCM }}
+ envFrom:
+ - configMapRef:
+ name: {{ tpl .Values.extraEnvVarsCM . }}
+ {{- end }}
+ ports:
+ - name: tcp-postgresql
+ containerPort: {{ template "postgresql.port" . }}
+ {{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ {{- if (include "postgresql.database" .) }}
+ - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+ {{- else }}
+ - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" .
}}
+ {{- end }}
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - -e
+ {{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+ {{- end }}
+ volumeMounts:
+ {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+ - name: custom-init-scripts
+ mountPath: /docker-entrypoint-initdb.d/
+ {{- end }}
+ {{- if .Values.initdbScriptsSecret }}
+ - name: custom-init-scripts-secret
+ mountPath: /docker-entrypoint-initdb.d/secret
+ {{- end }}
+ {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+ - name: postgresql-extended-config
+ mountPath: /bitnami/postgresql/conf/conf.d/
+ {{- end }}
+ {{- if .Values.usePasswordFile }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- if .Values.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.persistence.mountPath }}
+ subPath: {{ .Values.persistence.subPath }}
+ {{- end }}
+ {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
+ -
name: postgresql-config
+ mountPath: /bitnami/postgresql/conf
+ {{- end }}
+ {{- if .Values.master.extraVolumeMounts }}
+ {{- toYaml .Values.master.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+{{- if .Values.master.sidecars }}
+{{- include "postgresql.tplValue" ( dict "value" .Values.master.sidecars "context" $ ) | nindent 8 }}
+{{- end }}
+{{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ template "postgresql.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.metrics.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.metrics.securityContext.runAsUser }}
+ {{- end }}
+ env:
+ {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }}
+ - name: DATA_SOURCE_URI
+ value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }}
+ {{- if .Values.usePasswordFile }}
+ - name: DATA_SOURCE_PASS_FILE
+ value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+ {{- else }}
+ - name: DATA_SOURCE_PASS
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "postgresql.secretName" . }}
+ key: postgresql-password
+ {{- end }}
+ - name: DATA_SOURCE_USER
+ value: {{ template "postgresql.username" .
}}
+ {{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http-metrics
+ initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http-metrics
+ initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.usePasswordFile }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
+ {{- if .Values.metrics.customMetrics }}
+ - name: custom-metrics
+ mountPath: /conf
+ readOnly: true
+ args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
+ {{- end }}
+ ports:
+ - name: http-metrics
+ containerPort: 9187
+ {{- if .Values.metrics.resources }}
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- end }}
+{{- end }}
+ volumes:
+ {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
+ - name: postgresql-config
+ configMap:
+ name: {{ template "postgresql.configurationCM" . }}
+ {{- end }}
+ {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+ - name: postgresql-extended-config
+ configMap:
+ name: {{ template "postgresql.extendedConfigurationCM" .
}}
+ {{- end }}
+ {{- if .Values.usePasswordFile }}
+ - name: postgresql-password
+ secret:
+ secretName: {{ template "postgresql.secretName" . }}
+ {{- end }}
+ {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+ - name: custom-init-scripts
+ configMap:
+ name: {{ template "postgresql.initdbScriptsCM" . }}
+ {{- end }}
+ {{- if .Values.initdbScriptsSecret }}
+ - name: custom-init-scripts-secret
+ secret:
+ secretName: {{ template "postgresql.initdbScriptsSecret" . }}
+ {{- end }}
+ {{- if .Values.master.extraVolumes }}
+ {{- toYaml .Values.master.extraVolumes | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+ - name: custom-metrics
+ configMap:
+ name: {{ template "postgresql.metricsCM" . }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ emptyDir:
+ medium: Memory
+ sizeLimit: 1Gi
+ {{- end }}
+{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+ - name: data
+ persistentVolumeClaim:
+{{- with .Values.persistence.existingClaim }}
+ claimName: {{ tpl . $ }}
+{{- end }}
+{{- else if not .Values.persistence.enabled }}
+ - name: data
+ emptyDir: {}
+{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ {{- with .Values.persistence.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+ {{- end }}
+ spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{ include "postgresql.storageClass" . }}
+{{- end }}
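Review bot: `POSTGRESQL_INITSCRIPTS_PASSWORD` in statefulset.yaml is rendered as a literal `value: {{ .Values.initdbPassword }}`, so the init-script password is stored in the StatefulSet and pod spec, readable by anyone who can view those objects, while every other password in this hunk goes through `secretKeyRef`. It is also unquoted, so a password with YAML-significant characters could break rendering or be retyped. I would move it into the chart's Secret and reference it the same way as `POSTGRES_PASSWORD`; the Secret template is outside this hunk, so the key name below is a placeholder. The `ldap.*` values in the same env list (`server`, `scheme`, `baseDN`, `bindDN`, `search_attr`, `search_filter`, `url`) are likewise unquoted and would benefit from `| quote`.

```yaml
{{- if .Values.initdbPassword }}
- name: POSTGRESQL_INITSCRIPTS_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ template "postgresql.secretName" . }}
      key: INITDB_PASSWORD_KEY  # placeholder: a key to be added to the chart's Secret template
# … unchanged: closing end and the remaining env entries …
```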
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-headless.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-headless.yaml
new file mode 100644
index 0000000..5c71f46
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-headless.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "postgresql.fullname" . }}-headless
+ labels:
+ app: {{ template "postgresql.name" . }}
+ chart: {{ template "postgresql.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: tcp-postgresql
+ port: {{ template "postgresql.port" . }}
+ targetPort: tcp-postgresql
+ selector:
+ app: {{ template "postgresql.name" . }}
+ release: {{ .Release.Name | quote }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-read.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-read.yaml
new file mode 100644
index 0000000..92bdda8
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc-read.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.replication.enabled }}
+{{- $serviceAnnotations := coalesce .Values.slave.service.annotations .Values.service.annotations -}}
+{{- $serviceType := coalesce .Values.slave.service.type .Values.service.type -}}
+{{- $serviceLoadBalancerIP := coalesce .Values.slave.service.loadBalancerIP .Values.service.loadBalancerIP -}}
+{{- $serviceLoadBalancerSourceRanges := coalesce .Values.slave.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}}
+{{- $serviceClusterIP := coalesce .Values.slave.service.clusterIP .Values.service.clusterIP -}}
+{{- $serviceNodePort := coalesce .Values.slave.service.nodePort .Values.service.nodePort -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "postgresql.fullname" . }}-read
+ labels:
+ app: {{ template "postgresql.name" . }}
+ chart: {{ template "postgresql.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+ {{- if $serviceAnnotations }}
+ annotations: {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ $serviceType }}
+ {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }}
+ loadBalancerIP: {{ $serviceLoadBalancerIP }}
+ {{- end }}
+ {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }}
+ loadBalancerSourceRanges: {{- include "postgresql.tplValue" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }}
+ clusterIP: {{ $serviceClusterIP }}
+ {{- end }}
+ ports:
+ - name: tcp-postgresql
+ port: {{ template "postgresql.port" . }}
+ targetPort: tcp-postgresql
+ {{- if $serviceNodePort }}
+ nodePort: {{ $serviceNodePort }}
+ {{- end }}
+ selector:
+ app: {{ template "postgresql.name" . }}
+ release: {{ .Release.Name | quote }}
+ role: slave
+{{- end }}
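Review bot: When `$serviceType` is "LoadBalancer" and no `loadBalancerSourceRanges` value is supplied, svc-read.yaml renders the Service with no source restriction, leaving the PostgreSQL port reachable from whatever the load balancer accepts. A guard near the top of the template, such as `{{- if and (eq $serviceType "LoadBalancer") (not $serviceLoadBalancerSourceRanges) }}{{ fail "loadBalancerSourceRanges is required when the service type is LoadBalancer" }}{{- end }}`, would make that exposure an explicit decision; at minimum a comment beside `type:` should state it. Separately, `nodePort:` is emitted whenever `$serviceNodePort` is set, even for a ClusterIP service, which the API server is expected to reject, so that condition should also test the service type. svc.yaml has the same two patterns for the master (read-write) service.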
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc.yaml
new file mode 100644
index 0000000..299e8d0
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/templates/svc.yaml
@@ -0,0 +1,40 @@ +{{- $serviceAnnotations := coalesce .Values.master.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.master.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.master.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.master.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.master.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.master.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + app: {{ template "postgresql.name" . }} + chart: {{ template "postgresql.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + {{- if $serviceAnnotations }} + annotations: {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "postgresql.tplValue" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + app: {{ template "postgresql.name" . }} + release: {{ .Release.Name | quote }} + role: master 
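Review bot: `nodePort` under `ports` is rendered whenever `$serviceNodePort` is set, without looking at `$serviceType`, while the other optional fields in `spec` are all gated on the type. With the default `ClusterIP` type a stray `nodePort` value should be rejected by the API server, so the release would fail at apply time rather than at render time. Gating it the same way as its neighbours keeps the manifest valid: `{{- if and $serviceNodePort (ne $serviceType "ClusterIP") }}`. The read service in the preceding hunk has the same line.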
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values-production.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values-production.yaml
new file mode 100644
index 0000000..d34e326
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values-production.yaml
@@ -0,0 +1,542 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.7.0-debian-10-r65 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + +## String to partially override postgresql.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override postgresql.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of 
imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. 
+ # name: + +replication: + enabled: true + user: repl_user + password: repl_password + slaveReplicas: 2 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: "on" + ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > slaveReplicas + numSynchronousReplicas: 1 + ## Replication Cluster application name. Useful for defining multiple replication policies + applicationName: my_application + +## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) +# postgresqlPostgresPassword: + +## PostgreSQL user (has superuser privileges if username is `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## An array to add extra environment variables +## For example: +## extraEnv: +## - name: FOO +## value: "bar" +## +# extraEnv: +extraEnv: [] + +## Name of a ConfigMap containing extra env vars +## +# extraEnvVarsCM: + +## 
Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." 
+ +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## LDAP configuration +## +ldap: + enabled: false + url: "" + server: "" + port: "" + prefix: "" + suffix: "" + baseDN: "" + bindDN: "" + bind_password: + search_attr: "" + search_filter: "" + scheme: "" + tls: false + +## PostgreSQL service configuration +service: + ## PosgresSQL service type + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. Evaluated as a template. + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources. Evaluated as a template. + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Start master and slave(s) pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) +## limit `/dev/shm` to `64M` (see e.g. 
the +## [docker issue](https://github.com/docker-library/postgres/issues/416) and the +## [containerd issue](https://github.com/containerd/containerd/issues/3654), +## which could be not enough if PostgreSQL uses parallel workers heavily. +## +shmVolume: + ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove + ## this limitation. + ## + enabled: true + ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. + ## This option is ingored if `volumePermissions.enabled` is `false` + ## + chmod: + enabled: true + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. 
+ ## + subPath: "" + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Master parameters +## +master: + ## Node, affinity, tolerations, and priorityclass settings for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: "" + ## Additional PostgreSQL Master Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Master Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + sidecars: [] + + ## Override the service configuration for master + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## +## PostgreSQL Slave parameters +## +slave: + ## Node, affinity, tolerations, and priorityclass settings for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption + nodeSelector: 
{} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: "" + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + extraInitContainers: [] + ## Additional PostgreSQL Slave Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Slave Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + sidecars: [] + + ## Override the service configuration for slave + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the DB. + ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. 
+ ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + explicitNamespacesSelector: {} + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Configure metrics exporter +## +metrics: + enabled: true + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). 
+ rules: [] + + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.8.0-debian-10-r72 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + # customMetrics: + # pg_database: + # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + # metrics: + # - name: + # usage: "LABEL" + # description: "Name of the database" + # - size_bytes: + # usage: "GAUGE" + # description: "Size of the database in bytes" + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.schema.json b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.schema.json new file mode 100644 index 0000000..ac2de6e --- /dev/null 
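Review bot: `replication.password: repl_password` is a fixed, publicly known credential, and this file turns `replication.enabled` on, so a release installed from it without an override gets a replication account with that password. The default should not be a usable secret: leave the key commented out the way `postgresqlPassword` is, e.g. `# password:`, and add a comment such as `## Sample value only; override replication.password for every deployment`. Whether the chart generates a value when the key is unset is not visible here and should be confirmed before removing it. `networkPolicy.enabled: false` together with `allowExternal: true` means nothing narrows which pods can reach the port, which makes the known password more serious. The `values.yaml` hunk that follows carries the same `password: repl_password` default.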
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.schema.json
@@ -0,0 +1,103 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "properties": {
+ "postgresqlUsername": {
+ "type": "string",
+ "title": "Admin user",
+ "form": true
+ },
+ "postgresqlPassword": {
+ "type": "string",
+ "title": "Password",
+ "form": true
+ },
+ "persistence": {
+ "type": "object",
+ "properties": {
+ "size": {
+ "type": "string",
+ "title": "Persistent Volume Size",
+ "form": true,
+ "render": "slider",
+ "sliderMin": 1,
+ "sliderMax": 100,
+ "sliderUnit": "Gi"
+ }
+ }
+ },
+ "resources": {
+ "type": "object",
+ "title": "Required Resources",
+ "description": "Configure resource requests",
+ "form": true,
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "memory": {
+ "type": "string",
+ "form": true,
+ "render": "slider",
+ "title": "Memory Request",
+ "sliderMin": 10,
+ "sliderMax": 2048,
+ "sliderUnit": "Mi"
+ },
+ "cpu": {
+ "type": "string",
+ "form": true,
+ "render": "slider",
+ "title": "CPU Request",
+ "sliderMin": 10,
+ "sliderMax": 2000,
+ "sliderUnit": "m"
+ }
+ }
+ }
+ }
+ },
+ "replication": {
+ "type": "object",
+ "form": true,
+ "title": "Replication Details",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Enable Replication",
+ "form": true
+ },
+ "slaveReplicas": {
+ "type": "integer",
+ "title": "Slave Replicas",
+ "form": true,
+ "hidden": {
+ "condition": false,
+ "value": "replication.enabled"
+ }
+ }
+ }
+ },
+ "volumePermissions": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable Init Containers",
+ "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
+ }
+ }
+ },
+ "metrics": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Configure metrics exporter",
+ "form": true
+ }
+ }
+ }
+ }
+}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.yaml
new file mode 100644
index 0000000..e14709a
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/postgresql/values.yaml
@@ -0,0 +1,548 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.7.0-debian-10-r65 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + +## String to partially override postgresql.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override postgresql.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of 
imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. 
+ # name: + +replication: + enabled: false + user: repl_user + password: repl_password + slaveReplicas: 1 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: "off" + ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > slaveReplicas + numSynchronousReplicas: 0 + ## Replication Cluster application name. Useful for defining multiple replication policies + applicationName: my_application + +## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) +# postgresqlPostgresPassword: + +## PostgreSQL user (has superuser privileges if username is `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## An array to add extra environment variables +## For example: +## extraEnv: +## - name: FOO +## value: "bar" +## +# extraEnv: +extraEnv: [] + +## Name of a ConfigMap containing extra env vars +## +# extraEnvVarsCM: + +## 
Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." 
+ +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## LDAP configuration +## +ldap: + enabled: false + url: "" + server: "" + port: "" + prefix: "" + suffix: "" + baseDN: "" + bindDN: "" + bind_password: + search_attr: "" + search_filter: "" + scheme: "" + tls: false + +## PostgreSQL service configuration +service: + ## PosgresSQL service type + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. Evaluated as a template. + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources. Evaluated as a template. + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Start master and slave(s) pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) +## limit `/dev/shm` to `64M` (see e.g. 
the +## [docker issue](https://github.com/docker-library/postgres/issues/416) and the +## [containerd issue](https://github.com/containerd/containerd/issues/3654), +## which could be not enough if PostgreSQL uses parallel workers heavily. +## +shmVolume: + ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove + ## this limitation. + ## + enabled: true + ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. + ## This option is ingored if `volumePermissions.enabled` is `false` + ## + chmod: + enabled: true + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. 
+ ## + subPath: "" + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Master parameters +## +master: + ## Node, affinity, tolerations, and priorityclass settings for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: "" + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + extraInitContainers: [] + + ## Additional PostgreSQL Master Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Master Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + sidecars: [] + + ## Override the service configuration for master + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## +## PostgreSQL Slave parameters +## +slave: + ## Node, affinity, tolerations, and priorityclass settings for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## ref: 
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption + nodeSelector: {} + affinity: {} + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: "" + extraInitContainers: | + # - name: do-something + # image: busybox + # command: ['do', 'something'] + ## Additional PostgreSQL Slave Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Slave Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + sidecars: [] + + ## Override the service configuration for slave + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the DB. + ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. 
+ ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + explicitNamespacesSelector: {} + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Configure metrics exporter +## +metrics: + enabled: false + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). 
+ rules: [] + + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.8.0-debian-10-r72 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + # customMetrics: + # pg_database: + # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + # metrics: + # - name: + # usage: "LABEL" + # description: "Name of the database" + # - size_bytes: + # usage: "GAUGE" + # description: "Size of the database in bytes" + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/.helmignore b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null 
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/Chart.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/Chart.yaml
new file mode 100644
index 0000000..4cae13b
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+appVersion: 3.8.3
+description: Open source message broker software that implements the Advanced Message
+ Queuing Protocol (AMQP)
+home: https://www.rabbitmq.com
+icon: https://bitnami.com/assets/stacks/rabbitmq/img/rabbitmq-stack-220x234.png
+keywords:
+- rabbitmq
+- message queue
+- AMQP
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+name: rabbitmq
+sources:
+- https://github.com/bitnami/bitnami-docker-rabbitmq
+version: 6.25.0
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/README.md
new file mode 100644
index 0000000..f035af1
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/README.md
@@ -0,0 +1,410 @@ +# RabbitMQ + +[RabbitMQ](https://www.rabbitmq.com/) is an open source message broker software that implements the Advanced Message Queuing Protocol (AMQP). + +## TL;DR; + +```bash +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/rabbitmq +``` + +## Introduction + +This chart bootstraps a [RabbitMQ](https://github.com/bitnami/bitnami-docker-rabbitmq) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 2.11+ or Helm 3.0-beta3+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/rabbitmq +``` + +The command deploys RabbitMQ on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +The following table lists the configurable parameters of the RabbitMQ chart and their default values. 
+ +| Parameter | Description | Default | +| -------------------------------------------- | ------------------------------------------------ | ------------------------------------------------------- | +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `image.registry` | Rabbitmq Image registry | `docker.io` | +| `image.repository` | Rabbitmq Image name | `bitnami/rabbitmq` | +| `image.tag` | Rabbitmq Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | +| `image.debug` | Specify if debug values should be set | `false` | +| `nameOverride` | String to partially override rabbitmq.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override rabbitmq.fullname template with a string | `nil` | +| `rbacEnabled` | Specify if rbac is enabled in your cluster | `true` | +| `podManagementPolicy` | Pod management policy | `OrderedReady` | +| `rabbitmq.username` | RabbitMQ application username | `user` | +| `rabbitmq.password` | RabbitMQ application password | _random 10 character long alphanumeric string_ | +| `rabbitmq.existingPasswordSecret` | Existing secret with RabbitMQ credentials | `nil` | +| `rabbitmq.erlangCookie` | Erlang cookie | _random 32 character long alphanumeric string_ | +| `rabbitmq.existingErlangSecret` | Existing secret with RabbitMQ Erlang cookie | `nil` | +| `rabbitmq.plugins` | List of plugins to enable | `rabbitmq_management rabbitmq_peer_discovery_k8s` | +| `rabbitmq.extraPlugins` | Extra plugings to enable | `nil` | +| `rabbitmq.clustering.address_type` | Switch clustering mode | `ip` or `hostname` | +| `rabbitmq.clustering.k8s_domain` | 
Customize internal k8s cluster domain | `cluster.local` | +| `rabbitmq.clustering.rebalance` | Rebalance master for queues in cluster when new replica is created | `false` | +| `rabbitmq.logs` | Value for the RABBITMQ_LOGS environment variable | `-` | +| `rabbitmq.setUlimitNofiles` | Specify if max file descriptor limit should be set | `true` | +| `rabbitmq.ulimitNofiles` | Max File Descriptor limit | `65536` | +| `rabbitmq.maxAvailableSchedulers` | RabbitMQ maximum available scheduler threads | `2` | +| `rabbitmq.onlineSchedulers` | RabbitMQ online scheduler threads | `1` | +| `rabbitmq.env` | RabbitMQ [environment variables](https://www.rabbitmq.com/configure.html#customise-environment) | `{}` | +| `rabbitmq.configuration` | Required cluster configuration | See values.yaml | +| `rabbitmq.extraConfiguration` | Extra configuration to add to rabbitmq.conf | See values.yaml | +| `rabbitmq.advancedConfiguration` | Extra configuration (in classic format) to add to advanced.config | See values.yaml | +| `rabbitmq.tls.enabled` | Enable TLS support to rabbitmq | `false` | +| `rabbitmq.tls.failIfNoPeerCert` | When set to true, TLS connection will be rejected if client fails to provide a certificate | `true` | +| `rabbitmq.tls.sslOptionsVerify` | `verify_peer` | Should [peer verification](https://www.rabbitmq.com/ssl.html#peer-verification) be enabled? 
| +| `rabbitmq.tls.caCertificate` | Ca certificate | Certificate Authority (CA) bundle content | +| `rabbitmq.tls.serverCertificate` | Server certificate | Server certificate content | +| `rabbitmq.tls.serverKey` | Server Key | Server private key content | +| `rabbitmq.tls.existingSecret` | Existing secret with certificate content to rabbitmq credentials | `nil` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.server` | LDAP server | `""` | +| `ldap.port` | LDAP port | `389` | +| `ldap.user_dn_pattern` | DN used to bind to LDAP | `cn=${username},dc=example,dc=org` | +| `ldap.tls.enabled` | Enable TLS for LDAP connections | `false` (if set to true, check advancedConfiguration parameter in values.yml) | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | Amqp port | `5672` | +| `service.loadBalancerIP` | LoadBalancerIP for the service | `nil` | +| `service.tlsPort` | Amqp TLS port | `5671` | +| `service.distPort` | Erlang distribution server port | `25672` | +| `service.nodePort` | Node port override, if serviceType NodePort | _random available between 30000-32767_ | +| `service.nodeTlsPort` | Node port override, if serviceType NodePort | _random available between 30000-32767_ | +| `service.managerPort` | RabbitMQ Manager port | `15672` | +| `service.extraPorts` | Extra ports to expose in the service | `nil` | +| `service.extraContainerPorts` | Extra ports to be included in container spec, primarily informational | `nil` | +| `persistence.enabled` | Use a PVC to persist data | `true` | +| `service.annotations` | service annotations | {} | +| `schedulerName` | Name of the k8s service (other than default) | `nil` | +| `persistence.storageClass` | Storage class of backing PVC | `nil` (uses alpha storage class annotation) | +| `persistence.existingClaim` | RabbitMQ data Persistent Volume existing claim name, evaluated as a template | "" | +| `persistence.selector` | Selector to match an existing Persistent Volume | `nil` | +| 
`persistence.accessMode` | Use volume as ReadOnly or ReadWrite | `ReadWriteOnce` | +| `persistence.size` | Size of data volume | `8Gi` | +| `persistence.path` | Mount path of the data volume | `/opt/bitnami/rabbitmq/var/lib/rabbitmq` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the container | `1001` | +| `securityContext.runAsUser` | User ID for the container | `1001` | +| `resources` | resource needs and limits to apply to the pod | {} | +| `replicas` | Replica count | `1` | +| `priorityClassName` | Pod priority class name | `` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.additionalRules` | Additional NetworkPolicy rules | `nil` | +| `nodeSelector` | Node labels for pod assignment | {} | +| `affinity` | Affinity settings for pod assignment | {} | +| `tolerations` | Toleration labels for pod assignment | [] | +| `updateStrategy` | Statefulset update strategy policy | `RollingUpdate` | +| `ingress.enabled` | Enable ingress resource for Management console | `false` | +| `ingress.hostName` | Hostname to your RabbitMQ installation | `nil` | +| `ingress.path` | Path within the url structure | `/` | +| `ingress.tls` | enable ingress with tls | `false` | +| `ingress.tlsSecret` | tls type secret to be used | `myTlsSecret` | +| `ingress.annotations` | ingress annotations as an array | [] | +| `livenessProbe.enabled` | would you like a livenessProbed to be enabled | `true` | +| `livenessProbe.initialDelaySeconds` | number of seconds | 120 | +| `livenessProbe.timeoutSeconds` | number of seconds | 20 | +| `livenessProbe.periodSeconds` | number of seconds | 30 | +| `livenessProbe.failureThreshold` | number of failures | 6 | +| `livenessProbe.successThreshold` | number of successes | 1 | +| `livenessProbe.commandOverride` | Custom command for liveness probe | [] | +| `podDisruptionBudget` 
| Pod Disruption Budget settings | {} | +| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `readinessProbe.initialDelaySeconds` | number of seconds | 10 | +| `readinessProbe.timeoutSeconds` | number of seconds | 20 | +| `readinessProbe.periodSeconds` | number of seconds | 30 | +| `readinessProbe.failureThreshold` | number of failures | 3 | +| `readinessProbe.successThreshold` | number of successes | 1 | +| `readinessProbe.commandOverride` | Custom command for readiness probe | [] | +| `metrics.enabled` | Enable prometheus to access rabbitmq metrics | `false` | +| `metrics.port` | Port where the server will expose Prometheus metrics | `9419` | +| `metrics.plugins` | Plugins to enable prometheus metrics in rabbitmq | `rabbitmq_prometheus` | +| `metrics.podAnnotations` | Annotations for enabling prometheus to access the metrics endpoint | `{prometheus.io/scrape: "true", prometheus.io/port: "9419"}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace where servicemonitor resource should be created | `nil` | +| `metrics.serviceMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `nil` | +| `metrics.serviceMonitor.relabellings` | Specify Metric Relabellings to add to the scrape endpoint | `nil` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels. 
| `false` | +| `metrics.serviceMonitor.additionalLabels` | Used to pass Labels that are required by the Installed Prometheus Operator | `{}` | +| `metrics.serviceMonitor.release` | Used to pass Labels release that sometimes should be custom for Prometheus Operator | `nil` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | Same namespace as rabbitmq | +| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | +| `podLabels` | Additional labels for the statefulset pod(s). | {} | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.resources` | Init container resource requests/limit | `nil` | +| `forceBoot.enabled` | Executes 'rabbitmqctl force_boot' to force boot cluster shut down unexpectedly in an unknown order. Use it only if you prefer availability over integrity. | `false` | +| `extraSecrets` | Optionally specify extra secrets to be created by the chart. | `{}` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts . 
| `{}` | +| `extraVolumes` | Optionally specify extra list of additional volumes . | `{}` | + +The above parameters map to the env variables defined in [bitnami/rabbitmq](http://github.com/bitnami/bitnami-docker-rabbitmq). For more information please refer to the [bitnami/rabbitmq](http://github.com/bitnami/bitnami-docker-rabbitmq) image documentation. + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set rabbitmq.username=admin,rabbitmq.password=secretpassword,rabbitmq.erlangCookie=secretcookie \ + bitnami/rabbitmq +``` + +The above command sets the RabbitMQ admin username and password to `admin` and `secretpassword` respectively. Additionally the secure erlang cookie is set to `secretcookie`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/rabbitmq +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Production configuration and horizontal scaling + +This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. 
+ +- Resource needs and limits to apply to the pod: +```diff +- resources: {} ++ resources: ++ requests: ++ memory: 256Mi ++ cpu: 100m +``` + +- Replica count: +```diff +- replicas: 1 ++ replicas: 3 +``` + +- Node labels for pod assignment: +```diff +- nodeSelector: {} ++ nodeSelector: ++ beta.kubernetes.io/arch: amd64 +``` + +- Enable ingress with TLS: +```diff +- ingress.tls: false ++ ingress.tls: true +``` + +- Enable prometheus metrics: +```diff +- metrics.enabled: false ++ metrics.enabled: true +``` + +- Enable init container that changes volume permissions in the data directory: +```diff +- volumePermissions.enabled: false ++ volumePermissions.enabled: true +``` + +To horizontally scale this chart once it has been deployed you have two options: + +- Use `kubectl scale` command + +- Upgrading the chart with the following parameters: + +```console +replicas=3 +rabbitmq.password="$RABBITMQ_PASSWORD" +rabbitmq.erlangCookie="$RABBITMQ_ERLANG_COOKIE" +``` + +> Note: please note it's mandatory to indicate the password and erlangCookie that was set the first time the chart was installed to upgrade the chart. Otherwise, new pods won't be able to join the cluster. + +### Load Definitions +It is possible to [load a RabbitMQ definitions file to configure RabbitMQ](http://www.rabbitmq.com/management.html#load-definitions). Because definitions may contain RabbitMQ credentials, [store the JSON as a Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod). Within the secret's data, choose a key name that corresponds with the desired load definitions filename (i.e. `load_definition.json`) and use the JSON object as the value. 
For example: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: rabbitmq-load-definition +type: Opaque +stringData: + load_definition.json: |- + { + "vhosts": [ + { + "name": "/" + } + ] + } +``` + +Then, specify the `management.load_definitions` property as an `extraConfiguration` pointing to the load definition file path within the container (i.e. `/app/load_definition.json`) and set `loadDefinition.enable` to `true`. + +Any load definitions specified will be available within in the container at `/app`. + +> Loading a definition will take precedence over any configuration done through [Helm values](#parameters). + +If needed, you can use `extraSecrets` to let the chart create the secret for you. This way, you don't need to manually create it before deploying a release. For example : + +```yaml +extraSecrets: + load-definition: + load_definition.json: | + { + "vhosts": [ + { + "name": "/" + } + ] + } +rabbitmq: + loadDefinition: + enabled: true + secretName: load-definition + extraConfiguration: | + management.load_definitions = /app/load_definition.json +``` + +### Enabling TLS support + +To enable TLS support you must generate the certificates using RabbitMQ [documentation](https://www.rabbitmq.com/ssl.html#automated-certificate-generation). + +You must include in your values.yaml the caCertificate, serverCertificate and serverKey files. + +```yaml + caCertificate: |- + -----BEGIN CERTIFICATE----- + MIIDRTCCAi2gAwIBAgIJAJPh+paO6a3cMA0GCSqGSIb3DQEBCwUAMDExIDAeBgNV + ... + -----END CERTIFICATE----- + serverCertificate: |- + -----BEGIN CERTIFICATE----- + MIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMSAwHgYDVQQDDBdUTFNH + ... + -----END CERTIFICATE----- + serverKey: |- + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA2iX3M4d3LHrRAoVUbeFZN3EaGzKhyBsz7GWwTgETiNj+AL7p + .... 
+ -----END RSA PRIVATE KEY----- +``` + +This will be generate a secret with the certs, but is possible specify an existing secret using `existingSecret: name-of-existing-secret-to-rabbitmq`. The secret is of type `kubernetes.io/tls`. + +Disabling [failIfNoPeerCert](https://www.rabbitmq.com/ssl.html#peer-verification-configuration) allows a TLS connection if client fails to provide a certificate + +[sslOptionsVerify](https://www.rabbitmq.com/ssl.html#peer-verification-configuration): When the sslOptionsVerify option is set to verify_peer, the client does send us a certificate, the node must perform peer verification. When set to verify_none, peer verification will be disabled and certificate exchange won't be performed. + +### LDAP + +LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. + +- `ldap.enabled`: Enable LDAP support. Defaults to `false`. +- `ldap.server`: LDAP server host. No defaults. +- `ldap.port`: LDAP server port. `389`. +- `ldap.user_dn_pattern`: DN used to bind to LDAP. `cn=${username},dc=example,dc=org`. +- `ldap.tls.enabled`: Enable TLS for LDAP connections. Defaults to `false`. + +For example: + +```console +ldap.enabled="true" +ldap.server="my-ldap-server" +ldap.port="389" +ldap.user_dn_pattern="cn=${username},dc=example,dc=org" +``` + +If `ldap.tls.enabled` is set to true, consider using `ldap.port=636` and checking the settings in the advancedConfiguration. + +### Common issues + +- Changing the password through RabbitMQ's UI can make the pod fail due to the default liveness probes. If you do so, remember to make the chart aware of the new password. Updating the default secret with the password you set through RabbitMQ's UI will automatically recreate the pods. If you are using your own secret, you may have to manually recreate the pods. 
+ +## Persistence + +The [Bitnami RabbitMQ](https://github.com/bitnami/bitnami-docker-rabbitmq) image stores the RabbitMQ data and configurations at the `/opt/bitnami/rabbitmq/var/lib/rabbitmq/` path of the container. + +The chart mounts a [Persistent Volume](http://kubernetes.io/docs/user-guide/persistent-volumes/) at this location. By default, the volume is created using dynamic volume provisioning. An existing PersistentVolumeClaim can also be defined. + +### Existing PersistentVolumeClaims + +1. Create the PersistentVolume +1. Create the PersistentVolumeClaim +1. Install the chart + +```bash +$ helm install my-release --set persistence.existingClaim=PVC_NAME bitnami/rabbitmq +``` + +### Adjust permissions of the persistence volume mountpoint + +As the image runs as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. + +By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. +As an alternative, this chart supports using an `initContainer` to change the ownership of the volume before mounting it in the final destination. + +You can enable this `initContainer` by setting `volumePermissions.enabled` to `true`. + +## Upgrading + +### To 6.0.0 + +This new version updates the RabbitMQ image to a [new version based on bash instead of node.js](https://github.com/bitnami/bitnami-docker-rabbitmq#3715-r18-3715-ol-7-r19). However, since this Chart overwrites the container's command, the changes to the container shouldn't affect the Chart. To upgrade, it may be needed to enable the `fastBoot` option, as it is already the case from upgrading from 5.X to 5.Y. + +### To 5.0.0 + +This major release changes the clustering method from `ip` to `hostname`. +This change is needed to fix the persistence. 
The data dir will now depend on the hostname which is stable instead of the pod IP that might change. + +> IMPORTANT: Note that if you upgrade from a previous version you will lose your data. + +### To 3.0.0 + +Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. +Use the workaround below to upgrade from versions previous to 3.0.0. The following example assumes that the release name is rabbitmq: + +```console +$ kubectl delete statefulset rabbitmq --cascade=false +``` diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/affinity-toleration-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/affinity-toleration-values.yaml new file mode 100644 index 0000000..6be0ee1 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/affinity-toleration-values.yaml @@ -0,0 +1,14 @@ +tolerations: + - key: foo + operator: "Equal" + value: bar +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: foo + operator: In + values: + - bar diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/default-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/default-values.yaml new file mode 100644 index 0000000..fc2ba60 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. 
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/networkpolicy-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/networkpolicy-values.yaml
new file mode 100644
index 0000000..67ef8d1
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/ci/networkpolicy-values.yaml
@@ -0,0 +1,11 @@
+networkPolicy:
+ enable: true
+ allowExternal: false
+ additionalRules:
+ - matchLabels:
+ - role: foo
+ - matchExpressions:
+ - key: role
+ operator: In
+ values:
+ - bar
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/NOTES.txt b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/NOTES.txt
new file mode 100644
index 0000000..6c0fdc4
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/NOTES.txt
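Review bot: The second line of ci/networkpolicy-values.yaml sets `enable: true`, but the chart's README documents the switch as `networkPolicy.enabled`, so this CI values file most likely leaves the NetworkPolicy disabled and the `allowExternal: false` path is never rendered or tested. It should read `enabled: true`. The `additionalRules` entry also gives `matchLabels` as a list (`- role: foo`), whereas a Kubernetes label selector expects a map (`role: foo`); whether the template tolerates that cannot be seen from this hunk. A leading comment such as `# CI only: renders the NetworkPolicy with allowExternal=false` would make the purpose of the file clear.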
@@ -0,0 +1,79 @@ + +** Please be patient while the chart is being deployed ** + +Credentials: + + echo "Username : {{ .Values.rabbitmq.username }}" + echo "Password : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "rabbitmq.fullname" . }} -o jsonpath="{.data.rabbitmq-password}" | base64 --decode)" + echo "ErLang Cookie : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "rabbitmq.fullname" . }} -o jsonpath="{.data.rabbitmq-erlang-cookie}" | base64 --decode)" + +RabbitMQ can be accessed within the cluster on port {{ .Values.service.nodePort }} at {{ template "rabbitmq.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.rabbitmq.clustering.k8s_domain }} + +To access for outside the cluster, perform the following steps: + +{{- if contains "NodePort" .Values.service.type }} + +Obtain the NodePort IP and ports: + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT_AMQP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ template "rabbitmq.fullname" . }}) + export NODE_PORT_STATS=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[3].nodePort}" services {{ template "rabbitmq.fullname" . }}) + +To Access the RabbitMQ AMQP port: + + echo "URL : amqp://$NODE_IP:$NODE_PORT_AMQP/" + +To Access the RabbitMQ Management interface: + + echo "URL : http://$NODE_IP:$NODE_PORT_STATS/" + +{{- else if contains "LoadBalancer" .Values.service.type }} + +Obtain the LoadBalancer IP: + +NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "rabbitmq.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "rabbitmq.fullname" . 
}} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + +To Access the RabbitMQ AMQP port: + + echo "URL : amqp://$SERVICE_IP:{{ .Values.service.port }}/" + +To Access the RabbitMQ Management interface: + + echo "URL : http://$SERVICE_IP:{{ .Values.service.managerPort }}/" + +{{- else if contains "ClusterIP" .Values.service.type }} + +To Access the RabbitMQ AMQP port: + + echo "URL : amqp://127.0.0.1:{{ .Values.service.port }}/" + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "rabbitmq.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }} + +To Access the RabbitMQ Management interface: + + echo "URL : http://127.0.0.1:{{ .Values.service.managerPort }}/" + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "rabbitmq.fullname" . }} {{ .Values.service.managerPort }}:{{ .Values.service.managerPort }} + +{{- end }} + +{{- if .Values.metrics.enabled }} + +To access the RabbitMQ Prometheus metrics, get the RabbitMQ Prometheus URL by running: + + echo "Prometheus Metrics URL: http://127.0.0.1:{{ .Values.metrics.port }}/metrics" + kubectl port-forward --namespace {{ .Release.Namespace }} {{ template "rabbitmq.fullname" . }}-0 {{ .Values.metrics.port }}:{{ .Values.metrics.port }} + +Then, open the URL obtained in a browser. + +{{- end }} + +{{- include "rabbitmq.validateValues" . -}} + +{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} + +WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ + +{{- end }} 
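Review bot: The in-cluster access line in NOTES.txt prints `{{ .Values.service.nodePort }}` as the port, but inside the cluster the Service is reached on its service port; it should read `{{ .Values.service.port }}`, which is what the LoadBalancer and ClusterIP branches use. The management URLs are printed as `http://` in every branch, so with NodePort or LoadBalancer the admin login crosses the network in clear text unless TLS is terminated elsewhere; a sentence saying so next to those URLs would help. The NodePort branch also reads `items[0].status.addresses[0]`, which is not guaranteed to be an externally reachable address.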
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/_helpers.tpl b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/_helpers.tpl new file mode 100644 index 0000000..00e2eb4 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/_helpers.tpl 
@@ -0,0 +1,242 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "rabbitmq.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "rabbitmq.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "rabbitmq.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper RabbitMQ plugin list +*/}} +{{- define "rabbitmq.plugins" -}} +{{- $plugins := .Values.rabbitmq.plugins -}} +{{- if .Values.rabbitmq.extraPlugins -}} +{{- $plugins = printf "%s %s" $plugins .Values.rabbitmq.extraPlugins -}} +{{- end -}} +{{- if .Values.metrics.enabled -}} +{{- $plugins = printf "%s %s" $plugins .Values.metrics.plugins -}} +{{- end -}} +{{- printf "[%s]." $plugins | replace " " ", " | indent 4 -}} +{{- end -}} + +{{/* +Return the proper RabbitMQ image name +*/}} +{{- define "rabbitmq.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. 
+Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "rabbitmq.secretPasswordName" -}} + {{- if .Values.rabbitmq.existingPasswordSecret -}} + {{- printf "%s" .Values.rabbitmq.existingPasswordSecret -}} + {{- else -}} + {{- printf "%s" (include "rabbitmq.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{/* +Get the erlang secret. +*/}} +{{- define "rabbitmq.secretErlangName" -}} + {{- if .Values.rabbitmq.existingErlangSecret -}} + {{- printf "%s" .Values.rabbitmq.existingErlangSecret -}} + {{- else -}} + {{- printf "%s" (include "rabbitmq.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "rabbitmq.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . 
}} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "rabbitmq.volumePermissions.image" -}} +{{- $registryName := .Values.volumePermissions.image.registry -}} +{{- $repositoryName := .Values.volumePermissions.image.repository -}} +{{- $tag := .Values.volumePermissions.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Storage Class +*/}} +{{- define "rabbitmq.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. 
+*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.persistence.storageClass -}} + {{- if (eq "-" .Values.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "rabbitmq.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "rabbitmq.validateValues.ldap" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of rabbitmq - LDAP support +*/}} +{{- define "rabbitmq.validateValues.ldap" -}} +{{- if .Values.ldap.enabled }} +{{- if not (and .Values.ldap.server .Values.ldap.port .Values.ldap.user_dn_pattern) }} +rabbitmq: LDAP + Invalid LDAP configuration. When enabling LDAP support, the parameters "ldap.server", + "ldap.port", and "ldap. user_dn_pattern" are mandatory. Please provide them: + + $ helm install {{ .Release.Name }} bitnami/rabbitmq \ + --set ldap.enabled=true \ + --set ldap.server="lmy-ldap-server" \ + --set ldap.port="389" \ + --set user_dn_pattern="cn=${username},dc=example,dc=org" +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Renders a value that contains template. 
+Usage: +{{ include "rabbitmq.tplValue" (dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "rabbitmq.tplValue" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{/* +Return podAnnotations +*/}} +{{- define "rabbitmq.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{- toYaml .Values.podAnnotations }} +{{- end }} +{{- if .Values.metrics.enabled }} +{{- include "rabbitmq.tplValue" ( dict "value" .Values.metrics.podAnnotations "context" $) }} +{{- end }} +{{- end -}} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/certs.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/certs.yaml new file mode 100644 index 0000000..67d4b93 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/certs.yaml @@ -0,0 +1,20 @@ +{{- if and (not .Values.rabbitmq.tls.existingSecret) ( .Values.rabbitmq.tls.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "rabbitmq.fullname" . }}-certs + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "rabbitmq.name" . }} + chart: {{ template "rabbitmq.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: kubernetes.io/tls +data: + ca.crt: + {{ required "A valid .Values.rabbitmq.tls.caCertificate entry required!" .Values.rabbitmq.tls.caCertificate | b64enc | quote }} + tls.crt: + {{ required "A valid .Values.rabbitmq.tls.serverCertificate entry required!" .Values.rabbitmq.tls.serverCertificate| b64enc | quote }} + tls.key: + {{ required "A valid .Values.rabbitmq.tls.serverKey entry required!" .Values.rabbitmq.tls.serverKey | b64enc | quote }} +{{- end }} 
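Review bot: The error text in `rabbitmq.validateValues.ldap` tells the user to pass `--set user_dn_pattern=...`, but the check reads `.Values.ldap.user_dn_pattern`, so following the printed command fails validation again. The line should be `--set ldap.user_dn_pattern="cn=${username},dc=example,dc=org"`; the same message carries the typos `"ldap. user_dn_pattern"` and `"lmy-ldap-server"`. Separately, `rabbitmq.tplValue` passes values through `tpl` with the full chart context, so its doc comment should say that the values it renders must come from a trusted source.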
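Review bot: `tls.key` in certs.yaml is filled from `.Values.rabbitmq.tls.serverKey`, so the private key travels through Helm values and is kept with the release record and in any values file stored next to the chart. A comment at the top of the template would make the safer path obvious, for example `{{/* Prefer rabbitmq.tls.existingSecret: keys passed via values are stored with the Helm release. */}}`. The Secret keys are `ca.crt`/`tls.crt`/`tls.key` while configuration.yaml points at `ca_certificate.pem`/`server_certificate.pem`/`server_key.pem`; the mapping presumably happens in the statefulset volume definition, which is outside this hunk and should be confirmed.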
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/configuration.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/configuration.yaml new file mode 100644 index 0000000..be9982b --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/configuration.yaml 
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+data:
+ enabled_plugins: |-
+{{ template "rabbitmq.plugins" . }}
+ rabbitmq.conf: |-
+ ##username and password
+ default_user={{.Values.rabbitmq.username}}
+ default_pass=CHANGEME
+{{ .Values.rabbitmq.configuration | indent 4 }}
+{{ .Values.rabbitmq.extraConfiguration | indent 4 }}
+{{- if .Values.rabbitmq.tls.enabled }}
+ ssl_options.verify={{ .Values.rabbitmq.tls.sslOptionsVerify }}
+ listeners.ssl.default={{ .Values.service.tlsPort }}
+ ssl_options.fail_if_no_peer_cert={{ .Values.rabbitmq.tls.failIfNoPeerCert }}
+ ssl_options.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem
+ ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem
+ ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem
+{{- end }}
+{{- if .Values.ldap.enabled }}
+ auth_backends.1 = rabbit_auth_backend_ldap
+ auth_backends.2 = internal
+ auth_ldap.servers.1 = {{ .Values.ldap.server }}
+ auth_ldap.port = {{ .Values.ldap.port }}
+ auth_ldap.user_dn_pattern = {{ .Values.ldap.user_dn_pattern }}
+{{- if .Values.ldap.tls.enabled }}
+ auth_ldap.use_ssl = true
+{{- end }}
+{{- end }}
+{{- if .Values.metrics.enabled }}
+ prometheus.tcp.port = {{ .Values.metrics.port }}
+{{- end }}
+
+{{ if .Values.rabbitmq.advancedConfiguration}}
+ advanced.config: |-
+{{ .Values.rabbitmq.advancedConfiguration | indent 4 }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/healthchecks.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/healthchecks.yaml
new file mode 100644
index 0000000..8c5bff4
--- /dev/null
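Review bot: `default_pass=CHANGEME` is written literally into the ConfigMap and nothing in configuration.yaml replaces it; presumably the container start-up substitutes the real password, but if that step is skipped or fails the broker comes up with a publicly known default password. The line needs a comment naming where the substitution happens, and the start-up path should refuse to run while the placeholder is still present. With LDAP enabled, `auth_ldap.use_ssl = true` is rendered without any certificate-verification settings for the LDAP connection, and `auth_backends.2 = internal` keeps the default user usable as a fallback; both deserve a line in the values documentation.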
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/healthchecks.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "rabbitmq.fullname" . }}-healthchecks + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "rabbitmq.name" . }} + chart: {{ template "rabbitmq.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + rabbitmq-health-check: |- + #!/bin/sh + START_FLAG=/opt/bitnami/rabbitmq/var/lib/rabbitmq/.start + if [ -f ${START_FLAG} ]; then + rabbitmqctl node_health_check + RESULT=$? + if [ $RESULT -ne 0 ]; then + rabbitmqctl status + exit $? + fi + rm -f ${START_FLAG} + exit ${RESULT} + fi + rabbitmq-api-check $1 $2 + rabbitmq-api-check: |- + #!/bin/sh + set -e + URL=$1 + EXPECTED=$2 + ACTUAL=$(curl --silent --show-error --fail "${URL}") + echo "${ACTUAL}" + test "${EXPECTED}" = "${ACTUAL}" \ No newline at end of file diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/ingress.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/ingress.yaml new file mode 100644 index 0000000..6004e13 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/ingress.yaml 
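Review bot: In the `rabbitmq-health-check` script, `rabbitmq-api-check $1 $2` and `[ -f ${START_FLAG} ]` expand unquoted, so a URL or expected body containing whitespace or glob characters is split before it reaches the second script; write them as `rabbitmq-api-check "$1" "$2"` and `[ -f "${START_FLAG}" ]`. When `rabbitmqctl node_health_check` fails, the script exits with the status of `rabbitmqctl status`, so a failed health check is reported as success whenever `status` succeeds; if that is intended for the start-up window, a comment should say so. How the probe URL is built is outside this hunk; if it embeds credentials they will be visible in the process list while `curl` runs.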
@@ -0,0 +1,42 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: "{{ template "rabbitmq.fullname" . }}"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: "{{ template "rabbitmq.name" . }}"
+ chart: "{{ template "rabbitmq.chart" . }}"
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+ annotations:
+ {{- if .Values.ingress.tls }}
+ ingress.kubernetes.io/secure-backends: "true"
+ {{- end }}
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+ {{- if .Values.ingress.hostName }}
+ - host: {{ .Values.ingress.hostName }}
+ http:
+ {{- else }}
+ - http:
+ {{- end }}
+ paths:
+ - path: {{ .Values.ingress.path }}
+ backend:
+ serviceName: {{ template "rabbitmq.fullname" . }}
+ servicePort: {{ .Values.service.managerPort }}
+{{- if .Values.ingress.tls }}
+ tls:
+ - hosts:
+ {{- if .Values.ingress.hostName }}
+ - {{ .Values.ingress.hostName }}
+ secretName: {{ .Values.ingress.tlsSecret }}
+ {{- else}}
+ - secretName: {{ .Values.ingress.tlsSecret }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/networkpolicy.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/networkpolicy.yaml
new file mode 100644
index 0000000..5136190
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/networkpolicy.yaml
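Review bot: The Ingress in ingress.yaml routes to `.Values.service.managerPort`, the management UI, and only renders a `tls` section when `ingress.tls` is set, so when it is unset the admin login is served over plain HTTP at the ingress. Consider failing the render when `ingress.enabled` is true and `ingress.tls` is not, or at least stating the requirement in a comment at the top of the template. `apiVersion: extensions/v1beta1` is also no longer served for Ingress from Kubernetes 1.22 on, so the template will need `networking.k8s.io/v1` on newer clusters.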
@@ -0,0 +1,40 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ template "rabbitmq.name" . }}
+ release: {{ .Release.Name | quote }}
+ ingress:
+ # Allow inbound connections
+
+ - ports:
+ - port: 4369 # EPMD
+ - port: {{ .Values.service.port }}
+ - port: {{ .Values.service.tlsPort }}
+ - port: {{ .Values.service.distPort }}
+ - port: {{ .Values.service.managerPort }}
+
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "rabbitmq.fullname" . }}-client: "true"
+ {{- with .Values.networkPolicy.additionalRules }}
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- end }}
+
+ # Allow prometheus scrapes
+ - ports:
+ - port: {{ .Values.metrics.port }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/pdb.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/pdb.yaml
new file mode 100644
index 0000000..82b731f
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/pdb.yaml
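Review bot: The second ingress rule in networkpolicy.yaml (`# Allow prometheus scrapes`) has no `from` clause, so the metrics port is open to every source even when `allowExternal` is false, and it is rendered whether or not `metrics.enabled` is set. Wrap it in `{{- if .Values.metrics.enabled }}` and give it a `from` selector that matches the Prometheus pods. The first rule also groups 4369 (EPMD) and `service.distPort` with the client ports, so any pod carrying the `-client` label can reach the Erlang distribution ports; a separate rule limited to the RabbitMQ pods themselves would be tighter.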
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+spec:
+ selector:
+ matchLabels:
+ app: {{ template "rabbitmq.name" . }}
+ release: "{{ .Release.Name }}"
+{{ toYaml .Values.podDisruptionBudget | indent 2 }}
+{{- end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/prometheusrule.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/prometheusrule.yaml
new file mode 100644
index 0000000..1996ef6
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/prometheusrule.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}
+{{- if .Values.metrics.prometheusRule.namespace }}
+ namespace: {{ .Values.metrics.prometheusRule.namespace }}
+{{- else }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+{{- with .Values.metrics.prometheusRule.additionalLabels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{- with .Values.metrics.prometheusRule.rules }}
+ groups:
+ - name: {{ template "rabbitmq.name" $ }}
+ rules: {{ tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/role.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/role.yaml
new file mode 100644
index 0000000..eff9807
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/role.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbacEnabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}-endpoint-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+rules:
+- apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create"]
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/rolebinding.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/rolebinding.yaml
new file mode 100644
index 0000000..87f0753
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbacEnabled }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}-endpoint-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+subjects:
+- kind: ServiceAccount
+ name: {{ template "rabbitmq.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "rabbitmq.fullname" . }}-endpoint-reader
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/secrets.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/secrets.yaml
new file mode 100644
index 0000000..1749013
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/secrets.yaml
@@ -0,0 +1,40 @@
+{{- if or (not .Values.rabbitmq.existingErlangSecret) (not .Values.rabbitmq.existingPasswordSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+ {{ if not .Values.rabbitmq.existingPasswordSecret }}{{ if .Values.rabbitmq.password }}
+ rabbitmq-password: {{ .Values.rabbitmq.password | b64enc | quote }}
+ {{ else }}
+ rabbitmq-password: {{ randAlphaNum 10 | b64enc | quote }}
+ {{ end }}{{ end }}
+ {{ if not .Values.rabbitmq.existingErlangSecret }}{{ if .Values.rabbitmq.erlangCookie }}
+ rabbitmq-erlang-cookie: {{ .Values.rabbitmq.erlangCookie | b64enc | quote }}
+ {{ else }}
+ rabbitmq-erlang-cookie: {{ randAlphaNum 32 | b64enc | quote }}
+ {{ end }}{{ end }}
+{{- end }}
+{{- range $key, $value := .Values.extraSecrets }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" $ }}
+ chart: {{ template "rabbitmq.chart" $ }}
+ release: "{{ $.Release.Name }}"
+ heritage: "{{ $.Release.Service }}"
+type: Opaque
+stringData:
+{{ $value | toYaml | nindent 2 }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/serviceaccount.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/serviceaccount.yaml
new file mode 100644
index 0000000..ddc9ac1
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/serviceaccount.yaml
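Review bot: `randAlphaNum 10` and `randAlphaNum 32` in secrets.yaml are evaluated on every render, so unless `rabbitmq.password` and `rabbitmq.erlangCookie` are set explicitly each `helm upgrade` writes a new password and Erlang cookie into the Secret, which can leave running nodes and clients holding stale credentials. A comment above the two `{{ else }}` branches should say that both values must be pinned, or supplied through `existingPasswordSecret`/`existingErlangSecret`, before upgrading. Ten alphanumeric characters is also short for a generated broker password; the cookie already uses 32 and the password could match it. `extraSecrets` is rendered from values into `stringData`, so those secrets are stored with the Helm release as well.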
@@ -0,0 +1,14 @@
+{{- if .Values.rbacEnabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+secrets:
+ - name: "{{ template "rabbitmq.fullname" . }}"
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/servicemonitor.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/servicemonitor.yaml
new file mode 100644
index 0000000..bee352d
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/servicemonitor.yaml
@@ -0,0 +1,38 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}
+ {{- if .Values.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ heritage: "{{ .Release.Service }}"
+ release: {{ if .Values.metrics.serviceMonitor.release }}"{{ .Values.metrics.serviceMonitor.release }}"{{ else }}"{{ .Release.Name }}"{{ end }}
+ {{- if .Values.metrics.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: metrics
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
+ {{- if .Values.metrics.serviceMonitor.relabellings }}
+ metricRelabelings:
+{{ toYaml .Values.metrics.serviceMonitor.relabellings | indent 6 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app: {{ template "rabbitmq.name" . }}
+ release: "{{ .Release.Name }}"
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/statefulset.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/statefulset.yaml
new file mode 100644
index 0000000..ddf1a72
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/statefulset.yaml
@@ -0,0 +1,345 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "rabbitmq.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "rabbitmq.name" . }} + chart: {{ template "rabbitmq.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + serviceName: {{ template "rabbitmq.fullname" . }}-headless + podManagementPolicy: {{ .Values.podManagementPolicy }} + replicas: {{ .Values.replicas }} + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: + app: {{ template "rabbitmq.name" . }} + release: "{{ .Release.Name }}" + template: + metadata: + labels: + app: {{ template "rabbitmq.name" . }} + release: "{{ .Release.Name }}" + chart: {{ template "rabbitmq.chart" . }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + annotations: + {{- if or (not .Values.rabbitmq.existingErlangSecret) (not .Values.rabbitmq.existingPasswordSecret) }} + checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- end }} + {{- if or .Values.podAnnotations .Values.metrics.enabled }} + {{- include "rabbitmq.podAnnotations" . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "rabbitmq.imagePullSecrets" . | indent 6 }} + {{- if .Values.rbacEnabled}} + serviceAccountName: {{ template "rabbitmq.fullname" . }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "rabbitmq.tplValue" (dict "value" .Values.affinity "context" .) 
| nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: 10 + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled .Values.securityContext.enabled }} + initContainers: + - name: volume-permissions + image: "{{ template "rabbitmq.volumePermissions.image" . }}" + imagePullPolicy: {{ default "" .Values.volumePermissions.image.pullPolicy | quote }} + command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.persistence.path }}"] + securityContext: + runAsUser: 0 + resources: +{{ toYaml .Values.volumePermissions.resources | indent 10 }} + volumeMounts: + - name: data + mountPath: "{{ .Values.persistence.path }}" + {{- end }} + containers: + - name: rabbitmq + image: {{ template "rabbitmq.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + command: + - bash + - -ec + - | + mkdir -p /opt/bitnami/rabbitmq/.rabbitmq/ + mkdir -p /opt/bitnami/rabbitmq/etc/rabbitmq/ + touch /opt/bitnami/rabbitmq/var/lib/rabbitmq/.start + #persist the erlang cookie in both places for server and cli tools + echo $RABBITMQ_ERL_COOKIE > /opt/bitnami/rabbitmq/var/lib/rabbitmq/.erlang.cookie + cp /opt/bitnami/rabbitmq/var/lib/rabbitmq/.erlang.cookie /opt/bitnami/rabbitmq/.rabbitmq/ + #change permission so only the user has access to the cookie file + chmod 600 /opt/bitnami/rabbitmq/.rabbitmq/.erlang.cookie /opt/bitnami/rabbitmq/var/lib/rabbitmq/.erlang.cookie + #copy the mounted configuration to both places + cp /opt/bitnami/rabbitmq/conf/* /opt/bitnami/rabbitmq/etc/rabbitmq + # Apply resources limits + {{- if .Values.rabbitmq.setUlimitNofiles }} + ulimit -n "${RABBITMQ_ULIMIT_NOFILES}" + {{- end }} + #replace the default password that is generated + sed -i "/CHANGEME/cdefault_pass=${RABBITMQ_PASSWORD//\\/\\\\}" /opt/bitnami/rabbitmq/etc/rabbitmq/rabbitmq.conf + {{- if and .Values.persistence.enabled .Values.forceBoot.enabled }} + if [ -d "{{ .Values.persistence.path }}/mnesia/${RABBITMQ_NODENAME}" ]; then rabbitmqctl force_boot; fi + {{- end }} + exec rabbitmq-server + {{- if .Values.resources }} + resources: +{{ toYaml .Values.resources | indent 10 }} + {{- end }} + volumeMounts: + {{- if .Values.extraVolumeMounts }} +{{ toYaml .Values.extraVolumeMounts | indent 10 }} + {{- end }} + - name: config-volume + mountPath: /opt/bitnami/rabbitmq/conf + - name: healthchecks + mountPath: /usr/local/sbin/rabbitmq-api-check + subPath: rabbitmq-api-check + - name: healthchecks + mountPath: /usr/local/sbin/rabbitmq-health-check + subPath: rabbitmq-health-check + {{- if .Values.rabbitmq.tls.enabled }} + - name: {{ template "rabbitmq.fullname" . 
}}-certs + mountPath: /opt/bitnami/rabbitmq/certs + {{- end }} + - name: data + mountPath: "{{ .Values.persistence.path }}" + {{- if .Values.rabbitmq.loadDefinition.enabled }} + - name: load-definition-volume + mountPath: /app + readOnly: true + {{- end }} + ports: + - name: epmd + containerPort: 4369 + - name: amqp + containerPort: {{ .Values.service.port }} + {{- if .Values.rabbitmq.tls.enabled }} + - name: amqp-ssl + containerPort: {{ .Values.service.tlsPort }} + {{- end }} + - name: dist + containerPort: {{ .Values.service.distPort }} + - name: stats + containerPort: {{ .Values.service.managerPort }} + {{- if .Values.metrics.enabled }} + - name: metrics + containerPort: {{ .Values.metrics.port }} + {{- end }} +{{- if .Values.service.extraContainerPorts }} +{{ toYaml .Values.service.extraContainerPorts | indent 8 }} +{{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: +{{- if .Values.livenessProbe.commandOverride }} +{{ toYaml .Values.livenessProbe.commandOverride | indent 14 }} +{{- else }} + - sh + - -c + - rabbitmq-api-check "http://{{ .Values.rabbitmq.username }}:$RABBITMQ_PASSWORD@127.0.0.1:{{ .Values.service.managerPort }}/api/healthchecks/node" '{"status":"ok"}' +{{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: +{{- if .Values.readinessProbe.commandOverride }} +{{ toYaml .Values.readinessProbe.commandOverride | indent 14 }} +{{- else }} + - sh + - -c + - rabbitmq-health-check "http://{{ .Values.rabbitmq.username }}:$RABBITMQ_PASSWORD@127.0.0.1:{{ .Values.service.managerPort }}/api/healthchecks/node" '{"status":"ok"}' +{{- end }} + 
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + {{- end }} + {{- if and (gt (.Values.replicas | int) 1) ( eq .Values.rabbitmq.clustering.rebalance true) }} + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - until rabbitmqctl cluster_status >/dev/null; do echo Waiting for + cluster readiness...; sleep 5 ; done; rabbitmq-queues rebalance "all" + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: "{{ template "rabbitmq.fullname" . 
}}-headless" + - name: K8S_ADDRESS_TYPE + value: {{ .Values.rabbitmq.clustering.address_type }} + {{- if (eq "hostname" .Values.rabbitmq.clustering.address_type) }} + - name: RABBITMQ_NODENAME + value: "rabbit@$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.rabbitmq.clustering.k8s_domain }}" + - name: K8S_HOSTNAME_SUFFIX + value: ".$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.rabbitmq.clustering.k8s_domain }}" + {{- else }} + - name: RABBITMQ_NODENAME + {{- if .Values.rabbitmq.rabbitmqClusterNodeName }} + value: {{ .Values.rabbitmq.rabbitmqClusterNodeName | quote }} + {{- else }} + value: "rabbit@$(MY_POD_NAME)" + {{- end }} + {{- end }} + {{- if .Values.ldap.enabled }} + - name: RABBITMQ_LDAP_ENABLE + value: "yes" + - name: RABBITMQ_LDAP_TLS + value: {{ ternary "yes" "no" .Values.ldap.tls.enabled | quote }} + - name: RABBITMQ_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: RABBITMQ_LDAP_SERVER_PORT + value: {{ .Values.ldap.port | quote }} + - name: RABBITMQ_LDAP_USER_DN_PATTERN + value: {{ .Values.ldap.user_dn_pattern }} + {{- end }} + - name: RABBITMQ_LOGS + value: {{ .Values.rabbitmq.logs | quote }} + - name: RABBITMQ_ULIMIT_NOFILES + value: {{ .Values.rabbitmq.ulimitNofiles | quote }} + {{- if and .Values.rabbitmq.maxAvailableSchedulers }} + - name: RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS + value: {{ printf "+S %s:%s" (toString .Values.rabbitmq.maxAvailableSchedulers) (toString .Values.rabbitmq.onlineSchedulers) -}} + {{- end }} + - name: RABBITMQ_USE_LONGNAME + value: "true" + - name: RABBITMQ_ERL_COOKIE + valueFrom: + secretKeyRef: + name: {{ template "rabbitmq.secretErlangName" . }} + key: rabbitmq-erlang-cookie + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "rabbitmq.secretPasswordName" . 
}} + key: rabbitmq-password + {{- range $key, $value := .Values.rabbitmq.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- if .Values.securityContext.extra }} + {{- toYaml .Values.securityContext.extra | nindent 8 }} + {{- end }} + {{- end }} + volumes: + {{- if .Values.rabbitmq.tls.enabled }} + - name: {{ template "rabbitmq.fullname" . }}-certs + secret: + secretName: {{ if .Values.rabbitmq.tls.existingSecret }}{{ .Values.rabbitmq.tls.existingSecret }}{{- else }}{{ template "rabbitmq.fullname" . }}-certs{{- end }} + items: + - key: ca.crt + path: ca_certificate.pem + - key: tls.crt + path: server_certificate.pem + - key: tls.key + path: server_key.pem + {{- end }} + - name: config-volume + configMap: + name: {{ template "rabbitmq.fullname" . }}-config + items: + - key: rabbitmq.conf + path: rabbitmq.conf + {{- if .Values.rabbitmq.advancedConfiguration}} + - key: advanced.config + path: advanced.config + {{- end }} + - key: enabled_plugins + path: enabled_plugins + - name: healthchecks + configMap: + name: {{ template "rabbitmq.fullname" . }}-healthchecks + items: + - key: rabbitmq-health-check + path: rabbitmq-health-check + mode: 111 + - key: rabbitmq-api-check + path: rabbitmq-api-check + mode: 111 + {{- if .Values.rabbitmq.loadDefinition.enabled }} + - name: load-definition-volume + secret: + secretName: {{ .Values.rabbitmq.loadDefinition.secretName | quote }} + {{- end }} + {{- if .Values.extraVolumes }} +{{ toYaml .Values.extraVolumes | indent 8 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: data + emptyDir: {} + {{- else if .Values.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + {{- with .Values.persistence.existingClaim }} + claimName: {{ tpl . 
$ }} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + labels: + app: {{ template "rabbitmq.name" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" + spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "rabbitmq.storageClass" . }} + {{- if .Values.persistence.selector }} + selector: + {{- with .Values.persistence.selector -}} + {{ toYaml . | nindent 10 }} + {{- end -}} + {{- end -}} + {{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc-headless.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc-headless.yaml new file mode 100644 index 0000000..9cb3c55 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc-headless.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "rabbitmq.fullname" . }}-headless + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "rabbitmq.name" . }} + chart: {{ template "rabbitmq.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + clusterIP: None + ports: + - name: epmd + port: 4369 + targetPort: epmd + - name: amqp + port: {{ .Values.service.port }} + targetPort: amqp +{{- if .Values.rabbitmq.tls.enabled }} + - name: amqp-tls + port: {{ .Values.service.tlsPort }} + targetPort: amqp-tls +{{- end }} + - name: dist + port: {{ .Values.service.distPort }} + targetPort: dist + - name: stats + port: {{ .Values.service.managerPort }} + targetPort: stats + selector: + app: {{ template "rabbitmq.name" . }} + release: "{{ .Release.Name }}" 
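Review bot: The default livenessProbe and readinessProbe commands in statefulset.yaml pass `http://{{ .Values.rabbitmq.username }}:$RABBITMQ_PASSWORD@127.0.0.1:{{ .Values.service.managerPort }}/api/healthchecks/node` as an argument, so on every probe run the broker password ends up in the argv of the check script, where it is readable from the container's process list, and a password containing `@`, `:` or `/` produces a malformed URL and a failing probe. The check scripts come from the healthchecks ConfigMap, which is not part of this hunk; with a matching change there to read `RABBITMQ_PASSWORD` from the environment, the command could shrink to `rabbitmq-api-check "http://127.0.0.1:{{ .Values.service.managerPort }}/api/healthchecks/node" '{"status":"ok"}'`. In the same hunk the healthchecks volume items set `mode: 111`, which is parsed as decimal 111 (octal 0157) rather than octal 0111; writing the intended value with a leading zero, for example `mode: 0555`, removes the ambiguity.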
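Review bot: The TLS entry in svc-headless.yaml is named `amqp-tls` with `targetPort: amqp-tls`, but the container port added in statefulset.yaml and the Service port in svc.yaml are both named `amqp-ssl`, so with `rabbitmq.tls.enabled` set this named targetPort matches no container port. Renaming the entry to `- name: amqp-ssl` with `targetPort: amqp-ssl` keeps the three templates consistent.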
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc.yaml
new file mode 100644
index 0000000..ce853fe
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/templates/svc.yaml
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "rabbitmq.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "rabbitmq.name" . }}
+ chart: {{ template "rabbitmq.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+{{- if .Values.service.annotations }}
+ annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.service.type }}
+{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{ with .Values.service.loadBalancerSourceRanges }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
+ {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: epmd
+ port: 4369
+ targetPort: epmd
+ {{- if (eq .Values.service.type "ClusterIP") }}
+ nodePort: null
+ {{- end }}
+ - name: amqp
+ port: {{ .Values.service.port }}
+ targetPort: amqp
+ {{- if (eq .Values.service.type "ClusterIP") }}
+ nodePort: null
+ {{- else if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
+ nodePort: {{ .Values.service.nodePort }}
+ {{- end }}
+ {{- if .Values.rabbitmq.tls.enabled }}
+ - name: amqp-ssl
+ port: {{ .Values.service.tlsPort }}
+ targetPort: amqp-ssl
+ {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodeTlsPort))) }}
+ nodePort: {{ .Values.service.nodeTlsPort }}
+ {{- end }}
+ {{- end }}
+ - name: dist
+ port: {{ .Values.service.distPort }}
+ targetPort: dist
+ {{- if (eq .Values.service.type "ClusterIP") }}
+ nodePort: null
+ {{- end }}
+ - name: stats
+ port: {{ .Values.service.managerPort }}
+ targetPort: stats
+ {{- if (eq .Values.service.type "ClusterIP") }}
+ nodePort: null
+ {{- end }}
+{{- if .Values.metrics.enabled }}
+ - name: metrics
+ port: {{ .Values.metrics.port }}
+ targetPort: metrics
+ {{- if (eq .Values.service.type "ClusterIP") }}
+ nodePort: null
+ {{- end }}
+{{- end }}
+{{- if .Values.service.extraPorts }}
+{{ toYaml .Values.service.extraPorts | indent 2 }}
+{{- end }}
+ selector:
+ app: {{ template "rabbitmq.name" . }}
+ release: "{{ .Release.Name }}"
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values-production.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values-production.yaml
new file mode 100644
index 0000000..049a346
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values-production.yaml
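Review bot: The `epmd` (4369) and `dist` entries in svc.yaml are rendered for every `service.type`, and only `nodePort: null` is conditional, so choosing `NodePort` or `LoadBalancer` publishes the Erlang port mapper and inter-node distribution port outside the cluster alongside AMQP. As far as these templates show, the distribution port is protected only by the shared Erlang cookie. The headless Service already carries both ports for clustering, so unless external CLI tools need them they could be wrapped in `{{- if eq .Values.service.type "ClusterIP" }}` … `{{- end }}` here; the same question applies to `stats` and `metrics`. `loadBalancerSourceRanges` is emitted only when set, so a values comment recommending it for LoadBalancer installs would help.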
@@ -0,0 +1,583 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami RabbitMQ image version +## ref: https://hub.docker.com/r/bitnami/rabbitmq/tags/ +## +image: + registry: docker.io + repository: bitnami/rabbitmq + tag: 3.8.3-debian-10-r40 + + ## set to true if you would like to see extra information on logs + ## it turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## String to partially override rabbitmq.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override rabbitmq.fullname template +## +# fullnameOverride: + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## does your cluster have rbac enabled? assume yes by default +rbacEnabled: true + +## RabbitMQ should be initialized one by one when building cluster for the first time. 
+## Therefore, the default value of podManagementPolicy is 'OrderedReady' +## Once the RabbitMQ participates in the cluster, it waits for a response from another +## RabbitMQ in the same cluster at reboot, except the last RabbitMQ of the same cluster. +## If the cluster exits gracefully, you do not need to change the podManagementPolicy +## because the first RabbitMQ of the statefulset always will be last of the cluster. +## However if the last RabbitMQ of the cluster is not the first RabbitMQ due to a failure, +## you must change podManagementPolicy to 'Parallel'. +## ref : https://www.rabbitmq.com/clustering.html#restarting +## +podManagementPolicy: OrderedReady + +## section of specific values for rabbitmq +rabbitmq: + ## RabbitMQ application username + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + username: user + + ## RabbitMQ application password + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # password: + # existingPasswordSecret: name-of-existing-secret + + ## Erlang cookie to determine whether different nodes are allowed to communicate with each other + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # erlangCookie: + # existingErlangSecret: name-of-existing-secret + + ## Node name to cluster with. 
e.g.: `clusternode@hostname` + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # rabbitmqClusterNodeName: + + ## Value for the RABBITMQ_LOGS environment variable + ## ref: https://www.rabbitmq.com/logging.html#log-file-location + ## + logs: '-' + + ## RabbitMQ Max File Descriptors + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## ref: https://www.rabbitmq.com/install-debian.html#kernel-resource-limits + ## + setUlimitNofiles: true + ulimitNofiles: '65536' + + ## RabbitMQ maximum available scheduler threads and online scheduler threads + ## ref: https://hamidreza-s.github.io/erlang/scheduling/real-time/preemptive/migration/2016/02/09/erlang-scheduler-details.html#scheduler-threads + ## + maxAvailableSchedulers: 2 + onlineSchedulers: 1 + + ## Plugins to enable + plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s rabbitmq_prometheus" + + ## Extra plugins to enable + ## Use this instead of `plugins` to add new plugins + extraPlugins: "rabbitmq_auth_backend_ldap" + + ## Clustering settings + clustering: + address_type: hostname + k8s_domain: cluster.local + ## Rebalance master for queues in cluster when new replica is created + ## ref: https://www.rabbitmq.com/rabbitmq-queues.8.html#rebalance + rebalance: false + + loadDefinition: + enabled: false + secretName: load-definition + + ## environment variables to configure rabbitmq + ## ref: https://www.rabbitmq.com/configure.html#customise-environment + env: {} + + ## Configuration file content: required cluster configuration + ## Do not override unless you know what you are doing. 
To add more configuration, use `extraConfiguration` of `advancedConfiguration` instead + configuration: |- + ## Clustering + cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s + cluster_formation.k8s.host = kubernetes.default.svc.cluster.local + cluster_formation.node_cleanup.interval = 10 + cluster_formation.node_cleanup.only_log_warning = true + cluster_partition_handling = autoheal + # queue master locator + queue_master_locator=min-masters + # enable guest user + loopback_users.guest = false + + ## Configuration file content: extra configuration + ## Use this instead of `configuration` to add more configuration + extraConfiguration: |- + #disk_free_limit.absolute = 50MB + #management.load_definitions = /app/load_definition.json + + ## Configuration file content: advanced configuration + ## Use this as additional configuraton in classic config format (Erlang term configuration format) + ## If you set LDAP with TLS/SSL enabled and you are using self-signed certificates, uncomment these lines. + ## advancedConfiguration: |- + ## [{ + ## rabbitmq_auth_backend_ldap, + ## [{ + ## ssl_options, + ## [{ + ## verify, verify_none + ## }, { + ## fail_if_no_peer_cert, + ## false + ## }] + ## ]} + ## }]. + ## + advancedConfiguration: |- + + ## Enable encryption to rabbitmq + ## ref: https://www.rabbitmq.com/ssl.html + ## + tls: + enabled: false + failIfNoPeerCert: true + sslOptionsVerify: verify_peer + caCertificate: |- + serverCertificate: |- + serverKey: |- + # existingSecret: name-of-existing-secret-to-rabbitmq + +## LDAP configuration +## +ldap: + enabled: false + server: "" + port: "389" + user_dn_pattern: cn=${username},dc=example,dc=org + tls: + # If you enabled TLS/SSL you can set advaced options using the advancedConfiguration parameter. 
+ enabled: false + +## Kubernetes service type +service: + type: ClusterIP + ## Node port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # nodePort: 30672 + + ## Set the LoadBalancerIP + ## + # loadBalancerIP: + + ## Node port Tls + ## + # nodeTlsPort: 30671 + + ## Amqp port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + port: 5672 + + ## Amqp Tls port + ## + tlsPort: 5671 + + ## Dist port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + distPort: 25672 + + ## RabbitMQ Manager port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + managerPort: 15672 + + ## Service annotations + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + + ## Extra ports to expose + # extraPorts: + # - name: new_svc_name + # port: 1234 + # targetPort: 1234 + + ## Extra ports to be included in container spec, primarily informational + # extraContainerPorts: + # - name: new_svc_name + # port: 1234 + # targetPort: 1234 + +# Additional pod labels to apply +podLabels: {} + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + extra: {} + +persistence: + ## this enables PVC templates that will create one per pod + enabled: true + + ## rabbitmq data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + ## selector can be used to match an existing PersistentVolume + # selector: + # matchLabels: + # app: my-app + accessMode: ReadWriteOnce + + ## Existing PersistentVolumeClaims + ## The value is evaluated as a template + ## So, for example, the name can depend on .Release or .Chart + # existingClaim: "" + + # If you change this value, you might have to adjust `rabbitmq.diskFreeLimit` as well. + size: 8Gi + + # persistence directory, maps to the rabbitmq data directory + path: /opt/bitnami/rabbitmq/var/lib/rabbitmq + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 100m + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port RabbitMQ is listening + ## on. When true, RabbitMQ will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed. 
+ ## + # additionalRules: + # - matchLabels: + # - role: frontend + # - matchExpressions: + # - key: role + # operator: In + # values: + # - frontend + +## Replica count, set to 3 to provide a default available cluster +replicas: 3 + +## Pod priority +## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +# priorityClassName: "" + +## updateStrategy for RabbitMQ statefulset +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## Node labels and tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature +nodeSelector: + beta.kubernetes.io/arch: amd64 +tolerations: [] +affinity: {} + +## affinity: | +## podAntiAffinity: +## requiredDuringSchedulingIgnoredDuringExecution: +## - labelSelector: +## matchLabels: +## app: {{ template "rabbitmq.name" . }} +## release: {{ .Release.Name | quote }} +## topologyKey: kubernetes.io/hostname +## preferredDuringSchedulingIgnoredDuringExecution: +## - weight: 100 +## podAffinityTerm: +## labelSelector: +## matchLabels: +## app: {{ template "rabbitmq.name" . }} +## release: {{ .Release.Name | quote }} +## topologyKey: failure-domain.beta.kubernetes.io/zone + +## annotations for rabbitmq pods +podAnnotations: {} + +## Configure the podDisruptionBudget +podDisruptionBudget: {} +# maxUnavailable: 1 +# minAvailable: 1 + +## Configure the ingress resource that allows you to access the +## Wordpress installation. Set up the URL +## ref: http://kubernetes.io/docs/user-guide/ingress/ +## +ingress: + ## Set to true to enable ingress record generation + enabled: false + + ## The list of hostnames to be covered with this ingress record. 
+ ## Most likely this will be just one host, but in the event more hosts are needed, this is an array + ## hostName: foo.bar.com + path: / + + ## Set this to true in order to enable TLS on the ingress record + ## A side effect of this will be that the backend wordpress service will be connected at port 443 + tls: true + + ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS + tlsSecret: myTlsSecret + + ## Ingress annotations done as key:value pairs + ## If you're using kube-lego, you will want to add: + ## kubernetes.io/tls-acme: true + ## + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## + ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: true + +## The following settings are to configure the frequency of the lifeness and readiness probes +livenessProbe: + enabled: true + initialDelaySeconds: 120 + timeoutSeconds: 20 + periodSeconds: 30 + failureThreshold: 6 + successThreshold: 1 + commandOverride: [] + +readinessProbe: + enabled: true + initialDelaySeconds: 10 + timeoutSeconds: 20 + periodSeconds: 30 + failureThreshold: 3 + successThreshold: 1 + commandOverride: [] + +## Prometheus Metrics +## +metrics: + enabled: true + port: 9419 + plugins: "rabbitmq_prometheus" + ## Prometheus pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.port }}" + + livenessProbe: + enabled: true + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 30 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 30 + failureThreshold: 
3 + successThreshold: 1 + + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + serviceMonitor: + ## If the operator is installed in your cluster, set to true to create a Service Monitor Entry + enabled: false + ## Specify the namespace in which the serviceMonitor resource will be created + # namespace: "" + ## Specify the interval at which metrics should be scraped + interval: 30s + ## Specify the timeout after which the scrape is ended + # scrapeTimeout: 30s + ## Specify Metric Relabellings to add to the scrape endpoint + # relabellings: + ## Specify honorLabels parameter to add the scrape endpoint + honorLabels: false + ## Specify the release for ServiceMonitor. Sometimes it should be custom for prometheus operator to work + # release: "" + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + additionalLabels: {} + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + rules: [] + ## List of reules, used as template by Helm. + ## These are just examples rules inspired from https://awesome-prometheus-alerts.grep.to/rules.html + ## Please adapt them to your needs. + ## Make sure to constraint the rules to the current rabbitmq service. + ## Also make sure to escape what looks like helm template. + # - alert: RabbitmqDown + # expr: rabbitmq_up{service="{{ template "rabbitmq.fullname" . 
}}"} == 0 + # for: 5m + # labels: + # severity: error + # annotations: + # summary: Rabbitmq down (instance {{ "{{ $labels.instance }}" }}) + # description: RabbitMQ node down + + # - alert: ClusterDown + # expr: | + # sum(rabbitmq_running{service="{{ template "rabbitmq.fullname" . }}"}) + # < {{ .Values.replicas }} + # for: 5m + # labels: + # severity: error + # annotations: + # summary: Cluster down (instance {{ "{{ $labels.instance }}" }}) + # description: | + # Less than {{ .Values.replicas }} nodes running in RabbitMQ cluster + # VALUE = {{ "{{ $value }}" }} + + # - alert: ClusterPartition + # expr: rabbitmq_partitions{service="{{ template "rabbitmq.fullname" . }}"} > 0 + # for: 5m + # labels: + # severity: error + # annotations: + # summary: Cluster partition (instance {{ "{{ $labels.instance }}" }}) + # description: | + # Cluster partition + # VALUE = {{ "{{ $value }}" }} + + # - alert: OutOfMemory + # expr: | + # rabbitmq_node_mem_used{service="{{ template "rabbitmq.fullname" . }}"} + # / rabbitmq_node_mem_limit{service="{{ template "rabbitmq.fullname" . }}"} + # * 100 > 90 + # for: 5m + # labels: + # severity: warning + # annotations: + # summary: Out of memory (instance {{ "{{ $labels.instance }}" }}) + # description: | + # Memory available for RabbmitMQ is low (< 10%)\n VALUE = {{ "{{ $value }}" }} + # LABELS: {{ "{{ $labels }}" }} + + # - alert: TooManyConnections + # expr: rabbitmq_connectionsTotal{service="{{ template "rabbitmq.fullname" . 
}}"} > 1000 + # for: 5m + # labels: + # severity: warning + # annotations: + # summary: Too many connections (instance {{ "{{ $labels.instance }}" }}) + # description: | + # RabbitMQ instance has too many connections (> 1000) + # VALUE = {{ "{{ $value }}" }}\n LABELS: {{ "{{ $labels }}" }} + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: true + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + +## forceBoot: executes 'rabbitmqctl force_boot' to force boot cluster shut down unexpectedly in an +## unknown order. +## ref: https://www.rabbitmq.com/rabbitmqctl.8.html#force_boot +## +forceBoot: + enabled: false + +## Optionally specify extra secrets to be created by the chart. +## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded. +## +extraSecrets: {} + # load-definition: + # load_definition.json: | + # { + # ... + # } + +## Adding optionals volumeMount +extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras +# readOnly: true + +extraVolumes: [] + # - name: extras +# emptyDir: {} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.schema.json b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.schema.json new file mode 100644 index 0000000..4bf6c11 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.schema.json 
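Review bot: For a file named values-production.yaml the network-facing defaults are loose: `rabbitmq.configuration` sets `loopback_users.guest = false` (which lifts the loopback-only restriction on the `guest` account), `networkPolicy.enabled` is `false` with `allowExternal: true`, and `rabbitmq.tls.enabled` is `false`. Whether a `guest` user actually exists depends on the rendered rabbitmq.conf, which is outside this hunk, but dropping the `loopback_users.guest` line and shipping `networkPolicy.enabled: true` with `allowExternal: false` would be safer defaults for this profile. The `volumePermissions` image is also pinned only to the moving tag `buster` with `pullPolicy: Always`, and statefulset.yaml runs that init container with `runAsUser: 0`; a version- or digest-pinned tag would make the root step reproducible.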
@@ -0,0 +1,100 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "rabbitmq": { + "type": "object", + "properties": { + "username": { + "type": "string", + "title": "RabbitMQ user", + "form": true + }, + "password": { + "type": "string", + "title": "RabbitMQ password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set" + }, + "extraConfiguration": { + "type": "string", + "title": "Extra RabbitMQ Configuration", + "form": true, + "render": "textArea", + "description": "Extra configuration to be appended to RabbitMQ Configuration" + } + } + }, + "replicas": { + "type": "integer", + "form": true, + "title": "Number of replicas", + "description": "Number of replicas to deploy" + }, + "persistence": { + "type": "object", + "title": "Persistence configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "condition": false, + "value": "persistence.enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Prometheus metrics for RabbitMQ", + "description": "Install Prometheus plugin in the RabbitMQ container", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + 
"title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "condition": false, + "value": "metrics.enabled" + } + } + } + } + } + } + } +} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.yaml new file mode 100644 index 0000000..c8f8c31 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/rabbitmq/values.yaml 
@@ -0,0 +1,544 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami RabbitMQ image version +## ref: https://hub.docker.com/r/bitnami/rabbitmq/tags/ +## +image: + registry: docker.io + repository: bitnami/rabbitmq + tag: 3.8.3-debian-10-r40 + + ## set to true if you would like to see extra information on logs + ## it turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + debug: false + + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## String to partially override rabbitmq.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override rabbitmq.fullname template +## +# fullnameOverride: + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## does your cluster have rbac enabled? assume yes by default +rbacEnabled: true + +## RabbitMQ should be initialized one by one when building cluster for the first time. 
+## Therefore, the default value of podManagementPolicy is 'OrderedReady' +## Once the RabbitMQ participates in the cluster, it waits for a response from another +## RabbitMQ in the same cluster at reboot, except the last RabbitMQ of the same cluster. +## If the cluster exits gracefully, you do not need to change the podManagementPolicy +## because the first RabbitMQ of the statefulset always will be last of the cluster. +## However if the last RabbitMQ of the cluster is not the first RabbitMQ due to a failure, +## you must change podManagementPolicy to 'Parallel'. +## ref : https://www.rabbitmq.com/clustering.html#restarting +## +podManagementPolicy: OrderedReady + +## section of specific values for rabbitmq +rabbitmq: + ## RabbitMQ application username + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + username: user + + ## RabbitMQ application password + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # password: + # existingPasswordSecret: name-of-existing-secret + + ## Erlang cookie to determine whether different nodes are allowed to communicate with each other + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # erlangCookie: + # existingErlangSecret: name-of-existing-secret + + ## Node name to cluster with. 
e.g.: `clusternode@hostname` + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # rabbitmqClusterNodeName: + + ## Value for the RABBITMQ_LOGS environment variable + ## ref: https://www.rabbitmq.com/logging.html#log-file-location + ## + logs: '-' + + ## RabbitMQ Max File Descriptors + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## ref: https://www.rabbitmq.com/install-debian.html#kernel-resource-limits + ## + setUlimitNofiles: true + ulimitNofiles: '65536' + + ## RabbitMQ maximum available scheduler threads and online scheduler threads + ## ref: https://hamidreza-s.github.io/erlang/scheduling/real-time/preemptive/migration/2016/02/09/erlang-scheduler-details.html#scheduler-threads + ## + maxAvailableSchedulers: 2 + onlineSchedulers: 1 + + ## Plugins to enable + plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s" + + ## Extra plugins to enable + ## Use this instead of `plugins` to add new plugins + extraPlugins: "rabbitmq_auth_backend_ldap" + + ## Clustering settings + clustering: + address_type: hostname + k8s_domain: cluster.local + ## Rebalance master for queues in cluster when new replica is created + ## ref: https://www.rabbitmq.com/rabbitmq-queues.8.html#rebalance + rebalance: false + + loadDefinition: + enabled: false + secretName: load-definition + + ## environment variables to configure rabbitmq + ## ref: https://www.rabbitmq.com/configure.html#customise-environment + env: {} + + ## Configuration file content: required cluster configuration + ## Do not override unless you know what you are doing. 
To add more configuration, use `extraConfiguration` of `advancedConfiguration` instead + configuration: |- + ## Clustering + cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s + cluster_formation.k8s.host = kubernetes.default.svc.cluster.local + cluster_formation.node_cleanup.interval = 10 + cluster_formation.node_cleanup.only_log_warning = true + cluster_partition_handling = autoheal + # queue master locator + queue_master_locator=min-masters + # enable guest user + loopback_users.guest = false + + ## Configuration file content: extra configuration + ## Use this instead of `configuration` to add more configuration + extraConfiguration: |- + #disk_free_limit.absolute = 50MB + #management.load_definitions = /app/load_definition.json + + ## Configuration file content: advanced configuration + ## Use this as additional configuraton in classic config format (Erlang term configuration format) + ## + ## If you set LDAP with TLS/SSL enabled and you are using self-signed certificates, uncomment these lines. + ## advancedConfiguration: |- + ## [{ + ## rabbitmq_auth_backend_ldap, + ## [{ + ## ssl_options, + ## [{ + ## verify, verify_none + ## }, { + ## fail_if_no_peer_cert, + ## false + ## }] + ## ]} + ## }]. + ## + advancedConfiguration: |- + + ## Enable encryption to rabbitmq + ## ref: https://www.rabbitmq.com/ssl.html + ## + tls: + enabled: false + failIfNoPeerCert: true + sslOptionsVerify: verify_peer + caCertificate: |- + serverCertificate: |- + serverKey: |- + # existingSecret: name-of-existing-secret-to-rabbitmq + +## LDAP configuration +## +ldap: + enabled: false + server: "" + port: "389" + user_dn_pattern: cn=${username},dc=example,dc=org + tls: + # If you enabled TLS/SSL you can set advaced options using the advancedConfiguration parameter. 
+ enabled: false + +## Kubernetes service type +service: + type: ClusterIP + ## Node port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + # nodePort: 30672 + + ## Set the LoadBalancerIP + ## + # loadBalancerIP: + + ## Node port Tls + ## + # nodeTlsPort: 30671 + + ## Amqp port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + port: 5672 + + ## Amqp Tls port + ## + tlsPort: 5671 + + ## Dist port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + distPort: 25672 + + ## RabbitMQ Manager port + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + ## + managerPort: 15672 + + ## Service annotations + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + + ## Extra ports to expose + # extraPorts: + # - name: new_svc_name + # port: 1234 + # targetPort: 1234 + + ## Extra ports to be included in container spec, primarily informational + # extraContainerPorts: + # - name: new_svc_name + # port: 1234 + # targetPort: 1234 + +# Additional pod labels to apply +podLabels: {} + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + extra: {} + +persistence: + ## this enables PVC templates that will create one per pod + enabled: true + + ## rabbitmq data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + ## selector can be used to match an existing PersistentVolume + # selector: + # matchLabels: + # app: my-app + accessMode: ReadWriteOnce + + ## Existing PersistentVolumeClaims + ## The value is evaluated as a template + ## So, for example, the name can depend on .Release or .Chart + # existingClaim: "" + + # If you change this value, you might have to adjust `rabbitmq.diskFreeLimit` as well. + size: 8Gi + + # persistence directory, maps to the rabbitmq data directory + path: /opt/bitnami/rabbitmq/var/lib/rabbitmq + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: {} + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports RabbitMQ is listening + ## on. When true, RabbitMQ will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed. 
+ ## + # additionalRules: + # - matchLabels: + # - role: frontend + # - matchExpressions: + # - key: role + # operator: In + # values: + # - frontend + +## Replica count, set to 1 to provide a default available cluster +replicas: 1 + +## Pod priority +## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +# priorityClassName: "" + +## updateStrategy for RabbitMQ statefulset +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +updateStrategy: + type: RollingUpdate + +## Node labels and tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature +nodeSelector: {} +tolerations: [] +affinity: {} +podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 1 +## annotations for rabbitmq pods +podAnnotations: {} + +## Configure the ingress resource that allows you to access the +## Wordpress installation. Set up the URL +## ref: http://kubernetes.io/docs/user-guide/ingress/ +## +ingress: + ## Set to true to enable ingress record generation + enabled: false + + ## The list of hostnames to be covered with this ingress record. 
+ ## Most likely this will be just one host, but in the event more hosts are needed, this is an array + ## hostName: foo.bar.com + path: / + + ## Set this to true in order to enable TLS on the ingress record + ## A side effect of this will be that the backend wordpress service will be connected at port 443 + tls: false + + ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS + tlsSecret: myTlsSecret + + ## Ingress annotations done as key:value pairs + ## If you're using kube-lego, you will want to add: + ## kubernetes.io/tls-acme: true + ## + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## + ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: true + +## The following settings are to configure the frequency of the lifeness and readiness probes +livenessProbe: + enabled: true + initialDelaySeconds: 120 + timeoutSeconds: 20 + periodSeconds: 30 + failureThreshold: 6 + successThreshold: 1 + commandOverride: [] + +readinessProbe: + enabled: true + initialDelaySeconds: 10 + timeoutSeconds: 20 + periodSeconds: 30 + failureThreshold: 3 + successThreshold: 1 + commandOverride: [] + +## Prometheus Metrics +## +metrics: + enabled: false + port: 9419 + plugins: "rabbitmq_prometheus" + ## Prometheus pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.port }}" + + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + serviceMonitor: + ## If the operator is installed in your cluster, set to true 
to create a Service Monitor Entry + enabled: false + ## Specify the namespace in which the serviceMonitor resource will be created + # namespace: "" + ## Specify the interval at which metrics should be scraped + interval: 30s + ## Specify the timeout after which the scrape is ended + # scrapeTimeout: 30s + ## Specify Metric Relabellings to add to the scrape endpoint + # relabellings: + ## Specify honorLabels parameter to add the scrape endpoint + honorLabels: false + ## Specify the release for ServiceMonitor. Sometimes it should be custom for prometheus operator to work + # release: "" + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + additionalLabels: {} + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + rules: [] + ## List of reules, used as template by Helm. + ## These are just examples rules inspired from https://awesome-prometheus-alerts.grep.to/rules.html + ## Please adapt them to your needs. + ## Make sure to constraint the rules to the current rabbitmq service. + ## Also make sure to escape what looks like helm template. + # - alert: RabbitmqDown + # expr: rabbitmq_up{service="{{ template "rabbitmq.fullname" . }}"} == 0 + # for: 5m + # labels: + # severity: error + # annotations: + # summary: Rabbitmq down (instance {{ "{{ $labels.instance }}" }}) + # description: RabbitMQ node down + + # - alert: ClusterDown + # expr: | + # sum(rabbitmq_running{service="{{ template "rabbitmq.fullname" . 
}}"}) + # < {{ .Values.replicas }} + # for: 5m + # labels: + # severity: error + # annotations: + # summary: Cluster down (instance {{ "{{ $labels.instance }}" }}) + # description: | + # Less than {{ .Values.replicas }} nodes running in RabbitMQ cluster + # VALUE = {{ "{{ $value }}" }} + + # - alert: ClusterPartition + # expr: rabbitmq_partitions{service="{{ template "rabbitmq.fullname" . }}"} > 0 + # for: 5m + # labels: + # severity: error + # annotations: + # summary: Cluster partition (instance {{ "{{ $labels.instance }}" }}) + # description: | + # Cluster partition + # VALUE = {{ "{{ $value }}" }} + + # - alert: OutOfMemory + # expr: | + # rabbitmq_node_mem_used{service="{{ template "rabbitmq.fullname" . }}"} + # / rabbitmq_node_mem_limit{service="{{ template "rabbitmq.fullname" . }}"} + # * 100 > 90 + # for: 5m + # labels: + # severity: warning + # annotations: + # summary: Out of memory (instance {{ "{{ $labels.instance }}" }}) + # description: | + # Memory available for RabbmitMQ is low (< 10%)\n VALUE = {{ "{{ $value }}" }} + # LABELS: {{ "{{ $labels }}" }} + + # - alert: TooManyConnections + # expr: rabbitmq_connectionsTotal{service="{{ template "rabbitmq.fullname" . }}"} > 1000 + # for: 5m + # labels: + # severity: warning + # annotations: + # summary: Too many connections (instance {{ "{{ $labels.instance }}" }}) + # description: | + # RabbitMQ instance has too many connections (> 1000) + # VALUE = {{ "{{ $value }}" }}\n LABELS: {{ "{{ $labels }}" }} + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + +## forceBoot: executes 'rabbitmqctl force_boot' to force boot cluster shut down unexpectedly in an +## unknown order. +## ref: https://www.rabbitmq.com/rabbitmqctl.8.html#force_boot +## +forceBoot: + enabled: false + +## Optionally specify extra secrets to be created by the chart. +## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded. +## +extraSecrets: {} + # load-definition: + # load_definition.json: | + # { + # ... + # } + +## Adding optionals volumeMount +extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + +extraVolumes: [] + # - name: extras + # emptyDir: {} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/.helmignore b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/Chart.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/Chart.yaml new file mode 100644 index 0000000..6582319 --- /dev/null 
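Review bot: In the rabbitmq `values.yaml` hunk, the required `configuration` block sets `loopback_users.guest = false`, which removes RabbitMQ's restriction of the built-in `guest` account to loopback connections; the comment above it, `# enable guest user`, does not make that consequence clear. If the deployed image leaves a `guest` account in place (not visible from this hunk), it would accept network logins with its default credentials. The same file ships `networkPolicy.enabled: false` and `allowExternal: true`, so no pod-level policy would limit who can reach the AMQP and management ports. I would drop the line unless the image is confirmed not to create `guest`, or at least reword the comment to `# lets the guest account log in from non-loopback hosts; keep only if guest is deleted or re-credentialed`. Separately, the commented LDAP sample under `advancedConfiguration` shows `verify, verify_none`; it deserves a one-line caveat that this turns off certificate validation for the LDAP connection and is not meant for production.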
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+appVersion: 5.0.8
+description: Open source, advanced key-value store. It is often referred to as a data
+ structure server since keys can contain strings, hashes, lists, sets and sorted
+ sets.
+home: http://redis.io/
+icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png
+keywords:
+- redis
+- keyvalue
+- database
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+- email: cedric@desaintmartin.fr
+ name: desaintmartin
+name: redis
+sources:
+- https://github.com/bitnami/bitnami-docker-redis
+version: 10.6.3
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/README.md b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/README.md
new file mode 100644
index 0000000..c723411
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/README.md
@@ -0,0 +1,499 @@ + +# Redis + +[Redis](http://redis.io/) is an advanced key-value cache and store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets, sorted sets, bitmaps and hyperloglogs. + +## TL;DR; + +```bash +# Testing configuration +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/redis +``` + +```bash +# Production configuration +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/redis --values values-production.yaml +``` + +## Introduction + +This chart bootstraps a [Redis](https://github.com/bitnami/bitnami-docker-redis) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 2.11+ or Helm 3.0-beta3+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/redis +``` + +The command deploys Redis on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +The following table lists the configurable parameters of the Redis chart and their default values. 
+ +| Parameter | Description | Default | +| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `global.redis.password` | Redis password (overrides `password`) | `nil` | +| `image.registry` | Redis Image registry | `docker.io` | +| `image.repository` | Redis Image name | `bitnami/redis` | +| `image.tag` | Redis Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | +| `nameOverride` | String to partially override redis.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override redis.fullname template with a string | `nil` | +| `cluster.enabled` | Use master-slave topology | `true` | +| `cluster.slaveCount` | Number of slaves | `2` | +| `existingSecret` | Name of existing secret object (for password authentication) | `nil` | +| `existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `nil` | +| `usePassword` | Use password | `true` | +| `usePasswordFile` | Mount passwords as files instead of environment variables | `false` | +| `password` | Redis password (ignored if existingSecret set) | Randomly generated | +| `configmap` | Additional common Redis node configuration (this value is evaluated as a template) | See values.yaml | +| `clusterDomain` | Kubernetes DNS Domain name to use | `cluster.local` | +| `networkPolicy.enabled` | Enable NetworkPolicy | 
`false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.ingressNSMatchLabels` | Allow connections from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | For other namespaces match by pod labels and namespace labels | `{}` | +| `securityContext.enabled` | Enable security context (both redis master and slave pods) | `true` | +| `securityContext.fsGroup` | Group ID for the container (both redis master and slave pods) | `1001` | +| `securityContext.runAsUser` | User ID for the container (both redis master and slave pods) | `1001` | +| `securityContext.sysctls` | Set namespaced sysctls for the container (both redis master and slave pods) | `nil` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.role.rules` | Rules to create | `[]` | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Redis exporter image registry | `docker.io` | +| `metrics.image.repository` | Redis exporter image name | `bitnami/redis-exporter` | +| `metrics.image.tag` | Redis exporter image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | +| `metrics.extraArgs` | Extra arguments for the binary; possible values [here](https://github.com/oliver006/redis_exporter#flags) | {} | +| `metrics.podLabels` | Additional labels for Metrics exporter pod | {} | +| `metrics.podAnnotations` | Additional annotations for Metrics exporter pod | {} | +| `metrics.resources` | Exporter resource requests/limit | Memory: `256Mi`, CPU: `100m` | +| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator 
ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | +| `metrics.serviceMonitor.namespace` | Optional namespace which Prometheus is running in | `nil` | +| `metrics.serviceMonitor.interval` | How frequently to scrape metrics (use by default, falling back to Prometheus' default) | `nil` | +| `metrics.serviceMonitor.selector` | Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install | `{ prometheus: kube-prometheus }` | +| `metrics.service.type` | Kubernetes Service type (redis metrics) | `ClusterIP` | +| `metrics.service.annotations` | Annotations for the services to monitor (redis master and redis slave service) | {} | +| `metrics.service.labels` | Additional labels for the metrics service | {} | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.priorityClassName` | Metrics exporter pod priorityClassName | {} | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | Same namespace as redis | +| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. 
| `[]` | +| `persistence.existingClaim` | Provide an existing PersistentVolumeClaim | `nil` | +| `master.persistence.enabled` | Use a PVC to persist data (master node) | `true` | +| `master.persistence.path` | Path to mount the volume at, to use other images | `/data` | +| `master.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `master.persistence.storageClass` | Storage class of backing PVC | `generic` | +| `master.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` | +| `master.persistence.size` | Size of data volume | `8Gi` | +| `master.persistence.matchLabels` | matchLabels persistent volume selector | `{}` | +| `master.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` | +| `master.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete | +| `master.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` | +| `master.podLabels` | Additional labels for Redis master pod | {} | +| `master.podAnnotations` | Additional annotations for Redis master pod | {} | +| `redisPort` | Redis port (in both master and slaves) | `6379` | +| `master.command` | Redis master entrypoint string. The command `redis-server` is executed if this is not provided. 
| `/run.sh` | +| `master.configmap` | Additional Redis configuration for the master nodes (this value is evaluated as a template) | `nil` | +| `master.disableCommands` | Array of Redis commands to disable (master) | `["FLUSHDB", "FLUSHALL"]` | +| `master.extraFlags` | Redis master additional command line flags | [] | +| `master.nodeSelector` | Redis master Node labels for pod assignment | {"beta.kubernetes.io/arch": "amd64"} | +| `master.tolerations` | Toleration labels for Redis master pod assignment | [] | +| `master.affinity` | Affinity settings for Redis master pod assignment | {} | +| `master.schedulerName` | Name of an alternate scheduler | `nil` | +| `master.service.type` | Kubernetes Service type (redis master) | `ClusterIP` | +| `master.service.port` | Kubernetes Service port (redis master) | `6379` | +| `master.service.nodePort` | Kubernetes Service nodePort (redis master) | `nil` | +| `master.service.annotations` | annotations for redis master service | {} | +| `master.service.labels` | Additional labels for redis master service | {} | +| `master.service.loadBalancerIP` | loadBalancerIP if redis master service type is `LoadBalancer` | `nil` | +| `master.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if redis master service type is `LoadBalancer` | `nil` | +| `master.resources` | Redis master CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `100m` | +| `master.livenessProbe.enabled` | Turn on and off liveness probe (redis master pod) | `true` | +| `master.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis master pod) | `30` | +| `master.livenessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `30` | +| `master.livenessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `5` | +| `master.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` | +| 
`master.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | +| `master.readinessProbe.enabled` | Turn on and off readiness probe (redis master pod) | `true` | +| `master.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated (redis master pod) | `5` | +| `master.readinessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `10` | +| `master.readinessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `1` | +| `master.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` | +| `master.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | +| `master.priorityClassName` | Redis Master pod priorityClassName | {} | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the registry (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.resources ` | Init container volume-permissions CPU/Memory resource requests/limits | {} | +| `slave.service.type` | Kubernetes Service type (redis slave) | `ClusterIP` | +| `slave.service.nodePort` | Kubernetes Service nodePort (redis slave) | `nil` | +| `slave.service.annotations` | annotations for redis slave service | {} | +| `slave.service.labels` | Additional labels for redis slave service | {} | +| `slave.service.port` | 
Kubernetes Service port (redis slave) | `6379` | +| `slave.service.loadBalancerIP` | LoadBalancerIP if Redis slave service type is `LoadBalancer` | `nil` | +| `slave.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if Redis slave service type is `LoadBalancer` | `nil` | +| `slave.command` | Redis slave entrypoint array. The docker image's ENTRYPOINT is used if this is not provided. | `/run.sh` | +| `slave.configmap` | Additional Redis configuration for the slave nodes (this value is evaluated as a template) | `nil` | +| `slave.disableCommands` | Array of Redis commands to disable (slave) | `[FLUSHDB, FLUSHALL]` | +| `slave.extraFlags` | Redis slave additional command line flags | `[]` | +| `slave.livenessProbe.enabled` | Turn on and off liveness probe (redis slave pod) | `true` | +| `slave.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis slave pod) | `30` | +| `slave.livenessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `10` | +| `slave.livenessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `5` | +| `slave.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` | +| `slave.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| `5` | +| `slave.readinessProbe.enabled` | Turn on and off slave.readiness probe (redis slave pod) | `true` | +| `slave.readinessProbe.initialDelaySeconds` | Delay before slave.readiness probe is initiated (redis slave pod) | `5` | +| `slave.readinessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `10` | +| `slave.readinessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `10` | +| `slave.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` | +| `slave.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. (redis slave pod) | `5` | +| `slave.persistence.enabled` | Use a PVC to persist data (slave node) | `true` | +| `slave.persistence.path` | Path to mount the volume at, to use other images | `/data` | +| `slave.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `slave.persistence.storageClass` | Storage class of backing PVC | `generic` | +| `slave.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` | +| `slave.persistence.size` | Size of data volume | `8Gi` | +| `slave.persistence.matchLabels` | matchLabels persistent volume selector | `{}` | +| `slave.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` | +| `slave.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete | +| `slave.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` | +| `slave.podLabels` | Additional labels for Redis slave pod | `master.podLabels` | +| `slave.podAnnotations` | Additional annotations for Redis slave pod | `master.podAnnotations` | +| `slave.schedulerName` | Name of an alternate scheduler | `nil` | +| `slave.resources` | Redis slave CPU/Memory resource requests/limits | `{}` | +| `slave.affinity` | Enable node/pod affinity for slaves | {} | +| 
`slave.priorityClassName` | Redis Slave pod priorityClassName | {} | +| `sentinel.enabled` | Enable sentinel containers | `false` | +| `sentinel.usePassword` | Use password for sentinel containers | `true` | +| `sentinel.masterSet` | Name of the sentinel master set | `mymaster` | +| `sentinel.initialCheckTimeout` | Timeout for querying the redis sentinel service for the active sentinel list | `5` | +| `sentinel.quorum` | Quorum for electing a new master | `2` | +| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis node is down | `60000` | +| `sentinel.failoverTimeout` | Timeout for performing a election failover | `18000` | +| `sentinel.parallelSyncs` | Number of parallel syncs in the cluster | `1` | +| `sentinel.port` | Redis Sentinel port | `26379` | +| `sentinel.configmap` | Additional Redis configuration for the sentinel nodes (this value is evaluated as a template) | `nil` | +| `sentinel.staticID` | Enable static IDs for sentinel replicas (If disabled IDs will be randomly generated on startup) | `false` | +| `sentinel.service.type` | Kubernetes Service type (redis sentinel) | `ClusterIP` | +| `sentinel.service.nodePort` | Kubernetes Service nodePort (redis sentinel) | `nil` | +| `sentinel.service.annotations` | annotations for redis sentinel service | {} | +| `sentinel.service.labels` | Additional labels for redis sentinel service | {} | +| `sentinel.service.redisPort` | Kubernetes Service port for Redis read only operations | `6379` | +| `sentinel.service.sentinelPort` | Kubernetes Service port for Redis sentinel | `26379` | +| `sentinel.service.redisNodePort` | Kubernetes Service node port for Redis read only operations | `` | +| `sentinel.service.sentinelNodePort` | Kubernetes Service node port for Redis sentinel | `` | +| `sentinel.service.loadBalancerIP` | LoadBalancerIP if Redis sentinel service type is `LoadBalancer` | `nil` | +| `sentinel.livenessProbe.enabled` | Turn on and off liveness probe (redis sentinel pod) | `true` | +| 
`sentinel.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis sentinel pod) | `5` | +| `sentinel.livenessProbe.periodSeconds` | How often to perform the probe (redis sentinel container) | `5` | +| `sentinel.livenessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `5` | +| `sentinel.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` | +| `sentinel.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | +| `sentinel.readinessProbe.enabled` | Turn on and off sentinel.readiness probe (redis sentinel pod) | `true` | +| `sentinel.readinessProbe.initialDelaySeconds` | Delay before sentinel.readiness probe is initiated (redis sentinel pod) | `5` | +| `sentinel.readinessProbe.periodSeconds` | How often to perform the probe (redis sentinel pod) | `5` | +| `sentinel.readinessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `1` | +| `sentinel.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` | +| `sentinel.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
(redis sentinel container) | `5` | +| `sentinel.resources` | Redis sentinel CPU/Memory resource requests/limits | `{}` | +| `sentinel.image.registry` | Redis Sentinel Image registry | `docker.io` | +| `sentinel.image.repository` | Redis Sentinel Image name | `bitnami/redis-sentinel` | +| `sentinel.image.tag` | Redis Sentinel Image tag | `{TAG_NAME}` | +| `sentinel.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `sentinel.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | +| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | `false` | +| `sysctlImage.command` | sysctlImage command to execute | [] | +| `sysctlImage.registry` | sysctlImage Init container registry | `docker.io` | +| `sysctlImage.repository` | sysctlImage Init container name | `bitnami/minideb` | +| `sysctlImage.tag` | sysctlImage Init container tag | `buster` | +| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | `Always` | +| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctlImage.resources` | sysctlImage Init container CPU/Memory resource requests/limits | {} | +| `podSecurityPolicy.create` | Specifies whether a PodSecurityPolicy should be created | `false` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set password=secretpassword \ + bitnami/redis +``` + +The above command sets the Redis server password to `secretpassword`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/redis +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +> **Note for minikube users**: Current versions of minikube (v0.24.1 at the time of writing) provision `hostPath` persistent volumes that are only writable by root. 
Using chart defaults cause pod failure for the Redis pod as it attempts to write to the `/bitnami` directory. Consider installing Redis with `--set persistence.enabled=false`. See minikube issue [1990](https://github.com/kubernetes/minikube/issues/1990) for more information. + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Production configuration + +This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. + +- Number of slaves: +```diff +- cluster.slaveCount: 2 ++ cluster.slaveCount: 3 +``` + +- Enable NetworkPolicy: +```diff +- networkPolicy.enabled: false ++ networkPolicy.enabled: true +``` + +- Start a side-car prometheus exporter: +```diff +- metrics.enabled: false ++ metrics.enabled: true +``` + +### Cluster topologies + +#### Default: Master-Slave + +When installing the chart with `cluster.enabled=true`, it will deploy a Redis master StatefulSet (only one master node allowed) and a Redis slave StatefulSet. The slaves will be read-replicas of the master. Two services will be exposed: + + - Redis Master service: Points to the master, where read-write operations can be performed + - Redis Slave service: Points to the slaves, where only read operations are allowed. + +In case the master crashes, the slaves will wait until the master node is respawned again by the Kubernetes Controller Manager. 
+ +#### Master-Slave with Sentinel + +When installing the chart with `cluster.enabled=true` and `sentinel.enabled=true`, it will deploy a Redis master StatefulSet (only one master allowed) and a Redis slave StatefulSet. In this case, the pods will contain en extra container with Redis Sentinel. This container will form a cluster of Redis Sentinel nodes, which will promote a new master in case the actual one fails. In addition to this, only one service is exposed: + + - Redis service: Exposes port 6379 for Redis read-only operations and port 26379 for accesing Redis Sentinel. + +For read-only operations, access the service using port 6379. For write operations, it's necessary to access the Redis Sentinel cluster and query the current master using the command below (using redis-cli or similar: + +``` +SENTINEL get-master-addr-by-name +``` +This command will return the address of the current master, which can be accessed from inside the cluster. + +In case the current master crashes, the Sentinel containers will elect a new master node. + +### Using password file +To use a password file for Redis you need to create a secret containing the password. + +> *NOTE*: It is important that the file with the password must be called `redis-password` + +And then deploy the Helm Chart using the secret name as parameter: + +```console +usePassword=true +usePasswordFile=true +existingSecret=redis-password-file +sentinels.enabled=true +metrics.enabled=true +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9121) is exposed in the service. Metrics can be scraped from within the cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). If metrics are to be scraped from outside the cluster, the Kubernetes API proxy can be utilized to access the endpoint. 
+ +### Host Kernel Settings +Redis may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. +To do so, you can set up a privileged initContainer with the `sysctlImage` config values, for example: +``` +sysctlImage: + enabled: true + mountHostSys: true + command: + - /bin/sh + - -c + - |- + install_packages procps + sysctl -w net.core.somaxconn=10000 + echo never > /host-sys/kernel/mm/transparent_hugepage/enabled +``` + +Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure sysctls for master and slave pods. Example: + +```yaml +securityContext: + sysctls: + - name: net.core.somaxconn + value: "10000" +``` + +Note that this will not disable transparent huge tables. + +## Persistence + +By default, the chart mounts a [Persistent Volume](http://kubernetes.io/docs/user-guide/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. + +### Existing PersistentVolumeClaim + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```bash +$ helm install my-release --set persistence.existingClaim=PVC_NAME bitnami/redis +``` + +## NetworkPolicy + +To enable network policy for Redis, install +[a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), +and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting +the DefaultDeny namespace annotation. 
Note: this will enforce policy for _all_ pods in the namespace: + + kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" + +With NetworkPolicy enabled, only pods with the generated client label will be +able to connect to Redis. This label will be displayed in the output +after a successful install. + +With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: + +``` +networkPolicy: + enabled: true + ingressNSMatchLabels: + redis: external + ingressNSPodMatchLabels: + redis-client: true +``` + +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + +### To 10.0.0 + +For releases with `usePassword: true`, the value `sentinel.usePassword` controls whether the password authentication also applies to the sentinel port. This defaults to `true` for a secure configuration, however it is possible to disable to account for the following cases: +* Using a version of redis-sentinel prior to `5.0.1` where the authentication feature was introduced. +* Where redis clients need to be updated to support sentinel authentication. + +If using a master/slave topology, or with `usePassword: false`, no action is required. + +### To 8.0.18 + +For releases with `metrics.enabled: true` the default tag for the exporter image is now `v1.x.x`. This introduces many changes including metrics names. You'll want to use [this dashboard](https://github.com/oliver006/redis_exporter/blob/master/contrib/grafana_prometheus_redis_dashboard.json) now. 
Please see the [redis_exporter github page](https://github.com/oliver006/redis_exporter#upgrading-from-0x-to-1x) for more details. + +### To 7.0.0 + +This version causes a change in the Redis Master StatefulSet definition, so the command helm upgrade would not work out of the box. As an alternative, one of the following could be done: + + - Recommended: Create a clone of the Redis Master PVC (for example, using projects like [this one](https://github.com/edseymour/pvc-transfer)). Then launch a fresh release reusing this cloned PVC. + + ``` + helm install my-release bitnami/redis --set persistence.existingClaim= + ``` + + - Alternative (not recommended, do at your own risk): `helm delete --purge` does not remove the PVC assigned to the Redis Master StatefulSet. As a consequence, the following commands can be done to upgrade the release + + ``` + helm delete --purge + helm install bitnami/redis + ``` + +Previous versions of the chart were not using persistence in the slaves, so this upgrade would add it to them. Another important change is that no values are inherited from master to slaves. For example, in 6.0.0 `slaves.readinessProbe.periodSeconds`, if empty, would be set to `master.readinessProbe.periodSeconds`. This approach lacked transparency and was difficult to maintain. From now on, all the slave parameters must be configured just as it is done with the masters. + +Some values have changed as well: + + - `master.port` and `slave.port` have been changed to `redisPort` (same value for both master and slaves) + - `master.securityContext` and `slave.securityContext` have been changed to `securityContext`(same values for both master and slaves) + +By default, the upgrade will not change the cluster topology. In case you want to use Redis Sentinel, you must explicitly set `sentinel.enabled` to `true`. + +### To 6.0.0 + +Previous versions of the chart were using an init-container to change the permissions of the volumes. 
This was done in case the `securityContext` directive in the template was not enough for that (for example, with cephFS). In this new version of the chart, this container is disabled by default (which should not affect most of the deployments). If your installation still requires that init container, execute `helm upgrade` with the `--set volumePermissions.enabled=true`. + +### To 5.0.0 + +The default image in this release may be switched out for any image containing the `redis-server` +and `redis-cli` binaries. If `redis-server` is not the default image ENTRYPOINT, `master.command` +must be specified. + +#### Breaking changes +- `master.args` and `slave.args` are removed. Use `master.command` or `slave.command` instead in order to override the image entrypoint, or `master.extraFlags` to pass additional flags to `redis-server`. +- `disableCommands` is now interpreted as an array of strings instead of a string of comma separated values. +- `master.persistence.path` now defaults to `/data`. + +### 4.0.0 + +This version removes the `chart` label from the `spec.selector.matchLabels` +which is immutable since `StatefulSet apps/v1beta2`. It has been inadvertently +added, causing any subsequent upgrade to fail. See https://github.com/helm/charts/issues/7726. + +It also fixes https://github.com/helm/charts/issues/7726 where a deployment `extensions/v1beta1` can not be upgraded if `spec.selector` is not explicitly set. + +Finally, it fixes https://github.com/helm/charts/issues/7803 by removing mutable labels in `spec.VolumeClaimTemplate.metadata.labels` so that it is upgradable. 
+
+In order to upgrade, delete the Redis StatefulSet before upgrading:
+```bash
+$ kubectl delete statefulsets.apps --cascade=false my-release-redis-master
+```
+And edit the Redis slave (and metrics if enabled) deployment:
+```bash
+kubectl patch deployments my-release-redis-slave --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
+kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
+```
+
+## Notable changes
+
+### 9.0.0
+The metrics exporter has been changed from a separate deployment to a sidecar container, due to the latest changes in the Redis exporter code. Check the [official page](https://github.com/oliver006/redis_exporter/) for more information. The metrics container image was changed from oliver006/redis_exporter to bitnami/redis-exporter (Bitnami's maintained package of oliver006/redis_exporter).
+
+### 7.0.0
+In order to improve the performance in case of slave failure, we added persistence to the read-only slaves. That means that we moved from Deployment to StatefulSets. This should not affect upgrades from previous versions of the chart, as the deployments did not contain any persistence at all.
+
+This version also allows enabling Redis Sentinel containers inside of the Redis Pods (feature disabled by default). In case the master crashes, a new Redis node will be elected as master. In order to query the current master (no redis master service is exposed), you need to query first the Sentinel cluster. Find more information [in this section](#master-slave-with-sentinel).
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/default-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/default-values.yaml
new file mode 100644
index 0000000..fc2ba60
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/default-values.yaml
@@ -0,0 +1 @@
+# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/dev-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/dev-values.yaml
new file mode 100644
index 0000000..be01913
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/dev-values.yaml
@@ -0,0 +1,9 @@
+master:
+ persistence:
+ enabled: false
+
+cluster:
+ enabled: true
+ slaveCount: 1
+
+usePassword: false
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/extra-flags-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/extra-flags-values.yaml
new file mode 100644
index 0000000..71132f7
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/extra-flags-values.yaml
@@ -0,0 +1,11 @@
+master:
+ extraFlags:
+ - --maxmemory-policy allkeys-lru
+ persistence:
+ enabled: false
+slave:
+ extraFlags:
+ - --maxmemory-policy allkeys-lru
+ persistence:
+ enabled: false
+usePassword: false
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/insecure-sentinel-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/insecure-sentinel-values.yaml
new file mode 100644
index 0000000..2e9174f
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/insecure-sentinel-values.yaml
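Review bot: The last line of `ci/dev-values.yaml`, `usePassword: false`, turns off Redis authentication, and nothing in the file marks it as a CI-only fixture; `ci/extra-flags-values.yaml` ends with the same line. Because the chart is vendored under the operator's `helm-charts/` tree with its `ci/` directory included, a header comment in each file would keep them from being reused as deployment values, for example `# CI fixture only: disables Redis AUTH and persistence; never use as deployment values`. If the operator does not need the `ci/` directory at all, leaving it out when the chart is vendored would settle the question; whether anything reads these files at runtime is not visible from these hunks.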
@@ -0,0 +1,524 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName + +## Bitnami Redis image version +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## +image: + registry: docker.io + repository: bitnami/redis + ## Bitnami Redis image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.5-debian-9-r36 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## Redis pod Security Context +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + +## Cluster settings +cluster: + enabled: true + slaveCount: 3 + +## Use redis sentinel in the redis pod. 
This will disable the master and slave services and +## create one redis service with ports to the sentinel and the redis instances +sentinel: + enabled: true + ## Require password authentication on the sentinel itself + ## ref: https://redis.io/topics/sentinel + usePassword: false + ## Bitnami Redis Sentintel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + ## Bitnami Redis image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.5-debian-9-r37 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + masterSet: mymaster + initialCheckTimeout: 5 + quorum: 2 + downAfterMilliseconds: 60000 + failoverTimeout: 18000 + parallelSyncs: 1 + port: 26379 + ## Configure extra options for Redis Sentinel liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## Redis Sentinel resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Redis Sentinel Service properties + service: + ## Redis Sentinel 
Service type + type: ClusterIP + sentinelPort: 26379 + redisPort: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # sentinelNodePort: + # redisNodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + loadBalancerIP: + +networkPolicy: + ## Specifies whether a NetworkPolicy should be created + ## + enabled: true + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port Redis is listening + ## on. When true, Redis will accept connections from any source + ## (with the correct destination port). + ## + # allowExternal: true + +serviceAccount: + ## Specifies whether a ServiceAccount should be created + ## + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + +rbac: + ## Specifies whether RBAC resources should be created + ## + create: false + + role: + ## Rules to create. 
It follows the role specification + # rules: + # - apiGroups: + # - extensions + # resources: + # - podsecuritypolicies + # verbs: + # - use + # resourceNames: + # - gce.unprivileged + rules: [] + + +## Use password authentication +usePassword: true +## Redis password (both master and slave) +## Defaults to a random 10-character alphanumeric string if not set and usePassword is true +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +password: +## Use existing secret (ignores previous password) +# existingSecret: +## Password key to be retrieved from Redis secret +## +# existingSecretPasswordKey: + +## Mount secrets as files instead of environment variables +usePasswordFile: false + +## Persist data to a persistent volume +persistence: {} + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + +# Redis port +redisPort: 6379 + +## +## Redis Master parameters +## +master: + ## Redis command arguments + ## + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Redis additional command line flags + ## + ## Can be used to specify command line flags, for example: + ## + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + extraFlags: [] + ## Comma-separated list of Redis commands to disable + ## + ## Can be used to disable Redis commands for security reasons. + ## Commands will be completely disabled by renaming each to an empty string. 
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands
+ ##
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Master additional pod labels and annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis Master resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Configure extra options for Redis Master liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Redis Master Node selectors and tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+ ##
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+ ## Redis Master pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Redis Master Service properties
+ service:
+ ## Redis Master Service type
+ type: ClusterIP
+ port: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ loadBalancerIP:
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+ ## Redis Master pod priorityClassName
+ # priorityClassName: {}
+
+
+##
+## Redis Slave properties
+## Note: service.type is a mandatory parameter
+## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master
+##
+slave:
+ ## Slave Service properties
+ service:
+ ## Redis Slave Service type
+ type: ClusterIP
+ ## Redis port
+ port: 6379
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required.
This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ loadBalancerIP:
+
+ ## Redis slave port
+ port: 6379
+
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Redis extra flags
+ extraFlags: []
+ ## List of Redis commands to disable
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Slave pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Configure extra options for Redis Slave liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Redis slave Resource
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+ ## Redis slave selectors and tolerations for pod assignment
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Redis slave pod Annotation and Labels
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis slave pod priorityClassName
+ # priorityClassName: {}
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ enabled: true
+
+ image:
+ registry: docker.io
+ repository: bitnami/redis-exporter
+ tag: 1.0.3-debian-9-r0
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ ## Metrics exporter resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ # resources: {}
+ ## Metrics exporter pod priorityClassName
+ # priorityClassName: {}
+ service:
+ type: ClusterIP
+ ## Use serviceLoadBalancerIP to request a specific static IP,
+ ## otherwise leave blank
+ # loadBalancerIP:
+ annotations: {}
+
+ ## Extra arguments for Metrics exporter, for example:
+ ## extraArgs:
+ ## check-keys: myKey,myOtherKey
+ # extraArgs: {}
+
+ ## Metrics exporter pod Annotation and Labels
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9121"
+ # podLabels: {}
+
+ # Enable this if you're using https://github.com/coreos/prometheus-operator
+ serviceMonitor:
+ enabled: false
+ ## Specify a namespace if needed
+ # namespace: monitoring
+ # fallback to the prometheus default unless specified
+ # interval: 10s
+ ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/helm/charts/tree/master/stable/prometheus-operator#tldr)
+ ## [Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#prometheus-operator-1)
+ ## [Kube Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#exporters)
+ selector:
+ prometheus: kube-prometheus
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+ enabled: false
+ image:
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## Redis config file
+## ref: https://redis.io/topics/config
+##
+configmap: |-
+ # maxmemory-policy volatile-lru
+
+## Sysctl InitContainer
+## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings)
+sysctlImage:
+ enabled: false
+ command: []
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ mountHostSys: false
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-sentinel-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-sentinel-values.yaml
new file mode 100644
index 0000000..36a00e3
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-sentinel-values.yaml
@@ -0,0 +1,524 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+# global:
+# imageRegistry: myRegistryName
+# imagePullSecrets:
+# - myRegistryKeySecretName
+
+## Bitnami Redis image version
+## ref: https://hub.docker.com/r/bitnami/redis/tags/
+##
+image:
+ registry: docker.io
+ repository: bitnami/redis
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 5.0.5-debian-9-r36
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+## Redis pod Security Context
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+
+## Cluster settings
+cluster:
+ enabled: true
+ slaveCount: 3
+
+## Use redis sentinel in the redis pod.
This will disable the master and slave services and
+## create one redis service with ports to the sentinel and the redis instances
+sentinel:
+ enabled: true
+ ## Require password authentication on the sentinel itself
+ ## ref: https://redis.io/topics/sentinel
+ usePassword: true
+ ## Bitnami Redis Sentintel image version
+ ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis-sentinel
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 5.0.5-debian-9-r37
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ masterSet: mymaster
+ initialCheckTimeout: 5
+ quorum: 2
+ downAfterMilliseconds: 60000
+ failoverTimeout: 18000
+ parallelSyncs: 1
+ port: 26379
+ ## Configure extra options for Redis Sentinel liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## Redis Sentinel resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Redis Sentinel Service properties
+ service:
+ ## Redis Sentinel Service
type
+ type: ClusterIP
+ sentinelPort: 26379
+ redisPort: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # sentinelNodePort:
+ # redisNodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ loadBalancerIP:
+
+networkPolicy:
+ ## Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the port Redis is listening
+ ## on. When true, Redis will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ # allowExternal: true
+
+serviceAccount:
+ ## Specifies whether a ServiceAccount should be created
+ ##
+ create: false
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ name:
+
+rbac:
+ ## Specifies whether RBAC resources should be created
+ ##
+ create: false
+
+ role:
+ ## Rules to create.
It follows the role specification
+ # rules:
+ # - apiGroups:
+ # - extensions
+ # resources:
+ # - podsecuritypolicies
+ # verbs:
+ # - use
+ # resourceNames:
+ # - gce.unprivileged
+ rules: []
+
+
+## Use password authentication
+usePassword: true
+## Redis password (both master and slave)
+## Defaults to a random 10-character alphanumeric string if not set and usePassword is true
+## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run
+##
+password:
+## Use existing secret (ignores previous password)
+# existingSecret:
+## Password key to be retrieved from Redis secret
+##
+# existingSecretPasswordKey:
+
+## Mount secrets as files instead of environment variables
+usePasswordFile: false
+
+## Persist data to a persistent volume
+persistence: {}
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+
+# Redis port
+redisPort: 6379
+
+##
+## Redis Master parameters
+##
+master:
+ ## Redis command arguments
+ ##
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Redis additional command line flags
+ ##
+ ## Can be used to specify command line flags, for example:
+ ##
+ ## extraFlags:
+ ## - "--maxmemory-policy volatile-ttl"
+ ## - "--repl-backlog-size 1024mb"
+ extraFlags: []
+ ## Comma-separated list of Redis commands to disable
+ ##
+ ## Can be used to disable Redis commands for security reasons.
+ ## Commands will be completely disabled by renaming each to an empty string.
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands
+ ##
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Master additional pod labels and annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis Master resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Configure extra options for Redis Master liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Redis Master Node selectors and tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+ ##
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+ ## Redis Master pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Redis Master Service properties
+ service:
+ ## Redis Master Service type
+ type: ClusterIP
+ port: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ loadBalancerIP:
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+ ## Redis Master pod priorityClassName
+ # priorityClassName: {}
+
+
+##
+## Redis Slave properties
+## Note: service.type is a mandatory parameter
+## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master
+##
+slave:
+ ## Slave Service properties
+ service:
+ ## Redis Slave Service type
+ type: ClusterIP
+ ## Redis port
+ port: 6379
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required.
This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ loadBalancerIP:
+
+ ## Redis slave port
+ port: 6379
+
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Redis extra flags
+ extraFlags: []
+ ## List of Redis commands to disable
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Slave pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Configure extra options for Redis Slave liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Redis slave Resource
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+ ## Redis slave selectors and tolerations for pod assignment
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Redis slave pod Annotation and Labels
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis slave pod priorityClassName
+ # priorityClassName: {}
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ enabled: true
+
+ image:
+ registry: docker.io
+ repository: bitnami/redis-exporter
+ tag: 1.0.3-debian-9-r0
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ ## Metrics exporter resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ # resources: {}
+ ## Metrics exporter pod priorityClassName
+ # priorityClassName: {}
+ service:
+ type: ClusterIP
+ ## Use serviceLoadBalancerIP to request a specific static IP,
+ ## otherwise leave blank
+ # loadBalancerIP:
+ annotations: {}
+
+ ## Extra arguments for Metrics exporter, for example:
+ ## extraArgs:
+ ## check-keys: myKey,myOtherKey
+ # extraArgs: {}
+
+ ## Metrics exporter pod Annotation and Labels
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9121"
+ # podLabels: {}
+
+ # Enable this if you're using https://github.com/coreos/prometheus-operator
+ serviceMonitor:
+ enabled: false
+ ## Specify a namespace if needed
+ # namespace: monitoring
+ # fallback to the prometheus default unless specified
+ # interval: 10s
+ ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/helm/charts/tree/master/stable/prometheus-operator#tldr)
+ ## [Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#prometheus-operator-1)
+ ## [Kube Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#exporters)
+ selector:
+ prometheus: kube-prometheus
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+ enabled: false
+ image:
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## Redis config file
+## ref: https://redis.io/topics/config
+##
+configmap: |-
+ # maxmemory-policy volatile-lru
+
+## Sysctl InitContainer
+## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings)
+sysctlImage:
+ enabled: false
+ command: []
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ mountHostSys: false
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-values.yaml
new file mode 100644
index 0000000..6fa9c88
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/production-values.yaml
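Review bot: `usePasswordFile: false` in this production sentinel values file means the Redis password reaches the containers as an environment variable, going by the comment directly above the setting ("Mount secrets as files instead of environment variables"). For a profile named production, `usePasswordFile: true` is the safer default, ideally with `existingSecret` set so that `password:` is not left to the random 10-character fallback the comment describes. The same two settings appear unchanged in the values file whose hunk ends just before this one and in ci/production-values.yaml below. If this chart copy is meant to track the upstream Bitnami chart, put the override in the parent chart's values instead of editing it here.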
@@ -0,0 +1,525 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+# global:
+# imageRegistry: myRegistryName
+# imagePullSecrets:
+# - myRegistryKeySecretName
+
+## Bitnami Redis image version
+## ref: https://hub.docker.com/r/bitnami/redis/tags/
+##
+image:
+ registry: docker.io
+ repository: bitnami/redis
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 5.0.5-debian-9-r36
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+## Redis pod Security Context
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+
+## Cluster settings
+cluster:
+ enabled: true
+ slaveCount: 3
+
+## Use redis sentinel in the redis pod.
This will disable the master and slave services and
+## create one redis service with ports to the sentinel and the redis instances
+sentinel:
+ enabled: false
+ ## Require password authentication on the sentinel itself
+ ## ref: https://redis.io/topics/sentinel
+ usePassword: true
+ ## Bitnami Redis Sentintel image version
+ ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis-sentinel
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 5.0.5-debian-9-r37
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ masterSet: mymaster
+ initialCheckTimeout: 5
+ quorum: 2
+ downAfterMilliseconds: 60000
+ failoverTimeout: 18000
+ parallelSyncs: 1
+ port: 26379
+ ## Configure extra options for Redis Sentinel liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## Redis Sentinel resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Redis Sentinel Service properties
+ service:
+ ## Redis Sentinel
Service type
+ type: ClusterIP
+ sentinelPort: 26379
+ redisPort: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # sentinelNodePort:
+ # redisNodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ loadBalancerIP:
+
+networkPolicy:
+ ## Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the port Redis is listening
+ ## on. When true, Redis will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ # allowExternal: true
+
+serviceAccount:
+ ## Specifies whether a ServiceAccount should be created
+ ##
+ create: false
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ name:
+
+rbac:
+ ## Specifies whether RBAC resources should be created
+ ##
+ create: false
+
+ role:
+ ## Rules to create.
It follows the role specification
+ # rules:
+ # - apiGroups:
+ # - extensions
+ # resources:
+ # - podsecuritypolicies
+ # verbs:
+ # - use
+ # resourceNames:
+ # - gce.unprivileged
+ rules: []
+
+
+## Use password authentication
+usePassword: true
+## Redis password (both master and slave)
+## Defaults to a random 10-character alphanumeric string if not set and usePassword is true
+## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run
+##
+password:
+## Use existing secret (ignores previous password)
+# existingSecret:
+## Password key to be retrieved from Redis secret
+##
+# existingSecretPasswordKey:
+
+## Mount secrets as files instead of environment variables
+usePasswordFile: false
+
+## Persist data to a persistent volume
+persistence: {}
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+
+# Redis port
+redisPort: 6379
+
+##
+## Redis Master parameters
+##
+master:
+ ## Redis command arguments
+ ##
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Redis additional command line flags
+ ##
+ ## Can be used to specify command line flags, for example:
+ ##
+ ## extraFlags:
+ ## - "--maxmemory-policy volatile-ttl"
+ ## - "--repl-backlog-size 1024mb"
+ extraFlags: []
+ ## Comma-separated list of Redis commands to disable
+ ##
+ ## Can be used to disable Redis commands for security reasons.
+ ## Commands will be completely disabled by renaming each to an empty string.
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis Master additional pod labels and annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + podAnnotations: {} + + ## Redis Master resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Configure extra options for Redis Master liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + + ## Redis Master Node selectors and tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + ## Redis Master pod/node affinity/anti-affinity + ## + affinity: {} + + ## Redis Master Service properties + service: + ## Redis Master Service type + type: ClusterIP + port: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + loadBalancerIP: + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis images. + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + + ## Update strategy, can be set to RollingUpdate or onDelete by default. + ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + + ## Redis Master pod priorityClassName + # priorityClassName: {} + + +## +## Redis Slave properties +## Note: service.type is a mandatory parameter +## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master +## +slave: + ## Slave Service properties + service: + ## Redis Slave Service type + type: ClusterIP + ## Redis port + port: 6379 + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. 
This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + loadBalancerIP: + + ## Redis slave port + port: 6379 + + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Redis extra flags + extraFlags: [] + ## List of Redis commands to disable + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis Slave pod/node affinity/anti-affinity + ## + affinity: {} + + ## Configure extra options for Redis Slave liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + + ## Redis slave Resource + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis images. + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + + ## Update strategy, can be set to RollingUpdate or onDelete by default. 
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + + ## Redis slave selectors and tolerations for pod assignment + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Redis slave pod Annotation and Labels + podLabels: {} + podAnnotations: {} + + ## Redis slave pod priorityClassName + # priorityClassName: {} + +## Prometheus Exporter / Metrics +## +metrics: + enabled: true + + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.0.3-debian-9-r0 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Metrics exporter resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + # resources: {} + + ## Extra arguments for Metrics exporter, for example: + ## extraArgs: + ## check-keys: myKey,myOtherKey + # extraArgs: {} + ## Metrics exporter pod priorityClassName + # priorityClassName: {} + service: + type: ClusterIP + ## Use serviceLoadBalancerIP to request a specific static IP, + ## otherwise leave blank + # loadBalancerIP: + annotations: {} + + ## Metrics exporter pod Annotation and Labels + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + # podLabels: {} + + # Enable this if you're using https://github.com/coreos/prometheus-operator + serviceMonitor: + enabled: false + ## Specify a namespace if needed + # namespace: monitoring + # fallback to the prometheus default unless specified + # interval: 10s + ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/helm/charts/tree/master/stable/prometheus-operator#tldr) + ## [Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#prometheus-operator-1) + ## [Kube Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#exporters) + selector: + prometheus: kube-prometheus + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## Redis config file +## ref: https://redis.io/topics/config +## +configmap: |- + # maxmemory-policy volatile-lru + +## Sysctl InitContainer +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +sysctlImage: + enabled: false + command: [] + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + mountHostSys: false + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redis-lib-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redis-lib-values.yaml new file mode 100644 index 0000000..e03382b --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redis-lib-values.yaml @@ -0,0 +1,13 @@ +## Redis library image +## ref: https://hub.docker.com/r/library/redis/ +## +image: + registry: docker.io + repository: redis + tag: '5.0.5' + +master: + command: "redis-server" + +slave: + command: "redis-server" diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redisgraph-module-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redisgraph-module-values.yaml new file mode 100644 index 0000000..8096020 --- /dev/null 
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/ci/redisgraph-module-values.yaml
@@ -0,0 +1,10 @@
+image:
+ registry: docker.io
+ repository: redislabs/redisgraph
+ tag: '1.0.0'
+
+master:
+ command: "redis-server"
+
+slave:
+ command: "redis-server"
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/NOTES.txt b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/NOTES.txt
new file mode 100644
index 0000000..5b1089e
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/NOTES.txt
@@ -0,0 +1,104 @@ +** Please be patient while the chart is being deployed ** + +{{- if contains .Values.master.service.type "LoadBalancer" }} +{{- if not .Values.usePassword }} +{{ if and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }} + +------------------------------------------------------------------------------- + WARNING + + By specifying "master.service.type=LoadBalancer" and "usePassword=false" you have + most likely exposed the Redis service externally without any authentication + mechanism. + + For security reasons, we strongly suggest that you switch to "ClusterIP" or + "NodePort". As alternative, you can also switch to "usePassword=true" + providing a valid password on "password" parameter. + +------------------------------------------------------------------------------- +{{- end }} +{{- end }} +{{- end }} + +{{- if .Values.cluster.enabled }} +{{- if .Values.sentinel.enabled }} +Redis can be accessed via port {{ .Values.sentinel.service.redisPort }} on the following DNS name from within your cluster: + +{{ template "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations + +For read/write operations, first access the Redis Sentinel cluster, which is available in port {{ .Values.sentinel.service.sentinelPort }} using the same domain name above. + +{{- else }} +Redis can be accessed via port {{ .Values.redisPort }} on the following DNS names from within your cluster: + +{{ template "redis.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read/write operations +{{ template "redis.fullname" . }}-slave.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read-only operations +{{- end }} + +{{- else }} +Redis can be accessed via port {{ .Values.redisPort }} on the following DNS name from within your cluster: + +{{ template "redis.fullname" . 
}}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + +{{- end }} + +{{ if .Values.usePassword }} +To get your password run: + + export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 --decode) +{{- end }} + +To connect to your Redis server: + +1. Run a Redis pod that you can use as a client: + + kubectl run --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }}-client --rm --tty -i --restart='Never' \ + {{ if .Values.usePassword }} --env REDIS_PASSWORD=$REDIS_PASSWORD \{{ end }} + {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "redis.fullname" . }}-client=true" \{{- end }} + --image {{ template "redis.image" . }} -- bash + +2. Connect using the Redis CLI: + +{{- if .Values.cluster.enabled }} + {{- if .Values.sentinel.enabled }} + redis-cli -h {{ template "redis.fullname" . }} -p {{ .Values.sentinel.service.redisPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} # Read only operations + redis-cli -h {{ template "redis.fullname" . }} -p {{ .Values.sentinel.service.sentinelPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} # Sentinel access + {{- else }} + redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} + redis-cli -h {{ template "redis.fullname" . }}-slave{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} + {{- end }} +{{- else }} + redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} +{{- end }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label +{{ template "redis.fullname" . }}-client=true" +will be able to connect to redis. 
+{{- else -}} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.master.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "redis.fullname" . }}-master) + redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} + +{{- else if contains "LoadBalancer" .Values.master.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "redis.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + redis-cli -h $SERVICE_IP -p {{ .Values.master.service.port }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} + +{{- else if contains "ClusterIP" .Values.master.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "redis.fullname" . }}-master {{ .Values.redisPort }}:{{ .Values.redisPort }} & + redis-cli -h 127.0.0.1 -p {{ .Values.redisPort }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} + +{{- end }} +{{- end }} + +{{ include "redis.checkRollingTags" . }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/_helpers.tpl b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/_helpers.tpl new file mode 100644 index 0000000..3397a7b --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/_helpers.tpl 
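Review bot: The unauthenticated-exposure warning at the top of NOTES.txt is gated on `and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal)`, so it stays silent when NetworkPolicy is disabled and `allowExternal` is left unset, which is the case of a LoadBalancer with no password and no policy at all. With no policy in place `allowExternal` has no effect, so the gate should be `{{ if or (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }}`. The outer test `contains .Values.master.service.type "LoadBalancer"` also passes its arguments in the opposite order from the later `contains "NodePort" .Values.master.service.type`; for consistency it should read `contains "LoadBalancer" .Values.master.service.type`.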
@@ -0,0 +1,355 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "redis.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the chart plus release name (used by the chart label) +*/}} +{{- define "redis.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "redis.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityPolicy. 
+*/}} +{{- define "podSecurityPolicy.apiVersion" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Redis image name +*/}} +{{- define "redis.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Redis Sentinel image name +*/}} +{{- define "sentinel.image" -}} +{{- $registryName := .Values.sentinel.image.registry -}} +{{- $repositoryName := .Values.sentinel.image.repository -}} +{{- $tag := .Values.sentinel.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. 
+Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "redis.metrics.image" -}} +{{- $registryName := .Values.metrics.image.registry -}} +{{- $repositoryName := .Values.metrics.image.repository -}} +{{- $tag := .Values.metrics.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "redis.volumePermissions.image" -}} +{{- $registryName := .Values.volumePermissions.image.registry -}} +{{- $repositoryName := .Values.volumePermissions.image.repository -}} +{{- $tag := .Values.volumePermissions.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. 
+Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redis.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "redis.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "redis.secretName" -}} +{{- if .Values.existingSecret -}} +{{- printf "%s" .Values.existingSecret -}} +{{- else -}} +{{- printf "%s" (include "redis.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password key to be retrieved from Redis secret. 
+*/}} +{{- define "redis.secretPasswordKey" -}} +{{- if and .Values.existingSecret .Values.existingSecretPasswordKey -}} +{{- printf "%s" .Values.existingSecretPasswordKey -}} +{{- else -}} +{{- printf "redis-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Return Redis password +*/}} +{{- define "redis.password" -}} +{{- if not (empty .Values.global.redis.password) }} + {{- .Values.global.redis.password -}} +{{- else if not (empty .Values.password) -}} + {{- .Values.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return sysctl image +*/}} +{{- define "redis.sysctl.image" -}} +{{- $registryName := default "docker.io" .Values.sysctlImage.registry -}} +{{- $repositoryName := .Values.sysctlImage.repository -}} +{{- $tag := default "buster" .Values.sysctlImage.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "redis.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} +{{- end }} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.sysctlImage.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.sysctlImage.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* Check if there are rolling tags in the images */}} +{{- define "redis.checkRollingTags" -}} +{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} +{{- if and (contains "bitnami/" .Values.sentinel.image.repository) (not (.Values.sentinel.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .Values.sentinel.image.repository }}:{{ .Values.sentinel.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. 
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} +{{- end -}} + +{{/* +Return the proper Storage Class for master +*/}} +{{- define "redis.master.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.master.persistence.storageClass -}} + {{- if (eq "-" .Values.master.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.master.persistence.storageClass -}} + {{- if (eq "-" .Values.master.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Storage Class for slave +*/}} +{{- define "redis.slave.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. 
+*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.slave.persistence.storageClass -}} + {{- if (eq "-" .Values.slave.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.slave.persistence.storageClass -}} + {{- if (eq "-" .Values.slave.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/configmap.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/configmap.yaml new file mode 100644 index 0000000..ecfc063 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/configmap.yaml 
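Review bot: In `redis.password` the fallback `randAlphaNum 10` produces a new value each time the helper is rendered, so a release installed without `password` or `existingSecret` would get a different generated password on every upgrade wherever this helper feeds the Secret, and ten alphanumeric characters is short for a service credential. I would lengthen it to `{{- randAlphaNum 32 -}}` and add a template comment above the define saying that the generated value is not stable across renders and that production installs should set `existingSecret`. The same helper reads `.Values.global.redis.password` without the `{{- if .Values.global }}` guard that the image helpers in this file use, so rendering presumably fails when `global.redis` is absent; the chart's default values that would settle this are not part of this hunk.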
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ redis.conf: |-
+{{- if .Values.configmap }}
+ # User-supplied configuration:
+{{ tpl .Values.configmap . | indent 4 }}
+{{- end }}
+ master.conf: |-
+ dir {{ .Values.master.persistence.path }}
+{{- if .Values.master.configmap }}
+ # User-supplied master configuration:
+{{ tpl .Values.master.configmap . | indent 4 }}
+{{- end }}
+{{- if .Values.master.disableCommands }}
+{{- range .Values.master.disableCommands }}
+ rename-command {{ . }} ""
+{{- end }}
+{{- end }}
+ replica.conf: |-
+ dir {{ .Values.slave.persistence.path }}
+ slave-read-only yes
+{{- if .Values.slave.configmap }}
+ # User-supplied slave configuration:
+{{ tpl .Values.slave.configmap . | indent 4 }}
+{{- end }}
+{{- if .Values.slave.disableCommands }}
+{{- range .Values.slave.disableCommands }}
+ rename-command {{ . }} ""
+{{- end }}
+{{- end }}
+{{- if .Values.sentinel.enabled }}
+ sentinel.conf: |-
+ dir "/tmp"
+ bind 0.0.0.0
+ port {{ .Values.sentinel.port }}
+ sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.redisPort }} {{ .Values.sentinel.quorum }}
+ sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }}
+ sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }}
+ sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }}
+{{- if .Values.sentinel.configmap }}
+ # User-supplied sentinel configuration:
+{{ tpl .Values.sentinel.configmap . | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/headless-svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/headless-svc.yaml
new file mode 100644
index 0000000..21082b2
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/headless-svc.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-headless
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: redis
+ port: {{ .Values.redisPort }}
+ targetPort: redis
+{{- if .Values.sentinel.enabled }}
+ - name: redis-sentinel
+ port: {{ .Values.sentinel.port }}
+ targetPort: redis-sentinel
+{{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/health-configmap.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/health-configmap.yaml
new file mode 100644
index 0000000..dd322fd
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/health-configmap.yaml
@@ -0,0 +1,155 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "redis.fullname" . }}-health
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ ping_readiness_local.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 9 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_PASSWORD $no_auth_warning \
+{{- end }}
+ -h localhost \
+ -p $REDIS_PORT \
+ ping
+ )
+ if [ "$response" != "PONG" ]; then
+ echo "$response"
+ exit 1
+ fi
+ ping_liveness_local.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 9 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_PASSWORD $no_auth_warning \
+{{- end }}
+ -h localhost \
+ -p $REDIS_PORT \
+ ping
+ )
+ if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
+ echo "$response"
+ exit 1
+ fi
+{{- if .Values.sentinel.enabled }}
+ ping_sentinel.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 9 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_PASSWORD $no_auth_warning \
+{{- end }}
+ -h localhost \
+ -p $REDIS_SENTINEL_PORT \
+ ping
+ )
+ if [ "$response" != "PONG" ]; then
+ echo "$response"
+ exit 1
+ fi
+ parse_sentinels.awk: |-
+ /ip/ {FOUND_IP=1}
+ /port/ {FOUND_PORT=1}
+ /runid/ {FOUND_RUNID=1}
+ !/ip|port|runid/ {
+ if (FOUND_IP==1) {
+ IP=$1; FOUND_IP=0;
+ }
+ else if (FOUND_PORT==1) {
+ PORT=$1;
+ FOUND_PORT=0;
+ } else if (FOUND_RUNID==1) {
+ printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0;
+ }
+ }
+{{- end }}
+ ping_readiness_master.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
+ export REDIS_MASTER_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 9 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_MASTER_PASSWORD $no_auth_warning \
+{{- end }}
+ -h $REDIS_MASTER_HOST \
+ -p $REDIS_MASTER_PORT_NUMBER \
+ ping
+ )
+ if [ "$response" != "PONG" ]; then
+ echo "$response"
+ exit 1
+ fi
+ ping_liveness_master.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
+ export REDIS_MASTER_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 9 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_MASTER_PASSWORD $no_auth_warning \
+{{- end }}
+ -h $REDIS_MASTER_HOST \
+ -p $REDIS_MASTER_PORT_NUMBER \
+ ping
+ )
+ if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
+ echo "$response"
+ exit 1
+ fi
+ ping_readiness_local_and_master.sh: |-
+ script_dir="$(dirname "$0")"
+ exit_status=0
+ "$script_dir/ping_readiness_local.sh" $1 || exit_status=$?
+ "$script_dir/ping_readiness_master.sh" $1 || exit_status=$?
+ exit $exit_status
+ ping_liveness_local_and_master.sh: |-
+ script_dir="$(dirname "$0")"
+ exit_status=0
+ "$script_dir/ping_liveness_local.sh" $1 || exit_status=$?
+ "$script_dir/ping_liveness_master.sh" $1 || exit_status=$?
+ exit $exit_status
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-prometheus.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-prometheus.yaml
new file mode 100644
index 0000000..af9a669
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-prometheus.yaml
@@ -0,0 +1,32 @@
+{{- if and (.Values.metrics.enabled) (.Values.metrics.serviceMonitor.enabled) }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "redis.fullname" . }}
+ {{- if .Values.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- range $key, $value := .Values.metrics.serviceMonitor.selector }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: metrics
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end -}}
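Review bot: Every `ping_*` script in health-configmap.yaml passes the secret as an unquoted command-line argument, `-a $REDIS_PASSWORD $no_auth_warning \` (and `-a $REDIS_MASTER_PASSWORD ...` in the master scripts). A password containing whitespace or glob characters is word-split, so the probe fails authentication, and the value sits in the process arguments for as long as the probe runs. Where the image's redis-cli supports it, the scripts could `export REDISCLI_AUTH="$REDIS_PASSWORD"` before the call and drop the `-a` line; if `-a` stays it should at least be quoted, `-a "$REDIS_PASSWORD" $no_auth_warning \`.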
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-svc.yaml
new file mode 100644
index 0000000..141c8fc
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/metrics-svc.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-metrics
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.metrics.service.labels -}}
+ {{ toYaml .Values.metrics.service.labels | nindent 4 }}
+ {{- end -}}
+ {{- if .Values.metrics.service.annotations }}
+ annotations: {{ toYaml .Values.metrics.service.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.metrics.service.type }}
+ {{ if eq .Values.metrics.service.type "LoadBalancer" -}} {{ if .Values.metrics.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
+ {{ end -}}
+ {{- end -}}
+ ports:
+ - name: metrics
+ port: 9121
+ targetPort: metrics
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/networkpolicy.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/networkpolicy.yaml
new file mode 100644
index 0000000..fb75681
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/networkpolicy.yaml
@@ -0,0 +1,74 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ {{- if .Values.cluster.enabled }}
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ # Allow outbound connections to other cluster pods
+ - ports:
+ - port: {{ .Values.redisPort }}
+ {{- if .Values.sentinel.enabled }}
+ - port: {{ .Values.sentinel.port }}
+ {{- end }}
+ to:
+ - podSelector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ {{- end }}
+ ingress:
+ # Allow inbound connections
+ - ports:
+ - port: {{ .Values.redisPort }}
+ {{- if .Values.sentinel.enabled }}
+ - port: {{ .Values.sentinel.port }}
+ {{- end }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "redis.fullname" . }}-client: "true"
+ - podSelector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ {{- if .Values.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ # Allow prometheus scrapes for metrics
+ - ports:
+ - port: 9121
+ {{- end }}
+{{- end }}
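Review bot: The last ingress rule, `- ports:` / `- port: 9121`, carries no `from`, so once `metrics.enabled` is set the exporter port accepts traffic from every pod in every namespace, even when `networkPolicy.allowExternal` is false and the Redis port is restricted to labelled clients. If that is intended, the comment should say so, e.g. `# Allow prometheus scrapes for metrics (no "from": reachable from any source)`; otherwise the rule needs a `from` with a selector for the monitoring namespace or pods. The egress block under `cluster.enabled` also admits DNS on UDP 53 only, so lookups that fall back to TCP are dropped once egress filtering is on; a second `- port: 53` entry with `protocol: TCP` would cover that.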
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/prometheusrule.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/prometheusrule.yaml
new file mode 100644
index 0000000..b955946
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/prometheusrule.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ template "redis.fullname" . }}
+ {{- if .Values.metrics.prometheusRule.namespace }}
+ namespace: {{ .Values.metrics.prometheusRule.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+{{- with .Values.metrics.prometheusRule.additionalLabels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{- with .Values.metrics.prometheusRule.rules }}
+ groups:
+ - name: {{ template "redis.name" $ }}
+ rules: {{ tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/psp.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/psp.yaml
new file mode 100644
index 0000000..08e0840
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/psp.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.podSecurityPolicy.create }}
+apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.securityContext.fsGroup }}
+ max: {{ .Values.securityContext.fsGroup }}
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: false
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.securityContext.runAsUser }}
+ max: {{ .Values.securityContext.runAsUser }}
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.securityContext.runAsUser }}
+ max: {{ .Values.securityContext.runAsUser }}
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-statefulset.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-statefulset.yaml
new file mode 100644
index 0000000..1e5b4cb
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-statefulset.yaml
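Review bot: The `supplementalGroups` range in psp.yaml is bounded by `.Values.securityContext.runAsUser`, a user id, which looks like a copy of the `runAsUser` block above it. A group id is presumably meant, i.e. `- min: {{ .Values.securityContext.fsGroup }}` and `max: {{ .Values.securityContext.fsGroup }}`. The policy also sets `privileged: false`, forces a single `runAsUser` and allows no `hostPath` volume, while redis-master-statefulset.yaml in this same patch defines init containers with `runAsUser: 0` and `privileged: true` plus a `hostPath` mount of `/sys`. A comment at the top of the template should state that `podSecurityPolicy.create` is not expected to admit pods when `volumePermissions.enabled` or `sysctlImage.enabled` is set, or the policy should be widened conditionally for those cases.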
@@ -0,0 +1,420 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "redis.fullname" . }}-master + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + role: master + serviceName: {{ template "redis.fullname" . }}-headless + template: + metadata: + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + role: master +{{- if .Values.master.podLabels }} +{{ toYaml .Values.master.podLabels | indent 8 }} +{{- end }} +{{- if and .Values.metrics.enabled .Values.metrics.podLabels }} +{{ toYaml .Values.metrics.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.master.podAnnotations }} +{{ toYaml .Values.master.podAnnotations | indent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} +{{ toYaml .Values.metrics.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- include "redis.imagePullSecrets" . | indent 6 }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if .Values.securityContext.sysctls }} + sysctls: +{{ toYaml .Values.securityContext.sysctls | indent 8 }} + {{- end }} + {{- end }} + serviceAccountName: "{{ template "redis.serviceAccountName" . }}" + {{- if .Values.master.priorityClassName }} + priorityClassName: "{{ .Values.master.priorityClassName }}" + {{- end }} + {{- with .Values.master.affinity }} + affinity: +{{ tpl (toYaml .) 
$ | indent 8 }} + {{- end }} + {{- if .Values.master.nodeSelector }} + nodeSelector: +{{ toYaml .Values.master.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.master.tolerations }} + tolerations: +{{ toYaml .Values.master.tolerations | indent 8 }} + {{- end }} + {{- if .Values.master.schedulerName }} + schedulerName: "{{ .Values.master.schedulerName }}" + {{- end }} + containers: + - name: {{ template "redis.name" . }} + image: "{{ template "redis.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + command: + - /bin/bash + - -c + - | + {{- if (eq (.Values.securityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.master.persistence.path }} + {{- end }} + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then + cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + ARGS=("--port" "${REDIS_PORT}") + {{- if .Values.usePassword }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") + {{- if .Values.master.extraFlags }} + {{- range .Values.master.extraFlags }} + ARGS+=({{ . 
| quote }}) + {{- end }} + {{- end }} + {{- if .Values.master.command }} + {{ .Values.master.command }} ${ARGS[@]} + {{- else }} + redis-server "${ARGS[@]}" + {{- end }} + env: + - name: REDIS_REPLICATION_MODE + value: master + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_PORT + value: {{ .Values.redisPort | quote }} + ports: + - name: redis + containerPort: {{ .Values.redisPort }} + {{- if .Values.master.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.master.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.master.readinessProbe.enabled}} + readinessProbe: + initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.master.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }} + {{- end }} + resources: +{{ toYaml .Values.master.resources | indent 10 }} + volumeMounts: + - name: health + mountPath: /health + {{- if 
.Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc/ + {{- if and .Values.cluster.enabled .Values.sentinel.enabled }} + - name: sentinel + image: "{{ template "sentinel.image" . }}" + imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + command: + - /bin/bash + - -c + - | + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]];then + cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.usePassword }} + printf "\nsentinel auth-pass {{ .Values.sentinel.masterSet }} $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.sentinel.usePassword }} + printf "\nrequirepass $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + {{- end }} + {{- if .Values.sentinel.staticID }} + printf "\nsentinel myid $(echo $HOSTNAME | openssl sha1 | awk '{ print $2 }')" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + fi + echo "Getting information about current running sentinels" + # Get information from existing sentinels + existing_sentinels=$(timeout -s 9 {{ .Values.sentinel.initialCheckTimeout }} redis-cli --raw -h {{ template "redis.fullname" . 
}} -a "$REDIS_PASSWORD" -p {{ .Values.sentinel.service.sentinelPort }} SENTINEL sentinels {{ .Values.sentinel.masterSet }}) + echo "$existing_sentinels" | awk -f /health/parse_sentinels.awk | tee -a /opt/bitnami/redis-sentinel/etc/sentinel.conf + + redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel + env: + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_SENTINEL_PORT + value: {{ .Values.sentinel.port | quote }} + ports: + - name: redis-sentinel + containerPort: {{ .Values.sentinel.port }} + {{- if .Values.sentinel.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.sentinel.readinessProbe.enabled}} + readinessProbe: + initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- 
end }} + resources: +{{ toYaml .Values.sentinel.resources | indent 10 }} + volumeMounts: + - name: health + mountPath: /health + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis-sentinel/mounted-etc + - name: sentinel-tmp-conf + mountPath: /opt/bitnami/redis-sentinel/etc/ + {{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "redis.fullname" . }} + {{- if and .Values.usePassword (not .Values.usePasswordFile) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + ports: + - name: metrics + containerPort: 9121 + resources: +{{ toYaml .Values.metrics.resources | indent 10 }} +{{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and ( and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) ) .Values.securityContext.enabled) }} + {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} + initContainers: + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: "{{ template "redis.volumePermissions.image" . 
}}" + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.master.persistence.path }}"] + securityContext: + runAsUser: 0 + resources: +{{ toYaml .Values.volumePermissions.resources | indent 10 }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + {{- end }} + {{- if .Values.sysctlImage.enabled }} + - name: init-sysctl + image: {{ template "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} + resources: +{{ toYaml .Values.sysctlImage.resources | indent 10 }} + {{- if .Values.sysctlImage.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + command: +{{ toYaml .Values.sysctlImage.command | indent 10 }} + securityContext: + privileged: true + runAsUser: 0 + {{- end }} + {{- end }} + volumes: + - name: health + configMap: + name: {{ template "redis.fullname" . }}-health + defaultMode: 0755 + {{- if .Values.usePasswordFile }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ template "redis.fullname" . 
}} + {{- if not .Values.master.persistence.enabled }} + - name: "redis-data" + emptyDir: {} + {{- else }} + {{- if .Values.persistence.existingClaim }} + - name: "redis-data" + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim }} + {{- end }} + {{- end }} + {{- if .Values.sysctlImage.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: redis-tmp-conf + emptyDir: {} + {{- if and .Values.cluster.enabled .Values.sentinel.enabled }} + - name: sentinel-tmp-conf + emptyDir: {} + {{- end }} + {{- if and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: master + spec: + accessModes: + {{- range .Values.master.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.master.persistence.size | quote }} + {{ include "redis.master.storageClass" . }} + selector: + {{- if .Values.master.persistence.matchLabels }} + matchLabels: +{{ toYaml .Values.master.persistence.matchLabels | indent 12 }} + {{- end -}} + {{- if .Values.master.persistence.matchExpressions }} + matchExpressions: +{{ toYaml .Values.master.persistence.matchExpressions | indent 12 }} + {{- end -}} + {{- end }} + updateStrategy: + type: {{ .Values.master.statefulset.updateStrategy }} + {{- if .Values.master.statefulset.rollingUpdatePartition }} + {{- if (eq "Recreate" .Values.master.statefulset.updateStrategy) }} + rollingUpdate: null + {{- else }} + rollingUpdate: + partition: {{ .Values.master.statefulset.rollingUpdatePartition }} + {{- end }} + {{- end }} 
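Review bot: The sentinel container's start script splices the secret into a printf format string, `printf "\nsentinel auth-pass {{ .Values.sentinel.masterSet }} $REDIS_PASSWORD"` (and `printf "\nrequirepass $REDIS_PASSWORD"`), so a `%` or backslash in the password is interpreted by printf and the value written to sentinel.conf no longer matches the real one. Passing it as an argument avoids that: `printf '\nsentinel auth-pass %s %s' '{{ .Values.sentinel.masterSet }}' "$REDIS_PASSWORD"`. In the redis container the custom-command branch runs `{{ .Values.master.command }} ${ARGS[@]}` with the array unquoted, which word-splits the `--requirepass` value; it should read `"${ARGS[@]}"`, as the `redis-server` branch already does. Both readiness probes (redis and sentinel) also pass `livenessProbe.timeoutSeconds` to the ping script while declaring `readinessProbe.timeoutSeconds`; the argument should use the readiness value.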
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-svc.yaml
new file mode 100644
index 0000000..6f9ae0d
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-master-svc.yaml
@@ -0,0 +1,40 @@
+{{- if not .Values.sentinel.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-master
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.master.service.labels -}}
+ {{ toYaml .Values.master.service.labels | nindent 4 }}
+ {{- end -}}
+{{- if .Values.master.service.annotations }}
+ annotations: {{ toYaml .Values.master.service.annotations | nindent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.master.service.type }}
+ {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.master.service.loadBalancerIP }}
+ {{- end }}
+ {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- with .Values.master.service.loadBalancerSourceRanges }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+ {{- end }}
+ ports:
+ - name: redis
+ port: {{ .Values.master.service.port }}
+ targetPort: redis
+ {{- if .Values.master.service.nodePort }}
+ nodePort: {{ .Values.master.service.nodePort }}
+ {{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ role: master
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-role.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-role.yaml
new file mode 100644
index 0000000..38d08e2
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-role.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+{{- if .Values.podSecurityPolicy.create }}
+ - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ template "redis.fullname" . }}]
+{{- end -}}
+{{- if .Values.rbac.role.rules }}
+{{ toYaml .Values.rbac.role.rules | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-rolebinding.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-rolebinding.yaml
new file mode 100644
index 0000000..3657f14
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "redis.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "redis.serviceAccountName" . }}
+{{- end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-serviceaccount.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-serviceaccount.yaml
new file mode 100644
index 0000000..5c9707f
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "redis.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-statefulset.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-statefulset.yaml
new file mode 100644
index 0000000..b19b933
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-statefulset.yaml
@@ -0,0 +1,438 @@ +{{- if .Values.cluster.enabled }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "redis.fullname" . }}-slave + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.slave.updateStrategy }} + strategy: +{{ toYaml .Values.slave.updateStrategy | indent 4 }} +{{- end }} + replicas: {{ .Values.cluster.slaveCount }} + serviceName: {{ template "redis.fullname" . }}-headless + selector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + role: slave + template: + metadata: + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + chart: {{ template "redis.chart" . }} + role: slave + {{- if .Values.slave.podLabels }} +{{ toYaml .Values.slave.podLabels | indent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} +{{ toYaml .Values.metrics.podLabels | indent 8 }} + {{- end }} + annotations: + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.slave.podAnnotations }} +{{ toYaml .Values.slave.podAnnotations | indent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} +{{ toYaml .Values.metrics.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- include "redis.imagePullSecrets" . | indent 6 }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- if .Values.securityContext.sysctls }} + sysctls: +{{ toYaml .Values.securityContext.sysctls | indent 8 }} + {{- end }} + {{- end }} + serviceAccountName: "{{ template "redis.serviceAccountName" . 
}}" + {{- if .Values.slave.priorityClassName }} + priorityClassName: "{{ .Values.slave.priorityClassName }}" + {{- end }} + {{- if .Values.slave.nodeSelector }} + nodeSelector: +{{ toYaml .Values.slave.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.slave.tolerations }} + tolerations: +{{ toYaml .Values.slave.tolerations | indent 8 }} + {{- end }} + {{- if .Values.slave.schedulerName }} + schedulerName: "{{ .Values.slave.schedulerName }}" + {{- end }} + {{- with .Values.slave.affinity }} + affinity: +{{ tpl (toYaml .) $ | indent 8 }} + {{- end }} + containers: + - name: {{ template "redis.name" . }} + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + command: + - /bin/bash + - -c + - | + {{- if (eq (.Values.securityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.slave.persistence.path }} + {{- end }} + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` + export REDIS_MASTER_PASSWORD=$password_aux + fi + if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + if [[ ! 
-f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + ARGS=("--port" "${REDIS_PORT}") + ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + {{- if .Values.usePassword }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + {{- if .Values.slave.extraFlags }} + {{- range .Values.slave.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + {{- if .Values.slave.command }} + {{ .Values.slave.command }} "${ARGS[@]}" + {{- else }} + redis-server "${ARGS[@]}" + {{- end }} + env: + - name: REDIS_REPLICATION_MODE + value: slave + - name: REDIS_MASTER_HOST + value: {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + - name: REDIS_PORT + value: {{ .Values.redisPort | quote }} + - name: REDIS_MASTER_PORT_NUMBER + value: {{ .Values.redisPort | quote }} + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + - name: REDIS_MASTER_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + - name: REDIS_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . 
}} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.redisPort }} + {{- if .Values.slave.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.slave.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.slave.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}} + exec: + command: + - sh + - -c + {{- if .Values.sentinel.enabled }} + - /health/ping_liveness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- else }} + - /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- end }} + {{- end }} + + {{- if .Values.slave.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.slave.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.slave.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + {{- if .Values.sentinel.enabled }} + - /health/ping_readiness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- else }} + - /health/ping_readiness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- end }} + {{- end }} + resources: +{{ toYaml .Values.slave.resources | indent 10 }} + volumeMounts: + - name: health + mountPath: /health + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: /data + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc + {{- if and 
.Values.cluster.enabled .Values.sentinel.enabled }} + - name: sentinel + image: "{{ template "sentinel.image" . }}" + imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + command: + - /bin/bash + - -c + - | + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]];then + cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.usePassword }} + printf "\nsentinel auth-pass {{ .Values.sentinel.masterSet }} $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.sentinel.usePassword }} + printf "\nrequirepass $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + {{- end }} + {{- if .Values.sentinel.staticID }} + printf "\nsentinel myid $(echo $HOSTNAME | openssl sha1 | awk '{ print $2 }')" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + fi + + redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel + env: + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . 
}} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_SENTINEL_PORT + value: {{ .Values.sentinel.port | quote }} + ports: + - name: redis-sentinel + containerPort: {{ .Values.sentinel.port }} + {{- if .Values.sentinel.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.sentinel.readinessProbe.enabled}} + readinessProbe: + initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- end }} + resources: +{{ toYaml .Values.sentinel.resources | indent 10 }} + volumeMounts: + - name: health + mountPath: /health + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis-sentinel/mounted-etc + - name: sentinel-tmp-conf + mountPath: /opt/bitnami/redis-sentinel/etc + {{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "redis.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "redis.fullname" . }} + {{- if and .Values.usePassword (not .Values.usePasswordFile) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + ports: + - name: metrics + containerPort: 9121 + resources: +{{ toYaml .Values.metrics.resources | indent 10 }} +{{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and .Values.slave.persistence.enabled .Values.securityContext.enabled) }} + {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} + initContainers: + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: "{{ template "redis.volumePermissions.image" . }}" + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.slave.persistence.path }}"] + securityContext: + runAsUser: 0 + resources: +{{ toYaml .Values.volumePermissions.resources | indent 10 }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.slave.persistence.path }} + subPath: {{ .Values.slave.persistence.subPath }} + {{- end }} + {{- if .Values.sysctlImage.enabled }} + - name: init-sysctl + image: {{ template "redis.sysctl.image" . 
}} + imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} + resources: +{{ toYaml .Values.sysctlImage.resources | indent 10 }} + {{- if .Values.sysctlImage.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + command: +{{ toYaml .Values.sysctlImage.command | indent 10 }} + securityContext: + privileged: true + runAsUser: 0 + {{- end }} + {{- end }} + volumes: + - name: health + configMap: + name: {{ template "redis.fullname" . }}-health + defaultMode: 0755 + {{- if .Values.usePasswordFile }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ template "redis.fullname" . }} + {{- if .Values.sysctlImage.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: sentinel-tmp-conf + emptyDir: {} + - name: redis-tmp-conf + emptyDir: {} + {{- if not .Values.slave.persistence.enabled }} + - name: redis-data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: slave + spec: + accessModes: + {{- range .Values.slave.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.slave.persistence.size | quote }} + {{ include "redis.slave.storageClass" . 
}} + selector: + {{- if .Values.slave.persistence.matchLabels }} + matchLabels: +{{ toYaml .Values.slave.persistence.matchLabels | indent 12 }} + {{- end -}} + {{- if .Values.slave.persistence.matchExpressions }} + matchExpressions: +{{ toYaml .Values.slave.persistence.matchExpressions | indent 12 }} + {{- end -}} + {{- end }} + updateStrategy: + type: {{ .Values.slave.statefulset.updateStrategy }} + {{- if .Values.slave.statefulset.rollingUpdatePartition }} + {{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }} + rollingUpdate: null + {{- else }} + rollingUpdate: + partition: {{ .Values.slave.statefulset.rollingUpdatePartition }} + {{- end }} + {{- end }} +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-svc.yaml new file mode 100644 index 0000000..c29dcf4 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-slave-svc.yaml 
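Review bot: The `init-sysctl` init container near the end of the pod spec runs with `privileged: true` and `runAsUser: 0`, and when `sysctlImage.mountHostSys` is set it also receives the node's `/sys` through the `host-sys` hostPath volume, with its `command` taken straight from values. Nothing in the template says that enabling `sysctlImage` grants that level of node access, and on OpenShift it would presumably also need a privileged SCC bound to the Redis service account. I would add a template comment above the container, for example `{{- /* privileged root init container; mounts host /sys when mountHostSys is set */ -}}`, and keep `sysctlImage.enabled` off in the values the operator applies. The pod-level `securityContext.sysctls` block earlier in this template is the narrower option where the cluster permits the sysctl in question. Separately, both readiness probes pass `livenessProbe.timeoutSeconds` to the ping scripts where `readinessProbe.timeoutSeconds` looks intended.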
@@ -0,0 +1,41 @@
+{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-slave
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.slave.service.labels -}}
+ {{ toYaml .Values.slave.service.labels | nindent 4 }}
+ {{- end -}}
+{{- if .Values.slave.service.annotations }}
+ annotations:
+{{ toYaml .Values.slave.service.annotations | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.slave.service.type }}
+ {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.slave.service.loadBalancerIP }}
+ {{- end }}
+ {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- with .Values.slave.service.loadBalancerSourceRanges }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+ {{- end }}
+ ports:
+ - name: redis
+ port: {{ .Values.slave.service.port }}
+ targetPort: redis
+ {{- if .Values.slave.service.nodePort }}
+ nodePort: {{ .Values.slave.service.nodePort }}
+ {{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ role: slave
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-with-sentinel-svc.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-with-sentinel-svc.yaml
new file mode 100644
index 0000000..3c2de3d
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/redis-with-sentinel-svc.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.sentinel.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.sentinel.service.labels }}
+ {{ toYaml .Values.sentinel.service.labels | nindent 4 }}
+ {{- end }}
+{{- if .Values.sentinel.service.annotations }}
+ annotations:
+{{ toYaml .Values.sentinel.service.annotations | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.sentinel.service.type }}
+ {{ if eq .Values.sentinel.service.type "LoadBalancer" -}} {{ if .Values.sentinel.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }}
+ {{ end -}}
+ {{- end -}}
+ ports:
+ - name: redis
+ port: {{ .Values.sentinel.service.redisPort }}
+ targetPort: redis
+ {{- if .Values.sentinel.service.redisNodePort }}
+ nodePort: {{ .Values.sentinel.service.redisNodePort }}
+ {{- end }}
+ - name: redis-sentinel
+ port: {{ .Values.sentinel.service.sentinelPort }}
+ targetPort: redis-sentinel
+ {{- if .Values.sentinel.service.sentinelNodePort }}
+ nodePort: {{ .Values.sentinel.service.sentinelNodePort }}
+ {{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/secret.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/secret.yaml
new file mode 100644
index 0000000..4c39ffd
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/templates/secret.yaml
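Review bot: The sentinel Service accepts `type: LoadBalancer` and a `loadBalancerIP`, but unlike the master and slave Service templates in this commit it has no `loadBalancerSourceRanges` block, so a load-balanced sentinel deployment cannot be restricted by source address from values. This one Service carries both the `redis` and `redis-sentinel` ports, and its selector has no `role` label, so it fronts every Redis pod of the release. I would add the same guarded block the sibling templates use, reading a new `sentinel.service.loadBalancerSourceRanges` value, placed after the existing `loadBalancerIP` block and before `ports:`.

```yaml
  type: {{ .Values.sentinel.service.type }}
  # … unchanged: loadBalancerIP block …
  {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
  {{- toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}
```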
@@ -0,0 +1,15 @@
+{{- if and .Values.usePassword (not .Values.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+ redis-password: {{ include "redis.password" . | b64enc | quote }}
+{{- end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values-production.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values-production.yaml
new file mode 100644
index 0000000..ae4d3f6
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values-production.yaml
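Review bot: The `redis-password` value comes from the `redis.password` helper, which is defined outside this hunk; the values file added in this commit says it defaults to a random 10-character alphanumeric string when `password` is unset. If the helper generates that string at render time, each reconcile by the Helm-based operator would render a different Secret, and the `checksum/secret` pod annotation in the StatefulSet template would change with it and roll the Redis pods. Please confirm how the helper behaves, and either way make the requirement explicit at the top of this template with a comment such as `{{- /* redis.password may be generated per render: set .Values.password or .Values.existingSecret for a stable credential */ -}}`. Having the operator's default values point at an `existingSecret` would also keep the credential out of rendered manifests.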
@@ -0,0 +1,633 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + redis: {} + +## Bitnami Redis image version +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## +image: + registry: docker.io + repository: bitnami/redis + ## Bitnami Redis image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.8-debian-10-r32 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## String to partially override redis.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override redis.fullname template +## +# fullnameOverride: + +## Cluster settings +cluster: + enabled: true + slaveCount: 3 + +## Use redis sentinel in the redis pod. 
This will disable the master and slave services and +## create one redis service with ports to the sentinel and the redis instances +sentinel: + enabled: false + ## Require password authentication on the sentinel itself + ## ref: https://redis.io/topics/sentinel + usePassword: true + ## Bitnami Redis Sentintel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + ## Bitnami Redis image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.8-debian-10-r25 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + masterSet: mymaster + initialCheckTimeout: 5 + quorum: 2 + downAfterMilliseconds: 60000 + failoverTimeout: 18000 + parallelSyncs: 1 + port: 26379 + ## Additional Redis configuration for the sentinel nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Enable or disable static sentinel IDs for each replicas + ## If disabled each sentinel will generate a random id at startup + ## If enabled, each replicas will have a constant ID on each start-up + ## + staticID: false + ## Configure extra options for Redis Sentinel liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + 
initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## Redis Sentinel resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Redis Sentinel Service properties + service: + ## Redis Sentinel Service type + type: ClusterIP + sentinelPort: 26379 + redisPort: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # sentinelNodePort: + # redisNodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + +## Specifies the Kubernetes Cluster's Domain Name. +## +clusterDomain: cluster.local + +networkPolicy: + ## Specifies whether a NetworkPolicy should be created + ## + enabled: true + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port Redis is listening + ## on. When true, Redis will accept connections from any source + ## (with the correct destination port). + ## + # allowExternal: true + + ## Allow connections from other namespacess. Just set label for namespace and set label for pods (optional). + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +serviceAccount: + ## Specifies whether a ServiceAccount should be created + ## + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + +rbac: + ## Specifies whether RBAC resources should be created + ## + create: false + + role: + ## Rules to create. 
It follows the role specification + # rules: + # - apiGroups: + # - extensions + # resources: + # - podsecuritypolicies + # verbs: + # - use + # resourceNames: + # - gce.unprivileged + rules: [] + +## Redis pod Security Context +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + ## sysctl settings for master and slave pods + ## + ## Uncomment the setting below to increase the net.core.somaxconn value + ## + # sysctls: + # - name: net.core.somaxconn + # value: "10000" + +## Use password authentication +usePassword: true +## Redis password (both master and slave) +## Defaults to a random 10-character alphanumeric string if not set and usePassword is true +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +password: +## Use existing secret (ignores previous password) +# existingSecret: +## Password key to be retrieved from Redis secret +## +# existingSecretPasswordKey: + +## Mount secrets as files instead of environment variables +usePasswordFile: false + +## Persist data to a persistent volume (Redis Master) +persistence: {} + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + +# Redis port +redisPort: 6379 + +## +## Redis Master parameters +## +master: + ## Redis command arguments + ## + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Additional Redis configuration for the master nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Redis additional command line flags + ## + ## Can be used to specify command line flags, for example: + ## + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + extraFlags: [] + ## Comma-separated list of Redis commands to disable + ## + ## Can be used to disable Redis commands for security reasons. 
+ ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis Master additional pod labels and annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + podAnnotations: {} + + ## Redis Master resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Configure extra options for Redis Master liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + + ## Redis Master Node selectors and tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + ## Redis Master pod/node affinity/anti-affinity + ## + affinity: {} + + ## Redis Master Service properties + service: + ## Redis Master Service type + type: ClusterIP + port: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. 
This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis images. + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + matchExpressions: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. 
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + + ## Redis Master pod priorityClassName + # priorityClassName: {} + +## +## Redis Slave properties +## Note: service.type is a mandatory parameter +## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master +## +slave: + ## Slave Service properties + service: + ## Redis Slave Service type + type: ClusterIP + ## Redis port + port: 6379 + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Redis slave port + port: 6379 + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Additional Redis configuration for the slave nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Redis extra flags + extraFlags: [] + ## List of Redis commands to disable + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis Slave pod/node affinity/anti-affinity + ## + affinity: {} + + ## Configure extra options for Redis Slave liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + + ## Redis slave Resource + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + + ## Redis slave selectors and tolerations for pod assignment + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Redis slave pod Annotation and Labels + podLabels: {} + podAnnotations: {} + + ## Redis slave pod priorityClassName + # priorityClassName: {} + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis images. 
+ path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + matchExpressions: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. + ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + +## Prometheus Exporter / Metrics +## +metrics: + enabled: true + + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.5.2-debian-10-r21 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Metrics exporter resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + # resources: {} + + ## Extra arguments for Metrics exporter, for example: + ## extraArgs: + ## check-keys: myKey,myOtherKey + # extraArgs: {} + + ## Metrics exporter pod Annotation and Labels + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + # podLabels: {} + + # Enable this if you're using https://github.com/coreos/prometheus-operator + serviceMonitor: + enabled: false + ## Specify a namespace if needed + # namespace: monitoring + # fallback to the prometheus default unless specified + # interval: 10s + ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) + ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) + ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) + selector: + prometheus: kube-prometheus + + ## Metrics exporter pod priorityClassName + # priorityClassName: {} + service: + type: ClusterIP + ## Use serviceLoadBalancerIP to request a specific static IP, + ## otherwise leave blank + # loadBalancerIP: + annotations: {} + labels: {} + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + rules: [] + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. 
+ # - alert: RedisDown + # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis instance {{ "{{ $labels.instance }}" }} down + # description: Redis instance {{ "{{ $labels.instance }}" }} is down + # - alert: RedisMemoryHigh + # expr: > + # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100 + # / + # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"} + # > 90 =< 100 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis instance {{ "{{ $labels.instance }}" }} is using too much memory + # description: | + # Redis instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + # - alert: RedisKeyEviction + # expr: | + # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0 + # for: 1s + # labels: + # severity: error + # annotations: + # summary: Redis instance {{ "{{ $labels.instance }}" }} has evicted keys + # description: | + # Redis instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## Redis config file +## ref: https://redis.io/topics/config +## +configmap: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" + +## Sysctl InitContainer +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +sysctlImage: + enabled: false + command: [] + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + mountHostSys: false + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## PodSecurityPolicy configuration +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## Specifies whether a PodSecurityPolicy should be created + ## + create: false diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.schema.json b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.schema.json new file mode 100644 index 0000000..2138e45 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.schema.json 
@@ -0,0 +1,168 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "usePassword": { + "type": "boolean", + "title": "Use password authentication", + "form": true + }, + "password": { + "type": "string", + "title": "Password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "condition": false, + "value": "usePassword" + } + }, + "cluster": { + "type": "object", + "title": "Cluster Settings", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable master-slave", + "description": "Enable master-slave architecture" + }, + "slaveCount": { + "type": "integer", + "title": "Slave Replicas", + "form": true, + "hidden": { + "condition": false, + "value": "cluster.enabled" + } + } + } + }, + "master": { + "type": "object", + "title": "Master replicas settings", + "form": true, + "properties": { + "persistence": { + "type": "object", + "title": "Persistence for master replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "condition": false, + "value": "master.persistence.enabled" + } + }, + "matchLabels": { + "type": "object", + "title": "Persistent Match Labels Selector" + }, + "matchExpressions": { + "type": "object", + "title": "Persistent Match Expressions Selector" + } + } + } + } + }, + "slave": { + "type": "object", + "title": "Slave replicas settings", + "form": true, + "hidden": { + "condition": false, + "value": "cluster.enabled" + }, + "properties": { + "persistence": { + "type": "object", + "title": "Persistence for slave replicas", + "form": true, + "properties": { + "enabled": { + 
"type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "condition": false, + "value": "slave.persistence.enabled" + } + }, + "matchLabels": { + "type": "object", + "title": "Persistent Match Labels Selector" + }, + "matchExpressions": { + "type": "object", + "title": "Persistent Match Expressions Selector" + } + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "condition": false, + "value": "metrics.enabled" + } + } + } + } + } + } + } +} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.yaml new file mode 100644 index 0000000..e44b742 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/charts/redis/values.yaml 
@@ -0,0 +1,633 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + redis: {} + +## Bitnami Redis image version +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## +image: + registry: docker.io + repository: bitnami/redis + ## Bitnami Redis image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.8-debian-10-r32 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## String to partially override redis.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override redis.fullname template +## +# fullnameOverride: + +## Cluster settings +cluster: + enabled: true + slaveCount: 2 + +## Use redis sentinel in the redis pod. 
This will disable the master and slave services and +## create one redis service with ports to the sentinel and the redis instances +sentinel: + enabled: false + ## Require password authentication on the sentinel itself + ## ref: https://redis.io/topics/sentinel + usePassword: true + ## Bitnami Redis Sentintel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + ## Bitnami Redis image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.8-debian-10-r25 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + masterSet: mymaster + initialCheckTimeout: 5 + quorum: 2 + downAfterMilliseconds: 60000 + failoverTimeout: 18000 + parallelSyncs: 1 + port: 26379 + ## Additional Redis configuration for the sentinel nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Enable or disable static sentinel IDs for each replicas + ## If disabled each sentinel will generate a random id at startup + ## If enabled, each replicas will have a constant ID on each start-up + ## + staticID: false + ## Configure extra options for Redis Sentinel liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + 
initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## Redis Sentinel resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Redis Sentinel Service properties + service: + ## Redis Sentinel Service type + type: ClusterIP + sentinelPort: 26379 + redisPort: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # sentinelNodePort: + # redisNodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + +## Specifies the Kubernetes Cluster's Domain Name. +## +clusterDomain: cluster.local + +networkPolicy: + ## Specifies whether a NetworkPolicy should be created + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port Redis is listening + ## on. When true, Redis will accept connections from any source + ## (with the correct destination port). + ## + # allowExternal: true + + ## Allow connections from other namespacess. Just set label for namespace and set label for pods (optional). + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +serviceAccount: + ## Specifies whether a ServiceAccount should be created + ## + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + +rbac: + ## Specifies whether RBAC resources should be created + ## + create: false + + role: + ## Rules to create. 
It follows the role specification + # rules: + # - apiGroups: + # - extensions + # resources: + # - podsecuritypolicies + # verbs: + # - use + # resourceNames: + # - gce.unprivileged + rules: [] + +## Redis pod Security Context +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + ## sysctl settings for master and slave pods + ## + ## Uncomment the setting below to increase the net.core.somaxconn value + ## + # sysctls: + # - name: net.core.somaxconn + # value: "10000" + +## Use password authentication +usePassword: true +## Redis password (both master and slave) +## Defaults to a random 10-character alphanumeric string if not set and usePassword is true +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +password: "" +## Use existing secret (ignores previous password) +# existingSecret: +## Password key to be retrieved from Redis secret +## +# existingSecretPasswordKey: + +## Mount secrets as files instead of environment variables +usePasswordFile: false + +## Persist data to a persistent volume (Redis Master) +persistence: {} + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + +# Redis port +redisPort: 6379 + +## +## Redis Master parameters +## +master: + ## Redis command arguments + ## + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Additional Redis configuration for the master nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Redis additional command line flags + ## + ## Can be used to specify command line flags, for example: + ## + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + extraFlags: [] + ## Comma-separated list of Redis commands to disable + ## + ## Can be used to disable Redis commands for security reasons. 
+ ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis Master additional pod labels and annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + podAnnotations: {} + + ## Redis Master resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Configure extra options for Redis Master liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + + ## Redis Master Node selectors and tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + ## Redis Master pod/node affinity/anti-affinity + ## + affinity: {} + + ## Redis Master Service properties + service: + ## Redis Master Service type + type: ClusterIP + port: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. 
This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis images. + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + matchExpressions: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. 
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + + ## Redis Master pod priorityClassName + # priorityClassName: {} + +## +## Redis Slave properties +## Note: service.type is a mandatory parameter +## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master +## +slave: + ## Slave Service properties + service: + ## Redis Slave Service type + type: ClusterIP + ## Redis port + port: 6379 + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Redis slave port + port: 6379 + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Additional Redis configuration for the slave nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Redis extra flags + extraFlags: [] + ## List of Redis commands to disable + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis Slave pod/node affinity/anti-affinity + ## + affinity: {} + + ## Configure extra options for Redis Slave liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + + ## Redis slave Resource + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + + ## Redis slave selectors and tolerations for pod assignment + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Redis slave pod Annotation and Labels + podLabels: {} + podAnnotations: {} + + ## Redis slave pod priorityClassName + # priorityClassName: {} + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis images. 
+ path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + matchExpressions: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. + ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + +## Prometheus Exporter / Metrics +## +metrics: + enabled: false + + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.5.2-debian-10-r21 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Metrics exporter resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + # resources: {} + + ## Extra arguments for Metrics exporter, for example: + ## extraArgs: + ## check-keys: myKey,myOtherKey + # extraArgs: {} + + ## Metrics exporter pod Annotation and Labels + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + # podLabels: {} + + # Enable this if you're using https://github.com/coreos/prometheus-operator + serviceMonitor: + enabled: false + ## Specify a namespace if needed + # namespace: monitoring + # fallback to the prometheus default unless specified + # interval: 10s + ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) + ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) + ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) + selector: + prometheus: kube-prometheus + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + rules: [] + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + # - alert: RedisDown + # expr: redis_up{service="{{ template "redis.fullname" . 
}}-metrics"} == 0 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis instance {{ "{{ $labels.instance }}" }} down + # description: Redis instance {{ "{{ $labels.instance }}" }} is down + # - alert: RedisMemoryHigh + # expr: > + # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100 + # / + # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"} + # > 90 =< 100 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis instance {{ "{{ $labels.instance }}" }} is using too much memory + # description: | + # Redis instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + # - alert: RedisKeyEviction + # expr: | + # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0 + # for: 1s + # labels: + # severity: error + # annotations: + # summary: Redis instance {{ "{{ $labels.instance }}" }} has evicted keys + # description: | + # Redis instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + + ## Metrics exporter pod priorityClassName + # priorityClassName: {} + service: + type: ClusterIP + ## Use serviceLoadBalancerIP to request a specific static IP, + ## otherwise leave blank + # loadBalancerIP: + annotations: {} + labels: {} + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## Redis config file +## ref: https://redis.io/topics/config +## +configmap: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" + +## Sysctl InitContainer +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +sysctlImage: + enabled: false + command: [] + registry: docker.io + repository: bitnami/minideb + tag: buster + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + mountHostSys: false + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## PodSecurityPolicy configuration +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## Specifies whether a PodSecurityPolicy should be created + ## + create: false diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/ci/default-values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/ci/default-values.yaml new file mode 100644 index 0000000..a915e07 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/ci/default-values.yaml 
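Review bot: `networkPolicy.enabled: false` combined with `cluster.enabled: true` means that, unless another NetworkPolicy already restricts the namespace, any pod that can route to the master and slave services can reach port 6379, leaving the password as the only control. With `usePasswordFile: false` that password is handed to the containers as an environment variable rather than a mounted file, as the comment above the key says. I would ship `networkPolicy.enabled: true` with `allowExternal` left false so only labelled clients connect, and `usePasswordFile: true`. If this file is an unmodified upstream subchart, the same overrides belong in the parent chart's values for this subchart rather than here.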
@@ -0,0 +1,21 @@
+# CI values for Pipelines
+
+pipelines:
+ jfrogUrl: http://artifactory-artifactory.rt:8082
+ jfrogUrlUI: http://artifactory-artifactory.rt:8082
+
+ api:
+ externalUrl: http://pipelines.test.com
+
+ www:
+ externalUrl: http://pipelines.test.com
+
+ msg:
+ uiUserPassword: password
+
+postgresql:
+ postgresqlPassword: password
+
+rabbitmq:
+ rabbitmq:
+ password: password
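Review bot: The three credentials in this new file (`uiUserPassword`, `postgresqlPassword` and `rabbitmq.password`) are all set to the literal `password`, and the only header, `# CI values for Pipelines`, does not say they are throwaway. The path `ci/default-values.yaml` suggests these values are meant for chart test installs only, but a values file is easily copied into a real deployment, so I would extend the header with a line such as `# Test-only: the credentials below are placeholders and must be overridden for any real install`. The endpoints are also plain `http://` (`jfrogUrl`, `jfrogUrlUI` and both `externalUrl` entries); that is workable for an in-cluster test, but the same comment should say so, so that it is not read as a recommended configuration.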
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/icon/pipelines-logo.png b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/icon/pipelines-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..7358966b2522a5af2b885ff416c7a1a577f023bd GIT binary patch literal 77148 zcmZU)1yq!6*ES5p&{ERf(%s$Npdww;-3>!4NC^Vc-Q8V+fHVk#bax{i-!*qV@A`k& zQpTC{I%jtrd-G9URSpe>2n7ZP22DX;S`!8a&IJYr%!z~mymLf93I_x8LeW}EN?k!p zibCDR(Zbr!90o@I;}>njcUnVunR=QERzXPe$Q>Uw^OcZuWH93x=a3XAa{A&hr4N7P z2HWCeRh!7*7#P6nFzxH&_aEz$4d&L?vf|klw<`p>FP(H;cU<_po@8i-LQoGs4oq%p${|f8W>u^V z9DCND#75fkgNft+zy)>*AnOwYL6T1kYC$j`MAaQd>cmU?v?zGvdcc%PjLu0!$@I?Q zMB1fxFE<1*Pv9WR8)xrzV66D0M9Si_;JxclBo7&}KG4GK#!;egMtOlgP*ak9N#>LK zm_zC`coRu?;FwPMEnV1fmi_Io+?OuJ?^s8-M(@NH&bnyXv^j9Tp`)kD;}KSs6J8xT zjD4b~EtFVf8v5`t>>c^~wQ0}~GSfsxP3c!9M;cn4>2SUXDVS|2UO5_=X_6$YL(v~+ zceyzG*YrQEp-4pa!7oZjpJ?U?GfRBap-#gh7YgMvCu#iN6hx=h|K@krn@yS;o(E4E z$z#mtG*b=JNI}a_y7a0sLGOr73x(+@741XjaiaJ+qKRkwh{(#9N#>=9G zM^;snyfqZD-=7rOw@83i$%siSYvXlw=3V*_P2qs2IHw>bEP0#1o1+WvonUuAn&Zi# zQP5(WrDQ?+`0J+g^Y(Y^L+4UJk&wI!0IoaAo56? 
z-vTI0btvgW@5aCB{+WS)UuuE+hD=};xzC#dWwUn$)x+3YrsaKtvpELY4?(gL~b4LZ=*uag>nN_IxI>%F_12% zj9UAbVZezm(9y~6mGB#|A>T@1)E%D+>Yia%`e$ME=SH*#QDy}7y(wWBCxX-xIoJ_r zyJ2TH(AyzmNC+mz!XMy2Qs63w7~u8%VTR-CA*sep40fqTDMx%`j5>#Y1$kV>v;qxu zTc2_@zo-n-TNTw8Sy~m?g>&qI38tV4jbX<$>jTxuq+@yZAtFon##zyjDacI4GfM~4 z#|aFY=9B1zyrx`;6Wm1Hq<0}|`A|=N9jBU)=pE)K&5;;RlxJuAdJlA{5b!Y~dFr4jgx9{zXCN#W+EoOWby!`~P; zyn~wsJ?{{|L!6EB@BYXSXSv4e1TVL)z)wCtu(LLN#^{H!{2{B~aW%t>{3%SFF6Cu9 zasZgs&aZ5vMo7}ab?H}|dmX$;$I#mM{ z$+CAf?HB?Q-$g<=qiR3bhD=GeDDD-$Q2$eW^%KU1iYKi#PFKM`J2Ou-yK{DGs&?vp zCbgJ$RyX@iiM#qi@Y|wU#8lDIkKc1tau}?btlF%Ltgfx9_S{-YMN%?l*|Mv$e@%{0 zkWa4Ia@EV(x;DW7zGx_GAa1C#?V8Bho!hT=FWkd9c)d$9+fq7RrZm|wy|sJpwzK#4 zfNZ8CZ=q^n!gV@oW_Vh!vPt_ScbUuob7w|CN~d_2bYR;P;Ug=;_i76#0>AI3-_gGd z$Tq=Fb}vJ0 z9FiO}@g)2D-3L!u>geF;P+4B4p z$cMx~QQuMz%aRe@mND4uzbA4OTySgK!<`P`a;-z+Dw&t9IrW^5P zCcq2AGmUb`qhkrMB&?k)*MCcUz+5&y^^xPP5caOS;XvXTk-?t z1NYgAS$|$UUTnMVxt|LUHcB;rYH;Trszn^{$Htaf`yD+Yl=de4X6#yI`@UyOZ!x-kykZtLNKh#9W_i^_JzjHYJJs078<$UWbrb46oDeaxenL@kXL;B4H@~6-} zWMAy%SK&03%I#U3aryE#DzgfipY@X;SZTS@6ZGi0tx`jyo)T0FG7 z;d(=SGY;Pq>>f;J0&$8ywYCu7P93q-fz`3C^O2UwMbW5Ap{{({H4-zj{P~fUj@Qz2 z%-BKkI7ryV&}UiWV<(NAi%0nFr(D7#O-t*Ndg>LnK>vU&X2nLOn8BhSX{aw&!yhAi zCC)N(>)5NSTTdTHHorzhT}IN#Xj=%3>hc~~JA0jt&EMEP9nK0Qx#ErOr4MJe*^_ay znHe7V9o*7hwBbuL&(+1XvRkgPMd{;L=v-Pj|5#6YS@#*9)?h`(Pur-}fRU-At}k#X zso+NQY^u?mY?znzUh@@w+v{UpLyaeEfxz2>lcmn8hX5y;?a0P2hD>}_RF$90TRQ}; z{$%p_*hcS->bTUC5A&u6~U@R)O-MyyZNNNP+*FNTE9i2n2> zb%)V}Awy~-a_HK;CbvLt8^a!x$U_xfM|7VmtwK6lGI}I8KyGh;<|uGJy_@AhUMKw4 zfARF@2lh{FS~>(ZysSepT9FxF!2>t#gUi`_%U2mK-X81ojjkFytPdnl7hf+9FX-67 z`urY~C+m|+qRFYOz6K8M>)u;~Y?)mo))zLm?fd=>x2Y!$NmtHCbd`t(V*b>Z-^ck{ z_}Eq=TV?`;_O6zMw2s{taTonP*shm{jZgzgo4ZzF*CghpmLhOtmC0wGhR=);1=|H< zJi|Q{KZ2wI*JyL>A4 zUOQbM5DR&3pW-X2x-U4~S}ohEiZ(h4;JQ+=4b*?mYw~tPT>jF*7tpm6G9Gb3t|cl; znsWQ`vgEvOV<(AC!-(v~HX6F3H)o~|6Qn1|!UA+^!w2Km>}jkYavw3Y@0zKI`Dgxh zSa)FWeqFX=JB$^CZ_6XY6$KLFG{>S&ssM2*%OrTAjuE?-gXLWq(Uuy8pe7u89THMC 
z3PaHVbE?D3&tGlrbb5iFawr0$x>YuwtVr2g*E1_l+iFhp4yH3c5YD4MkitYbkrQYx zke%dpTw!4FXrX^$6*Os1VPIf0tzW-$d#9o-Xy$0oYVzLE)ST7J-U&Dj10(Du2)wj6 zcQc{zvbS?^74#CJ`s;)s@EZCy8x_T0N8D^hsNSilQ%E_wm{ahuap+kbZhj|xNI6;!wOGPiptZEbJv;0k<)C_g`^@L%Wuf1mvC8~@LfI{$l;gPo82 z|33PEKKkcTVKyiS|A(W$#r4;_fV@OegxUU+y(mh6oHjb34ial=wb#H;5L7q74?^G{ z`oDidUpKhVs5m6Uz=*>rNK3r-f<0V9^uq1OLp;Tvl9#8X%omrWxWq&12*JUH^<`75 z$pP^uQZX{36w?O>=gzem!{g=?_?(D@#)Wdfls}2)Ya>9S+)84pt9$k*H*z>$`YN!) z=RG)dJjS1HiMR%V0aH+X=uXO)zdIj{aN!lL>~zyAYb)`b5SOTxBEp1z4g-rMz8VaH zLlJnO7l#2+A*Zv*7wo0c8765Wt~j;U%oyP8<9f{B-ynegJx}lkCM;dU65Uw}2E>EX zUTrO$!6fY4zau3jTN`|=>f&A=*l+0t_rLQB!1;I!)EY?`5FWChvlpek%Ch=V%dslj z+)<-M!3Jir$ZgS;w$5BLuEmzxVpcEykqOYh z;E7Wf)zjaFz<`^vQd-ZPf6yy7F=c*tfIZ(&T7tX#J%d5?KVoPBVi-z3b^^pyf<=Wc zMeWt*^W~M-0+yg6*Q~ZIrh3f5{!cK*v4CKFFDLK-aq1dtt?S<1?G8kK_j2DQxb;xt zqw|!xm$Cd;|Ki<5usANWR%`l5;@#??y)aAb--Tz91BYAdEL9HkRYREl_p%ZHJN*(k zokYJz0-UY}Y0bI1eDx5e)7Cn-_ZJ*&(rdJvYb?|{75$%JWB|c1mha*Kw8*S#U8OIg zhh-*|F%9pH02#qvEetQM-Dj}z<>f1M6~ zNSf}F40USss{tR?)=#k#|5A;q1#p>i5m`_%j

XJqP+W0Jy2GDT97y8XwcVdX zF06OHvV2*Y`qSX}D0_aCG?h!w|L^4xNCP14a@=pXfTL2v^U?x#9?QDTdKF`r794NK zbvBE(;EGQS3jQayK#TyXJdB}H0d|XnGsvu1#6V20T`gzcMl^dU=B?%y@Zu8255&l&WIY7%z3ZgVDERq$) z=}^zL)vvD=M4#TTU{Q4gIY9dto>L-#7+s1o`jA(Sek1Avf&%jq2lKq4%`NXZUeB32LZzd-=v0+63rC#?pE9v0k4BQupO zC(13J-w?qsc=-0SL(`?xRr#Z|AIiV%#zEOle@g=oi}aHw&LCZ3+>tX2p~RXax|WTDP6rZrqF3a`H-|)gn^W zdg=b59|?&TBB@%uC(Q{EL<^FgR~!4R&zQxPJ8#umI^XcKIAG(4;|9;a$_1fh$6-5Z z#=itpsJC^`0$E8Cva?w_Jhf1eY{d%wFSCt$dg6cEbSSuPgd1qNk~c9o=WICDz(o# z5*`9NqE?K&jP91h>>1Y9cNra7*476N>rOJ}ukn|Y4V6x6PUf|(?~(WP`RMqr?DCTz z{NDRt5&dnADNqL$*df)C>i!85=-0Vi43`Vzwc451=v=C;GvZ^tU}j)537ZQuEzd3& zXZ?}iTfW)_st{+L$_KGT;M%k#YBT$HTt0dWj+-0mBGMjl?XIme;Jdpxd!F(5j&DiU z(D@(tqdbIHivEO&+OQIlA;19C0I>md_Bu~y0Fd!GC;^C;nkE!?9L0N1K!$onMp;^v znnJ7w#9W0|##gxJ_$YOeR4iGz*3TUSqRCO5Zvk{*Z9-L?@u6Kuf)3Yx>Q|%~nobVz zl_;V|ufWvMU{x&za7OB71(*qew((HUZT-av-o`6qnaw|>2g7L}m74TgYxOREih6MT zDj4X>9a(?T5Fz=@h%7Hgr$Q8}u62b9c||rlmxWqYz~uY4yFf4iSMeKx%LOc(8*eVD zJyTSyU4BF34{2qXHj_u&7X3cfgj$05+dk%kEskMsLevl|YKkL0dR+I8x$l<-559v< zb~ap`vO&admP+^KA_D^}*`osl z&RC8F>)xDoPUbv;G9Ibu)9nK%b2RYJT`zu#QAk6pif(D(K4tECd0Y@?v;OM*U<7>? 
z_w_lS%6SHyz=S)CLoVf^hY}mU<4m1sQox5KS$_rOLjge&Qxy4oLUeoH&%bXy@VF%2 z1AZh9;Q}~KS3&9pD6PkS=i&tGtLjka0q4T6nSjs(M9ast7c(@igVSZZbZ;jVl&&{0 zwXy>fD7m@c)4==k;{SUMHuM^0a4#URdVD}&K_YZb>i0ncBsI1hnZPwienKT=1{NBE zkN*37k;?B1?%olIlf&-#jJa^o8RXdR?w6@y5&#TAAgcg(;4I^OAU*tKreFzTvzLNw zeC|HA_%#Hdk)_vN!1u<-o$7+Vg1_Zcj5&#>HQ24J339o(7|n8$pBeP{2OWL`S~_5= z0*2wF6&VTyds}d3v|pSEU9zPL_S(4p>y_AWK4KPpH*|FL(w#OQhR*>}Pp}KP#jF)8 zFyH1XlA4SJ(|zOomzG^Ai7o; zv9-pX3{-no3Cz5c`BTFV5d}?M;cNMJc$hySObd5~v#JU4d_!!R`1Ct!wP%@l>X#9~Yc@PYcAwf|^ zlbmVr9EZj-IwSoX$;Ycs!$m@SWk}`EW>b+}exT`dw+DQwlC79{il=Sr)P?&I;`a~G zI0wcClH*(`6)9jwE86D(@mfe|jczo1^FxWAvHdfiM119#LR4E)vOa z(o3$Kc8$zo1DnKsDhHVI``JLRRpFPQrZb@raJaomfC-e!TH>wlnvAO+`F4e_Vb(V2 zVVz}2Zf6Iq_-;qUVcNISw~p8@>zk$yT2oy=JY&dsa0y6+gO44qs|(Fc*`YNF6_6LP zP4MF3z{;%Z>Zxoe@J)2?LZnJ!?_JOyr<3t&<0>a^+Yn31MzrNbb4Tg7Uwgjwg$(p& z6(Bt?+hBw|L5r;a9(15g(xHb^^$V`KBNt5730=kcD$y)V=%$MSFmy$egYd3xBZh>(b1X1kp>E=#TJm zf>8e%2HaT3A&d)<<`?)MKa}QCLgVdLn$Vj4HO*~1TB}apWf|^Y@G3;*%(=YBHJ=!< zPhcpbSxDNp`qmqPFJf!>e4`b6NkV74nU#| zl7v8X;5kvoYe1};tgF@DO*dljQ=Kksb!EOsA5ZXnLgzNfe zx2-HOVM{(FL<*2VSpkX{7?hUZ{-+FJitKE0KaWojFVbIk<0j)X&2hD^8)UnGySmhm z)wV;|(tX$t@pt^aNQM?oJ<&ZBvP^nj;tZ0_hhF3M66oi!g~P)jU%{&HNjjY1S-m^H zPRUk&0e|=Ws=OB6rtLG(ntXET6PC*vtNRPdlKAcFXb`!kl(x~g@3Gxb8@HkaTo~2- z6D({33W;Ewb^wBd=RR)&3WdEwww$<;PyWR;ubG{qzLF97zdjPyeR}$!W8><}&0W~dlk;nOwBm%r;`9ShWJ4gbK*;9~{?3kxsYCI_ zfF&NKIdDG9MUc&cMx?Y%M`r z9$oE(1fX@)O&m)j=GAk>i#|01LS0%X*Rr;~)NQ_ZGll0vD`WLA z=bh-MA;(yf6nc7gSwLB8gjCs5r;0em*CdEvLe=~l+O~7Dw?;s$Kxr?34Qa2b?tK54 zM0Bp9z8VyxroNKh!+YIq^}J9oW}iHIG&wN`QbmuccbfD3t_qrjsz_Z2;N?g6E*U5n z=}@#z1+ezyWO}YrL$V`(q3P)*!+LK>27{i}P|huHlbjR>cpL30adF-?>F>%c+Xt}q znYL8}0Ot{d-NS2Ya1NY$s%tX=!A5~IBU4mKiNf^U9A*+Cha-10mZ~)Eu7*m<*L)L@ z+kamhpx90Pe6K?dJPZR$Ld}k=TST#x?0yZhJWsH)e=w>Sg^f~4u~|P-Zd98PCt7e0 z9_=VM6LS@l^|uDZfg=Z#7990=3Raf`*buDT#RY}q#wGa}VLuo7;i5BX5P1-}BQFL; zGurb_{LK5RvXKParTGDo2y@%mDeOqja@^8WMp}T-46s6ACeb=cRjO!gu=U zU4)hf2l}Pfy{wWR82uFU_WM(%5s2U`6Y!M23Suzu6h96Sde-tOXppQ}oNg9Hb-!hX 
z2z?F^Kgi+8qyV8A`0X}4oy3=!`KNJ44n^iRd3266CJcn1^TMLcA%&$w5+W0UU?>9x zRDOIMqcCO;0yl@gD=lB{m)d~Hn_Z(u0Q${=Vu)emgCRwChq&7|$KCzUDz^_J7!hzF zMP#?DsBC0|qTh>42#p>6O#?}DK*Z{Yf&#~jR9rx~Bm|`SgFhD^$%%==zWTxQu*wB1 z!knf#~#ifXgv#m0x+St?uazwI%njR_X`XTWGeR3{!usoVIjM*ZJ{guMV~7_5_F(V zhDcVvBK!*iS`7vi_&_5rjv16vj_m^Lxq9dz!6`}9j&d{OsOiZGhn`BiQ!{PR$@yxZMK%y`X0WKh(m;i%>krR`W4fRLz5B&($awzd6;DLGv6Aiud z_x7Qv;3@i%%96?7S15I?QC$@4_hlFp`)xoVNgz#FI$W1VvNF@aBBR`{x(0#YUzJxoD6gp{CR=2@ruNxyFsO%Ruo+eZ%L$wAERk;S(NIqr%J{%HrUH zueaGZYi9j3x&GA?n_gO8#t=B2B;9JQ+EFEmXDSS;6DS0H(C)+w=Ek2(Z;lBt(_X8M zs^canhLaS3>E!B`HxGwD@0Yf4cKPkx1CDl!7A6cL142tDnrM>}t=rX42ig(w?sC9J zM+7eh(|m&t*OjlB7h~%gtVyqHsKjgF9gK+sjRtsOn*Q8ePJn*L*Um#r2uWD-U$Wd0 zkLNId;|o8T0ZX$W_5;B#fv*aV6SKmUOq*V>Lm-);pktNYnScvBbQ3zJ)ud`k03R#I zs=nSCORaHYg;r*HKse#rAE9)hgs-lE#7*1m=0E)kAo=4c__L5C@&}4F)`G+8yYD7x zznPW>gGdH5DuU@NLU*?pySMdZY@^D`+Y=*yL>8xPvHE{`kzchl|LpXRm4c;|nx!)2 z|C9V6g&;bvyxm{Bj>rorRzG5TY_P00rh{I&XK4%*HU!ouu{fM#>upMxd~3<9)Auu= z|IUhIdOW6S;<4878mOh)El!O59#`)FWGp74^p^(YQyrT+Yx{TyX*aAUpmeP(!W;Kr z%Z(isxnSdlR1i1j?fA6YeBn|Jhw6$K(6>dJ^X70tcX;Sb{bAp)bFr)D7nl-XHCOi> z*ff1t#(1|f-#W>55?LM{^>qGuEUwXmJPfGa?H`XDBG!sMZ5|(*Xfac9`?xGU7Z@n$ ztw6rf{Pz{6d4$zB7<;9uuZtCAQoDR%;CYZbZw4}!jz8r21SuSl7cPEI-xtF+101Tf`+ZX&B5^17IL>!WDWGiql<@D5+Y;u7Kvq8|h$sA!c%pMH!#WD<)F{ z&p?%Ls(~I7A~&&gMAit{bzhgbgEOy;C25hA<+Y~1$0z;nt;F}g2%2B_DJ*1uLL!w? z{gZAZj6p8meF(MwCv3b?ET5LIVcGZz_pQ_R%Yu&kz>NDa?=>Pziztf3iN8KEa8_{SIdTGCT9voCy+o? 
zK&gT4?GaC`4Ql@Kxol6Iod;=g>W-{c@bZpGw12?|d1Rg=L)BdFfTw+XBgVlQHQL&{ zZF|F1{2rbWr8yeemZ6US+Y`DDhJ#)I`~lDn!8GDV))TRyL#JK;gmpOBMa2?W&hTnI zin%<(j-NaBZTAw0KTzB24sauX2$%W|q+fk7qIVMHXb7cUa;_D05Ma>henYC-YG(Yd z?%+2kwVnK8zEOC&OGKSaDq#VV1v5a_S(zh!!CbM+zv)uDy^E*4|G>0gj8=r;fu z3_qmo z^Ip6arHRizf|anrVJ_3b(N~P;!Y*g{h5!fT1BiFp7lFMq4kV<-JB=|QW_B;Sh4PjB z^GmgVihkwxKJbv$Kj5H5ZHZ9yz#N$i7Qh3^14?=1V@SZqr?=NI9dj%I^y3ZjLAd%Q zf(M3y{dWo$ihpzPlkM_;h&*f@8#$7CBH7^93t|A<(^J(AbnW@03h@sJ#ZK?lWZT6_ ziQP4twcUzByIXp>@3#7y>H*|}wpFVfgE=mbfL4$*4$v5!3ZCSap12R$al}T}G%(Zb zgp+Z@ET&P9-JcW+NsepddK+BU*Sj=)66>!RkNoU}pR5aOu<#(;S~6o`;~pDek29Ct zD%FYN`6_E%1kD$GX|BC@SGt#8OTgYjIV7=^E?&{8cX)5H|a5U(oQRJLs|tePb?sVyyLhP!AhYdGvFF z$n_)cHAxRy&bg~AFy?Y0X99&nIsmUZ#Fh4)Mm;p|%6W)4_&7|j$kzc6^NE(C;(^z4 zHR3zU@BGQ9fOEvVgP&D}!=2G;h^?^_qW6}|pRY?+d!Ja}}7bZfHNfE8;(NxfC(Dvd7tf}BGtTNSWo_m^v6Bz*?;fKKHAG6(2S`_L!tI7eNAA}djqc8Vo6%q~73zjK}t`>_s zv)W}Ow4XDHVj^=WvO58j`4i0%EDnkoJN{DDSAd(2MbDIP${Xa=b6Ve%G(* zRYeh73^S)2x+22LJX^3q2C>YMb6dgZau*|H0cUR4wv<3Id8Qmird%L1(*p{W{;IH< z(+U$nT`9`^DuCMtT9`O*M+W}v(9+vWmG2oV_dOS0jR zv?WFH$ZPu@*`?Y2J0ro{`8SeCU!uiP%=hSfT zroy%b5oOBE(P(ULsxWaLfaFq%9zD!r=F^#Y3~N`-_ghWCKr0zp{vaoe?^xn~+QZ;V z)N!S`T83(w{Eo-bgpv#u98*A^@9k^Yw5oiOIW^HAfq;M^C1Lq3R@}u9)X|&yk!zY# zgwHcDg08rN?JA9Hx;-k12}NMi0_T>Vkv(vnI8;UjhZeWAj-nAo7yoUy!gxAv67EEB zhhG)QTWVNnw-t{Ml?Ty6Vf(!WPDjH5ZC$>tb|(F9`G$~QoZ>W}T76|ag=L#S>*OOT zc@Y5W1-}pF9s%&mF*~jpKbDt+@6&vhWb|L&v(Ta=y~cBLD;_{;A}fa+r~-IgyqlhO zKZnC8DK1;f{qMQaEW?v$QBP+|iea$oPT$nQLeV=9&auz%>Ju}MA#raK6%zPj%I>9m z#+$1i`H3dnidS{0M6dvreB>`19AXX9(xIFC@|DC!907=EsECgBZLOxXli@8hLoVnQ+`@o?&pRpTCQc z3N+qfsN5X0RGbu)Ne!g1yXM=y2OLf|Q>3r5x%-%FVeW_11r$pp(h~n2`p)M{rS+&# zPu$VP&8eIxJ}b8~zu_!!#wUi1yz$&YY5dwxB{qknQ1ahFJjx%7F^Bx%N?^G6vuMZ| z#R-Fxt~XF8IVpMS#{D|wcXsQhTx|ui!+SlPRR}}_a704$Ld>FlknQ^0i7D)NNRsYW za4#^|v3{U5iT;enbqYEZ;8%*J-a(&u=x}`J(`vD!a&U{lbL~(t??oW*9kjS^ms-Du zwI#%B5o z+b4>Vr>7*e^al0^xcuU*%f0g#j*TQ+JHvZt4StWj+KjRTVPdvQf>z(+#Wi#&MQ%?X zNn~hb>8GB>@`F`%>j#+!ZW^xD_ii--Gt$cZw`MD0A(9YR0tBmTW5&!1|4*CMV{V6} 
z=no6bdTyI8{O6C}D%vqV{Ft?55Ma}I>}DZZ%ji)W{5C(`Tjxwv1=^WsLnhleOa`~> z&cD^?2Jz{l4v$I83t$5n4+82Q7+%mltoT`m6g@ zoKn=X6+(=!Fq(RPHVsjnyI2h4s*Qr6>a!q{s84l)Y0%RPvmpEAu1fLbG=viwds&##p0F3g4!y%)PYb9m>B| z6mh76?6upKX<7SK9vST8ysMl2i>!uvwe)%;67&Q3hb7S7R;R0iPvc8Ouoo~88Cdv4 zL8b!E)O$t(YD8O3JcKo=Y+!EX0{d&GtEd$AO9opW-RyG3K0%UOfaOAs+nd3Lr1VJF z7gVRndK#YidOG+Kji3x7_b*MyyFHm{E~Pv9N2@5Gu7HR>hdrYzhhd4~Q!>8rb7JP# zSmp%De*lUz(5AEqJ1_aa9(#)TMgoFMeeuOH!Dgwt!veXh@kl^%M5JQg>kT4`DU*HY z)b&!SVw}p@g1E*OHUoU!wu|l&^fN)o?^z!@o5`M4%>U~$l;HZru1tAP85i5 zM>=FwL{gEnm|k+n04Zc+1edBoiy}>g_*B?e7A8Uf41`@-xHR-C=L-iOT+==PXFlEr5i#uR$5YbyLtaRHV;-M0t#_cW`_dT z)8b4bHi3YwGMW46=t@iusxyKVfht{is~ppmi(EGty9(}Xt<5%oVN{tYI>Llpc6B`@ zGty5ytB0es9|S;}b$V>`k;#XQ82}^~wZPy^70FMF!*a5*{nm4uXVkH}9TtEQdV#!# zgCOJifMllvEH>f85L0SXW5VbjyCNSzL^C{-BVqH(AGl2ilH;0dF794*e0i9?9 zI52UOE<+iAqk!t|4~!Thn@e|z0s;*#(ssk&dfM<) zg$H-T15xWn0aJB#JjMJ{ZbWnKoYPlwiqYg-TJ*Zlm*yX?ul3(5V?TFPo$Hl$T)CVT zHX-_#>pt(MkO%c6E*FTDEZia^#lNGSC^gXo8iJIHVxf^z51x$l)GXyJazl9z9XcC9 z_!C*LH*N3})e{=rG&e-wX#ae_ zD#6KeRs7RTe#jr>gNXLppX5b$7lf?oa6hZT3k%%JX9B-O0nCtCS_E3=6IbJ1@2#zW z{<5oce7q{JXK)H4HXs!Ycd)J)m(&K;Q8nlSMn4lA68ni3vcM3{W8^M#aJbrs(mZ+o zhF=Z8s#SI8`~rZA+&Vsu__OzK?mY5@!xahp|8X9up0< zC5EVlr;&f-O-1w#F^=VnJH#1_v+ak(zBbRy$KD?Hx!n2;V%x_>93-ktH?hR~D(|7E-l;-eG zfxC}qAh|wmB!VM>W~P_L=i&9A7ZaXKuhZto0El^<}YiDn7yVsq}>7xB`5lCAA_Js{6X|7>T4#EQ93 z`07MsRwNtaNO@ja37rK~*z9bI_@^8H()1J7*-I(eMPMMiVZn&`p#dbM$vasTvE0;1 zIJP4%9=fx-zpg*_R^6cIt>&9M0wT`OORX1>sij;oIHdND19PCycYw%a<-P<(FFi0+ zP`vqAIT3*l4ci6xf}f^M-oLO$0F2!t#T?dk(ba;OMU-Eydt@ZxGyQna43F8=50{JU zvC;$XGEq-Ar+k@jopq&Xs(5m%z(VLGuo&8}fb>;d+$ku)ZusN9kSL{BlDryp6UC?4 zOt}pTnC8mduQZlnaL=lV*8{YEW@cu|E}|kYhThnfHwwpHKQCYQd-c6Dm||N{yno3*X?^`nKS;%oLlXz3kh4 zMVG%;8?=`E_v*2F=&w-9qn^_OKHc>$J4}!PBYcT$;(N!9=2Hd1PoF4dplc7mKcS?k z0SkB{U27V!T-bcHj>+NNjE8tcBUh6>5PH!dw|#n)fvzf#bRpmKDKNJ?NtA;1=7 zI3F2^L=^ZcK1c_?mG@X8*0YDLcvSFNaVuIJLJ7RJM{1-!Tfh6vgl)X zy~+kd$7%U1GZV~v@WY&;T%PWt&Xr>#b 
zQEtrz_lh1z4TVqwVicqr-8$9x!TJH=!(cNovK#nwnIgph&^XV3Ay&P|-tyt1WMz|^0;m%(VV2j2wf^%%XQ4>L!a2NI0hpPjh-Zg5@{7#aw<2@O zL@EM!i&^(Okh&1>~*^zHi`S8DG{Z)=o&Ci)v3nk(hypBDx-Gg@Z0$QG`n)?e)PMYbgO zso@YZLKi|f6y5SeVFKF9LvvgG!Oe)1XuyupF|7YjQu*%Xe-i8H`Uq$dZm%KWf<=^^ zE>#OA&@t6@IldtU9Ta#~be})S%&#@o;&H6y zKZ9e6$dmA=8CcnZk%47+hRi)}o4NrxW*_J-+IfoYu72*Wnp~OuF}K3j zp)p!k7F?Ahv>@_sln$7kH=vfs==C^gJhxsYKsOAG34(z7YRdm;fbf+exU>RDVD=px zy0k&l0yXtBxGq7{ec}g{&u^S{k4O~0%9;I z)zhFmm)?1&z*0^_M))`YOot%7FzH%sL+x7R8nm+}e)ZSgzXPEgcP?0-j6y`O(ve>{ z@+z{f>ysGpM=5`D0!Agfz*g>T%80%FliU;u&_RlTc2K6|bw^#4&V77aCG>!iA9fJd zVHavs?X&1A23d`vkb4An|Ed__px*T zJ@6|ES19sb{0o`w@mGaw_*PfCxgy|890F_)rfBpwm2pgVUOC`){?r#-p|z1L=clN8 zhp>oZps9}QrWz(^01m%JRy>u@4}7hpUBE;>+MzpDZ&=6J74{2LU4IpTHjY%66gBMH zf~Q-YBd=r8fpO#?cn4GMtx5oTbP@+p`TzuO?6?5phxs)OZek3$8P-+JahcAQ0QRf! zGE&7bwF0zsI!C|5+DyyKuSzPylB~WME8^lRL0q>AZp@Dp{bIKT-ZtnFoxsiT@D664 zlP@qxD~w}ze|!Mw{={#K@JWDiqt~KA#(b_kDPk|7@<~3*rru^QCc;UX@SC2Hk;OO* zX|n4H;Y2Li@k1g5X&kp0=wr(n&S>UR;`4iwyvtnI2XKTuu(!qpKDN21KtpcXj=Vk# z_Xdiaua=eW!`wV#I)*u%VgCI&UE*D@q;?x;pQ$}}5bhAo){&BA{8h>}v?__+BpowUv0kntE$8t4v5xYuF)q{m@;z=Rd3 zHMUb7Rq7sD?tJfruJ}|2`i!+v>aUNKr~EHr(NgtqDVHbT7%OSgC^WSK5F!!?zTno4 zYGXHSJqFjKW}Z$)9#ufRn;jJE=^X=PO6wFatl~#Nd53(`7&AzAs`_$9qz3vxXi!oL zl2D15&Nw2Y0e)SDC8GZwbg)X#A||tZ^Tf}zACn;@|Fxe`9oTqyjh8a#&UoCZF`rU& ztTA}TO&r`uwPaXle8Sv|^5sr-m!;x3r!38=$`O-*6uSD2P0zqqm{*=6lo}9c@97j* z?SvA*Op%@0&9!8h>(QC<6BswSQUePJX(gD{afj>7K7l88k>diivXTfRz0mb-+{&~- zM>yHoIKUFQkmS2g6Ho+8s-wo*tI;9|&t+pUClvo3ER?OW$EX4vx&`CA&(R|8OpkHt zNvp)(x9fU0naeD`LpihS@h?XLHVGjRnz)fhp18_cQvNnQ*28R5QP@5F*eS(M{zTlA znP)hg&DnSJs*}K!2-uTIMK?pNd)QQ~U;jD&UA4D+Qb`G8W!{4sXhn$mQA5#zL7&bl zcUziS;BVGjH9ytzuMElw_aUTo>Q&va^-j-vZl{N2)0-7jv@x-a0ZyIp!mwHmm2f!&2s}j5j_gHKWl}xeu2Sk}+8=>~=I$FQ-rH`c+)!Eo%6I z)Kl4Ofa_9m1!pD=-MAq_!b!$8Xjh~&s9>@{Em~#o><-CzrRnHFTX`No@I+ek!QksR z*Mu)`4g-&le?qp=ZbzPCCg41w;z)aG22XQDTn}M!c$t7}UfvD=VYVfc>#^$F#$i(8 z6X<;i4sn-cPM~!98S?ptLhnI+%U-A&naWNoM{ zfB_)L+T!`Pkw=!v0Vs-{g?PRr9Y%eNva&t*F#|KHCj!4>cBx)OSJI&78&oUF2sKe= 
z{J6{_U<&^6ao*0GI=!R~LaX%Gl8;PziqeQsg>O3*Jm&UHWZ|WcRDPmz7AlIs^fS^N z`ssCv(Oy%6*xWL#?r$2*LoCIF)^Q3TwD2~_QA4Feg-o;k-H3TNpUH#&2DkXw<40<) z%9v7ORLjrc#8lOudtRi!He2kbok&cfE2U;+JmaQn`@Fh-#+ln2ss7#n6jW&$u(!}n zt7b{@)|uyC+*Xz5qjMC}$Cc)WKONjuZlB%+rCTs1vo2o0GRG;<1ID($SSOMzTpq;- z&Kj~p)zE-7yfMt_KJB+ijohr?U8A zV$#j_;NA{J(Feh(b(FJ+W}xuO>UBr=2aCMjS>ETeC#iN@0wA=6e`O2+JsO{o2zoiN ziNSuQ_`EO|2oq8FjJXa77Es?XJflO~Vk*x6qv|Wes%qY^<#1?08bLr1X-Vml25Cv@ z5(ETk={R(QAl==Kbg6WANp}l~q`*7JM}Pn8{m2Jq&)ze4ueHug%}&iY?vBI|G-*Z^ znL5=ud(vT^XGHe?CjMs*zO`!5_m(cS;g+^4u};UOAA#>CHm~Iga+DZQ)*`PC^OYXJ z`>KL7UMQAr^Ydw#9I#Za>K`bP4SCM+)|O5^8A}&LiUBhQbFcFrB>lL z;uF5~kgNgH!i$m&?c6tY+r=a>8cb0$$)$!#ccW|V>#+}Gf!DDI<7Z|a=Df_mHFr0c zv{U@#KB1xW;>p(v7H(F#jc*;Ky+muUg}Hyg(noFaz<|rip50?dyQGjdRV04%f z>c(Z-8$Px<%W*DwfWj}r=R7Q+)>V%P#cypXA`Fu#w4&WP3@pz(Y zwVAiE(!ZDMWBY{tUW^*<9qiTpWy$rlB+ojs(0)?!*D^2paw#md_xoqcZk#7IePEXi z@0NcNK;Yvk>tVU*_oW?~Wx|X&S5U<;EK zBy#oIp5Bz6TGq^pdVT>dA{MG8QBpZqUiu3;Xgx*NgTqF>0VD{ZY%E1S0gSm*gq6N` zwkbjjQQzw?wGvuGwNgOBMmR{y-nDW#xz8~uO%(^!0qDiY{GIBEa|0_0724(wGgkjF z?ZWLAFw5GH^$v~-47(??KTF@UxFWWM)}t@!&#E=V?(dRfZ9rY2r@2ymFG_U+w_n-< zD+`GsX%n;L%orri3L5Vs&IXo>tt1K`OX`f=^m7q*+lqL{KPfX3imTe%n5x*?w4tN@ z2Oj&hhb>6Y0P2WW3T%Ae)Dd@wsX}7*d!P5(eUhAw+;Zv71hxb=OO>(D zrmG2W~il_Dre6mWLh{P%^x|$skR`mNDfcsXYP~QY>BOMbo>VrqDh9qb$zOnewy|!srFx zDg#1-)=;~Y791_0m9lm$B-n8~X6&}T46vLM|6w`7y?6jIovB(5zs2YoX7WZk30d|^kB3UocSOLwBH5W(vwS$;MNpLZ%)h9OMR{uWyzyPkOXg@jcG z-xfKA!|xByO9tUp-7~Z8Rk3l`VL07WJ!IR>)mF1oXMl{aPH{;XO40%bDz3HH{p&lc zOiJoq@<{$Ewp$97Ju!BQ{dKCFpWZM|(egDu^?q^~jr8Z5vHE(~n0!G#!x;Mu4jG}Z zvzUn^|8XMV!sAB59{D?32Q>d>yVM?Nd|R|rCNvwF zqy0eHN%f9$@v|)W1iJ2j2)gYf5KReU;4{JvF&ddY7k0i3DJpw(Uj?M26ejQ|5}0fY zIHR{JE(3t9IYf~%k)05LMN-aWUzP)?fM>|n?${&e+=TYYOyljisdI*@$9(^>Cymh` zR%YxSE(MbB3Vb9bO9>0squ#AXDm;m8xJXe^6Z%qDi+&%I_@z^gM>~L+<->UbNZ8?X z5;`C5H|3tFF+5}But1;hTA($<4nN>Y`+kA_5PmOF%~%Zld=wh}?Hp!G;iH*3#6kfh z8NDYS9c2RmT3sLz?b6ttDs?r)iO%bB<4AVn>tVmWJloRPMX|d4ciJT(hspb&{X!th 
zBD4qgwVW=3slAHo8B!*Vpg*O-yy`RKLzqRLZ*R1Lq%<}|z(?ALDnKX{46xet#b0I7x5(pVV`Ta!&Q zsXneH*(j*chDV&n&Ww$A(9T{rVvZr0;MpfK8>r2R@`N#gdgQ-ax#8i#n@!uxxW2KU zCOREdGT4jEm^-B+p%O1qT;P`O?HvGdQ>p8hSZJ-$C5e!kh!;d>4Ox&eul4eiG9fjr z(`*%Uu~d^KJ;M;^IFyKVOnl=dwf%(wI1Y8&VB3@Ch3B*E&4C@#0Wr@=dtgE&w}`Z( z6!+or9-FnOJvb~IL^(yb8H+Jcs}<#}=nN;iBAvbULRR8mVo;jz`=Q8aq&&D~CaZtSOipqOCM6FN=7A?Ljs zOF4`-3i}qM5&cLXQfEceNmINolP`v70J?mE$aR>;DgRH7wg+6A=9bBJHBq(Omt1X5 zxZC`^wKws#=`-Bp{rN)P!c36aPR&nIcv8U)wkOljopMqWtcMyX@ptR6ivprc^@n;F2;MkI7WSlq?MUH{4S@(xal#eMonXsrDJ z@h>A0ev{}ZE7)u?J?u~Ms2kZG9|I;a94Ya}0^%+obbLw+R zG;!?8YT@0*gSOzd3=FWX$4jjan@$j$5y5T#bKh2w)H`oQfPU1w3xQL)<;m6`$_Bo9 zt^o!im9Kixga*6E9*i{$mSd#le%Seix-Ayz;3?UJzy@fuaD%u9Ny7L|{PXz@&d-?5 zwGj4YGAr_o%t6VJXskLH(5C-j@d<6eMezBK8Q)o$is+aQ^~yYrC@Ju7gI5UYFZ= z_axyMTKG1E?O`VSORtJ&+wyH*)3Wk7L$#0A4fjY^EQ^76*OWI6LoU4RJ%P}Uv3CNq zOqlzLSvx4qc+D^R;LoiBYXGFrwQ;)go3AedLNtFETtl&PDpP5;$pVhnvZL@ELfZIF zD6JGi@HzOc#z}~7?|*-g8~Klw1z)2c=OV;vr6$p8!|xkAtSsDZY)v<FWFE&r0j zsa##WUw>$w9~j4SQGMuA(b9Xeq)eRbF$U()?q)sGjoAl?-f+A4?=Whv2e_^-mIb6= zQ;ZC@aff4gP5C^x4G{zva({HK;vgg;w?+Ucd3_{i%&`HSsMbAvW2A61c!~|b4N4Lq zj5wBP`0L0z)dFoHsuU~ujHU;I-0(U(&wH0hZxTT7Y=d8VDBHelOAh1-)H{ps z|D!R19VBRjr(6BJ6AtVyw2q;Kmvy1=)068w5B_@#f0E@OWHkX08b`(sE24M^_WyRS z0{-`)QBeZm_edNoTM%n%q=7@1ko%o}`lXc@6w`XQh#Nd#-z6^zbAN73UPHwp`S;PZ zP&0z66iQ1s8A1da5zUUqT z697ve^7UMAQN0#Q=_zBW1`2mYaR@WJ(m8CIbev9k}?$hxr$n$92@o5 z{p?^ImEQ5rrd1~QfA_cD4-zJsV0_|KNlcxA!mp6AD1sP{%e)Hj8Nkn97zqw8TIWwu-JVm`b!~7S9q`0B za!--0ju2I#GUE)mT)Egf{jn2k;b0XaR9PQPpGW-iFIgWXHq20$I zehDbJ?Nu?haSQOfM>CP{yFFlhdR9h!b)UJtAoZrP5;)HI+IuR&e+qwa`?xT2)~QFs zN{8Wm4;HwMI$FTG)tIGT9rNScF{~EN{#r%+F_JbxW`RX%xfH(3otNL(B8+e-?>C4O z{O=P0E`Ng$hpXXFzd6OP`GgpN>ZzdUkZO5+$usH+qU6~li^Xqc&$V}Ae1Dh=mC+#z z5#BzNxHu=ICR+!(4gdMXSP%sgPk#s4s@Hzq`HUv;AC9W6R^=%1zfu2WRulK^2Sm30 zOdZlGj4;Fgl?c=R)xTvh0OY4YKzKcsTld|R)5|T(APl$m?$FQiyolTTrJLt7cig7$h4C+| zr&+AR6Ch4;WN$ODe=f=|6M^H{P8AS;>+VrdN0R`Cazm}0l@UU(ZYkadz zebobkGB%^&Jf+06G@!po1NR#@z_s9Z-9u(Jse?#stl|Dt(4NMAJN_3)CJgy!BQfX$ 
z^IVCzc58A;Ew1K~hI?3Hrh5;TN8k)Bp+oh^M&?_VE4E$P;_rzqBI0Xlr?2C;28O)< z?*(4h+%e6i*M6_LERJ;ss3(p>{xc5s{^@AXS3R0pIX`(NOe8pxb;D(c6eoCbjWK_$ z?28OnwHYM2ay(aG4*H)Sh6L18;FhqzegL>Y&cz@Fz6j283LTRN%ABeX^O z72K`BO*!^y*R^__LrFR9{l7qkhyD+@gZ5nGg~_~fVQVEd72u$WzwEY0pAl=Q{vek< z@f)8kn{{zS5OOs}m730_w;c5F-*;$2@{GKN-GDi40!Lq6lSve6#;r z*?;xw5I}k*JzYLnWdd%#r<&J zdr!HTyMEAnS?11p2uwY1jl`qE?fVN+01o2**DiqHEJh^Ia>%0&Bz!%Kp0CY7v2gHo z;g_H9e}V~OpI`m<*wwf?Sbs3-8Ngjkv`xn2O}@`jdG+A<57h&1A79Zs-bjq1xNRxv znWt6o?k3I%9*}2>e7TTlNV8XRw8Xblli;}&%IA@7C5hK_j))1mc<`2`5WJiE$Ln;$5%^$$X-_9at6nKII!X;o)?SdG=4e|1RY)fsA;g@w(noO{cA0n^ zbh*>_;7B1Ha<_N%@RzlnT6p>z;=kD0fq!9hr!yB{t1__eFtn?s-oDU*4$$FfAPKQn zkiII7u2D9jxefubxmCn>2ap}%xXXXKFv1UEf02x6F%J}j?;E|tn*TOM-u@*Y>;P*E zNn@=f8DD=Vu8+JtDm}T)5!06IU-SqdoQbLkXcasQ&a_|Vbhg~+*c;FZ!SJ7_#$eV1 ziYwzK2P*U}sKZ^Fe3a+4UY|;pc?ZVEZOQ-rKLoYIRBGJKO)uYP41!R#!s!1OQSXlA zZ&n88j7~_wt=0y)GJC&|zd!lI75dLzLt#}vP3&-pz#QJsp}sHkKc+Y#AT}iIg0QLf zBdfpZq}6ucVt)23hi(`5Tn3mtZ1vmjuKF|rj% z#4tz8M|I+Gmeb%H@BLL6_pFpB=GtU+K5?lRNik*@Sl@EfLYrlB9UgE4 z`UL#x_n-q*|7Fwo#i|UvYYJEjfU#O9^C7sE15Rtkaj^OZI@i4#Ysx1v7W|m$H?%fD zcx-!all$xc%sU2c*&?M1?{ITn@(1RnDCpxSn}XeQWS6;QI9lTMKb|#> z>=5zw;Wzz1fF+M|HXn&k|BjE22IOYK<(8>Auf0qU=|)=6TIQ_N64Cs6$^26yR5U$X zQ%oyk85Fm=b{_h(1z;ImCkZSW(|`^oF_nQh+P|1*1Q|=S9b2^J*~ddYHdA0Za~W?{ z7)g2rTnnEL_1^(N@m|A;oJFld9mdx4g&{I(4>X~dD?>EEmso3*gLp3^CT!`@`<{kJKi zgpMiVcFH(lda0ZC`nw8ON9{VPlH5}jWBLMP`ojN{L}E=B7BLqB5aucOV8%~uAw2#R zy!*)hDGD(sf5n&h!r!MD1_F5c`*-$j|G4h(r_wQiGBPgDilp2u-E`-^M9R!_fCUM> zl0$68exa9X^SKy#k*63AC{p_7jO(r z3TrNN3BddCo&|ShlUUd1H?>HEqWBSujrjj$npPoWMzmvDv^*9>!Z;dDk!I;xQRB{% zOS3l&5+M?q2mrkF1YVFpOLXgt+Xh#} zhs|65Vr`W9u0zPfkQHr4FyPQ)do-*#sQ8hH7w~*5D^ZSk$C(^8=@ zyPD4kd*}qDp4SSAfi!`zj;%j#m;RegW+cKnA59G0 zu>;MyD#o=Y<9jzt(*vZ4$8hvarweaXZ79IU0I9$aLJ5h}hFc<`3x#O64szm?A|T1Aj{v_9$q z)PW#qm{-F7L$k1nWhiYmInHg%cIDAaQ~Ad(aM31)n}(T#qBol-}8_XtAL+K@Il3xxa5E7zFh8N_|m~oLA_jc z%0D9#VQjK7?HG9 
zgTs-#W1(%$1=RF{k?P|nfQkD9a6HBnK?W^a8b~ZgT})y(J=b*(%^Ha#_DpnC66P#-kShy&W{N?9~wzH0s!YUg3s_n3!m{G=I53Hv4av&szzm8xaErer&!?RE%-HvC`8YE$3T$)pYNF?$IrZZZA1_f`)dHKuH= zGE3o#U!#!#4+Sbt7**B>c=&|8om%$aWR^dlpk7m=^ZMt1I8U@XJ^tc?e$F82gaaB< z#=2>ERK#z9Tcdjdl#CSFG)v5kHNG>1a6h*`DMq#6O!adOs4R9^C}^=JvY4%q=X|@& zg!)k1K&p@C>NLuQyN4X8BsR7T-gKpji(CKK8nUpiSYL+BxtQ7?&?cUa2kYi5)3%|; zm`2u6-h-hd>u+#p$cznDdHtx@Ue_Rp5&u!E#M(^k=V1nuAMx7SKo4>h-xn5*dQs zK!FAdZY~&*P1^V>&#C||FNah2*oPK1WVpiF0i(fBFFt}E6XrP7D zV)H9p*Cn(+xUvLiXiO(V=zB#ok@hbz-P5|RnRa)-kBX2B1yXZSwba&1Mf_sF#>bj4 z%%p4<}(tFD&2edf#E z@1v)_G`(6W9Q;+^nR9&<81{kiKuF9(b~b-uz=dum6XA_bezH{bQo+FKg`=sH$O>y9 z_(=Yny!7WBEsdBME~?#^O8LPjFVKsw@BaYJ5hGOTVtJY2rrzP!%JSST*-q(!4o%Q9 zU|6!FCvcqUYwrNRE+OY(KA{1`3KS6~-+T1{iJ~z8@R(V`ab<;*Dg5)y)%G8s%AVGt z|DsXgt{-3-(s_c1s!B^iV0}IN+!|%(D>dkzPXaa6`+uNgwk5wi9C$Fk}M+J z$Y?M$w3GLnzjri~yk-6^Gg6g)$1=7)FlkYH0jFt32cYF3+7diI2mpqoKm+p+p!yy} z^|h8T7(|-O+C64G2VPQK@sbEZ#|Oz?R_qr zVcqO^%(+JZ)|LW^!5=>C_B8J1Kyt+`4#loTI5-uujz+wG3<`+$3rM2G4iS2NjOJRcrr6*fZrO_26A8;AfYOJo7YvoF{#7-V{yDjR{NKq?s+ z^$8w)y*Ja@UW`9xdqF=E^IF${Sf_FmZ#F>#$T=MwA;hahTj`;`@$`p7(#*uGM<@KO zj6r9i8O>7qwfqvf_E+uKNgdDs3;NPAm8?OYARgmaq*ojB0mD|$ptWrTxV%%NAKYNd zqLz{qg$9+Q!A|ywCa}5dlhAqT65LxQ)fk6fUs;L~P+e?4M!=`heHF*`%>{cz+~BZ` zcz-nBI4P`ioC1)Xa)WW|wZrmxUr~X<--n{K0RaW;1J~Ihy^eRD_Qh`7Nt@H5@ekR3 zywTvq%jnR$1NukuQB2CJGJu$#s59~llcYp7ej5ey0b`%HI-Kxv%3G%wlKTdBk<$ex z-)bfAld);TMaD!6k`%6)u229FZ8}MaYva1LEPVa#nm~%6eBz7f0Pj~wpm+KSgU6ge z1`eR6m@jW~cPs-WW9=qkevqIa0l;WY{LPJN?OIXPyX~Rc2T4p;DjT7q;0~oVSg}*D zcg@a*z8>tZn2eS*{`|C(hF}(zse;MHSEro};7uITq!qMb#iC`g7>$y@9=+pdmGl)R zK-l?F3kK2Z8@k7Bv7VXCOs=aNV@ki@$R`1x$xn03({!`FAo%=XTVx=w{L~}RhXfj$ zNLuCNEevTIvdr`{idWH52ou(%BuImjG+yYqdq(8fV~1WsTZO6;xTs5?>#o+-HKYe{ zHVrwrBvTuLPdsq?mtM#3id}C0r`LD!e3d#NjDjKxUP{2B3bpx`xPTD+wOW`zUBN-D zn4cchP{W2#xL`=D_6no>2jc}PLl`L=v4x+HEF?g>ZM%WuEQJd4h!1jWVNAnHGM>?7 zfon)c{1N|NA$c^A)DqHKc^bBFkCrfM$@} zG^PWg7t;jvI%B;kIlmGL{aWKP36l_7&VHF%rz0uRvF zV*rL#0gO8@FtBhEW#AfLjhP#%fFEvF)cmpJ7BaSgTJ0p49etvF<2%agqX)a$$y88; 
zlZwXR)7J2@7wH!Px53));j0^d#ADkc&?MGgzTfoD063bO!~+x{2-J*vF?F8(NRw@v z-;9EVk`gNh^|!-s3@x`S>zFrgl=3Kc8S%4Ov|}vuwn0DucBt#p-S}EH`mnCc_T|0M z6rHMeMxYW?k#tk_l3~?Orpg5sg-v)F9Y*;@qknj)fuFN}^?5S_Ku0K_M6Vay0gRG` z!?0C4K<&#-*ERcsDRqJsutrOp7<8V(sBizb=r)th_P*YwW_`gxwrilzF{M(zFwj0e zskR3S0;NB7Qtly8LkFBSV%xMc+|`DFAPKJDwl7?0lS|IeK{od^{$7ME%3Jj>0|H=?E9lNC1c~)=qOmqn=+F!!j&0xqT$+Z zp)W(zQolj&Z1P#4L+5p_khKa`U6<)g&20hDTxM%A*^)KC$_w^;tHhis*iN2u5Q_4a z1-488P_1;&7^BL+TFL1YpGX5aG$Mcub0@4Azj3v)@sXkoE{m#FxXwT?! z8mq1lL5ctM^&FHm6kP}6#%@Gnh&U}v?u-O1BuBe3SB-wU^6jb(Ty>@FmyWsJa3cOb zvBd}U_3{kRjA?E5F#+12J}oB;YA8!XKp2GR5({^95>#hp3RxJm(nu+)JuCGT06*DB z9_N7pW`Euxkg+9x(2Fls2nOA_`lsIdPxXM&nn2aNOEZ8Pq1;7 z4HnU5G0b+mx(mITuETu`00XC~+?9_G6ru#szoP&(|FltRXa|0M^}*{#hIK8r7%}xE zbfC`Fr?CMhCY)p%!(Svn*C&=)y9B0D8d$>h!!*5}*5^Hw+MME$-X^Vm0OVGf*&DQ~{Zh-262Gpb#F? zZoiNp57lA^NIs-5<&f<(hc1UC=W{mc!&lcSxsoADFIzF}S3@#G9QhjF7S!RIn zD9HP6Hk5?p6JwK8)3xVX;PAr1P_s+hk7st)PNs_j#~gOvnoxQ6m?Y`6<4o6 zH=*5C0Y(lp23_KV+!r$W2-HM54$-6C%5W)3d?8 z&&C}&vX8iCU)Z@;^C`&DJ=I0EXEZ#}pa6>CkM>N6!#4}}jD8+t!1o>tvVK(-2&_|bS4a6?H}KVNbpg+W<1b|RiGwOE8AzW<)F$9$W2#ltgwLa=5W_QSd@yv7bQw|BCy zGnr5mWHVGV4X(f_&Cb?_a~e9wMtign99y&U`-df6^YR@@3)w_mxSk-Y1XzmhY+)W@ zZw;C)u=>^~L0$8yS0(rnMGmkr1t@Z8%BSE5?>AMEw%~{OgknSRhR)$$t$KVgE%$Sx zA049?Exxlo%Bym@0dGs5B^Ou|dpQRJgP8Y^LMvou%TM}%7&4y7b zjTe)9yw1#LQ+tI1O{2ti+oKztdvTa(?0UPb&*~j8nUeK3xN$5%m^pAI^@YYJf6!)W>^M9lfY{dBW{-5bIAC5-cdq=BDpB*5nLUzL+~~UwLw& zYK1~qFrz4R@Yce?Qiflz>b;hs4gNvmAC2uO{8j$E=4%@pbP4^)zC(@(-+QR9KekK7 zA}hsaahA+bHI5;|3NBh|E{>iFO0&uMmWRFwFW?+3Xe@Z64ZlSzUbknONe|hcCRaCO z)zM8xC!sWV%5qHjc;5$%^JlrGMAQ8SXf)uJ*D01)R68mbzZZK)l5QIK;=qVMX79W) zy8o!Nw9g?&vX!NBv{)?@tV!GuZqzhu-C0{rCoc9*E-Sh$*Bb&AZihl%8^41*Q$<2x z#BJZyRrf2+F8iP}Cte)MGWszqB^RGX$wzWJEzzDj%b^qA zeOkg6tnMrgAw;a)D(s;8M&DK*c6~x^RtSWG;st`ahLE|F5I#0*oOg}pC&t35o-Z%V0KAHH?XHRWp{5?#Kvm&$?sAqFUg`noJ^e z)Q4irK{NFhtuyT*D(1xVFp}$*ftOWzHBX}Yjq0&NnM_|0Xb;-4ypK5Ks2p;y8cvSn zN8d(4$Ob)3I#&k&sp|Bu@%c#*Cr+m?ExPx#iEOcbJ~w}$yS4yV0QtN$XC6Llu!-tE+E 
zNHf><&CUe(soOlC6`yt9bZP$wT$c?!)@sfq`j_`$I)n~eVlS+N%NZZAw$$jE>?+9+=-zs&$m%-`6>=Xv83QH zh4uWdBcEI`cwbKWsYC6CF~`#wznfi-DyH-I{a8!RUCNJ_Y5k(egYOH9ZbGso1r)p| z@@BB2S{kLEFX174Zp08S#Vw=ZW~W*ficq(m$T0~Ur!8|ErxgWK!OI5c^OR>E?Lq8N zJv8S~J(fvj;`9hQx7#COqeUq+{Pn(XRvMAs}aN5I_htnh2?P1r! z8q(x()sWpRbX9*bR-pCV`OigydDn0mo!uUPqP)#42=vzfau3~x$*LZWU|&yfp7%^O z(!Rm@$;|@qhc#?6f)~olF8JSZ3YK3bx~dUd@S}`W)1Vq4$I}Gt5Yy_Cp%eS?@3@tH zdci)zl+cXv$vH1#N(eZ94x_Quu}H3(J_o<8?=-C}<8CH=NB9pWDWWi7HDQ4P6o;zH zmdu>CTIP_k)aj_Nv2-2TS+hF*Td)XPY=7Esm;Cr@$Ra8J{sa!#iFGlkfM? zr#*w|{2`GPM=Y@Kg~1%|Qi?JJUU*71vcgI4AFq>(-Wr9Mw7tt%>F#B2Glf!uji|nj zQ5gH=F|(ZguCrCO^!0(BPK3N$g&;rhv{JZnM6-$J`r6#j(ug#|lVgY5|L{W+MB zF)i~Q>re+@C0C~CwuB-wDT;V=XD;0f->I&$9{6|Yb$l^7m}-?qg*qvN6E!6!z4t_^ zL{_*_mOp@h7ZDxpdq%sSKxCBzlgq zd-viv<%PArGaQt9XL&)Ch0kT$zpo#zXEIcRXJK|HEZpq$wa6w$9Jzg;Ij6SJ%%gg- zqI4h9fc@Imf%2fWiZfn|hY1CyrT42q{rD zF;zYDkX+eTpA(V*&IOPfxl!mg1}+IM+&9A#4dHcD2~{rbILX%Hov1pbhuTHDybaQ! zSm3U$W%eLAn<^BwwmrvjYE$Fku;~qe*6Qjg>UTc-oQZPvqtRQsi%HOW7fj_34FZKxLj4{i}u3{AgLsod#pGWv;!kKGf}&RyAW{?q?OHJ`sRAN5hz-QKCX z(j&D3F^Y5NheJ!evUulMuR1ek#)8d%#VJuracehvw~7d>L75kMrK%rk3=jPY<7CX*Cj6$X)RWI!G zcq6f*vA-&Va;&Q=xuvCJ=PqTGTbOzhJGFf3s!mSRGL?nGM%cYMk>wXqb#h(trZUUR zVO!FQFk!vEcc{xGArxf=31vP{SYV%O-iWc%A~{ZfY;8BH7kSd+&(VpC1Wlv0QJi0Y z)LKnT9lFGeuLq#A1K<(vgC1U@;P-md&f``wWt)Y6#2<9*)nQwRP@q8Ap2SbX^Xvkc z$|iP!N;4(rvt!)L2IPcsQY$$MoAVX2Zw|8Nb0(|4+B7xdlUr!b`kP|W?*%fv+kgJ^ z!Rar;hVP@+(0}*ejW@G+o{PFpo}KPy@Wgg$s6o5aQ&mj@gU9Mj8x|q5%m$MPG!1$& zblomS1DOn&!q@lH&oVf-W7qT}Hb&D?jL1({EH`O;UR~K-RYYs${^VeH-)!sCq&cav zoWZxtrR^rX;)i(4OgC#IF#KI&Q#@4gFyqHHrH`m{Y3ANwPmJx9Aj=ls`>?6pZ`1zZ z5ng*E$|Z7!U+Ci&^Q|8o5&Z z<0%Y~Ak}A)xvxJKV|21Zz*m+o52a9;i^Y{7gE9x}GI`;CnWvOPdhQ~O9!jb_royX% zVu^0bE|ALouob9oW$(I&*+)+cEX#{o_@wO8* z9C;nd2BEre&OlUJ9{@7+T9KS_$lbe?

mbZ&(zaUp8lcfBL$bA_}i2m;c8Yne&i| zXsXM4V%x*F&=D*MGGuS~MrJ8p2b07Un{IX8{56J#?9(&JQ9^{@WE@t_QBUVN^hhme zpXz7h@VnVZp@+|6AK{rd2Waz#6G3>{9>!1wyqZ54pS>S?`#|=chAHQT=$&XLHq?&N z24tFf;`h7x0(E#y9JTuLf9lz|3FP*mM@UAL@_!Dv4ZD6xwKz8=4|0~(!g+B9%GUZ! z?{+*$w$rcN;`4HW%OH&a=-(W*GRY2V2XP#hx7so65-S$b(3aW|6fJa$HMFqDxb^l1 z->d2J=EIqn`VWmgvexZ8z7~QB$vyVvHj0Ydd6w1S(|7|zC=59D0xM|^DvK<1BFH5c~AuEyb>1_MR`R%Y{9PA#fk)(qdJn`x0`ccQ9R&% zFBXXsD4)?TD#CSoPnS_*S>y_lq@g;#r#vY~m8h{oJNq@+t}4!6mIGS?dr;KLbF7&; zO=MZtOcThD_{%7gt5!1tH1IO|!|qaTDVK{36_azlr&qFoK2qw7*j6ICe6oPS@nKlF z_%t_A0pvR4+jGz9+ghs0*M-Hfpr(=$nRvn7a1S*$1~m_cprcAdC4cPFPW9>{-|vE2 zxN&D-ZM>*OM>vDcvwu7{W?5@~>`x|WX4m4c-Y_$QhFTEo{fYF_sU-Zlg|p8>|ERY` zc6d>!%oPPIy%Ak%lZWJEBYdS-h0>h6uUw)aafZsFQ1#H%5hvCqG~LiOn*8BgBt-Mq zgS~c1154LY@l6Asx_vJhYQ?Qhp-r$;9wCPpgI^+wUM;5zpBO_eV zm=asHUJyyY5xXa%!)0KT&}e0bhCYmQWXG&P)v3bkRw;z+&kX~~U@k}sH!)!iSJ-Ud zOUn~}~-Gq7Ok`z3qoe-BR1= zKa=0?b~pdp#&PR0-KyinmRhvZhH?}^4Xb`h+Zk4l^X#+O=?kb18T#nyRXTlyuOmgb z;IH;#BlMnkMhvLvs5Vb4j(`6+JqV5^&D|<$@NU5vw78Hc`=tcqhS}FCj^_j!Hd6}Z zFKRihr0)?vR+G-S?mDMmdli5#=qo$*gtcx|#twJyZS1oWMBc+flt#5(MYYf=)srh9 zD{LhuSmEmX9b(&Q{Eaqf-n71G8P@wdK^PUq5h<+aUDNi@?S^5pjhjmA*cJTMSHaxS zg8aXouP6gK1Dy*}hRyv_I`EZA&nFPqI+4^>S1{y8i;22KK(l3Z`oV~gugaih=?_y~ zhSSVly_G9MG{-93i?w~etK(Dds=0}(%DF|%0caE-%1>xbY zQgvE16(HcvxwurvQTJ>%>83RY$SZ2*XNU?+Ax8*DmSp3)Xs)I!U-!rXCAK?M5H5oN0dgqm89pm^9{WvjW^%{ z{D(p&PEj~O#-A50h&~dIqh=R%$!)#}|A2>%;6e*1ENLoOH)N zlil~oiUQjs^IHk`);(1t#g00PpcX;qv8f%WGSnE~g(KW{VX(T|UL8&ctl)QQ`Yl}YX&W!rfOluct-7P;vrIRq2y0yi3+bdAsM%Y-~V02Y6t0Vy588J)GN*TiIb{8qS%U*unaOY zHIhbE1?IY|m4#FxaiL6=TB()XxzfQ%I~x+3PK#5ptT*eHHxUdzn&wt;8E+K zbiZg0)3{sab0qd}6`%IJpKarFczuh+DqpRsEuZM8;Hnz_bb-*~MUD^jRGv!zUegJf zP7(D)Lgb+`D7~5U_;_M^E-Y96#+6{eygudRJ3nJynhAx|!7TyF=i+iBrOEdf;mW1k z8{XWLhcv$t5j4>TB9la=-WwnWjQRIH%u}7)`Wzq25(X1ihaPeGZ2waJG0KQw{nj6) zI{{R9rz&$ECXetwMEm4vq@`q|{sj+gDiRQ+VDXYFUQVG+|5T(%NYKly(Fh z2))?vHN7hhG6@s(_^k+pt5Wgh!*Bc?yhaao-!{_dekEPjN(z`rFr!}GmJEkREb>T$ za8o?Wd6B~kJ6^FbEU1n*YN@!tey0CjK3#&bDKyN8ipF;ZHYu@-z@0-Lg+MK5=GT4} 
z`e?g9VVHBZ)b2gknMa~l+)joLO2vJMCbsZ<-mEW%YxEULHiQl~K^XtqtwaqYmkI4X zN#h0LB3_-&;1PeT_CH6USawZM@PQ%g1NX{f)E-HLBojRYWZoqSgeKnX!8p49CF3(QMcZiS6xEDhpj9@`aqz$@r z!)vZC-m34v($&3eyciGC8lTv}Z?5En4Py=G-5k4>EVA&`kilBjq?DvrLPB`k*`u@_ zEpZN-nmmF71x!7y)j^d8nt65+08#`T!V9Rd^<_V-d;m=0?7E(qzxJq zv_6C!Pq3FLs;x+vn*h0#U@G$v6B*Z#ST{+h+9w$fMUUfPq+1JnKJ$HJpcb-n6wKDg zuHb{QL=5By74w%YmM8JKw+#eNjGRkwHbC_s;s!O>h6+Wd^($Szh)%w2k@*3wGcJDo z^^WqWd)D!EZO7W%7Y#N<;0kX|bWT*=U#B@F6W#ieqISP133K|iNb0frcA+WJ$|KYs z8H0<6GzURy5%pv(cA)xP!76Q8;|+mWP*e!#AOxExA$RmQ@PuQgmj)PmKj5PAc7Sq` z-(&o6CnC*Vv^M^_l3Wwn&bQ7>9E?lok<|tRDwnkevk{lpX>2wYsY$Av+U89;P0D3E zg;ZN!*XOwhR9{isuzEgb;u8>SgV?{C%I{-k*uqJYWlGr;_P+MSB<*@VHY2l-zaYK; zuvFEMxW}U=lRyynjwh~`Qnw&YQ6*w5Gm#R(Tqc*}bM(7H)f|Rj1p)~mKT)Sg7<#v% z^~vJpAmXC(PER}2JG>c(TPH0yqukFx#zXz-k?GDk$ndP`rl^{P4;3tMG3Te$*fK1* z=e6fCpG7voEFRNb(BgrHRtacmdByf7oeemY&O{aw6z2+duT++y*(`oxpQz@0nfw@3 z=Xj9ovcsIVRnIJpuyK05liK!Yk3 z%Nl)r#Ho~d&BoWInqRB>4hOet4Fg{z&`~L(VqCBzmcsIQQ7$|i5+@Dl39y4!7ay*myN5qa%qK(Z}YM)QCjD}@9m`&Y-y^vs@c6^f0*v($j_2$G0bDfSX$)3{Y z#R0h$0m1?y&WP>c4Z$VFoI=Z_bucD{T& zP7b7(Y^HhIy{AO|;3ew%8}co(c&^diHQ6_{MVR*F3TaP>FCbPt7%cGuaYgs;anipO z7f}^y7lmju|CZ42X09Fy;Yv0ZL$Zo^#9iL@qEe>B@FqOjvglyJoA1+ILh5@|u5@qw ziI)fq$B#xG4*wrdSHTcf)3#+@Z~^I(UPM4Tq&p-8>29POBqanE1eEUX?hXM7l?F-a zlu{b$5cmck-|r8cnVmgz#})S(B0j>%&YwU9hedpG>D)eYM%NxUQ^Gw+l^Ms~jcU*@ zVKftsTz9tR<`HJq8zLu6^mUxqoem4b14EM!_v4$NWZ_E!@6%oOA;O#mr%Z0mR9X~} zsXfE&qsHM7?_P_HwnfDj*2vdd(dqXfe96%_E}qQSKBvAMx)VW7po39ql>OvvZDo?T zoKFUo+S`%;-8Z$ymJjr7*9O_{0U{%D!;T582;>Kn{s-I2JNI6eHYTC*HP?<~eD24N zvJdH85SIVh8Ch3s7}Fb{7MCJ3rt=zq4i})>&u$%z6GqLe-^ZC)tzE^)yqt~(|FF3f zd{gW(#_VEv@|N#f1isCxEdH@YF?kMvHnzLkt>g!ZW}WB7BSmm|)Jxx|mOh1NJwdW6 z*HJ3Ddc~h!s@kEC*9zW+g7L#<@p{|dw>gNg2U}>SnM2z%Aa082q0Db zRga123N}|!6MyH*ulj;jtF|Hr;YX@LjqP>x^cz3hko9$OK6U;rORXGCSjY)KT{cX8 z;9O@SQdm7mnJ-eQ^z_4!Xa^zmBP}E`qx*&8x{|1<9MsKV@nvbmZ`l~T#GVL3ZtdLs zSN@f7BOIg(k2IWKZI_upjlcgmwQ1k*Voe(iBOSQQ!tta;g*^PK@jABfi@O~ zBByN?r1cj2BQv+zqo!Kc{5-mCiKu7>l>guWsYxj=>=AB6E)VADr=l0Lgs+0mU~7YZ 
z397MFb1mb{(co`SrfFLvz&1PuTib_%hOF5A!|kZ%e;R}yj??skcU zdhy?+t=zS(61DNMmqkTq(=}%E6LbMOb@cvhaXurjD`h?el>WvfJyY|h608yso)|pK z>7k6BxJDuyqp#H{2@4;$B@Y%E=d5N%kv*eL;v)E0&Q1WW5(}cMzXkVlV^^(IFuJ|2=rW+jo|H$gYS2z-i&9(&HT4A< zq+`qAKQjxmy-fmqr=F})wh;*#cSfk*FH?nOBX20k8nNWaP$v$|i-ll!%Z|w*4xR52 z^uvE7t;EwWW?w(b@CV-wbu(NPXN+LxsIBKt^&mRPX0Nxf8uxgE0f|I)oC_PAX}kB$ z{^P?{EC>^f?ER7i;DyYyxoTygPRUkU=fXd3)JdvKBLg++X674>UXUm|mvE;CPr;2K zi2va$?+9lrXQzRSRJ$PHG*A@D268KKL2&K5XQA=%Uq4vJDZ!)&i8jXA`Dx6|)aWm& z(2XPFe)Uj3*W`tu4+1!Q^&-f(V*avV+f5hCgHZx6vWSaqdj!2aGL!!TfEu-~WxGylO?t7<2lH7X2=X17 z1S*)(!`#db6*=ERoZdd(f*uD7kWy&-EtLfdtUaa*Bi6kvdtSW(Uqr=SPLRO-5cutr z(#XqrsQEsnB70**(HIX+n)TxX$@XBYQQ53O`FNb^x5-PFu2wMY-WT|$4AKr{_y5mP@%j2QDezdXkGHcFmrN;!nCPh4E}S4(#Dj3|FYO!O#4>AsJ^ z7ej;nN$k*Jw=;=NYWtiIXq<3B<8(^0xNuN)Fu!)J&*3Vz$-j9iMa0pBdww-PeEhYq za=K3%9Bb4*wr*yH`NxyucaDzJ(CP?U8L1S2vTjjVT~6c9zV?W{Bvb9p{Ri6xmVIS{ zO$Xg;OlOQ1@8q5$_N-^QW0>p(3mJZ4AkxADs&-dAFB!~>!wBn5thK`X*7iw? z$b)~-!;-{6wQvEd1i6NBi3K|RR43ie9?8wwr~JtHETMfh!@{&CqNy%e%f-@1;Q`#jZ&`(Bek z4-)+|`l*vZxrUc-_w^G(oeJeruaHZw;yuWr}f-b!e%x+Ws|pI zmzkU_pf+Ivbbf9^ipU0eFEM|_=Z>p)Z*+2u@7v*<+t$Rr^RQ`$LJVR^Xrop&I z8`(*ZNJmz4_`m*IzZxAiNK6z1+P#1Aj%87(5=9gL>@!OwIkWATqwcsB$5F&LRL3hX zfIEnyojk1NbLYJWk;OR|8+?DII~caAq4Stv=$>YE?;%n3bd1U8bgziq zA;qKK^tVriFBs5&Om9YXvDFeZU5`m!9-dp+9yela%AR^-jWLZ z_$RL_PO{fPkbzJ(Hu0?G2ZvJwYu0oi^ea3I1tQVlUZ{&@U-Frt>+MsTf>#*0i zw$`9`9@-Y6UvRh7P2F!z)66M@Z!BMUu&a_pE9G~ea#2qh3+S*Zjn(60l(WD1-%=-Q zZ%Eo|6Z>}SX5nR8ysj0~(syMfc5i$~3K$x6vT~`ny;=T6H-GNE=$`A}mE7L*os|-Q zYZ~^RV6wl&SjV{qhco=Q7P9adwq*RVqDXBc@3rwr*w4=ZCMe@8+REdbMa0*%^>iCx zhw7wY^J@2y%5kG6Kgrq{HpMpv%#NYoRMOL?s>2(v`ZaW3yJQ=)P1rtCT>CD_e<05S zdCTpd6?bgfG*~~#dWcjxDe_+gyTa4 zsp`AAxI?XY-y>2k+DqP91;}e4=G#hJEH|T@LO!e2{%8W!MC@B1t`^vmXooT6UsJ7Z zD~*lxRu|^>Y~bB>6IaFTvnX*=Ho)_Jnkt5F}>oD2hB8EVYmEpqI!h@Tq)y zw{s!_O0iI^VYP<^DHzn(eksxq+WI7ojw^gzPHxQp?!3k1Rf>v3^k2rn2o*^Ik=AMT zV!Zx;`~C+N|F>_V`HYlvF3m4>pJ_`)SuQ>CnR$67*^{if1)KH?)uxNzr|7?PfE%$R z`f$EJ-8;1k-L?FDZ*SS=Rorqe4U`wz$<1TO@>ML?{~n${dStm&pI&mRjQUdt#XYOr 
zhn4ZwtWm5w-2IO^=Qln!vA+)&_QoV|J=Fl(QVb{)E!$Pcn~)}t&bt?9*><1lP=aO3 zzw`hHI{3JQKFYawTl9$Z=w+noWEVmzh5Eqbm@MQ|gRZlW?v`UI2YGSyzFa~|UxN_1 zwx%nuQ*iibbsu>OvzJV|9KQZNUi;kgK9Y{NC5j}?j)@q=@Q>ERXExDk5I(w=Kb(!D zXp^fLzb|R4)()8XvD-D59@i?J`6Oc%XYYqX)f8%L$jVP zj)WwHcZcy+CwZo3&8>0bm#>*aE4l3CrwiXq|LXb3_Z zqb&<^p;x!U@&^i3z>a8ZdgOXmo^N+_tj3W2`%}QD7CsldoL?fzUoZvN+V#5?T+*cU zy<(6fErT>Mp0SK2E!?kxW}gMTEyXMZdZIhtEeY@Z_xGt|>G??8rw{*=Wz~Wh_UZ2F zzzA$*-P-jD<&m{EPSSsB(q7rxCk=KoL?u7R)z}xnbKkAma2i`UbQzV*I7W_$srA*S z{O@fMk;HCPfI92-2NQTI%U3qvr5)~4$3j`T#x#8}?GBMCH&rfU6*;j!xu zhe@eT+oBC(f20(#Z*A}ZdMB??py?ht?j0SboZS7Ha}hdv&VS@miuFa*C}LXuk~daA z|5@be1FD6h2*uUGVAHq53{fqyo~b}l`Iu3({LxjFw_?erz9Qq^7e#Eg&<={~(LSf@ zAE=3sg~DSq`m_D~7Gclz7Q_t6k}G+%XSRL=n#|;@g@qRdov7$G)O?pxuDUV8NNx3dOUaN7Q-89QOzp2R4o*`puw6!N%Z@C)__Zdvxfg9FbxM_!UEiXGc`#YksIk z`TGrPIjiv757W79?s;&>$Pu6wh`m~!`4y<-1ErOGnD5*;T!mM0OhEt;y6icTf>bQ~ zs+K4Nh8h1wriBy$9BoJ&eXnQ(02=}KmuP>#Z%Vbe4CNMyll9K@pY5qQvo0U8IAzCD zAwGCL7{3sBy%Xn-OByqw#3qm3B5MEX)+h_a#!*8X+^x-_z zPGQqrKR+6aPFVB)&5FG?yHPql5FdKEMiz{{<`qgA2w1ij)7Q zWYQiK`dj*DN!Hf^CU7_rqMYcqfQ#L**G%EW?H}t}yr{?vgLLD9wt)w<4Gbow+c}GK z`Ew)aG=@`wgzxVm%3xuO6Ok2*?P(MA`jp!`)vW4_8oKP^;N%IUiN^LAbqVg5XnaKk z`dd0a%CwuA;Kw|W^MLe7qWSZMsbI@I?+G5x&lxi4|0)T1Lu5#41anS$Vxv|z-HA)~ zF+a)4(?B{s)Uf%P;FZ|Qn%Jds6_FC1x&-6q8DyuW5GzemV)+(Nr}Z~{M1|EqYBRk% z8DYN?I>O_iBn`QR_9tdEWuYHeHT6FW_-LPeFuCK*|K+ay!P2okpkbh&ZcSr&8=wk@ zKS2Bt@EQfR3ExYr{%&dGT^oXG6pi99EKye{gJ;JB$@_6D#X2p4Wb>9f*EA(3SP=-n zG^nSot-Mv_*g9viwJz&ryMhC9y>fk|BPNJSBhIS2o=Lw)rnj1lc!a$p-jwW>qcdY8 zL9}rmHRL{6kZH>JduRq$_taT*B>oNHK4kcTQPM8H|~y zG|blJQj5NJsy8Dw5b0C$NQsLy0m4V0B>}D@o|cOx3i-?FLic3Fll4aT0%GH@cwT>e zM9lnoW}jdav?l_+OTPTiZ^yI$fhvQ8la?ruS@^$B1%PrKo-@?PcqMDv`ck38DaJ&- z77Lb(VOa-pkIs@Q{~ z5cg$swTQBCT_c^${t?5JIrb`%12ozKqh32C`yrGAC+VX*EWO>CdmQJwz3W)^I1&UQ009>YE4doV|~2#I%@!!r8qg5Z&fRS-x5 z&adj~@ZS9t^JE;1hCN+ZXdpfiW&Q*lpJIb+_FVBFw;_*O&}S5bK7)n!5egC)&a{`A z0JA`|s62~y7tzbgIy7^a$IlRUL{sCM>~dyzjKb;{3sv@?E3=M-26qTyv%{NAj!qH# 
z{LJ3pIvQ)9>Lq}zlnOP?)s!4lw$J~o27KvdUz43kj{rr{D3IvR6!#p<9`(~yNlf}<%B68EJTlaMXf#mZ^$OR}f#;7sK6#t5+#}c;{-cR{APF816d|Z8vyZ*l zJseMyV*I}Q1PuQrM*SZu0+8IG;(tn!x*trROcjl!)-3sxAAOCH=s6TBN^pOhFiSPd z2?5u&@G1NC`Ipt@T_9?=LQ$Hdg<|*8`@IDK#pYFPDOklPwwAm(GiL7DbAfMz%Ok%0*s5a3!4zkV|q((yZWl=Ei?R3qhCD7n533W59YZ{Dzdu?|uA zsxp7qydZ;54hE8*_aRr*C>&US&>qerY`iRA9NQu@l`gFvki>Q+wuqhxpkaxLqCm!) z{lw;4`ix$9(WacYF>&*3WdY`poe^S4aU0fPINJ*h4b{L+w>eI0CN=oeV@=nwudh=D?1bQ8t`}tozI=Z;+SEVec>0PP9PTE`6i} zUj|C6wHq_QAj}oNIPPnxsF@j$$#(ajRe5$hRkz0Bjf@luE8_?DLW4!yXpC}hd*u=u zF040lca3;D-ZVUc&%4JZIe@e7PKCRlc&+p^_n}7<&ij_PDGed_>;anHq~7I$0r;uH zkt|SXPDY)HQyrCX&B^@vVHqewRzgn6ODlpjB(Os8ZQtw-!%w)AI;fUsVJ~r>nGA8f zL_Rhp6MlMz0|Mr+KIu;!PyRu1^b+gdPpG3*Ez9!LxTYS_B3EkVp`DZoKBp=H0NEC` zBlqSL`57MZw-MTXx!h&~s@J&R%D$5}BO$H+qb63;F)f~dD_+yB%6r|RBHV)$ye9?q-NM= z_z#1hHy2KnTS=T-*_sY;1?hZ0CapM}*)||;5zqU486flk^B#CHIr~c^nX}0gdFV~` zTg}N2`A7bA3#zgfxvMQFk3nzT4;e4F=Z9t8b9JuvQR;IGZYoPAMR>bIJN}`hpPq{p zHsnnUc@|Aek_1xz52@UsODi@8FC@mFe{RguC|B3ibmiM;48N3Q78Je+02`lQT(AZA zs-C*!ArY5gymOzXl2i%6MGNp`24wJ5(}P3vx?dOYOe%-|gGR~e{qap;X$pd3|w{hd1;{tR(P?s*@oCzo6I%>S>! 
z0#reX9K<*CD$s}bBA=x``EiMJ;3EEpdQTi}QR!4gI4`0>XZ0&vExmi;^^N6JUiL?Nn`UTV?j;2a#N1;i5N9Dtp z(2id^&x$^VRvPEbpg2v%u3DWB8H6CzYk%;_H5MewHYojt98BpP*QX;-?*a&-o%M5@U&&#C%Mi*V_l2_;^GQJgc1tS)yT;Eic-6s7UX^J zWEwi;HO=fMcuoj656Lr0-#aMfi^A9;>K+!A@x{r=Lx?F{7?TY1t@H2)cP+rG@s;?mF zE%T#_|9Eq)I}nZ>M~i+kZy(oYT=_liWHMa=FVTH8T4>&b2SBQA(khkOr({9z43Het z#2%IbXD2dK@?LqoPz6Q0uKv%;s@!S2=~ixE*HaFOhy4A>pr-~i3Ih==QD5Tn0&kw2)lYPRD@b)+w_3!St-|OU$x?1TK zymJt(BlDCm;xerL>Q)hWenbOWs6Mt<4#^#g?xv3+$JEzAdb1Cq;WhDdV+2fMtpSiW zca6XADKlibKxtJ@`B{U>sApfY19>K<#>b@by2MCWGi7uceD>QI$Wsm8Fu(o4NKL4h z>vxX_5{mULujn1jzUDT!QFfH%SUDf*mM`Ky98QO*jPO;MW3h`G&nvK_ZzX6d`0;Dx z0#tHAslmXDH=4~a(;x0vI8EaTNXaJk+Fyd(q7g?fk&|Wu$^p2nS}wn{*kP8@9o*H| zN1Dc@miRd!_9{QS)kHv`_*B>)c06w>grsribU3%xcjQgJewGL|v8Wins@%;U&ap_H zBirRv=$Putl=_}hP=p3lz<~l5R$msWLLeHYzq{L5l?OP;C$=d5K#;m%Po5Y)o2ODQ zyN^Na*1K(#WK0a_76q^rAF7NZ{7(1{I>CM`jqwJ+$;p)Wdly+@I4*KR{spY$Nm#wB z1iZJL38SpScF1}Xp?8_5$ewxt@yB;Vo`ZK_8K zmyM_@D+9^xhn*ySV2Zky3lZ1IeeK@!g)@KgF;_E6rl{y^$b*%$k(jSZdxy~Df6+$x zE|XTh??9@STf*HLJ9{X>Bki7|;!d^R7kiexdY)zYKUwVwBX++N&4K5#*RkyKT+?K2 z9^^`N@7ZrN`}T8{p6WrHx)`$Ev^#kVcGhbzl(GC4BGDCg1Ry_^nD;N2ksyRPys<7Z z8&miNa~kQTTdBc-onr3 zk|}@ve73}Zrd{40Jel;IMqjRYLg*YB5`ufaTXw!6^6ki7gt1D&?V?ySo=Qz;a8nuy z$r&c2+Ixo+q4xdW;GA+zRRAa%MrCvJB<%GtZc@E3S=S=}<&K!Qv82%(z)<}pDJn8Q zMa+MG_qOiW$U{l0(h1(Zj#5|C+LFyUv{|C%b*K;O3ggB->XZa0oa+#S!&|5fN_GW!CdA@m` zx#EjLi-SPv! z(9-_kg7rQ(T3G}WBNWnJP9B?Vyp7&3$?o+Egh2Rk&i6VQW*u)D(@Ls@HCwgpwp6NF zZBWR%DzSNZ+*UVGda`{>n(Tjff3MJMEX<7e3=ma_(tm4PEi?U5o4&iGp(SrqNB!!- zPf<}T2%x@XwiVu%yYQsc0SM!+)GMHU8$8~Rr{!*qaZP*{dq{5eF?bIc=ht(%ILq!; zq)Hgg+gCFl3hjj0VhXg@d1ww=TQQh7KGnzWMg2nBMSb9qEDWIppCONTV$3~uMY)1! 
z=|IN#wSgZcm>5faJGY#ycGyI5LHtTJ|FMj*Z7I8wO}mz1%2n?<(Zj4)T!m`}I9x80 ze`TdcHWvC;{*T5{A7YX!0;opb!O|EV9GlkQH)>7*$K#D|=3WAk?=K+oJ)uHjxEmOt zwHhnLOBZcZ14w&~i-5RRBHmnDh%?s9JQE(Q(mopX%R@IM-QQ;?Tlr5Yo7Su zMBd*s;QKOL^(pIjqH*D@cZfi!r~GFOZ%*>{wDnF_jfLwL#pMSQ{QyO{5!e6j zbopfFB)?N17zi4IK??Bb`VIa+@yQ)8qv`I-ULe8BZ2EIL#MwOg(8>L9B$M}Pe{@Hs zMO&`nkawmDdD?d#1Tfxk^4j{VKYt9|f)}xN`kQXnG3r^R#j*YudR9^a!xL+`-bhHP z*hysUVJlJh8Ff!puzBhiS8Rt@-?iPz*6HZGIyUq0E(sZ8oBvi)uwl|p4yx~E$;iq8 z=ah;wzYbnaz_VNd77KKHhbAg&CQxfWv>HO7y8JP(!|6TNH2Y@^5P78ph0tP8dsyL> z^H+Ee5#i~n=ubRWkhC&hxF|V7#{`hy>^0-D!HDLB+cU}~4YW=wUrQGGS_IimF9o&c(VRa?-fey3UykTQ>aEU7l z_*VucnAFCAsRT%4jhkJF1P+M3_~KkEMXyW3IUD%5Hs5#ro&p;`Fxl;r!vCKleBKyy3Lp}Rg{7VxK2XbMj`hWfhfCf`*L zjU~L5uOMUlUuTon?`$|h>RL-DZdCfk6^eMqJ54zl-dE~bF>9)#FbZoM=ek-dh ziC&W5N63(Dr;Qe)Ja`GRmFq2{V)cEF9%jWCpnBiYr3U8`<0Q+U%%BE;ONGm~17S%c zBnUlPElN8}$;eKT2(y1$d!VmFL0H^LhveiiSG&8PDLI{w{8yd|29xmS(?9@dln*-I z7oH@+#{38#+4`Ks`-_~dR64)>JI;kNM}TYAH5>WyAoag#FteY!&FjSBiKw$67P*|B z7Qd7}|Fo;^!KTin5`Q=413?C3!sheKkz|46ufjeNo@2I>oL2y_SgszLcjBmm-E*>^ zm49DVTrfSMfy}+ix$ZmutWA{YSb#34<&`waF&WE%WR~r#YTBwvgq|7 zBe7U$m9RqWSK89?fA+JdrQhbmfJ^+j<MU}p9p-60geUlRF)`jM;{oCq>@ zENhiQ6Y?9HM~4f5(CkBs_;81JDcm#%aG}7-%qwKnFlMqqr$9#K%#yFnb^aSVv+s6Nv z3!)qArh8g|XQ{j;WKD6CBr-xFYEHhq|3XakEgCnUb z5SKgwBz1_}vXWC2+OgS*7j%z>fl6FI!s>e}u$~v2Tu_jlP}mQMEyqkRo2E_wf(Ftd zX$Ff2om7Lyte*cKn8iSqiNlwoK-(?o9@o?JkHX&51U z#vvc@2Pcjz5`k&AmIE00Uj*ITb6^KfSc<=sdK|-1*EHEgDFUi;Ui?omI}X^eStp1? 
zC=D{}dAofR)w8<*ggN_f7KYH>q9czdey#Qgym=oei_I1Tr08;%J?rv7gIHe% z;DAzJ0E%)mSCXDGQKPx8lPAcIV75cq2x%sZ0lwj4o@@5gPpIA$LcxzKcY*t>`0`$~ zwUN^Fn|{WGr!zTVy@<nR6BJrSVCI(259=4N{5}LFTCTNmVxGac9o}4q;Z&xfR?O)c8-<;9BVxr zRO+FAdo&DS$iX_wtIv0MQxMggIeN&)XD{f)B*h>|D^l-{Iaw4l1kp|*<2vwz)nbQV zksn=k90`Q`WwL@afhjb*F^urrvp}${y)))ZBQK&_kO#I5F;WFgUu!R8J3|1&I97JO znxq<~>GRpUBFLyB8ny*oECV)a(e=RP9^=omiAtt|s%5b(p#Dpe>(iD_;j`l$YsmO% zc+U8X>XK8Op*}e{Q1qUZbENGY&JNg2KePb@QT!VA04Z!SAE}-8fDf31LrgM2nr{0m%) z*aNSn*bE|aTadWKqZ~fRd!Ihzu)zN)GG|FdOm2A%Q zzC?uiGrNY1xzQF-$HPjw$O$PII76PH8%p+M;u4knoBs$&UY_nNUU-;K%{A@`2; zYE!ETq&ib2v~+|)r}5s0L}K%Jn%DfydUCHt&@J+QGynAZA^R__YT=_O@JB}CLu3uS zo2KmzD+B_G9Fp!V4&p`^qsVnX``uWaX13zo^b;T-ohZNuQo+2hRH_S8UCo%7LMJ8~ z{rgsy;eBNJ63<|dB$rE9<*erNPoyR!X$D}>mcaLPE@P_A{5zAQFBE<93+>17cm#@%|~0jLjvlm z!lr5PN2W5uO(7wv)@rWvLE|qqGU$@{Cb=c!*bvz!fy ze9>6+GD`5vUjT%h;FlP2EO?K8c=EF+6i6N}1hr=<;#rf9agp-#J_J*maI{E-5>NH# zkRNeB0i$kqld}|d6<<>1iLgQKzyK5K%?RPc)|rD9_L}V}$WpfE{Uxp%?vmG3Y_Epl z&5mbeL`}`(o4|+HPgrqqT$nU1q#cTk(8J7~v{4n1{U-A*JIF`z#T+6M_-OuuJsj8{ zz0droyPPey&O{&bAMxN<8px)))R?m9( zYD(Lxxs3u1(nKcp8Vv6W(*NRAl(Vh+wKItBWw6HB&0(cTN3UOz8E zTJlGlB|sV`pgM>@7x7I!Z_m^vREVeR{;cdA+)-vS2YJB$Q!aMU_t7 zZ*uO-Td8$sn@Csr#vyUtqUF;qMdHm;!sH8);#5`#;pl+xpAS}z=vswum=?EPg-&8^ zun_ZjxZ0oWn-3n8hwDdo5mN*&g0TQ8=dE8r`Reb73~eL0RkX#wHO#V%^y6&Z$m|%3 z&l6}&zW)gXJlPjSA}d@Mzqi|aR384UD||#jDwiccGo;r3{FzBp$DX9S? 
zjJv^Pw({`#7NmOC+v@TK(OZTm9j>{hzzP2T#FRjt_wgrvQ1T6&V=XSG<92DRl7$Am zc`1}Vc*Ne{bEfWiJrf=rODA8_ zBFbLCW-AQ%iKZ&u|DPIjDRlknB13JwCBp|5S4#INwMdAiw_&RS^&*(3Z*3KO7L*8N{c!d4POjUsG5ALCX~ zV=ZjpirP~-_hplV8DFBQHTs>+9}61Xp%g_i9h4SRqmhN}%J~km{Pm#MrTO-?0r~DB z5Z3?X^@=R@$6m7w)ok+ktvRlf2*;m2&M!28G8itf3@@Xh_46V zx1hAr4|6}x6_zhnG7H%LYo+9fM%*#)9)0g;U-2DeLsNYdXtVjBxHa&vZ#@=OX50EF zdD8R5z2DcqUrjA7!AIVnjHvC5{Hd5OCPs$VP-9bb*QUHR5_cqI+0d8zbR!BOCCNB{%2(tAK11!H_p>&?kk!UFumol4+evFDWJ zk3o*7g;yKbV4zoN5_lW0@i~{{q=e(RozC$&7uYT_J3heka7Z5wa_1BXm&Q5%E{v`( z*iQJ1W zitP%s3H_;4!|f6q-7W)BNy(ko?UFJZZPJRzIq=pq0|-@K6jWRsLiK0=VMyFP509gb z1%Wf3t3Fx}hmA$&HaZBMs(t)|HD1G4w6(;wzFoXZ;T>Ty-=hd&>OA%I1~J9hKiCI) z%Z73W@tI>i9>Og5ANz^EflQQW#NzY_(Ycn;1@d4^KQLH6Qol{8ob)C;7d(?^oruVPQU+gYQ~NQe0TYp$}c$@7ZOeIl$kO9=g)|^ zuBIbu0i0ZFKT#RT*@>?>$&@wW82gTGX2$b)< zoK6H~vxSTzQ4W(n8lPJO8g+ZtSe#TVy#f*+5mPM(bZqR-9RB$f9n)slidD;w41tlo zSWYlFdvUckBt08`h7(0O=}S$?;x*3yAu%|jn#BSSuOPbAXo7HUFyZHShY7pIAj+${ z@0Ft?<`5_8tT9MwBa{2^pxsSw7PdQwaRo@HOLk?A~t5ph;Z`KHLC(t~2zr1_;Gr~6(As>vw%FZF) zL5G;p9$#C(P`u37SNL`g>ktKEHn>Smlh# z&LUEjOh}rrOOAKaq)mTpG*OY^l<9lrpC&T4EZ~>r^`anUBHOmU?6EK}kXVKzhFn|v z!ljp7N47utb!0;`Qm=}bdXt@t8t-3to_V&e%~ISxG_@Cd86w5b`}Zp-=v>vAM6Dp$2 zaje#H(RJ-uzb2YIUH|=%CcQGjgcR%ad(3B`45TK?sSFPlr;u^cY?sdW*wuK@Hh2bu zE1@DD6fXAHK;s=(v7r%9I{3AuaaXP-P`y8`2wk`>5CwY*L{(}=GaQbMVBJsFjf%~Q zMz3xj%2^&-S>|>qY`o0<)AlXXmKN>~6(sn$-oyCL3{{ZEjBNn9V%I0trE+P`33;qC ztRo>tkXU%vZKl~o&J2_1G)YzW#^7e;^s&imBbOsdldRg!4Ly&X)GJS#h=<)&;Wpgy zR}sVnVWzzhBzb5BrEm4l)4A*yobM2R$&e4PT|2E-bSA7U%puRoT@kFBzE2FxZWO<- z9til+p|mm7uf9o2U)uXIBu%Y}`k8%TF%D$b;?C&Ld}}Ftjk1xKZ~bGjli^v24%mtA za-DxY$#ZcSEQxNUPQ!Vk^IBB}cPo`h5XXjUIW64l%`98rQgorDpbzqBt&d?-^A)p? ze2*Xn+DNZD#M$SR$-`&SB%YUpH<)bPGD~lEy?Ob`b6S|?&+pA|1 z8H8yK_B11lplj%3oXZ` z9>($zc_dlKi4HbL=(8Q+-DER%GAUvfv0cJ=ali8wOijtiW6{{dZHRjER$En!#jRF! 
z`PX-!JzQQ48}4ejuFA1Q$7JnmCc5<=MNQM6S<&cU&jLLn2R`j2zX~(D$<~`R_QB{A z^+jOJP4>-&8Z3WExJ(RzQ9o4@Drip2pJXGS{SyWo`ZCghI_=3lRD4t||?0R>bYb7~OWQ=U?JJ`Yz4%d4maz7P~r~j?$dE~N#^up6t zQZmw@C&3`?NJ2r(Y_Zrdw~#OG-P;Keg+qO&F7^0oPdpI4flrQct1fKk$=?Q*8iv)4 zm%^Xp)qsH8YkEb=X1#G;Bk0?A!>V(d?%e)GeZjtg$!1Iv?g=rO@@B{^zhv`7VtWP= zhSka1ZZD!w(dVavToD-l_a)IN4V+(C+B=B~I6P9ICNigKH#qw6$9*D+O`84opyg7C z;hRk(hX@XbXa_cerU`v*Jbr(mxx5tPLlPTK(MLaL$~0&Cd}l*4Qb;uR-4@sNZ&YQ;+YXIpZH;{miD@n2LHhh&OGZv&QW#Vt+pLY5Bt=gcFox z(vqoNa{!GjeYQQ#-2)YAA8IQ^N~Fo9kRkM2e;-avUjpHDqBw|5Iq~C-gf)7|RTyaQ z32mSj4#e1nwwSm~UWAj){)0hzzg`@eUx#L?NW!q@t-!tHDDe^Gt?nu3sduDfe~z;XWqn9c zr@gr=9KNoug;elZs$qzuYJwBg`)nBDYjyK9IhJc7cXW_^BPio*o}4U}GalRt3V~Ny z9_d|xiTpJN%uj}b{Olp>`5_OjUI)!}(i9IIg868w9UHZ;zg|W}C2Uz$*?z_WyDUmj zBjW5rT`rdQ;!$+jc`S{hiUjH%S zfK70+J^+VUU$mgJw{!O1Ly~&sD~NvN356>Tgzh4`R;my>a2%_f`QQEM+S zrGWMm^s@HFOBXEAUkDubzZL0a?e2NfJ07rv<`goyAw~W3)h1CUDGf%nGWro z_0;;?@{u;Nxy`c4p993@!>BqsYq?O%HNhM9kG}oiVw98ieiv%pNV&j%s@ZWtGnqTS9}`m(<9JqE1yJg)7Y-mJ^x>As~xj@V|A*DmE95+JhB^!o3#)2%CfP=JYcpK<|RlmG58~m zYdwv0eg<1q)DX#ne9&Ra$9`AD>9{%-|c<^uOGsEyurXeHbCHPe^)O?~GihibH@uNhem}J2yi5&42_NjT9J~^3hoy`k+RzCS*ckQ(8 zYd|VI`E{h;6Caec;Jb39Rpz1H_oN{esQU>ieYg$RGX{Hq$qsWwCeICg{26WEm>>y% zsxM~$K&yh@SVpZwiHD7Pp}t4U0SQD0b#OR?W_Z}^Wogo%ha0!ei$y*^oXRp)ITD8< zY0;tg-k2)~>8S2e)(AjMQn}Y&d>f8)o-?%7neGhrJAs5w5I1k8()Mvqe2*`_t)5{V z(a?W-5$$N-a2yq~(+B2R}yDe^_pF3~US^b%nKteK1X+F@&JBT|l=3_FQ`4^t(G890JfEcvMJLZv5e-w#Q+6#7F2uW>Srk1je#_yIER?+( zwsnp8Q}OM>99g~&2CvHWtBpF(c;Y*P499+f_`TiJpJe7B>4a9^ zBP>Q$^WoXC8BcRFRir3aRxUt1YUI-)oS-I&aY4A3(VbI=*x9St>Fo}E7RIQMST zPK==rd9++9d0PD<|Ml1>uHp&3(rFk9!VwzcM%YjNY%i`XNB+k{ljCal6EC%tDSI;) zOsF9{sDVQG)U7M)%1g~UT?o6}4nWS?5&q1Z)_EPO%rO2)#q9duw7Dutdg`M7!HE{IBvTWMj#Yvqw~K~o>QSpHtS zR!YIOt4}ygU^Up(QT#=&na1RI*syW;0g>BBJq1g*5aQ3cG!U4YtY1NeiY*Rbk%9Ny zO@sDGm-4CcR@0c1#m8R;vq(_aY=>i{3zz7Tw@wLl8yO=ngO9Bp!^$^7pAfG1PHt~r z?$F=UpC(lX-8JP_!L>OP1cV*ztm32gp`mp(A+@8)avxSJjh6gdBsOY@GXA;c#oSgx zLS^nFF_*#$eP-p1N5|GK0Y+|y$d+r~%M^U86x!cZ7xgyf1PrNrIE6nya4itMhm;Pr 
z+;p-7?NbSE{Id9yy&nFVD!X!k z1YB@5R>XFe`iAj^&sNIoqMx|x4>fG+u&jjCbd>xtJDeW$$|aL@DHKuA-#ylJoxn@g z2k)ow#MNE#!((&1J#Oo%IL?(HthW?f=&_|wlOq9dhA24y6ufXxztpN^N!Br}VyRO6 zTE?KR_O&2|+cn{v&}uwZ&PfV7aj|#Ty0U%{-*NtlY(4vyKkdu3{1v&&(u&GHY5^S z;hSA#^I}ms4i(Y#OsQt3N8+E=I!Edrbxy8Rc9z26j?WSKP3UIFJHZhj4WryG6Td4j zH2hzCU;S3q)`bfj5TqoOQt9sQMnJktQfZ`9nk^P3(j7{7N!LbExd)-FlI9zD?o1z@Ox@1s)aKgZ`r|0#qIi)bK2QJ&*N*r~+M{svDGt zJ~~!+#G{P*1cI*QJi7m~S_SE+MbD7$Wb_DBU*XBgijbskCNIJdYJlqjLq_%?c;z&W z&&lWguCHQ^XNv5%5q(aTuzpGUho5|iBmy(JM~d7G7v7#89ZaHq`CG33HvU1$W9P2E zNYtD+cfjdaHj%!>^L(*%@%zW3hj<^hpX~gL{4)`jJ!?u}?=BSX>x>boBT_2m)t0Bi z6{$m6wA`+Jon-`(sRtB{H#c#;Z!*Onff%L|9U^3$W$O8%gAP1BE&V8EDFmQQY`=UO zwiLAeeYO9BS{^ir?8JA`$O91I>fnHee#2Umo4txQtoP7b4+z+FQ@Lu(v@Rk*?D_bW z5iCImmnQtkiS+YDf3&{&@}_#YEUydya@k~Wqw@it`gMi_7X^+uj1Q`!eXej>z3DQu zH01Q3u{U`-^HbUb1jy>|XPmu$O_!6L3#QW_qx*E)Wd zGg+7_T5q1FvvIb&X3wY4H|%#vqx|#iZh!km+uRIa!ERiaDVLt?hR)6yV;QGnO3ce= z^@}BJJH+rMz}GRRV)8p%ZoaVV<(a$j6thR7BHO(RV+n}9Vm{eTHdtNcA-j`Q8hTkYY(u2Jqjp#eWkd`E* z4iK{GBbtKd&6wZD#p~`-BX_97;aUI!K*ey>TWq1_J8V!8%yAVu#xg3C1cA5HJT-+! 
z$td;8EIOnA<>|}%8QQ78N25&iUnH(&jsVR?hhKPpx9l#bq~Qy_if0>vGYc^=jQ)0O z)p<3pt+>S#1?~?|!f}4nx_z4P63dlke*(RI=rgp*gS~^u3K4}6U03uk{vc)7i~H+} z9;EAo2QvD*r;bC4~Y zd51@&_MFd?rxf_M#Ax@{uR_#CCSkM#PsA`SBewkyJ)f$-&h3|tU;BX~>_S3xz^Ql?yaeRk1S=Po!OzFSsYCgM5 zNpY)iG$nwgnl2RZq`h(fWbWDBJvkncAHV8a$yIj;Uzxnc?=-~RyuB>ADN$mDkFh3 zV%~(bKG*kH=-SS!?jkry*x-Zijl77H8vYVzdn-$m98i8+xmhyg^fxF@CCMmPboy59 zN)gu|YV>>ww&#~~>TuRiL(MXhv~fjx?tc6FAA;dmt-H-fF7*0^KUF`d`~0|lS_W(w zYwco?v}`sy|ELe<31P0A!?f{=G#K8w`tlIDg6c*C;+k-0XX%hICiCvVmwz8g;2RO} z9asuHG9r!64PL=C6PFNRl^Vb*XRf51q;Aa)hS9+75Z&F8N_s5Zs9b7!(d6uQq~Aaq zyTc7~x}i**vv*}pCPkP!Dy3!<#_6V0#m++mN9$LVGZeQEo<;Hd&8~b|xjzD1CJsXG zv+-?89ym>YirEvdMgVr6Ga@$61*(E^+}(#wBEu7-O@0#ZyUZLbG>UrCT5+$pdZ`+D zhGXEQ*jp}zn4-o#WXEN>S=$z1xFpukfI{qc#VJnf5;ZApB}BT>Vg&bwOpOh@`4z@nF`ogPbyijd}5HG9hFS!Qo1R#f*FrO%Hnel!`p zu$E4c!@G9Cpxiir?alU<&bYtZ^BYl&gw?{AZ=|Q0GdaF2S4NlaE2z&Lk>hlqshX+Z zJZY8?ahbv~!(y6k_3dAdou{)2En80y;@3#SezN-kBR-*dyd<1uo(0VKVO0@^OQs2F zFHLMqA(P&XA*rUqLY1NxE8nWb9TAjhshhMq^~pEB8I~vQc|HKplaO~_G|R~~&yyRf z_ebPOAFqF}Y2_R{pb@$eCieYT-a8?jo`2pT884l&BX6#7835py@F&`%HLx9%(|(h7 z^Em&UD);I_zbAt}jbreFxFIp}*7?83YuEm}A5iy#(8$Z!raM+kljjxdC815MT0HmsS>GX>+4+39s{HE4*C zAq`SuvhKjtIGa518fvfaS^lQ86ru0hC3wsA#3XzXuL~9%+jotkskRD_Wu6fbf&;Q>5E~iB0#( zIFd=Fhm@80?dto9up>qa_OB3N z;?bkIZPXXYeQ-=AW8Xi0a^BX{_Ge>cPBE4xlkx1=Sj(<)J2vJkB_rv7yxiSe;DE-_ zbM=#I4dQSfzf#kzJSbIEu){>Z>O?c2CleYbC_(Ku#0lzIaP%*-Y@mJ4cVXox}1T(za z`?`_j&Q+nI*WN9l7;>c4B**)}ZkR{-&mXUqu^gI88L2;e>^wjn8cZJIlUL7n6VIbB zrw~haH<}>Ka-}7AjBg@?$$MC-+%GwMr;m?2WGK2O&M@Of-F{0yx5&$sJ zYN6A2UqGd%+8Q#EgKQ}g-^+E<1a=L)i7P{P7|6x@mSVk}9Yv6EzE-^|a|F zfc~0^7!ur9bnV3qXjV0p1rD!ehBSJKLh#L#un~}t@2>bNz}Ca>ysoOd?;g{fWqINi%^4yS6zdh z^)?Z)V%+W@o-q4f#jTXV#aBqX7Ps*IRJ3q2E`*Ekt`ucX1Xrf&=XWO?b!-cN9&Ek! 
zig!D^r{2s__w-`v!>uHc*YRJySn@5W^w0ARlI8#7GI1fTY_n63*7t3j+Zpka_|`1- z0=V{REB7X@wBB)xeNSp3Lb)~EP`p=0BKjsxUOy3%z?TKh|E;%NwE02f#Ya!|m|C35 z14qu$C_YX^!zljfl_OrT3GJ_=8mYR`zr-!XM4*Xu?Vem8yfU4u;Itc}HvG=TSv*rI zs?%%hn;KD;gvTA0%n*}rmQ2R%Ye;K*Tooxh;i79JDOGDEa!w6Q)H{+^^M7H%X#qBJt`1msg9&guoZ+TPv9 zcXxE3+Z0MDDqMUt9Q&0-v5f zn(8LNo8-cNy%deODkd?t+V^_vt59;5>FaFS_!?c68wiqdX-?hK(C|zo7T^hkHjlz22umx>54!B%Sd65^@ zCYBPPhW4qe#~3+)2N22v`BG|V8~HzpVJfWVYso^!;#NFijSTKkyL1&1w{yh7h|T_v zwQ*PcqQlDvQN=CXdE?!_$9I3Z{e4C;e`Av5yAZL$D;ZIPLyHAE^c75S6$^8ifthdR z!;9M5@XpuC0>6J`nTi9*ymMsAet?7f#Xq*3hD>WuM7PD_JCZa0ngX5?lRhG1S^0c1m^@*8EJX!IlCNKTTh3(nC)vWr54IC-eaGy%yqJh0 zn(N0ty676YieS_B&os9cyyK?6$F(?lNcb1jh_`uRfC^-YleY6=Na~(7?_Q3zT7Bi@ z_!jOS{s2D`i9lEgeqMj4dt9yMqPCqLK^_ByZ&S~%H;(IB3Vuz)Q?y&tV`OFLatQ{$ zJ1>~bWG7WBDeZHt>uJFcNQ6p?4D0UCXT7EDmc_zCaWj!`)RQp;4QKpWuAs}8LS4A)6aXDp}n~PRwYJL@rbE{Q8Owmpu!{}ec~BBQxGtd zE7ihiowqo`6-F32?#MW3w{tsNj4)9SG&LSeCp0)oKKY5gmVPj=Vcr^G8JI}wd7~ne zM%Yigzf)XJz<5XX-#{F-UmgV1j0%&p-mmD~RG`w)t3`Mm2XcxGOA+d%VBS0Q1?@S5 zh3*Qq^)v15Dy^8eRy|t)15Lk4E+>H><4wIUPtD*Q8SgVOiaZ{Y#MEHiouPJOwd{6O z0lJrU4cz{kz<|dvdjnOHQPTk=bgd|Hc4X}ZHm9T-(4Rx5q9Ci_FB`Ys&B2a4<o|iqT&JcJAq&y5&Eeb3nAi2bNj+@0;Ri^j zs%+_X>0VY9ehTJ&q)hb-01Nwej>)d_s}@40wI_W&sdKze_3m4YN4`eF4X`V>Mu}5y z;mvKKo#Gtey;7YM#p3tkzO9Vklj|tP+l$%}2>hq)T-Hm#hHnP)6$pw@RcB!#11FP9 zK7W`&jXvP<*h?*+X9$V%QcTW4oP4uO0rd$xZCMrn^MSnNXl|aeQ$6n*u9c;Z>SX>3W#_NKoJ*+W9TN z$?=H<$cWHaXcZImlmAS!#Z~%7-JP=`{DUR370t>pRT&ZzaP6S>A2?oax{+Yy1Tjr( zt$U|SC8n_ER0-r?5?=Nq{oz=T@|^|vQzbCCUU zEB@hc-eN^&i8-oSec-1Gz!fxYb+bUYRnFFmL%q5ihZ>Z0uZo_`<8`V+?9)fD1VPt* zuzD^)6`RX`rbOGHIj!Wf+R5qfeMhieokP6j&7+?6xS@CD>sl=oGJ33Z2sY-A!{G2O!MSTEkbgV zGv8-Yp(4B>v3d-3vAfi$AdOtKaZ;@6yo)JzXq{K$_r2pLPzF%Vo=>guI<8?(W`7C$ z{e}NX#Bg{A9bhOj6GT#2>oZ+5v0Fn;*az%~V&b!zOP1}m8&_Vi0-wLtph%jTztdaI z=$}we-O^j0az~~_wmtlwkKUBar_6uQCLA89-0C0mZ||;x_MXV&^Dg^sVQ6s?zCrnM zRk@&b!r+^Hcl}x0E6v8#-6K*DtH&8EEnxequd?qwiaU()`FfthE?aiCZF#4eWyExT zLx$WN7&lBE(X!0i(lZV0v`~C2-Hft{ZnwgTk(x1otm7W(zOLcWG{1}3zL@)tB&QF( 
zu%m`a!Wac0?{7K@7O*xiyOtqNDi>#1MX0S8y!Iczdy~71GeKic6sGRjYmaIc&7&;zc)c%3< z_6&KPFq|!9xk6#xzJM>&-Vw`2TB6Tkz2I8#VQGiopGXumnwQkp$ViX6SBV2ozdOlf(^23C+&CYhkgi)@WjlTTuNJ5RJSspa5d<{(~eaED>W^Y9BorRks zx3hL!vvY?_v%%sdws3Hc9x44dz}X527>D$VI4UE>HHr+aKVihV2%x3w{E!%GB3L6yK=M1RsOM2`l$~92XnmyY>ehmbW-l` zOJT5}9_1J@x0-H{sMEXvJ{mWp(sH)!rD#l_wy%}SH{9<1LDpZL9AS4rv-90`S%ao! zqA@2k0`vXL>zGxqASE)HcoDAU?{E0!l621{DNbZa1Yf7Tpta8$Nkm7*ZR^iS;?xH zH)8%bP|+jlNd& zHyZa=(YZ_K!~AW%Ba#Pqk0MA?ovv?)^e3Kg1CQd0g618|~ni~CPjKq-$^err(epW%YFD59O*w2U=DIZpX=sZzgV!}pzn z?T9YbJk3+!M#U|mS|?qHsn8*T-t<=YMYXF>Mpz&3GClT_dqglpaZglhD*Ou7%~&)k z0T`VH_&USfJq71QJ-6n`JC#e=NqmrArFLa59loYiJ|s@~a!nFok&`F86@q8HQX(6l zdW@l<;m8OYj+!=uSIqvhO$ulE>TS;bpHWVEg_Xgc{QlWv_VETtpT4q1)FKvl8ngEG zJAd*NmAs!;Xtx+kxH0zz6v7wgK3a^u39uwgdRN-M+e8Y`#6d$BO%3 zu$Q_wA_Y5(8p+TsoC(aOsVvpXG9uOryYqHCUk?n#3--Gh{kljSEb=Q6Uw-Ng--i5< zUi|1BbH(UY;wZC&(Fb#wKgvkaC&%_!SCa>eB&nJjSELh?IX+9Cm23P!AsMlqXXR4e zp&HZB0Z57=6MlNlPXKV5#x_4r58Z#dIIpbJ89*zwkM@op?x2*AInnuQu#$&b7h`Ql zsTseG>A)G)@@EUIXH8#cegSxMH`WWn8wcBLoA2NYathi#hUth9he&*31Ax~Bi7svn z9n&SvmHtufgWA)Ch1-(n&vJD4Taa>CG0aY0@hYYGx{%ax9*FV!qU7iHgMuaftK6ES z>Zb{XkV*5<8q7oT#8Ts2My-V(pUK{dU?Z(iiBsjMut3N<9%7`$SSQh3x8f^ zaDLv_bT8`|ir;3x%lWdefAk0yi0jSDIR4t4FIu`7dPfBeUPy_1L*Y1uK}v>i z!Z++sGOV_ecL3^o1|SBI=iP;)uA$-pjX8;`b0{vbS-TFhDS!xL?~+vgBWbw{@1P~o zK~U?xt|9?{LFKc=Tpk7d1cUFvKb5I;)EEv!;$gBjW!p|R1CCYgcavv;SIs;jjz|iK z0NRG4qb)pexXkiQTIO|loAveqf3P8rc={Iz9j{Q&1&Y1&k)>D#a0K1O#wK6#m%+L>|)RwzEtW|1pX>U{IrUDNgSaN8?afozbC}{qb%NSDD?#3;#RM2NM zOuYhz1 z*CW40o;5@oroFh%pWm?R-Yfc`>C%bgTN-wBDaFea8xR-`OTcOkmW$IoPa};hiSlFV z9D93zXa?=PlwSfN5er$q%RRUvcH+gs6S-w)ITAjsV8DfcBojcp$<80!2)wgii;{xJ z#%RoL`+mJ5#>CjGl;%gh)@PR1dO1a90yz9&0!0segG$YEtMF3ZlW~7s*E`vUSx;(Dw?=%h*flP*r9BK+pUL zfCgS$eY&V2y7s<&DARPM2$5U_3WVTpf2*G6I*vLZb|Z!uW-zhehWLz!Z_F#I6>VAk zHRGPS=T3~2cgqn%P0)Y`0ZiSn2vAsODY~OlF_eqLI1v;1yUp;s8QDYtd9)=eb!s0-^$n)jTtc56Tdj z!6Cn2ze=?|9jODS*`6Ys$x#EcKrEMj8WSK~ms6V#K7kn^=0MLtb8(4Qd;yJ|oZIOf z=aF21%;r*C3{4Ltl5Pq^^o=oUt5M^MDsOa0=EFh^%Z{;7<1ObuIH7M0+_ 
zg5cgy4+=z|fVjQ&<+LWNv{}3L_?6L7cSyOj>LLl;p_Y88jiGfylQJ)fYZ> zg8*4V>u*iaV0ugmij2?btvInTrajrN!os}gVJ$5&ge#GQQ+6xQepwrzNbrMJ_%7h%B*R=~;lM(#b0`5wKT|G9!vGfM5C}>nEUha3HUJGQPSLRGGpFmUZH!2% zCc7=y<)i!n#9?w_Xq)9U6L3Fo`Osvk0s=}PJvP2Nob@9zBo*|R zJ!Lw?1u?pNQYqMay(O1%ib7cOyvmaY=a~h{PF6=3mA|3AVPY5EcYz$s&C}eeL5ICf=sq_&;-&jB%N7dKelLD!uVMRL{Dxxn+YNCii z>;h{)pExC;t~Ww%=dl{$eF7L05M>E9aT^-+nnt?+T&C4V{}Uaz$Pe%qKYvxQxa~@l zQ$q*KQ=F%co8P!%3W0$?S7ef0I$p6?>lySNZp*l#|H}%t2}9Z=m0CT{5Y9rLet{hso}`+dNf4L+KB6t7 zzUVpuBFsyS6lue&ubdZDs-z^6-p)^)Vp=*IOD@wx*^~qHP0RQ%81) zEFf$MMdECsKARmE2yg$^y#2+FyqmP#xWv}ZYf*^XAB}|wM79-toCsuiv00i$Qx=R4 zNJL5}&oB5MOr>0WA@7$KLHkiVxtr@HEBo9%`-wOk^o(wXnOJ(&3q_jyIR>{*$dj~z zwMVNFzn4FlPF)U-L^e}xeK;!%yn=MB5kO_b{Rggs5(eaf_L#bq2T{>OZzul%lfb(N z*^7_=r`-ww28WqBze&KzpoZpI&Kt*KXI#V;$CR^$Ebj7MGYYvnq?l=^DtgU!DPWvY z?g#Q(D@}(fl5z1^@A}&SRNx~>$vK~}BhxyZ!)K|~*(2}1A^;?)d0tngVX=TQoKiWH zsZp)n?R_CTd4bYe!6V2$JHL0Bs{W~3?%p@7@#gaPF3Im9l?61N_<=?Tj!)i6&cY#H zS>6}-LXeltl;Yx+Dok?j(v)adCQft<#2J*ELGM1Gl3_#k({6V3dT-3{DM4Jxk=!;Q z)K!$+zitL_LE3fxX@lcr#VKx%8|Md@m62+JMkVJ6kAlQ$;7Iu0w&yJmbYrWZ8pWT* z-``@ywvR;YWacRTh-vE;d0KQB6lowrBc2d}4%ly@dWW$96+4{ednN4+ty}BMk;wOS zNvt^@Lst27(YNcdSpStx0({yU14iEqm@PwxSY zNq-Yn0sKFBQwq_^UD4{prfK6iXkP*oRr;iNAI%yc(w@)Zn{ zy;qXo_3DMjU_r_6PV%g7MQS8J&Wwg6DGWVhnS=vzcrRWaM=lSCk}WD7C_Jrd$IuMV zV+CYmx?Ow@B*=TflM=$jcA!wze72IBkd!2XkNF)r*`Hq^PG3;TFpwk+D}G z&55wx{<^FK)})FxX;K|jK&j<(&vj?Xb9X=ay>HsD?7J!6U(j`!E!rj^TRos4A5d5M2F>d zeYQ$P`LESj;3&KI!@J0~(-^JVK{3nk9q$$#m51sQ1AMbH*C{jxGE;meDQeW>FssPY zwD(YR88c<5Um#AnjKU-l2CB8)4596vL;L<25u{(zJkEl4pcm0zBxabW@$_e# zx>kN?h?E$+=si5Nk8nS3BS$NW*4>-TNXG0fRh8dNKHh!*L!P?Z7I7T_EfNxt)$|$I zSxmn)l&uIbx%^_WUXGMoUQgN^;LXdhpW7hpQ^IGB`ZD=ue@*ly|xNvN7t40-%TknOt6*M3vJs7*f-Gf~c?WWrL-&|CQIqB^ax! 
z5a)4mXz%Xsz)cOByTGvmvkE+}ZE|D>YWhVAZSMj;Lcs8mG;OwjiK!Jdyu%Yxyl45w zhCD;ustr}qX=0lxyeKJJMP+rc zWD#6u1~RYAA7XVpiTE@QQRyS42yt0XN_itO@GG>424sKEePcpt1^E@6*$ySFL`8mx z0wep}J|WGq&w4F}(|`FUg$LoF-PX~vvk1^MUZ3UE6sD+hH~}RJrS8|?MP65B4X}1> z$WdO`A6_Rh=-TrElbPmV_F9-M4iR@- zJwT>cLFs3?wn@aZ>SZan8H3S7#g|yG6JJFo_8juM0tRtlBCRJe`S#I{e*|EL114Gn z&IFy?Z|^0RN*Ss>JT#8^8|LN0YRLN+1%$@NGMKY1lJ9rt+XjrZA&TQpx-i8 z;V||0AU4+Rw-;Y21(j0IvD~!5egnn8DWL_J;#!27%AWC2a8cmA16n3}^(Yw3m&3_u z_$+jGkNju#eaOf`m=jz-K~4AiZT>w`2@*}5x5B7eurZ#rPRjyOOqcuE ze4w_9>(y&YuRqOw3_G({%!OicEIn|D6{0nKDV3kPOaz7*FZh0UT{sM%Yz=#&Qvd)N zPW5letG+mVon>69XiEjyBevFunRfXg-O7uhvfqH?@zhs(m&LZ@5hcEb$V5%zpaONA&uwVj|JI}EdAZOD$AyXtlh82!@UdN1Xk)o-1g$Q-m6 zPZ3zK*{B_XgmeqFs5>RI2T(V;>iwRS)CTM&^}_k!1oo)~o|$i!vjC*3hzUz4hS(m3pX`svH=b&dRZw)s@Vgx9?4byNd5a@8yaG&t49VN?puv zByJ{0e9c>u=!}tJeL6x-Xor%V6DXi^*R(?lCn--9^*oUv>kDTo;I; z({2`wc3&OdF@DRk-FZI1$;32<@!oiPacdBi)z9@g5Fi79)*O;8>Y`6K%dECtRyXWy zbg1~(nQra^MUdJfg0-334J5deS4vG%U^{w(spq$zDv!4FQ)a5*v!dK$QeHeO4s-!3 zdj9F7GAX5V`e_z>9*Lm4rQv^hxb2~CAw>=WZ-6Uq{uIpHZ~s^eUjUQ~fkFEQhoFGH zdm77%DMMpU#^E&5_c(fpll)?T5s2c?tF`ma#z9~p~!a}61S_tBkc%)KNyj9Ap9MIjrm=Q*b@BJ=1OwD_l zHYt#4IxbKHi5hI{s#h?=wtxM;gIPudanyRY*T$tuQ$yiy=?T;J$XfW~-pJLV#~@nw z(qxGb7#SV@ofbyLE+|C_&<>K?l^QN4NHP3S3P6{e?_bry zrz}?uKxt)R_WHme6c!RAVVkrV{3?xZseUiJmd?MQt@9E- z1>-MOnT5WofCtv$tza}F+KYs=KH(T}Ub#22W@}%GG&Apw97+iGK+_v)ocqwX0xpvk zE)OyIkZEXkKcvH}uh!cALB0JN4f$%c-qwCWG@qumncb1Za5uCcaYRO>f({xc<8d3a{)TqccdQ~<+5R)1RTtMqY51x0I*s6*;-I6 zh-$b=RFhECg4WKrU|bndNf{G9BP0G2=((s%%CQRFr({#s(GSTOV4K>IU2Lgz>!PL2 zMmJ@RWo8$cMH386-*p}z%*3ZXMd1P%u)mz`$Qb%&kG&s;Ssv}?MOH}%n9%f7@ohZ; z^KsOKxwOR^QyCv?*o4SU>VQ{TeL#H)Lob}D>$F<}{^H@-BRS?>h|?N_e{WV?FCJ>q zh-^~k;hLhX;sTw;9Tk*m{oPB*5HEmR~X>HZVHNa?GZdoL2dcVpjzz}{8ig>ZL-3B%|)Sd8ZXHRQqoPv!powu zyMNa~&d2t(ku-Ut6uKhdO4JKWs96tC90d(ObQ_L@8Pl#|GfkfrdKX40YTNkDmQ0w;CtxB24t#>hAX;{Pq#8r{hw{w!XulzQjCZur* zMN5TFdw>T%4I4|8SvJw%{);i%8MoFwIk`^Ul;vmp2Y-S4z^qe~HEX{oIcOiwp)VkP z5(vXZA+SrOGcF{ddO0lOYKwLZ0z=Dit_8kzE&+pw=+;@KF~^v2pGL*|0#pU&(s#2R 
z;J5>&18!~JJ>({pvu8Z6WOCGfy*vd|gLboU&qa!ZOEvo$==^;==Gy>c2u-~_zejoMnXt*i)y>6NKqyB_Ad^dAftQ=yx#MGv%v{pGDPLIo z3ggm6+j4fp_i+@?w!c0vFE(-eAe&HsX4=-w3s!R*c$fL>ld@Ri`sqL}@_MS+Bf$xVx zIW1>d0}5(kMj{7ZVK$Rwl@8`)@y;QD@>RN}0KN2D*kO|g6C2Rpf$W7P^FG&yb>K7` zN%?x{GyGyOj$@D1HsmJt#ne&(q&mzD+}3xDO-{4rHpgoLpxL4li;2Yc2}l3C-R7F6 ziuMuckcSzv9J%z2iKL~-^m$HQsFnz9p`Mie@woB{9NV8cq(VxK13?^es;4SkVHI^&>*}#;bZ7Z)wDMkTzUVXRD)+u`KYp}s_@=P|G|V5o>xIZMHev>f zbBN1iQn%Z)^bsr7*L?CY>q|eo^+RrdR6cL-B(WTU^DKtYB9a2%)M}N6XS)i!U&DtA z5XeL~1>6|yeM{b%J_~{}X570kV0rE*Fi~xcw9;gxG4Eqgdb&hb;&@f&eXRI;Z*%)kY6O@m zy*_yb0EW15@;?Hj6lHqg_56Lp!}=wzO30M`V@b+8$Pk)Y=8o-`NHs@;Dmfh*WW6L- zs6777-0x!aR!(mj$k1IO1I~Mo&!W9Or{)glMBt1Qci<8y{2}dP+mM1`s;;*DclHv! z$*^Vl*J$zNs?sRL8Z_FztxpxT4nB+OxHVrcR{9!w9BG^t_8POA6I@6xK}}ONUlQ7M`DL(Bb zv%UaiAhm6!e-689>S=od@5cp!rPFGM#p7=4nYfQ?x^*n_fjTXykBbWoFOI=`?4~0f zVEj<>0XQs1EA#@lRM+IiDgO~^UD(@)%-ZB`0D=7q>^t)oGz@Bs5=O;i6K}j}8Po^`tOiy*x>wG;= za7Fz|5Hby5IZubq4**sb2A`ZAi4Mit)*>%52|Ih!)j^E!lM>ef0Mr_A!tUsF%6m@l#TOmxG)IW9AbsxBxyk-%`RsObG~@uan0)!2oMQ zlE~06&jd`cd>}f)J|tLw2rjRe!R{lJ(c`M|mJ zIHf9}25d@<;(#=v^T!zoTCTuBJU1g+piCF=sqUi35dhcq2T#4!G^~ zb`924-$VaxPjCPj0-_;GD$#N9@W+CTm#a4dqU5z2lx0J5W*(sd|wd)0t}vRxo6WvzmoYX zBrIQ&9_TqU~BtEdWo{&bcY$+&br2%v=Q(@UuZ~6rm6*V;o2)VG@4c1t27@QuUIo|_1D+M@i z@9)7Ven`uGc&`r*TY^I`T0M6`;)@nfp|Q?3k*EW6g) z*%AoQV6@@lSb7yquS&}L@_TSvOe4s94#Xe`o)QTeQW>Vj@v$CTui{-fPo2SFg#3o927|bCsRa#CCPrm1Z3L7yP0_htH~9v%BIy8f91~*+KCYF zp|Gy{ggu%#M!qL&Mh{mt{1}v$VzzPM;Zz`CK)lv+l^|DveWZWJz>?1GENr?r&Xct@*!Dj&sp;XaCZWH2`Z6C}0TUZ55OMPYb9+W0`MT~unHWf+* z*EETM-yOJxprIFzm#YKHx%*a*%Vr+axE5Z^I2d^0LfKq9%H=MZ>I9uVxFSA80*4l>onlpRUfu!+u-Gb8+=GVV@{6Y%e@Aro{Pp+Vs~87(3wq;y*|4?mKX+vi@~War2B~hs*XY_&8y3D0~9^6*C-p=5-Aj zLDGm_WQk1P&?D`GIifw$A!lIKBjw*@2nr7hwE zjPJhGh$|Yc>>5vH5RldbZKpm90%yRx24uq@Cst9za{(U5z_P%{6@ZZ0c!=TYUa6{y zR!^`^UXo9Uh&zX{Hg)*;_CmR}t1QKklT4$u&{Z4!B~nD zZdd>NXcxQ=Wa3|iOaJDDz^*v~y9Ry&-v2%YJ`Y$WBm!ON%60#I3jX>3mieDFZ;a$W z+x%|}-FSxo9MXS&^CrIh7lr-{mN!Yof2qfRiQG-n`Cq>IPxgN9f97VZuZ45xc{E*w 
z_ygqoQdW4>B)Xt5Nb*BcsLqLQe_Y$%%^ltTIpy7~<2f+V; zhEt;m`&3`(*hllvAIQaLeGsKK&#@bCKLP(JvU(}ZHxZY^r$^SD>QChCpnLv58G>J6XBa+Lr$e8-uSlr>{daL7@wym= ze~ArE5skaXU!b+Yd3~d$n_C*fKK<2Zz59;>fF{@} zOxl%($&s&BdHdYD0E%Bl26+Ekg^48WQ&O%3+P_!fiYQgAUrYUewH^R_6F|YI7Kroj zRjfeX8B{yV{d=i*5vAPU(h!DBi=j}9f zvj6rW@wn^@7Wp`D{_P%=V4q$p7ysLbuv3||_h?d}{o6ex0#BA~fcw8!Cl@!70iG;R z66fEZj2n0|fm+J{*$QyRp}>=Aye0qlDy)Dfb8(jb-{t}_jTow9L07AzSa$vc0sJQ? Mt^A}|(&Y930rJQD-T(jq literal 0 HcmV?d00001 diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.lock b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.lock new file mode 100644 index 0000000..16911ad --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.lock @@ -0,0 +1,12 @@ +dependencies: +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 8.7.3 +- name: redis + repository: https://charts.bitnami.com/bitnami + version: 10.6.3 +- name: rabbitmq + repository: https://charts.bitnami.com/bitnami + version: 6.25.0 +digest: sha256:cc7282a82d8640100139cde2dd6d9ef646662e4987adeb04c1a23276023ac3ce +generated: "2020-04-09T21:52:55.377842+03:00" diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.yaml new file mode 100644 index 0000000..383d11e --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/requirements.yaml 
@@ -0,0 +1,13 @@
+dependencies:
+- name: postgresql
+ version: 8.7.3
+ repository: https://charts.bitnami.com/bitnami
+ condition: postgresql.enabled
+- name: redis
+ version: 10.6.3
+ repository: https://charts.bitnami.com/bitnami
+ condition: redis.enabled
+- name: rabbitmq
+ version: 6.25.0
+ repository: https://charts.bitnami.com/bitnami
+ condition: rabbitmq.enabled
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/NOTES.txt b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/NOTES.txt
new file mode 100644
index 0000000..c072287
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/NOTES.txt
@@ -0,0 +1,13 @@
+The Pipelines Dashboard can be accessed via URL:
+
+{{- if (and .Values.pipelines.www.ingress.enabled .Values.pipelines.www.ingress.tls) }}
+{{- range .Values.pipelines.www.ingress.hosts }}
+ https://{{ . }}
+{{- end }}
+{{- else if .Values.pipelines.www.ingress.enabled }}
+{{- range .Values.pipelines.www.ingress.hosts }}
+ http://{{ . }}
+{{- end }}
+{{- else }}
+ {{ .Values.pipelines.www.externalUrl }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/_helpers.tpl b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/_helpers.tpl
new file mode 100644
index 0000000..2d70eaa
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/_helpers.tpl
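Review bot: The three subcharts in requirements.yaml are pinned by version number only, against the remote index at `https://charts.bitnami.com/bitnami`, and nothing in the file records how the archives themselves are checked. As far as I know the `digest` in requirements.lock is computed over the dependency list rather than over the chart archives, so it catches drift between the two files but not an archive that was republished or altered. I would fetch the dependencies with provenance checking, for example `helm dependency build --verify`, and say so in a comment at the top of the file, e.g. `# Subcharts are fetched with provenance verification; do not bump a version without re-verifying.`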
@@ -0,0 +1,116 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pipelines.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "pipelines.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+The services name
+*/}}
+{{- define "pipelines.services.name" -}}
+{{- $name := .Release.Name | trunc 29 -}}
+{{- printf "%s-%s-services" $name .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The api name
+*/}}
+{{- define "pipelines.api.name" -}}
+{{- $name := .Release.Name | trunc 29 -}}
+{{- printf "%s-%s-api" $name .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The www name
+*/}}
+{{- define "pipelines.www.name" -}}
+{{- $name := .Release.Name | trunc 29 -}}
+{{- printf "%s-%s-www" $name .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The msg name
+*/}}
+{{- define "pipelines.msg.name" -}}
+{{- $name := .Release.Name | trunc 29 -}}
+{{- printf "%s-%s-msg" $name .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The vault name
+*/}}
+{{- define "pipelines.vault.name" -}}
+{{- $name := .Release.Name | trunc 29 -}}
+{{- printf "%s-%s-vault" $name .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "pipelines.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{ default (include "pipelines.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+{{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pipelines.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "pipelines.labels" -}}
+helm.sh/chart: {{ include "pipelines.chart" . }}
+{{ include "pipelines.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "pipelines.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "pipelines.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Set grcp url
+*/}}
+{{- define "pipelines.grpc.url" -}}
+{{- if (hasPrefix "https://" .Values.pipelines.jfrogUrl) }}
+{{- printf "%s" (tpl .Values.pipelines.jfrogUrl . ) | replace "https://" "" }}
+{{- else if (hasPrefix "http://" .Values.pipelines.jfrogUrl) }}
+{{- printf "%s" (tpl .Values.pipelines.jfrogUrl . ) | replace "http://" "" }}
+{{- else }}
+{{- printf "%s" (tpl .Values.pipelines.jfrogUrl . ) }}
+{{- end }}
+{{- end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-ingress.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-ingress.yaml
new file mode 100644
index 0000000..3eb5e87
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-ingress.yaml
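Review bot: In `pipelines.grpc.url` the `hasPrefix` tests read the raw `.Values.pipelines.jfrogUrl`, while the emitted value is the `tpl`-rendered one, so a templated jfrogUrl that only renders to an `https://` URL falls through to the last branch and keeps its scheme. `replace` also removes every occurrence of the scheme string, not just the leading one. Rendering once and trimming the prefix covers both cases: `{{- tpl .Values.pipelines.jfrogUrl . | trimPrefix "https://" | trimPrefix "http://" -}}`. The helper comment "Set grcp url" has a typo and does not say what is returned; I would write "Return jfrogUrl with its http(s) scheme removed" and note there that removing the scheme also discards whether the endpoint was declared as TLS, which the consumer (not visible in this hunk) then has to decide some other way.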
@@ -0,0 +1,40 @@
+{{- if .Values.pipelines.api.ingress.enabled -}}
+{{- $fullName := include "pipelines.api.name" . -}}
+{{- $ingressPath := .Values.pipelines.api.ingress.path -}}
+{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }}
+apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.api.name" . }}
+ {{- with .Values.pipelines.api.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.pipelines.api.ingress.tls }}
+ tls:
+ {{- range .Values.pipelines.api.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.pipelines.api.ingress.hosts }}
+ - host: {{ . | quote }}
+ http:
+ paths:
+ - path: {{ $ingressPath }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: api
+ {{- end }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-service.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-service.yaml
new file mode 100644
index 0000000..761fcd7
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/api-service.yaml
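Review bot: When `.Values.pipelines.api.ingress.tls` is empty the `tls:` block in api-ingress.yaml is skipped but the Ingress is still rendered, so the API is published over plain HTTP unless TLS is terminated somewhere this template does not show. Nothing in the file tells the person filling in values that this is the result. I would put a template comment above the `{{- if .Values.pipelines.api.ingress.tls }}` line, e.g. `{{- /* With no tls entries this Ingress serves the API over HTTP; credentials sent to it are not protected in transit. */}}`. Separately, `secretName: {{ .secretName }}` and `path: {{ $ingressPath }}` are emitted unquoted while the host entries use `| quote`; `secretName: {{ .secretName | quote }}` would keep the values consistent and avoid YAML retyping of unusual inputs.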
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "pipelines.api.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.api.name" . }}
+{{- if .Values.pipelines.api.service.annotations }}
+ annotations:
+ {{- range $key, $value := .Values.pipelines.api.service.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+spec:
+ type: {{ .Values.pipelines.api.service.type }}
+{{- if .Values.pipelines.api.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.pipelines.api.service.loadBalancerIP }}
+ {{- end }}
+{{- if .Values.pipelines.api.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml .Values.pipelines.api.service.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+ ports:
+ - port: {{ .Values.pipelines.api.service.port }}
+{{- if eq .Values.pipelines.api.service.type "NodePort" }}
+ nodePort: 30000
+{{- end }}
+ targetPort: 30000
+ protocol: TCP
+ name: api
+ selector:
+ {{- include "pipelines.selectorLabels" . | nindent 4 }}
+ component: {{ include "pipelines.services.name" . }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-aws.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-aws.yaml
new file mode 100644
index 0000000..53bf663
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-aws.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.buildPlane.dynamic.provider.aws.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-config-aws
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+data:
+ provider: aws
+ accountId: {{ default "userId" .Values.buildPlane.dynamic.customer.accountId | quote }}
+ nodePoolName: {{ default .Values.buildPlane.dynamic.provider.aws.nodePoolName .Values.buildPlane.dynamic.customer.nodePoolName | quote }}
+ nodelimit: {{ default .Values.buildPlane.dynamic.provider.aws.nodelimit .Values.buildPlane.dynamic.customer.nodelimit | quote }}
+ setAsDefault: '"true"'
+ instanceType: {{ .Values.buildPlane.dynamic.provider.aws.instanceType | quote }}
+ securityGroupId: {{ .Values.buildPlane.dynamic.provider.aws.securityGroupId | quote }}
+ subnetId: {{ .Values.buildPlane.dynamic.provider.aws.subnetId | quote }}
+ keyPairName: {{ .Values.buildPlane.dynamic.provider.aws.keyPairName | quote }}
+ vpcId: {{ .Values.buildPlane.dynamic.provider.aws.vpcId | quote }}
+ region: {{ .Values.buildPlane.dynamic.provider.aws.region | quote }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-k8s.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-k8s.yaml
new file mode 100644
index 0000000..f1ceb59
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-config-k8s.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.buildPlane.dynamic.provider.k8s.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-config-k8s
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+data:
+ provider: k8s
+ accountId: {{ default "userId" .Values.buildPlane.dynamic.customer.accountId | quote }}
+ nodePoolName: {{ default .Values.buildPlane.dynamic.provider.k8s.nodePoolName .Values.buildPlane.dynamic.customer.nodePoolName | quote }}
+ nodelimit: {{ default .Values.buildPlane.dynamic.provider.k8s.nodelimit .Values.buildPlane.dynamic.customer.nodelimit | quote }}
+ setAsDefault: '"true"'
+ cpu: {{ .Values.buildPlane.dynamic.provider.k8s.cpu | quote }}
+ memory: {{ .Values.buildPlane.dynamic.provider.k8s.memory | quote }}
+ namespace: {{ .Values.buildPlane.dynamic.provider.k8s.namespace | quote }}
+ labels: {{ .Values.buildPlane.dynamic.provider.k8s.labels | quote }}
+ storageClass: {{ .Values.buildPlane.dynamic.provider.k8s.storageClass | quote }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-aws.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-aws.yaml
new file mode 100644
index 0000000..c8c1400
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-aws.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.buildPlane.dynamic.provider.aws.enabled ( not .Values.buildPlane.dynamic.provider.aws.existingSecret ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-creds-aws
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+type: Opaque
+data:
+ accessKey: {{ .Values.buildPlane.dynamic.provider.aws.accessKey | b64enc | quote }}
+ secretKey: {{ .Values.buildPlane.dynamic.provider.aws.secretKey | b64enc | quote }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-k8s.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-k8s.yaml
new file mode 100644
index 0000000..530ee08
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/buildplane-secret-k8s.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.buildPlane.dynamic.provider.k8s.enabled ( not .Values.buildPlane.dynamic.provider.k8s.existingSecret ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-creds-k8s
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+type: Opaque
+data:
+ kubeconfig: {{ .Values.buildPlane.dynamic.provider.k8s.kubeconfig | quote }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/database-secret.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/database-secret.yaml
new file mode 100644
index 0000000..dd05594
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/database-secret.yaml
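Review bot: In buildplane-secret-k8s.yaml the `kubeconfig` key is written under `data:` with only `| quote`, while buildplane-secret-aws.yaml passes both of its keys through `b64enc`. Values under `data:` must be base64, so a plain kubeconfig supplied in values would be rejected by the API server; if the caller is instead expected to pre-encode it, nothing in the template says so. Either encode here, `kubeconfig: {{ .Values.buildPlane.dynamic.provider.k8s.kubeconfig | b64enc | quote }}`, or add a comment above the key stating that the value must already be base64.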
@@ -0,0 +1,20 @@
+{{- if and (not .Values.global.postgresql.existingSecret) (not .Values.postgresql.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "pipelines.fullname" . }}-database
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- if .Values.postgresql.enabled }}
+ postgresql-password: {{ .Values.postgresql.postgresqlPassword | b64enc | quote }}
+ postgresql-url: {{ (printf "postgres://%s:%s@%s-postgresql:%v/%s?sslmode=disable" .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword .Release.Name .Values.postgresql.service.port .Values.postgresql.postgresqlDatabase) | b64enc }}
+{{- else if and (not .Values.postgresql.enabled) (.Values.global.postgresql.ssl) }}
+ postgresql-password: {{ tpl .Values.global.postgresql.password . | b64enc | quote }}
+ postgresql-url: {{ tpl (printf "postgres://%s:%s@%v:%v/%s?sslmode=require" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . | b64enc }}
+{{- else }}
+ postgresql-password: {{ tpl .Values.global.postgresql.password . | b64enc | quote }}
+ postgresql-url: {{ tpl (printf "postgres://%s:%s@%v:%v/%s?sslmode=disable" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/filebeat-config.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/filebeat-config.yaml
new file mode 100644
index 0000000..cffc4a9
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/filebeat-config.yaml
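Review bot: In database-secret.yaml the user name and password are dropped into `postgresql-url` with a bare `printf`, so a password containing `@`, `/`, `:` or `?` yields a malformed or differently parsed connection URL; each credential should be percent-encoded before formatting (for example with `urlquery`). The bundled-PostgreSQL branch and the final `else` branch also hard-code `sslmode=disable`, which sends credentials and queries unencrypted; for an external database `require` would be the safer default, with `disable` as the explicit opt-out. A short comment above the three branches saying when each applies would help, since the `else if` repeats `not .Values.postgresql.enabled`, which the first branch has already established.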
@@ -0,0 +1,11 @@
+{{- if .Values.filebeat.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "pipelines.fullname" . }}-filebeat-config
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+data:
+ filebeat.yml: |
+{{ tpl .Values.filebeat.filebeatYml . | indent 4 }}
+{{- end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-configmaps.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-configmaps.yaml
new file mode 100644
index 0000000..6b8a4ce
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-configmaps.yaml
@@ -0,0 +1,10 @@
+{{ if .Values.pipelines.configMaps }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "pipelines.fullname" . }}-configmaps
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+data:
+{{ tpl .Values.pipelines.configMaps . | nindent 2 }}
+{{ end -}}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-hpa.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-hpa.yaml
new file mode 100644
index 0000000..90b1f4e
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-hpa.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.pipelines.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "pipelines.services.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: StatefulSet
+ name: {{ include "pipelines.services.name" . }}
+ minReplicas: {{ .Values.pipelines.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.pipelines.autoscaling.maxReplicas }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.pipelines.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-role.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-role.yaml
new file mode 100644
index 0000000..a03a4be
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-role.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "pipelines.fullname" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+rules:
+{{ toYaml .Values.pipelines.rbac.role.rules }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-rolebinding.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-rolebinding.yaml
new file mode 100644
index 0000000..19b36d9
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-rolebinding.yaml
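Review bot: pipelines-role.yaml creates a `ClusterRole` whose rules come entirely from `.Values.pipelines.rbac.role.rules`, and pipelines-rolebinding.yaml binds it cluster-wide to the release's service account, whereas the Vault templates later in this patch use a namespaced `Role` and `RoleBinding`. The rule values are not part of these hunks, so whether cluster scope is actually needed cannot be judged here; if the services only touch objects in the release namespace, `kind: Role` and `kind: RoleBinding` would keep the grant least-privilege. A comment above `rules:` naming the resources that require cluster scope would let a reviewer check that. Both RBAC objects are gated on `.Values.rbac.create`, while service-account.yaml creates the account unconditionally.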
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "pipelines.fullname" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "pipelines.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: {{ include "pipelines.fullname" . }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-service-headless.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-service-headless.yaml
new file mode 100644
index 0000000..fcd2f51
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-service-headless.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "pipelines.services.name" . }}-headless
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - port: {{ .Values.pipelines.api.service.port }}
+ targetPort: 30000
+ protocol: TCP
+ name: api
+ - port: {{ .Values.pipelines.www.service.port }}
+ targetPort: 30001
+ protocol: TCP
+ name: www
+ selector:
+ {{- include "pipelines.selectorLabels" . | nindent 4 }}
+ component: {{ include "pipelines.services.name" . }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-statefulset.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-statefulset.yaml
new file mode 100644
index 0000000..baca7f2
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-statefulset.yaml
@@ -0,0 +1,468 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ include "pipelines.services.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+spec:
+ serviceName: {{ include "pipelines.services.name" . }}-headless
+{{- if not .Values.pipelines.autoscaling.enabled }}
+ replicas: {{ .Values.pipelines.replicaCount }}
+{{- end }}
+ updateStrategy:
+ type: {{ .Values.pipelines.updateStrategy }}
+ selector:
+ matchLabels:
+ {{- include "pipelines.selectorLabels" . | nindent 6 }}
+ component: {{ include "pipelines.services.name" . }}
+ template:
+ metadata:
+ labels:
+ {{- include "pipelines.selectorLabels" . | nindent 8 }}
+ component: {{ include "pipelines.services.name" . }}
+ annotations:
+ checksum/systemyaml: {{ include (print $.Template.BasePath "/pipelines-system-yaml.yaml") . | sha256sum }}
+ checksum/secretdb: {{ include (print $.Template.BasePath "/database-secret.yaml") . | sha256sum }}
+ checksum/secretaws: {{ include (print $.Template.BasePath "/buildplane-secret-aws.yaml") . | sha256sum }}
+ checksum/configaws: {{ include (print $.Template.BasePath "/buildplane-config-aws.yaml") . | sha256sum }}
+ checksum/secretk8s: {{ include (print $.Template.BasePath "/buildplane-secret-k8s.yaml") . | sha256sum }}
+ checksum/configk8s: {{ include (print $.Template.BasePath "/buildplane-config-k8s.yaml") . | sha256sum }}
+ checksum/configfilebeat: {{ include (print $.Template.BasePath "/filebeat-config.yaml") . | sha256sum }}
+ spec:
+ serviceAccountName: {{ include "pipelines.fullname" . }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets }}
+ {{- end }}
+ initContainers:
+ {{- with .Values.pipelines.customInitContainersBegin }}
+ {{- tpl . $ | nindent 8 }}
+ {{- end }}
+ - name: copy-system-yaml
+ image: "{{ .Values.initContainer.image }}"
+ imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
+ resources:
+{{ toYaml .Values.initContainers.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ command:
+ - '/bin/sh'
+ - '-c'
+ - >
+ echo "Copy system.yaml to {{ .Values.pipelines.mountPath }}";
+ cp -fv /tmp/etc/system.yaml {{ .Values.pipelines.mountPath }}/system.yaml;
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: systemyaml
+ mountPath: "/tmp/etc/system.yaml"
+ subPath: system.yaml
+ - name: wait-for-vault
+ image: "{{ .Values.initContainer.image }}"
+ imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
+ resources:
+{{ toYaml .Values.initContainers.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ command:
+ - 'sh'
+ - '-c'
+ - >
+ echo "Waiting for Vault to come up...";
+ {{- if .Values.vault.enabled }}
+ until nc -z -w 2 {{ include "pipelines.vault.name" . }} {{ .Values.vault.service.port }} && echo Vault ok; do
+ {{- else }}
+ until nc -z -w 2 {{ tpl .Values.global.vault.host . }} {{ .Values.global.vault.port }} && echo Vault ok; do
+ {{- end }}
+ sleep 2;
+ done;
+ - name: pipelines-installer
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.pipelinesInit.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }}
+ resources:
+{{ toYaml .Values.initContainers.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 0
+ env:
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.global.vault.existingSecret | default (printf "%s" "root-vault-secret") }}
+ key: token
+ {{- if .Values.vault.enabled }}
+ - name: PIPELINES_SHARED_DB_CONNECTIONSTRING
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.global.postgresql.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "database") }}
+ key: postgresql-url
+ {{- end }}
+ - name: PIPELINES_NODE_ID
+ valueFrom:
+ fieldRef:
+ fieldPath: "metadata.name"
+ command:
+ - 'sh'
+ - '-c'
+ - >
+ {{- if .Values.rabbitmq.enabled }}
+ echo "Waiting for RabbitMQ to come up...";
+ until nc -z -w 2 {{ .Release.Name }}-rabbitmq {{ .Values.rabbitmq.service.port }} && echo rabbitmq ok; do
+ sleep 2;
+ done;
+ {{- end }}
+ {{- if .Values.redis.enabled }}
+ echo "Waiting for Redis to come up...";
+ until nc -z -w 2 {{ .Release.Name }}-redis-master {{ .Values.redis.redisPort }} && echo redis ok; do
+ sleep 2;
+ done;
+ {{- end }}
+ sleep 20;
+ ./pipelines-k8s;
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ {{- if .Values.buildPlane.dynamic.provider.aws.enabled }}
+ - name: buildplane-creds-aws
+ mountPath: {{ .Values.pipelines.mountPath }}/buildplane-creds
+ readOnly: true
+ - name: buildplane-config-aws
+ mountPath: {{ .Values.pipelines.mountPath }}/buildplane-config
+ readOnly: true
+ {{- end }}
+ {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }}
+ - name: buildplane-creds-k8s
+ mountPath: {{ .Values.pipelines.mountPath }}/buildplane-creds
+ readOnly: true
+ - name: buildplane-config-k8s
+ mountPath: {{ .Values.pipelines.mountPath }}/buildplane-config
+ readOnly: true
+ {{- end }}
+ {{- with .Values.pipelines.customInitContainers }}
+ {{- tpl . $ | nindent 8 }}
+ {{- end }}
+ containers:
+ {{- if .Values.filebeat.enabled }}
+ - name: {{ .Values.filebeat.name }}
+ image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}"
+ imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }}
+ args:
+ - "-e"
+ - "-E"
+ - "http.enabled=true"
+ securityContext:
+ runAsUser: 0
+ resources:
+ {{ toYaml .Values.filebeat.resources | nindent 12 }}
+ volumeMounts:
+ - name: filebeat-config
+ mountPath: /usr/share/filebeat/filebeat.yml
+ readOnly: true
+ subPath: filebeat.yml
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ {{- end }}
+ - name: router
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.router.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }}
+ env:
+ {{- if not .Values.router.routerConfiguration }}
+ - name: JF_ROUTER_SERVICEREGISTRY_URL
+ value: "{{ tpl .Values.pipelines.jfrogUrl . }}/access"
+ {{- end }}
+ - name: JF_ROUTER_SERVICEREGISTRY_GRPCADDRESS
+ value: "{{ include "pipelines.grpc.url" . }}"
+ - name: JF_ROUTER_ENTRYPOINTS_INTERNALPORT
+ value: "{{ .Values.pipelines.router.internalPort }}"
+ - name: JF_ROUTER_ENTRYPOINTS_EXTERNALPORT
+ value: "{{ .Values.pipelines.router.externalPort }}"
+ - name: JF_ROUTER_LOGGING_ROUTER_LOGLEVEL
+ value: "DEBUG"
+ - name: JF_SHARED_NODE_ID
+ valueFrom:
+ fieldRef:
+ fieldPath: "metadata.name"
+ - name: JF_SHARED_NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: "status.podIP"
+ - name: JF_SHARED_SECURITY_JOINKEY
+ value: "{{ .Values.pipelines.joinKey }}"
+ - name: JF_ROUTER_ENCRYPTSYSTEMCONFIG
+ value: "true"
+ ports:
+ - name: router
+ containerPort: {{ .Values.pipelines.router.internalPort }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ resources:
+ {{ toYaml .Values.pipelines.router.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.router.mountPath }}
+ - name: api
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.api.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.api.image.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 0
+ env:
+ - name: PIPELINES_NODE_ID
+ valueFrom:
+ fieldRef:
+ fieldPath: "metadata.name"
+ ports:
+ - name: api
+ containerPort: 30000
+
+ {{- if .Values.pipelines.api.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.pipelines.api.livenessProbe.path}}
+ port: {{ .Values.pipelines.api.livenessProbe.port}}
+ initialDelaySeconds: {{ .Values.pipelines.api.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.pipelines.api.livenessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.pipelines.api.livenessProbe.timeoutSeconds }}
+ failureThreshold: {{ .Values.pipelines.api.livenessProbe.failureThreshold }}
+ successThreshold: {{ .Values.pipelines.api.livenessProbe.successThreshold }}
+ {{- end }}
+ {{- if .Values.pipelines.api.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.pipelines.api.readinessProbe.path}}
+ port: {{ .Values.pipelines.api.readinessProbe.port}}
+ initialDelaySeconds: {{ .Values.pipelines.api.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.pipelines.api.readinessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.pipelines.api.readinessProbe.timeoutSeconds }}
+ failureThreshold: {{ .Values.pipelines.api.readinessProbe.failureThreshold }}
+ successThreshold: {{ .Values.pipelines.api.readinessProbe.successThreshold }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.pipelines.api.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ {{- with .Values.pipelines.customVolumeMounts }}
+{{ tpl . $ | nindent 10 }}
+ {{- end }}
+ - name: www
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.www.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.www.image.pullPolicy }}
+ ports:
+ - name: www
+ containerPort: 30001
+ {{- if .Values.pipelines.www.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.pipelines.www.livenessProbe.path}}
+ port: {{ .Values.pipelines.www.livenessProbe.port}}
+ initialDelaySeconds: {{ .Values.pipelines.www.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.pipelines.www.livenessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.pipelines.www.livenessProbe.timeoutSeconds }}
+ failureThreshold: {{ .Values.pipelines.www.livenessProbe.failureThreshold }}
+ successThreshold: {{ .Values.pipelines.www.livenessProbe.successThreshold }}
+ {{- end }}
+ {{- if .Values.pipelines.www.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.pipelines.www.readinessProbe.path}}
+ port: {{ .Values.pipelines.www.readinessProbe.port}}
+ initialDelaySeconds: {{ .Values.pipelines.www.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.pipelines.www.readinessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.pipelines.www.readinessProbe.timeoutSeconds }}
+ failureThreshold: {{ .Values.pipelines.www.readinessProbe.failureThreshold }}
+ successThreshold: {{ .Values.pipelines.www.readinessProbe.successThreshold }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.pipelines.www.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ {{- with .Values.pipelines.customVolumeMounts }}
+{{ tpl . $ | indent 10 }}
+ {{- end }}
+ - name: pipelinesync
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.pipelineSync.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.pipelineSync.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/pipelineSync
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 0
+ env:
+ - name: COMPONENT
+ value: pipelinesync
+ resources:
+ {{- toYaml .Values.pipelines.pipelineSync.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: runtrigger
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.runTrigger.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.runTrigger.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/runTrigger
+ env:
+ - name: COMPONENT
+ value: runtrigger
+ resources:
+ {{- toYaml .Values.pipelines.runTrigger.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: steptrigger
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.stepTrigger.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.stepTrigger.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/stepTrigger
+ env:
+ - name: COMPONENT
+ value: steptrigger
+ resources:
+ {{- toYaml .Values.pipelines.stepTrigger.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: cron
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.cron.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.cron.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/cron
+ env:
+ - name: COMPONENT
+ value: cron
+ resources:
+ {{- toYaml .Values.pipelines.cron.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: nexec
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.nexec.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.nexec.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/nexec
+ env:
+ - name: COMPONENT
+ value: nexec
+ resources:
+ {{- toYaml .Values.pipelines.nexec.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: hookhandler
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.hookHandler.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.hookHandler.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/hookHandler
+ env:
+ - name: COMPONENT
+ value: hookhandler
+ resources:
+ {{- toYaml .Values.pipelines.hookHandler.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: marshaller
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.marshaller.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.marshaller.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/marshaller
+ env:
+ - name: COMPONENT
+ value: marshaller
+ resources:
+ {{- toYaml .Values.pipelines.marshaller.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: logup
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.logup.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.logup.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/logup
+ env:
+ - name: COMPONENT
+ value: logup
+ resources:
+ {{- toYaml .Values.pipelines.logup.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ - name: extensionsync
+ image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.extensionSync.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}"
+ imagePullPolicy: {{ .Values.pipelines.extensionSync.image.pullPolicy }}
+ workingDir: /opt/jfrog/pipelines/app/micro/extensionSync
+ env:
+ - name: COMPONENT
+ value: extensionsync
+ resources:
+ {{- toYaml .Values.pipelines.extensionSync.resources | nindent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: jfrog-pipelines-logs
+ mountPath: {{ .Values.pipelines.logPath }}
+ {{- with .Values.pipelines.customSidecarContainers }}
+ {{ tpl . $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.pipelines.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.pipelines.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.pipelines.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.pipelines.customVolumes }}
+ {{ tpl . $ | nindent 6 }}
+ {{- end }}
+ - name: jfrog-pipelines-folder
+ emptyDir: {}
+ - name: jfrog-pipelines-logs
+ emptyDir: {}
+ - name: systemyaml
+ secret:
+ secretName: {{ .Values.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "system-yaml") }}
+ {{- if .Values.pipelines.configMaps }}
+ - name: pipelines-configmaps
+ configMap:
+ name: {{ include "pipelines.fullname" . }}-configmaps
+ {{- end }}
+ {{- if .Values.buildPlane.dynamic.provider.aws.enabled }}
+ - name: buildplane-creds-aws
+ secret:
+ secretName: {{ .Values.buildPlane.dynamic.provider.aws.existingSecret | default (printf "%s-dynamic-buildplane-creds-aws" (include "pipelines.fullname" .)) }}
+ - name: buildplane-config-aws
+ configMap:
+ name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-config-aws
+ {{- end }}
+ {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }}
+ - name: buildplane-creds-k8s
+ secret:
+ secretName: {{ .Values.buildPlane.dynamic.provider.k8s.existingSecret | default (printf "%s-dynamic-buildplane-creds-k8s" (include "pipelines.fullname" .)) }}
+ - name: buildplane-config-k8s
+ configMap:
+ name: {{ include "pipelines.fullname" . }}-dynamic-buildplane-config-k8s
+ {{- end }}
+ {{- if .Values.filebeat.enabled }}
+ - name: filebeat-config
+ configMap:
+ name: {{ include "pipelines.fullname" . }}-filebeat-config
+ {{- end }}
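Review bot: In pipelines-statefulset.yaml the router container gets `JF_SHARED_SECURITY_JOINKEY` as a literal `value: "{{ .Values.pipelines.joinKey }}"`, so the join key sits in the StatefulSet spec and is readable by anyone allowed to get the workload, unlike `VAULT_TOKEN` in the `pipelines-installer` init container, which uses `secretKeyRef`. The key should be stored in a Secret and referenced the same way; the fence shows the env entry, and the Secret template it points at would have to be added to the chart. Separately, all four probes set `periodSeconds` from `...timeoutSeconds`, which looks like a copy-paste slip for `...periodSeconds`, and the router log level is fixed at `"DEBUG"` rather than taken from values. `pipelines-installer`, `filebeat`, `api` and `pipelinesync` run with `runAsUser: 0`, and `filebeat` does so without `allowPrivilegeEscalation: false`; a comment on why root is needed would help, since the restricted SCC on OpenShift normally refuses it.

```yaml
        # … unchanged: router env entries up to JF_SHARED_NODE_IP …
        - name: JF_SHARED_SECURITY_JOINKEY
          valueFrom:
            secretKeyRef:
              # placeholder name and key: a Secret template holding
              # .Values.pipelines.joinKey has to be added alongside this change
              name: {{ include "pipelines.fullname" . }}-join-key
              key: join-key
        # … unchanged: JF_ROUTER_ENCRYPTSYSTEMCONFIG and the rest of the container …
```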
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-system-yaml.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-system-yaml.yaml
new file mode 100644
index 0000000..c7cf0fb
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/pipelines-system-yaml.yaml
@@ -0,0 +1,13 @@
+{{- if not .Values.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "pipelines.fullname" . }}-system-yaml
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+type: Opaque
+data:
+stringData:
+ system.yaml: |
+{{ tpl .Values.pipelines.systemYaml . | indent 4 }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-secret.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-secret.yaml
new file mode 100644
index 0000000..8acd655
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-secret.yaml
@@ -0,0 +1,12 @@
+{{- if and (not .Values.rabbitmq.rabbitmq.existingErlangSecret) (not .Values.rabbitmq.rabbitmq.existingPasswordSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "pipelines.fullname" . }}-rabbitmq-secret
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+type: Opaque
+data:
+ rabbitmq-erlang-cookie: {{ .Values.rabbitmq.rabbitmq.erlangCookie | b64enc | quote }}
+ rabbitmq-password: {{ .Values.rabbitmq.rabbitmq.password | b64enc | quote }}
+{{- end }}
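Review bot: pipelines-system-yaml.yaml leaves an empty `data:` key directly before `stringData:`; it renders as a null map and does no harm, but it reads like a leftover and should be dropped so the Secret has a single payload field. Because `system.yaml` is rendered through `tpl` from `.Values.pipelines.systemYaml` and presumably carries credentials, a header comment such as `{{/* Rendered system.yaml, stored as a Secret; skipped when .Values.existingSecret is set */}}` would document the contract the StatefulSet's `systemyaml` volume relies on.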
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-service-vm-int-lb.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-service-vm-int-lb.yaml
new file mode 100644
index 0000000..cfac58e
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/rabbitmq-service-vm-int-lb.yaml
@@ -0,0 +1,34 @@
+{{- if and (.Values.rabbitmq.serviceVmLb.enabled) (.Values.rabbitmq.serviceVmLb.loadBalancerIP) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "pipelines.name" . }}-rabbitmq-vm-int-lb
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: rabbitmq-vm-int-lb
+{{- if (.Values.rabbitmq.serviceVmLb.annotations) }}
+ annotations:
+ {{- range $key, $value := .Values.rabbitmq.serviceVmLb.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+spec:
+ type: LoadBalancer
+ loadBalancerIP: {{ .Values.rabbitmq.serviceVmLb.loadBalancerIP }}
+{{- if (.Values.rabbitmq.serviceVmLb.loadBalancerSourceRanges) }}
+ loadBalancerSourceRanges:
+{{ toYaml (.Values.rabbitmq.serviceVmLb.loadBalancerSourceRanges) | indent 4 }}
+{{- end }}
+ ports:
+ - name: stats
+ port: 15672
+ protocol: TCP
+ targetPort: stats
+ - name: amqp
+ port: 5672
+ protocol: TCP
+ targetPort: amqp
+ selector:
+ app: rabbitmq
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/service-account.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/service-account.yaml
new file mode 100644
index 0000000..bc238ce
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/service-account.yaml
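Review bot: rabbitmq-service-vm-int-lb.yaml publishes both the AMQP port 5672 and the management port 15672 through a `LoadBalancer`, and `loadBalancerSourceRanges` is applied only when the value happens to be set. The file name suggests an internal load balancer, but that depends on cloud-specific annotations supplied through values; with neither annotations nor source ranges the broker and its management interface may be reachable from outside the intended network. Making the ranges mandatory for this Service, for example `{{- $_ := required "rabbitmq.serviceVmLb.loadBalancerSourceRanges must be set" .Values.rabbitmq.serviceVmLb.loadBalancerSourceRanges }}`, or at least a header comment stating the expectation, would close that gap. The selector `app: rabbitmq` is tied to the subchart's labels and deserves a comment saying so.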
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "pipelines.fullname" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-configmaps.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-configmaps.yaml
new file mode 100644
index 0000000..a218385
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-configmaps.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.vault.enabled .Values.vault.configMaps }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "pipelines.vault.name" . }}-configmaps
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+data:
+{{ tpl .Values.vault.configMaps . | nindent 2 }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-role.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-role.yaml
new file mode 100644
index 0000000..67eb2be
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-role.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.vault.enabled .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "pipelines.vault.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.vault.name" . }}
+rules:
+{{ toYaml .Values.vault.rbac.role.rules }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-rolebinding.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-rolebinding.yaml
new file mode 100644
index 0000000..2942f50
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.vault.enabled .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "pipelines.vault.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.vault.name" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "pipelines.vault.name" . }}
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: {{ include "pipelines.vault.name" . }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-secret.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-secret.yaml
new file mode 100644
index 0000000..a457cf2
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-secret.yaml
@@ -0,0 +1,11 @@
+{{- if and (not .Values.global.vault.existingSecret) (not .Values.vault.enabled) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: root-vault-secret
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+type: Opaque
+data:
+ token: {{ tpl .Values.global.vault.token . | b64enc | quote }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service-headless.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service-headless.yaml
new file mode 100644
index 0000000..fa20564
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service-headless.yaml
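Review bot: In vault-secret.yaml the Secret name `root-vault-secret` is a fixed string rather than one derived from `pipelines.fullname`, so two releases in the same namespace would collide on it, and the token reaches the template through `.Values.global.vault.token`, which Helm keeps in the release record together with the rendered manifest. For real deployments `global.vault.existingSecret` should be the documented path, and the inline path should fail clearly when the value is missing: `token: {{ tpl (required "global.vault.token or global.vault.existingSecret is required" .Values.global.vault.token) . | b64enc | quote }}`. The consumers of the fixed name are outside this hunk, so a rename to a release-scoped name would have to be checked against them.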
@@ -0,0 +1,23 @@
+{{- if .Values.vault.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "pipelines.vault.name" . }}-headless
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.vault.name" . }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: http
+ port: {{ .Values.vault.service.port }}
+ targetPort: 30100
+ protocol: TCP
+ - name: server
+ port: 30101
+ protocol: TCP
+ selector:
+ {{- include "pipelines.selectorLabels" . | nindent 4 }}
+ component: {{ include "pipelines.vault.name" . }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service.yaml
new file mode 100644
index 0000000..48230da
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-service.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.vault.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "pipelines.vault.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.vault.name" . }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: {{ .Values.vault.service.port }}
+ targetPort: 30100
+ protocol: TCP
+ - name: server
+ port: 30101
+ protocol: TCP
+ selector:
+ {{- include "pipelines.selectorLabels" . | nindent 4 }}
+ component: {{ include "pipelines.vault.name" . }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-serviceaccount.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-serviceaccount.yaml
new file mode 100644
index 0000000..3e94454
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.vault.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "pipelines.vault.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.vault.name" . }}
+{{- end }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-statefulset.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-statefulset.yaml
new file mode 100644
index 0000000..a704627
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/vault-statefulset.yaml
@@ -0,0 +1,197 @@ +{{- if .Values.vault.enabled }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "pipelines.vault.name" . }} + labels: + {{- include "pipelines.labels" . | nindent 4 }} + component: {{ include "pipelines.vault.name" . }} +spec: + serviceName: {{ include "pipelines.vault.name" . }}-headless + replicas: 1 + updateStrategy: + type: {{ .Values.vault.updateStrategy }} + selector: + matchLabels: + {{- include "pipelines.selectorLabels" . | nindent 6 }} + component: {{ include "pipelines.vault.name" . }} + template: + metadata: + labels: + {{- include "pipelines.selectorLabels" . | nindent 8 }} + component: {{ include "pipelines.vault.name" . }} + spec: + serviceAccountName: {{ include "pipelines.vault.name" . }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + initContainers: + {{- with .Values.vault.customInitContainersBegin }} + {{- tpl . $ | nindent 8 }} + {{- end }} + - name: config + image: '{{ .Values.initContainer.image }}' + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + env: + - name: PIPELINES_SHARED_DB_CONNECTIONSTRING + valueFrom: + secretKeyRef: + name: {{ .Values.global.postgresql.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "database") }} + key: postgresql-url + command: ["/bin/sh", "-c"] + args: + - | + cat > /etc/vault/config/vault.hcl < + echo "Waiting for Postgres to come up..."; + {{- if .Values.postgresql.enabled }} + until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do + {{- else }} + until nc -z -w 2 {{ tpl .Values.global.postgresql.host . 
}} {{ .Values.global.postgresql.port }} && echo database ok; do + {{- end }} + sleep 2; + done; + sleep 10; + - name: create-vault-table + image: "{{ .Values.imageRegistry }}/{{ .Values.pipelines.pipelinesInit.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + env: + - name: PIPELINES_SHARED_DB_CONNECTIONSTRING + valueFrom: + secretKeyRef: + name: {{ .Values.global.postgresql.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "database") }} + key: postgresql-url + command: + - 'sh' + - '-c' + - > + echo "Copy system.yaml to {{ .Values.pipelines.mountPath }}"; + cp -fv /tmp/etc/system.yaml {{ .Values.pipelines.mountPath }}/system.yaml; + echo "Creating Vault Table..."; + ./pipelines-k8s initVault; + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: systemyaml + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- with .Values.vault.customInitContainers }} + {{- tpl . 
$ | nindent 8 }} + {{- end }} + containers: + - name: vault-init + image: "{{ .Values.imageRegistry }}/{{ .Values.vault.init.image.repository }}:{{ default .Chart.AppVersion .Values.pipelines.version }}" + imagePullPolicy: {{ .Values.vault.init.image.pullPolicy }} + env: + - name: CHECK_INTERVAL + value: "10s" + - name: VAULT_NAMESPACE + value: {{ .Release.Namespace }} + - name: VAULT_ADDRESS + value: "http://localhost:30100" + resources: + requests: + memory: 10Mi + cpu: 10m + limits: + memory: 50Mi + cpu: 50m + - name: vault + image: "{{ .Values.vault.image.repository }}:{{ .Values.vault.image.tag }}" + imagePullPolicy: {{ .Values.vault.image.pullPolicy }} + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: "status.podIP" + - name: "VAULT_API_ADDR" + value: "http://$(POD_IP):30100" + - name: "VAULT_CLUSTER_ADDR" + value: "http://$(POD_IP):30101" + args: + - "server" + - "-config=/etc/vault/config/vault.hcl" + ports: + - name: http + containerPort: 30100 + protocol: "TCP" + - name: server + containerPort: 30101 + protocol: "TCP" + readinessProbe: + httpGet: + path: "/v1/sys/health?standbyok=true" + port: 30100 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.vault.resources | nindent 12 }} + securityContext: + capabilities: + add: + - IPC_LOCK + volumeMounts: + - name: vault-config + mountPath: /etc/vault/config + {{- with .Values.vault.customVolumeMounts }} +{{ tpl . $ | indent 12 }} + {{- end }} + {{- with .Values.vault.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.vault.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.vault.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.vault.customVolumes }} +{{ tpl . 
$ | nindent 8 }} + {{- end }} + - name: vault-config + emptyDir: {} + - name: jfrog-pipelines-folder + emptyDir: {} + - name: systemyaml + secret: + secretName: {{ .Values.existingSecret | default (printf "%s-%s" (include "pipelines.fullname" .) "system-yaml") }} + {{- if .Values.vault.configMaps }} + - name: vault-configmaps + configMap: + name: {{ include "pipelines.vault.name" . }}-configmaps + {{- end }} +{{- end }} diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-ingress.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-ingress.yaml new file mode 100644 index 0000000..ec59d75 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-ingress.yaml @@ -0,0 +1,40 @@ +{{- if .Values.pipelines.www.ingress.enabled }} +{{- $fullName := include "pipelines.www.name" . -}} +{{- $ingressPath := .Values.pipelines.www.ingress.path -}} +{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "pipelines.labels" . | nindent 4 }} + component: {{ include "pipelines.www.name" . }} + {{- with .Values.pipelines.www.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.pipelines.www.ingress.tls }} + tls: + {{- range .Values.pipelines.www.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.pipelines.www.ingress.hosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $ingressPath }} + backend: + serviceName: {{ $fullName }} + servicePort: www + {{- end }} +{{- end }} 
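Review bot: In vault-statefulset.yaml the `vault` container's `securityContext` only adds `IPC_LOCK`; nothing drops the default capability set or blocks privilege escalation, and the `vault-init` container and both init containers carry no securityContext at all. Add `allowPrivilegeEscalation: false` and `drop: ["ALL"]` under `capabilities` beside the existing `add`, and give the other containers the same baseline. Separately, `VAULT_ADDRESS`, `VAULT_API_ADDR` and `VAULT_CLUSTER_ADDR` are all `http://` and the readiness probe uses `scheme: HTTP`, so traffic on 30100/30101 appears to be unencrypted inside the cluster. The `vault.hcl` heredoc written by the `config` init container is not legible in this view, so the listener settings could not be checked. If TLS stays off, a NetworkPolicy limiting 30100/30101 to the Pipelines pods would reduce who can reach Vault.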
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-service.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-service.yaml
new file mode 100644
index 0000000..8d4d994
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/templates/www-service.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "pipelines.www.name" . }}
+ labels:
+ {{- include "pipelines.labels" . | nindent 4 }}
+ component: {{ include "pipelines.www.name" . }}
+{{- if .Values.pipelines.www.service.annotations }}
+ annotations:
+ {{- range $key, $value := .Values.pipelines.www.service.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+spec:
+ type: {{ .Values.pipelines.www.service.type }}
+{{- if .Values.pipelines.www.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.pipelines.www.service.loadBalancerIP }}
+ {{- end }}
+{{- if .Values.pipelines.www.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml .Values.pipelines.www.service.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+ ports:
+ - port: {{ .Values.pipelines.www.service.port }}
+{{- if eq .Values.pipelines.www.service.type "NodePort" }}
+ nodePort: 30001
+{{- end }}
+ targetPort: 30001
+ protocol: TCP
+ name: www
+ selector:
+ {{- include "pipelines.selectorLabels" . | nindent 4 }}
+ component: {{ include "pipelines.services.name" . }}
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-external-secret.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-external-secret.yaml
new file mode 100644
index 0000000..cb6f2ef
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-external-secret.yaml
@@ -0,0 +1,105 @@ +# Override values for Pipelines. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Existing secret with Pipelines system.yaml +existingSecret: pipelines-system-yaml + +pipelines: + + jfrogUrl: https://artifactory.example.com + jfrogUrlUI: https://artifactory.example.com + + replicaCount: 1 + + ## JFrog Pipelines API server + api: + + ingress: + enabled: true + annotations: + ## If NOT using letsencrypt, you can omit these two lines + cert-manager.io/cluster-issuer: "letsencrypt-prod" + kubernetes.io/tls-acme: "true" + ## If NOT using letsencrypt, you can omit two lines above + + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "0" + + ## Set a custom whitelist IP CIDRs. Comma delimited. + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.2.3.4/32,2.3.4.5/32" + path: / + hosts: + - pipelines-api.example.com + tls: + - secretName: pipelines-api.example.com + hosts: + - pipelines-api.example.com + + ## JFrog Pipelines web server + www: + + ingress: + enabled: true + annotations: + ## If NOT using letsencrypt, you can omit these two lines + cert-manager.io/cluster-issuer: "letsencrypt-prod" + kubernetes.io/tls-acme: "true" + ## If NOT using letsencrypt, you can omit two lines above + + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "0" + + ## Set a custom whitelist IP CIDRs. Comma delimited. 
+ # nginx.ingress.kubernetes.io/whitelist-source-range: "1.2.3.4/32,2.3.4.5/32" + path: / + hosts: + - pipelines.example.com + tls: + - secretName: pipelines.example.com + hosts: + - pipelines.example.com + +postgresql: + ## PostgreSQL password using existing secret + existingSecret: pipelines-database + + +## RabbitMQ server +rabbitmq: + + # Existing password secret + existingPasswordSecret: pipelines-rabbitmq-secret + existingErlangSecret: pipelines-rabbitmq-secret + + ingress: + enabled: true + + hostName: pipelines-msg.example.com + path: / + tls: true + tlsSecret: pipelines-msg.example.com + + annotations: + ## If NOT using letsencrypt, you can omit these two lines + cert-manager.io/cluster-issuer: "letsencrypt-prod" + kubernetes.io/tls-acme: "true" + ## If NOT using letsencrypt, you can omit two lines above + + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "0" + + ## Set a custom whitelist IP CIDRs. Comma delimited. + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.2.3.4/32,2.3.4.5/32" diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-passwords.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-passwords.yaml new file mode 100644 index 0000000..e74186d --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress-passwords.yaml 
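Review bot: In values-ingress-external-secret.yaml `existingPasswordSecret` and `existingErlangSecret` sit directly under a single `rabbitmq:` key, but `templates/rabbitmq-secret.yaml` in this patch tests `.Values.rabbitmq.rabbitmq.existingErlangSecret` and `.Values.rabbitmq.rabbitmq.existingPasswordSecret`, and `values-ingress-passwords.yaml` nests `password` under `rabbitmq.rabbitmq`. If the nesting is as it reads here, the template guard stays true and the chart still tries to render its own `-rabbitmq-secret` from `erlangCookie`/`password` instead of relying on the external secret. Move both keys one level down, under a nested `rabbitmq:` map inside the top-level `rabbitmq:` block. Indentation is not preserved in this view, so confirm against the file itself.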
@@ -0,0 +1,25 @@
+
+# Override values for Pipelines.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+existingSecret: ""
+
+pipelines:
+
+ masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ joinKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ authToken: 99eb7537-d920-4f8a-8180-fa297a1263ac
+ serviceId: jfpip@1234567890
+
+ msg:
+ uiUserPassword: somepassword
+
+# PostgreSQL
+postgresql:
+ postgresqlPassword: somepassword
+
+# RabbitMQ
+rabbitmq:
+ rabbitmq:
+ password: somepassword
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress.yaml
new file mode 100644
index 0000000..3f022bd
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values-ingress.yaml
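Review bot: Nothing in values-ingress-passwords.yaml marks `masterKey`, `joinKey`, `authToken` and the three `somepassword` entries as placeholders, whereas `values.yaml` in this patch carries an explicit "should NOT use the example" warning for the same keys. A values file with this name is likely to be passed with `-f` unchanged. Add a header comment such as `## EXAMPLE ONLY: replace every key, token and password below with generated values before deploying`, and repeat the generation hints from `values.yaml` (`openssl rand -hex 32`, `uuidgen`) beside `masterKey` and `authToken`. The `authToken` here looks like an ordinary UUID rather than an obvious dummy, so an all-zero placeholder would make accidental reuse easier to spot.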
@@ -0,0 +1,93 @@ +# Override values for pipelines. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +pipelines: + + jfrogUrl: https://artifactory.example.com + jfrogUrlUI: https://artifactory.example.com + + replicaCount: 1 + + ## JFrog Pipelines API server + api: + + ingress: + enabled: true + annotations: + ## If NOT using letsencrypt, you can omit these two lines + cert-manager.io/cluster-issuer: "letsencrypt-prod" + kubernetes.io/tls-acme: "true" + ## If NOT using letsencrypt, you can omit two lines above + + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "0" + + ## Set a custom whitelist IP CIDRs. Comma delimited. + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.2.3.4/32,2.3.4.5/32" + path: / + hosts: + - pipelines-api.example.com + tls: + - secretName: pipelines-api.example.com + hosts: + - pipelines-api.example.com + + ## JFrog Pipelines web server + www: + + ingress: + enabled: true + annotations: + ## If NOT using letsencrypt, you can omit these two lines + cert-manager.io/cluster-issuer: "letsencrypt-prod" + kubernetes.io/tls-acme: "true" + ## If NOT using letsencrypt, you can omit two lines above + + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "0" + + ## Set a custom whitelist IP CIDRs. Comma delimited. 
+ # nginx.ingress.kubernetes.io/whitelist-source-range: "1.2.3.4/32,2.3.4.5/32" + path: / + hosts: + - pipelines.example.com + tls: + - secretName: pipelines.example.com + hosts: + - pipelines.example.com + +## RabbitMQ server +rabbitmq: + + ingress: + enabled: true + + hostName: pipelines-msg.example.com + path: / + tls: true + tlsSecret: pipelines-msg.example.com + + annotations: + ## If NOT using letsencrypt, you can omit these two lines + cert-manager.io/cluster-issuer: "letsencrypt-prod" + kubernetes.io/tls-acme: "true" + ## If NOT using letsencrypt, you can omit two lines above + + ingress.kubernetes.io/force-ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + ingress.kubernetes.io/proxy-read-timeout: "600" + ingress.kubernetes.io/proxy-send-timeout: "600" + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "0" + + ## Set a custom whitelist IP CIDRs. Comma delimited. + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.2.3.4/32,2.3.4.5/32" diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values.yaml new file mode 100644 index 0000000..d942e08 --- /dev/null +++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/charts/pipelines/values.yaml 
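Review bot: All three ingress blocks in values-ingress.yaml (api, www and the RabbitMQ one on `pipelines-msg.example.com`) ship with `whitelist-source-range` commented out and `proxy-body-size: "0"`, which removes the request-size limit in ingress-nginx. For api and www that may be intended, but the RabbitMQ ingress presumably fronts the broker's management endpoint and is the one most worth restricting by default. Put a comment above that block, for example `## Restrict access: set whitelist-source-range before enabling this ingress outside a test cluster`. The same applies to the matching blocks in `values-ingress-external-secret.yaml`.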
@@ -0,0 +1,1317 @@ +## Default values for pipelines + +## Common +initContainer: + image: "docker.bintray.io/alpine:3.12" + pullPolicy: IfNotPresent + +# Init containers +initContainers: + resources: {} +# requests: +# memory: "64Mi" +# cpu: "10m" +# limits: +# memory: "128Mi" +# cpu: "250m" + + +## Available modes: devmode (enable it for debuging) and production +runMode: production + +## Image Registry to pull images for Pipelines components from +## You can override it with your private Artifactory registry +imageRegistry: docker.bintray.io + +## For supporting pulling from private registries +## Secret type: kubernetes.io/dockerconfigjson +imagePullSecrets: + +## Existing secret with Pipelines system.yaml +existingSecret: + +## String to partially override pipelines.fullname template (will maintain the release name) +# nameOverride: + +## String to fully override pipelines.fullname template +# fullnameOverride: + +## Set user/group to run Pipelines components with +securityContext: + enabled: true + uid: 1030 + gid: 1030 + +## Pipelines components +pipelines: + + # version: + + ## Artifactory URL - Mandatory + jfrogUrl: + ## Artifactory UI URL - Mandatory + jfrogUrlUI: + + ## Join Key to connect to Artifactory + ## IMPORTANT: You should NOT use the example joinKey for a production deployment! + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + + ## Pipelines requires a unique master key + ## You can generate one with the command: "openssl rand -hex 32" + ## IMPORTANT: You should NOT use the example masterKey for a production deployment! 
+ masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + + ## Installer Authentication Token + ## The unique token can be generated with: uuidgen | tr '[:upper:]' '[:lower:]' + authToken: "c7595edd-b63d-4fd6-9e1e-13924d6637f0" + + ## Pipelines ID in Artifactory + ## For production, the unique ID should be generated instead of using 12345: openssl rand | tr -dc 1-9 | head -c 10 + serviceId: jfpip@12345 + + ## Artifactory Service ID + ## This should be set to the Artifactory Service ID + artifactoryServiceId: "FFFFFFFFFFFF" + + ## Artifactory License ID + ## + licenseId: "FFFFFFFFF" + + ## A name must be unique if the same Artifactory is shared between different Pipelines + ## Repository type `Generic` with layout `maven-2-default` must be precreated in advance + rootBucket: jfrogpipelines + + mountPath: /opt/jfrog/pipelines/var/etc + + logPath: /opt/jfrog/pipelines/var/log + + replicaCount: 1 + + # CORS configuration. Default values are artifactory url and www external url + accessControlAllowOrigins_0: "update_with_artifactory_url" + accessControlAllowOrigins_1: "update_with_www_external_url" + + # RabbitMQ health check interval in mins + rabbitmqHealthCheckIntervalInMins: 1 + # Artifactory health check interval in mins + artifactoryHealthCheckIntervalInMins: 1 + + updateStrategy: RollingUpdate + + nodeSelector: {} + tolerations: [] + affinity: {} + + ## Apply horizontal pod auto scaling on Pipelines pods + ## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 + + api: + image: + repository: jfrog/pipelines-api + pullPolicy: IfNotPresent + + service: + ## Supported service types: ClusterIP, NodePort and LoadBalancer + type: ClusterIP + port: 30000 + + annotations: + # external-dns.alpha.kubernetes.io/hostname: example.org + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # 
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:XXXXXX:certificate/XXXXXX + + ## Set LB static IP + loadBalancerIP: + + ## Whitelist IPs allowed to LoadBalancer type services + ## Example: loadBalancerSourceRanges={82.82.190.51/32,141.141.8.8/32} + loadBalancerSourceRanges: [] + livenessProbe: + enabled: true + initialDelaySeconds: 20 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 10 + successThreshold: 1 + path: / + port: api + + readinessProbe: + enabled: true + initialDelaySeconds: 20 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 10 + successThreshold: 1 + path: / + port: api + + ## External URL, it is ignored if ingress is enabled + externalUrl: + + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + router: + image: + repository: jfrog/pipelines-router + pullPolicy: IfNotPresent + + internalPort: 8046 + externalPort: 8082 + + mountPath: "/opt/jfrog/router/var/etc" + + resources: {} + # requests: + # memory: "2Gi" + # cpu: "500m" + # limits: + # memory: "4Gi" + # cpu: "2" + + www: + image: + repository: jfrog/pipelines-www + pullPolicy: IfNotPresent + + service: + ## Supported service types: ClusterIP, NodePort and LoadBalancer + type: ClusterIP + port: 30001 + + annotations: + # external-dns.alpha.kubernetes.io/hostname: example.org + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:XXXXXX:certificate/XXXXXX + + ## Set LB static IP + loadBalancerIP: + + ## Whitelist IPs allowed to LoadBalancer type services + ## Example: loadBalancerSourceRanges={82.82.190.51/32,141.141.8.8/32} + loadBalancerSourceRanges: 
[] + livenessProbe: + enabled: true + initialDelaySeconds: 20 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + path: / + port: www + + + readinessProbe: + enabled: true + initialDelaySeconds: 20 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + path: / + port: www + + ## External URL, it is ignored if ingress is enabled + externalUrl: + + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + msg: + uiUser: monitor + # Password must be set + uiUserPassword: "" + + pipelineSync: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + runTrigger: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + stepTrigger: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + cron: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nexec: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + hookHandler: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # 
memory: 128Mi + + marshaller: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + logup: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + extensionSync: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Pipelines installer + pipelinesInit: + image: + repository: jfrog/pipelines-installer + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Cluster Role Based Access + ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ + rbac: + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: ["", "extensions", "apps"] + resources: + - deployments + - persistentvolumes + - persistentvolumeclaims + - pods + - deployments/scale + verbs: ["*"] + + # Add any list of configmaps to Pipelines + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + + ## Add custom volumes + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + + ## Add custom init begin containers - first init container to run + customInitContainersBegin: | + # - name: "custom-begin-setup" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy}}" + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.pipelines.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ 
.Values.pipelines.mountPath}}" + # name: jfrog-pipelines-folder + + ## Add custom init containers - last init container to run + customInitContainers: | + # - name: "custom-setup" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy}}" + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.pipelines.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.pipelines.mountPath}}" + # name: jfrog-pipelines-folder + + ## Add custom sidecar containers + # - The provided example uses a custom volume (customVolumes) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy }}" + # securityContext: + # allowPrivilegeEscalation: false + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.pipelines.mountPath }}" + # name: volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" + + systemYaml: | + {{- if .Values.router.routerConfiguration }} + router: + ## Router configuration + topology: + external: + refresh: + interval: "{{ .Values.router.topology.external.refresh.interval }}" + serviceRegistry: + url: "{{ .Values.router.serviceRegistry.url }}" + {{- end }} + shared: + ## Artifactory configuration + ## + artifactory: + ## Artifactory URL + ## + baseUrl: "{{ tpl (required "\n\npipelines.jfrogUrl is required!\n" .Values.pipelines.jfrogUrl) . }}" + ## Unified UI URL + ## + baseUrlUI: "{{ tpl (required "\n\npipelines.jfrogUrlUI is required!\n" .Values.pipelines.jfrogUrlUI) . 
}}" + ## Pipelines Service ID + ## + serviceId: "{{ .Values.pipelines.serviceId }}" + ## Artifactory Service ID + ## + artifactoryServiceId: "{{ .Values.pipelines.artifactoryServiceId }}" + ## Artifactory License ID + ## + licenseId: "{{ .Values.pipelines.licenseId }}" + ## Proxy to connect to Artifactory + ## + proxy: + url: "" + username: "" + password: "" + + ## Router configuration + ## + router: + ip: "" + accessPort: {{ .Values.pipelines.router.internalPort }} + dataPort: {{ .Values.pipelines.router.externalPort }} + joinKey: "{{ .Values.pipelines.joinKey }}" + + security: + masterKey: "{{ .Values.pipelines.masterKey }}" + + ## Database configuration + ## + db: + type: "postgres" + {{- if .Values.postgresql.enabled }} + ip: {{ tpl .Release.Name . }}-postgresql + port: "{{ .Values.postgresql.service.port }}" + name: {{ .Values.postgresql.postgresqlDatabase }} + username: {{ .Values.postgresql.postgresqlUsername }} + password: {{ .Values.postgresql.postgresqlPassword }} + {{- else }} + ip: {{ tpl .Values.global.postgresql.host . }} + port: "{{ .Values.global.postgresql.port }}" + name: {{ .Values.global.postgresql.database }} + username: {{ .Values.global.postgresql.user }} + password: {{ .Values.global.postgresql.password }} + {{- end }} + externalUrl: "" + {{- if .Values.postgresql.enabled }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%s-postgresql:%v/%s" .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword .Release.Name .Values.postgresql.service.port .Values.postgresql.postgresqlDatabase) . }}" + {{- else if and (not .Values.postgresql.enabled) (.Values.global.postgresql.ssl) }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%v:%v/%s?sslmode=require" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . 
}}" + {{- else }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%v:%v/%s" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . }}" + {{- end }} + + ## RabbitMQ configuration + ## + msg: + {{- if .Values.rabbitmq.enabled }} + ip: {{ .Release.Name }}-rabbitmq + port: {{ .Values.rabbitmq.service.port }} + adminPort: {{ .Values.rabbitmq.service.managerPort }} + erlangCookie: {{ .Values.rabbitmq.rabbitmq.erlangCookie }} + username: {{ .Values.rabbitmq.rabbitmq.username }} + password: {{ .Values.rabbitmq.rabbitmq.password }} + defaultExchange: pipelinesEx + amqpVhost: pipelines + amqpRootVhost: pipelinesRoot + {{- else }} + ip: {{ tpl .Values.rabbitmq.internal_ip . }} + port: {{ .Values.rabbitmq.port}} + adminPort: {{ .Values.rabbitmq.manager_port }} + erlangCookie: {{ .Values.rabbitmq.erlang_cookie }} + username: {{ .Values.rabbitmq.ms_username }} + password: {{ .Values.rabbitmq.ms_password }} + defaultExchange: {{ .Values.rabbitmq.root_vhost_exchange_name }} + amqpVhost: {{ .Values.rabbitmq.build_vhost_name}} + amqpRootVhost: {{ .Values.rabbitmq.root_vhost_name }} + protocol: {{ .Values.rabbitmq.protocol }} + {{- end }} + queues: + - "core.pipelineSync" + - "core.runTrigger" + - "core.stepTrigger" + - "core.marshaller" + - "cluster.init" + - "core.logup" + - "www.signals" + - "core.nexec" + - "core.hookHandler" + - "core.extensionSync" + ui: + {{- if .Values.rabbitmq.enabled }} + username: {{ .Values.pipelines.msg.uiUser }} + password: {{ .Values.pipelines.msg.uiUserPassword }} + {{- else }} + protocol: http + username: {{ .Values.rabbitmq.cp_username }} + password: {{ .Values.rabbitmq.cp_password }} + {{- end }} + external: + ## URL for build plane VMs to access RabbitMQ + {{- if .Values.rabbitmq.externalUrl }} + url: {{ .Values.rabbitmq.externalUrl }} + {{- else if (and .Values.rabbitmq.serviceVmLb.enabled 
.Values.rabbitmq.serviceVmLb.loadBalancerIP) }} + url: amqp://{{ .Values.rabbitmq.serviceVmLb.loadBalancerIP }} + {{- else if .Values.rabbitmq.enabled }} + url: amqp://{{ tpl .Release.Name . }}-rabbitmq + {{- else }} + url: {{ .Values.rabbitmq.protocol }}://{{ tpl .Values.rabbitmq.msg_hostname . }}:{{ .Values.rabbitmq.port }} + {{- end }} + rootUrl: "" + adminUrl: "" + {{- if not .Values.rabbitmq.enabled }} + build: + username: {{ .Values.rabbitmq.build_username }} + password: {{ .Values.rabbitmq.build_password }} + {{- end }} + + ## Vault configuration + ## + vault: + {{- if .Values.vault.enabled }} + ip: {{ include "pipelines.vault.name" . }} + port: {{ .Values.vault.service.port }} + {{- else }} + ip: {{ .Values.global.vault.host }} + port: {{ .Values.global.vault.port }} + {{- end }} + ## DO NOT CHANGE THE TOKEN VALUE!!! + token: "_VAULT_TOKEN_" + unsealKeys: + - "" + - "" + - "" + - "" + - "" + + ## Redis configuration + ## + redis: + ip: {{ .Release.Name }}-redis-master + port: 6379 + clusterEnabled: false + + ## This section is used for bringing up the core services and setting up + ## configurations required by the installer & the services + ## + core: + ## id is automatically determined based on the current hostname + ## or set using the SHARED_NODE_ID environment variable. 
+ ## + id: "afd8df9d08bf257ae9b7d7dbbf348b7a3a574ebdd3a61d350d4b64e3129dee85" + installerIP: "1.2.3.4" + installerAuthToken: "{{ .Values.pipelines.authToken }}" + installerImage: "jfrog/pipelines-installer" + registryUrl: "{{ .Values.imageRegistry }}" + os: "Ubuntu_16.04" + osDistribution: "xenial" + architecture: "x86_64" + dockerVersion: "" + runMode: "{{ .Values.runMode }}" + user: "" + group: "" + noVerifySsl: false + ignoreTLSErrors: false + controlplaneVersion: "{{ default .Chart.AppVersion .Values.pipelines.version }}" + buildplaneVersion: "{{ default .Chart.AppVersion .Values.pipelines.version }}" + accessControlAllowOrigins: + - {{ .Values.pipelines.accessControlAllowOrigins_0 }} + - {{ .Values.pipelines.accessControlAllowOrigins_1 }} + rabbitmqHealthCheckIntervalInMins: {{ .Values.pipelines.rabbitmqHealthCheckIntervalInMins}} + artifactoryHealthCheckIntervalInMins: {{ .Values.pipelines.artifactoryHealthCheckIntervalInMins}} + ## Global proxy settings, to be applied to all services + ## + proxy: + httpProxy: "" + httpsProxy: "" + noProxy: "" + username: "" + password: "" + + ## Mailserver settings + ## + mailserver: + host: "" + port: "" + username: "" + password: "" + tls: "" + ssl: "" + apiRetryIntervalMs: 3000 + accountSyncFrequencyHr: 1 + imageRegistrySecret: "{{ .Values.imagePullSecrets }}" + hardDeleteIntervalInMins: 60 + configBackupCount: 5 + lastUpdateTime: "" + callHomeUrl: "https://api.bintray.com/products/jfrog/pipelines/stats/usage" + allowCallHome: true + serviceInstanceHealthCheckIntervalInMins: 1 + serviceInstanceStatsCutOffIntervalInHours: 24 + + ## Service configuration + ## + services: + api: + name: {{ include "pipelines.api.name" . }} + port: {{ .Values.pipelines.api.service.port }} + {{- if (and .Values.pipelines.api.ingress.enabled .Values.pipelines.api.ingress.tls) }} + {{- range .Values.pipelines.api.ingress.hosts }} + externalUrl: https://{{ . 
}} + {{- end }} + {{- else if .Values.pipelines.api.ingress.enabled }} + {{- range .Values.pipelines.api.ingress.hosts }} + externalUrl: http://{{ . }} + {{- end }} + {{- else }} + externalUrl: {{ .Values.pipelines.api.externalUrl }} + {{- end }} + www: + name: {{ include "pipelines.www.name" . }} + port: {{ .Values.pipelines.www.service.port }} + {{- if (and .Values.pipelines.www.ingress.enabled .Values.pipelines.www.ingress.tls) }} + {{- range .Values.pipelines.www.ingress.hosts }} + externalUrl: https://{{ . }} + {{- end }} + {{- else if .Values.pipelines.www.ingress.enabled }} + {{- range .Values.pipelines.www.ingress.hosts }} + externalUrl: http://{{ . }} + {{- end }} + {{- else }} + externalUrl: {{ .Values.pipelines.www.externalUrl }} + {{- end }} + sessionSecret: "{{ .Values.pipelines.authToken }}" + pipelineSync: + name: pipelineSync + runTrigger: + name: runTrigger + stepTrigger: + name: stepTrigger + cron: + name: cron + nexec: + name: nexec + hookHandler: + name: hookHandler + marshaller: + name: marshaller + extensionSync: + name: extensionSync + + ## Runtime configuration + ## + runtime: + rootBucket: "{{ .Values.pipelines.rootBucket }}" + defaultMinionCount: 1 + nodeCacheIntervalMS: 600000 + jobConsoleBatchSize: 10 + jobConsoleBufferIntervalMs: 3 + maxDiskUsagePercentage: 90 + stepTimeoutMS: 3600000 + nodeStopDayOfWeek: 0 + nodeStopIntervalDays: 30 + maxNodeCheckInDelayMin: 15 + defaultMinionInstanceSize: "c4.large" + allowDynamicNodes: true + allowCustomNodes: true + {{- range $key, $value := .Values.runtimeOverride }} + {{ $key }}: {{ $value | quote }} + {{- end }} + languageImages: + - architecture: x86_64 + os: Ubuntu_16.04 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: Ubuntu_16.04 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16java + defaultVersion: 13 + - architecture: x86_64 + os: Ubuntu_16.04 + 
language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: Ubuntu_16.04 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: Ubuntu_18.04 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: Ubuntu_18.04 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18java + defaultVersion: 13 + - architecture: x86_64 + os: Ubuntu_18.04 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: Ubuntu_18.04 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: CentOS_7 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: CentOS_7 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7java + defaultVersion: 11 + - architecture: x86_64 + os: CentOS_7 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7cpp + defaultVersion: 3.4.2 + - architecture: x86_64 + os: CentOS_7 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: WindowsServer_2019 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19node + defaultVersion: 10.18.0 + - architecture: x86_64 + os: WindowsServer_2019 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19java + defaultVersion: 11 + - architecture: x86_64 + os: WindowsServer_2019 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: WindowsServer_2019 + language: go 
+ registryUrl: docker.bintray.io + image: jfrog/pipelines-w19go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: WindowsServer_2019 + language: dotnetcore + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19dotnetcore + isDefault: true + defaultVersion: 3.1 + - architecture: x86_64 + os: RHEL_7 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: RHEL_7 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7java + defaultVersion: 11 + - architecture: x86_64 + os: RHEL_7 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7cpp + defaultVersion: 3.4.2 + - architecture: x86_64 + os: RHEL_7 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7go + defaultVersion: 1.12.14 + +## Runtime Override Properties Section +runtimeOverride: {} + +## For setting up external services +global: + ## Internal Postgres must be set to false + postgresql: + host: + port: 5432 + database: "pipelinesdb" + user: "apiuser" + # Password must be set + password: "" + ssl: false + ## PostgreSQL password using existing secret + # existingSecret: secret + + ## Internal Vault must be set to false + vault: + host: + port: + token: + ## Vault token using existing secret + # existingSecret: secret + +# Router Configuration +router: + routerConfiguration: false + topology: + external: + refresh: + interval: "3s" + serviceRegistry: + url: + +# PostgreSQL +## https://hub.helm.sh/charts/bitnami/postgresql +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + enabled: true + + image: + registry: docker.bintray.io + repository: bitnami/postgresql + tag: 9.6.18-debian-10-r7 + + postgresqlDatabase: "pipelinesdb" + postgresqlUsername: "apiuser" + # Password must be set + postgresqlPassword: "" + + ## PostgreSQL password 
using existing secret + # existingSecret: secret + ## Mount PostgreSQL secret as a file instead of passing environment variable + # usePasswordFile: false + + service: + port: 5432 + + persistence: + enabled: true + size: 50Gi + existingClaim: + + master: + resources: {} + # requests: + # memory: "1Gi" + # cpu: "250m" + # limits: + # memory: "2Gi" + # cpu: "1" + nodeSelector: {} + affinity: {} + tolerations: [] + +## RabbitMQ HA +## https://hub.helm.sh/charts/bitnami/rabbitmq +## Configuration values for the rabbitmq dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/rabbitmq/README.md +## +rabbitmq: + enabled: true + protocol: amqps + replicas: 1 + + rabbitmq: + username: admin + + ## RabbitMQ application password + ## ref: https://github.com/bitnami/bitnami-docker-rabbitmq#environment-variables + # Password must be set + password: "" + # existingPasswordSecret: name-of-existing-secret + + ## Erlang cookie to determine whether different nodes are allowed to communicate with each other + erlangCookie: PIPELINESRABBITMQCLUSTER + # existingErlangSecret: name-of-existing-secret + + extraPlugins: "" + + service: + + type: ClusterIP + + ## Service annotations + annotations: {} + + ## Load Balancer sources + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + + persistence: + enabled: true + size: 20Gi + + resources: {} + + affinity: {} + + ingress: + ## Set to true to enable ingress record generation + enabled: false + + ## The list of hostnames to be covered with this ingress record. 
+ ## Most likely this will be just one host, but in the event more hosts are needed, this is an array + # hostName: foo.bar.com + path: / + + ## Set this to true in order to enable TLS on the ingress record + ## A side effect of this will be that the backend wordpress service will be connected at port 443 + tls: true + + ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS + tlsSecret: myTlsSecret + + ## Ingress annotations done as key:value pairs + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: true + + ## External URL for Build Plane VMs to access RabbitMQ + ## e.g. amqps://pipelines-msg.doamin.com + ## It should be set for the LoadBalancer below IP with proper domain name and TLS if external IP is used. + externalUrl: + + ## Service with external/internal LoadBalancer to access RabbitMQ by Node-pool VMs + serviceVmLb: + enabled: false + + annotations: + ## Set internal LB for Azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + ## Set internal LB for AWS + # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + ## Set internal LB for GCP + # cloud.google.com/load-balancer-type: "Internal" + + ## You must to provide internal LB static IP + loadBalancerIP: + + ## Whitelist IPs allowed to LoadBalancer type services + ## Example: loadBalancerSourceRanges={82.82.190.51/32,141.141.8.8/32} + loadBalancerSourceRanges: [] + +## Redis +## Configuration values for the redis dependency +## ref: https://github.com/bitnami/charts/tree/master/bitnami/redis +## +redis: + enabled: true + + redisPort: 6379 + + cluster: + enabled: false + slaveCount: 2 + + usePassword: false + + master: + configmap: |- + appendonly yes + loglevel notice + + resources: {} + # requests: + # memory: 200Mi + # cpu: 100m + # limits: + # memory: 700Mi + + affinity: {} + + slave: + resources: {} + # requests: + # memory: 200Mi + # cpu: 100m + # limits: + # memory: 200Mi + + affinity: {} + +## 
Vault +vault: + enabled: true + updateStrategy: RollingUpdate + + image: + repository: vault + tag: 1.3.4 + pullPolicy: IfNotPresent + + init: + image: + repository: jfrog/pipelines-vault-init + + pullPolicy: IfNotPresent + + service: + # Supported service types: ClusterIP and NodePort + type: ClusterIP + port: 30100 + + # Disable mlock only in non-prod environments + disablemlock: true + + resources: {} + # requests: + # memory: 256Mi + # cpu: 200m + # limits: + # memory: 1Gi + # cpu: 600m + + affinity: {} + nodeSelector: {} + tolerations: [] + + ## Role Based Access + ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ + rbac: + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - "*" + + # Add any list of configmaps to vault + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + + ## Add custom volumes + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + + ## Add custom init begin containers - first init container to run + customInitContainersBegin: | + # - name: "custom-begin-setup" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy}}" + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.pipelines.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.pipelines.mountPath}}" + # name: jfrog-pipelines-folder + + ## Add custom init containers - last init container to run + customInitContainers: | + # - name: "custom-setup" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy}}" + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.pipelines.mountPath }}/example-custom-setup' + # 
volumeMounts: + # - mountPath: "{{ .Values.pipelines.mountPath}}" + # name: jfrog-pipelines-folder + + +# Filebeat Sidecar container +## The provided filebeat configuration is for Pipeline logs. It assumes you have a logstash installed and configured properly. +filebeat: + enabled: false + name: pipelines-filebeat + image: + repository: "docker.elastic.co/beats/filebeat" + version: 7.5.1 + logstashUrl: "logstash:5044" + + terminationGracePeriod: 10 + + livenessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + curl --fail 127.0.0.1:5066 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + + readinessProbe: + exec: + command: + - sh + - -c + - | + #!/usr/bin/env bash -e + filebeat test output + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + + resources: {} +# requests: +# memory: "100Mi" +# cpu: "100m" +# limits: +# memory: "100Mi" +# cpu: "100m" + + filebeatYml: | + logging.level: info + path.data: {{ .Values.pipelines.logPath }}/filebeat + name: pipelines-filebeat + queue.spool: ~ + filebeat.inputs: + - type: log + enabled: true + close_eof: ${CLOSE:false} + paths: + - {{ .Values.pipelines.logPath }}/*.log + fields: + service: "jfpip" + log_type: "pipelines" + output: + logstash: + hosts: ["{{ .Values.filebeat.logstashUrl }}"] + +## +rbac: + create: true + +## The Build Plane is where the actual builds will run +buildPlane: + ## Dynamic Build Plane integration for the initial bootstrapping of the build planes. 
+ ## Any required changes post install need to be done in UI: Administration/Pipelines/Integrations
+ dynamic:
+ ## customer part is not needed for on-prem install
+ customer:
+ accountId: ""
+ nodePoolName: ""
+ nodelimit: ""
+ provider:
+ aws:
+ enabled: false
+ ## Replace the dummy values with the real ones
+ nodePoolName: "aws-dynamic-node-pool"
+ nodelimit: "3"
+ instanceType: c4.xlarge
+ securityGroupId: testsecuritygroupId
+ subnetId: test-subnetId
+ keyPairName: testaccountSSHKeyPair
+ vpcId: testVPCId
+ region: us-east-1
+ ##
+ accessKey: ""
+ secretKey: ""
+ ## Existing secret with AWS keys
+ existingSecret:
+ k8s:
+ enabled: false
+ ## Replace the dummy values with the real ones
+ nodePoolName: "k8s-dynamic-node-pool"
+ nodelimit: "3"
+ cpu: "1"
+ memory: "1000"
+ namespace: default
+ storageClass: standard
+ ## Node Affinity values: {key1:value1,key2:value2}
+ labels:
+ ## Kubernetes node pool kubeconfig base64 encoded
+ kubeconfig: ""
+ ## Existing secret with kubeconfig
+ existingSecret:
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/requirements.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/requirements.yaml
new file mode 100644
index 0000000..b26505c
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+ - name: pipelines
+ version: 1.5.4
+ repository: https://charts.jfrog.io/
diff --git a/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/values.yaml b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/values.yaml
new file mode 100644
index 0000000..f465a37
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/helm-charts/openshift-pipelines/values.yaml
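Review bot: The `pipelines` dependency in requirements.yaml is resolved from `https://charts.jfrog.io/` by version number only, so the operator image's contents depend on whatever that repository serves for 1.5.4 at build time. Whether the resolved chart archive is also committed under `charts/` is not visible from this hunk; if it is not, either vendor it or fetch it with provenance checking (`helm dependency build --verify`) so the bundled chart is the reviewed one. A comment above the entry would also help readers, because the values.yaml added next overrides the application version: `# chart 1.5.4, deployed with pipelines.version 1.8.0 from values.yaml`.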
@@ -0,0 +1,1199 @@ +pipelines: + + # MUST SET FOR EXTERNAL POSTGRESQL AND VAULT + global: + postgresql: + host: OVERRIDE + port: OVERRIDE + database: OVERRIDE + user: OVERRIDE + password: OVERRIDE + ssl: OVERRIDE + + ## Common + initContainer: + image: registry.connect.redhat.com/jfrog/pipelines-init:1.8.0 + pullPolicy: IfNotPresent + + # Init containers + initContainers: + resources: {} + # requests: + # memory: "64Mi" + # cpu: "10m" + # limits: + # memory: "128Mi" + # cpu: "250m" + + + ## Available modes: devmode (enable it for debuging) and production + runMode: production + + ## Image Registry to pull images for Pipelines components from + ## You can override it with your private Artifactory registry + imageRegistry: registry.connect.redhat.com + + ## For supporting pulling from private registries + ## Secret type: kubernetes.io/dockerconfigjson + imagePullSecrets: + + ## Existing secret with Pipelines system.yaml + existingSecret: + + ## String to partially override pipelines.fullname template (will maintain the release name) + # nameOverride: + + ## String to fully override pipelines.fullname template + # fullnameOverride: + + ## Set user/group to run Pipelines components with + securityContext: + enabled: true + uid: '1000721117' + gid: '1000721117' + + ## Pipelines components + pipelines: + version: 1.8.0 + ## Artifactory URL - Mandatory + jfrogUrl: OVERRIDE + jfrogUrlUI: OVERRIDE + + ## Pipelines requires the join key from Artifactory + joinKey: OVERRIDE + + ## Pipelines requires a unique master key + ## You can generate one with the command: "openssl rand -hex 32" + masterKey: OVERRIDE + + ## Installer Authentication Token + ## The unique token can be generated with: uuidgen | tr '[:upper:]' '[:lower:]' + authToken: "c7595edd-b63d-4fd6-9e1e-13924d6637f0" + + ## Pipelines ID in Artifactory + ## For production, the unique ID should be generated instead of using 12345: openssl rand | tr -dc 1-9 | head -c 10 + serviceId: jfpip@12345 + + ## Artifactory Service 
ID + ## This should be set to the Artifactory Service ID + artifactoryServiceId: "FFFFFFFFFFFF" + + ## Artifactory License ID + ## + licenseId: "FFFFFFFFF" + + ## A name must be unique if the same Artifactory is shared between different Pipelines + ## Repository type `Generic` with layout `maven-2-default` must be precreated in advance + rootBucket: jfrogpipelines + + mountPath: /opt/jfrog/pipelines/var/etc + + logPath: /opt/jfrog/pipelines/var/log + + replicaCount: 1 + + # CORS configuration. Default values are artifactory url and www external url + accessControlAllowOrigins_0: OVERRIDE + accessControlAllowOrigins_1: OVERRIDE + + # RabbitMQ health check interval in mins + rabbitmqHealthCheckIntervalInMins: 1 + # Artifactory health check interval in mins + artifactoryHealthCheckIntervalInMins: 1 + + updateStrategy: RollingUpdate + + nodeSelector: {} + tolerations: [] + affinity: {} + + ## Apply horizontal pod auto scaling on Pipelines pods + ## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 + + api: + image: + repository: jfrog/pipelines-api + pullPolicy: IfNotPresent + + service: + ## Supported service types: ClusterIP, NodePort and LoadBalancer + type: ClusterIP + port: 30000 + + annotations: + # external-dns.alpha.kubernetes.io/hostname: example.org + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:XXXXXX:certificate/XXXXXX + + ## Set LB static IP + loadBalancerIP: + + ## Whitelist IPs allowed to LoadBalancer type services + ## Example: loadBalancerSourceRanges={82.82.190.51/32,141.141.8.8/32} + loadBalancerSourceRanges: [] + livenessProbe: + enabled: true + initialDelaySeconds: 20 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 10 + successThreshold: 1 + path: / + port: api + + readinessProbe: + enabled: true + 
initialDelaySeconds: 20 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 10 + successThreshold: 1 + path: / + port: api + + ## External URL, it is ignored if ingress is enabled + externalUrl: + + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + router: + image: + repository: jfrog/pipelines-router + pullPolicy: IfNotPresent + + internalPort: 8046 + externalPort: 8082 + + mountPath: "/opt/jfrog/router/var/etc" + + resources: {} + # requests: + # memory: "2Gi" + # cpu: "500m" + # limits: + # memory: "4Gi" + # cpu: "2" + + www: + image: + repository: jfrog/pipelines-www + pullPolicy: IfNotPresent + + service: + ## Supported service types: ClusterIP, NodePort and LoadBalancer + type: ClusterIP + port: 30001 + + annotations: + # external-dns.alpha.kubernetes.io/hostname: example.org + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:XXXXXX:certificate/XXXXXX + + ## Set LB static IP + loadBalancerIP: + + ## Whitelist IPs allowed to LoadBalancer type services + ## Example: loadBalancerSourceRanges={82.82.190.51/32,141.141.8.8/32} + loadBalancerSourceRanges: [] + livenessProbe: + enabled: true + initialDelaySeconds: 20 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + path: / + port: www + + + readinessProbe: + enabled: true + initialDelaySeconds: 20 + failureThreshold: 10 + timeoutSeconds: 10 + periodSeconds: 10 + successThreshold: 1 + path: / + port: www + + ## External URL, it is ignored if ingress is enabled + externalUrl: + + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # 
kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + msg: + uiUser: OVERRIDE + uiUserPassword: OVERRIDE + + pipelineSync: + image: + repository: jfrog/pipelines-micro + pullPolicy: Always + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + runTrigger: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + stepTrigger: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + cron: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nexec: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + hookHandler: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + marshaller: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + logup: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + extensionSync: + image: + repository: jfrog/pipelines-micro + pullPolicy: IfNotPresent + + resources: {} + # limits: + # 
cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Pipelines installer + pipelinesInit: + image: + repository: jfrog/pipelines-installer + pullPolicy: IfNotPresent + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Cluster Role Based Access + ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ + rbac: + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: ["", "extensions", "apps"] + resources: + - deployments + - persistentvolumes + - persistentvolumeclaims + - pods + - deployments/scale + verbs: ["*"] + + # Add any list of configmaps to Pipelines + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + + ## Add custom volumes + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + + ## Add custom init begin containers - first init container to run + customInitContainersBegin: | + - name: "redhat-custom-setup" + image: {{ .Values.initContainer.image }} + imagePullPolicy: Always + command: + - 'sh' + - '-c' + - 'chown -R {{ .Values.securityContext.uid }}:{{ .Values.securityContext.gid }} {{ .Values.pipelines.mountPath }} && chown -R {{ .Values.securityContext.uid }}:{{ .Values.securityContext.gid }} {{ .Values.pipelines.logPath }}' + securityContext: + runAsUser: 0 + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: "{{ .Values.pipelines.mountPath }}" + - name: jfrog-pipelines-logs + mountPath: {{ .Values.pipelines.logPath }} + + ## Add custom init containers - last init container to run + customInitContainers: | + # - name: "custom-setup" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy}}" + # command: + # - 'sh' + 
# - '-c' + # - 'touch {{ .Values.pipelines.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.pipelines.mountPath}}" + # name: jfrog-pipelines-folder + + ## Add custom sidecar containers + # - The provided example uses a custom volume (customVolumes) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy }}" + # securityContext: + # allowPrivilegeEscalation: false + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.pipelines.mountPath }}" + # name: volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" + + systemYaml: | + {{- if .Values.router.routerConfiguration }} + router: + ## Router configuration + topology: + external: + refresh: + interval: "{{ .Values.router.topology.external.refresh.interval }}" + serviceRegistry: + url: "{{ .Values.router.serviceRegistry.url }}" + {{- end }} + shared: + ## Artifactory configuration + ## + artifactory: + ## Artifactory URL + ## + baseUrl: "{{ tpl (required "\n\npipelines.jfrogUrl is required!\n" .Values.pipelines.jfrogUrl) . }}" + ## Unified UI URL + ## + baseUrlUI: "{{ tpl (required "\n\npipelines.jfrogUrlUI is required!\n" .Values.pipelines.jfrogUrlUI) . 
}}" + ## Pipelines Service ID + ## + serviceId: "{{ .Values.pipelines.serviceId }}" + ## Artifactory Service ID + ## + artifactoryServiceId: "{{ .Values.pipelines.artifactoryServiceId }}" + ## Artifactory License ID + ## + licenseId: "{{ .Values.pipelines.licenseId }}" + ## Proxy to connect to Artifactory + ## + proxy: + url: "" + username: "" + password: "" + + ## Router configuration + ## + router: + ip: "" + accessPort: {{ .Values.pipelines.router.internalPort }} + dataPort: {{ .Values.pipelines.router.externalPort }} + joinKey: "{{ .Values.pipelines.joinKey }}" + + security: + masterKey: "{{ .Values.pipelines.masterKey }}" + + ## Database configuration + ## + db: + type: "postgres" + {{- if .Values.postgresql.enabled }} + ip: {{ tpl .Release.Name . }}-postgresql + port: "{{ .Values.postgresql.service.port }}" + name: {{ .Values.postgresql.postgresqlDatabase }} + username: {{ .Values.postgresql.postgresqlUsername }} + password: {{ .Values.postgresql.postgresqlPassword }} + {{- else }} + ip: {{ tpl .Values.global.postgresql.host . }} + port: "{{ .Values.global.postgresql.port }}" + name: {{ .Values.global.postgresql.database }} + username: {{ .Values.global.postgresql.user }} + password: {{ .Values.global.postgresql.password }} + {{- end }} + externalUrl: "" + {{- if .Values.postgresql.enabled }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%s-postgresql:%v/%s" .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword .Release.Name .Values.postgresql.service.port .Values.postgresql.postgresqlDatabase) . }}" + {{- else if and (not .Values.postgresql.enabled) (.Values.global.postgresql.ssl) }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%v:%v/%s?sslmode=require" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . 
}}" + {{- else }} + connectionString: "{{ tpl (printf "postgres://%s:%s@%v:%v/%s" .Values.global.postgresql.user .Values.global.postgresql.password .Values.global.postgresql.host .Values.global.postgresql.port .Values.global.postgresql.database) . }}" + {{- end }} + + ## RabbitMQ configuration + ## + msg: + {{- if .Values.rabbitmq.enabled }} + ip: {{ .Release.Name }}-rabbitmq + port: {{ .Values.rabbitmq.service.port }} + adminPort: {{ .Values.rabbitmq.service.managerPort }} + erlangCookie: {{ .Values.rabbitmq.rabbitmq.erlangCookie }} + username: {{ .Values.rabbitmq.rabbitmq.username }} + password: {{ .Values.rabbitmq.rabbitmq.password }} + defaultExchange: pipelinesEx + amqpVhost: pipelines + amqpRootVhost: pipelinesRoot + {{- else }} + ip: {{ tpl .Values.rabbitmq.internal_ip . }} + port: {{ .Values.rabbitmq.port}} + adminPort: {{ .Values.rabbitmq.manager_port }} + erlangCookie: {{ .Values.rabbitmq.erlang_cookie }} + username: {{ .Values.rabbitmq.ms_username }} + password: {{ .Values.rabbitmq.ms_password }} + defaultExchange: {{ .Values.rabbitmq.root_vhost_exchange_name }} + amqpVhost: {{ .Values.rabbitmq.build_vhost_name}} + amqpRootVhost: {{ .Values.rabbitmq.root_vhost_name }} + protocol: {{ .Values.rabbitmq.protocol }} + {{- end }} + queues: + - "core.pipelineSync" + - "core.runTrigger" + - "core.stepTrigger" + - "core.marshaller" + - "cluster.init" + - "core.logup" + - "www.signals" + - "core.nexec" + - "core.hookHandler" + - "core.extensionSync" + ui: + {{- if .Values.rabbitmq.enabled }} + username: {{ .Values.pipelines.msg.uiUser }} + password: {{ .Values.pipelines.msg.uiUserPassword }} + {{- else }} + protocol: http + username: {{ .Values.rabbitmq.cp_username }} + password: {{ .Values.rabbitmq.cp_password }} + {{- end }} + external: + ## URL for build plane VMs to access RabbitMQ + {{- if .Values.rabbitmq.externalUrl }} + url: {{ .Values.rabbitmq.externalUrl }} + {{- else if (and .Values.rabbitmq.serviceVmLb.enabled 
.Values.rabbitmq.serviceVmLb.loadBalancerIP) }} + url: amqp://{{ .Values.rabbitmq.serviceVmLb.loadBalancerIP }} + {{- else if .Values.rabbitmq.enabled }} + url: amqp://{{ tpl .Release.Name . }}-rabbitmq + {{- else }} + url: {{ .Values.rabbitmq.protocol }}://{{ tpl .Values.rabbitmq.msg_hostname . }}:{{ .Values.rabbitmq.port }} + {{- end }} + rootUrl: "" + adminUrl: "" + {{- if not .Values.rabbitmq.enabled }} + build: + username: {{ .Values.rabbitmq.build_username }} + password: {{ .Values.rabbitmq.build_password }} + {{- end }} + + ## Vault configuration + ## + vault: + {{- if .Values.vault.enabled }} + ip: {{ include "pipelines.vault.name" . }} + port: {{ .Values.vault.service.port }} + {{- else }} + ip: {{ .Values.global.vault.host }} + port: {{ .Values.global.vault.port }} + {{- end }} + ## DO NOT CHANGE THE TOKEN VALUE!!! + token: "_VAULT_TOKEN_" + unsealKeys: + - "" + - "" + - "" + - "" + - "" + + ## Redis configuration + ## + redis: + ip: {{ .Release.Name }}-redis-master + port: 6379 + clusterEnabled: false + + ## This section is used for bringing up the core services and setting up + ## configurations required by the installer & the services + ## + core: + ## id is automatically determined based on the current hostname + ## or set using the SHARED_NODE_ID environment variable. 
+ ## + id: "afd8df9d08bf257ae9b7d7dbbf348b7a3a574ebdd3a61d350d4b64e3129dee85" + installerIP: "1.2.3.4" + installerAuthToken: "{{ .Values.pipelines.authToken }}" + installerImage: "jfrog/pipelines-installer" + registryUrl: "{{ .Values.imageRegistry }}" + os: "Ubuntu_16.04" + osDistribution: "xenial" + architecture: "x86_64" + dockerVersion: "" + runMode: "{{ .Values.runMode }}" + user: "" + group: "" + noVerifySsl: false + ignoreTLSErrors: false + controlplaneVersion: "{{ default .Chart.AppVersion .Values.pipelines.version }}" + buildplaneVersion: "{{ default .Chart.AppVersion .Values.pipelines.version }}" + accessControlAllowOrigins: + - {{ .Values.pipelines.accessControlAllowOrigins_0 }} + - {{ .Values.pipelines.accessControlAllowOrigins_1 }} + rabbitmqHealthCheckIntervalInMins: {{ .Values.pipelines.rabbitmqHealthCheckIntervalInMins}} + artifactoryHealthCheckIntervalInMins: {{ .Values.pipelines.artifactoryHealthCheckIntervalInMins}} + ## Global proxy settings, to be applied to all services + ## + proxy: + httpProxy: "" + httpsProxy: "" + noProxy: "" + username: "" + password: "" + + ## Mailserver settings + ## + mailserver: + host: "" + port: "" + username: "" + password: "" + tls: "" + ssl: "" + apiRetryIntervalMs: 3000 + accountSyncFrequencyHr: 1 + imageRegistrySecret: "{{ .Values.imagePullSecrets }}" + hardDeleteIntervalInMins: 60 + configBackupCount: 5 + lastUpdateTime: "" + callHomeUrl: "https://api.bintray.com/products/jfrog/pipelines/stats/usage" + allowCallHome: true + serviceInstanceHealthCheckIntervalInMins: 1 + serviceInstanceStatsCutOffIntervalInHours: 24 + + ## Service configuration + ## + services: + api: + name: {{ include "pipelines.api.name" . }} + port: {{ .Values.pipelines.api.service.port }} + {{- if (and .Values.pipelines.api.ingress.enabled .Values.pipelines.api.ingress.tls) }} + {{- range .Values.pipelines.api.ingress.hosts }} + externalUrl: https://{{ . 
}} + {{- end }} + {{- else if .Values.pipelines.api.ingress.enabled }} + {{- range .Values.pipelines.api.ingress.hosts }} + externalUrl: http://{{ . }} + {{- end }} + {{- else }} + externalUrl: {{ .Values.pipelines.api.externalUrl }} + {{- end }} + www: + name: {{ include "pipelines.www.name" . }} + port: {{ .Values.pipelines.www.service.port }} + {{- if (and .Values.pipelines.www.ingress.enabled .Values.pipelines.www.ingress.tls) }} + {{- range .Values.pipelines.www.ingress.hosts }} + externalUrl: https://{{ . }} + {{- end }} + {{- else if .Values.pipelines.www.ingress.enabled }} + {{- range .Values.pipelines.www.ingress.hosts }} + externalUrl: http://{{ . }} + {{- end }} + {{- else }} + externalUrl: {{ .Values.pipelines.www.externalUrl }} + {{- end }} + sessionSecret: "{{ .Values.pipelines.authToken }}" + pipelineSync: + name: pipelineSync + runTrigger: + name: runTrigger + stepTrigger: + name: stepTrigger + cron: + name: cron + nexec: + name: nexec + hookHandler: + name: hookHandler + marshaller: + name: marshaller + extensionSync: + name: extensionSync + + ## Runtime configuration + ## + runtime: + rootBucket: "{{ .Values.pipelines.rootBucket }}" + defaultMinionCount: 1 + nodeCacheIntervalMS: 600000 + jobConsoleBatchSize: 10 + jobConsoleBufferIntervalMs: 3 + maxDiskUsagePercentage: 90 + stepTimeoutMS: 3600000 + nodeStopDayOfWeek: 0 + nodeStopIntervalDays: 30 + maxNodeCheckInDelayMin: 15 + defaultMinionInstanceSize: "c4.large" + allowDynamicNodes: true + allowCustomNodes: true + {{- range $key, $value := .Values.runtimeOverride }} + {{ $key }}: {{ $value | quote }} + {{- end }} + languageImages: + - architecture: x86_64 + os: Ubuntu_16.04 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: Ubuntu_16.04 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16java + defaultVersion: 13 + - architecture: x86_64 + os: Ubuntu_16.04 + 
language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: Ubuntu_16.04 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-u16go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: Ubuntu_18.04 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: Ubuntu_18.04 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18java + defaultVersion: 13 + - architecture: x86_64 + os: Ubuntu_18.04 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: Ubuntu_18.04 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-u18go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: CentOS_7 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: CentOS_7 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7java + defaultVersion: 11 + - architecture: x86_64 + os: CentOS_7 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7cpp + defaultVersion: 3.4.2 + - architecture: x86_64 + os: CentOS_7 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: WindowsServer_2019 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19node + defaultVersion: 10.18.0 + - architecture: x86_64 + os: WindowsServer_2019 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19java + defaultVersion: 11 + - architecture: x86_64 + os: WindowsServer_2019 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19cpp + defaultVersion: 9.0.0 + - architecture: x86_64 + os: WindowsServer_2019 + language: go 
+ registryUrl: docker.bintray.io + image: jfrog/pipelines-w19go + defaultVersion: 1.12.14 + - architecture: x86_64 + os: WindowsServer_2019 + language: dotnetcore + registryUrl: docker.bintray.io + image: jfrog/pipelines-w19dotnetcore + isDefault: true + defaultVersion: 3.1 + - architecture: x86_64 + os: RHEL_7 + language: node + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7node + isDefault: true + defaultVersion: 10.18.0 + - architecture: x86_64 + os: RHEL_7 + language: java + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7java + defaultVersion: 11 + - architecture: x86_64 + os: RHEL_7 + language: cpp + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7cpp + defaultVersion: 3.4.2 + - architecture: x86_64 + os: RHEL_7 + language: go + registryUrl: docker.bintray.io + image: jfrog/pipelines-c7go + defaultVersion: 1.12.14 + + ## Runtime Override Properties Section + runtimeOverride: {} + + # Router Configuration + router: + routerConfiguration: false + topology: + external: + refresh: + interval: "3s" + serviceRegistry: + url: + + # PostgreSQL + ## https://hub.helm.sh/charts/bitnami/postgresql + ## Configuration values for the postgresql dependency + ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md + ## + postgresql: + enabled: false + + ## RabbitMQ HA + ## https://hub.helm.sh/charts/bitnami/rabbitmq + ## Configuration values for the rabbitmq dependency + ## ref: https://github.com/kubernetes/charts/blob/master/stable/rabbitmq/README.md + ## + rabbitmq: + enabled: true + protocol: amqps + replicas: 1 + + image: + registry: registry.connect.redhat.com + repository: jfrog/pipelines-rabbitmq + tag: 3.8.9 + + # DO NOT CHANGE CUSTOM INIT USER + rabbitmq: + username: user + password: bitnami + erlangCookie: PIPELINESRABBITMQCLUSTER + extraPlugins: "" + + service: + type: ClusterIP + annotations: {} + + persistence: + enabled: true + size: 20Gi + + resources: {} + affinity: {} + ingress: + ## Set to true to 
enable ingress record generation + enabled: false + + ## The list of hostnames to be covered with this ingress record. + ## Most likely this will be just one host, but in the event more hosts are needed, this is an array + # hostName: foo.bar.com + path: / + + ## Set this to true in order to enable TLS on the ingress record + ## A side effect of this will be that the backend wordpress service will be connected at port 443 + tls: true + + ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS + tlsSecret: myTlsSecret + + ## Ingress annotations done as key:value pairs + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: true + + + externalUrl: OVERRIDE + + ## Service with external/internal LoadBalancer to access RabbitMQ by Node-pool VMs + serviceVmLb: + enabled: false + + annotations: + ## Set internal LB for Azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + ## Set internal LB for AWS + # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + ## Set internal LB for GCP + # cloud.google.com/load-balancer-type: "Internal" + + ## You must to provide internal LB static IP + loadBalancerIP: + + ## Whitelist IPs allowed to LoadBalancer type services + ## Example: loadBalancerSourceRanges={82.82.190.51/32,141.141.8.8/32} + loadBalancerSourceRanges: [] + + ## Redis + ## Configuration values for the redis dependency + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/redis + ## + redis: + enabled: true + image: + registry: registry.redhat.io + repository: rhel8/redis-5 + tag: 1-98 + + redisPort: 6379 + + cluster: + enabled: false + slaveCount: 2 + + usePassword: false + + master: + command: "container-entrypoint run-redis" + configmap: |- + appendonly yes + loglevel notice + + resources: {} + # requests: + # memory: 200Mi + # cpu: 100m + # limits: + # memory: 700Mi + + affinity: {} + + slave: + resources: {} + # requests: + # memory: 200Mi + # cpu: 100m + # 
limits: + # memory: 200Mi + + affinity: {} + + ## Vault + vault: + enabled: true + updateStrategy: RollingUpdate + + image: + repository: registry.connect.redhat.com/jfrog/pipelines-vault + tag: 1.8.0 + pullPolicy: IfNotPresent + + init: + image: + repository: jfrog/pipelines-vault-init + pullPolicy: IfNotPresent + + service: + # Supported service types: ClusterIP and NodePort + type: ClusterIP + port: 30100 + + # Disable mlock only in non-prod environments + disablemlock: false + + resources: {} + # requests: + # memory: 256Mi + # cpu: 200m + # limits: + # memory: 1Gi + # cpu: 600m + + affinity: {} + nodeSelector: {} + tolerations: [] + + ## Role Based Access + ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ + rbac: + role: + ## Rules to create. It follows the role specification + rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - "*" + + # Add any list of configmaps to vault + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" + + ## Add custom volumes + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + + ## Add custom init begin containers - first init container to run + customInitContainersBegin: | + # - name: "custom-begin-setup" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy}}" + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.pipelines.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.pipelines.mountPath}}" + # name: jfrog-pipelines-folder + + ## Add custom init containers - last init container to run + customInitContainers: | + # - name: "custom-setup" + # image: "{{ .Values.initContainer.image }}" + # imagePullPolicy: "{{ .Values.initContainer.pullPolicy}}" + # command: + # 
- 'sh'
+ # - '-c'
+ # - 'touch {{ .Values.pipelines.mountPath }}/example-custom-setup'
+ # volumeMounts:
+ # - mountPath: "{{ .Values.pipelines.mountPath}}"
+ # name: jfrog-pipelines-folder
+
+
+ # Filebeat Sidecar container
+ ## The provided filebeat configuration is for Pipeline logs. It assumes you have a logstash installed and configured properly.
+ filebeat:
+ enabled: false
+
+ ##
+ rbac:
+ create: true
+
+ ## The Build Plane is where the actual builds will run
+ buildPlane:
+ ## Dynamic Build Plane integration for the initial bootstrapping of the build planes.
+ ## Any required changes post install need to be done in UI: Administration/Pipelines/Integrations
+ dynamic:
+ ## customer part is not needed for on-prem install
+ customer:
+ accountId: ""
+ nodePoolName: ""
+ nodelimit: ""
+ provider:
+ aws:
+ enabled: false
+ ## Replace the dummy values with the real ones
+ nodePoolName: "aws-dynamic-node-pool"
+ nodelimit: "3"
+ instanceType: c4.xlarge
+ securityGroupId: testsecuritygroupId
+ subnetId: test-subnetId
+ keyPairName: testaccountSSHKeyPair
+ vpcId: testVPCId
+ region: us-east-1
+ ##
+ accessKey: ""
+ secretKey: ""
+ ## Existing secret with AWS keys
+ existingSecret:
+ k8s:
+ enabled: false
+ ## Replace the dummy values with the real ones
+ nodePoolName: "k8s-dynamic-node-pool"
+ nodelimit: "3"
+ cpu: "1"
+ memory: "1000"
+ namespace: default
+ storageClass: standard
+ ## Node Affinity values: {key1:value1,key2:value2}
+ labels:
+ ## Kubernetes node pool kubeconfig base64 encoded
+ kubeconfig: ""
+ ## Existing secret with kubeconfig
+ existingSecret:
diff --git a/Openshift4/operator/pipeline-operator/licenses/LICENSE b/Openshift4/operator/pipeline-operator/licenses/LICENSE
new file mode 100755
index 0000000..d645695
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/licenses/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/Openshift4/operator/pipeline-operator/watches.yaml b/Openshift4/operator/pipeline-operator/watches.yaml
new file mode 100644
index 0000000..d9ad469
--- /dev/null
+++ b/Openshift4/operator/pipeline-operator/watches.yaml
@@ -0,0 +1,6 @@
+# Use the 'create api' subcommand to add watches to this file.
+- group: charts.my.domain
+ version: v1alpha1
+ kind: OpenshiftPipelines
+ chart: helm-charts/openshift-pipelines
+# +kubebuilder:scaffold:watch
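Review bot: The watch entry in watches.yaml registers the group `charts.my.domain`, which looks like the scaffold placeholder, while this commit's diffstat names the bundle CRD `openshiftpipelines.charts.helm.k8s.io.crd.yaml`. If that bundle CRD declares the `charts.helm.k8s.io` group, an operator installed from the bundle would watch a group with no matching CRD and never reconcile an `OpenshiftPipelines` resource. The two should be aligned, for example `- group: charts.helm.k8s.io` here, or the bundle CRD regenerated from `config/crd/bases`. Because a Helm-based operator normally renders the chart from the custom resource's spec using its own service account, a comment above the entry would also help, such as `# CR spec becomes chart values; limit create/update on OpenshiftPipelines to trusted admins`.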