treasuremap/global/software/charts/ucp/drydock/drydock.yaml


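---
# Armada chart document for the UCP Drydock release (Airship bare-metal
# provisioner). Chart source, image tags, endpoints, service accounts and
# passwords are not written here: they are pulled in by the `substitutions`
# list below when the site manifests are rendered.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: ucp-drydock
  layeringDefinition:
    abstract: false
    layer: global
  labels:
    name: ucp-drydock-global
  # cleartext is acceptable only because this document carries no secret
  # values itself: every password is substituted from a separate
  # deckhand/Passphrase/v1 document (see "Secrets" below). Keep it that way.
  storagePolicy: cleartext
  substitutions:
    # Chart source
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.ucp.drydock
      dest:
        path: .source
    # Images
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.ucp.drydock
      dest:
        path: .values.images.tags
    # Endpoints
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.identity
      dest:
        path: .values.endpoints.identity
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.postgresql
      dest:
        path: .values.endpoints.postgresql
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.physicalprovisioner
      dest:
        path: .values.endpoints.physicalprovisioner
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.maas_region
      dest:
        path: .values.endpoints.maas_region
    # Drydock log level
    - src:
        schema: nc/CorridorConfig/v1
        name: corridor-config
        path: .airship.log_level
      dest:
        path: .values.conf.drydock.logging.log_level
    # Credentials (account names and database only; passwords come from the
    # Passphrase documents further down)
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.postgres.admin
      dest:
        path: .values.endpoints.postgresql.auth.admin
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.drydock.postgres
      dest:
        path: .values.endpoints.postgresql.auth.user
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.drydock.postgres.database
      dest:
        path: .values.endpoints.postgresql.path
        # replaces the DB_NAME placeholder inside the postgresql path value
        pattern: DB_NAME
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.drydock.keystone
      dest:
        path: .values.endpoints.identity.drydock.user
    # Secrets: each passphrase lives in its own Deckhand document, which is
    # what lets this chart document stay cleartext.
    - dest:
        path: .values.endpoints.identity.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_keystone_admin_password
        path: .
    - dest:
        path: .values.endpoints.postgresql.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_postgres_admin_password
        path: .
    - dest:
        path: .values.endpoints.identity.auth.drydock.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_drydock_keystone_password
        path: .
    - dest:
        path: .values.endpoints.postgresql.auth.user.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_drydock_postgres_password
        path: .
data:
  chart_name: drydock
  release: drydock
  namespace: ucp
  wait:
    timeout: 1800
    labels:
      release_group: clcp-drydock
  test:
    enabled: true
  install:
    no_hooks: false
  upgrade:
    no_hooks: false
    pre:
      # delete jobs from the previous release before the upgrade runs
      delete:
        - type: job
          labels:
            release_group: clcp-drydock
  values:
    replicas:
      drydock: 2
    labels:
      node_selector_key: ucp-control-plane
      node_selector_value: enabled
    # TODO(sh8121): Refactor chart to support stricter security
    # but still support libvirt+ssh for virtual testing
    pod:
      mandatory_access_control:
        type: apparmor
        # per pod: container name -> AppArmor profile (init and main containers)
        drydock-api:
          init: runtime/default
          drydock-api: runtime/default
        drydock-db-init:
          init: runtime/default
          drydock-db-init: runtime/default
        drydock-db-sync:
          init: runtime/default
          drydock-db-sync: runtime/default
        drydock-api-test:
          drydock-api-test: runtime/default
        drydock-auth-test:
          drydock-auth-test: runtime/default
      security_context:
        drydock:
          pod:
            # Root inside the pod plus the writable root filesystem below is
            # the relaxation the TODO above refers to. The AppArmor profiles
            # above are the remaining confinement; revisit both settings
            # once libvirt+ssh no longer requires them.
            runAsUser: 0
          container:
            drydock_api:
              readOnlyRootFilesystem: false
    network:
      api:
        ingress:
          annotations:
            nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
            # Raw nginx directives injected by the ingress controller. They
            # take effect only where the controller permits snippet
            # annotations, so verify the headers on a rendered response
            # rather than assuming them.
            nginx.ingress.kubernetes.io/configuration-snippet: |
              more_set_headers "X-XSS-Protection: 1; mode=block";
              more_set_headers "X-Frame-Options: deny";
      drydock:
        node_port:
          enabled: false
    conf:
      uwsgi:
        threads: 1
        workers: 1
      drydock:
        DEFAULT:
          poll_interval: 30
        database:
          pool_size: 200
        plugins:
          ingester: drydock_provisioner.ingester.plugins.deckhand.DeckhandIngester
      # oslo.policy rule overrides; presumably merged over the chart's default
      # policy. NOTE(review): nesting level reconstructed from an
      # unindented copy -- confirm against the chart's values.yaml.
      policy.override:
        admin_api: role:admin or role:admin_ucp
        admin_viewer: role:admin_ucp_viewer or rule:admin_api
        drydock:read_task: rule:admin_viewer
        drydock:create_task: rule:admin_api
        drydock:validate_design: rule:admin_viewer
        drydock:verify_site: rule:admin_viewer
        drydock:prepare_site: rule:admin_api
        drydock:verify_node: rule:admin_viewer
        drydock:prepare_node: rule:admin_api
        drydock:deploy_node: rule:admin_api
        drydock:destroy_node: rule:admin_api
        drydock:relabel_node: rule:admin_api
        drydock:read_build_data: rule:admin_viewer
        # NOTE(review): "drydockd:" differs from the "drydock:" prefix used by
        # every other target here -- confirm the target name against
        # Drydock's policy definitions; an override whose target does not
        # match any enforced rule is ignored and the default stays in force.
        drydockd:read_data: rule:admin_viewer
        drydock:ingest_data: rule:admin_api
        drydock:health_data: rule:admin_api
        drydock:validate_site_design: rule:admin_viewer
  dependencies:
    - drydock-htk
...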