MAAS region & rack controller upgrade v3.2

Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952
Anselme, Schubert (sa246v) 2023-04-03 09:54:18 -04:00
parent eaabbb2722
commit 12555c6a06
139 changed files with 9862 additions and 275 deletions


@ -0,0 +1,26 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Helm-Toolkit
name: helm-toolkit
version: 0.2.54
home: https://docs.openstack.org/openstack-helm
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
sources:
- https://opendev.org/openstack/openstack-helm-infra
- https://opendev.org/openstack/openstack-helm
maintainers:
- name: OpenStack-Helm Authors
...


@ -0,0 +1,15 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
dependencies: []
...


@ -0,0 +1,58 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves database, or basic auth, style endpoints
values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
auth:
admin:
username: root
password: password
service_username:
username: username
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /dbname
scheme: mysql+pymysql
port:
mysql:
default: 3306
usage: |
{{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
return: |
mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
*/}}
{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $userclass := index . 2 -}}
{{- $port := index . 3 -}}
{{- $context := index . 4 -}}
{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
{{- $endpointUser := index $userMap "username" }}
{{- $endpointPass := index $userMap "password" }}
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
{{- end -}}
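Review bot: The username and password are interpolated verbatim into the URI by the `printf "%s://%s:%s@%s:%s%s"` on the last line of the define, so a credential containing URI-reserved characters (`@`, `:`, `/`, `#`, `%`) produces a URL whose authority part may be split differently from what was configured, and the consumer then fails to connect or authenticates against the wrong host with the error only visible in the rendered manifest. If this deployment allows such characters in generated passwords, escape both values where they are read: `{{- $endpointUser := index $userMap "username" | urlquery }}` and `{{- $endpointPass := index $userMap "password" | urlquery }}` (note `urlquery` encodes a space as `+`, so a percent-encoding helper is preferable if spaces are possible). The same unescaped pattern appears in the transport-URL lookup in the next file section, in the two `printf` lines that build `$endpointCredAndHost`.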


@ -0,0 +1,121 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves endpoint string suitible for use with oslo.messaging transport url
See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
examples:
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_messaging:
auth:
cinder:
username: cinder
password: password
statefulset:
replicas: 2
name: rabbitmq-rabbitmq
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /cinder
scheme: rabbit
port:
amqp:
default: 5672
usage: |
{{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
return: |
rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_messaging:
auth:
cinder:
username: cinder
password: password
statefulset: null
hosts:
default: rabbitmq
host_fqdn_override:
default: null
path: /cinder
scheme: rabbit
port:
amqp:
default: 5672
usage: |
{{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
return: |
rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_messaging:
auth:
cinder:
username: cinder
password: password
statefulset:
replicas: 2
name: rabbitmq-rabbitmq
hosts:
default: rabbitmq
host_fqdn_override:
default: rabbitmq.openstackhelm.org
path: /cinder
scheme: rabbit
port:
amqp:
default: 5672
usage: |
{{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
return: |
rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
*/}}
{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $userclass := index . 2 -}}
{{- $port := index . 3 -}}
{{- $context := index . 4 -}}
{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
{{- $endpointUser := index $userMap "username" }}
{{- $endpointPass := index $userMap "password" }}
{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $local := dict "endpointCredsAndHosts" list -}}
{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
{{- $endpointHostPrefix := $ssMap.name }}
{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
{{- end }}
{{- else }}
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
{{- end }}
{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
{{- end -}}


@ -0,0 +1,90 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves either the fully qualified hostname, of if defined in the host field
IPv4 for an endpoint.
examples:
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
return: |
mariadb.default.svc.cluster.local
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default:
host: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
return: |
mariadb.default.svc.cluster.local
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: 127.0.0.1
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
return: |
127.0.0.1
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default:
host: 127.0.0.1
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
return: |
127.0.0.1
*/}}
{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- $endpointScheme := $endpointMap.scheme }}
{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
{{- if kindIs "map" $context.Values.__endpointHost }}
{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
{{- end }}
{{- $endpointHost := $context.Values.__endpointHost }}
{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
{{- $endpointHostname := printf "%s" $endpointHost }}
{{- printf "%s" $endpointHostname -}}
{{- else }}
{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{- printf "%s" $endpointHostname -}}
{{- end }}
{{- end -}}
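Review bot: The `regexMatch` on the `if` line is unanchored, so any host value that merely contains a dotted-quad substring is treated as an IP literal and returned as-is, while an IPv6 literal is not matched at all and falls through to the fqdn lookup, which appends the namespace and cluster suffix to it. Anchoring the pattern, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost }}`, at least makes the IPv4 case exact; the identical pattern is used in hostname_short_endpoint_lookup and service_name_endpoint_with_namespace_lookup further down this commit and should change with it. Separately, the define keeps its scratch value in `$context.Values.__endpointHost`, which is shared state across every call in the render; the transport lookup in this commit uses a `$local := dict` for the same purpose and that style would avoid mutating Values.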


@ -0,0 +1,41 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves the port for an endpoint
values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
port:
mysql:
default: 3306
usage: |
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
return: |
3306
*/}}
{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $port := index . 2 -}}
{{- $context := index . 3 -}}
{{- $typeYamlSafe := $type | replace "-" "_" }}
{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
{{- $endpointPortMAP := index $endpointMap.port $port }}
{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
{{- printf "%1.f" $endpointPort -}}
{{- end -}}
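Review bot: `printf "%1.f"` on the last line assumes the port is a float64, which is what Helm yields for an unquoted YAML integer, but a port supplied via `--set` arrives as int64 and a quoted value as a string; in both cases Go's fmt renders a `%!f(...)` marker instead of the number, and the `eq $endpointPort "80"` / `"443"` comparison in keystone_endpoint_uri_lookup later in this commit then never matches. A conversion that accepts all three forms is `{{- printf "%d" ( int $endpointPort ) -}}`. I have not seen how this chart's values files set ports, so this may only matter for overrides.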


@ -0,0 +1,36 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Gets the token for an endpoint
values: |
endpoints:
keystone:
auth:
admin:
token: zh78JzXgw6YUKy2e
usage: |
{{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
return: |
zh78JzXgw6YUKy2e
*/}}
{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
{{- $type := index . 0 -}}
{{- $userName := index . 1 -}}
{{- $context := index . 2 -}}
{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
{{- printf "%s" $serviceToken -}}
{{- end -}}


@ -0,0 +1,59 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves 'hostname:port' for an endpoint
examples:
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: null
port:
mysql:
default: 3306
usage: |
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
return: |
mariadb.default.svc.cluster.local:3306
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: 127.0.0.1
host_fqdn_override:
default: null
port:
mysql:
default: 3306
usage: |
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
return: |
127.0.0.1:3306
*/}}
{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $port := index . 2 -}}
{{- $context := index . 3 -}}
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
{{- printf "%s:%s" $endpointHostname $endpointPort -}}
{{- end -}}


@ -0,0 +1,76 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves the fully qualified hostname for an endpoint
examples:
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
return: |
mariadb.default.svc.cluster.local
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: mariadb.openstackhelm.openstack.org
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
return: |
mariadb.openstackhelm.openstack.org
- values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default:
host: mariadb.openstackhelm.openstack.org
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
return: |
mariadb.openstackhelm.openstack.org
*/}}
{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
{{- end }}
{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
{{- printf "%s" $endpointHostname -}}
{{- else }}
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
{{- printf "%s" $endpointHostname -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,40 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves the namespace scoped hostname for an endpoint
values: |
endpoints:
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
return: |
mariadb.default
*/}}
{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
{{- printf "%s" $endpointClusterHostname -}}
{{- end -}}


@ -0,0 +1,38 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves the namespace scoped hostname for an endpoint
values: |
endpoints:
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
return: |
default
*/}}
{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
{{- printf "%s" $namespace -}}
{{- end -}}
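Review bot: The abstract `Resolves the namespace scoped hostname for an endpoint` is copied from hostname_namespaced_endpoint_lookup, but this define prints only `$namespace`, as its own example return `default` shows; change the abstract to `Resolves the namespace for an endpoint`. The `$endpoint` argument is read on the second `index` line and never used, which is fine for call-site parity with the sibling lookups but deserves a one-line comment saying so.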


@ -0,0 +1,61 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves the short hostname for an endpoint
examples:
- values: |
endpoints:
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
return: |
mariadb
- values: |
endpoints:
oslo_db:
hosts:
default:
host: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
return: |
mariadb
*/}}
{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- $endpointScheme := $endpointMap.scheme }}
{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
{{- if kindIs "map" $context.Values.__endpointHost }}
{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
{{- end }}
{{- $endpointHost := $context.Values.__endpointHost }}
{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
{{- printf "%s" $type -}}
{{- else }}
{{- $endpointHostname := printf "%s" $endpointHost }}
{{- printf "%s" $endpointHostname -}}
{{- end }}
{{- end -}}


@ -0,0 +1,34 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves the service name for an service type
values: |
endpoints:
identity:
name: keystone
usage: |
{{ tuple identity . | include "keystone_endpoint_name_lookup" }}
return: |
"keystone"
*/}}
{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
{{- $type := index . 0 -}}
{{- $context := index . 1 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- $endpointName := index $endpointMap "name" }}
{{- $endpointName | quote -}}
{{- end -}}
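Review bot: The usage example in the header comment does not match the define: it calls `include "keystone_endpoint_name_lookup"` without the `helm-toolkit.endpoints.` prefix and passes `identity` unquoted, which would be parsed as a variable reference rather than a string. Change the example to `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The documented return `"keystone"` does match the `| quote` on the output line.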


@ -0,0 +1,48 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# FIXME(portdirect): it appears the port input here serves no purpose,
# and should be removed. In addition this function is bugged, do we use it?
{{/*
abstract: |
Resolves the path for an endpoint
values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
path:
default: /dbname
port:
mysql:
default: 3306
usage: |
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
return: |
/dbname
*/}}
{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $port := index . 2 -}}
{{- $context := index . 3 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- if kindIs "string" $endpointMap.path }}
{{- printf "%s" $endpointMap.path | default "/" -}}
{{- else -}}
{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
{{- printf "%s" $endpointPath -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,55 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# FIXME(portdirect): it appears the port input here serves no purpose,
# and should be removed. In addition this function is bugged, do we use it?
{{/*
abstract: |
Resolves the scheme for an endpoint
values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
scheme:
default:
mysql+pymysql
port:
mysql:
default: 3306
usage: |
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
return: |
mysql+pymysql
*/}}
# This function returns the scheme for a service, it takes an tuple
# input in the form: service-type, endpoint-class, port-name. eg:
# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
# will return the scheme setting for this particular endpoint. In other words, for most endpoints
# it will return either 'http' or 'https'
{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $port := index . 2 -}}
{{- $context := index . 3 -}}
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
{{- if kindIs "string" $endpointMap.scheme }}
{{- printf "%s" $endpointMap.scheme | default "http" -}}
{{- else -}}
{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
{{- printf "%s" $endpointScheme -}}
{{- end -}}
{{- end -}}
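Review bot: The trailing `#` comment block above the define gives the example `include "helm-toolkit.endpoints.keystone_scheme_lookup"`, which is not the name defined two lines later; change it to `include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup"` so copy-pasting the example works. That block also sits outside the `{{/* */}}` comment, so it is plain template text; whether it is discarded depends on the file being a `_`-prefixed partial, which the page does not show, so it is worth confirming or folding it into the YAML-style header comment.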


@ -0,0 +1,52 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
This function helps resolve uri style endpoints. It will omit the port for
http when 80 is used, and 443 in the case of https.
values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /dbname
scheme: mysql+pymysql
port:
mysql:
default: 3306
usage: |
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
return: |
mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
*/}}
{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $port := index . 2 -}}
{{- $context := index . 3 -}}
{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
{{- else -}}
{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,61 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
This function returns endpoint "<namespace>:<name>" pair from an endpoint
definition. This is used in kubernetes-entrypoint to support dependencies
between different services in different namespaces.
returns: the endpoint namespace and the service name, delimited by a colon
Normally, the service name is constructed dynamically from the hostname
however when an ip address is used as the hostname, we default to
namespace:endpointCategoryName in order to construct a valid service name
however this can be overridden to a custom service name by defining
.service.name within the endpoint definition
values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
namespace: foo
hosts:
default: mariadb
host_fqdn_override:
default: null
usage: |
{{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
return: |
foo:mariadb
*/}}
{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $typeYamlSafe := $type | replace "-" "_" }}
{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
{{- with $endpointMap -}}
{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
{{- if .service.name }}
{{- printf "%s:%s" $endpointNamespace .service.name -}}
{{- else -}}
{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
{{- end -}}
{{- else -}}
{{- printf "%s:%s" $endpointNamespace $endpointName -}}
{{- end -}}
{{- end -}}
{{- end -}}
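Review bot: `{{- if .service.name }}` fails at render time when the endpoint map has no `service` key, because `.service` evaluates to nil and the template engine refuses to look up `.name` on it (the familiar `nil pointer evaluating interface {}.name` error); the header comment describes `.service.name` as an optional override, so an IP-address host without a `service` block currently breaks rendering instead of falling back to `$typeYamlSafe`. Guard the lookup, e.g. `{{- if (.service | default dict).name }}`. No example value for the IP branch is shown, so please confirm with a test render that sets `hosts.default` to an IP literal.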


@ -0,0 +1,111 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Creates a manifest for kubernete ceph storageclass
examples:
- values: |
manifests:
storageclass: true
storageclass:
rbd:
provision_storage_class: true
provisioner: "ceph.com/rbd"
metadata:
default_storage_class: true
name: general
parameters:
#We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
pool: rbd
admin_id: admin
ceph_configmap_name: "ceph-etc"
admin_secret_name: "pvc-ceph-conf-combined-storageclass"
admin_secret_namespace: ceph
user_id: admin
user_secret_name: "pvc-ceph-client-key"
image_format: "2"
image_features: layering
cephfs:
provision_storage_class: true
provisioner: "ceph.com/cephfs"
metadata:
name: cephfs
parameters:
admin_id: admin
admin_secret_name: "pvc-ceph-cephfs-client-key"
admin_secret_namespace: ceph
usage: |
{{- range $storageclass, $val := .Values.storageclass }}
{{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
{{- end }}
return: |
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
annotations:
storageclass.kubernetes.io/is-default-class: "true"
name: general
provisioner: ceph.com/rbd
parameters:
monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
adminId: admin
adminSecretName: pvc-ceph-conf-combined-storageclass
adminSecretNamespace: ceph
pool: rbd
userId: admin
userSecretName: pvc-ceph-client-key
image_format: "2"
image_features: layering
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs
provisioner: ceph.com/cephfs
parameters:
monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
adminId: admin
adminSecretName: pvc-ceph-cephfs-client-key
adminSecretNamespace: ceph
*/}}
{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
{{- $envAll := index . "envAll" -}}
{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
{{- if empty $monHost -}}
{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
{{- end -}}
{{- $storageclassData := index . "storageclass_data" -}}
---
{{- if $storageclassData.provision_storage_class }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
{{- if $storageclassData.metadata.default_storage_class }}
annotations:
storageclass.kubernetes.io/is-default-class: "true"
{{- end }}
name: {{ $storageclassData.metadata.name }}
provisioner: {{ $storageclassData.provisioner }}
parameters:
monitors: {{ $monHost }}
{{- range $attr, $value := $storageclassData.parameters }}
{{ $attr }}: {{ $value | quote }}
{{- end }}
allowVolumeExpansion: true
{{- end }}
{{- end }}
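Review bot: The `return:` example in the header comment is out of step with the template body: every rendered StorageClass ends with `allowVolumeExpansion: true`, but neither example document shows it, so that line should be added under both examples. Separately, `$envAll.Values.conf.ceph.global.mon_host` is dereferenced before the `empty` check, so a values file without a `conf.ceph.global` block aborts rendering with a nil-pointer error instead of reaching the endpoint-lookup fallback on the next line; either guard the lookup with `hasKey` or state in the abstract that `conf.ceph.global.mon_host` is a required key (it may be empty, but it must exist). A short comment on the `parameters` loop would also help the next reader: every value is passed through `quote` because StorageClass `parameters` is a string map, which is why the `image_format: "2"` example renders as a string rather than an integer.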


@ -0,0 +1,108 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Creates a certificate using jetstack
examples:
- values: |
endpoints:
dashboard:
host_fqdn_override:
default:
host: null
tls:
secretName: keystone-tls-api
issuerRef:
name: ca-issuer
duration: 2160h
organization:
- ACME
commonName: keystone-api.openstack.svc.cluster.local
privateKey:
size: 2048
usages:
- server auth
- client auth
dnsNames:
- cluster.local
issuerRef:
name: ca-issuer
usage: |
{{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
{{ $opts | include "helm-toolkit.manifests.certificates" }}
return: |
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: keystone-tls-api
namespace: NAMESPACE
spec:
commonName: keystone-api.openstack.svc.cluster.local
dnsNames:
- cluster.local
duration: 2160h
issuerRef:
name: ca-issuer
privateKey:
size: 2048
organization:
- ACME
secretName: keystone-tls-api
usages:
- server auth
- client auth
*/}}
{{- define "helm-toolkit.manifests.certificates" -}}
{{- $envAll := index . "envAll" -}}
{{- $service := index . "service" -}}
{{- $type := index . "type" | default "" -}}
{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
{{/* Put in some sensible default value if one is not provided by values.yaml */}}
{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
{{- if not (hasKey $slice "dnsNames") -}}
{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
{{- end -}}
{{/* Default privateKey size to 4096. This can be overridden. */}}
{{- if not (hasKey $slice "privateKey") -}}
{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
{{- end -}}
{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
{{- if not (hasKey $slice "duration") -}}
{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
{{- end -}}
{{/* Default renewBefore to 15 days. This can be overridden. */}}
{{- if not (hasKey $slice "renewBefore") -}}
{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
{{- end -}}
{{/* Default the usage to server auth and client auth. This can be overridden. */}}
{{- if not (hasKey $slice "usages") -}}
{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
{{- end -}}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
namespace: {{ $envAll.Release.Namespace }}
spec:
{{ $slice | toYaml | indent 2 }}
{{- end -}}
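Review bot: The `return:` example omits `renewBefore: 360h`, which this template injects whenever the values do not set it (the example values do not), so the documented output is incomplete; add that line to the example alongside `duration`. The defaults are written with `set` into the live `$envAll.Values.endpoints.<service>.host_fqdn_override.default.tls` map rather than a copy, so they are visible to any template rendered later in the same release — worth a one-line comment at the top of the define, e.g. `{{/* NOTE: the defaults below are written back into .Values and are visible to templates rendered after this one */}}`. Finally, `{{ $slice | toYaml | indent 2 }}` dumps every key under `tls` into `spec:`, so any extra keys placed there (the ingress examples elsewhere in this commit put static `crt`/`key`/`ca` under the same `tls` map) would end up in the Certificate spec; documenting that this map must contain only cert-manager `spec` fields would avoid surprising API validation failures.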


@ -0,0 +1,727 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Creates a manifest for a services ingress rules.
examples:
- values: |
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
secrets:
tls:
key_manager:
api:
public: barbican-tls-public
endpoints:
cluster_domain_suffix: cluster.local
key_manager:
name: barbican
hosts:
default: barbican-api
public: barbican
host_fqdn_override:
default: null
public:
host: barbican.openstackhelm.example
tls:
crt: |
FOO-CRT
key: |
FOO-KEY
ca: |
FOO-CA_CRT
path:
default: /
scheme:
default: http
public: https
port:
api:
default: 9311
public: 80
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
return: |
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: barbican
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: barbican
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default.svc.cluster.local
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: barbican-namespace-fqdn
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- secretName: barbican-tls-public
hosts:
- barbican.openstackhelm.example
rules:
- host: barbican.openstackhelm.example
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: barbican-cluster-fqdn
annotations:
kubernetes.io/ingress.class: "nginx-cluster"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- secretName: barbican-tls-public
hosts:
- barbican.openstackhelm.example
rules:
- host: barbican.openstackhelm.example
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- values: |
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
secrets:
tls:
key_manager:
api:
public: barbican-tls-public
endpoints:
cluster_domain_suffix: cluster.local
key_manager:
name: barbican
hosts:
default: barbican-api
public:
host: barbican
tls:
crt: |
FOO-CRT
key: |
FOO-KEY
ca: |
FOO-CA_CRT
host_fqdn_override:
default: null
path:
default: /
scheme:
default: http
public: https
port:
api:
default: 9311
public: 80
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
return: |
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: barbican
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- secretName: barbican-tls-public
hosts:
- barbican
- barbican.default
- barbican.default.svc.cluster.local
rules:
- host: barbican
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default.svc.cluster.local
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- values: |
cert_issuer_type: issuer
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/backend-protocol: "https"
secrets:
tls:
key_manager:
api:
public: barbican-tls-public
internal: barbican-tls-api
endpoints:
cluster_domain_suffix: cluster.local
key_manager:
name: barbican
hosts:
default: barbican-api
public:
host: barbican
tls:
crt: |
FOO-CRT
key: |
FOO-KEY
ca: |
FOO-CA_CRT
host_fqdn_override:
default: null
path:
default: /
scheme:
default: http
public: https
port:
api:
default: 9311
public: 80
certs:
barbican_tls_api:
secretName: barbican-tls-api
issuerRef:
name: ca-issuer
kind: Issuer
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
return: |
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: barbican
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/issuer: ca-issuer
certmanager.k8s.io/issuer: ca-issuer
nginx.ingress.kubernetes.io/backend-protocol: https
nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
tls:
- secretName: barbican-tls-public-certmanager
hosts:
- barbican
- barbican.default
- barbican.default.svc.cluster.local
rules:
- host: barbican
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default.svc.cluster.local
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- values: |
network:
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/backend-protocol: "https"
secrets:
tls:
key_manager:
api:
public: barbican-tls-public
internal: barbican-tls-api
endpoints:
cluster_domain_suffix: cluster.local
key_manager:
name: barbican
hosts:
default: barbican-api
public:
host: barbican
tls:
crt: |
FOO-CRT
key: |
FOO-KEY
ca: |
FOO-CA_CRT
host_fqdn_override:
default: null
path:
default: /
scheme:
default: http
public: https
port:
api:
default: 9311
public: 80
certs:
barbican_tls_api:
secretName: barbican-tls-api
issuerRef:
name: ca-issuer
kind: ClusterIssuer
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
return: |
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: barbican
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: ca-issuer
certmanager.k8s.io/cluster-issuer: ca-issuer
nginx.ingress.kubernetes.io/backend-protocol: https
nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
tls:
- secretName: barbican-tls-public-certmanager
hosts:
- barbican
- barbican.default
- barbican.default.svc.cluster.local
rules:
- host: barbican
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
- host: barbican.default.svc.cluster.local
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: barbican-api
port:
name: b-api
# Sample usage for multiple DNS names associated with the same public
# endpoint and certificate
- values: |
endpoints:
cluster_domain_suffix: cluster.local
grafana:
name: grafana
hosts:
default: grafana-dashboard
public: grafana
host_fqdn_override:
public:
host: grafana.openstackhelm.example
tls:
dnsNames:
- grafana-alt.openstackhelm.example
crt: "BASE64 ENCODED CERT"
key: "BASE64 ENCODED KEY"
network:
grafana:
ingress:
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
secrets:
tls:
grafana:
grafana:
public: grafana-tls-public
usage: |
{{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
return: |
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: grafana
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: grafana
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: grafana-dashboard
port:
name: dashboard
- host: grafana.default
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: grafana-dashboard
port:
name: dashboard
- host: grafana.default.svc.cluster.local
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: grafana-dashboard
port:
name: dashboard
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: grafana-namespace-fqdn
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- secretName: grafana-tls-public
hosts:
- grafana.openstackhelm.example
- grafana-alt.openstackhelm.example
rules:
- host: grafana.openstackhelm.example
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: grafana-dashboard
port:
name: dashboard
- host: grafana-alt.openstackhelm.example
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: grafana-dashboard
port:
name: dashboard
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: grafana-cluster-fqdn
annotations:
kubernetes.io/ingress.class: "nginx-cluster"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- secretName: grafana-tls-public
hosts:
- grafana.openstackhelm.example
- grafana-alt.openstackhelm.example
rules:
- host: grafana.openstackhelm.example
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: grafana-dashboard
port:
name: dashboard
- host: grafana-alt.openstackhelm.example
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: grafana-dashboard
port:
name: dashboard
*/}}
{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
{{- $vHost := index . "vHost" -}}
{{- $backendName := index . "backendName" -}}
{{- $backendPort := index . "backendPort" -}}
- host: {{ $vHost }}
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: {{ $backendName }}
port:
{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
number: {{ $backendPort | int }}
{{- else }}
name: {{ $backendPort | quote }}
{{- end }}
{{- end }}
{{- define "helm-toolkit.manifests.ingress" -}}
{{- $envAll := index . "envAll" -}}
{{- $backendService := index . "backendService" | default "api" -}}
{{- $backendServiceType := index . "backendServiceType" -}}
{{- $backendPort := index . "backendPort" -}}
{{- $endpoint := index . "endpoint" | default "public" -}}
{{- $certIssuer := index . "certIssuer" | default "" -}}
{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{- $certIssuerType := "cluster-issuer" -}}
{{- if $envAll.Values.cert_issuer_type }}
{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
{{- end }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $ingressName }}
annotations:
kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
{{- if $certIssuer }}
cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
{{- if (hasKey $slice "duration") }}
cert-manager.io/duration: {{ index $slice "duration" }}
{{- end }}
{{- end }}
{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
spec:
{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
{{- if $certIssuer }}
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
tls:
- secretName: {{ printf "%s-ing" $secretName }}
hosts:
{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
- {{ $vHost }}
{{- end }}
{{- else }}
{{- if hasKey $host $endpoint }}
{{- $endpointHost := index $host $endpoint }}
{{- if kindIs "map" $endpointHost }}
{{- if hasKey $endpointHost "tls" }}
{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
tls:
- secretName: {{ $secretName }}
hosts:
{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
- {{ $vHost }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
{{- end }}
{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
{{- $ingressConf := $envAll.Values.network -}}
{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
{{- range $key2, $ingressController := $ingressClasses }}
{{- $vHosts := list $hostNameFull }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
annotations:
kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
spec:
{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
{{- if hasKey $host $endpoint }}
{{- $endpointHost := index $host $endpoint }}
{{- if kindIs "map" $endpointHost }}
{{- if hasKey $endpointHost "tls" }}
{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
{{- $vHosts = append $vHosts $v }}
{{- end }}
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
tls:
- secretName: {{ $secretName }}
hosts:
{{- range $vHost := $vHosts }}
- {{ $vHost }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- range $vHost := $vHosts }}
{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
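Review bot: The cert-manager examples in the header comment (the third and fourth `return:` blocks) show `secretName: barbican-tls-public-certmanager`, but the template emits `printf "%s-ing" $secretName`, i.e. `barbican-tls-public-ing`; either the examples or the suffix should be corrected so they agree. The `kubernetes.io/ingress.class` annotation is deprecated for `networking.k8s.io/v1` Ingress in favour of `spec.ingressClassName`; since the class name is already resolved from `classes.namespace` / `$ingressController`, emitting `ingressClassName:` under `spec:` next to the annotation would keep these manifests working on controllers that no longer honour the annotation. In `_host_rules`, `or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort)` relies on `or` short-circuiting so that `regexMatch` is never handed an integer; that holds for Helm builds on Go 1.18 and later, so if older releases must render this toolkit the check should be nested as two `if`s instead.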


@ -0,0 +1,141 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for db creation and user management.
# It can be used in charts dict created similar to the following:
# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
{{- define "helm-toolkit.manifests.job_bootstrap" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $podVolMounts := index . "podVolMounts" | default false -}}
{{- $podVols := index . "podVols" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
{{- $openrc := index . "openrc" | default "true" -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
labels:
{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: bootstrap
image: {{ $envAll.Values.images.tags.bootstrap }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{- if eq $openrc "true" }}
env:
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
{{- end }}
command:
- /bin/bash
- -c
- /tmp/bootstrap.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: bootstrap-sh
mountPath: /tmp/bootstrap.sh
subPath: bootstrap.sh
readOnly: true
- name: etc-service
mountPath: {{ dir $configFile | quote }}
- name: bootstrap-conf
mountPath: {{ $configFile | quote }}
subPath: {{ base $configFile | quote }}
readOnly: true
- name: bootstrap-conf
mountPath: {{ $logConfigFile | quote }}
subPath: {{ base $logConfigFile | quote }}
readOnly: true
{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: bootstrap-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
- name: etc-service
emptyDir: {}
- name: bootstrap-conf
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }}
{{ $podVols | toYaml | indent 8 }}
{{- end }}
{{- end }}
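Review bot: The header comment at the top of this file describes "db creation and user management", which is the wording of the database job templates; this define renders a bootstrap Job that runs `/tmp/bootstrap.sh` with the service's Keystone openrc environment, so it should read `# This function creates a manifest for a service bootstrap job (runs /tmp/bootstrap.sh from the service's bin ConfigMap or secret).` The usage snippet in the same comment also drops a brace on each line (`{- $bootstrapJob := ...` and `{ $bootstrapJob | include ... }`), so it cannot be pasted as-is; it should be `{{- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}}` followed by `{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}`. Note also that `openrc` defaults to the string `"true"` and is compared with `eq $openrc "true"`, so callers must pass `"false"` as a string to suppress the Keystone env block; a comment on the `$openrc` line stating that would save a debugging round.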


@ -0,0 +1,170 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for db creation and user management.
# It can be used in charts dict created similar to the following:
# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
#
# If the service does not use oslo then the db can be managed with:
# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
labels:
{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
{{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
{{- range $key1, $dbToDrop := $dbsToDrop }}
{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
- name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
image: {{ $envAll.Values.images.tags.db_drop }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: ROOT_DB_CONNECTION
valueFrom:
secretKeyRef:
name: {{ $dbToDrop.adminSecret | quote }}
key: DB_CONNECTION
{{- if eq $dbToDropType "oslo" }}
- name: OPENSTACK_CONFIG_FILE
value: {{ $dbToDrop.configFile | quote }}
- name: OPENSTACK_CONFIG_DB_SECTION
value: {{ $dbToDrop.configDbSection | quote }}
- name: OPENSTACK_CONFIG_DB_KEY
value: {{ $dbToDrop.configDbKey | quote }}
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
{{- if eq $dbToDropType "secret" }}
- name: DB_CONNECTION
valueFrom:
secretKeyRef:
name: {{ $dbToDrop.userSecret | quote }}
key: DB_CONNECTION
{{- end }}
command:
- /tmp/db-drop.py
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: db-drop-sh
mountPath: /tmp/db-drop.py
subPath: db-drop.py
readOnly: true
{{- if eq $dbToDropType "oslo" }}
- name: etc-service
mountPath: {{ dir $dbToDrop.configFile | quote }}
- name: db-drop-conf
mountPath: {{ $dbToDrop.configFile | quote }}
subPath: {{ base $dbToDrop.configFile | quote }}
readOnly: true
- name: db-drop-conf
mountPath: {{ $dbToDrop.logConfigFile | quote }}
subPath: {{ base $dbToDrop.logConfigFile | quote }}
readOnly: true
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: db-drop-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- $local := dict "configMapBinFirst" true -}}
{{- range $key1, $dbToDrop := $dbsToDrop }}
{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
{{- $_ := set $local "configMapBinFirst" false }}
- name: etc-service
emptyDir: {}
- name: db-drop-conf
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
{{- end -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,169 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for db creation and user management.
# It can be used in charts dict created similar to the following:
# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
#
# If the service does not use oslo then the db can be managed with:
# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
labels:
{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
{{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
{{- range $key1, $dbToInit := $dbsToInit }}
{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
- name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
image: {{ $envAll.Values.images.tags.db_init }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: ROOT_DB_CONNECTION
valueFrom:
secretKeyRef:
name: {{ $dbToInit.adminSecret | quote }}
key: DB_CONNECTION
{{- if eq $dbToInitType "oslo" }}
- name: OPENSTACK_CONFIG_FILE
value: {{ $dbToInit.configFile | quote }}
- name: OPENSTACK_CONFIG_DB_SECTION
value: {{ $dbToInit.configDbSection | quote }}
- name: OPENSTACK_CONFIG_DB_KEY
value: {{ $dbToInit.configDbKey | quote }}
{{- end }}
{{- if eq $dbToInitType "secret" }}
- name: DB_CONNECTION
valueFrom:
secretKeyRef:
name: {{ $dbToInit.userSecret | quote }}
key: DB_CONNECTION
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
- name: MARIADB_X509
value: "REQUIRE X509"
{{- end }}
command:
- /tmp/db-init.py
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: db-init-sh
mountPath: /tmp/db-init.py
subPath: db-init.py
readOnly: true
{{- if eq $dbToInitType "oslo" }}
- name: etc-service
mountPath: {{ dir $dbToInit.configFile | quote }}
- name: db-init-conf
mountPath: {{ $dbToInit.configFile | quote }}
subPath: {{ base $dbToInit.configFile | quote }}
readOnly: true
- name: db-init-conf
mountPath: {{ $dbToInit.logConfigFile | quote }}
subPath: {{ base $dbToInit.logConfigFile | quote }}
readOnly: true
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: db-init-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- $local := dict "configMapBinFirst" true -}}
{{- range $key1, $dbToInit := $dbsToInit }}
{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
{{- $_ := set $local "configMapBinFirst" false }}
- name: etc-service
emptyDir: {}
- name: db-init-conf
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
{{- end -}}
{{- end -}}
{{- end -}}
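Review bot: The db-init pod `spec:` and its container are rendered without the `kubernetes_pod_security_context` / `kubernetes_container_security_context` snippets that `job_ks_user` in this same commit includes after `serviceAccountName:` and after the resources line, so this job runs with whatever the cluster defaults are rather than the values-driven `runAsUser` / `allowPrivilegeEscalation` settings; `job_db_sync`, `job_ks_endpoints` and `job_ks_service` have the same gap. Adding `{{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` at pod level and the container variant (`"container" "db_init"`, `indent 10`) inside the container would align them, on the assumption that the snippet renders nothing when the values key is absent — the snippet is defined outside this hunk, so confirm that before relying on it. Separately, `{{ $dbToInitType := default "oslo" $dbToInit.inputType }}` in the containers range lacks the left-trim marker that the identical assignment in the volumes range has, so each rendered container is preceded by a stray blank line; `{{- $dbToInitType := default "oslo" $dbToInit.inputType }}` matches the later form. If this directory is a vendored copy of upstream helm-toolkit, these changes belong upstream rather than in a local fork.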


@ -0,0 +1,137 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for db migration and management.
# It can be used in charts dict created similar to the following:
# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
{{- define "helm-toolkit.manifests.job_db_sync" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
{{- $podVolMounts := index . "podVolMounts" | default false -}}
{{- $podVols := index . "podVols" | default false -}}
{{- $podEnvVars := index . "podEnvVars" | default false -}}
{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
labels:
{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
{{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
image: {{ $dbToSync.image | quote }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{- if $podEnvVars }}
env:
{{ $podEnvVars | toYaml | indent 12 }}
{{- end }}
command:
- /bin/bash
- -c
- /tmp/db-sync.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: db-sync-sh
mountPath: /tmp/db-sync.sh
subPath: db-sync.sh
readOnly: true
- name: etc-service
mountPath: {{ dir $dbToSync.configFile | quote }}
- name: db-sync-conf
mountPath: {{ $dbToSync.configFile | quote }}
subPath: {{ base $dbToSync.configFile | quote }}
readOnly: true
- name: db-sync-conf
mountPath: {{ $dbToSync.logConfigFile | quote }}
subPath: {{ base $dbToSync.logConfigFile | quote }}
readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: db-sync-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
- name: etc-service
emptyDir: {}
- name: db-sync-conf
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }}
{{ $podVols | toYaml | indent 8 }}
{{- end }}
{{- end }}


@ -0,0 +1,130 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for keystone service management.
# It can be used in charts dict created similar to the following:
# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $serviceTypes := index . "serviceTypes" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $secretBin := index . "secretBin" -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $restartPolicy_ := "OnFailure" -}}
{{- if hasKey $envAll.Values "jobs" -}}
{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
{{- end }}
{{- end }}
{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
labels:
{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: {{ $restartPolicy }}
{{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
{{- range $key1, $osServiceType := $serviceTypes }}
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
- name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
image: {{ $envAll.Values.images.tags.ks_endpoints }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /bin/bash
- -c
- /tmp/ks-endpoints.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: ks-endpoints-sh
mountPath: /tmp/ks-endpoints.sh
subPath: ks-endpoints.sh
readOnly: true
{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: OS_SVC_ENDPOINT
value: {{ $osServiceEndPoint | quote }}
- name: OS_SERVICE_NAME
value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
- name: OS_SERVICE_TYPE
value: {{ $osServiceType | quote }}
- name: OS_SERVICE_ENDPOINT
value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
{{- end }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: ks-endpoints-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
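Review bot: The `OS_SERVICE_NAME` value in the container env is rendered unquoted (`value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`) while every neighbouring env value goes through `| quote`, so a looked-up name that YAML would read as a non-string scalar (or one containing `: ` / ` #`) changes type or breaks the manifest; `value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | quote }}` keeps it a string. `job_ks_service` has the same unquoted line. The lookup helper is defined outside this hunk, so whether it already quotes its output cannot be confirmed here.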


@ -0,0 +1,124 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for keystone service management.
# It can be used in charts dict created similar to the following:
# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
{{- define "helm-toolkit.manifests.job_ks_service" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $serviceTypes := index . "serviceTypes" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $secretBin := index . "secretBin" -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $restartPolicy_ := "OnFailure" -}}
{{- if hasKey $envAll.Values "jobs" -}}
{{- if hasKey $envAll.Values.jobs "ks_service" -}}
{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
{{- end }}
{{- end }}
{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
labels:
{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: {{ $restartPolicy }}
{{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
{{- range $key1, $osServiceType := $serviceTypes }}
- name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
image: {{ $envAll.Values.images.tags.ks_service }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /bin/bash
- -c
- /tmp/ks-service.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: ks-service-sh
mountPath: /tmp/ks-service.sh
subPath: ks-service.sh
readOnly: true
{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: OS_SERVICE_NAME
value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
- name: OS_SERVICE_TYPE
value: {{ $osServiceType | quote }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: ks-service-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}


@ -0,0 +1,154 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for keystone user management.
# It can be used in charts dict created similar to the following:
# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
{{/*
# To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
# example:
# values: |
# pod:
# security_context:
# ks_user:
# pod:
# runAsUser: 65534
# To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
# example:
# values: |
# pod:
# security_context:
# ks_user:
# container:
# ks-user:
# runAsUser: 65534
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
*/}}
{{- define "helm-toolkit.manifests.job_ks_user" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
{{- $secretBin := index . "secretBin" -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
{{- $restartPolicy_ := "OnFailure" -}}
{{- if hasKey $envAll.Values "jobs" -}}
{{- if hasKey $envAll.Values.jobs "ks_user" -}}
{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
{{- end }}
{{- end }}
{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
labels:
{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
restartPolicy: {{ $restartPolicy }}
{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: ks-user
image: {{ $envAll.Values.images.tags.ks_user }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /bin/bash
- -c
- /tmp/ks-user.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: ks-user-sh
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
value: {{ $serviceName | quote }}
{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_ROLES
{{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
{{- if kindIs "slice" $serviceOsRoles }}
value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
{{- else }}
value: {{ $serviceOsRoles | quote }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: ks-user-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}}


@ -0,0 +1,129 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
labels:
{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
restartPolicy: OnFailure
{{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: rabbit-init
image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /bin/bash
- -c
- /tmp/rabbit-init.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rabbit-init-sh
mountPath: /tmp/rabbit-init.sh
subPath: rabbit-init.sh
readOnly: true
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
env:
- name: RABBITMQ_ADMIN_CONNECTION
valueFrom:
secretKeyRef:
name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
key: RABBITMQ_CONNECTION
- name: RABBITMQ_USER_CONNECTION
valueFrom:
secretKeyRef:
name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
key: RABBITMQ_CONNECTION
{{- if $envAll.Values.conf.rabbitmq }}
- name: RABBITMQ_AUXILIARY_CONFIGURATION
value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
{{- end }}
{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
- name: RABBITMQ_X509
value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: rabbit-init-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- end -}}
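Review bot: The rabbit-init container carries no container security context, whereas the ks-user container at the top of this page includes `helm-toolkit.snippets.kubernetes_container_security_context`; adding `{{ dict "envAll" $envAll "application" "rabbit_init" "container" "rabbit_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources line lets charts run it non-root with capabilities dropped like the other jobs. The TLS conditions also differ: the `tls_volume_mount` include is gated on `manifests.certificates` alone, while `RABBITMQ_X509` is additionally gated on `ne $tlsSecret ""`, so with certificates enabled and no secret name the mount snippet is invoked with an empty name; whether that is harmless depends on the snippet, which is not visible here. If this chart is a verbatim vendored copy of upstream helm-toolkit, both points belong upstream rather than in this commit.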


@ -0,0 +1,147 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for linking an s3 bucket to an s3 user.
# It can be used in charts dict created similar to the following:
# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
labels:
{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
restartPolicy: OnFailure
{{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: s3-bucket
image: {{ $envAll.Values.images.tags.s3_bucket }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /bin/bash
- -c
- /tmp/create-s3-bucket.sh
env:
{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
{{- end }}
{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: s3-bucket-sh
mountPath: /tmp/create-s3-bucket.sh
subPath: create-s3-bucket.sh
readOnly: true
- name: etcceph
mountPath: /etc/ceph
- name: ceph-etc
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
{{ end }}
{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
- name: {{ $tlsCertificateSecret }}
mountPath: {{ $tlsCertificatePath }}
subPath: ca.crt
readOnly: true
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: s3-bucket-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
- name: etcceph
emptyDir: {}
- name: ceph-etc
configMap:
name: {{ $configMapCeph | quote }}
defaultMode: 0444
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
secret:
secretName: pvc-ceph-client-key
{{ end }}
{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
- name: {{ $tlsCertificateSecret }}
secret:
secretName: {{ $tlsCertificateSecret }}
defaultMode: 292
{{- end }}
{{- end -}}
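Review bot: `$s3UserSecret` is assigned at the top of this template but never referenced in it, and the same dead assignment appears in job_s3_user further down; either drop it or use it where the per-service user secret is meant to be wired in. `defaultMode: 292` on the TLS CA volume is the decimal spelling of the `0444` used two volumes earlier; `defaultMode: 0444` would read consistently. The CA volume is also named after `$tlsCertificateSecret`, and a Secret name may contain dots or exceed the DNS-label limit a volume name must satisfy, so a fixed name such as `- name: tls-ca` in both the volumeMounts and volumes entries is safer.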


@ -0,0 +1,159 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for s3 user management.
# It can be used in charts dict created similar to the following:
# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
{{- define "helm-toolkit.manifests.job_s3_user" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
labels:
{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook-delete-policy": before-hook-creation
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
spec:
serviceAccountName: {{ $serviceAccountName | quote }}
restartPolicy: OnFailure
{{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: ceph-keyring-placement
image: {{ $envAll.Values.images.tags.ceph_key_placement }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
command:
- /tmp/ceph-admin-keyring.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: etcceph
mountPath: /etc/ceph
- name: ceph-keyring-sh
mountPath: /tmp/ceph-admin-keyring.sh
subPath: ceph-admin-keyring.sh
readOnly: true
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
{{ end }}
containers:
- name: s3-user
image: {{ $envAll.Values.images.tags.s3_user }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /bin/bash
- -c
- /tmp/create-s3-user.sh
env:
{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
{{- end }}
{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
- name: RGW_HOST
value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: create-s3-user-sh
mountPath: /tmp/create-s3-user.sh
subPath: create-s3-user.sh
readOnly: true
- name: etcceph
mountPath: /etc/ceph
- name: ceph-etc
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: create-s3-user-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
- name: ceph-keyring-sh
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
- name: etcceph
emptyDir: {}
- name: ceph-etc
configMap:
name: {{ $configMapCeph | quote }}
defaultMode: 0444
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
- name: ceph-keyring
secret:
secretName: pvc-ceph-client-key
{{ end }}
{{- end -}}


@ -0,0 +1,119 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for the image repo sync jobs.
# It can be used in charts dict created similar to the following:
# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $podVolMounts := index . "podVolMounts" | default false -}}
{{- $podVols := index . "podVols" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
labels:
{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 4 }}
{{- end }}
annotations:
"helm.sh/hook-delete-policy": before-hook-creation
{{- if $jobAnnotations }}
{{ toYaml $jobAnnotations | indent 4 }}
{{- end }}
spec:
backoffLimit: {{ $backoffLimit }}
{{- if $activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
{{- end }}
template:
metadata:
labels:
{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{- if $jobLabels }}
{{ toYaml $jobLabels | indent 8 }}
{{- end }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
nodeSelector:
{{ toYaml $nodeSelector | indent 8 }}
{{- if $tolerationsEnabled }}
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{- end}}
initContainers:
{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: image-repo-sync
{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: LOCAL_REPO
value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
- name: IMAGE_SYNC_LIST
value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
command:
- /bin/bash
- -c
- /tmp/image-repo-sync.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: bootstrap-sh
mountPath: /tmp/image-repo-sync.sh
subPath: image-repo-sync.sh
readOnly: true
- name: docker-socket
mountPath: /var/run/docker.sock
{{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: bootstrap-sh
{{- if $secretBin }}
secret:
secretName: {{ $secretBin | quote }}
defaultMode: 0555
{{- else }}
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
- name: docker-socket
hostPath:
path: /var/run/docker.sock
{{- if $podVols }}
{{ $podVols | toYaml | indent 8 }}
{{- end }}
{{- end }}
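Review bot: The job mounts `/var/run/docker.sock` from a hostPath into the image-repo-sync container with no container security context, which makes the container effectively root-equivalent on the node; at minimum the resources line should be followed by `{{ dict "envAll" $envAll "application" "image_repo_sync" "container" "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` so charts can constrain it, and the socket mount deserves a comment such as `# docker.sock is required to push into the local registry; this grants node-root-equivalent access, keep the job gated` so the risk is visible to whoever enables it. `serviceAccountName: {{ $serviceAccountName }}` is also the only unquoted occurrence on this page; the other jobs emit it with `| quote`.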


@ -0,0 +1,238 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Creates a network policy manifest for services.
values: |
endpoints:
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
myLabel:
podSelector:
matchLabels:
component: api
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
ports:
- protocol: TCP
port: 80
egress:
- to:
- namespaceSelector:
matchLabels:
name: default
- namespaceSelector:
matchLabels:
name: kube-public
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
usage: |
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
return: |
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: RELEASE-NAME
namespace: NAMESPACE
spec:
policyTypes:
- Ingress
- Egress
podSelector:
matchLabels:
application: myLabel
component: api
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
ports:
- protocol: TCP
port: 80
egress:
- to:
- podSelector:
matchLabels:
name: default
- namespaceSelector:
matchLabels:
name: kube-public
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: RELEASE-NAME
namespace: NAMESPACE
spec:
policyTypes:
- Ingress
- Egress
podSelector:
matchLabels:
application: myApp
component: myComp
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
ports:
- protocol: TCP
port: 80
egress:
- to:
- podSelector:
matchLabels:
name: default
- namespaceSelector:
matchLabels:
name: kube-public
ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
*/}}
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
{{- $envAll := index . "envAll" -}}
{{- $name := index . "name" -}}
{{- $labels := index . "labels" | default nil -}}
{{- $label := index . "key" | default (index . "label") -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ $label | replace "_" "-" }}-netpol
namespace: {{ $envAll.Release.Namespace }}
spec:
{{- if hasKey (index $envAll.Values "network_policy") $label }}
policyTypes:
{{- $is_egress := false -}}
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
{{- $is_egress = true -}}
{{- end -}}
{{- end -}}
{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
- Egress
{{ end -}}
{{- $is_ingress := false -}}
{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
{{- $is_ingress = true -}}
{{- end -}}
{{- end -}}
{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
- Ingress
{{ end -}}
{{- end }}
podSelector:
matchLabels:
{{- if empty $labels }}
{{ $name }}: {{ $label }}
{{- else }}
{{ range $k, $v := $labels }}
{{ $k }}: {{ $v }}
{{- end }}
{{- end }}
{{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
{{ end }}
{{ end }}
{{ end }}
{{- if hasKey (index $envAll.Values "network_policy") $label }}
egress:
{{- range $key, $value := $envAll.Values.endpoints }}
{{- if kindIs "map" $value }}
{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
- to:
{{- if index $value "namespace" }}
- namespaceSelector:
matchLabels:
name: {{ index $value "namespace" }}
{{- else if index $value "hosts" }}
{{- $defaultValue := index $value "hosts" "internal" }}
{{- if hasKey (index $value "hosts") "internal" }}
{{- $a := split "-" $defaultValue }}
- podSelector:
matchLabels:
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- else }}
{{- $defaultValue := index $value "hosts" "default" }}
{{- $a := split "-" $defaultValue }}
- podSelector:
matchLabels:
application: {{ printf "%s" (index $a._0) | default $defaultValue }}
{{- end }}
{{- end }}
{{- if index $value "port" }}
ports:
{{- range $k, $v := index $value "port" }}
{{- if $k }}
{{- range $pk, $pv := $v }}
{{- if and $pv (ne $pk "protocol") }}
- port: {{ $pv }}
protocol: {{ $v.protocol | default "TCP" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if index $envAll.Values.network_policy $label "egress" }}
{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
{{- end }}
{{- end }}
{{- if hasKey (index $envAll.Values "network_policy") $label }}
{{- if index $envAll.Values.network_policy $label "ingress" }}
ingress:
{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
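Review bot: The usage example for the `labels` form, `{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}`, is missing the `| include "helm-toolkit.manifests.kubernetes_network_policy"` that the line above it has, so the second return example cannot be produced from it as written. The return examples also show the `default` namespace egress as `podSelector: matchLabels: name: default`, while the template emits `namespaceSelector` for an endpoint that carries a `namespace` key; the examples should read `- namespaceSelector:`. Note too that the generated egress rule keys on a `name` label on the target namespace, which only matches where namespaces are labelled that way; a sentence in the abstract saying so would save a debugging session.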


@ -0,0 +1,93 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Creates a manifest for a authenticating a registry with a secret
examples:
- values: |
secrets:
oci_image_registry:
{{ $serviceName }}: {{ $keyName }}
endpoints:
oci_image_registry:
name: oci-image-registry
auth:
enabled: true
{{ $serviceName }}:
name: {{ $userName }}
password: {{ $password }}
usage: |
{{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
return: |
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: kubernetes.io/dockerconfigjson
data:
dockerconfigjson: {{ $dockerAuth }}
- values: |
secrets:
oci_image_registry:
{{ $serviceName }}: {{ $keyName }}
endpoints:
oci_image_registry:
name: oci-image-registry
auth:
enabled: true
{{ $serviceName }}:
name: {{ $userName }}
password: {{ $password }}
usage: |
{{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
return: |
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: kubernetes.io/dockerconfigjson
data:
dockerconfigjson: {{ $dockerAuth }}
*/}}
{{- define "helm-toolkit.manifests.secret_registry" }}
{{- $envAll := index . "envAll" }}
{{- $registryUser := index . "registryUser" }}
{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
{{/*
We only use "host:port" when port is non-null, else just use "host"
*/}}
{{- $registryPort := "" }}
{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
{{- if $port }}
{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $registryPort = printf ":%s" $port }}
{{- end }}
{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ $dockerAuth }}
{{- end -}}
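Review bot: The header examples disagree with the code in two places: they document the credential key as `name:` where the template reads `$imageCredentials.username`, and the return shows `dockerconfigjson:` where the template emits `.dockerconfigjson:`; the examples should be corrected to `username:` and `.dockerconfigjson:`. The auth document is also assembled with `printf` from `$registryHost` and `$registryPort`, so a host value containing `"` or `\` would yield invalid JSON inside the secret; `{{- $dockerAuth := dict "auths" (dict (printf "%s%s" $registryHost $registryPort) (dict "auth" $dockerAuthToken)) | toJson | b64enc }}` produces properly escaped output with the same shape.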


@ -0,0 +1,108 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Creates a manifest for a services public tls secret
examples:
- values: |
secrets:
tls:
key_manager:
api:
public: barbican-tls-public
endpoints:
key_manager:
host_fqdn_override:
public:
tls:
crt: |
FOO-CRT
key: |
FOO-KEY
ca: |
FOO-CA_CRT
usage: |
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
return: |
---
apiVersion: v1
kind: Secret
metadata:
name: barbican-tls-public
type: kubernetes.io/tls
data:
tls.key: Rk9PLUtFWQo=
tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
- values: |
secrets:
tls:
key_manager:
api:
public: barbican-tls-public
endpoints:
key_manager:
host_fqdn_override:
public:
tls:
crt: |
FOO-CRT
FOO-INTERMEDIATE_CRT
FOO-CA_CRT
key: |
FOO-KEY
usage: |
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
return: |
---
apiVersion: v1
kind: Secret
metadata:
name: barbican-tls-public
type: kubernetes.io/tls
data:
tls.key: Rk9PLUtFWQo=
tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
*/}}
{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
{{- $envAll := index . "envAll" }}
{{- $endpoint := index . "endpoint" | default "public" }}
{{- $backendServiceType := index . "backendServiceType" }}
{{- $backendService := index . "backendService" | default "api" }}
{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
{{- if hasKey $host $endpoint }}
{{- $endpointHost := index $host $endpoint }}
{{- if kindIs "map" $endpointHost }}
{{- if hasKey $endpointHost "tls" }}
{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
type: kubernetes.io/tls
data:
tls.key: {{ $endpointHost.tls.key | b64enc }}
{{- if $endpointHost.tls.ca }}
tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
{{- else }}
tls.crt: {{ $endpointHost.tls.crt | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
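Review bot: `hasKey $endpointHost "tls"` is satisfied by a `tls:` key with no value, and the next line then evaluates `$endpointHost.tls.key` on a nil map, which I expect to abort rendering rather than skip the secret; `{{- if and $endpointHost.tls $endpointHost.tls.key $endpointHost.tls.crt }}` guards it, relying on short-circuit `and`. The abstract says "public tls secret" but the template also renders the private key from values; a sentence noting that `tls.key` is expected to arrive through an out-of-band values source and never be committed with the chart would document the intent.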


@ -0,0 +1,43 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# This function creates a manifest for a services ingress rules.
# It can be used in charts dict created similar to the following:
# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
{{- define "helm-toolkit.manifests.service_ingress" -}}
{{- $envAll := index . "envAll" -}}
{{- $backendServiceType := index . "backendServiceType" -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
spec:
ports:
- name: http
port: 80
- name: https
port: 443
selector:
app: ingress-api
{{- if index $envAll.Values.endpoints $backendServiceType }}
{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
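Review bot: The `clusterIP` override is looked up with the raw `$backendServiceType` in the three nested `index $envAll.Values.endpoints $backendServiceType …` calls, while the `secret_ingress_tls` helper earlier on this page normalises the same key with `$backendServiceType | replace "-" "_"`; for a hyphenated type such as the `key-manager` example in this file's own header comment the lookups therefore find nothing and any `ip.ingress` value in the chart's endpoints is silently ignored. Normalise once, `{{- $endpointKey := $backendServiceType | replace "-" "_" -}}`, and use `$endpointKey` in the three `index` calls and the `clusterIP` line. The `hostname_short_endpoint_lookup` call on the `name:` line presumably does its own normalisation; I cannot confirm that from here.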


@ -0,0 +1,35 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.create_s3_bucket" }}
#!/bin/bash
set -e
CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
if [ "$RGW_PROTO" = "http" ]; then
CONNECTION_ARGS+=" --no-ssl"
else
CONNECTION_ARGS+=" --no-check-certificate"
fi
ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
function check_rgw_s3_bucket () {
s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
}
function create_rgw_s3_bucket () {
s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
}
function modify_bucket_acl () {
s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
}
check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
{{- end }}
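Review bot: The HTTPS branch unconditionally appends `--no-check-certificate`, so the admin access/secret key pair assembled in `ADMIN_AUTH_ARGS` is sent to whatever answers at `$RGW_HOST` and the job has no way to notice an on-path impersonator; TLS here only defeats passive sniffing. s3cmd accepts `--ca-certs=FILE`, so the `else` branch should point at the RGW CA bundle mounted into the job and `--no-check-certificate` should become an explicit opt-in controlled by a dedicated variable rather than the default. The bucket name is also interpolated unquoted into `s3://$S3_BUCKET`; quoting it costs nothing.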


@ -0,0 +1,65 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.create_s3_user" }}
#!/bin/bash
set -e
function create_s3_user () {
echo "Creating s3 user and key pair"
radosgw-admin user create \
--uid=${S3_USERNAME} \
--display-name=${S3_USERNAME} \
--key-type=s3 \
--access-key ${S3_ACCESS_KEY} \
--secret-key ${S3_SECRET_KEY}
}
function update_s3_user () {
# Retrieve old access keys, if they exist
old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
| jq -r '.keys[].access_key' || true)
if [[ ! -z ${old_access_keys} ]]; then
for access_key in $old_access_keys; do
# If current access key is the same as the key supplied, do nothing.
if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
echo "Current user and key pair exists."
continue
else
# If keys differ, remove previous key
radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
fi
done
fi
# Perform one more additional check to account for scenarios where multiple
# key pairs existed previously, but one existing key was the supplied key
current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
| jq -r '.keys[].access_key' || true)
# If the supplied key does not exist, modify the user
if [[ -z ${current_access_key} ]]; then
# Modify user with new access and secret keys
echo "Updating existing user's key pair"
radosgw-admin user modify \
--uid=${S3_USERNAME}\
--access-key ${S3_ACCESS_KEY} \
--secret-key ${S3_SECRET_KEY}
fi
}
user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
if [[ -z ${user_exists} ]]; then
create_s3_user
else
update_s3_user
fi
{{- end }}
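Review bot: The `|| true` on both `radosgw-admin user info` calls (inside `update_s3_user` and in the final existence check) turns every failure — an unreachable RGW, a bad admin keyring — into an empty string that the script reads as "no user" or "no keys", so a transient error ends either in `create_s3_user` failing on an already-existing uid, or in `user modify` adding the supplied key while the old keys it meant to revoke stay valid. `set -e` also does not cover the `| jq` pipelines, so `set -eo pipefail` is the minimum; telling a missing user apart from a lookup failure needs radosgw-admin's exit status or error text, which I cannot confirm from here. Quoting `"${S3_USERNAME}"` in the `--uid=` arguments would also keep an unusual uid from splitting the command line.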


@ -0,0 +1,142 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.db_drop" }}
#!/usr/bin/env python
# Drops db and user for an OpenStack Service:
# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
# SQLAlchemy strings for the root connection to the database and the one you
# wish the service to use. Alternatively, you can use an ini formatted config
# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
# OPENSTACK_CONFIG_DB_SECTION.
import os
import sys
try:
import ConfigParser
PARSER_OPTS = {}
except ImportError:
import configparser as ConfigParser
PARSER_OPTS = {"strict": False}
import logging
from sqlalchemy import create_engine
# Create logger, console handler and formatter
logger = logging.getLogger('OpenStack-Helm DB Drop')
logger.setLevel(logging.DEBUG)
ch = logging.StreamHandler()
ch.setLevel(logging.DEBUG)
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
# Set the formatter and add the handler
ch.setFormatter(formatter)
logger.addHandler(ch)
# Get the connection string for the service db root user
if "ROOT_DB_CONNECTION" in os.environ:
db_connection = os.environ['ROOT_DB_CONNECTION']
logger.info('Got DB root connection')
else:
logger.critical('environment variable ROOT_DB_CONNECTION not set')
sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "")
ssl_args = {}
if mysql_x509:
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
# Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ:
os_conf = os.environ['OPENSTACK_CONFIG_FILE']
if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
else:
logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
sys.exit(1)
if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
else:
logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
sys.exit(1)
try:
config = ConfigParser.RawConfigParser(**PARSER_OPTS)
logger.info("Using {0} as db config source".format(os_conf))
config.read(os_conf)
logger.info("Trying to load db config from {0}:{1}".format(
os_conf_section, os_conf_key))
user_db_conn = config.get(os_conf_section, os_conf_key)
logger.info("Got config from {0}".format(os_conf))
except:
logger.critical("Tried to load config from {0} but failed.".format(os_conf))
raise
elif "DB_CONNECTION" in os.environ:
user_db_conn = os.environ['DB_CONNECTION']
logger.info('Got config from DB_CONNECTION env var')
else:
logger.critical('Could not get db config, either from config file or env var')
sys.exit(1)
# Root DB engine
try:
root_engine_full = create_engine(db_connection)
root_user = root_engine_full.url.username
root_password = root_engine_full.url.password
drivername = root_engine_full.url.drivername
host = root_engine_full.url.host
port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
connection = root_engine.connect()
connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
host, port, root_user))
except:
logger.critical('Could not connect to database as root user')
raise
# User DB engine
try:
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
# Get our user data out of the user_engine
database = user_engine.url.database
user = user_engine.url.username
password = user_engine.url.password
logger.info('Got user db config')
except:
logger.critical('Could not get user database config')
raise
# Delete DB
try:
root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
logger.info("Deleted database {0}".format(database))
except:
logger.critical("Could not drop database {0}".format(database))
raise
# Delete DB User
try:
root_engine.execute("DROP USER IF EXISTS {0}".format(user))
logger.info("Deleted user {0}".format(user))
except:
logger.critical("Could not delete user {0}".format(user))
raise
logger.info('Finished DB Management')
{{- end }}
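Review bot: `root_engine_url` is rebuilt by string concatenation from `root_engine_full.url.password`, which SQLAlchemy hands back already URL-decoded, so a root password containing `@`, `/`, `:` or `#` yields a URL that parses differently from `ROOT_DB_CONNECTION` and the root connection fails (with `@` it may even target a different host). Rebuild it from the parsed object instead — `URL.create(...)` on SQLAlchemy 1.4 or newer, or on older versions percent-encode the password with `quote_plus` before the `join`; the `ConfigParser` fallback suggests Python 2 is still a target, so that import needs the same try/except treatment. The `DROP DATABASE IF EXISTS {0}` statement also leaves the identifier unquoted, whereas the matching `db_init` script backtick-quotes it in its `GRANT`; a database name containing `-` fails here but succeeds there.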


@ -0,0 +1,156 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.db_init" }}
#!/usr/bin/env python
# Creates db and user for an OpenStack Service:
# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
# SQLAlchemy strings for the root connection to the database and the one you
# wish the service to use. Alternatively, you can use an ini formatted config
# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
# OPENSTACK_CONFIG_DB_SECTION.
import os
import sys
try:
import ConfigParser
PARSER_OPTS = {}
except ImportError:
import configparser as ConfigParser
PARSER_OPTS = {"strict": False}
import logging
from sqlalchemy import create_engine
# Create logger, console handler and formatter
logger = logging.getLogger('OpenStack-Helm DB Init')
logger.setLevel(logging.DEBUG)
ch = logging.StreamHandler()
ch.setLevel(logging.DEBUG)
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
# Set the formatter and add the handler
ch.setFormatter(formatter)
logger.addHandler(ch)
# Get the connection string for the service db root user
if "ROOT_DB_CONNECTION" in os.environ:
db_connection = os.environ['ROOT_DB_CONNECTION']
logger.info('Got DB root connection')
else:
logger.critical('environment variable ROOT_DB_CONNECTION not set')
sys.exit(1)
mysql_x509 = os.getenv('MARIADB_X509', "")
ssl_args = {}
if mysql_x509:
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
'key': '/etc/mysql/certs/tls.key',
'cert': '/etc/mysql/certs/tls.crt'}}
# Get the connection string for the service db
if "OPENSTACK_CONFIG_FILE" in os.environ:
os_conf = os.environ['OPENSTACK_CONFIG_FILE']
if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
else:
logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
sys.exit(1)
if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
else:
logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
sys.exit(1)
try:
config = ConfigParser.RawConfigParser(**PARSER_OPTS)
logger.info("Using {0} as db config source".format(os_conf))
config.read(os_conf)
logger.info("Trying to load db config from {0}:{1}".format(
os_conf_section, os_conf_key))
user_db_conn = config.get(os_conf_section, os_conf_key)
logger.info("Got config from {0}".format(os_conf))
except:
logger.critical("Tried to load config from {0} but failed.".format(os_conf))
raise
elif "DB_CONNECTION" in os.environ:
user_db_conn = os.environ['DB_CONNECTION']
logger.info('Got config from DB_CONNECTION env var')
else:
logger.critical('Could not get db config, either from config file or env var')
sys.exit(1)
# Root DB engine
try:
root_engine_full = create_engine(db_connection)
root_user = root_engine_full.url.username
root_password = root_engine_full.url.password
drivername = root_engine_full.url.drivername
host = root_engine_full.url.host
port = root_engine_full.url.port
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
connection = root_engine.connect()
connection.close()
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
host, port, root_user))
except:
logger.critical('Could not connect to database as root user')
raise
# User DB engine
try:
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
# Get our user data out of the user_engine
database = user_engine.url.database
user = user_engine.url.username
password = user_engine.url.password
logger.info('Got user db config')
except:
logger.critical('Could not get user database config')
raise
# Create DB
try:
root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
logger.info("Created database {0}".format(database))
except:
logger.critical("Could not create database {0}".format(database))
raise
# Create DB User
try:
root_engine.execute(
"CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format(
user, password, mysql_x509))
root_engine.execute(
"GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, user))
logger.info("Created user {0} for {1}".format(user, database))
except:
logger.critical("Could not create user {0} for {1}".format(user, database))
raise
# Test connection
try:
connection = user_engine.connect()
connection.close()
logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
host, port, database, user))
except:
logger.critical('Could not connect to database as user')
raise
logger.info('Finished DB Management')
{{- end }}
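Review bot: The service user's password is spliced into the SQL text with `.format` (`IDENTIFIED BY '{1}'`), so a generated password containing `'` or `\` breaks the statement, and because the string then goes through the DBAPI's `%`-interpolation (the reason the host is written `'%%'`), a password containing `%` raises a formatting error before anything reaches MariaDB. Bind it instead and let the driver quote it — e.g. `root_engine.execute(text("CREATE USER IF NOT EXISTS :u@'%%' IDENTIFIED BY :p " + mysql_x509), u=user, p=password)` — and check the rendered statement once, since whether the host wildcard still needs doubling depends on how SQLAlchemy hands the text to the driver. `mysql_x509` is taken from the environment unchanged and concatenated into the same statement; it should stay a fixed allowlisted value and a comment saying so would help the next maintainer.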


@ -0,0 +1,69 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- define "helm-toolkit.scripts.pg_db_init" }}
#!/bin/bash
set -ex
if [[ ! -v DB_HOST ]]; then
echo "environment variable DB_HOST not set"
exit 1
elif [[ ! -v DB_ADMIN_USER ]]; then
echo "environment variable DB_ADMIN_USER not set"
exit 1
elif [[ ! -v PGPASSWORD ]]; then
echo "environment variable PGPASSWORD not set"
exit 1
elif [[ ! -v DB_PORT ]]; then
echo "environment variable DB_PORT not set"
exit 1
elif [[ ! -v USER_DB_USER ]]; then
echo "environment variable USER_DB_USER not set"
exit 1
elif [[ ! -v USER_DB_PASS ]]; then
echo "environment variable USER_DB_PASS not set"
exit 1
elif [[ ! -v USER_DB_NAME ]]; then
echo "environment variable USER_DB_NAME not set"
exit 1
else
echo "Got DB connection info"
fi
pgsql_superuser_cmd () {
DB_COMMAND="$1"
if [[ ! -z $2 ]]; then
EXPORT PGDATABASE=$2
fi
/usr/bin/psql \
-h ${DB_HOST} \
-p ${DB_PORT} \
-U ${DB_ADMIN_USER} \
--command="${DB_COMMAND}"
}
#create db
pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
#create db user
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
#give permissions to user
pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
#revoke all privileges from PUBLIC role
pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
{{- end }}
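Review bot: With `set -ex` at the top, the xtrace of the `CREATE ROLE … PASSWORD '$USER_DB_PASS'` and `ALTER USER … with password '$USER_DB_PASS'` calls (both the `DB_COMMAND="$1"` assignment and the expanded `psql --command=` line) writes the service user's database password into the job's stdout, i.e. the pod log and anything that ships it. The `keystone_user` script on this page already shows the pattern: wrap those two calls in `set +x` … `set -x`. Separately, `EXPORT PGDATABASE=$2` inside `pgsql_superuser_cmd` is not a shell builtin (`export` is lowercase), so any caller passing a second argument fails under `set -e`; no visible caller does, which is why it has gone unnoticed.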


@ -0,0 +1,24 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.image_repo_sync" }}
#!/bin/sh
set -ex
IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
docker pull ${IMAGE}
docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
docker push ${LOCAL_REPO}/${IMAGE}
done
{{- end }}
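Review bot: The mirror copies whatever each tag in `IMAGE_SYNC_LIST` currently resolves to upstream, with no digest check or record, so a retagged upstream image is pushed into `${LOCAL_REPO}` unnoticed and nothing in the log says which content was mirrored. Logging the pulled image's repo digest (via `docker image inspect --format` on the `RepoDigests` field) after each `docker pull`, and comparing it against an expected digest list where one exists, would make the mirrored content attributable; at minimum the header comment should state that the sync trusts the upstream registry. Quoting `"${IMAGE}"` and `"${LOCAL_REPO}/${IMAGE}"` is also cheap insurance against an entry with stray whitespace.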


@ -0,0 +1,72 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.keystone_domain_user" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
# Manage domain
SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
--description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
"${SERVICE_OS_DOMAIN_NAME}")
# Display domain
openstack domain show "${SERVICE_OS_DOMAIN_ID}"
# Manage user
SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
--domain="${SERVICE_OS_DOMAIN_ID}" \
--description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
--password="${SERVICE_OS_PASSWORD}" \
"${SERVICE_OS_USERNAME}")
# Manage user password (we do this to ensure the password is updated if required)
openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
# Display user
openstack user show "${SERVICE_OS_USERID}"
# Manage role
SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
"${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
"${SERVICE_OS_ROLE}" )
# Manage user role assignment
openstack role add \
--domain="${SERVICE_OS_DOMAIN_ID}" \
--user="${SERVICE_OS_USERID}" \
--user-domain="${SERVICE_OS_DOMAIN_ID}" \
"${SERVICE_OS_ROLE_ID}"
# Display user role assignment
openstack role assignment list \
--role="${SERVICE_OS_ROLE_ID}" \
--user-domain="${SERVICE_OS_DOMAIN_ID}" \
--user="${SERVICE_OS_USERID}"
{{- end }}
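Review bot: `set -ex` at the top traces the expanded `openstack user create … --password=…` and `openstack user set --password=…` lines, so `SERVICE_OS_PASSWORD` lands in the job's stdout and therefore the pod log. The `keystone_user` script on this page already handles this — it prints a redacted line and wraps `openstack user set` in `set +x` … `set -x` — and the two password-bearing commands here should get the same treatment; `--password` can also be dropped from `user create` altogether, since `user set` runs unconditionally right after it.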


@ -0,0 +1,79 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.keystone_endpoints" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
# Get Service ID
OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
# Get Endpoint ID if it exists
OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
awk -F ',' '{ print $1 }' )
# Making sure only a single endpoint exists for a service within a region
if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
echo "More than one endpoint found, cleaning up"
for ENDPOINT_ID in $OS_ENDPOINT_ID; do
openstack endpoint delete ${ENDPOINT_ID}
done
unset OS_ENDPOINT_ID
fi
# Determine if Endpoint needs updated
if [[ ${OS_ENDPOINT_ID} ]]; then
OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
echo "Endpoints Match: no action required"
OS_ENDPOINT_UPDATE="False"
else
echo "Endpoints Dont Match: removing existing entries"
openstack endpoint delete ${OS_ENDPOINT_ID}
OS_ENDPOINT_UPDATE="True"
fi
else
OS_ENDPOINT_UPDATE="True"
fi
# Update Endpoint if required
if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
--region="${OS_REGION_NAME}" \
"${OS_SERVICE_ID}" \
${OS_SVC_ENDPOINT} \
"${OS_SERVICE_ENDPOINT}" )
fi
# Display the Endpoint
openstack endpoint show ${OS_ENDPOINT_ID}
{{- end }}
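Review bot: Existing endpoints are deleted (in the "more than one" cleanup and in the "Endpoints Dont Match" branch) before anything checks that `OS_SERVICE_ID` is non-empty, so if `openstack service list` fails or returns nothing — the transient `ECONNRESET` that the sibling `keystone_service` script retries for — the deletes still run, the later `openstack endpoint create` fails under `set -e`, and the region is left with no endpoint for the service. Add a guard right after the lookup, `[ -n "${OS_SERVICE_ID}" ] || { echo "service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE} not found"; exit 1; }`, and consider the same three-attempt retry `keystone_service` uses. The `grep` patterns interpolate the service name and type as unescaped regular expressions; fine for today's names, but worth a comment.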


@ -0,0 +1,76 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.keystone_service" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
# Service boilerplate description
OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
# Get Service ID if it exists
unset OS_SERVICE_ID
# FIXME - There seems to be an issue once in a while where the
# openstack service list fails and encounters an error message such as:
# Unable to establish connection to
# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
# and it would attempt to create a new service when it was not needed.
# This duplciate service would sometimes be used by other services such as
# Horizon and would give an 'Invalid Service Catalog' error.
# This loop allows for a 'retry' of the openstack service list in an
# attempt to get the service list as expected if it does ecounter an error.
# This loop and recheck can be reverted once the underlying issue is addressed.
# If OS_SERVICE_ID is blank then wait a few seconds to give it
# additional time and try again
for i in $(seq 3)
do
OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
# If the service was found, go ahead and exit successfully.
if [[ -n "${OS_SERVICE_ID}" ]]; then
exit 0
fi
sleep 2
done
# If we've reached this point and a Service ID was not found,
# then create the service
OS_SERVICE_ID=$(openstack service create -f value -c id \
--name="${OS_SERVICE_NAME}" \
--description "${OS_SERVICE_DESC}" \
--enable \
"${OS_SERVICE_TYPE}")
{{- end }}
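Review bot: The lookup loop exits 0 on any non-empty `OS_SERVICE_ID`, including two or more ids when a duplicate service already exists, so the exact state the FIXME comment blames for "Invalid Service Catalog" is never detected once it has occurred. The `wc -w` check used in `keystone_endpoints` fits here: `if [ "$(echo ${OS_SERVICE_ID} | wc -w)" -gt 1 ]; then echo "duplicate service ${OS_SERVICE_NAME}/${OS_SERVICE_TYPE}: ${OS_SERVICE_ID}"; exit 1; fi` before the `exit 0`, leaving cleanup to an operator rather than deleting services automatically.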


@ -0,0 +1,108 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.keystone_user" }}
#!/bin/bash
# Copyright 2017 Pete Birley
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
shopt -s nocasematch
if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
then
PROJECT_DOMAIN_ID="default"
else
# Manage project domain
PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
--description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
"${SERVICE_OS_PROJECT_DOMAIN_NAME}")
fi
if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
then
USER_DOMAIN_ID="default"
else
# Manage user domain
USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
--description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
"${SERVICE_OS_USER_DOMAIN_NAME}")
fi
shopt -u nocasematch
# Manage user project
USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
--domain="${PROJECT_DOMAIN_ID}" \
--description="${USER_PROJECT_DESC}" \
"${SERVICE_OS_PROJECT_NAME}");
# Manage user
USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
USER_ID=$(openstack user create --or-show --enable -f value -c id \
--domain="${USER_DOMAIN_ID}" \
--project-domain="${PROJECT_DOMAIN_ID}" \
--project="${USER_PROJECT_ID}" \
--description="${USER_DESC}" \
"${SERVICE_OS_USERNAME}");
# Manage user password (we do this in a seperate step to ensure the password is updated if required)
set +x
echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
set -x
function ks_assign_user_role () {
if [[ "$SERVICE_OS_ROLE" == "admin" ]]
then
USER_ROLE_ID="$SERVICE_OS_ROLE"
else
USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
fi
# Manage user role assignment
openstack role add \
--user="${USER_ID}" \
--user-domain="${USER_DOMAIN_ID}" \
--project-domain="${PROJECT_DOMAIN_ID}" \
--project="${USER_PROJECT_ID}" \
"${USER_ROLE_ID}"
}
# Manage user service role
IFS=','
for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
ks_assign_user_role
done
# Manage user member role
: ${MEMBER_OS_ROLE:="member"}
export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
"${MEMBER_OS_ROLE}");
ks_assign_user_role
{{- end }}
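Review bot: Every service user is granted `${MEMBER_OS_ROLE:-member}` on its project on top of whatever `SERVICE_OS_ROLES` asks for (the block after the `for` loop), so a chart that deliberately requests a narrow custom role still ends up with `member`, and nothing in the script documents this or lets a caller opt out. At minimum the header should say `# In addition to SERVICE_OS_ROLES the user always receives MEMBER_OS_ROLE (default "member") on SERVICE_OS_PROJECT_NAME`; a guard around the final `ks_assign_user_role` keyed on an explicit opt-out value would let deployments keep the grant minimal. `IFS=','` is also left set for the rest of the script; harmless today because every later expansion is quoted, but restoring it after the loop avoids a surprise later.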


@ -0,0 +1,111 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.rabbit_init" }}
#!/bin/bash
set -e
# Extract connection details
RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
awk -F'[@]' '{print $2}' | \
awk -F'[:/]' '{print $1}')
RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
awk -F'[@]' '{print $2}' | \
awk -F'[:/]' '{print $2}')
# Extract Admin User creadential
RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
awk -F'[@]' '{print $1}' | \
awk -F'[//:]' '{print $4}')
RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
awk -F'[@]' '{print $1}' | \
awk -F'[//:]' '{print $5}')
# Extract User creadential
RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
awk -F'[@]' '{print $1}' | \
awk -F'[//:]' '{print $4}')
RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
awk -F'[@]' '{print $1}' | \
awk -F'[//:]' '{print $5}')
# Extract User vHost
RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
awk -F'[@]' '{print $2}' | \
awk -F'[:/]' '{print $3}')
# Resolve vHost to / if no value is set
RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
function rabbitmqadmin_cli () {
if [ -n "$RABBITMQ_X509" ]
then
rabbitmqadmin \
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
--ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
--ssl-key-file="${USER_CERT_PATH}/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
else
rabbitmqadmin \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
fi
}
echo "Managing: User: ${RABBITMQ_USERNAME}"
rabbitmqadmin_cli \
declare user \
name="${RABBITMQ_USERNAME}" \
password="${RABBITMQ_PASSWORD}" \
tags="user"
echo "Deleting Guest User"
rabbitmqadmin_cli \
delete user \
name="guest" || true
if [ "${RABBITMQ_VHOST}" != "/" ]
then
echo "Managing: vHost: ${RABBITMQ_VHOST}"
rabbitmqadmin_cli \
declare vhost \
name="${RABBITMQ_VHOST}"
else
echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
fi
echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
rabbitmqadmin_cli \
declare permission \
vhost="${RABBITMQ_VHOST}" \
user="${RABBITMQ_USERNAME}" \
configure=".*" \
write=".*" \
read=".*"
if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
then
echo "Applying additional configuration"
echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
rabbitmqadmin_cli import /tmp/rmq_definitions.json
fi
{{- end }}
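Review bot: In the `RABBITMQ_X509` branch of `rabbitmqadmin_cli`, `--ssl-disable-hostname-verification` is passed unconditionally next to `--ssl-ca-cert-file`, so the CA pin only proves the broker presented a certificate chaining to that CA, not that it is the host named in `RABBIT_HOSTNAME`; any leaf issued by the same CA can stand in for the broker while the job sends the admin password and creates the service user. Drop the flag, or gate it on an explicit opt-in such as `${RABBITMQ_SSL_SKIP_HOSTNAME_VERIFY:+--ssl-disable-hostname-verification}` so the default path verifies. The same function should pass `"$@"` rather than bare `${@}`, since a password argument containing whitespace would otherwise be split. Note also that the credential extraction with `awk -F'[//:]'` takes fields 4 and 5 literally: a password containing `:` or `@`, or one that was percent-encoded in the URL, is silently truncated or left encoded, and `declare user` would then set a different password than the one in the secret.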


@ -0,0 +1,88 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.scripts.rally_test" -}}
#!/bin/bash
set -ex
{{- $rallyTests := index . 0 }}
: "${RALLY_ENV_NAME:="openstack-helm"}"
: "${OS_INTERFACE:="public"}"
: "${RALLY_CLEANUP:="true"}"
if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
function rally_cleanup {
openstack user delete \
--domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
"${SERVICE_OS_USERNAME}"
{{ $rallyTests.clean_up | default "" | indent 4 }}
}
trap rally_cleanup EXIT
fi
function create_or_update_db () {
revisionResults=$(rally db revision)
if [ $revisionResults = "None" ]
then
rally db create
else
rally db upgrade
fi
}
create_or_update_db
cat > /tmp/rally-config.json << EOF
{
"openstack": {
"auth_url": "${OS_AUTH_URL}",
"region_name": "${OS_REGION_NAME}",
"endpoint_type": "${OS_INTERFACE}",
"admin": {
"username": "${OS_USERNAME}",
"password": "${OS_PASSWORD}",
"user_domain_name": "${OS_USER_DOMAIN_NAME}",
"project_name": "${OS_PROJECT_NAME}",
"project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
},
"users": [
{
"username": "${SERVICE_OS_USERNAME}",
"password": "${SERVICE_OS_PASSWORD}",
"project_name": "${SERVICE_OS_PROJECT_NAME}",
"user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
"project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
}
],
"https_insecure": false,
"https_cacert": "${OS_CACERT}"
}
}
EOF
rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
rm -f /tmp/rally-config.json
rally deployment use "${RALLY_ENV_NAME}"
rally deployment check
{{- if $rallyTests.run_tempest }}
rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
{{- end }}
rally task validate /etc/rally/rally_tests.yaml
rally task start /etc/rally/rally_tests.yaml
rally task sla-check
rally env cleanup
rally deployment destroy --deployment "${RALLY_ENV_NAME}"
{{- end }}
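Review bot: The heredoc writes the admin and service passwords into `/tmp/rally-config.json` under the process umask (typically 0644) and the only `rm -f` is the line after `rally deployment create`, so under `set -e` a failed deployment create leaves the world-readable credentials file behind and the EXIT trap does not remove it. Create the file with a restrictive mode first, `install -m 0600 /dev/null /tmp/rally-config.json`, and move `rm -f /tmp/rally-config.json` into the cleanup path that runs on exit. Separately, `[ $revisionResults = "None" ]` in `create_or_update_db` is unquoted, so an empty `rally db revision` result becomes `[ = None ]`, a test syntax error that aborts the script rather than creating the database; `[ "$revisionResults" = "None" ]` fixes it.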


@ -0,0 +1,567 @@
{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
#!/bin/bash
# This file contains a database backup framework which database scripts
# can use to perform a backup. The idea here is that the database-specific
# functions will be implemented by the various databases using this script
# (like mariadb, postgresql or etcd for example). The database-specific
# script will need to first "source" this file like this:
# source /tmp/backup_main.sh
#
# Then the script should call the main backup function (backup_databases):
# backup_databases [scope]
# [scope] is an optional parameter, defaulted to "all". If only one specific
# database is required to be backed up then this parameter will
# contain the name of the database; otherwise all are backed up.
#
# The framework will require the following variables to be exported:
#
# export DB_NAMESPACE Namespace where the database(s) reside
# export DB_NAME Name of the database system
# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
# export ARCHIVE_DIR Local location where the backup tarballs should
# be stored. (full directory path)
# export BACK_UP_MODE Determines the mode of backup taken.
# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
# otherwise
# export CONTAINER_NAME Name of the container on the RGW to store
# the backup tarball.
# export STORAGE_POLICY Name of the storage policy defined on the
# RGW which is intended to store backups.
# RGW access variables:
# export OS_REGION_NAME Name of the region the RGW resides in
# export OS_AUTH_URL Keystone URL associated with the RGW
# export OS_PROJECT_NAME Name of the project associated with the
# keystone user
# export OS_USERNAME Name of the keystone user
# export OS_PASSWORD Password of the keystone user
# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
# export OS_IDENTITY_API_VERSION Keystone API version to use
#
# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
# in case of any temporary failures.
# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
# to remote to stagger backups being sent to RGW
# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
# to remote to stagger backups being sent to RGW.
# A random number between min and max delay is generated
# to set the delay.
#
# The database-specific functions that need to be implemented are:
# dump_databases_to_directory <directory> <err_logfile> [scope]
# where:
# <directory> is the full directory path to dump the database files
# into. This is a temporary directory for this backup only.
# <err_logfile> is the full directory path where error logs are to be
# written by the application.
# [scope] set to "all" if all databases are to be backed up; or
# set to the name of a specific database to be backed up.
# This optional parameter is defaulted to "all".
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to dump the database file(s) to the specified
# directory path. If this function completes successfully (returns 0), the
# framework will automatically tar/zip the files in that directory and
# name the tarball appropriately according to the proper conventions.
#
# verify_databases_backup_archives [scope]
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to verify the database backup archives. If this function
# completes successfully (returns 0), the
# framework will automatically starts remote backup upload.
#
#
# The functions in this file will take care of:
# 1) Calling "dump_databases_to_directory" and then compressing the files,
# naming the tarball properly, and then storing it locally at the specified
# local directory.
# 2) Sending the tarball built to the remote gateway, to be stored in the
# container configured to store database backups.
# 3) Removing local backup tarballs which are older than the number of days
# specified by the "LOCAL_DAYS_TO_KEEP" variable.
# 4) Removing remote backup tarballs (from the remote gateway) which are older
# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
#
# Note: not using set -e in this script because more elaborate error handling
# is needed.
log_backup_error_exit() {
MSG=$1
ERRCODE=${2:-0}
log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
rm -f $ERR_LOG_FILE
rm -rf $TMP_DIR
exit $ERRCODE
}
log_verify_backup_exit() {
MSG=$1
ERRCODE=${2:-0}
log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
rm -f $ERR_LOG_FILE
# rm -rf $TMP_DIR
exit $ERRCODE
}
log() {
#Log message to a file or stdout
#TODO: This can be convert into mail alert of alert send to a monitoring system
#Params: $1 log level
#Params: $2 service
#Params: $3 message
#Params: $4 Destination
LEVEL=$1
SERVICE=$2
MSG=$3
DEST=$4
DATE=$(date +"%m-%d-%y %H:%M:%S")
if [[ -z "$DEST" ]]; then
echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
else
echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
fi
}
# Generate a random number between MIN_DELAY_SEND_REMOTE and
# MAX_DELAY_SEND_REMOTE
random_number() {
diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
}
#Get the day delta since the archive file backup
seconds_difference() {
ARCHIVE_DATE=$( date --date="$1" +%s )
if [[ $? -ne 0 ]]; then
SECOND_DELTA=0
fi
CURRENT_DATE=$( date +%s )
SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
if [[ "$SECOND_DELTA" -lt 0 ]]; then
SECOND_DELTA=0
fi
echo $SECOND_DELTA
}
# Send the specified tarball file at the specified filepath to the
# remote gateway.
send_to_remote_server() {
FILEPATH=$1
FILE=$2
# Grab the list of containers on the remote site
RESULT=$(openstack container list 2>&1)
if [[ $? -eq 0 ]]; then
echo $RESULT | grep $CONTAINER_NAME
if [[ $? -ne 0 ]]; then
# Find the swift URL from the keystone endpoint list
SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
if [[ $? -ne 0 ]]; then
log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
return 2
fi
# Get a token from keystone
TOKEN=$(openstack token issue -f value -c id)
if [[ $? -ne 0 ]]; then
log WARN "${DB_NAME}_backup" "Unable to get keystone token."
return 2
fi
# Create the container
RES_FILE=$(mktemp -p /tmp)
curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
-H "X-Auth-Token: ${TOKEN}" \
-H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
cat $RES_FILE
rm -f $RES_FILE
return 2
fi
rm -f $RES_FILE
swift stat $CONTAINER_NAME
if [[ $? -ne 0 ]]; then
log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
return 2
fi
fi
else
echo $RESULT | grep -E "HTTP 401|HTTP 403"
if [[ $? -eq 0 ]]; then
log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
return 1
else
echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
if [[ $? -eq 0 ]]; then
log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
# In this case, keystone or the site/node may be temporarily down.
# Return slightly different error code so the calling code can retry
return 2
else
log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
return 1
fi
fi
fi
# load balance delay
DELAY=$((1 + ${RANDOM} % 30))
echo "Sleeping for ${DELAY} seconds to spread the load in time..."
sleep ${DELAY}
# Create an object to store the file
openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
if [[ $? -ne 0 ]]; then
log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
return 2
fi
openstack object show $CONTAINER_NAME $FILE
if [[ $? -ne 0 ]]; then
log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
return 2
fi
# Remote backup verification
MD5_REMOTE=$(openstack object show $CONTAINER_NAME $FILE -f json | jq -r ".etag")
MD5_LOCAL=$(cat ${FILEPATH}/${FILE} | md5sum | awk '{print $1}')
log INFO "${DB_NAME}_backup" "Obtained MD5 hash for the file $FILE in container $CONTAINER_NAME."
log INFO "${DB_NAME}_backup" "Local MD5 hash is ${MD5_LOCAL}."
log INFO "${DB_NAME}_backup" "Remote MD5 hash is ${MD5_REMOTE}."
if [[ "${MD5_LOCAL}" == "${MD5_REMOTE}" ]]; then
log INFO "${DB_NAME}_backup" "The local backup & remote backup MD5 hash values are matching for file $FILE in container $CONTAINER_NAME."
else
log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup MD5 hash values"
return 2
fi
rm -rf ${REMOTE_FILE}
log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
return 0
}
# This function attempts to store the built tarball to the remote gateway,
# with built-in logic to handle error cases like:
# 1) Network connectivity issues - retries for a specific amount of time
# 2) Authorization errors - immediately logs an ERROR and returns
store_backup_remotely() {
FILEPATH=$1
FILE=$2
count=1
while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
# Store the new archive to the remote backup storage facility.
send_to_remote_server $FILEPATH $FILE
SEND_RESULT="$?"
# Check if successful
if [[ $SEND_RESULT -eq 0 ]]; then
log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
return 0
elif [[ $SEND_RESULT -eq 2 ]]; then
if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
"${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
break
fi
# Temporary failure occurred. We need to retry
log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
sleep_time=$(random_number)
log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
sleep ${sleep_time}
log INFO "${DB_NAME}_backup" "Retrying..."
else
log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
break
fi
# Increment the counter
count=$((count+1))
done
return 1
}
function get_archive_date(){
# get_archive_date function returns correct archive date
# for different formats of archives' names
# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
local A_FILE="$1"
awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
}
# This function takes a list of archives' names as an input
# and creates a hash table where keys are number of seconds
# between current date and archive date (see seconds_difference),
# and values are space separated archives' names
#
# +------------+---------------------------------------------------------------------------------------------------------+
# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
# +------------+---------------------------------------------------------------------------------------------------------+
# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
# +------------+---------------------------------------------------------------------------------------------------------+
# <...>
# +------------+---------------------------------------------------------------------------------------------------------+
# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
# +------------+---------------------------------------------------------------------------------------------------------+
# We will use the explained above data stracture to cover rare, but still
# possible case, when we have several backups of the same date. E.g.
# one manual, and one automatic.
declare -A fileTable
create_hash_table() {
unset fileTable
fileList=$@
for ARCHIVE_FILE in ${fileList}; do
# Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
# to take in account a possibility, that we can have more than one scheduled
# backup per day.
ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
INDEX=$(seconds_difference ${ARCHIVE_DATE})
if [[ -z fileTable[${INDEX}] ]]; then
fileTable[${INDEX}]=${ARCHIVE_FILE}
else
fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
fi
echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
done
}
function get_backup_prefix() {
# Create list of all possible prefixes in a format:
# <db_name>.<namespace> to cover a possible situation
# when different backups of different databases and/or
# namespaces share the same local or remote storage.
ALL_FILES=($@)
PREFIXES=()
for fname in ${ALL_FILES[@]}; do
prefix=$(basename ${fname} | cut -d'.' -f1,2 )
for ((i=0; i<${#PREFIXES[@]}; i++)) do
if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
prefix=""
break
fi
done
if [[ ! -z ${prefix} ]]; then
PREFIXES+=(${prefix})
fi
done
}
remove_old_local_archives() {
SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
if [[ -d $ARCHIVE_DIR ]]; then
count=0
# We iterate over the hash table, checking the delta in seconds (hash keys),
# and minimum number of backups we must have in place. List of keys has to be sorted.
for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
ARCHIVE_FILE=${fileTable[${INDEX}]}
if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
((count++))
log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
else
log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
rm -f ${ARCHIVE_FILE}
if [[ $? -ne 0 ]]; then
# Log error but don't exit so we can finish the script
# because at this point we haven't sent backup to RGW yet
log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
fi
fi
done
else
log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
fi
}
prepare_list_of_remote_backups() {
BACKUP_FILES=$(mktemp -p /tmp)
DB_BACKUP_FILES=$(mktemp -p /tmp)
openstack object list $CONTAINER_NAME > $BACKUP_FILES
if [[ $? -ne 0 ]]; then
log_backup_error_exit \
"Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
fi
# Filter out other types of backup files
cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
}
# The logic implemented with this function is absolutely similar
# to the function remove_old_local_archives (see above)
remove_old_remote_archives() {
count=0
SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
ARCHIVE_FILE=${fileTable[${INDEX}]}
if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
((count++))
log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
else
log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
"Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
fi
done
# Cleanup now that we're done.
for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
if [[ -f ${fd} ]]; then
rm -f ${fd}
else
log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
fi
done
}
# Main function to backup the databases. Calling functions need to supply:
# 1) The directory where the final backup will be kept after it is compressed.
# 2) A temporary directory to use for placing database files to be compressed.
# Note: this temp directory will be deleted after backup is done.
# 3) Optional "scope" parameter indicating what database to back up. Defaults
# to "all".
backup_databases() {
SCOPE=${1:-"all"}
# Create necessary directories if they do not exist.
mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
"Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
"Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
# Create temporary log file
export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
"Backup of the ${DB_NAME} database failed. Cannot create log file!"
# It is expected that this function will dump the database files to the $TMP_DIR
dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
# If successful, there should be at least one file in the TMP_DIR
if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
cat $ERR_LOG_FILE
log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
fi
log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
if [[ -z "${BACK_UP_MODE}" ]]; then
TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
else
TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
fi
cd $TMP_DIR || log_backup_error_exit \
"Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
#Archive the current database files
tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
if [[ $? -ne 0 ]]; then
log_backup_error_exit \
"Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
fi
# Get the size of the file
ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
cd $ARCHIVE_DIR
#Only delete the old archive after a successful archive
export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
for ((i=0; i<${#PREFIXES[@]}; i++)); do
echo "Working with prefix: ${PREFIXES[i]}"
create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
remove_old_local_archives
done
fi
# Local backup verification process
# It is expected that this function will verify the database backup files
if verify_databases_backup_archives ${SCOPE}; then
log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
else
# If successful, there should be at least one file in the TMP_DIR
if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
cat $ERR_LOG_FILE
fi
log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
exit 1
fi
# Remove the temporary directory and files as they are no longer needed.
rm -rf $TMP_DIR
rm -f $ERR_LOG_FILE
# Remote backup
REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
if $REMOTE_BACKUP; then
# Remove Quotes from the constants which were added due to reading
# from secret.
export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
if [[ $? -ne 0 ]]; then
# This error should print first, then print the summary as the last
# thing that the user sees in the output.
log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
echo "=================================================================="
echo "Local backup successful, but could not send to remote RGW."
echo "Backup archive name: $TARBALL_FILE"
echo "Backup archive size: $ARCHIVE_SIZE"
echo "=================================================================="
# Because the local backup was successful, exit with 0 so the pod will not
# continue to restart and fill the disk with more backups. The ERRORs are
# logged and alerting system should catch those errors and flag the operator.
exit 0
fi
#Only delete the old archive after a successful archive
if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
prepare_list_of_remote_backups
get_backup_prefix $(cat $DB_BACKUP_FILES)
for ((i=0; i<${#PREFIXES[@]}; i++)); do
echo "Working with prefix: ${PREFIXES[i]}"
create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
remove_old_remote_archives
done
fi
echo "=================================================================="
echo "Local backup and backup to remote RGW successful!"
echo "Backup archive name: $TARBALL_FILE"
echo "Backup archive size: $ARCHIVE_SIZE"
echo "=================================================================="
else
# Remote backup is not enabled. This is ok; at least we have a local backup.
log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
echo "=================================================================="
echo "Local backup successful!"
echo "Backup archive name: $TARBALL_FILE"
echo "Backup archive size: $ARCHIVE_SIZE"
echo "=================================================================="
fi
}
{{- end }}
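Review bot: The retention passes select archives with unanchored substring matches — `grep $DB_NAME | grep $DB_NAMESPACE` in `prepare_list_of_remote_backups`, `grep ${PREFIXES[i]}` and the `${PREFIXES[i]}*.gz` glob in `backup_databases` — so in a shared container or archive directory a prefix such as `mariadb.openstack` also captures `mariadb.openstack-test.*` files, and `remove_old_remote_archives`/`remove_old_local_archives` can then delete another namespace's backups as "old". Anchoring the filters, `grep "^${DB_NAME}\.${DB_NAMESPACE}\."` and `grep "^${PREFIXES[i]}\."` (and the glob as `${PREFIXES[i]}.*.gz`), keeps each retention pass on its own files. Separately, `log_backup_error_exit` defaults `ERRCODE` to 0 and every caller passes only a message, so a failed dump or tarball exits 0 and the CronJob reports success; the `exit 1` after `log_verify_backup_exit` is likewise unreachable, so the default should be 1 unless the caller asks otherwise. `${$ARCHIVE_DIR}` in the else branch of `remove_old_local_archives` is a bad substitution that aborts the script if that branch is ever reached, and `rm -rf ${REMOTE_FILE}` in `send_to_remote_server` references a variable nothing sets.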


@ -0,0 +1,616 @@
{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
#!/bin/bash
# This file contains a database restore framework which database scripts
# can use to perform a backup. The idea here is that the database-specific
# functions will be implemented by the various databases using this script
# (like mariadb, postgresql or etcd for example). The database-specific
# script will need to first "source" this file like this:
# source /tmp/restore_main.sh
#
# Then the script should call the main CLI function (cli_main):
# cli_main <arg_list>
# where:
# <arg_list> is the list of arguments given by the user
#
# The framework will require the following variables to be exported:
#
# export DB_NAMESPACE Namespace where the database(s) reside
# export DB_NAME Name of the database system
# export ARCHIVE_DIR Location where the backup tarballs should
# be stored. (full directory path which
# should already exist)
# export CONTAINER_NAME Name of the container on the RGW where
# the backups are stored.
# RGW access variables:
# export OS_REGION_NAME Name of the region the RGW resides in
# export OS_AUTH_URL Keystone URL associated with the RGW
# export OS_PROJECT_NAME Name of the project associated with the
# keystone user
# export OS_USERNAME Name of the keystone user
# export OS_PASSWORD Password of the keystone user
# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
# export OS_IDENTITY_API_VERSION Keystone API version to use
#
# The database-specific functions that need to be implemented are:
# get_databases
# where:
# <tmp_dir> is the full directory path where the decompressed
# database files reside
# <db_file> is the full path of the file to write the database
# names into, one database per line
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to extract the database names from the
# uncompressed database files found in the given "tmp_dir", which is
# the staging directory for database restore. The database names
# should be written to the given "db_file", one database name per
# line.
#
# get_tables
# <db_name> is the name of the database to get the tables from
# <tmp_dir> is the full directory path where the decompressed
# database files reside
# <table_file> is the full path of the file to write the table
# names into, one table per line
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to extract the table names from the given
# database, found in the uncompressed database files located in the
# given "tmp_dir", which is the staging directory for database restore.
# The table names should be written to the given "table_file", one
# table name per line.
#
# get_rows
# <table_name> is the name of the table to get the rows from
# <db_name> is the name of the database the table resides in
# <tmp_dir> is the full directory path where the decompressed
# database files reside
# <rows_file> is the full path of the file to write the table
# row data into, one row (INSERT statement) per line
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to extract the rows from the given table
# in the given database, found in the uncompressed database files
# located in the given "tmp_dir", which is the staging directory for
# database restore. The table rows should be written to the given
# "rows_file", one row (INSERT statement) per line.
#
# get_schema
# <table_name> is the name of the table to get the schema from
# <db_name> is the name of the database the table resides in
# <tmp_dir> is the full directory path where the decompressed
# database files reside
# <schema_file> is the full path of the file to write the table
# schema data into
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to extract the schema from the given table
# in the given database, found in the uncompressed database files
# located in the given "tmp_dir", which is the staging directory for
# database restore. The table schema and related alterations and
# grant information should be written to the given "schema_file".
#
# restore_single_db
# where:
# <db_name> is the name of the database to be restored
# <tmp_dir> is the full directory path where the decompressed
# database files reside
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to restore the database given as "db_name"
# using the database files located in the "tmp_dir". The framework
# will delete the "tmp_dir" and the files in it after the restore is
# complete.
#
# restore_all_dbs
# where:
# <tmp_dir> is the full directory path where the decompressed
# database files reside
# returns: 0 if no errors; 1 if any errors occurred
#
# This function is expected to restore all of the databases which
# are backed up in the database files located in the "tmp_dir". The
# framework will delete the "tmp_dir" and the files in it after the
# restore is complete.
#
# The functions in this file will take care of:
# 1) The CLI parameter parsing for the arguments passed in by the user.
# 2) The listing of either local or remote archive files at the request
# of the user.
# 3) The retrieval/download of an archive file located either in the local
# file system or remotely stored on an RGW.
# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
# chooses to restore a database or all databases.
# 5) The framework will call "get_databases" when it needs a list of
# databases when the user requests a database list or when the user
# requests to restore a single database (to ensure it exists in the
# archive). Similarly, the framework will call "get_tables", "get_rows",
# or "get_schema" when it needs that data requested by the user.
#
usage() {
ret_val=$1
echo "Usage:"
echo "Restore command options"
echo "============================="
echo "help"
echo "list_archives [remote]"
echo "list_databases <archive_filename> [remote]"
echo "list_tables <archive_filename> <dbname> [remote]"
echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
echo "restore <archive_filename> <db_specifier> [remote]"
echo " where <db_specifier> = <dbname> | ALL"
echo "delete_archive <archive_filename> [remote]"
clean_and_exit $ret_val ""
}
#Exit cleanly with some message and return code
clean_and_exit() {
RETCODE=$1
MSG=$2
# Clean/remove temporary directories/files
rm -rf $TMP_DIR
rm -f $RESULT_FILE
if [[ "x${MSG}" != "x" ]]; then
echo $MSG
fi
exit $RETCODE
}
determine_resulting_error_code() {
RESULT="$1"
echo ${RESULT} | grep "HTTP 404"
if [[ $? -eq 0 ]]; then
echo "Could not find the archive: ${RESULT}"
return 1
else
echo ${RESULT} | grep "HTTP 401"
if [[ $? -eq 0 ]]; then
echo "Could not access the archive: ${RESULT}"
return 1
else
echo ${RESULT} | grep "HTTP 503"
if [[ $? -eq 0 ]]; then
echo "RGW service is unavailable. ${RESULT}"
# In this case, the RGW may be temporarily down.
# Return slightly different error code so the calling code can retry
return 2
else
echo ${RESULT} | grep "ConnectionError"
if [[ $? -eq 0 ]]; then
echo "Could not reach the RGW: ${RESULT}"
# In this case, keystone or the site/node may be temporarily down.
# Return slightly different error code so the calling code can retry
return 2
else
echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
return 1
fi
fi
fi
fi
return 0
}
# Retrieve a list of archives from the RGW.
retrieve_remote_listing() {
RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
if [[ $? -eq 0 ]]; then
# Get the list, ensureing that we only pick up the right kind of backups from the
# requested namespace
openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
if [[ $? -ne 0 ]]; then
echo "Container object listing could not be obtained."
return 1
else
echo "Archive listing successfully retrieved."
fi
else
determine_resulting_error_code "${RESULT}"
return $?
fi
return 0
}
# Retrieve a single archive from the RGW.
retrieve_remote_archive() {
ARCHIVE=$1
RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
if [[ $? -ne 0 ]]; then
determine_resulting_error_code "${RESULT}"
return $?
else
echo "Archive $ARCHIVE successfully retrieved."
fi
return 0
}
# Delete an archive from the RGW.
delete_remote_archive() {
ARCHIVE=$1
RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
if [[ $? -ne 0 ]]; then
determine_resulting_error_code "${RESULT}"
return $?
else
echo "Archive ${ARCHIVE} successfully deleted."
fi
return 0
}
# Display all archives
list_archives() {
REMOTE=$1
if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
retrieve_remote_listing
if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
echo
echo "All Archives from RGW Data Store"
echo "=============================================="
cat $TMP_DIR/archive_list | sort
clean_and_exit 0 ""
else
clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
fi
elif [[ "x${REMOTE}" == "x" ]]; then
if [[ -d $ARCHIVE_DIR ]]; then
archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
echo
echo "All Local Archives"
echo "=============================================="
for archive in $archives
do
echo $archive | cut -d '/' -f8-
done
clean_and_exit 0 ""
else
clean_and_exit 1 "ERROR: Local archive directory is not available."
fi
else
usage 1
fi
}
# Retrieve the archive from the desired location and decompress it into
# the restore directory
get_archive() {
ARCHIVE_FILE=$1
REMOTE=$2
if [[ "x$REMOTE" == "xremote" ]]; then
echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
retrieve_remote_archive $ARCHIVE_FILE
if [[ $? -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
fi
elif [[ "x$REMOTE" == "x" ]]; then
if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
if [[ $? -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
fi
else
clean_and_exit 1 "ERROR: Local archive file could not be found."
fi
else
usage 1
fi
echo "Decompressing archive $ARCHIVE_FILE..."
cd $TMP_DIR
tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
if [[ $? -ne 0 ]]; then
clean_and_exit 1 "ERROR: Archive decompression failed."
fi
}
# Display all databases from an archive
list_databases() {
ARCHIVE_FILE=$1
REMOTE=$2
WHERE="local"
if [[ -n ${REMOTE} ]]; then
WHERE="remote"
fi
# Get the archive from the source location (local/remote)
get_archive $ARCHIVE_FILE $REMOTE
# Expectation is that the database listing will be put into
# the given file one database per line
get_databases $TMP_DIR $RESULT_FILE
if [[ "$?" -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
fi
if [[ -f "$RESULT_FILE" ]]; then
echo " "
echo "Databases in the $WHERE archive $ARCHIVE_FILE"
echo "================================================================================"
cat $RESULT_FILE
else
clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
fi
}
# Display all tables of a database from an archive
list_tables() {
ARCHIVE_FILE=$1
DATABASE=$2
REMOTE=$3
WHERE="local"
if [[ -n ${REMOTE} ]]; then
WHERE="remote"
fi
# Get the archive from the source location (local/remote)
get_archive $ARCHIVE_FILE $REMOTE
# Expectation is that the database listing will be put into
# the given file one table per line
get_tables $DATABASE $TMP_DIR $RESULT_FILE
if [[ "$?" -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
fi
if [[ -f "$RESULT_FILE" ]]; then
echo " "
echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
echo "================================================================================"
cat $RESULT_FILE
else
clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
fi
}
# Display all rows of the given database table from an archive
list_rows() {
ARCHIVE_FILE=$1
DATABASE=$2
TABLE=$3
REMOTE=$4
WHERE="local"
if [[ -n ${REMOTE} ]]; then
WHERE="remote"
fi
# Get the archive from the source location (local/remote)
get_archive $ARCHIVE_FILE $REMOTE
# Expectation is that the database listing will be put into
# the given file one table per line
get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
if [[ "$?" -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
fi
if [[ -f "$RESULT_FILE" ]]; then
echo " "
echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
echo "================================================================================"
cat $RESULT_FILE
else
clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
fi
}
# Display the schema information of the given database table from an archive
list_schema() {
ARCHIVE_FILE=$1
DATABASE=$2
TABLE=$3
REMOTE=$4
WHERE="local"
if [[ -n ${REMOTE} ]]; then
WHERE="remote"
fi
# Get the archive from the source location (local/remote)
get_archive $ARCHIVE_FILE $REMOTE
# Expectation is that the schema information will be placed into
# the given schema file.
get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
if [[ "$?" -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
fi
if [[ -f "$RESULT_FILE" ]]; then
echo " "
echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
echo "================================================================================"
cat $RESULT_FILE
else
clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
fi
}
# Delete an archive
delete_archive() {
ARCHIVE_FILE=$1
REMOTE=$2
WHERE="local"
if [[ -n ${REMOTE} ]]; then
WHERE="remote"
fi
if [[ "${WHERE}" == "remote" ]]; then
delete_remote_archive ${ARCHIVE_FILE}
if [[ $? -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
fi
else # Local
if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
if [[ $? -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not delete local archive."
fi
else
clean_and_exit 1 "ERROR: Local archive file could not be found."
fi
fi
echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
}
# Return 1 if the given database exists in the database file. 0 otherwise.
database_exists() {
DB=$1
grep "${DB}" ${RESULT_FILE}
if [[ $? -eq 0 ]]; then
return 1
fi
return 0
}
# This is the main CLI interpreter function
cli_main() {
ARGS=("$@")
# Create the ARCHIVE DIR if it's not already there.
mkdir -p $ARCHIVE_DIR
# Create temp directory for a staging area to decompress files into
export TMP_DIR=$(mktemp -d)
# Create a temp file for storing list of databases (if needed)
export RESULT_FILE=$(mktemp -p /tmp)
case "${ARGS[0]}" in
"help")
usage 0
;;
"list_archives")
if [[ ${#ARGS[@]} -gt 2 ]]; then
usage 1
elif [[ ${#ARGS[@]} -eq 1 ]]; then
list_archives
else
list_archives ${ARGS[1]}
fi
clean_and_exit 0
;;
"list_databases")
if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
usage 1
elif [[ ${#ARGS[@]} -eq 2 ]]; then
list_databases ${ARGS[1]}
else
list_databases ${ARGS[1]} ${ARGS[2]}
fi
;;
"list_tables")
if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
usage 1
elif [[ ${#ARGS[@]} -eq 3 ]]; then
list_tables ${ARGS[1]} ${ARGS[2]}
else
list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
fi
;;
"list_rows")
if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
usage 1
elif [[ ${#ARGS[@]} -eq 4 ]]; then
list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
else
list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
fi
;;
"list_schema")
if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
usage 1
elif [[ ${#ARGS[@]} -eq 4 ]]; then
list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
else
list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
fi
;;
"restore")
REMOTE=""
if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
usage 1
elif [[ ${#ARGS[@]} -eq 4 ]]; then
REMOTE=${ARGS[3]}
fi
ARCHIVE=${ARGS[1]}
DB_SPEC=${ARGS[2]}
#Get all the databases in that archive
get_archive $ARCHIVE $REMOTE
if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
# Expectation is that the database listing will be put into
# the given file one database per line
get_databases $TMP_DIR $RESULT_FILE
if [[ "$?" -ne 0 ]]; then
clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
fi
if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
#check if the requested database is available in the archive
database_exists $DB_SPEC
if [[ $? -ne 1 ]]; then
clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
fi
fi
echo "Restoring Database $DB_SPEC And Grants"
restore_single_db $DB_SPEC $TMP_DIR
if [[ "$?" -eq 0 ]]; then
echo "Single database restored successfully."
else
clean_and_exit 1 "ERROR: Single database restore failed."
fi
clean_and_exit 0 ""
else
echo "Restoring All The Databases. This could take a few minutes..."
restore_all_dbs $TMP_DIR
if [[ "$?" -eq 0 ]]; then
echo "All databases restored successfully."
else
clean_and_exit 1 "ERROR: Database restore failed."
fi
clean_and_exit 0 ""
fi
;;
"delete_archive")
if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
usage 1
elif [[ ${#ARGS[@]} -eq 2 ]]; then
delete_archive ${ARGS[1]}
else
delete_archive ${ARGS[1]} ${ARGS[2]}
fi
;;
*)
usage 1
;;
esac
clean_and_exit 0 ""
}
{{- end }}


@ -0,0 +1,60 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Resolves an image reference to a string, and its pull policy
values: |
images:
tags:
test_image: docker.io/port/test:version-foo
image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
pull_policy: IfNotPresent
local_registry:
active: true
exclude:
- image_foo
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
usage: |
{{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
return: |
image: "localhost:5000/docker.io/port/test:version-foo"
imagePullPolicy: IfNotPresent
*/}}
{{- define "helm-toolkit.snippets.image" -}}
{{- $envAll := index . 0 -}}
{{- $image := index . 1 -}}
{{- $imageTag := index $envAll.Values.images.tags $image -}}
{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
{{- else -}}
image: {{ $imageTag | quote }}
{{- end }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{- end -}}
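Review bot: `index $envAll.Values.images.tags $image` on the line binding `$imageTag` yields an empty value when the tag key is absent, so a mistyped image name in a caller renders `image: ""` (or `image: "localhost:5000/"` when the local registry is active) instead of failing the template. Making the lookup fail closed is a one-line change: `{{- $imageTag := index $envAll.Values.images.tags $image | required (printf "images.tags.%s is not set" $image) -}}`. The final `imagePullPolicy:` line is also the only value in the snippet rendered without `quote`; harmless for the enum values Kubernetes accepts, but the abstract should state that `images.pull_policy` is a required value.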


@ -0,0 +1,142 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns a set of container enviorment variables, equivlant to an openrc for
use with keystone based command line clients.
values: |
secrets:
identity:
admin: example-keystone-admin
usage: |
{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
return: |
- name: OS_IDENTITY_API_VERSION
value: "3"
- name: OS_AUTH_URL
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_AUTH_URL
- name: OS_REGION_NAME
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_REGION_NAME
- name: OS_INTERFACE
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_INTERFACE
- name: OS_ENDPOINT_TYPE
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_INTERFACE
- name: OS_PROJECT_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_PROJECT_DOMAIN_NAME
- name: OS_PROJECT_NAME
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_PROJECT_NAME
- name: OS_USER_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_USER_DOMAIN_NAME
- name: OS_USERNAME
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_USERNAME
- name: OS_PASSWORD
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_PASSWORD
- name: OS_CACERT
valueFrom:
secretKeyRef:
name: example-keystone-admin
key: OS_CACERT
*/}}
{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
{{- $useCA := .useCA -}}
{{- $ksUserSecret := .ksUserSecret }}
- name: OS_IDENTITY_API_VERSION
value: "3"
- name: OS_AUTH_URL
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_AUTH_URL
- name: OS_REGION_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_REGION_NAME
- name: OS_INTERFACE
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_INTERFACE
- name: OS_ENDPOINT_TYPE
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_INTERFACE
- name: OS_PROJECT_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_DOMAIN_NAME
- name: OS_PROJECT_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_NAME
- name: OS_USER_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USER_DOMAIN_NAME
- name: OS_USERNAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USERNAME
- name: OS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PASSWORD
- name: OS_DEFAULT_DOMAIN
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_DEFAULT_DOMAIN
{{- if $useCA }}
- name: OS_CACERT
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_CACERT
{{- end }}
{{- end }}
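Review bot: The abstract's `return:` block does not match what the define emits: it lists `OS_CACERT` unconditionally, while the template renders it only inside `{{- if $useCA }}`, and it omits `OS_DEFAULT_DOMAIN`, which the template always emits. The `usage:` example also never shows the `useCA` key the define reads from its dict. Suggest adding `"useCA" true` to the usage example and updating the return block to include the `OS_DEFAULT_DOMAIN` entry and to mark `OS_CACERT` as rendered only when `useCA` is true; the spellings `enviorment`/`equivlant` in the abstract could be fixed in the same pass.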


@ -0,0 +1,32 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
{{- $userClass := index . 0 -}}
{{- $identityEndpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
OS_USERNAME: {{ $userContext.username | b64enc }}
OS_PASSWORD: {{ $userContext.password | b64enc }}
OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
{{- if $userContext.cacert }}
OS_CACERT: {{ $userContext.cacert | b64enc }}
{{- end }}
{{- end }}


@ -0,0 +1,90 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns a set of container enviorment variables, for use with the keystone
user management jobs.
values: |
secrets:
identity:
service_user: example-keystone-user
usage: |
{{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
return: |
- name: SERVICE_OS_REGION_NAME
valueFrom:
secretKeyRef:
name: example-keystone-user
key: OS_REGION_NAME
- name: SERVICE_OS_PROJECT_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: example-keystone-user
key: OS_PROJECT_DOMAIN_NAME
- name: SERVICE_OS_PROJECT_NAME
valueFrom:
secretKeyRef:
name: example-keystone-user
key: OS_PROJECT_NAME
- name: SERVICE_OS_USER_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: example-keystone-user
key: OS_USER_DOMAIN_NAME
- name: SERVICE_OS_USERNAME
valueFrom:
secretKeyRef:
name: example-keystone-user
key: OS_USERNAME
- name: SERVICE_OS_PASSWORD
valueFrom:
secretKeyRef:
name: example-keystone-user
key: OS_PASSWORD
*/}}
{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
{{- $ksUserSecret := .ksUserSecret }}
- name: SERVICE_OS_REGION_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_REGION_NAME
- name: SERVICE_OS_PROJECT_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_DOMAIN_NAME
- name: SERVICE_OS_PROJECT_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PROJECT_NAME
- name: SERVICE_OS_USER_DOMAIN_NAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USER_DOMAIN_NAME
- name: SERVICE_OS_USERNAME
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_USERNAME
- name: SERVICE_OS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_PASSWORD
{{- end }}
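Review bot: The `usage:` example passes `"useCA" true`, but the define reads only `.ksUserSecret` and emits no `SERVICE_OS_CACERT` entry, so the argument is silently ignored. Either drop `"useCA" true` from the example or, if the user-management jobs are meant to verify TLS against the secret's `OS_CACERT` key the way `keystone_openrc_env_vars` does, add a matching `{{- if .useCA }}` block; as written, a reader will assume the CA is wired through when it is not.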


@ -0,0 +1,68 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders a configmap used for loading custom AppArmor profiles.
values: |
pod:
mandatory_access_control:
type: apparmor
configmap_apparmor: true
apparmor_profiles: |-
my_apparmor-v1.profile: |-
#include <tunables/global>
profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
<profile_data>
}
usage: |
{{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
return: |
apiVersion: v1
kind: ConfigMap
metadata:
name: releaseName-myComponent-apparmor
namespace: myNamespace
data:
my_apparmor-v1.profile: |-
#include <tunables/global>
profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
<profile_data>
}
*/}}
{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
{{- $envAll := index . "envAll" -}}
{{- $component := index . "component" -}}
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
{{- if $envAll.Values.conf.apparmor_profiles }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $mapName }}
namespace: {{ $envAll.Release.Namespace }}
data:
{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
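Review bot: The define reads the profiles from `$envAll.Values.conf.apparmor_profiles`, but the `values:` example in the abstract places `apparmor_profiles` under `pod.mandatory_access_control`, so a chart following the documented layout renders no ConfigMap at all and the loader init container then has no `profiles` content to mount. One of the two should change; if `conf.apparmor_profiles` is the intended location, the example should move there and the `hasKey` chain should also guard it, e.g. `{{- if and (hasKey $envAll.Values "conf") (hasKey $envAll.Values.conf "apparmor_profiles") }}`, since evaluating `$envAll.Values.conf.apparmor_profiles` on a chart without a `conf` stanza is presumably a template error rather than a clean skip.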


@ -0,0 +1,75 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders the init container used for apparmor loading.
values: |
images:
tags:
apparmor_loader: my-repo.io/apparmor-loader:1.0.0
pod:
mandatory_access_control:
type: apparmor
configmap_apparmor: true
apparmor-loader: unconfined
usage: |
{{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
return: |
- name: apparmor-loader
image: my-repo.io/apparmor-loader:1.0.0
args:
- /profiles
securityContext:
privileged: true
volumeMounts:
- name: sys
mountPath: /sys
readOnly: true
- name: includes
mountPath: /etc/apparmor.d
readOnly: true
- name: profiles
mountPath: /profiles
readOnly: true
*/}}
{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
{{- $envAll := index . "envAll" -}}
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
- name: apparmor-loader
image: {{ $envAll.Values.images.tags.apparmor_loader }}
args:
- /profiles
securityContext:
privileged: true
volumeMounts:
- name: sys
mountPath: /sys
readOnly: true
- name: includes
mountPath: /etc/apparmor.d
readOnly: true
- name: profiles
mountPath: /profiles
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
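Review bot: The `image:` line renders `$envAll.Values.images.tags.apparmor_loader` directly, unquoted and without `imagePullPolicy`, whereas the sibling `kubernetes_entrypoint_init_container` goes through `helm-toolkit.snippets.image`, which also applies the `local_registry` prefix and `pull_policy`; with a local registry active this loader would be the one container still pulling the public tag. Replacing the line with `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` makes it consistent. The container also runs with `privileged: true` while every mount it receives is `readOnly`; the abstract should state why full privilege rather than a narrower capability set is required for profile loading, so reviewers of consuming charts know the widening is intentional.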


@ -0,0 +1,68 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders the volumes used by the apparmor loader.
values: |
pod:
mandatory_access_control:
type: apparmor
configmap_apparmor: true
inputs: |
envAll: "Environment or Context."
component: "Name of the component used for the name of configMap."
requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
usage: |
{{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
return: |
- name: sys
hostPath:
path: /sys
- name: includes
hostPath:
path: /etc/apparmor.d
- name: profiles
configMap:
name: RELEASENAME-keystone-apparmor
defaultMode: 0555
*/}}
{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
{{- $envAll := index . "envAll" -}}
{{- $component := index . "component" -}}
{{- $requireSys := index . "requireSys" | default false -}}
{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
{{- if $requireSys }}
- name: sys
hostPath:
path: /sys
{{- end }}
- name: includes
hostPath:
path: /etc/apparmor.d
- name: profiles
configMap:
name: {{ $configName | quote }}
defaultMode: 0555
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
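Review bot: `defaultMode: 0555` relies on the parser treating a leading zero as octal (YAML 1.1 behaviour); a YAML 1.2 parser reads it as decimal 555, a different mode, and the rendered manifest may pass through tooling other than Helm. Writing the decimal value with the intent alongside, `defaultMode: 365  # 0555`, removes the ambiguity. The `inputs:` block also documents `component` as required but nothing checks it; `{{- $component := index . "component" | required "component is required" -}}` would turn a missing key into a clear error instead of a malformed ConfigMap name.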


@ -0,0 +1,48 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders securityContext for a Kubernetes container.
For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
examples:
- values: |
pod:
security_context:
myApp:
container:
foo:
runAsUser: 34356
readOnlyRootFilesystem: true
usage: |
{{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
return: |
securityContext:
readOnlyRootFilesystem: true
runAsUser: 34356
*/}}
{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
{{- $envAll := index . "envAll" -}}
{{- $application := index . "application" -}}
{{- $container := index . "container" -}}
{{- if hasKey $envAll.Values.pod "security_context" }}
{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
securityContext:
{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
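Review bot: The third guard, `hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container`, assumes the application stanza has a `container` key; when a chart defines `pod.security_context.<app>` with only a `pod:` section, `index` yields nil and `hasKey` on a nil map presumably fails the render rather than skipping as the outer guards intend. Adding an intermediate check keeps the fail-safe behaviour: `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "container" }}` before the existing container check, with a matching `{{- end -}}`. Also, `( index $envAll.Values.pod.security_context )` on the second guard is a one-argument `index`, which is just the map itself and can be written plainly.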


@ -0,0 +1,209 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns a container definition for use with the kubernetes-entrypoint image
from stackanetes.
values: |
images:
tags:
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
pull_policy: IfNotPresent
local_registry:
active: true
exclude:
- dep_check
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- calico-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
calico_node:
services:
- endpoint: internal
service: etcd
custom_resources:
- apiVersion: argoproj.io/v1alpha1
kind: Workflow
name: wf-example
fields:
- key: "status.phase"
value: "Succeeded"
endpoints:
local_image_registry:
namespace: docker-registry
hosts:
default: localhost
node: localhost
etcd:
hosts:
default: etcd
# NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
# specififed then the following will be used as defaults:
# pod:
# security_context:
# kubernetes_entrypoint:
# container:
# kubernetes_entrypoint:
# runAsUser: 65534
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
pod:
security_context:
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
runAsUser: 0
readOnlyRootFilesystem: false
usage: |
{{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
return: |
- name: init
image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsUser: 0
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INTERFACE_NAME
value: eth0
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
- name: DEPENDENCY_SERVICE
value: "default:etcd,docker-registry:localhost"
- name: DEPENDENCY_JOBS
value: "calico-image-repo-sync"
- name: DEPENDENCY_DAEMONSET
value: ""
- name: DEPENDENCY_CONTAINER
value: ""
- name: DEPENDENCY_POD_JSON
value: ""
- name: DEPENDENCY_CUSTOM_RESOURCE
value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
command:
- kubernetes-entrypoint
volumeMounts:
[]
*/}}
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
Values:
pod:
security_context:
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
runAsUser: 65534
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
{{- end -}}
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
{{- $envAll := index . 0 -}}
{{- $component := index . 1 -}}
{{- $mounts := index . 2 -}}
{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
{{- if eq $component "pod_dependency" -}}
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
{{- else -}}
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
{{- end -}}
{{- else -}}
{{- if eq $component "pod_dependency" -}}
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
{{- else -}}
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
{{- end -}}
{{- end -}}
{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
{{- if eq $component "pod_dependency" -}}
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
{{- else -}}
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
{{- range $deps.custom_resources }}
{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
{{- end -}}
{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
- name: init
{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INTERFACE_NAME
value: eth0
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
- name: DEPENDENCY_SERVICE
value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
{{- if $deps.jobs -}}
{{- if kindIs "string" (index $deps.jobs 0) }}
- name: DEPENDENCY_JOBS
value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
{{- else }}
- name: DEPENDENCY_JOBS_JSON
value: {{- toJson $deps.jobs | quote -}}
{{- end -}}
{{- end }}
- name: DEPENDENCY_DAEMONSET
value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
- name: DEPENDENCY_CONTAINER
value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
- name: DEPENDENCY_POD_JSON
value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
- name: DEPENDENCY_CUSTOM_RESOURCE
value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
command:
- kubernetes-entrypoint
volumeMounts:
{{ toYaml $mounts | indent 4 }}
{{- end -}}
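Review bot: On the `DEPENDENCY_JOBS_JSON` entry, `value: {{- toJson $deps.jobs | quote -}}` uses a left-trim, which removes the space after `value:` and renders `value:"[…]"`; per the YAML spec that line is a plain scalar rather than a mapping entry, so a chart whose `jobs` list holds objects rather than strings would fail to render unless the consuming parser is more lenient than the spec. The `DEPENDENCY_POD_JSON` and `DEPENDENCY_CUSTOM_RESOURCE` entries below it use untrimmed `{{ … }}` and are fine; `value: {{ toJson $deps.jobs | quote }}` aligns the jobs branch with them. The `and ($envAll.Values.manifests.job_rabbit_init) …` guard also dereferences `.Values.manifests` unconditionally, unlike the `hasKey $envAll.Values.dependencies "dynamic"` beside it; guarding it the same way would keep charts without a `manifests` stanza renderable.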


@ -0,0 +1,20 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
{{- $envAll := index . 0 -}}
{{- $application := index . 1 -}}
{{- $component := index . 2 -}}
{{ print "-l application=" $application " -l component=" $component }}
{{- end -}}


@ -0,0 +1,60 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders mandatory access control annotations for a list of containers
driven by values.yaml. As of now, it can only generate an apparmor
annotation, but in the future could generate others.
values: |
pod:
mandatory_access_control:
type: apparmor
myPodName:
myContainerName: localhost/myAppArmor
mySecondContainerName: localhost/secondProfile # optional
myThirdContainerName: localhost/thirdProfile # optional
usage: |
{{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
return: |
container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
note: |
The number of container underneath is a variable arguments. It loops through
all the container names specified.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
{{- $envAll := index . "envAll" -}}
{{- $podName := index . "podName" -}}
{{- $containerNames := index . "containerNames" -}}
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
{{- if $macType -}}
{{- if eq $macType "apparmor" -}}
{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
{{- range $name := $containerNames -}}
{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
{{- if $apparmorProfile }}
container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
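Review bot: A container named in `containerNames` but absent from `pod.mandatory_access_control.<podName>` is silently skipped by the `{{- if $apparmorProfile }}` guard inside the range, so a misspelled container name leaves that container without the intended AppArmor confinement and nothing in the render shows it. The abstract should say so explicitly, e.g. `note: containers with no profile configured are skipped without error; check the rendered annotations`, and the profile value should be emitted with `| quote` so a YAML re-typing surprise cannot alter it. It is also worth noting in the abstract that this is the `container.apparmor.security.beta.kubernetes.io/*` annotation form; clusters that expose AppArmor through `securityContext.appArmorProfile` may prefer the field, which this snippet does not produce.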


@ -0,0 +1,51 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders a set of standardised labels
values: |
release_group: null
pod:
labels:
default:
label1.example.com: value
bar:
label2.example.com: bar
usage: |
{{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
return: |
release_group: RELEASE-NAME
application: foo
component: bar
label1.example.com: value
label2.example.com: bar
*/}}
{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
{{- $envAll := index . 0 -}}
{{- $application := index . 1 -}}
{{- $component := index . 2 -}}
release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
application: {{ $application }}
component: {{ $component }}
{{- if ($envAll.Values.pod).labels }}
{{- if hasKey $envAll.Values.pod.labels $component }}
{{ index $envAll.Values.pod "labels" $component | toYaml }}
{{- end -}}
{{- if hasKey $envAll.Values.pod.labels "default" }}
{{ $envAll.Values.pod.labels.default | toYaml }}
{{- end -}}
{{- end -}}
{{- end -}}
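Review bot: The three fixed labels are rendered as bare scalars (`release_group: {{ ... }}`, `application: {{ $application }}`, `component: {{ $component }}`), so a release name or component that happens to look like a number or boolean is re-typed when Helm parses the rendered manifest, and the API server rejects non-string label values. Quoting them costs nothing: `release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name | quote }}`, and likewise `{{ $application | quote }}` / `{{ $component | quote }}`. The user-supplied `pod.labels` maps go through `toYaml`, which already quotes where needed, so only the three literal lines are affected.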


@ -0,0 +1,89 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders kubernetes anti affinity rules, this function supports both hard
'requiredDuringSchedulingIgnoredDuringExecution' and soft
'preferredDuringSchedulingIgnoredDuringExecution' types.
values: |
pod:
affinity:
anti:
topologyKey:
default: kubernetes.io/hostname
type:
default: requiredDuringSchedulingIgnoredDuringExecution
weight:
default: 10
usage: |
{{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
return: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: release_group
operator: In
values:
- RELEASE-NAME
- key: application
operator: In
values:
- appliction_x
- key: component
operator: In
values:
- component_y
topologyKey: kubernetes.io/hostname
*/}}
{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
{{- $envAll := index . "envAll" -}}
{{- $application := index . "application" -}}
{{- $component := index . "component" -}}
{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
{{- end -}}
{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
{{- $envAll := index . 0 -}}
{{- $application := index . 1 -}}
{{- $component := index . 2 -}}
{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
podAntiAffinity:
{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
{{ $antiAffinityType }}:
- podAffinityTerm:
labelSelector:
matchExpressions:
{{ $matchExpressions | indent 10 }}
topologyKey: {{ $antiAffinityKey }}
{{- if $envAll.Values.pod.affinity.anti.weight }}
weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
{{- else }}
weight: 10
{{- end -}}
{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
{{ $antiAffinityType }}:
- labelSelector:
matchExpressions:
{{ $matchExpressions | indent 8 }}
topologyKey: {{ $antiAffinityKey }}
{{- end -}}
{{- end -}}
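Review bot: An unrecognised `pod.affinity.anti.type` value (a typo, or a component-level override that is not one of the two supported strings) falls through both `eq` branches and renders a bare `podAntiAffinity:` with no rules, so the pods silently lose their spread across hosts instead of the chart failing to render. Since the abstract promises exactly two supported types, add a terminal branch before the closing `end`: `{{- else }}{{- fail (printf "unsupported pod.affinity.anti.type %q for component %s" $antiAffinityType $component) }}`. The same check would also catch a `topologyKey` lookup that resolved to an empty string, if that is ever a concern for this chart.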


@ -0,0 +1,45 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders image pull secrets for a pod
values: |
pod:
image_pull_secrets:
default:
- name: some-pull-secret
bar:
- name: another-pull-secret
usage: |
{{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
return: |
imagePullSecrets:
- name: some-pull-secret
- name: another-pull-secret
*/}}
{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
{{- $envAll := index . 0 -}}
{{- $application := index . 1 -}}
{{- if ($envAll.Values.pod).image_pull_secrets }}
imagePullSecrets:
{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
{{- end -}}
{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
{{- end -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,69 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
{{- $envAll := index . 0 -}}
{{- $deps := index . 1 -}}
{{- $saName := index . 2 | replace "_" "-" }}
{{- $saNamespace := index . 3 -}}
{{- $releaseName := $envAll.Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $releaseName }}-{{ $saName }}
namespace: {{ $saNamespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
subjects:
- kind: ServiceAccount
name: {{ $saName }}
namespace: {{ $saNamespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
namespace: {{ $saNamespace }}
rules:
- apiGroups:
- ""
- extensions
- batch
- apps
verbs:
- get
- list
resources:
{{- range $k, $v := $deps -}}
{{ if eq $v "daemonsets" }}
- daemonsets
{{- end -}}
{{ if eq $v "jobs" }}
- jobs
{{- end -}}
{{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
- pods
{{- end -}}
{{ if eq $v "services" }}
- services
- endpoints
{{- end -}}
{{ if eq $v "secrets" }}
- secrets
{{- end -}}
{{- end -}}
{{- end -}}
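Review bot: When `$deps` contains `secrets`, the Role grants both `get` and `list` on `secrets` for the whole namespace, and `list` returns the contents of every Secret there, which is considerably more than a dependency check needs; if the caller knows the secret names it waits on, they should be passed through and pinned with `resourceNames`, and `list` dropped for that resource. The `verbs`/`apiGroups` are shared across all resources in the rule, so this cannot be narrowed per resource without splitting the rule list, e.g. one rule for `pods`/`daemonsets`/`jobs`/`services`/`endpoints` with `get`+`list` and a separate rule for `secrets` with `get` only. Separately, the `extensions` API group no longer serves any of these resources on current Kubernetes releases, and a `$deps` list naming several of `pods`/`daemonsets`/`jobs` emits `- pods` more than once; both are harmless to the API server but make the rendered Role harder to audit.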


@ -0,0 +1,75 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
{{- $envAll := index . 0 -}}
{{- $component := index . 1 -}}
{{- $saName := index . 2 -}}
{{- $saNamespace := $envAll.Release.Namespace }}
{{- $randomKey := randAlphaNum 32 }}
{{- $allNamespace := dict $randomKey "" }}
{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
{{- if eq $component "pod_dependency" -}}
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
{{- else -}}
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
{{- end -}}
{{- else -}}
{{- if eq $component "pod_dependency" -}}
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
{{- else -}}
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
{{- end -}}
{{- end -}}
{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $saName }}
namespace: {{ $saNamespace }}
{{- if $envAll.Values.manifests.secret_registry }}
{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
imagePullSecrets:
- name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
{{- end -}}
{{- end -}}
{{- range $k, $v := $deps -}}
{{- if eq $k "services" }}
{{- range $serv := $v }}
{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
{{- end -}}
{{- end -}}
{{- else if and (eq $k "jobs") $v }}
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
{{- else if and (eq $k "daemonset") $v }}
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
{{- else if and (eq $k "pod") $v }}
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
{{- else if and (eq $k "secret") $v }}
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
{{- end -}}
{{- end -}}
{{- $_ := unset $allNamespace $randomKey }}
{{- range $ns, $vv := $allNamespace }}
{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
{{- end -}}
{{- end -}}
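Review bot: The final `tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles"` passes the endpoint's namespace `$ns` as the roles snippet's only namespace argument, while the ServiceAccount above is created in `$saNamespace`, the release namespace; for a service whose `endpoints.<svc>.namespace` differs from the release namespace, the rendered RoleBinding therefore names a ServiceAccount `{{ $saName }}` in `$ns`, which this chart does not create there. Unless a same-named ServiceAccount already exists in that namespace, the cross-namespace grant is a dangling binding and the entrypoint's service check will be denied. The roles snippet needs a distinct subject namespace, e.g. an extra argument `tuple $envAll $resourceList $saName $ns $saNamespace` used only for `subjects[].namespace`, so the Role lands in `$ns` and the binding still points at the release's ServiceAccount. Also note that `pod`, `daemonset` and `secret` are mapped to RBAC resources here, but a `container` dependency (exported as `DEPENDENCY_CONTAINER` by the init-container snippet) is not; if that check needs `pods` access it is currently unprovisioned, which is worth confirming against the entrypoint's behaviour.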


@ -0,0 +1,67 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders securityContext for a Kubernetes pod.
For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
examples:
- values: |
pod:
# NOTE: The 'user' key is deprecated, and will be removed shortly.
user:
myApp:
uid: 34356
security_context:
myApp:
pod:
runAsNonRoot: true
usage: |
{{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
return: |
securityContext:
runAsUser: 34356
runAsNonRoot: true
- values: |
pod:
security_context:
myApp:
pod:
runAsUser: 34356
runAsNonRoot: true
usage: |
{{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
return: |
securityContext:
runAsNonRoot: true
runAsUser: 34356
*/}}
{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
{{- $envAll := index . "envAll" -}}
{{- $application := index . "application" -}}
securityContext:
{{- if hasKey $envAll.Values.pod "user" }}
{{- if hasKey $envAll.Values.pod.user $application }}
{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if hasKey $envAll.Values.pod "security_context" }}
{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
{{- end -}}
{{- end -}}
{{- end -}}
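Review bot: `toYaml ( index $envAll.Values.pod.security_context $application "pod" )` is rendered whenever `pod.security_context.<application>` exists, but nothing checks that the `pod` sub-key does; `index` returns nil for a missing key and `toYaml nil` yields `null`, so an application that only sets `container:` entries renders `securityContext:` followed by an indented `null` (a parse error if a `runAsUser` line was already emitted from the deprecated `user` path). Guard the inner block with `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "pod" }}` around the `toYaml` line. The abstract should also state that this snippet emits no defaults of its own: unless the chart's values set `runAsNonRoot`, `runAsUser` and friends, the rendered `securityContext` is empty and the pod runs with the runtime's defaults.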


@ -0,0 +1,55 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders kubernetes liveness and readiness probes for containers
values: |
pod:
probes:
api:
default:
readiness:
enabled: true
params:
initialDelaySeconds: 30
timeoutSeconds: 30
usage: |
{{- define "probeTemplate" }}
httpGet:
path: /status
port: 9090
{{- end }}
{{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
return: |
readinessProbe:
httpGet:
path: /status
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
*/}}
{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
{{- $envAll := index . "envAll" -}}
{{- $component := index . "component" -}}
{{- $container := index . "container" -}}
{{- $type := index . "type" -}}
{{- $probeTemplate := index . "probeTemplate" -}}
{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
{{- if $probeOpts.enabled -}}
{{- $probeOverides := index $probeOpts "params" | default dict -}}
{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
{{- end -}}
{{- end -}}
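Review bot: `index $envAll.Values.pod.probes $component $container $type` errors out at render time rather than degrading when any level of `pod.probes.<component>.<container>.<type>` is missing: a missing inner key yields nil and the following `$probeOpts.enabled` is a nil-pointer evaluation, and a missing outer key makes the next `index` step fail on an untyped nil. If an absent probe config is meant to mean "no probe", default each step, e.g. `{{- $probeOpts := index ($envAll.Values.pod.probes | default dict) $component | default dict | ... }}`, or document in the abstract that every component/container/type used with this snippet must be present in values. Note also that `mergeOverwrite` mutates `$probeTemplate` in place; callers that build the template once and reuse it across several `type` values will see earlier overrides leak into later probes.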


@ -0,0 +1,53 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Note: This function is deprecated and will be removed in the future.
abstract: |
Renders kubernetes resource limits for pods
values: |
pod:
resources:
enabled: true
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
hugepages-1Gi: "1Gi"
usage: |
{{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
return: |
resources:
limits:
cpu: "2000m"
memory: "1024Mi"
hugepages-1Gi: "1Gi"
requests:
cpu: "100m"
memory: "128Mi
*/}}
{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
{{- $envAll := index . 0 -}}
{{- $component := index . 1 -}}
{{- if $envAll.Values.pod.resources.enabled -}}
resources:
{{ toYaml $component | trim | indent 2 }}
{{- end -}}
{{- end -}}


@ -0,0 +1,47 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders seccomp annotations for a list of containers driven by values.yaml.
values: |
pod:
seccomp:
myPodName:
myContainerName: localhost/mySeccomp
mySecondContainerName: localhost/secondProfile # optional
myThirdContainerName: localhost/thirdProfile # optional
usage: |
{{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
return: |
container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
note: |
The number of container underneath is a variable arguments. It loops through
all the container names specified.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
{{- $envAll := index . "envAll" -}}
{{- $podName := index . "podName" -}}
{{- $containerNames := index . "containerNames" -}}
{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
{{- range $name := $containerNames -}}
{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
{{- if $seccompProfile }}
container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
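Review bot: `container.seccomp.security.alpha.kubernetes.io/<name>` is the alpha annotation form that Kubernetes deprecated in favour of `securityContext.seccompProfile`; on releases that no longer honour the annotation the profile named here is silently not applied and the container runs without the intended syscall filter, which is the opposite of what a caller adding this snippet expects. If the target clusters are on such a release, the profile should be rendered into the container's `securityContext` (the container security-context snippet already exists in this toolkit) rather than as an annotation, and the abstract should carry a warning either way, e.g. `note: annotation-based seccomp is not honoured by newer Kubernetes releases; prefer securityContext.seccompProfile`. As with the AppArmor snippet, a container absent from `pod.seccomp.<podName>` is skipped by the `{{- if $seccompProfile }}` guard without any signal, and the value is emitted unquoted.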


@ -0,0 +1,45 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders kubernetes tolerations for pods
values: |
pod:
tolerations:
api:
enabled: true
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
- key: node-role.kubernetes.io/node
operator: Exists
usage: |
{{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
return: |
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
- key: node-role.kubernetes.io/node
operator: Exists
*/}}
{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
{{- $envAll := index . 0 -}}
{{- $component := index . 1 -}}
{{- $pod := index $envAll.Values.pod.tolerations $component }}
tolerations:
{{ toYaml $pod.tolerations }}
{{- end -}}
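Review bot: The documented values show `pod.tolerations.api.enabled: true`, but the snippet never reads `enabled`; it unconditionally renders `tolerations:` from `$pod.tolerations`, so setting `enabled: false` has no effect and the pods keep tolerating the master/node taints. Either honour the flag, `{{- if $pod.enabled }}` around the two output lines, or remove `enabled` from the documented values so callers are not misled. If `$envAll.Values.pod.tolerations` has no entry for `$component`, `$pod` is nil and `$pod.tolerations` fails the render; a `| default dict` on the `index` line would let the snippet degrade to an empty list instead.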


@ -0,0 +1,33 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
{{- $envAll := index . 0 -}}
{{- $component := index . 1 -}}
{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
{{- with $upgradeMap -}}
{{- if .enabled }}
minReadySeconds: {{ .min_ready_seconds }}
updateStrategy:
type: {{ $pod_replacement_strategy }}
{{- if $pod_replacement_strategy }}
{{- if eq $pod_replacement_strategy "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .max_unavailable }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}


@ -0,0 +1,27 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
{{- $envAll := index . 0 -}}
{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
revisionHistoryLimit: {{ .revision_history }}
strategy:
type: {{ .pod_replacement_strategy }}
{{- if eq .pod_replacement_strategy "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .rolling_update.max_unavailable }}
maxSurge: {{ .rolling_update.max_surge }}
{{- end }}
{{- end -}}
{{- end -}}


@ -0,0 +1,51 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders upgradeStrategy configuration for Kubernetes statefulsets.
See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
Types:
- RollingUpdate (default)
- OnDelete
Partitions:
- Stage updates to a statefulset by keeping pods at current version while
allowing mutations to statefulset's .spec.template
values: |
pod:
lifecycle:
upgrades:
statefulsets:
pod_replacement_strategy: RollingUpdate
partition: 2
usage: |
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
return: |
updateStrategy:
type: RollingUpdate
rollingUpdate:
partition: 2
*/}}
{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
{{- $envAll := index . 0 -}}
{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
updateStrategy:
type: {{ .pod_replacement_strategy }}
{{ if .partition -}}
rollingUpdate:
partition: {{ .partition }}
{{- end -}}
{{- end -}}
{{- end -}}
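Review bot: `{{ if .partition -}}` gates `rollingUpdate` only on the partition being truthy, not on the strategy type, so values with `pod_replacement_strategy: OnDelete` and a `partition` set render a `rollingUpdate` stanza under an `OnDelete` strategy, which the StatefulSet validation rejects; the deployment snippet in this change gets this right by checking the type first. Change the guard to `{{ if and (eq .pod_replacement_strategy "RollingUpdate") .partition -}}`. Note also that a truthiness check means `partition: 0` can never be expressed explicitly, which is fine only because 0 is the API default; a comment saying so would save the next reader a trip.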


@ -0,0 +1,68 @@
{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
{{/*
Inserts a bash function definition mon_host_from_k8s_ep() which can be used
to construct a mon_hosts value from the given namespaced endpoint.
Usage (e.g. in _script.sh.tpl):
#!/bin/bash
: "${NS:=ceph}"
: "${EP:=ceph-mon-discovery}"
{{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
if [ -z "$MON_HOST" ]; then
# deal with failure
else
sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
fi
*/}}
{{`
# Construct a mon_hosts value from the given namespaced endpoint
# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
# The entries for all IPs will be joined with commas
mon_host_from_k8s_ep() {
local ns=$1
local ep=$2
if [ -z "$ns" ] || [ -z "$ep" ]; then
return 1
fi
# We don't want shell expansion for the go-template expression
# shellcheck disable=SC2016
kubectl get endpoints -n "$ns" "$ep" -o go-template='
{{- $sep := "" }}
{{- range $_,$s := .subsets }}
{{- $v2port := 0 }}
{{- $v1port := 0 }}
{{- range $_,$port := index $s "ports" }}
{{- if (eq $port.name "mon-msgr2") }}
{{- $v2port = $port.port }}
{{- else if (eq $port.name "mon") }}
{{- $v1port = $port.port }}
{{- end }}
{{- end }}
{{- range $_,$address := index $s "addresses" }}
{{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
{{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
{{- if (and $v2port $v1port) }}
{{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
{{- $sep = "," }}
{{- else if $v2port }}
{{- printf "%s[%s]" $sep $v2endpoint }}
{{- $sep = "," }}
{{- else if $v1port }}
{{- printf "%s[%s]" $sep $v1endpoint }}
{{- $sep = "," }}
{{- end }}
{{- end }}
{{- end }}'
}
`}}
{{- end -}}
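Review bot: The usage example's `sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf` breaks on the value this function actually produces: every entry ends in `/0` (see the `printf "v2:%s:%d/0"` / `printf "v1:%s:%d/0"` lines), so the unescaped slash terminates the `s///` expression and sed aborts with an unknown-option error. Use a delimiter that cannot appear in the value, `sed -i -e "s|^mon_host = |mon_host = $MON_HOST|" /etc/ceph/ceph.conf`, and say in the docstring that the output contains `/` and `:`. The format comment above the function is also out of step with the code: it describes `[v2:x.x.x.x/p/0]`, but the template emits `v2:x.x.x.x:p/0`, with the port separated by a colon. Since the function returns kubectl's exit status and an empty string on any failure, the documented `if [ -z "$MON_HOST" ]` check is the right guard; it is worth stating that an endpoint with neither a `mon` nor a `mon-msgr2` port also yields an empty string.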


@ -0,0 +1,33 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# Appends annotations for configuring prometheus scrape jobs via pod
# annotations. The required annotations are:
# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
# pod's declared ports (default is a port-free target if none are declared).
{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
{{- $config := index . 0 -}}
{{- if $config.scrape }}
prometheus.io/scrape: {{ $config.scrape | quote }}
{{- end }}
{{- if $config.path }}
prometheus.io/path: {{ $config.path | quote }}
{{- end }}
{{- if $config.port }}
prometheus.io/port: {{ $config.port | quote }}
{{- end }}
{{- end -}}


@ -0,0 +1,35 @@
{{/*
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# Appends annotations for configuring prometheus scrape endpoints via
# annotations. The required annotations are:
# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
# to set this to `https` & most likely set the `tls_config` of the scrape config.
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
# * `prometheus.io/port`: If the metrics are exposed on a different port to the
# service then set this appropriately.
{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
{{- $config := index . 0 -}}
{{- if $config.scrape }}
prometheus.io/scrape: {{ $config.scrape | quote }}
{{- end }}
{{- if $config.scheme }}
prometheus.io/scheme: {{ $config.scheme | quote }}
{{- end }}
{{- if $config.path }}
prometheus.io/path: {{ $config.path | quote }}
{{- end }}
{{- if $config.port }}
prometheus.io/port: {{ $config.port | quote }}
{{- end }}
{{- end -}}
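Review bot: The license header on this file is missing its first line; it opens with `you may not use this file except in compliance with the License.` while every sibling snippet begins with `Licensed under the Apache License, Version 2.0 (the "License");`. Restore that line so the header is a complete Apache-2.0 notice rather than a fragment. The `prometheus.io/scheme` comment is a useful reminder that a scraped HTTPS endpoint also needs `tls_config` on the Prometheus side; consider noting that the snippet itself does not validate the scheme value, so `https` is only as good as the scrape config that consumes it.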


@ -0,0 +1,29 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Reneders an attonation key and value for a release
values: |
release_uuid: null
usage: |
{{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
return: |
"openstackhelm.openstack.org/release_uuid": ""
*/}}
{{- define "helm-toolkit.snippets.release_uuid" -}}
{{- $envAll := index . 0 -}}
"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
{{- end -}}
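Review bot: The abstract for this snippet has two typos, `Reneders an attonation key and value for a release`; suggest `Renders an annotation key and value for a release`. The `default "" | quote` chain keeps the rendered value a quoted string when `release_uuid` is unset, which matches the documented `return:` block, so no code change is needed.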


@ -0,0 +1,32 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
{{- $s3AdminSecret := .s3AdminSecret }}
- name: S3_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: {{ $s3AdminSecret }}
key: S3_ADMIN_USERNAME
- name: S3_ADMIN_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ $s3AdminSecret }}
key: S3_ADMIN_ACCESS_KEY
- name: S3_ADMIN_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ $s3AdminSecret }}
key: S3_ADMIN_SECRET_KEY
{{- end }}
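Review bot: `name: {{ $s3AdminSecret }}` is rendered unquoted three times, so a caller that omits `.s3AdminSecret` produces `name:` (a YAML null) and the mistake only surfaces as an API-server validation error on the env var rather than at render time. A `required` guard on the first line makes it fail early and with a readable message: `{{- $s3AdminSecret := required "s3AdminSecret is required" .s3AdminSecret }}`, and the three secret references would then read `name: {{ $s3AdminSecret | quote }}`.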


@ -0,0 +1,29 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
{{- range $client, $config := .Values.storage.s3.clients -}}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
type: Opaque
data:
{{- range $key, $value := $config.auth }}
{{ $key | upper }}: {{ $value | toString | b64enc}}
{{- end }}
{{ end }}
{{- end }}
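Review bot: `{{ $key | upper }}: {{ $value | toString | b64enc}}` encodes whatever sits under `auth` without checking it, so a null field presumably ends up as the base64 of the literal `<nil>` (sprig's `toString` formats nil with `%v`) instead of failing the render; `{{ $key | upper }}: {{ required (printf "storage.s3.clients.%s.auth.%s must be set" $client $key) $value | toString | b64enc }}` would catch that at template time. Because these values go verbatim (base64 is an encoding, not encryption) into a Secret and into the Helm release record, the snippet deserves a header comment stating that `auth` entries are meant to be supplied at deploy time rather than committed in a values file.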


@ -0,0 +1,34 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
{{- range $client, $user := .Values.storage.s3.clients }}
{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
valueFrom:
secretKeyRef:
name: {{ $s3secret }}
key: USERNAME
- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
valueFrom:
secretKeyRef:
name: {{ $s3secret }}
key: ACCESS_KEY
- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
valueFrom:
secretKeyRef:
name: {{ $s3secret }}
key: SECRET_KEY
{{- end }}
{{- end }}
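Review bot: The `secretKeyRef` keys `USERNAME`, `ACCESS_KEY` and `SECRET_KEY` only resolve if each client's `auth` map consumed by `rgw_s3_secret_creds` carries `username`, `access_key` and `secret_key` (that snippet upper-cases the keys), and the secret name expression `printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower )` is duplicated between the two snippets; neither coupling is written down. A header would make it explicit: `{{/* Env vars for every storage.s3.clients entry; the secret name and keys must match the Secret rendered by helm-toolkit.snippets.rgw_s3_secret_creds (auth.username, auth.access_key, auth.secret_key). */}}`.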


@ -0,0 +1,47 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders a secret volume for tls.
Dictionary Parameters:
enabled: boolean check if you want to conditional disable this snippet (optional)
name: name of the volume (required)
secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
values: |
manifests:
certificates: true
usage: |
{{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
{{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
return: |
- name: glance-tls-api
secret:
secretName: glance-tls-api
defaultMode: 292
*/}}
{{- define "helm-toolkit.snippets.tls_volume" }}
{{- $enabled := index . "enabled" -}}
{{- $name := index . "name" -}}
{{- $secretName := index . "secretName" | default $name -}}
{{- if and $enabled (ne $name "") }}
- name: {{ $name }}
secret:
secretName: {{ $secretName }}
defaultMode: 292
{{- end }}
{{- end }}
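Review bot: `defaultMode: 292` (octal 0444) makes `tls.key` readable by every user inside the pod, and nothing on the line explains why the mode is that loose, so the next maintainer may either tighten it and break non-root containers that have no `fsGroup`, or leave it without understanding the trade-off. A comment on the line covers it: `defaultMode: 292 {{/* 0444: readable by non-root containers without an fsGroup; tighten per chart if the key must be owner-only */}}`. The `enabled` value is also passed as the string `"true"` in the usage example while the companion mount snippet passes the boolean `.Values.manifests.certificates`; both are truthy, but the example should use the boolean to match.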


@ -0,0 +1,82 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders a volume mount for TLS key, cert and CA.
Dictionary Parameters:
enabled: boolean check if you want to conditional disable this snippet (optional)
name: name that of the volume and should match the volume name (required)
path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
the default is the full set. (optional)
values: |
manifests:
certificates: true
usage: |
{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
{{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
return: |
- name: glance-tls-api
mountPath: /etc/glance/certs/tls.crt
subPath: tls.crt
readOnly: true
- name: glance-tls-api
mountPath: /etc/glance/certs/tls.key
subPath: tls.key
readOnly: true
- name: glance-tls-api
mountPath: /etc/glance/certs/ca.crt
subPath: ca.crt
readOnly: true
abstract: |
This mounts a specific issuing CA only for service validation
usage: |
{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
{{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
return: |
- name: glance-tls-api
mountPath: /etc/ssl/certs/openstack-helm.crt
subPath: ca.crt
readOnly: true
*/}}
{{- define "helm-toolkit.snippets.tls_volume_mount" }}
{{- $enabled := index . "enabled" -}}
{{- $name := index . "name" -}}
{{- $path := index . "path" | default "" -}}
{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
{{- if $enabled }}
{{- if and (eq $path "") (ne $name "") }}
- name: {{ $name }}
mountPath: "/etc/ssl/certs/openstack-helm.crt"
subPath: ca.crt
readOnly: true
{{- else }}
{{- if ne $name "" }}
{{- range $key, $value := $certs }}
- name: {{ $name }}
mountPath: {{ printf "%s/%s" $path $value }}
subPath: {{ $value }}
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
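Review bot: The second usage example passes `"ca" true`, but the template never reads a `ca` key; the CA-only mount at `/etc/ssl/certs/openstack-helm.crt` is selected by leaving `path` empty (`if and (eq $path "") (ne $name "")`). Either the example should drop the key, `{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" -}}`, or the empty-`path` rule should be stated under `Dictionary Parameters`. Separately, `certs` is used as given and never checked against the documented subset, so a typo such as `tls.cert` is mounted as-is and only fails when the pod starts and the Secret lacks that key; a sentence saying so in the `certs:` line would set expectations.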


@ -0,0 +1,87 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Renders out configuration sections into a format suitable for incorporation
into a config-map. Allowing various forms of input to be rendered out as
appropriate.
values: |
conf:
inputs:
- foo
- bar
some:
config_to_render: |
#We can use all of gotpl here: eg macros, ranges etc.
{{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
config_to_complete:
#here we can fill out params, but things need to be valid yaml as input
'{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
static_config:
#this is just passed though as yaml to the configmap
foo: bar
usage: |
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: application-etc
data:
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
return: |
---
apiVersion: v1
kind: ConfigMap
metadata:
name: application-etc
data:
config_to_render.conf: |
#We can use all of gotpl here: eg macros, ranges etc.
foo,bar
config_to_complete.yaml: |
'RELEASE-NAME': 'default-namespace'
static_config.yaml: |
foo: bar
*/}}
{{- define "helm-toolkit.snippets.values_template_renderer" -}}
{{- $envAll := index . "envAll" -}}
{{- $template := index . "template" -}}
{{- $key := index . "key" -}}
{{- $format := index . "format" | default "configMap" -}}
{{- with $envAll -}}
{{- $templateRendered := tpl ( $template | toYaml ) . }}
{{- if eq $format "Secret" }}
{{- if hasPrefix "|\n" $templateRendered }}
{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
{{- else }}
{{ $key }}: {{ $templateRendered | b64enc }}
{{- end -}}
{{- else }}
{{- if hasPrefix "|\n" $templateRendered }}
{{ $key }}: |
{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
{{- else }}
{{ $key }}: |
{{ $templateRendered | indent 2 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
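Review bot: `hasPrefix "|\n" $templateRendered` only matches values whose `toYaml` form is a `|` block, i.e. strings that end in a newline; a value written as `|-` in values.yaml presumably serialises as `|-\n...` and falls through to the plain branch, leaving a literal `|-` line inside the rendered block, which is worth checking with such a value. The header also leaves out two facts a caller needs: `format` is only ever compared against `"Secret"` (any other value is treated as configMap), and `template` is executed with `tpl`, so the value runs with the full chart context and can call `include` and `.Files`. One line under `values:` such as `# template is run through tpl with the chart context; format: "Secret" base64-encodes the result` would cover both.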


@ -0,0 +1,94 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Produces a certificate from a certificate authority. If the "encode" parameter
is true, base64 encode the values for inclusion in a Kubernetes secret.
values: |
test:
hosts:
names:
- barbican.openstackhelm.example
- barbican.openstack.svc.cluster.local
ips:
- 127.0.0.1
- 192.168.0.1
life: 3
# Use ca.crt and ca.key to build a customized ca, if they are provided.
# Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
ca:
crt: |
<CA CRT>
key: |
<CA PRIVATE KEY>
usage: |
{{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
return: |
ca: |
<CA CRT>
crt: |
<CRT>
exp: 2018-09-01T10:56:07.895392915-00:00
key: |
<CRT PRIVATE KEY>
*/}}
{{- define "helm-toolkit.utils.tls_generate_certs" -}}
{{- $params := index . "params" -}}
{{- $encode := index . "encode" | default false -}}
{{- $local := dict -}}
{{- $_hosts := $params.hosts.names | default list }}
{{- if kindIs "string" $params.hosts.names }}
{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
{{- else }}
{{- $_ := set $local "certHosts" $_hosts }}
{{- end }}
{{- $_ips := $params.hosts.ips | default list }}
{{- if kindIs "string" $params.hosts.ips }}
{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
{{- else }}
{{- $_ := set $local "certIps" $_ips }}
{{- end }}
{{- if hasKey $params "ca" }}
{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
{{- $_ := set $local "ca" $ca }}
{{- end }}
{{- else }}
{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
{{- $_ := set $local "ca" $ca }}
{{- end }}
{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
{{- $certificate := dict -}}
{{- if $encode -}}
{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
{{- $_ := b64enc $expDate | set $certificate "exp" -}}
{{- else -}}
{{- $_ := set $certificate "crt" $rawCert.Cert -}}
{{- $_ := set $certificate "key" $rawCert.Key -}}
{{- $_ := set $certificate "ca" $local.ca.Cert -}}
{{- $_ := set $certificate "caKey" $local.ca.Key -}}
{{- $_ := set $certificate "exp" $expDate -}}
{{- end -}}
{{- $certificate | toYaml }}
{{- end -}}
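Review bot: `genCA` and `genSignedCert` are non-deterministic, so every render (each `helm upgrade`, and each `helm template` run) produces a fresh CA and leaf certificate unless the caller supplies both `ca.crt` and `ca.key`, and the abstract does not say so; a chart that pins the result in a Secret should know that trust rotates on upgrade. The returned dict also carries `caKey` (the CA private key) in both branches, which the documented `return:` block omits, so a caller that writes the whole dict into a Secret stores the CA key next to the leaf cert; suggest adding `caKey: |` / `<CA PRIVATE KEY>` to the return example and a sentence under `abstract:` that certificates are regenerated on every render unless a CA is provided. `life` is consumed as days by `genCA`/`genSignedCert` and as `life*24` hours for `exp`, which the `values:` example could state with `life: 3  # days`. Note as well that when `ca.crt` is given without `ca.key` neither branch sets `$local.ca`, so the later `genSignedCert` call presumably fails with a nil CA rather than a message naming the missing key.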


@ -0,0 +1,46 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns a comma separated list of namespace:service pairs.
values: |
dependencies:
static:
api:
services:
- endpoint: internal
service: oslo_cache
- endpoint: internal
service: oslo_db
endpoints:
oslo_db:
namespace: foo
hosts:
default: mariadb
oslo_cache:
namespace: bar
hosts:
default: memcache
usage: |
{{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
return: |
bar:memcache,foo:mariadb
*/}}
{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
{{- $deps := index . 0 -}}
{{- $envAll := index . 1 -}}
{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
{{- end -}}


@ -0,0 +1,30 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.utils.configmap_templater" }}
{{- $keyRoot := index . 0 -}}
{{- $configTemplate := index . 1 -}}
{{- $context := index . 2 -}}
{{ if $keyRoot.override -}}
{{ $keyRoot.override | indent 4 }}
{{- else -}}
{{- if $keyRoot.prefix -}}
{{ $keyRoot.prefix | indent 4 }}
{{- end }}
{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
{{- if $keyRoot.append -}}
{{ $keyRoot.append | indent 4 }}
{{- end }}
{{- end -}}
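Review bot: This helper has no `abstract`/`values`/`usage` header, unlike the other utils in this series, and its contract is not obvious from the body: `override` replaces the rendered template entirely, `prefix` and `append` are concatenated around it, and every piece is emitted with a fixed `indent 4`. A header in the file's usual form stating those four facts, including that callers must place the output where a 4-space indent is correct, would make it usable without reading the body.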


@ -0,0 +1,269 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.utils.daemonset_overrides" }}
{{- $daemonset := index . 0 }}
{{- $daemonset_yaml := index . 1 }}
{{- $configmap_include := index . 2 }}
{{- $configmap_name := index . 3 }}
{{- $context := index . 4 }}
{{- $_ := unset $context ".Files" }}
{{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
{{- $_ := set $context.Values "__daemonset_list" list }}
{{- $_ := set $context.Values "__default" dict }}
{{- if hasKey $context.Values.conf "overrides" }}
{{- range $key, $val := $context.Values.conf.overrides }}
{{- if eq $key $daemonset_root_name }}
{{- range $type, $type_data := . }}
{{- if eq $type "hosts" }}
{{- range $host_data := . }}
{{/* dictionary that will contain all info needed to generate this
iteration of the daemonset */}}
{{- $current_dict := dict }}
{{/* set daemonset name */}}
{{/* Note: long hostnames can cause the 63 char name limit to be
exceeded. Truncate the hostname if hostname > 20 char */}}
{{- if gt (len $host_data.name) 20 }}
{{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
{{- else }}
{{- $_ := set $current_dict "name" $host_data.name }}
{{- end }}
{{/* apply overrides */}}
{{- $override_conf_copy := $host_data.conf }}
{{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
{{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
{{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
{{- $root_conf_copy2 := dict "conf" $merged_dict }}
{{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
{{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
{{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
{{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
{{/* Schedule to this host explicitly. */}}
{{- $nodeSelector_dict := dict }}
{{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
{{- $_ := set $nodeSelector_dict "operator" "In" }}
{{- $values_list := list $host_data.name }}
{{- $_ := set $nodeSelector_dict "values" $values_list }}
{{- $list_aggregate := list $nodeSelector_dict }}
{{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
{{/* store completed daemonset entry/info into global list */}}
{{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
{{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
{{- end }}
{{- end }}
{{- if eq $type "labels" }}
{{- $_ := set $context.Values "__label_list" . }}
{{- range $label_data := . }}
{{/* dictionary that will contain all info needed to generate this
iteration of the daemonset. */}}
{{- $_ := set $context.Values "__current_label" dict }}
{{/* set daemonset name */}}
{{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
{{/* apply overrides */}}
{{- $override_conf_copy := $label_data.conf }}
{{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
{{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
{{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
{{- $root_conf_copy2 := dict "conf" $merged_dict }}
{{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
{{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
{{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
{{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
{{/* Schedule to the provided label value(s) */}}
{{- $label_dict := omit $label_data.label "NULL" }}
{{- $_ := set $label_dict "operator" "In" }}
{{- $list_aggregate := list $label_dict }}
{{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
{{/* Do not schedule to other specified labels, with higher
precedence as the list position increases. Last defined label
is highest priority. */}}
{{- $other_labels := without $context.Values.__label_list $label_data }}
{{- range $label_data2 := $other_labels }}
{{- $label_dict := omit $label_data2.label "NULL" }}
{{- $_ := set $label_dict "operator" "NotIn" }}
{{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
{{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
{{- end }}
{{- $_ := set $context.Values "__label_list" $other_labels }}
{{/* Do not schedule to any other specified hosts */}}
{{- range $type, $type_data := $val }}
{{- if eq $type "hosts" }}
{{- range $host_data := . }}
{{- $label_dict := dict }}
{{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
{{- $_ := set $label_dict "operator" "NotIn" }}
{{- $values_list := list $host_data.name }}
{{- $_ := set $label_dict "values" $values_list }}
{{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
{{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
{{- end }}
{{- end }}
{{- end }}
{{/* store completed daemonset entry/info into global list */}}
{{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
{{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
{{- $_ := unset $context.Values "__current_label" }}
{{- end }}
{{- end }}
{{- end }}
{{/* scheduler exceptions for the default daemonset */}}
{{- $_ := set $context.Values.__default "matchExpressions" list }}
{{- range $type, $type_data := . }}
{{/* Do not schedule to other specified labels */}}
{{- if eq $type "labels" }}
{{- range $label_data := . }}
{{- $default_dict := omit $label_data.label "NULL" }}
{{- $_ := set $default_dict "operator" "NotIn" }}
{{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
{{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
{{- end }}
{{- end }}
{{/* Do not schedule to other specified hosts */}}
{{- if eq $type "hosts" }}
{{- range $host_data := . }}
{{- $default_dict := dict }}
{{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
{{- $_ := set $default_dict "operator" "NotIn" }}
{{- $values_list := list $host_data.name }}
{{- $_ := set $default_dict "values" $values_list }}
{{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
{{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{/* generate the default daemonset */}}
{{/* set name */}}
{{- $_ := set $context.Values.__default "name" "default" }}
{{/* no overrides apply, so copy as-is */}}
{{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
{{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
{{- $context_values := omit $context.Values "conf" }}
{{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
{{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
{{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
{{/* add to global list */}}
{{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
{{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
{{- range $current_dict := $context.Values.__daemonset_list }}
{{- $context_novalues := omit $context "Values" }}
{{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
{{- $_ := set $current_dict "nodeData" $merged_dict }}
{{/* Deep copy original daemonset_yaml */}}
{{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
{{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
{{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
{{/* labels may contain underscores which would be invalid here, so we replace them with dashes
there may be other valid label names which would make for an invalid DNS-1123 name
but these will be easier to handle in future with sprig regex* functions
(not availabile in helm 2.5.1) */}}
{{- $name_format2 := $name_format1 | replace "_" "-" }}
{{/* To account for the case where the same label is defined multiple times in overrides
(but with different label values), we add a sha of the scheduling data to ensure
name uniqueness */}}
{{- $_ := set $current_dict "dns_1123_name" dict }}
{{- if hasKey $current_dict "matchExpressions" }}
{{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
{{- else }}
{{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
{{- end }}
{{/* set daemonset metadata name */}}
{{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
{{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
{{/* cross-reference configmap name to container volume definitions */}}
{{- $_ := set $context.Values "__volume_list" list }}
{{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
{{- $_ := set $context.Values "__volume" $current_volume }}
{{- if hasKey $context.Values.__volume "secret" }}
{{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
{{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
{{- end }}
{{- end }}
{{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
{{- $_ := set $context.Values "__volume_list" $updated_list }}
{{- end }}
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
{{/* populate scheduling restrictions */}}
{{- if hasKey $current_dict "matchExpressions" }}
{{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
{{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
{{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
{{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
{{- $match_exprs := dict }}
{{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
{{- $appended_match_expr := list $match_exprs }}
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
{{- end }}
{{/* input value hash for current set of values overrides */}}
{{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
{{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
{{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
{{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
{{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
{{- $values_hash := $cmap | quote | sha256sum }}
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
{{/* generate configmap */}}
---
{{ $cmap }}
{{/* generate daemonset yaml */}}
---
{{ $context.Values.__daemonset_yaml | toYaml }}
{{- end }}
{{- end }}
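Review bot: `{{- $_ := unset $context ".Files" }}` near the top removes a key literally named `.Files` (with the leading dot), which presumably does not exist on the context map, so the `Files` object stays in `$context`; if the intent is to drop it before the `toYaml | fromYaml` deep copies further down, the line should read `{{- $_ := unset $context "Files" }}`. The deep-copy path also means every `nodeData` entry embeds a full copy of `.Values` per override, and that copy is what `configmap-etc-hash` ends up hashing; a one-line comment next to the `omit ... "__daemonset_list"` expressions saying that scratch keys are excluded to keep the hash stable would explain why the omission matters. The enclosing `define` is complete within this section.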


@ -0,0 +1,40 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.utils.dependency_resolver" }}
{{- $envAll := index . "envAll" -}}
{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
{{- $dependencyKey := index . "dependencyKey" -}}
{{- if $dependencyMixinParam -}}
{{- $_ := set $envAll.Values "pod_dependency" dict -}}
{{- if kindIs "string" $dependencyMixinParam }}
{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
{{- else }}
{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
{{- end }}
{{- else if kindIs "slice" $dependencyMixinParam }}
{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
{{- range $k, $v := $dependencyMixinParam -}}
{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}
{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
{{- end }}
{{- end }}
{{- end }}
{{- else -}}
{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
{{- end -}}
{{ $envAll.Values.pod_dependency | toYaml }}
{{- end }}
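Review bot: The `__deps` scratch key set on `$envAll.Values` in the slice branch is never removed, so after this helper runs it stays visible to every later template that dumps or copies `.Values` (the `daemonset_overrides` helper in this commit does `unset` its `__current_label`); add `{{- $_ := unset $envAll.Values "__deps" }}` before `{{ $envAll.Values.pod_dependency | toYaml }}`. `index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam` also assumes `dependencies.dynamic.targeted` exists whenever a mixin parameter is passed; the error a missing map presumably produces is a bare index failure, and a `required` with a message naming the values path would be clearer.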


@ -0,0 +1,21 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.utils.hash" -}}
{{- $name := index . 0 -}}
{{- $context := index . 1 -}}
{{- $last := base $context.Template.Name }}
{{- $wtf := $context.Template.Name | replace $last $name -}}
{{- include $wtf $context | sha256sum | quote -}}
{{- end -}}
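Review bot: `$wtf` is not a descriptive name for the sibling template path this helper builds, and the helper has no comment; suggest `{{- $siblingTemplate := $context.Template.Name | replace $last $name -}}` and `{{- include $siblingTemplate $context | sha256sum | quote -}}`, with a header such as `{{/* Renders the template named $name from the same directory as the calling template and returns the sha256 of its output, quoted. */}}`. Note that `replace $last $name` rewrites every occurrence of the basename in the path, so a directory segment equal to the template's basename would be altered too; `printf "%s/%s" (dir $context.Template.Name) $name` only touches the last component.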


@ -0,0 +1,44 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns a list of unique hosts for an endpoint, in yaml.
values: |
endpoints:
cluster_domain_suffix: cluster.local
oslo_db:
hosts:
default: mariadb
host_fqdn_override:
default: mariadb
usage: |
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
return: |
hosts:
- mariadb
- mariadb.default
*/}}
{{- define "helm-toolkit.utils.host_list" -}}
{{- $type := index . 0 -}}
{{- $endpoint := index . 1 -}}
{{- $context := index . 2 -}}
{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
{{- dict "hosts" $host_list | toYaml }}
{{- end -}}


@ -0,0 +1,25 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.utils.image_sync_list" -}}
{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
{{- $imageDict := .Values.images.tags -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := $imageDict -}}
{{- if not $local.first -}},{{- end -}}
{{- if (not (has $k $imageExcludeList )) -}}
{{- index $imageDict $k -}}
{{- $_ := set $local "first" false -}}
{{- end -}}{{- end -}}
{{- end -}}
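Review bot: The separator is written before the exclusion check, so once one image has been emitted every later excluded key still contributes a comma and the output contains empty elements (`img1,,img3`); only an excluded key at the very start of the map is skipped cleanly. Move the comma inside the guard so it is produced only for emitted entries: `{{- if (not (has $k $imageExcludeList )) -}}` then `{{- if not $local.first -}},{{- end -}}` then `{{- index $imageDict $k -}}`, leaving the `set $local "first" false` line where it is. Whether the consumer of this list tolerates empty elements is not visible here, so it is safer not to produce them.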


@ -0,0 +1,31 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Joins a list of values into a comma separated string
values: |
test:
- foo
- bar
usage: |
{{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
return: |
foo,bar
*/}}
{{- define "helm-toolkit.utils.joinListWithComma" -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
{{- end -}}


@ -0,0 +1,32 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Joins a list of values into a comma seperated string with single quotes
around each value.
values: |
test:
- foo
- bar
usage: |
{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
return: |
'foo','bar'
*/}}
{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
{{- end -}}
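Review bot: Each value is emitted verbatim between literal single quotes on the `range` line with no escaping, so a value that itself contains `'` terminates the quoting early and the consumer of the string (which is not visible here) parses something other than the intended list. Since the correct escape depends on the consumer's syntax, the safer fix is to state the contract in the abstract: `Values are emitted unescaped; a value containing a single quote will break the quoting.` The abstract also misspells `separated` as `seperated`.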


@ -0,0 +1,32 @@
{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Joins a list of prefixed values into a space separated string
values: |
test:
- foo
- bar
usage: |
{{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
return: |
prefixfoo prefixbar
*/}}
{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
{{- $prefix := index . 0 -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
{{- end -}}
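Review bot: The license header at the top of this file opens with `{/*` instead of `{{/*`, so it is not a template comment: the first `{{` the engine sees is the second comment block, and everything before it is literal text. That is harmless only if this file is an underscore-prefixed partial that Helm never renders on its own, which the page does not show; change the first line to `{{/*` so it matches the other helper files.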


@ -0,0 +1,31 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Joins a list of values into a space separated string
values: |
test:
- foo
- bar
usage: |
{{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
return: |
foo bar
*/}}
{{- define "helm-toolkit.utils.joinListWithSpace" -}}
{{- $local := dict "first" true -}}
{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
{{- end -}}


@ -0,0 +1,135 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Takes a tuple of values and merges into the first (target) one each subsequent
(source) one in order. If all values to merge are maps, then the tuple can be
passed as is and the target will be the result, otherwise pass a map with a
"values" key containing the tuple of values to merge, and the merge result will
be assigned to the "result" key of the passed map.
When merging maps, for each key in the source, if the target does not define
that key, the source value is assigned. If both define the key, then the key
values are merged using this algorithm (recursively) and the result is assigned
to the target key. Slices are merged by appending them and removing any
duplicates, and when passing a map to this function and including a
"merge_same_named" key set to true, then map items from the slices with the same
value for the "name" key will be merged with each other. Any other values are
merged by simply keeping the source, and throwing away the target.
*/}}
{{- define "helm-toolkit.utils.merge" -}}
{{- $local := dict -}}
{{- $_ := set $local "merge_same_named" false -}}
{{- if kindIs "map" $ -}}
{{- $_ := set $local "values" $.values -}}
{{- if hasKey $ "merge_same_named" -}}
{{- $_ := set $local "merge_same_named" $.merge_same_named -}}
{{- end -}}
{{- else -}}
{{- $_ := set $local "values" $ -}}
{{- end -}}
{{- $target := first $local.values -}}
{{- range $item := rest $local.values -}}
{{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
{{- $_ := include "helm-toolkit.utils._merge" $call -}}
{{- $_ := set $local "result" $call.result -}}
{{- end -}}
{{- if kindIs "map" $ -}}
{{- $_ := set $ "result" $local.result -}}
{{- end -}}
{{- end -}}
{{- define "helm-toolkit.utils._merge" -}}
{{- $local := dict -}}
{{- $_ := set $ "result" $.source -}}
{{/*
TODO: Should we `fail` when trying to merge a collection (map or slice) with
either a different kind of collection or a scalar?
*/}}
{{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
{{- range $key, $sourceValue := $.source -}}
{{- if not (hasKey $.target $key) -}}
{{- $_ := set $local "newTargetValue" $sourceValue -}}
{{- if kindIs "map" $sourceValue -}}
{{- $copy := dict -}}
{{- $call := dict "target" $copy "source" $sourceValue -}}
{{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
{{- $_ := set $local "newTargetValue" $copy -}}
{{- end -}}
{{- else -}}
{{- $targetValue := index $.target $key -}}
{{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
{{- $_ := include "helm-toolkit.utils._merge" $call -}}
{{- $_ := set $local "newTargetValue" $call.result -}}
{{- end -}}
{{- $_ := set $.target $key $local.newTargetValue -}}
{{- end -}}
{{- $_ := set $ "result" $.target -}}
{{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
{{- $call := dict "target" $.target "source" $.source -}}
{{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
{{- if $.merge_same_named -}}
{{- $_ := set $local "result" list -}}
{{- $_ := set $local "named_items" dict -}}
{{- range $item := $call.result -}}
{{- $_ := set $local "has_name_key" false -}}
{{- if kindIs "map" $item -}}
{{- if hasKey $item "name" -}}
{{- $_ := set $local "has_name_key" true -}}
{{- end -}}
{{- end -}}
{{- if $local.has_name_key -}}
{{- if hasKey $local.named_items $item.name -}}
{{- $named_item := index $local.named_items $item.name -}}
{{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
{{- $_ := include "helm-toolkit.utils._merge" $call -}}
{{- else -}}
{{- $copy := dict -}}
{{- $copy_call := dict "target" $copy "source" $item -}}
{{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
{{- $_ := set $local.named_items $item.name $copy -}}
{{- $_ := set $local "result" (append $local.result $copy) -}}
{{- end -}}
{{- else -}}
{{- $_ := set $local "result" (append $local.result $item) -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- $_ := set $local "result" $call.result -}}
{{- end -}}
{{- $_ := set $ "result" (uniq $local.result) -}}
{{- end -}}
{{- end -}}
{{- define "helm-toolkit.utils._merge.shallow" -}}
{{- range $key, $value := $.source -}}
{{- $_ := set $.target $key $value -}}
{{- end -}}
{{- end -}}
{{- define "helm-toolkit.utils._merge.append_slice" -}}
{{- $local := dict -}}
{{- $_ := set $local "result" $.target -}}
{{- range $value := $.source -}}
{{- $_ := set $local "result" (append $local.result $value) -}}
{{- end -}}
{{- $_ := set $ "result" $local.result -}}
{{- end -}}
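Review bot: The copy made for a key missing from the target (`helm-toolkit.utils._merge.shallow`, called from the `$copy := dict` block in `_merge` and again in the `merge_same_named` branch) is one level deep, so nested maps inside the copied value remain shared with the source; a later merge into that same target key recurses into those shared maps and `set`s on them, mutating the source — with the caller at the top of this page that source is a `.Values.dependencies` subtree, so later lookups of it would see merged-in keys. If the chart targets Helm 3, Sprig's `deepCopy` removes the aliasing: replace the four lines from `{{- $copy := dict -}}` through `{{- $_ := set $local "newTargetValue" $copy -}}` with `{{- $_ := set $local "newTargetValue" (deepCopy $sourceValue) -}}`, and likewise in the named-item branch. The TODO about merging a collection with a scalar is still open; that case silently keeps the source, which the header comment does document, but a `fail` would surface a values typo instead of hiding it.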


@ -0,0 +1,21 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.utils.template" -}}
{{- $name := index . 0 -}}
{{- $context := index . 1 -}}
{{- $last := base $context.Template.Name }}
{{- $wtf := $context.Template.Name | replace $last $name -}}
{{ include $wtf $context }}
{{- end -}}


@ -0,0 +1,51 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns INI formatted output from yaml input
values: |
conf:
paste:
filter:debug:
use: egg:oslo.middleware#debug
filter:request_id:
use: egg:oslo.middleware#request_id
filter:build_auth_context:
use: egg:keystone#build_auth_context
usage: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
return: |
[filter:build_auth_context]
use = egg:keystone#build_auth_context
[filter:debug]
use = egg:oslo.middleware#debug
[filter:request_id]
use = egg:oslo.middleware#request_id
*/}}
{{- define "helm-toolkit.utils.to_ini" -}}
{{- range $section, $values := . -}}
{{- if kindIs "map" $values -}}
[{{ $section }}]
{{range $key, $value := $values -}}
{{- if kindIs "slice" $value -}}
{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
{{else -}}
{{ $key }} = {{ $value }}
{{end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,46 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns yaml formatted to be used in k8s templates as container
env vars injected via secrets. This requires a secret-<chartname> template to
be defined in the chart that can be used to house the desired secret
variables. For reference, see the fluentd chart.
values: |
test:
secrets:
foo: bar
usage: |
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
return: |
- name: foo
valueFrom:
secretKeyRef:
name: "my-release-name-env-secret"
key: foo
*/}}
{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
{{- $context := index . 0 -}}
{{- $secrets := index . 1 -}}
{{ range $key, $config := $secrets -}}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
key: {{ $key }}
{{ end -}}
{{- end -}}
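Review bot: The header comment documents a different helper than the one defined: its usage line reads `{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}` while the define is `helm-toolkit.utils.to_k8s_env_secret_vars`, and the documented call passes a single map whereas the body reads a tuple (`index . 0` for the context, `index . 1` for the secrets map). Update the usage line to `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}` so the example matches the arguments the template actually reads, and the return block's `name:` value then follows from `Release.Name` as the `printf` line shows.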


@ -0,0 +1,39 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
abstract: |
Returns key value pair formatted to be used in k8s templates as container
env vars.
values: |
test:
foo: bar
usage: |
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
return: |
- name: foo
value: "bar"
*/}}
{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
{{range $key, $value := . -}}
{{- if kindIs "slice" $value -}}
- name: {{ $key }}
value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
{{else -}}
- name: {{ $key }}
value: {{ $value | quote }}
{{ end -}}
{{- end -}}
{{- end -}}
