├── .DS_Store ├── .gitignore ├── README.md ├── autoscaler ├── addon │ ├── autoscaler-addon.yaml │ └── custom-values.yaml ├── blueprint │ ├── autoscaler-blueprint-v1.yaml │ └── autoscaler-blueprint.yaml ├── cluster │ └── autoscaler-eks-cluster.yaml ├── namespace │ └── autoscaler-namespace.yaml ├── repository │ └── autoscaler-repository.yaml └── workload │ ├── nginx-workload-namespace.yaml │ ├── nginx-workload.yaml │ └── nginx.yaml ├── cloudwatch ├── addon │ ├── cloudwatch-addon.yaml │ └── custom-values.yaml ├── blueprint │ ├── cloudwatch-blueprint-v1.yaml │ └── cloudwatch-blueprint.yaml ├── cluster │ └── cloudwatch-eks-cluster.yaml ├── namespace │ └── cloudwatch-namespace.yaml └── repository │ └── cloudwatch-repository.yaml ├── efseks ├── addon │ ├── addon.yaml │ ├── namespace.yaml │ ├── repository.yaml │ └── values.yaml ├── blueprint │ ├── blueprint-v1.yaml │ └── blueprint.yaml ├── cluster │ └── eks-efs.yaml └── workload │ ├── efsapp.yaml │ ├── efsappspec.yaml │ ├── efspvc.yaml │ ├── efspvcspec.yaml │ ├── efsstorageclass.yaml │ ├── efsstorageclassspec.yaml │ └── namespace.yaml ├── eks-gitops ├── cluster │ └── cluster.yaml ├── eks-gitops-cluster2.yaml ├── main.tf ├── modules │ ├── .gitkeep │ └── rafay_cluster │ │ ├── .gitkeep │ │ ├── providers.tf │ │ ├── rafay_cluster.tf │ │ └── variables.tf ├── providers.tf ├── s3bucket.tf ├── specfiles │ └── pipeline.yaml ├── terraform.tfvars └── variables.tf ├── fleet-plan └── eks │ ├── eks-1-123-upgrade-plan.yaml │ ├── eks-1-124-upgrade-plan.yaml │ ├── eks-fleetplan-blueprint.yaml │ └── eks-fleetplan-custom-ami-upgrade.yaml ├── gitops-workload ├── Helm │ └── webserver │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── custom-values.yaml │ │ └── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── cm.yaml │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ └── service.yaml └── YAML │ └── yaml-workload.yaml ├── gpuaks ├── addon │ ├── addon.yaml │ ├── namespace.yaml │ ├── repository.yaml │ └── values.yaml ├── blueprint │ └── 
blueprint.yaml ├── cluster │ └── aks-gpu.yaml └── workload │ ├── gpu-job.yaml │ ├── gputest.yaml │ └── namespace.yaml ├── gpueks ├── addon │ ├── addon.yaml │ ├── namespace.yaml │ ├── repository.yaml │ └── values.yaml ├── blueprint │ ├── blueprint-v1.yaml │ └── blueprint.yaml ├── cluster │ └── eks-gpu.yaml └── workload │ ├── gpu-job.yaml │ ├── gputest.yaml │ └── namespace.yaml ├── gpumks ├── addon │ ├── addon.yaml │ ├── namespace.yaml │ ├── repository.yaml │ └── values.yaml ├── blueprint │ ├── blueprint-v1.yaml │ └── blueprint.yaml └── workload │ ├── gpu-job.yaml │ ├── gputest.yaml │ └── namespace.yaml ├── gpupaas ├── full-gpu.yaml ├── no-gpu.yaml └── timesliced.yaml ├── karpenter ├── addon │ ├── custom-values.yaml │ ├── karpenter-addon.yaml │ ├── nodepool-addon.yaml │ └── nodepool.yaml ├── blueprint │ └── blueprint.yaml ├── cluster │ └── cluster.yaml ├── namespace │ └── namespace.yaml └── workload │ ├── inflate-workload.yaml │ └── inflate.yaml ├── kubecost ├── addon │ ├── kubecost-addon.yaml │ └── kubecost-values.yaml ├── blueprint │ ├── kubecost-blueprint-v1.yaml │ └── kubecost-blueprint.yaml ├── namespace │ └── kubecost-namespace.yaml └── repository │ └── kubecost-repository.yaml ├── kubernetes ├── 1-pv.yaml ├── 1-pvc.yaml ├── 2-pv.yaml ├── 2-pvc.yaml ├── configMap.yaml ├── daemonset.yaml ├── deployment.yaml ├── ingress.yaml ├── namespace.yaml ├── persistentVolumeClaim.yaml ├── pod.yaml ├── secret.yaml ├── service.yaml └── statefulset-postgres.yaml ├── kubevirt ├── addon │ ├── kubevirt-cr-addon.yaml │ ├── kubevirt-cr.yaml │ ├── kubevirt-operator-addon.yaml │ ├── kubevirt-operator.yaml │ └── namespace.yaml ├── blueprint │ └── blueprint.yaml └── workload │ ├── namespace.yaml │ ├── vm-workload.yaml │ └── vm.yaml ├── metallb ├── addon │ ├── addon.yaml │ ├── addoncm.yaml │ ├── custom-values.yaml │ └── metallb-cm.yaml ├── blueprint │ ├── blueprint-v1.yaml │ └── blueprint.yaml ├── namespace │ ├── metallb-namespace.yaml │ └── nginx-namespace.yaml ├── repository │ └── 
repository.yaml └── workload │ ├── metallb-nginx.yaml │ └── metallb-test-workload.yaml ├── opa_gatekeeper ├── blueprint │ └── blueprint-v2.yaml ├── constraint_templates │ ├── constraint-template-1.yaml │ ├── constraint-template-2.yaml │ ├── rafay-gatekeeper-allowedrepos-constraint-template.yaml │ └── rafay-request-limit-ratio-constraint-template.yaml ├── constraints │ ├── constraint-1.yaml │ ├── constraint-2.yaml │ ├── rafay-gatekeeper-allowedrepos-constraint.yaml │ └── rafay-request-limit-ratio-constraint.yaml ├── policy │ └── policy.yaml └── workload │ ├── nginx.yaml │ └── workload.yaml ├── progressive-rollouts ├── blue-green.yaml └── canary.yaml ├── terraform ├── aks │ ├── README.md │ ├── artifacts │ │ └── credentials │ │ │ └── config.json │ ├── main.tf │ ├── modules │ │ ├── aks │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── cloud-credentials │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ └── project │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ ├── providers.tf │ ├── terraform.tfvars │ └── variables.tf ├── blueprints │ ├── README.md │ ├── artifacts │ │ └── credentials │ │ │ └── config.json │ ├── main.tf │ ├── modules │ │ ├── blueprints │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ └── project │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ ├── providers.tf │ ├── terraform.tfvars │ └── variables.tf ├── caas_terraform │ ├── aks │ │ ├── README.md │ │ ├── main.tf │ │ ├── modules │ │ │ ├── addons │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── aks │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── blueprints │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── cloud-credentials │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── cluster-overrides │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── group-association │ │ │ 
│ ├── aks │ │ │ │ │ ├── main.tf │ │ │ │ │ ├── providers.tf │ │ │ │ │ └── variables.tf │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── group │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── namespace │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── opa-constraint-template │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── opa-constraint │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── opa-installation-profile │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── opa-policy │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ ├── project │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ │ └── repositories │ │ │ │ ├── main.tf │ │ │ │ ├── providers.tf │ │ │ │ └── variables.tf │ │ ├── providers.tf │ │ ├── terraform.tfvars │ │ └── variables.tf │ ├── artifacts │ │ ├── cert-manager │ │ │ └── custom_values.yaml │ │ └── karpenter │ │ │ ├── custom_values.yaml │ │ │ └── nodepool.yaml │ └── eks │ │ ├── README.md │ │ ├── main.tf │ │ ├── modules │ │ ├── addons │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── backup-restore │ │ │ ├── create_resources.sh │ │ │ ├── delete_resources.sh │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── blueprints │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── cloud-credentials │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── cluster-overrides │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── eks │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── group-association │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── group │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── namespace │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── 
opa-constraint-template │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── opa-constraint │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── opa-installation-profile │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── opa-policy │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── project │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ └── repositories │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── providers.tf │ │ ├── terraform.tfvars │ │ └── variables.tf ├── eks │ ├── README.md │ ├── main.tf │ ├── modules │ │ ├── cloud-credentials │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ ├── eks │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ │ └── project │ │ │ ├── main.tf │ │ │ ├── providers.tf │ │ │ └── variables.tf │ ├── providers.tf │ ├── terraform.tfvars │ └── variables.tf └── pas_terraform │ ├── aks │ └── README.md │ └── eks │ ├── README.md │ ├── modules │ └── eks │ │ └── main.tf │ └── terraform.tfvars ├── tools ├── k8sinsights │ ├── k8s-insights.sh │ └── readme.md └── resize │ ├── Readme.md │ ├── examples │ ├── echo-alpha.yaml │ ├── echo-beta.yaml │ └── stress.yaml │ ├── images │ ├── architecture.png │ ├── cluster.png │ ├── dryrun.png │ ├── kubeconfig.png │ ├── resize-animated.gif │ └── resize.png │ ├── requirements.txt │ └── resize.py ├── tritoneks ├── addon │ ├── gpu-addon.yaml │ ├── gpu-namespace.yaml │ ├── gpu-repository.yaml │ └── gpu-values.yaml ├── blueprint │ ├── blueprint-v1.yaml │ └── blueprint.yaml ├── cluster │ └── eks-gpu-triton.yaml └── workload │ ├── metrics-repository.yaml │ ├── triton-namespace.yaml │ └── triton-repository.yaml ├── turnkey-opa ├── opaconstraints │ ├── allow-privilege-escalation-container-constraint.yaml │ ├── allowed-repos-constraint.yaml │ ├── allowed-users-constraint.yaml │ ├── app-armor-constraint.yaml │ ├── artifacts │ │ ├── 
allow-privilege-escalation-container-custom │ │ │ └── allow-privilege-escalation-container.yaml │ │ ├── allowed-repos-custom │ │ │ └── allowed-repos.yaml │ │ ├── allowed-users-custom │ │ │ └── allowed-users.yaml │ │ ├── app-armor-custom │ │ │ └── app-armor.yaml │ │ ├── block-nodeport-services-custom │ │ │ └── block-nodeport-services.yaml │ │ ├── container-limits-custom │ │ │ └── container-limits.yaml │ │ ├── container-resource-ratios-custom │ │ │ └── container-resource-ratios.yaml │ │ ├── disallowed-tags-custom │ │ │ └── disallowed-tags.yaml │ │ ├── flexvolume-drivers-custom │ │ │ └── flexvolume-drivers.yaml │ │ ├── forbidden-sysctls-custom │ │ │ └── forbidden-sysctls.yaml │ │ ├── host-filesystem-custom │ │ │ └── host-filesystem.yaml │ │ ├── host-namespace-custom │ │ │ └── host-namespace.yaml │ │ ├── host-network-ports-custom │ │ │ └── host-network-ports.yaml │ │ ├── https-only-custom │ │ │ └── https-only.yaml │ │ ├── image-digests-custom │ │ │ └── image-digests.yaml │ │ ├── linux-capabilities-custom │ │ │ └── linux-capabilities.yaml │ │ ├── privileged-container-custom │ │ │ └── privileged-container.yaml │ │ ├── proc-mount-custom │ │ │ └── proc-mount.yaml │ │ ├── read-only-root-filesystem-custom │ │ │ └── read-only-root-filesystem.yaml │ │ ├── replica-limits-custom │ │ │ └── replica-limits.yaml │ │ ├── required-annotations-custom │ │ │ └── required-annotations.yaml │ │ ├── required-labels-custom │ │ │ └── required-labels.yaml │ │ ├── required-probes-custom │ │ │ └── required-probes.yaml │ │ ├── se-linux-custom │ │ │ └── se-linux.yaml │ │ ├── seccomp-custom │ │ │ └── seccomp.yaml │ │ └── volume-types-custom │ │ │ └── volume-types.yaml │ ├── block-nodeport-services-constraint.yaml │ ├── container-limits-constraint.yaml │ ├── container-resource-ratios-constraint.yaml │ ├── disallowed-tags-constraint.yaml │ ├── flex-volumes-constraint.yaml │ ├── forbidden-sysctls-constraint.yaml │ ├── host-filesystem-constraint.yaml │ ├── host-namespace-constraint.yaml │ ├── 
host-network-ports-constraint.yaml │ ├── https-only-constraint.yaml │ ├── image-digests-constraint.yaml │ ├── linux-capabilities-constraint.yaml │ ├── privileged-container-constraint.yaml │ ├── proc-mount-constraint.yaml │ ├── read-only-root-filesystem-constraint.yaml │ ├── replica-limits-constraint.yaml │ ├── required-annotations-constraint.yaml │ ├── required-labels-constraint.yaml │ ├── required-probes-constraint.yaml │ ├── se-linux-constraint.yaml │ ├── seccomp-constraint.yaml │ └── volume-types-constraint.yaml ├── opaconstrainttemplates │ ├── allow-privilege-escalation-container-constraint-template.yaml │ ├── allowed-repos-constraint-template.yaml │ ├── allowed-users-constraint-template.yaml │ ├── app-armor-constraint-template.yaml │ ├── artifacts │ │ ├── allow-privilege-escalation-container-custom │ │ │ └── allow-privilege-escalation-container.yaml │ │ ├── allowed-repos-custom │ │ │ └── allowed-repos.yaml │ │ ├── allowed-users-custom │ │ │ └── allowed-users.yaml │ │ ├── app-armor-custom │ │ │ └── app-armor.yaml │ │ ├── block-nodeport-services-custom │ │ │ └── block-nodeport-services.yaml │ │ ├── container-limits-custom │ │ │ └── container-limits.yaml │ │ ├── container-resource-ratios-custom │ │ │ └── container-resource-ratios.yaml │ │ ├── disallowed-tags-custom │ │ │ └── disallowed-tags.yaml │ │ ├── flex-volumes-custom │ │ │ └── flex-volumes.yaml │ │ ├── forbidden-sysctls-custom │ │ │ └── forbidden-sysctls.yaml │ │ ├── host-filesystem-custom │ │ │ └── host-filesystem.yaml │ │ ├── host-namespace-custom │ │ │ └── host-namespace.yaml │ │ ├── host-network-ports-custom │ │ │ └── host-network-ports.yaml │ │ ├── https-only-custom │ │ │ └── https-only.yaml │ │ ├── image-digests-custom │ │ │ └── image-digests.yaml │ │ ├── linux-capabilities-custom │ │ │ └── linux-capabilities.yaml │ │ ├── privileged-container-custom │ │ │ └── privileged-container.yaml │ │ ├── proc-mount-custom │ │ │ └── proc-mount.yaml │ │ ├── read-only-root-filesystem-custom │ │ │ └── 
read-only-root-filesystem.yaml │ │ ├── replica-limits-custom │ │ │ └── replica-limits.yaml │ │ ├── required-annotations-custom │ │ │ └── required-annotations.yaml │ │ ├── required-labels-custom │ │ │ └── required-labels.yaml │ │ ├── required-probes-custom │ │ │ └── required-probes.yaml │ │ ├── se-linux-custom │ │ │ └── se-linux.yaml │ │ ├── seccomp-custom │ │ │ └── seccomp.yaml │ │ └── volume-types-custom │ │ │ └── volume-types.yaml │ ├── block-nodeport-services-constraint-template.yaml │ ├── container-limits-constraint-template.yaml │ ├── container-resource-ratios-constraint-template.yaml │ ├── disallowed-tags-constraint-template.yaml │ ├── flex-volumes-constraint-template.yaml │ ├── forbidden-sysctls-constraint-template.yaml │ ├── host-filesystem-constraint-template.yaml │ ├── host-namespace-constraint-template.yaml │ ├── host-network-ports-constraint-template.yaml │ ├── https-only-constraint-template.yaml │ ├── image-digests-constraint-template.yaml │ ├── linux-capabilities-constraint-template.yaml │ ├── privileged-container-constraint-template.yaml │ ├── proc-mount-constraint-template.yaml │ ├── read-only-root-filesystem-constraint-template.yaml │ ├── replica-limits-constraint-template.yaml │ ├── required-annotations-constraint-template.yaml │ ├── required-labels-constraint-template.yaml │ ├── required-probes-constraint-template.yaml │ ├── se-linux-constraint-template.yaml │ ├── seccomp-constraint-template.yaml │ └── volume-types-constraint-template.yaml └── opapolicies │ ├── bp-all.yaml │ ├── bp-operational-efficiency.yaml │ ├── bp-psp-restricted.yaml │ ├── bp-reliability.yaml │ └── bp-security.yaml └── workload └── Helm └── webserver ├── .helmignore ├── Chart.yaml ├── custom-values.yaml ├── customer1-custom-values.yaml ├── customer2-custom-values.yaml ├── templates ├── NOTES.txt ├── _helpers.tpl ├── cm.yaml ├── deployment.yaml ├── ingress.yaml └── service.yaml ├── values.yaml └── webserver-custom-values.yaml /.DS_Store: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/.DS_Store -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | .DS_Store 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Get Started 2 | Git repo with working examples to help you Get Started with the Rafay Kubernetes Operations Platform. 3 | 4 | ## GPU on Amazon EKS 5 | - Provision an Amazon EKS cluster with GPU worker node groups in minutes 6 | - Configure and provision a custom cluster blueprint with the Nvidia GPU Operator 7 | - Deploy a GPU workload to the EKS cluster and view the integrated GPU dashboard 8 | 9 | ## Amazon EKS with CloudWatch 10 | - Provision an Amazon EKS cluster using a custom cluster blueprint that includes the CloudWatch addon 11 | - View metrics in Container Insights 12 | 13 | ## Amazon EKS with Karpenter 14 | - Provision an Amazon EKS cluster using a custom cluster blueprint that includes the Karpenter cluster autoscaler 15 | -------------------------------------------------------------------------------- /autoscaler/addon/autoscaler-addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: autoscaler-addon 7 | namespace: autoscaler 8 | template: 9 | type: Helm3 10 | valuesFile: custom-values.yaml 11 | repository_ref: autoscaler-repo 12 | repo_artifact_meta: 13 | helm: 14 | chartName: cluster-autoscaler 15 | -------------------------------------------------------------------------------- /autoscaler/addon/custom-values.yaml: 
-------------------------------------------------------------------------------- 1 | autoDiscovery: 2 | clusterName: autoscaler-cluster 3 | awsRegion: us-west-1 -------------------------------------------------------------------------------- /autoscaler/blueprint/autoscaler-blueprint-v1.yaml: -------------------------------------------------------------------------------- 1 | kind: BlueprintVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | description: Autoscaler 6 | spec: 7 | blueprint: autoscaler-blueprint 8 | baseSystemBlueprint: default 9 | baseSystemBlueprintVersion: "" 10 | addons: 11 | - name: autoscaler-addon 12 | version: v1 13 | # cluster-scoped or namespace-scoped 14 | pspScope: cluster-scoped 15 | rafayIngress: true 16 | rafayMonitoringAndAlerting: true 17 | kubevirt: false 18 | # BlockAndNotify or DetectAndNotify 19 | driftAction: BlockAndNotify -------------------------------------------------------------------------------- /autoscaler/blueprint/autoscaler-blueprint.yaml: -------------------------------------------------------------------------------- 1 | kind: Blueprint 2 | metadata: 3 | # blueprint name 4 | name: autoscaler-blueprint 5 | #project name 6 | project: defaultproject -------------------------------------------------------------------------------- /autoscaler/namespace/autoscaler-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: autoscaler 5 | description: namespace for cluster autoscaler 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: autoscaler-cluster -------------------------------------------------------------------------------- /autoscaler/repository/autoscaler-repository.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: config.rafay.dev/v2 2 | kind: Repository 3 | metadata: 4 | name: autoscaler-repo 5 | spec: 6 | repositoryType: HelmRepository 7 | endpoint: https://kubernetes.github.io/autoscaler 8 | credentialType: CredentialTypeNotSet -------------------------------------------------------------------------------- /autoscaler/workload/nginx-workload-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: nginx-test 5 | description: namespace for test nginx workload 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: autoscaler-cluster -------------------------------------------------------------------------------- /autoscaler/workload/nginx-workload.yaml: -------------------------------------------------------------------------------- 1 | name: nginx-workload 2 | namespace: nginx-test 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: autoscaler-cluster 6 | payload: ./nginx.yaml -------------------------------------------------------------------------------- /autoscaler/workload/nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: nginx-to-scaleout 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: nginx 10 | template: 11 | metadata: 12 | labels: 13 | service: nginx 14 | app: nginx 15 | spec: 16 | containers: 17 | - image: nginx 18 | name: nginx-to-scaleout 19 | resources: 20 | limits: 21 | cpu: 500m 22 | memory: 512Mi 23 | requests: 24 | cpu: 500m 25 | memory: 512Mi -------------------------------------------------------------------------------- 
/cloudwatch/addon/cloudwatch-addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: cloudwatch-addon 7 | namespace: amazon-cloudwatch 8 | template: 9 | type: Helm3 10 | valuesFile: custom-values.yaml 11 | repository_ref: cloudwatch-repo 12 | repo_artifact_meta: 13 | helm: 14 | chartName: aws-cloudwatch-metrics 15 | -------------------------------------------------------------------------------- /cloudwatch/addon/custom-values.yaml: -------------------------------------------------------------------------------- 1 | clusterName: cloudwatch-cluster 2 | serviceAccount: 3 | create: false 4 | name: cloudwatch-irsa -------------------------------------------------------------------------------- /cloudwatch/blueprint/cloudwatch-blueprint-v1.yaml: -------------------------------------------------------------------------------- 1 | kind: BlueprintVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | description: Amazon CloudWatch Agent 6 | spec: 7 | blueprint: cloudwatch-blueprint 8 | baseSystemBlueprint: default 9 | baseSystemBlueprintVersion: "" 10 | addons: 11 | - name: cloudwatch-addon 12 | version: v1 13 | # cluster-scoped or namespace-scoped 14 | pspScope: cluster-scoped 15 | rafayIngress: true 16 | rafayMonitoringAndAlerting: false 17 | kubevirt: false 18 | # BlockAndNotify or DetectAndNotify 19 | driftAction: BlockAndNotify -------------------------------------------------------------------------------- /cloudwatch/blueprint/cloudwatch-blueprint.yaml: -------------------------------------------------------------------------------- 1 | kind: Blueprint 2 | metadata: 3 | # blueprint name 4 | name: cloudwatch-blueprint 5 | #project name 6 | project: defaultproject -------------------------------------------------------------------------------- /cloudwatch/namespace/cloudwatch-namespace.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: amazon-cloudwatch 5 | description: namespace for Amazon Cloudwatch 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: cloudwatch-cluster -------------------------------------------------------------------------------- /cloudwatch/repository/cloudwatch-repository.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.rafay.dev/v2 2 | kind: Repository 3 | metadata: 4 | name: cloudwatch-repo 5 | spec: 6 | repositoryType: HelmRepository 7 | endpoint: https://aws.github.io/eks-charts 8 | credentialType: CredentialTypeNotSet -------------------------------------------------------------------------------- /efseks/addon/addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: efs-csi-driver 7 | namespace: kube-system 8 | template: 9 | type: Helm3 10 | valuesFile: values.yaml 11 | repository_ref: efs 12 | repo_artifact_meta: 13 | helm: 14 | tag: v2.4.4 15 | chartName: aws-efs-csi-driver -------------------------------------------------------------------------------- /efseks/addon/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: kube-system 5 | labels: 6 | annotations: 7 | spec: 8 | type: RafayWizard 9 | resourceQuota: 10 | placement: 11 | placementType: ClusterSpecific 12 | clusterLabels: 13 | - key: rafay.dev/clusterName 14 | value: eks-efs-cluster -------------------------------------------------------------------------------- 
/efseks/addon/repository.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.rafay.dev/v2 2 | kind: Repository 3 | metadata: 4 | name: efs 5 | spec: 6 | repositoryType: HelmRepository 7 | endpoint: https://kubernetes-sigs.github.io/aws-efs-csi-driver/ 8 | credentialType: CredentialTypeNotSet -------------------------------------------------------------------------------- /efseks/addon/values.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | serviceAccount: 3 | create: false 4 | name: efs-csi-controller-sa -------------------------------------------------------------------------------- /efseks/blueprint/blueprint-v1.yaml: -------------------------------------------------------------------------------- 1 | kind: BlueprintVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | description: efs csi driver 6 | spec: 7 | blueprint: efs-blueprint 8 | baseSystemBlueprint: default 9 | baseSystemBlueprintVersion: "" 10 | addons: 11 | - name: efs-csi-driver 12 | version: v1 13 | # cluster-scoped or namespace-scoped 14 | pspScope: cluster-scoped 15 | rafayIngress: false 16 | rafayMonitoringAndAlerting: true 17 | kubevirt: false 18 | # BlockAndNotify or DetectAndNotify 19 | driftAction: BlockAndNotify -------------------------------------------------------------------------------- /efseks/blueprint/blueprint.yaml: -------------------------------------------------------------------------------- 1 | kind: Blueprint 2 | metadata: 3 | # blueprint name 4 | name: efs-blueprint 5 | #project name 6 | project: defaultproject -------------------------------------------------------------------------------- /efseks/workload/efsapp.yaml: -------------------------------------------------------------------------------- 1 | name: efsapp 2 | namespace: efstest 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: eks-efs-cluster 6 | payload: ./efsappspec.yaml 
-------------------------------------------------------------------------------- /efseks/workload/efsappspec.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: efs-app 5 | spec: 6 | containers: 7 | - name: app 8 | image: centos 9 | command: ["/bin/sh"] 10 | args: ["-c", "while true; do echo $(date -u) >> /data/out; sleep 5; done"] 11 | volumeMounts: 12 | - name: persistent-storage 13 | mountPath: /data 14 | volumes: 15 | - name: persistent-storage 16 | persistentVolumeClaim: 17 | claimName: efs-claim -------------------------------------------------------------------------------- /efseks/workload/efspvc.yaml: -------------------------------------------------------------------------------- 1 | name: efspvc 2 | namespace: efstest 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: eks-efs-cluster 6 | payload: ./efspvcspec.yaml -------------------------------------------------------------------------------- /efseks/workload/efspvcspec.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: efs-claim 5 | spec: 6 | accessModes: 7 | - ReadWriteMany 8 | storageClassName: efs-sc 9 | resources: 10 | requests: 11 | storage: 5Gi -------------------------------------------------------------------------------- /efseks/workload/efsstorageclass.yaml: -------------------------------------------------------------------------------- 1 | name: efsstorageclass 2 | namespace: efstest 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: eks-efs-cluster 6 | payload: ./efsstorageclassspec.yaml -------------------------------------------------------------------------------- /efseks/workload/efsstorageclassspec.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: storage.k8s.io/v1 3 | metadata: 4 | 
name: efs-sc 5 | provisioner: efs.csi.aws.com 6 | parameters: 7 | provisioningMode: efs-ap 8 | fileSystemId: fs-0e85e5697ed5a7121 9 | directoryPerms: "700" 10 | gidRangeStart: "1000" # optional 11 | gidRangeEnd: "2000" # optional 12 | basePath: "/dynamic_provisioning" # optional -------------------------------------------------------------------------------- /efseks/workload/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: efstest 5 | description: namespace for efs test workload 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: eks-efs-cluster -------------------------------------------------------------------------------- /eks-gitops/eks-gitops-cluster2.yaml: -------------------------------------------------------------------------------- 1 | kind: Cluster 2 | metadata: 3 | name: eks-gitops-cluster2 4 | project: defaultproject 5 | spec: 6 | blueprint: default 7 | cloudprovider: aws-cloud-credential 8 | clusterConfig: null 9 | cniprovider: aws-cni 10 | proxyconfig: {} 11 | type: eks 12 | --- 13 | apiVersion: rafay.io/v1alpha5 14 | availabilityZones: 15 | - us-west-2a 16 | - us-west-2b 17 | kind: ClusterConfig 18 | metadata: 19 | name: eks-gitops-cluster2 20 | region: us-west-2 21 | version: "1.20" 22 | managedNodeGroups: 23 | - amiFamily: AmazonLinux2 24 | availabilityZones: 25 | - us-west-2a 26 | - us-west-2b 27 | desiredCapacity: 1 28 | iam: 29 | withAddonPolicies: 30 | albIngress: true 31 | autoScaler: true 32 | instanceType: t3.large 33 | maxSize: 1 34 | minSize: 1 35 | name: managed-ng1 36 | version: "1.20" 37 | privateNetworking: true 38 | volumeSize: 80 39 | volumeType: gp3 40 | vpc: 41 | cidr: 192.168.0.0/16 42 | clusterEndpoints: 43 | privateAccess: true 44 | publicAccess: true 
45 | nat: 46 | gateway: Single 47 | -------------------------------------------------------------------------------- /eks-gitops/main.tf: -------------------------------------------------------------------------------- 1 | module "rafay_cluster" { 2 | source = "./modules/rafay_cluster" 3 | for_each = var.clusters 4 | cluster_name = each.value["cluster_name"] 5 | project_name = each.value["project_name"] 6 | cluster_spec_version = each.value["cluster_spec_version"] 7 | cluster_spec_path = each.value["cluster_spec_path"] 8 | } 9 | 10 | -------------------------------------------------------------------------------- /eks-gitops/modules/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/eks-gitops/modules/.gitkeep -------------------------------------------------------------------------------- /eks-gitops/modules/rafay_cluster/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/eks-gitops/modules/rafay_cluster/.gitkeep -------------------------------------------------------------------------------- /eks-gitops/modules/rafay_cluster/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | version = " >= 0.0.19" 5 | source = "RafaySystems/rafay" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /eks-gitops/modules/rafay_cluster/rafay_cluster.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_eks_cluster" "cluster" { 2 | name = var.cluster_name 3 | projectname = var.project_name 4 | yamlfilepath = var.cluster_spec_path 5 | yamlfileversion = var.cluster_spec_version 6 | } 7 | 
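--------------------------------------------------------------------------------
/eks-gitops/modules/rafay_cluster/variables.tf:
--------------------------------------------------------------------------------
# Inputs of the rafay_cluster module. Every value is normally supplied by the
# root module's `clusters` map, so these defaults only matter for ad-hoc use.
variable "cluster_name" {
  default = "demo-cluster"
}
variable "project_name" {
  default = "demo"
}
variable "cluster_spec_version" {
  default = "demo"
}
variable "cluster_spec_path" {
  # NOTE(review): "demo" is not a path; callers must override this with the
  # location of the cluster spec YAML.
  default = "demo"
}
--------------------------------------------------------------------------------
/eks-gitops/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      # NOTE(review): an open-ended lower bound accepts any future major release
      # of the provider. Commit .terraform.lock.hcl (or add an upper bound) so
      # plans are reproducible and provider upgrades are deliberate.
      version = ">= 0.0.19"
      source  = "RafaySystems/rafay"
    }
  }
}
--------------------------------------------------------------------------------
/eks-gitops/s3bucket.tf:
--------------------------------------------------------------------------------
# Remote state. State holds every attribute the rafay provider returns, so it
# is sensitive: encrypt it at rest and keep the bucket private.
terraform {
  backend "s3" {
    bucket  = "" # must be filled in before `terraform init`
    key     = "terraform.tfstate"
    region  = "us-west-2"
    encrypt = true # server-side encryption of the state object (was not set)
    # Consider `dynamodb_table` for state locking once more than one operator applies.
  }
}
--------------------------------------------------------------------------------
/eks-gitops/terraform.tfvars:
--------------------------------------------------------------------------------
# Empty by default: no clusters are created until entries are added here.
clusters = {}
--------------------------------------------------------------------------------
/eks-gitops/variables.tf:
--------------------------------------------------------------------------------
# One entry per cluster; each entry drives one instance of module.rafay_cluster.
variable "clusters" {
  type = map(object({
    cluster_name         = string
    project_name         = string
    cluster_spec_version = string
    cluster_spec_path    = string
  }))
}
--------------------------------------------------------------------------------
/gitops-workload/Helm/webserver/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.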
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /gitops-workload/Helm/webserver/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 1.16.0 3 | description: A Helm chart for webserver with nginx in frontend and python webapp backend 4 | name: webserver 5 | type: application 6 | version: 1.0.0 7 | -------------------------------------------------------------------------------- /gitops-workload/Helm/webserver/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | {{- if .Values.ingress.enabled }} 3 | {{- range $host := .Values.ingress.hosts }} 4 | {{- range .paths }} 5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} 6 | {{- end }} 7 | {{- end }} 8 | {{- else if contains "NodePort" .Values.service.type }} 9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "webserver.fullname" . }}) 10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 11 | echo http://$NODE_IP:$NODE_PORT 12 | {{- else if contains "LoadBalancer" .Values.service.type }} 13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 14 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "webserver.fullname" . 
}}' 15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "webserver.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 16 | echo http://$SERVICE_IP:{{ .Values.service.port }} 17 | {{- else if contains "ClusterIP" .Values.service.type }} 18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "webserver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 19 | echo "Visit http://127.0.0.1:8080 to use your application" 20 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /gitops-workload/Helm/webserver/templates/cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | nginx.conf: | 4 | user nginx; 5 | worker_processes 1; 6 | 7 | error_log /var/log/nginx/error.log warn; 8 | pid /var/run/nginx.pid; 9 | 10 | events { 11 | worker_connections 1024; 12 | } 13 | 14 | http { 15 | include /etc/nginx/mime.types; 16 | default_type application/octet-stream; 17 | 18 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 19 | '$status $body_bytes_sent "$http_referer" ' 20 | '"$http_user_agent" "$http_x_forwarded_for"'; 21 | 22 | access_log /var/log/nginx/access.log main; 23 | 24 | sendfile on; 25 | keepalive_timeout 65; 26 | 27 | upstream webapp { 28 | server 127.0.0.1:5000; 29 | } 30 | 31 | server { 32 | listen 80; 33 | 34 | location / { 35 | proxy_pass http://webapp; 36 | proxy_redirect off; 37 | } 38 | } 39 | } 40 | kind: ConfigMap 41 | metadata: 42 | name: {{ include "webserver.fullname" . 
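}}
--------------------------------------------------------------------------------
/gitops-workload/Helm/webserver/templates/ingress.yaml:
--------------------------------------------------------------------------------
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "webserver.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- /* networking.k8s.io/v1beta1 and extensions/v1beta1 were removed in
       Kubernetes 1.22, so the old template could not render a valid Ingress
       on current clusters. networking.k8s.io/v1 (1.19+) additionally requires
       pathType and the service/port backend form used below. */ -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    {{- include "webserver.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ . }}
            {{- /* ImplementationSpecific is what v1beta1 defaulted to, so
                   routing semantics are unchanged for existing values. */}}
            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
            pathType: ImplementationSpecific
            {{- end }}
            backend:
              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
              service:
                name: {{ $fullName }}
                port:
                  number: {{ $svcPort }}
              {{- else }}
              serviceName: {{ $fullName }}
              servicePort: {{ $svcPort }}
              {{- end }}
          {{- end }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/gitops-workload/Helm/webserver/templates/service.yaml:
--------------------------------------------------------------------------------
# Service in front of the webserver pods; type and ports come from values.
apiVersion: v1
kind: Service
metadata:
  name: {{ include "webserver.fullname" . }}
  labels:
    {{- include "webserver.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: {{ .Values.service.targetPort }}
      protocol: TCP
      name: http
  selector:
    {{- include "webserver.selectorLabels" .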
| nindent 4 }}
--------------------------------------------------------------------------------
/gitops-workload/YAML/yaml-workload.yaml:
--------------------------------------------------------------------------------
# Plain-YAML workload: one nginx replica listening on port 80 inside the pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-yaml
  labels:
    app: nginx
  annotations:
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx-yaml
        # NOTE(review): an untagged image resolves to :latest, so every rollout may
        # pull a different, unreviewed build. Pin a tag (ideally a digest).
        image: nginx
        ports:
        - containerPort: 80
--------------------------------------------------------------------------------
/gpuaks/addon/addon.yaml:
--------------------------------------------------------------------------------
# Addon version v1: the NVIDIA gpu-operator Helm chart at a pinned chart tag,
# pulled from the `gpu` Repository with values.yaml applied.
kind: AddonVersion
metadata:
  name: v1
  project: defaultproject
spec:
  addon: gpu-operator
  namespace: gpu-operator-resources
  template:
    type: Helm3
    valuesFile: values.yaml
    repository_ref: gpu
    repo_artifact_meta:
      helm:
        tag: v23.3.1
        chartName: gpu-operator
--------------------------------------------------------------------------------
/gpuaks/addon/namespace.yaml:
--------------------------------------------------------------------------------
# Target namespace for the gpu-operator addon, placed on the demo-gpu-aks cluster.
kind: ManagedNamespace
apiVersion: config.rafay.dev/v2
metadata:
  name: gpu-operator-resources
  description: namespace for gpu-operator
  labels:
  annotations:
spec:
  type: RafayWizard
  resourceQuota:
  placement:
    placementType: ClusterSpecific
    clusterLabels:
    - key: rafay.dev/clusterName
      value: demo-gpu-aks
--------------------------------------------------------------------------------
/gpuaks/addon/repository.yaml:
--------------------------------------------------------------------------------
# Helm repository the gpu-operator addon pulls its chart from.
apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: gpu
spec:
  repositoryType: HelmRepository
  endpoint:
https://helm.ngc.nvidia.com/nvidia 8 | credentialType: CredentialTypeNotSet -------------------------------------------------------------------------------- /gpuaks/addon/values.yaml: -------------------------------------------------------------------------------- 1 | driver: 2 | enabled: true 3 | dcgmExporter: 4 | repository: nvcr.io/nvidia/k8s 5 | image: dcgm-exporter 6 | version: 3.1.7-3.1.4-ubuntu20.04 7 | operator: 8 | defaultRuntime: containerd 9 | psp: 10 | enabled: true -------------------------------------------------------------------------------- /gpuaks/blueprint/blueprint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: Blueprint 3 | metadata: 4 | name: gpu-blueprint 5 | project: defaultproject 6 | spec: 7 | base: 8 | name: default-aks 9 | customAddons: 10 | - name: gpu-operator 11 | version: v1 12 | defaultAddons: 13 | enableIngress: false 14 | enableLogging: true 15 | enableMonitoring: true 16 | enableVM: false 17 | monitoring: 18 | helmExporter: 19 | discovery: {} 20 | enabled: true 21 | kubeStateMetrics: 22 | discovery: {} 23 | enabled: true 24 | metricsServer: 25 | enabled: false 26 | nodeExporter: 27 | discovery: {} 28 | enabled: true 29 | prometheusAdapter: 30 | enabled: false 31 | resources: {} 32 | drift: 33 | enabled: true 34 | sharing: 35 | enabled: false 36 | version: v1 37 | -------------------------------------------------------------------------------- /gpuaks/workload/gpu-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: tensorflow 5 | spec: 6 | restartPolicy: OnFailure 7 | containers: 8 | - name: tensorflow 9 | image: "nvcr.io/nvidia/tensorflow:22.02-tf2-py3" 10 | command: ['sh', '-c', 'echo "Hello, Kubernetes!" 
&& ./nvidia-examples/cnn/resnet.py && sleep 3600'] 11 | resources: 12 | limits: 13 | nvidia.com/gpu: 1 -------------------------------------------------------------------------------- /gpuaks/workload/gputest.yaml: -------------------------------------------------------------------------------- 1 | name: gputest 2 | namespace: gputest 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: demo-gpu-aks 6 | payload: ./gpu-job.yaml -------------------------------------------------------------------------------- /gpuaks/workload/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: gputest 5 | description: namespace for gpu cronjob 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: demo-gpu-aks -------------------------------------------------------------------------------- /gpueks/addon/addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: gpu-operator 7 | namespace: gpu-operator-resources 8 | template: 9 | type: Helm3 10 | valuesFile: values.yaml 11 | repository_ref: gpu 12 | repo_artifact_meta: 13 | helm: 14 | tag: v23.3.1 15 | chartName: gpu-operator -------------------------------------------------------------------------------- /gpueks/addon/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: gpu-operator-resources 5 | description: namespace for gpu-operator 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - 
key: rafay.dev/clusterName
      value: demo-gpu-eks
--------------------------------------------------------------------------------
/gpueks/addon/repository.yaml:
--------------------------------------------------------------------------------
# Public NVIDIA NGC Helm repository, fetched over HTTPS without credentials.
apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: gpu
spec:
  repositoryType: HelmRepository
  endpoint: https://helm.ngc.nvidia.com/nvidia
  credentialType: CredentialTypeNotSet
--------------------------------------------------------------------------------
/gpueks/addon/values.yaml:
--------------------------------------------------------------------------------
# Values for the gpu-operator chart (tag v23.3.1 per addon.yaml).
driver:
  enabled: true
dcgmExporter:
  repository: nvcr.io/nvidia/k8s
  image: dcgm-exporter
  version: 3.1.7-3.1.4-ubuntu20.04
operator:
  defaultRuntime: containerd
# NOTE(review): the PodSecurityPolicy API was removed in Kubernetes 1.25, so a
# chart that renders PSP objects when this is true will fail to install on such
# clusters (confirm against the chart version in use). The gpumks variant of
# this file omits the key; prefer Pod Security Admission labels on the namespace.
psp:
  enabled: true
--------------------------------------------------------------------------------
/gpueks/blueprint/blueprint-v1.yaml:
--------------------------------------------------------------------------------
# Blueprint version v1, layered on the `default` base blueprint, adding gpu-operator.
kind: BlueprintVersion
metadata:
  name: v1
  project: defaultproject
  description: Nvidia GPU Operator
spec:
  blueprint: gpu-blueprint
  baseSystemBlueprint: default
  baseSystemBlueprintVersion: ""
  addons:
  - name: gpu-operator
    version: v1
  # cluster-scoped or namespace-scoped
  pspScope: cluster-scoped
  rafayIngress: false
  rafayMonitoringAndAlerting: true
  kubevirt: false
  # BlockAndNotify or DetectAndNotify
  # BlockAndNotify presumably blocks drift from the blueprint rather than only
  # reporting it (the option names suggest so; confirm in the Rafay docs).
  driftAction: BlockAndNotify
--------------------------------------------------------------------------------
/gpueks/blueprint/blueprint.yaml:
--------------------------------------------------------------------------------
# Blueprint container; its versions (blueprint-v1.yaml) carry the addon list.
kind: Blueprint
metadata:
  # blueprint name
  name: gpu-blueprint
  #project name
  project: defaultproject
/gpueks/workload/gpu-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: tensorflow 5 | spec: 6 | restartPolicy: OnFailure 7 | containers: 8 | - name: tensorflow 9 | image: "nvcr.io/nvidia/tensorflow:22.02-tf2-py3" 10 | command: ['sh', '-c', 'echo "Hello, Kubernetes!" && ./nvidia-examples/cnn/resnet.py && sleep 3600'] 11 | resources: 12 | limits: 13 | nvidia.com/gpu: 1 -------------------------------------------------------------------------------- /gpueks/workload/gputest.yaml: -------------------------------------------------------------------------------- 1 | name: gputest 2 | namespace: gputest 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: demo-gpu-eks 6 | payload: ./gpu-job.yaml -------------------------------------------------------------------------------- /gpueks/workload/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: gputest 5 | description: namespace for gpu cronjob 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: demo-gpu-eks -------------------------------------------------------------------------------- /gpumks/addon/addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: gpu-operator 7 | namespace: gpu-operator-resources 8 | template: 9 | type: Helm3 10 | valuesFile: values.yaml 11 | repository_ref: gpu 12 | repo_artifact_meta: 13 | helm: 14 | tag: v24.6.1 15 | chartName: gpu-operator 16 | -------------------------------------------------------------------------------- /gpumks/addon/namespace.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: gpu-operator-resources 5 | description: namespace for gpu-operator 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: demo-gpu-mks -------------------------------------------------------------------------------- /gpumks/addon/repository.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.rafay.dev/v2 2 | kind: Repository 3 | metadata: 4 | name: gpu 5 | spec: 6 | repositoryType: HelmRepository 7 | endpoint: https://helm.ngc.nvidia.com/nvidia 8 | credentialType: CredentialTypeNotSet -------------------------------------------------------------------------------- /gpumks/addon/values.yaml: -------------------------------------------------------------------------------- 1 | driver: 2 | enabled: true 3 | dcgmExporter: 4 | repository: nvcr.io/nvidia/k8s 5 | image: dcgm-exporter 6 | version: 3.1.7-3.1.4-ubuntu20.04 7 | operator: 8 | defaultRuntime: containerd -------------------------------------------------------------------------------- /gpumks/blueprint/blueprint-v1.yaml: -------------------------------------------------------------------------------- 1 | kind: BlueprintVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | description: Nvidia GPU Operator 6 | spec: 7 | blueprint: gpu-blueprint 8 | baseSystemBlueprint: default 9 | baseSystemBlueprintVersion: "" 10 | addons: 11 | - name: gpu-operator 12 | version: v1 13 | # cluster-scoped or namespace-scoped 14 | pspScope: cluster-scoped 15 | rafayIngress: false 16 | rafayMonitoringAndAlerting: true 17 | kubevirt: false 18 | # BlockAndNotify or DetectAndNotify 19 | driftAction: BlockAndNotify 
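--------------------------------------------------------------------------------
/gpumks/blueprint/blueprint.yaml:
--------------------------------------------------------------------------------
# Blueprint container; blueprint-v1.yaml holds the addon list for version v1.
kind: Blueprint
metadata:
  # blueprint name
  name: gpu-blueprint
  #project name
  project: defaultproject
--------------------------------------------------------------------------------
/gpumks/workload/gpu-job.yaml:
--------------------------------------------------------------------------------
# GPU smoke test: runs the bundled ResNet CNN example on one GPU, then idles.
apiVersion: v1
kind: Pod
metadata:
  name: tensorflow
spec:
  restartPolicy: OnFailure
  containers:
  - name: tensorflow
    image: "nvcr.io/nvidia/tensorflow:22.02-tf2-py3"
    # A single `command`. The file previously listed the key twice: strict YAML
    # parsers reject duplicate keys, and last-key-wins parsers silently dropped
    # the echo/sleep variant. This is the same command the gpuaks and gpueks
    # copies of this job use.
    command: ['sh', '-c', 'echo "Hello, Kubernetes!" && ./nvidia-examples/cnn/resnet.py && sleep 3600']
    resources:
      limits:
        nvidia.com/gpu: 1
--------------------------------------------------------------------------------
/gpumks/workload/gputest.yaml:
--------------------------------------------------------------------------------
# Rafay workload wrapper that applies gpu-job.yaml to the demo-gpu-mks cluster.
name: gputest
namespace: gputest
project: defaultproject
type: NativeYaml
clusters: demo-gpu-mks
payload: ./gpu-job.yaml
--------------------------------------------------------------------------------
/gpumks/workload/namespace.yaml:
--------------------------------------------------------------------------------
# Namespace the smoke-test pod lands in, placed on the demo-gpu-mks cluster.
kind: ManagedNamespace
apiVersion: config.rafay.dev/v2
metadata:
  name: gputest
  description: namespace for gpu test workload
  labels:
  annotations:
spec:
  type: RafayWizard
  resourceQuota:
  placement:
    placementType: ClusterSpecific
    clusterLabels:
    - key: rafay.dev/clusterName
      value: demo-gpu-mks
--------------------------------------------------------------------------------
/gpupaas/full-gpu.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1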
kind: Deployment 3 | metadata: 4 | name: nginx-gpu-deployment 5 | labels: 6 | app: nginx 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: nginx 12 | template: 13 | metadata: 14 | labels: 15 | app: nginx 16 | spec: 17 | containers: 18 | - name: nginx 19 | image: registry.rafay-edge.net/rafay/nginx-test:1.0 20 | resources: 21 | requests: 22 | cpu: "100m" # Requesting 0.1 vCPU 23 | memory: "128Mi" # Requesting 128 MiB of memory 24 | limits: 25 | cpu: "100m" # Limiting to 0.1 vCPU 26 | memory: "128Mi" # Limiting to 128 MiB of memory 27 | nvidia.com/gpu: 1 # Requesting 1 GPU 28 | ports: 29 | - containerPort: 80 30 | -------------------------------------------------------------------------------- /gpupaas/no-gpu.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: nginx-gpu-deployment 5 | labels: 6 | app: nginx 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: nginx 12 | template: 13 | metadata: 14 | labels: 15 | app: nginx 16 | spec: 17 | containers: 18 | - name: nginx 19 | image: registry.rafay-edge.net/rafay/nginx-test:1.0 20 | resources: 21 | requests: 22 | cpu: "100m" # Requesting 0.1 vCPU 23 | memory: "128Mi" # Requesting 128 MiB of memory 24 | limits: 25 | cpu: "100m" # Limiting to 0.1 vCPU 26 | memory: "128Mi" # Limiting to 128 MiB of memory 27 | ports: 28 | - containerPort: 80 29 | -------------------------------------------------------------------------------- /gpupaas/timesliced.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: nginx-gpu-deployment 5 | labels: 6 | app: nginx 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: nginx 12 | template: 13 | metadata: 14 | labels: 15 | app: nginx 16 | spec: 17 | containers: 18 | - name: nginx 19 | image: registry.rafay-edge.net/rafay/nginx-test:1.0 20 | 
resources: 21 | requests: 22 | cpu: "100m" # Requesting 0.1 vCPU 23 | memory: "128Mi" # Requesting 128 MiB of memory 24 | limits: 25 | cpu: "100m" # Limiting to 0.1 vCPU 26 | memory: "128Mi" # Limiting to 128 MiB of memory 27 | nvidia.com/gpu.shared: 1 # Requesting 1 GPU 28 | ports: 29 | - containerPort: 80 30 | -------------------------------------------------------------------------------- /karpenter/addon/custom-values.yaml: -------------------------------------------------------------------------------- 1 | serviceAccount: 2 | create: false 3 | name: karpenter 4 | settings: 5 | clusterName: {{{ .global.Rafay.ClusterName }}} 6 | controller: 7 | resources: 8 | requests: 9 | cpu: 1 10 | memory: 1Gi 11 | limits: 12 | cpu: 1 13 | memory: 1Gi 14 | additionalAnnotations: 15 | a8r.io/owner: "user@k8s.com" 16 | a8r.io/runbook: "http://www.k8s.com" 17 | replicas: 1 18 | tolerations: 19 | - key: nodeInfra 20 | operator: Exists 21 | effect: NoSchedule 22 | -------------------------------------------------------------------------------- /karpenter/addon/karpenter-addon.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: Addon 3 | metadata: 4 | name: karpenter-addon 5 | project: defaultproject 6 | spec: 7 | artifact: 8 | artifact: 9 | catalog: default-rafay 10 | chartName: karpenter 11 | chartVersion: 0.35.4 12 | valuesPaths: 13 | - name: file://custom-values.yaml 14 | options: 15 | maxHistory: 1 16 | timeout: 1m0s 17 | type: Helm 18 | namespace: karpenter 19 | sharing: 20 | enabled: false 21 | version: v1 22 | -------------------------------------------------------------------------------- /karpenter/addon/nodepool-addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: nodepool-addon 7 | namespace: karpenter 8 | template: 9 | type: NativeYaml 10 | yamlFile: 
nodepool.yaml -------------------------------------------------------------------------------- /karpenter/addon/nodepool.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: karpenter.sh/v1beta1 2 | kind: NodePool 3 | metadata: 4 | name: default 5 | spec: 6 | template: 7 | spec: 8 | requirements: 9 | - key: kubernetes.io/arch 10 | operator: In 11 | values: ["amd64"] 12 | - key: kubernetes.io/os 13 | operator: In 14 | values: ["linux"] 15 | - key: karpenter.sh/capacity-type 16 | operator: In 17 | values: ["spot"] 18 | - key: karpenter.k8s.aws/instance-category 19 | operator: In 20 | values: ["t"] 21 | - key: karpenter.k8s.aws/instance-generation 22 | operator: Gt 23 | values: ["2"] 24 | - key: karpenter.k8s.aws/instance-size 25 | operator: In 26 | values: ["medium", "large", "xlarge"] 27 | nodeClassRef: 28 | name: default 29 | limits: 30 | cpu: 1000 31 | disruption: 32 | consolidationPolicy: WhenUnderutilized 33 | expireAfter: 720h # 30 * 24h = 720h 34 | --- 35 | apiVersion: karpenter.k8s.aws/v1beta1 36 | kind: EC2NodeClass 37 | metadata: 38 | name: default 39 | spec: 40 | tags: 41 | email: k8s@k8s.co 42 | env: dev 43 | amiFamily: AL2 # Amazon Linux 2 44 | role: "KarpenterNodeRole-Rafay" 45 | subnetSelectorTerms: 46 | - tags: 47 | cluster-name: "{{{ .global.Rafay.ClusterName }}}" 48 | securityGroupSelectorTerms: 49 | - tags: 50 | cluster-name: "{{{ .global.Rafay.ClusterName }}}" -------------------------------------------------------------------------------- /karpenter/blueprint/blueprint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: Blueprint 3 | metadata: 4 | name: karpenter-blueprint 5 | project: defaultproject 6 | spec: 7 | base: 8 | name: minimal 9 | type: custom 10 | customAddons: 11 | - name: karpenter-addon 12 | version: v1 13 | - name: nodepool-addon 14 | version: v1 15 | dependson: 16 | - karpenter-addon 17 | version: v1 
-------------------------------------------------------------------------------- /karpenter/namespace/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: karpenter 5 | description: namespace for karpenter 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: karpenter-cluster -------------------------------------------------------------------------------- /karpenter/workload/inflate-workload.yaml: -------------------------------------------------------------------------------- 1 | name: inflate-workload 2 | namespace: default 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: karpenter-cluster 6 | payload: inflate.yaml 7 | 8 | 9 | -------------------------------------------------------------------------------- /karpenter/workload/inflate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: inflate 5 | spec: 6 | replicas: 0 7 | selector: 8 | matchLabels: 9 | app: inflate 10 | template: 11 | metadata: 12 | labels: 13 | app: inflate 14 | spec: 15 | terminationGracePeriodSeconds: 0 16 | containers: 17 | - name: inflate 18 | image: public.ecr.aws/eks-distro/kubernetes/pause:3.2 19 | resources: 20 | requests: 21 | cpu: 1 -------------------------------------------------------------------------------- /kubecost/addon/kubecost-addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: kubecost-addon 7 | namespace: kubecost 8 | template: 9 | type: Helm3 10 | valuesFile: kubecost-values.yaml 11 | repository_ref: kubecost-repo 12 | repo_artifact_meta: 13 | 
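helm:
        # NOTE(review): no `tag:` here, so the chart version floats to whatever
        # the repository serves at deploy time (the gpu addons pin theirs).
        # Pin a chart version for reproducible, reviewable installs.
        chartName: cost-analyzer
--------------------------------------------------------------------------------
/kubecost/addon/kubecost-values.yaml:
--------------------------------------------------------------------------------
## Custom values for kubecost
reporting:
  valuesReporting: false
## Change to your kubecost token below. Instructions on how to obtain the token can be found here https://www.kubecost.com/install#show-instructions
## SECURITY: never commit the real token. A token value was previously committed
## in this file, so that value is in git history and must be treated as exposed
## and rotated. Supply the token at deploy time (a values override fed from a
## secret store or CI secret) and leave this placeholder in the repository.
kubecostToken: "<KUBECOST_TOKEN>"
--------------------------------------------------------------------------------
/kubecost/blueprint/kubecost-blueprint-v1.yaml:
--------------------------------------------------------------------------------
# Blueprint version v1 on the `minimal` base, adding the kubecost addon with
# Rafay ingress enabled.
kind: BlueprintVersion
metadata:
  name: v1
  project: defaultproject
  description: Kubecost Blueprint
spec:
  blueprint: kubecost-blueprint
  baseSystemBlueprint: minimal
  baseSystemBlueprintVersion: ""
  addons:
  - name: kubecost-addon
    version: v1
  # cluster-scoped or namespace-scoped
  pspScope: cluster-scoped
  rafayIngress: true
  rafayMonitoringAndAlerting: false
  kubevirt: false
  # BlockAndNotify or DetectAndNotify
  driftAction: BlockAndNotify
--------------------------------------------------------------------------------
/kubecost/blueprint/kubecost-blueprint.yaml:
--------------------------------------------------------------------------------
# Blueprint container; kubecost-blueprint-v1.yaml carries the addon list.
kind: Blueprint
metadata:
  # blueprint name
  name: kubecost-blueprint
  #project name
  project: defaultproject
--------------------------------------------------------------------------------
/kubecost/namespace/kubecost-namespace.yaml:
--------------------------------------------------------------------------------
# Namespace the kubecost addon installs into.
kind: ManagedNamespace
apiVersion: config.rafay.dev/v2
metadata:
  name: kubecost
  description: namespace for kubecost
  labels:
  annotations:
spec:
  type: RafayWizard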
resourceQuota:
  placement:
    placementType: ClusterSpecific
    clusterLabels:
    - key: rafay.dev/clusterName
      # NOTE(review): left empty — fill in the target cluster name, otherwise the
      # namespace presumably matches no cluster.
      value:
--------------------------------------------------------------------------------
/kubecost/repository/kubecost-repository.yaml:
--------------------------------------------------------------------------------
# Public Kubecost Helm repository, fetched over HTTPS without credentials.
apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: kubecost-repo
spec:
  repositoryType: HelmRepository
  endpoint: https://kubecost.github.io/cost-analyzer/
  credentialType: CredentialTypeNotSet
--------------------------------------------------------------------------------
/kubernetes/1-pv.yaml:
--------------------------------------------------------------------------------
# Static hostPath volume pre-bound to claim 1-pvc in namespace "test".
# NOTE(review): hostPath hands a node directory to whatever pod mounts the
# claim, the data exists on one node only, and hostPath does not enforce the
# declared 5Gi capacity. Suitable for a lab, not for shared clusters.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: 1-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  storageClassName: slow
  claimRef:
    name: 1-pvc
    namespace: test
  hostPath:
    path: /var/lib/pv
--------------------------------------------------------------------------------
/kubernetes/1-pvc.yaml:
--------------------------------------------------------------------------------
# Claim bound explicitly to 1-pv via volumeName, matching 1-pv's claimRef.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: 1-pvc
  namespace: test
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: slow
  volumeName: 1-pv
--------------------------------------------------------------------------------
/kubernetes/2-pv.yaml:
--------------------------------------------------------------------------------
# Second static volume, pre-bound to claim 2-pvc.
# NOTE(review): same hostPath as 1-pv, so both claims share one directory on
# the node and the two "volumes" are not isolated from each other; give this
# one a distinct path.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: 2-pv
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  storageClassName: slow
  claimRef:
    name: 2-pvc
    namespace: test
  hostPath:
    path: /var/lib/pv
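-------------------------------------------------------------------------------- /kubernetes/2-pvc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: 2-pvc 5 | namespace: test 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | resources: 10 | requests: 11 | storage: 5Gi 12 | storageClassName: slow 13 | volumeName: 2-pv # must name the PV whose claimRef points back at this PVC (2-pv); 1-pv is already reserved for 1-pvc 14 | -------------------------------------------------------------------------------- /kubernetes/configMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: postgres-config 5 | labels: 6 | app: postgres 7 | data: 8 | POSTGRES_DB: postgresdb 9 | 10 | -------------------------------------------------------------------------------- /kubernetes/daemonset.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: fluentd 5 | spec: 6 | selector: 7 | matchLabels: 8 | name: fluentd # Label selector that determines which Pods belong to the DaemonSet 9 | template: 10 | metadata: 11 | labels: 12 | name: fluentd # Pod template's label selector 13 | spec: 14 | nodeSelector: 15 | role: logging # Node label selector that determines on which nodes Pod should be scheduled 16 | # In this case, Pods are only scheduled to nodes bearing the label "role=logging" 17 | tolerations: 18 | - key: node-role.kubernetes.io/master 19 | effect: NoSchedule 20 | containers: 21 | - name: fluentd 22 | image: gcr.io/google-containers/fluentd-elasticsearch:1.20 23 | resources: 24 | limits: 25 | memory: 200Mi 26 | requests: 27 | cpu: 100m 28 | memory: 200Mi 29 | 30 | -------------------------------------------------------------------------------- /kubernetes/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | 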
kind: Deployment 3 | metadata: 4 | name: test-deployment 5 | spec: 6 | replicas: 3 7 | selector: 8 | matchLabels: 9 | app: test-pod 10 | template: 11 | metadata: 12 | labels: 13 | app: test-pod 14 | spec: 15 | containers: 16 | - name: python-http-server 17 | image: python:2.7 18 | command: ["/bin/bash"] 19 | args: ["-c", "echo \" Hello from $(hostname)\" > index.html; python -m SimpleHTTPServer 80"] 20 | ports: 21 | - name: http 22 | containerPort: 80 -------------------------------------------------------------------------------- /kubernetes/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: example-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | spec: 8 | rules: 9 | - host: training-app.gorafay.net 10 | http: 11 | paths: 12 | - path: / 13 | pathType: Prefix 14 | backend: 15 | service: 16 | name: test-service 17 | port: 18 | number: 4000 -------------------------------------------------------------------------------- /kubernetes/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: development 5 | labels: 6 | name: development -------------------------------------------------------------------------------- /kubernetes/persistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: pv-claim-0 5 | labels: 6 | app: postgres 7 | spec: 8 | storageClassName: glusterfs-storage 9 | accessModes: 10 | - ReadWriteOnce 11 | resources: 12 | requests: 13 | storage: 1Gi 14 | -------------------------------------------------------------------------------- /kubernetes/pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: 
busybox-sleep 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: busybox 9 | args: 10 | - sleep 11 | - "1000" -------------------------------------------------------------------------------- /kubernetes/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: postgres-secrets 5 | type: Opaque 6 | data: 7 | POSTGRES_USER: cG9zdGdyZXNhZG1pbg== # echo -n "postgresadmin" | base64 - 8 | POSTGRES_PASSWORD: YWRtaW4xMjM= # echo -n "admin123" | base64 - 9 | 10 | -------------------------------------------------------------------------------- /kubernetes/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: test-service 5 | spec: 6 | type: NodePort 7 | selector: 8 | app: test-pod 9 | ports: 10 | - port: 4000 11 | targetPort: 80 12 | nodePort: 30007 -------------------------------------------------------------------------------- /kubernetes/statefulset-postgres.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: postgres 5 | spec: 6 | replicas: 2 7 | serviceName: "postgres-headless" 8 | selector: 9 | matchLabels: 10 | app: postgres 11 | template: 12 | metadata: 13 | labels: 14 | app: postgres 15 | spec: 16 | containers: 17 | - name: postgres 18 | image: postgres:10.4 19 | imagePullPolicy: "IfNotPresent" 20 | ports: 21 | - containerPort: 5432 22 | envFrom: 23 | - configMapRef: 24 | name: postgres-config 25 | - secretRef: 26 | name: postgres-secrets 27 | volumeMounts: 28 | - mountPath: /var/lib/postgresql/data 29 | name: postgredb 30 | volumeClaimTemplates: 31 | - metadata: 32 | name: postgredb 33 | spec: 34 | storageClassName: glusterfs-storage 35 | accessModes: 36 | - ReadWriteOnce 37 | resources: 38 | requests: 39 | storage: 1Gi 40 | 41 | 
-------------------------------------------------------------------------------- /kubevirt/addon/kubevirt-cr-addon.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: AddonVersion 3 | metadata: 4 | name: v1 5 | project: defaultproject 6 | spec: 7 | addon: kubevirt-cr-addon 8 | namespace: kubevirt 9 | template: 10 | type: yaml 11 | yamlFile: ./kubevirt-cr.yaml -------------------------------------------------------------------------------- /kubevirt/addon/kubevirt-cr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kubevirt.io/v1 3 | kind: KubeVirt 4 | metadata: 5 | name: kubevirt 6 | namespace: kubevirt 7 | spec: 8 | certificateRotateStrategy: {} 9 | configuration: 10 | developerConfiguration: 11 | featureGates: [] 12 | customizeComponents: {} 13 | imagePullPolicy: IfNotPresent 14 | workloadUpdateStrategy: {} 15 | -------------------------------------------------------------------------------- /kubevirt/addon/kubevirt-operator-addon.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: AddonVersion 3 | metadata: 4 | name: v1 5 | project: defaultproject 6 | spec: 7 | addon: kubevirt-operator-addon 8 | namespace: kubevirt 9 | template: 10 | type: yaml 11 | yamlFile: ./kubevirt-operator.yaml -------------------------------------------------------------------------------- /kubevirt/addon/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: kubevirt 5 | description: namespace for kubevirt 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: kubevirt-cluster 
-------------------------------------------------------------------------------- /kubevirt/blueprint/blueprint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: Blueprint 3 | metadata: 4 | name: kubevirt-blueprint 5 | project: defaultproject 6 | spec: 7 | base: 8 | name: minimal 9 | customAddons: 10 | - name: kubevirt-operator-addon 11 | version: v1 12 | - dependsOn: 13 | - kubevirt-operator-addon 14 | name: kubevirt-cr-addon 15 | version: v1 16 | defaultAddons: 17 | enableIngress: false 18 | enableLogging: true 19 | enableMonitoring: true 20 | enableVM: false 21 | monitoring: 22 | helmExporter: 23 | discovery: {} 24 | enabled: true 25 | kubeStateMetrics: 26 | discovery: {} 27 | enabled: true 28 | metricsServer: 29 | enabled: false 30 | nodeExporter: 31 | discovery: {} 32 | enabled: true 33 | prometheusAdapter: 34 | enabled: false 35 | resources: {} 36 | drift: 37 | enabled: true 38 | sharing: 39 | enabled: false 40 | version: v1 -------------------------------------------------------------------------------- /kubevirt/workload/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: vm 5 | description: namespace for the VM workload 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: kubevirt-cluster -------------------------------------------------------------------------------- /kubevirt/workload/vm-workload.yaml: -------------------------------------------------------------------------------- 1 | name: vm 2 | namespace: vm 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: kubevirt-cluster 6 | payload: ./vm.yaml -------------------------------------------------------------------------------- 
/kubevirt/workload/vm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kubevirt.io/v1 2 | kind: VirtualMachine 3 | metadata: 4 | name: testvm 5 | spec: 6 | running: true 7 | template: 8 | metadata: 9 | labels: 10 | kubevirt.io/size: small 11 | kubevirt.io/domain: testvm 12 | spec: 13 | domain: 14 | devices: 15 | disks: 16 | - name: containerdisk 17 | disk: 18 | bus: virtio 19 | - name: cloudinitdisk 20 | disk: 21 | bus: virtio 22 | interfaces: 23 | - name: default 24 | masquerade: {} 25 | resources: 26 | requests: 27 | memory: 64M 28 | networks: 29 | - name: default 30 | pod: {} 31 | volumes: 32 | - name: containerdisk 33 | containerDisk: 34 | image: quay.io/kubevirt/cirros-container-disk-demo 35 | - name: cloudinitdisk 36 | cloudInitNoCloud: 37 | userDataBase64: SGkuXG4= -------------------------------------------------------------------------------- /metallb/addon/addon.yaml: -------------------------------------------------------------------------------- 1 | kind: AddonVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | spec: 6 | addon: metallb-addon 7 | namespace: metallb 8 | template: 9 | type: Helm3 10 | valuesFile: custom-values.yaml 11 | repository_ref: metallb-repo 12 | repo_artifact_meta: 13 | helm: 14 | chartName: metallb 15 | tag: 0.13.7 16 | -------------------------------------------------------------------------------- /metallb/addon/addoncm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: AddonVersion 3 | metadata: 4 | name: v1 5 | project: defaultproject 6 | spec: 7 | addon: metallbyaml-addon 8 | namespace: metallb 9 | template: 10 | type: yaml 11 | yamlFile: ./metallb-cm.yaml -------------------------------------------------------------------------------- /metallb/addon/custom-values.yaml: -------------------------------------------------------------------------------- 1 | configInline: 2 | 
address-pools: 3 | - name: default 4 | protocol: layer2 5 | addresses: 6 | - 192.168.86.210-192.168.86.215 -------------------------------------------------------------------------------- /metallb/addon/metallb-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | namespace: metallb 5 | name: metallb-config 6 | data: 7 | config: | 8 | address-pools: 9 | - name: default 10 | protocol: layer2 11 | addresses: 12 | - 192.168.86.210-192.168.86.215 -------------------------------------------------------------------------------- /metallb/blueprint/blueprint-v1.yaml: -------------------------------------------------------------------------------- 1 | kind: BlueprintVersion 2 | metadata: 3 | name: v1 4 | project: defaultproject 5 | description: metallb 6 | spec: 7 | blueprint: metallb-blueprint 8 | baseSystemBlueprint: default 9 | baseSystemBlueprintVersion: "" 10 | addons: 11 | - name: metallb-addon 12 | version: v1 13 | - name: metallbyaml-addon 14 | version: v1 15 | # cluster-scoped or namespace-scoped 16 | pspScope: cluster-scoped 17 | rafayIngress: true 18 | rafayMonitoringAndAlerting: false 19 | kubevirt: false 20 | # BlockAndNotify or DetectAndNotify 21 | driftAction: BlockAndNotify -------------------------------------------------------------------------------- /metallb/blueprint/blueprint.yaml: -------------------------------------------------------------------------------- 1 | kind: Blueprint 2 | metadata: 3 | # blueprint name 4 | name: metallb-blueprint 5 | #project name 6 | project: defaultproject -------------------------------------------------------------------------------- /metallb/namespace/metallb-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: metallb 5 | description: namespace for metallb controller 6 | labels: 7 | annotations: 8 
| spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: metallb-cluster -------------------------------------------------------------------------------- /metallb/namespace/nginx-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: ManagedNamespace 2 | apiVersion: config.rafay.dev/v2 3 | metadata: 4 | name: metallb-test-workload 5 | description: namespace for metallb test workload 6 | labels: 7 | annotations: 8 | spec: 9 | type: RafayWizard 10 | resourceQuota: 11 | placement: 12 | placementType: ClusterSpecific 13 | clusterLabels: 14 | - key: rafay.dev/clusterName 15 | value: metallb-cluster -------------------------------------------------------------------------------- /metallb/repository/repository.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.rafay.dev/v2 2 | kind: Repository 3 | metadata: 4 | name: metallb-repo 5 | spec: 6 | repositoryType: HelmRepository 7 | endpoint: https://metallb.github.io/metallb 8 | credentialType: CredentialTypeNotSet -------------------------------------------------------------------------------- /metallb/workload/metallb-nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | app: nginx 6 | name: nginx 7 | namespace: metallb-test-workload 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - image: nginx 20 | imagePullPolicy: Always 21 | name: nginx 22 | restartPolicy: Always 23 | --- 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | labels: 28 | app: nginx 29 | name: nginx 30 | namespace: metallb-test-workload 31 | spec: 32 | loadBalancerIP: 192.168.86.212 33 | ports: 34 | - 
port: 80 35 | protocol: TCP 36 | targetPort: 80 37 | selector: 38 | app: nginx 39 | type: LoadBalancer -------------------------------------------------------------------------------- /metallb/workload/metallb-test-workload.yaml: -------------------------------------------------------------------------------- 1 | name: metallb-test-workload 2 | namespace: metallb-test-workload 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: metallb-cluster 6 | payload: metallb-nginx.yaml -------------------------------------------------------------------------------- /opa_gatekeeper/blueprint/blueprint-v2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infra.k8smgmt.io/v3 2 | kind: Blueprint 3 | metadata: 4 | name: opa-gs-blueprint 5 | project: defaultproject 6 | description: opa getting started blueprint 7 | spec: 8 | base: 9 | name: default 10 | version: 1.17.0 11 | defaultAddons: 12 | csiSecretStoreConfig: 13 | providers: {} 14 | enableIngress: true 15 | enableLogging: false 16 | enableMonitoring: true 17 | enableVM: false 18 | drift: 19 | enabled: false 20 | networkPolicy: {} 21 | opaPolicy: 22 | opaPolicy: 23 | - name: opa-gs-policy 24 | version: opa-gs-policy-version 25 | profile: 26 | name: default 27 | placement: {} 28 | sharing: 29 | enabled: false 30 | version: v1 31 | -------------------------------------------------------------------------------- /opa_gatekeeper/constraint_templates/constraint-template-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: rafay-gatekeeper-allowedrepos-constraint-template 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://rafay-gatekeeper-allowedrepos-constraint-template.yaml 13 | options: {} 14 | type: Yaml 
-------------------------------------------------------------------------------- /opa_gatekeeper/constraint_templates/constraint-template-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: rafay-request-limit-ratio-constraint-template 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://rafay-request-limit-ratio-constraint-template.yaml 13 | options: {} 14 | type: Yaml -------------------------------------------------------------------------------- /opa_gatekeeper/constraint_templates/rafay-gatekeeper-allowedrepos-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: opak8sallowedrepos 5 | annotations: 6 | description: Requires container images to begin with a repo string from a specified 7 | list. 
8 | spec: 9 | crd: 10 | spec: 11 | names: 12 | kind: OPAK8sAllowedRepos 13 | validation: 14 | # Schema for the `parameters` field 15 | openAPIV3Schema: 16 | properties: 17 | repos: 18 | type: array 19 | items: 20 | type: string 21 | targets: 22 | - target: admission.k8s.gatekeeper.sh 23 | rego: | 24 | package k8sallowedrepos 25 | 26 | violation[{"msg": msg}] { 27 | container := input.review.object.spec.containers[_] 28 | satisfied := [good | repo = input.parameters.repos[_] ; good = re_match(repo, container.image)] 29 | not any(satisfied) 30 | msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) 31 | } 32 | 33 | violation[{"msg": msg}] { 34 | container := input.review.object.spec.initContainers[_] 35 | satisfied := [good | repo = input.parameters.repos[_] ; good = re_match(repo, container.image)] 36 | not any(satisfied) 37 | msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) 38 | } 39 | -------------------------------------------------------------------------------- /opa_gatekeeper/constraints/constraint-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: rafay-gatekeeper-allowedrepos-constraint 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://rafay-gatekeeper-allowedrepos-constraint.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: rafay-gatekeeper-allowedrepos-constraint-template 17 | version: v1 18 | -------------------------------------------------------------------------------- /opa_gatekeeper/constraints/constraint-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | 
kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: rafay-request-limit-ratio-constraint 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://rafay-request-limit-ratio-constraint.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: rafay-request-limit-ratio-constraint-template 17 | version: v1 18 | -------------------------------------------------------------------------------- /opa_gatekeeper/constraints/rafay-gatekeeper-allowedrepos-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: OPAK8sAllowedRepos 3 | metadata: 4 | name: opa-allowed-repos 5 | spec: 6 | enforcementAction: deny 7 | match: 8 | kinds: 9 | - apiGroups: [""] 10 | kinds: ["Pod"] 11 | parameters: 12 | repos: # NOTE(review): the template evaluates each entry with re_match, so these are unanchored regexes: a match anywhere in the image string satisfies the check and "." matches any character; anchor with ^ and escape the dots to enforce a real registry prefix 13 | - "amazonaws.com" # ECR registry for EKS cluster 14 | - "k8s.gcr.io" # Kubernetes registry 15 | - "docker.io" # Docker Hub registry (where the bitnami images are published) 16 | -------------------------------------------------------------------------------- /opa_gatekeeper/constraints/rafay-request-limit-ratio-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: constraints.gatekeeper.sh/v1beta1 2 | kind: OPAK8sContainerRatios 3 | metadata: 4 | name: opa-container-must-meet-ratio 5 | spec: 6 | enforcementAction: warn 7 | match: 8 | kinds: 9 | - apiGroups: [""] 10 | kinds: ["Pod"] 11 | parameters: 12 | ratio: "1" 13 | -------------------------------------------------------------------------------- /opa_gatekeeper/policy/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAPolicy 3 | metadata: 4 | name: opa-gs-policy 5 | project: defaultproject 6 | spec: 7 | constraintList: 8 | - name: rafay-request-limit-ratio-constraint 9 | version: v1 10 | - name: 
rafay-gatekeeper-allowedrepos-constraint 11 | version: v1 12 | sharing: 13 | enabled: true 14 | projects: 15 | - name: defaultproject 16 | version: opa-gs-policy-version 17 | -------------------------------------------------------------------------------- /opa_gatekeeper/workload/nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: opa-gs-nginx 5 | spec: 6 | containers: 7 | - name: opa-gs-nginx 8 | image: nginx 9 | resources: 10 | limits: 11 | cpu: "800m" 12 | requests: 13 | cpu: "500m" -------------------------------------------------------------------------------- /opa_gatekeeper/workload/workload.yaml: -------------------------------------------------------------------------------- 1 | name: opa-gs-workload 2 | namespace: default 3 | project: defaultproject 4 | type: NativeYaml 5 | clusters: opa-gs-cluster 6 | payload: nginx.yaml -------------------------------------------------------------------------------- /progressive-rollouts/canary.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Rollout 3 | metadata: 4 | name: rollout-canary 5 | spec: 6 | replicas: 5 7 | strategy: 8 | canary: 9 | canaryService: rollout-canary-service 10 | stableService: rollout-stable-service 11 | trafficRouting: 12 | nginx: 13 | stableIngress: rollout-stable-ingress 14 | steps: 15 | - setWeight: 40 16 | - pause: {} 17 | revisionHistoryLimit: 2 18 | selector: 19 | matchLabels: 20 | app: rollout-canary 21 | template: 22 | metadata: 23 | labels: 24 | app: rollout-canary 25 | spec: 26 | containers: 27 | - name: rollout-canary-app 28 | image: hashicorp/http-echo 29 | args: 30 | - "-text=Version-1.0.0" 31 | imagePullPolicy: Always 32 | ports: 33 | - containerPort: 8080 34 | --- 35 | apiVersion: v1 36 | kind: Service 37 | metadata: 38 | name: rollout-stable-service 39 | spec: 40 | ports: 41 | - port: 80 42 | 
targetPort: 5678 43 | selector: 44 | app: rollout-canary 45 | --- 46 | apiVersion: v1 47 | kind: Service 48 | metadata: 49 | name: rollout-canary-service 50 | spec: 51 | ports: 52 | - port: 80 53 | targetPort: 5678 54 | selector: 55 | app: rollout-canary 56 | 57 | --- 58 | apiVersion: networking.k8s.io/v1 59 | kind: Ingress 60 | metadata: 61 | name: rollout-stable-ingress 62 | spec: 63 | rules: 64 | - http: 65 | paths: 66 | - backend: 67 | service: 68 | name: rollout-stable-service 69 | port: 70 | number: 80 71 | path: / 72 | pathType: Prefix -------------------------------------------------------------------------------- /terraform/aks/artifacts/credentials/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "profile": "prod", 3 | "skip_server_cert_check": "false", 4 | "rest_endpoint": "console.rafay.dev", 5 | "ops_endpoint": "ops.rafay.dev", 6 | "api_key": "RAFAY_API_KEY", 7 | "api_secret": "RAFAY_API_SECRET", 8 | "project_id": "PROJETC_ID" 9 | } -------------------------------------------------------------------------------- /terraform/aks/main.tf: -------------------------------------------------------------------------------- 1 | module "project" { 2 | source = "./modules/project" 3 | project = var.project 4 | } 5 | 6 | module "cloud-credentials" { 7 | source = "./modules/cloud-credentials" 8 | cloud_credentials_name = var.cloud_credentials_name 9 | project = var.project 10 | client_id = var.client_id 11 | client_secret = var.client_secret 12 | subscription_id = var.subscription_id 13 | tenant_id = var.tenant_id 14 | depends_on = [ module.project] 15 | } 16 | 17 | module cluster { 18 | source = "./modules/aks" 19 | cluster_name = var.cluster_name 20 | project = var.project 21 | blueprint_name = var.blueprint_name 22 | blueprint_version = var.blueprint_version 23 | cloud_credentials_name = var.cloud_credentials_name 24 | cluster_resource_group = var.cluster_resource_group 25 | k8s_version = var.k8s_version 26 
| cluster_location = var.cluster_location 27 | nodePools = var.nodePools 28 | depends_on = [ module.cloud-credentials] 29 | } 30 | -------------------------------------------------------------------------------- /terraform/aks/modules/aks/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/aks/modules/aks/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "cluster_name" { 6 | type = string 7 | } 8 | 9 | variable "blueprint_name" { 10 | type = string 11 | } 12 | 13 | variable "blueprint_version" { 14 | type = string 15 | } 16 | 17 | variable "cloud_credentials_name" { 18 | type = string 19 | } 20 | 21 | variable "cluster_resource_group" { 22 | type = string 23 | } 24 | 25 | variable "cluster_location" { 26 | type = string 27 | } 28 | 29 | variable "k8s_version" { 30 | type = string 31 | } 32 | 33 | variable "nodePools" { 34 | type = map(object({ 35 | name = string 36 | location = string 37 | count = number 38 | maxCount = string 39 | minCount = string 40 | mode = string 41 | k8sVersion = string 42 | vmSize = string 43 | })) 44 | } -------------------------------------------------------------------------------- /terraform/aks/modules/cloud-credentials/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_cloud_credential" "credentials" { 2 | name = var.cloud_credentials_name 3 | project = var.project 4 | type = "cluster-provisioning" 5 | providertype = "AZURE" 6 | clientid = var.client_id 7 | clientsecret = var.client_secret 8 | subscriptionid = var.subscription_id 9 | tenantid = var.tenant_id 10 | } 
-------------------------------------------------------------------------------- /terraform/aks/modules/cloud-credentials/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/aks/modules/cloud-credentials/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "cloud_credentials_name" { 6 | type = string 7 | } 8 | 9 | variable "client_id" { 10 | type = string 11 | } 12 | 13 | variable "client_secret" { 14 | type = string 15 | } 16 | 17 | variable "subscription_id" { 18 | type = string 19 | } 20 | 21 | variable "tenant_id" { 22 | type = string 23 | } -------------------------------------------------------------------------------- /terraform/aks/modules/project/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_project" "project" { 2 | metadata { 3 | name = var.project 4 | } 5 | spec { 6 | default = false 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/aks/modules/project/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/aks/modules/project/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } -------------------------------------------------------------------------------- /terraform/aks/providers.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } 9 | 10 | provider "rafay" { 11 | provider_config_file = var.rafay_config_file 12 | } 13 | -------------------------------------------------------------------------------- /terraform/aks/terraform.tfvars: -------------------------------------------------------------------------------- 1 | #Project name variable 2 | project = "terraform" 3 | 4 | #Cloud Credentials specific variables 5 | cloud_credentials_name = "aks-cloud-credentials" 6 | subscription_id = "" 7 | tenant_id = "" 8 | client_id = "" 9 | client_secret = "" # Azure service-principal secret: leave empty here and supply it at apply time (TF_VAR_client_secret or a var-file kept out of version control) 10 | 11 | #Cluster specific variables 12 | cluster_name = "aks-cluster" 13 | cluster_resource_group = "" 14 | cluster_location = "centralindia" 15 | k8s_version = "1.23.8" 16 | 17 | #Blueprint/Addons specific variables 18 | blueprint_name = "minimal" 19 | blueprint_version = "1.21.0" 20 | 21 | #Nodepool specific variables 22 | nodePools = { 23 | "pool1" = { 24 | name = "pool1" 25 | location = "centralindia" 26 | count = 1 27 | maxCount = 3 28 | minCount = 1 29 | mode = "System" 30 | k8sVersion = "1.23.8" 31 | vmSize = "Standard_DS2_v2" 32 | } 33 | } -------------------------------------------------------------------------------- /terraform/aks/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | # Path to the Rafay CLI config consumed by provider "rafay"; that file carries api_key/api_secret, so a real one belongs outside the repo (the committed one holds placeholders). 
variable "rafay_config_file" { 6 | type = string 7 | default = "./artifacts/credentials/config.json" 8 | } 9 | 10 | variable "blueprint_name" { 11 | type = string 12 | } 13 | 14 | variable "blueprint_version" { 15 | type = string 16 | } 17 | 18 | variable "cluster_name" { 19 | type = string 20 | } 21 | 22 | variable "cloud_credentials_name" { 23 | type = string 24 | } 25 | 26 | variable "cluster_resource_group" { 27 | type = string 28 | } 29 | 30 | 
variable "cluster_location" { 31 | type = string 32 | } 33 | 34 | variable "k8s_version" { 35 | type = string 36 | } 37 | 38 | variable "client_id" { 39 | type = string 40 | } 41 | 42 | variable "client_secret" { 43 | type = string 44 | } 45 | 46 | variable "subscription_id" { 47 | type = string 48 | } 49 | 50 | variable "tenant_id" { 51 | type = string 52 | } 53 | 54 | variable "nodePools" { 55 | type = map(object({ 56 | name = string 57 | location = string 58 | count = number 59 | maxCount = string 60 | minCount = string 61 | mode = string 62 | k8sVersion = string 63 | vmSize = string 64 | })) 65 | } -------------------------------------------------------------------------------- /terraform/blueprints/artifacts/credentials/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "profile": "prod", 3 | "skip_server_cert_check": "false", 4 | "rest_endpoint": "console.rafay.dev", 5 | "ops_endpoint": "ops.rafay.dev", 6 | "api_key": "RAFAY_API_KEY", 7 | "api_secret": "RAFAY_API_SECRET", 8 | "project_id": "PROJETC_ID" 9 | } -------------------------------------------------------------------------------- /terraform/blueprints/main.tf: -------------------------------------------------------------------------------- 1 | module "project" { 2 | source = "./modules/project" 3 | project = var.project 4 | } 5 | 6 | module "blueprint" { 7 | source = "./modules/blueprints" 8 | project = var.project 9 | blueprint_name = var.blueprint_name 10 | blueprint_version = var.blueprint_version 11 | base_blueprint = var.base_blueprint 12 | base_blueprint_version = var.base_blueprint_version 13 | depends_on = [module.project] 14 | } -------------------------------------------------------------------------------- /terraform/blueprints/modules/blueprints/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_blueprint" "blueprint" { 2 | metadata { 3 | name = var.blueprint_name 4 | project = 
var.project 5 | } 6 | spec { 7 | version = "v0" 8 | base { 9 | name = var.base_blueprint 10 | version = var.base_blueprint_version 11 | } 12 | default_addons { 13 | enable_ingress = false 14 | enable_monitoring = true 15 | } 16 | drift { 17 | action = "Deny" 18 | enabled = true 19 | } 20 | sharing { 21 | enabled = false 22 | projects { 23 | name = "defaultprooject" 24 | } 25 | } 26 | placement { 27 | auto_publish = false 28 | } 29 | } 30 | } -------------------------------------------------------------------------------- /terraform/blueprints/modules/blueprints/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/blueprints/modules/blueprints/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "blueprint_name" { 6 | type = string 7 | } 8 | 9 | variable "blueprint_version" { 10 | type = string 11 | } 12 | 13 | variable "base_blueprint" { 14 | type = string 15 | } 16 | 17 | variable "base_blueprint_version" { 18 | type = string 19 | } -------------------------------------------------------------------------------- /terraform/blueprints/modules/project/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_project" "project" { 2 | metadata { 3 | name = var.project 4 | } 5 | spec { 6 | default = true 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/blueprints/modules/project/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 
| } -------------------------------------------------------------------------------- /terraform/blueprints/modules/project/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } -------------------------------------------------------------------------------- /terraform/blueprints/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } 9 | 10 | provider "rafay" { 11 | provider_config_file = var.rafay_config_file 12 | } 13 | -------------------------------------------------------------------------------- /terraform/blueprints/terraform.tfvars: -------------------------------------------------------------------------------- 1 | #Project name variable 2 | project = "terraform-blueprint" 3 | 4 | #Blueprint/Addons specific variables 5 | blueprint_name = "blueprint-exercise" 6 | blueprint_version = "v1" 7 | base_blueprint = "minimal" 8 | base_blueprint_version = "1.22.0" 9 | -------------------------------------------------------------------------------- /terraform/blueprints/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "rafay_config_file" { 6 | type = string 7 | default = "./artifacts/credentials/config.json" 8 | } 9 | 10 | variable "blueprint_name" { 11 | type = string 12 | } 13 | 14 | variable "blueprint_version" { 15 | type = string 16 | } 17 | 18 | variable "base_blueprint" { 19 | type = string 20 | } 21 | 22 | variable "base_blueprint_version" { 23 | type = string 24 | } 25 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/addons/providers.tf: -------------------------------------------------------------------------------- 1 | 
terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/addons/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "infra_addons" { 6 | type = map(object({ 7 | name = string 8 | namespace = string 9 | type = string 10 | addon_version = string 11 | catalog = optional(string) 12 | chart_name = string 13 | chart_version = string 14 | repository = optional(string) 15 | file_path = string 16 | })) 17 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/aks/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/aks/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "cluster_name" { 6 | type = string 7 | } 8 | 9 | variable "blueprint_name" { 10 | type = string 11 | } 12 | 13 | variable "blueprint_version" { 14 | type = string 15 | } 16 | 17 | variable "cloud_credentials_name" { 18 | type = string 19 | } 20 | 21 | variable "cluster_resource_group" { 22 | type = string 23 | } 24 | 25 | variable "cluster_location" { 26 | type = string 27 | } 28 | 29 | variable "k8s_version" { 30 | type = string 31 | } 32 | 33 | variable "cluster_tags" { 34 | type = map 35 | } 36 | 37 | variable "nodePools" { 38 | type = map(object({ 39 | name = string 40 | location = string 41 | count = number 42 | maxCount = string 43 | minCount = 
string 44 | mode = string 45 | k8sVersion = string 46 | vmSize = string 47 | })) 48 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/blueprints/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_blueprint" "blueprint" { 2 | metadata { 3 | name = var.blueprint_name 4 | project = var.project 5 | } 6 | spec { 7 | version = var.blueprint_version 8 | base { 9 | name = var.base_blueprint 10 | version = var.base_blueprint_version 11 | } 12 | dynamic "custom_addons" { 13 | for_each = var.infra_addons 14 | content { 15 | name = custom_addons.value.name 16 | version = custom_addons.value.addon_version 17 | depends_on = custom_addons.value.depends_on 18 | 19 | } 20 | } 21 | default_addons { 22 | enable_ingress = false 23 | enable_monitoring = true 24 | } 25 | drift { 26 | action = "Deny" 27 | enabled = true 28 | } 29 | cost_profile { 30 | name = "default-cost-profile-azure" 31 | version = "latest" 32 | } 33 | dynamic "opa_policy" { 34 | for_each = var.opa-repo != null ? 
[0] : [] 35 | content { 36 | opa_policy { 37 | name = "default-opa-policy" 38 | version = "v1" 39 | } 40 | profile { 41 | name = "default-opa-profile" 42 | version = "v1" 43 | } 44 | } 45 | } 46 | sharing { 47 | enabled = false 48 | } 49 | namespace_config { 50 | enable_sync = true 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/blueprints/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/blueprints/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "blueprint_name" { 6 | type = string 7 | } 8 | 9 | variable "blueprint_version" { 10 | type = string 11 | } 12 | 13 | variable "base_blueprint" { 14 | type = string 15 | } 16 | 17 | variable "base_blueprint_version" { 18 | type = string 19 | } 20 | 21 | variable "opa-repo" { 22 | type = string 23 | } 24 | 25 | variable "infra_addons" { 26 | type = map(object({ 27 | name = string 28 | namespace = string 29 | addon_version = string 30 | catalog = optional(string) 31 | chart_name = string 32 | chart_version = string 33 | repository = optional(string) 34 | file_path = string 35 | depends_on = list(string) 36 | })) 37 | } 38 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/cloud-credentials/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_cloud_credential" "credentials" { 2 | name = var.cloud_credentials_name 3 | project = var.project 4 | type = "cluster-provisioning" 5 | providertype = "AZURE" 6 | 
clientid = var.client_id 7 | clientsecret = var.client_secret 8 | subscriptionid = var.subscription_id 9 | tenantid = var.tenant_id 10 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/cloud-credentials/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/cloud-credentials/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "cloud_credentials_name" { 6 | type = string 7 | } 8 | 9 | variable "client_id" { 10 | type = string 11 | } 12 | 13 | variable "client_secret" { 14 | type = string 15 | } 16 | 17 | variable "subscription_id" { 18 | type = string 19 | } 20 | 21 | variable "tenant_id" { 22 | type = string 23 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/cluster-overrides/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_cluster_override" "override" { 2 | 3 | for_each = var.overrides_config 4 | metadata { 5 | name = each.key 6 | project = var.project 7 | labels = { 8 | "rafay.dev/overrideScope" = "clusterLabels" 9 | "rafay.dev/overrideType" = "valuesFile" 10 | } 11 | } 12 | spec { 13 | cluster_selector = "rafay.dev/clusterName in (${var.cluster_name})" 14 | cluster_placement { 15 | placement_type = "ClusterSpecific" 16 | cluster_labels { 17 | key = "rafay.dev/clusterName" 18 | value = var.cluster_name 19 | } 20 | } 21 | resource_selector = "rafay.dev/name=${each.value.override_addon_name}" 22 | type = "ClusterOverrideTypeAddon" 23 | override_values = 
each.value.override_values 24 | } 25 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/cluster-overrides/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/cluster-overrides/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "cluster_name" { 6 | type = string 7 | } 8 | 9 | variable "overrides_config" { 10 | type = map(object({ 11 | override_addon_name = string 12 | override_values = string 13 | })) 14 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group-association/aks/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group-association/aks/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "cluster_name" { 6 | type = string 7 | } 8 | 9 | variable "blueprint_name" { 10 | type = string 11 | } 12 | 13 | variable "blueprint_version" { 14 | type = string 15 | } 16 | 17 | variable "cloud_credentials_name" { 18 | type = string 19 | } 20 | 21 | variable "cluster_resource_group" { 22 | type = string 23 | } 24 | 25 | variable "cluster_location" { 26 | type = string 27 | } 28 | 29 | variable "k8s_version" { 30 | type = string 31 | } 
32 | 33 | variable "nodepool_name" { 34 | type = string 35 | } 36 | 37 | variable "node_count" { 38 | type = string 39 | } 40 | 41 | variable "node_max_count" { 42 | type = string 43 | } 44 | 45 | variable "node_min_count" { 46 | type = string 47 | } 48 | 49 | variable "vm_size" { 50 | type = string 51 | } 52 | 53 | variable "cluster_tags" { 54 | type = map 55 | } 56 | 57 | variable "node_tags" { 58 | type = map 59 | } 60 | 61 | variable "node_labels" { 62 | type = map 63 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group-association/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_groupassociation" "groupassociation" { 2 | group = var.group 3 | project = var.project 4 | roles = ["PROJECT_ADMIN"] 5 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group-association/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group-association/variables.tf: -------------------------------------------------------------------------------- 1 | variable "group" { 2 | type = string 3 | } 4 | 5 | variable "project" { 6 | type = string 7 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_group" "group" { 2 | name = var.group 3 | } 4 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group/providers.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/group/variables.tf: -------------------------------------------------------------------------------- 1 | variable "group" { 2 | type = string 3 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/namespace/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_namespace" "namespace" { 2 | for_each = toset(var.namespaces) 3 | metadata { 4 | name = each.key 5 | project = var.project 6 | labels = { 7 | "owner" = "kubernetes.agilebank.demo" 8 | } 9 | } 10 | spec { 11 | drift { 12 | enabled = false 13 | } 14 | } 15 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/namespace/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/namespace/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "namespaces" { 6 | type = list(string) 7 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-constraint-template/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_opa_constraint_template" "opa-constraint-template" { 2 | for_each = 
toset(var.constraint_templates) 3 | metadata { 4 | name = each.key 5 | project = var.project 6 | } 7 | spec { 8 | artifact { 9 | artifact { 10 | repository = var.opa-repo 11 | revision = var.opa-branch 12 | paths { 13 | name = "turnkey-opa/opaconstrainttemplates/artifacts/${each.key}/${trimsuffix(each.key, "-custom")}.yaml" 14 | } 15 | } 16 | options { 17 | force = true 18 | } 19 | type = "Yaml" 20 | } 21 | } 22 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-constraint-template/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-constraint-template/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "constraint_templates" { 6 | type = list(string) 7 | } 8 | 9 | variable "opa-repo" { 10 | type = string 11 | } 12 | 13 | variable "opa-branch" { 14 | type = string 15 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-constraint/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_opa_constraint" "opa-constraint" { 2 | for_each = toset(var.constraint_templates) 3 | metadata { 4 | name = each.key 5 | project = var.project 6 | labels = { 7 | "rafay.dev/opa" = "constraint" 8 | } 9 | } 10 | spec { 11 | artifact { 12 | type = "Yaml" 13 | artifact { 14 | repository = var.opa-repo 15 | revision = var.opa-branch 16 | paths { 17 | name = "turnkey-opa/opaconstraints/artifacts/${each.key}/${trimsuffix(each.key, "-custom")}.yaml" 18 | } 19 | } 20 | } 21 | template_name = 
each.key 22 | version = "v1" 23 | published = true 24 | } 25 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-constraint/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-constraint/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "constraint_templates" { 6 | type = list(string) 7 | } 8 | 9 | variable "opa-repo" { 10 | type = string 11 | } 12 | 13 | variable "opa-branch" { 14 | type = string 15 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-installation-profile/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_opa_installation_profile" "opa-installation-profile" { 2 | count = var.opa-repo != "" ? 
1 : 0 3 | metadata { 4 | name = "default-opa-profile" 5 | project = var.project 6 | } 7 | spec { 8 | version = "v1" 9 | installation_params { 10 | audit_interval = 60 11 | audit_match_kind_only = true 12 | constraint_violations_limit = 20 13 | audit_chunk_size = 20 14 | log_denies = true 15 | emit_audit_events = true 16 | } 17 | dynamic "excluded_namespaces" { 18 | for_each = toset(var.opa_excluded_namespaces) 19 | content { 20 | namespaces { 21 | name = excluded_namespaces.value 22 | } 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-installation-profile/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-installation-profile/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "opa_excluded_namespaces" { 6 | type = list(string) 7 | } 8 | 9 | variable "opa-repo" { 10 | type = string 11 | } 12 | 13 | variable "opa-branch" { 14 | type = string 15 | } 16 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-policy/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_opa_policy" "opa-policy" { 2 | count = var.opa-repo != "" ? 
1 : 0 3 | metadata { 4 | name = "default-opa-policy" 5 | project = var.project 6 | } 7 | spec { 8 | dynamic "constraint_list" { 9 | for_each = var.constraint_templates 10 | content { 11 | name = constraint_list.value 12 | version = "v1" 13 | } 14 | } 15 | sharing { 16 | enabled = false 17 | } 18 | version = "v1" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-policy/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/opa-policy/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "constraint_templates" { 6 | type = list(string) 7 | } 8 | 9 | variable "opa-repo" { 10 | type = string 11 | } 12 | 13 | variable "opa-branch" { 14 | type = string 15 | } 16 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/project/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_project" "project" { 2 | metadata { 3 | name = var.project 4 | } 5 | spec { 6 | default = false 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/project/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/project/variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/repositories/main.tf: -------------------------------------------------------------------------------- 1 | resource "rafay_repositories" "public_repositories" { 2 | 3 | for_each = var.public_repositories 4 | metadata { 5 | name = each.key 6 | project = var.project 7 | } 8 | 9 | spec { 10 | endpoint = each.value.endpoint 11 | type = each.value.type 12 | } 13 | } -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/repositories/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/modules/repositories/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | type = string 3 | } 4 | 5 | variable "public_repositories" { 6 | type = map(object({ 7 | endpoint = string 8 | type = string 9 | })) 10 | } 11 | -------------------------------------------------------------------------------- /terraform/caas_terraform/aks/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | rafay = { 4 | source = "RafaySystems/rafay" 5 | version = ">= 1.0.0" 6 | } 7 | } 8 | } 9 | 10 | provider "rafay" { 11 | provider_config_file = var.rafay_config_file 12 | } 13 | -------------------------------------------------------------------------------- /terraform/caas_terraform/artifacts/cert-manager/custom_values.yaml: 
-------------------------------------------------------------------------------- 1 | installCRDs: true -------------------------------------------------------------------------------- /terraform/caas_terraform/artifacts/karpenter/custom_values.yaml: -------------------------------------------------------------------------------- 1 | serviceAccount: 2 | create: false 3 | name: karpenter 4 | settings: 5 | clusterName: {{{ .global.Rafay.ClusterName }}} -------------------------------------------------------------------------------- /terraform/caas_terraform/artifacts/karpenter/nodepool.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: karpenter.sh/v1beta1 2 | kind: NodePool 3 | metadata: 4 | name: default 5 | spec: 6 | template: 7 | spec: 8 | requirements: 9 | - key: kubernetes.io/arch 10 | operator: In 11 | values: ["amd64"] 12 | - key: kubernetes.io/os 13 | operator: In 14 | values: ["linux"] 15 | - key: karpenter.sh/capacity-type 16 | operator: In 17 | values: ["spot"] 18 | - key: karpenter.k8s.aws/instance-category 19 | operator: In 20 | values: ["t"] 21 | - key: karpenter.k8s.aws/instance-generation 22 | operator: Gt 23 | values: ["2"] 24 | - key: karpenter.k8s.aws/instance-size 25 | operator: In 26 | values: ["medium", "large", "xlarge"] 27 | nodeClassRef: 28 | name: default 29 | limits: 30 | cpu: 1000 31 | disruption: 32 | consolidationPolicy: WhenUnderutilized 33 | expireAfter: 720h # 30 * 24h = 720h 34 | --- 35 | apiVersion: karpenter.k8s.aws/v1beta1 36 | kind: EC2NodeClass 37 | metadata: 38 | name: default 39 | spec: 40 | tags: 41 | email: david@rafay.co 42 | env: dev 43 | amiFamily: AL2 # Amazon Linux 2 44 | role: "KarpenterNodeRole-Rafay" 45 | subnetSelectorTerms: 46 | - tags: 47 | cluster-name: "{{{ .global.Rafay.ClusterName }}}" 48 | securityGroupSelectorTerms: 49 | - tags: 50 | cluster-name: "{{{ .global.Rafay.ClusterName }}}" 
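--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/addons/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source = "RafaySystems/rafay"
      # Open-ended lower bound: any future major version is accepted. Add an upper
      # bound (e.g. "~> 1.0") and commit the dependency lock file so provider
      # upgrades are reviewed instead of being picked up silently.
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/addons/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the addons are created in."
}

variable "infra_addons" {
  description = "Addons to create, keyed by a stable id. The optional attributes let one map be shared with the blueprints module, whose object type carries a depends_on list."
  type = map(object({
    name          = string
    namespace     = string
    type          = string
    addon_version = string
    catalog       = optional(string)
    chart_name    = optional(string)
    chart_version = optional(string)
    repository    = optional(string)
    file_path     = string
    # Accepted but unused here; required by the blueprints module's object type.
    depends_on    = optional(list(string))
  }))
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/backup-restore/delete_resources.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Destroy-time helper run by modules/backup-restore/main.tf (null_resource.cluster_destroy).
# Undeploys and then deletes the dp-agent for the cluster before the cluster goes away.
#
# Inputs (environment): PROJECT_NAME, CLUSTER_NAME. S3_BUCKET_NAME and CLUSTER_LOCATION are
# also exported by the provisioner but are not used by this script.
# Requires: curl, tar and ../artifacts/credentials/config.json (rctl credentials) relative
# to the working directory.

# Fail on the first error and on unset variables so a failed download or a missing
# PROJECT_NAME does not silently continue into the delete steps.
set -euo pipefail

: "${PROJECT_NAME:?PROJECT_NAME must be set}"
: "${CLUSTER_NAME:?CLUSTER_NAME must be set}"

# Download the rctl binary for the current OS and configure it for use.
# The previous version only handled the macOS build and left the Linux URL commented out.
case "$(uname -s)" in
  Linux)
    archive="rctl-linux-amd64.tar.bz2"
    url="https://s3-us-west-2.amazonaws.com/rafay-prod-cli/publish/${archive}"
    ;;
  Darwin)
    archive="rctl-darwin-amd64.tar.bz2"
    url="https://rafay-prod-cli.s3-us-west-2.amazonaws.com/publish/${archive}"
    ;;
  *)
    echo "Unsupported OS: $(uname -s)" >&2
    exit 1
    ;;
esac

# -f makes curl fail on an HTTP error instead of saving the error body as the archive.
# NOTE(review): the archive is not integrity-checked. No checksum is published alongside
# it on this page; pin a known-good sha256 here (e.g. `sha256sum -c`) before extracting,
# otherwise whatever the URL serves runs with the caller's rctl credentials.
curl -fsS -o "${archive}" "${url}"
tar -xf "${archive}"
chmod 0755 rctl

# Trigger path in pipeline
path="gitops/specfiles/"

echo "In Destroy"
echo "PROJECT_NAME: ${PROJECT_NAME}"
echo "CLUSTER_NAME: ${CLUSTER_NAME}"

./rctl config init ../artifacts/credentials/config.json

# NOTE(review): `config show` echoes the active rctl configuration into the provisioner
# output; if that includes credential material it lands in Terraform/CI logs. Consider
# dropping this line once the script is trusted.
./rctl config show

./rctl get projects

echo "./rctl undeploy dp-agent ${CLUSTER_NAME} --cluster-name ${CLUSTER_NAME} -p ${PROJECT_NAME} --wait"
./rctl undeploy dp-agent "${CLUSTER_NAME}" --cluster-name "${CLUSTER_NAME}" -p "${PROJECT_NAME}" --wait

# Fixed grace period before deletion; --wait above already blocks on the undeploy, so this
# may be longer than needed.
sleep 120

./rctl delete dp-agent "${CLUSTER_NAME}" -p "${PROJECT_NAME}" --wait
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/backup-restore/main.tf:
--------------------------------------------------------------------------------
# Hooks the backup/restore agent (dp-agent) into the cluster lifecycle.
# Both resources exist only when an S3 bucket name is supplied.
resource "null_resource" "cluster_destroy" {
  count = var.s3_bucket != null ? 1 : 0
  # Captured at create time so the destroy-time provisioner can read them via self.
  triggers = {
    proj             = var.project
    cluster          = var.cluster_name
    s3_bucket        = var.s3_bucket
    cluster_location = var.cluster_location
  }
  provisioner "local-exec" {
    when = destroy
    # The script runs under bash and receives its inputs through the environment.
    # The previous form, `command = "bash -c ${templatefile(...)}"`, pasted the rendered
    # script after `bash -c` unquoted: /bin/sh treated `#!/bin/bash` as a comment, so
    # `bash -c` had no argument and the remaining lines ran under sh, and any input value
    # containing shell metacharacters was spliced straight into the script source.
    interpreter = ["bash", "-c"]
    command     = file("modules/backup-restore/delete_resources.sh")
    environment = {
      PROJECT_NAME     = self.triggers.proj
      CLUSTER_NAME     = self.triggers.cluster
      S3_BUCKET_NAME   = self.triggers.s3_bucket
      CLUSTER_LOCATION = self.triggers.cluster_location
    }
  }
}

resource "null_resource" "cluster_apply" {
  count = var.s3_bucket != null ? 1 : 0
  provisioner "local-exec" {
    when = create
    # create_resources.sh is not shown here, so it is still rendered with templatefile();
    # the interpreter is set explicitly so the rendered script runs under bash instead of
    # being appended to "bash -c" as plain text.
    interpreter = ["bash", "-c"]
    command = templatefile("modules/backup-restore/create_resources.sh", {
      PROJECT_NAME     = var.project
      CLUSTER_NAME     = var.cluster_name
      S3_BUCKET_NAME   = var.s3_bucket
      CLUSTER_LOCATION = var.cluster_location
    })
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/backup-restore/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/backup-restore/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the cluster belongs to."
}

variable "cluster_name" {
  type        = string
  description = "Name of the cluster whose dp-agent is managed."
}

variable "s3_bucket" {
  type = string
  # A real null, not the string "null": main.tf gates both resources on
  # `var.s3_bucket != null`, and the previous default of "null" (a string) made that
  # condition always true.
  default     = null
  description = "The name of the AWS S3 bucket for storing backups; leave unset to skip backup setup"
}

variable "cluster_location" {
  type        = string
  description = "The AWS region the cluster will be provisioned"
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/blueprints/main.tf:
--------------------------------------------------------------------------------
# Cluster blueprint: a base blueprint plus custom addons, with drift detection set to
# deny and the OPA policy/profile attached only when an OPA repository is configured.
resource "rafay_blueprint" "blueprint" {
  metadata {
    name    = var.blueprint_name
    project = var.project
  }
  spec {
    version = var.blueprint_version
    base {
      name    = var.base_blueprint
      version = var.base_blueprint_version
    }
    dynamic "custom_addons" {
      for_each = var.infra_addons
      content {
        name       = custom_addons.value.name
        version    = custom_addons.value.addon_version
        depends_on = custom_addons.value.depends_on
      }
    }
    default_addons {
      enable_ingress    = false
      enable_monitoring = true
    }
    # Out-of-band changes to blueprint-managed resources are rejected, not just reported.
    drift {
      action  = "Deny"
      enabled = true
    }
    cost_profile {
      name    = "default-cost-profile-aws"
      version = "latest"
    }
    # The names below must match what the opa-policy and opa-installation-profile
    # modules create.
    dynamic "opa_policy" {
      for_each = var.opa-repo != null ? [0] : []
      content {
        opa_policy {
          name    = "default-opa-policy"
          version = "v1"
        }
        profile {
          name    = "default-opa-profile"
          version = "v1"
        }
      }
    }
    sharing {
      enabled = false
    }
    namespace_config {
      enable_sync = true
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/blueprints/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/blueprints/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the blueprint is created in."
}

variable "blueprint_name" {
  type = string
}

variable "blueprint_version" {
  type = string
}

variable "base_blueprint" {
  type = string
}

variable "base_blueprint_version" {
  type = string
}

variable "opa-repo" {
  type = string
  # Defaults to null so the `var.opa-repo != null` check in main.tf can actually be
  # false without the caller passing null explicitly.
  default     = null
  description = "OPA artifact repository; when unset no OPA policy/profile is attached."
}

variable "infra_addons" {
  description = "Addons referenced by the blueprint. Attributes the blueprint does not read are optional so the same map can be passed to the addons module."
  type = map(object({
    name          = string
    namespace     = string
    type          = optional(string)
    addon_version = string
    catalog       = optional(string)
    chart_name    = optional(string)
    chart_version = optional(string)
    repository    = optional(string)
    file_path     = string
    # Defaulted to an empty list (Terraform >= 1.3 syntax) so main.tf never passes null.
    depends_on    = optional(list(string), [])
  }))
}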
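--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/cloud-credentials/main.tf:
--------------------------------------------------------------------------------
# Cloud credential used for cluster provisioning. Uses role assumption (rolearn plus an
# external id) rather than static access keys, so no long-lived AWS secret is stored
# in state or variables.
resource "rafay_cloud_credential" "eks-credentials" {
  name         = var.cloud_credentials_name
  project      = var.project
  type         = "cluster-provisioning"
  providertype = "AWS"
  awscredtype  = "rolearn"
  rolearn      = var.rolearn
  externalid   = var.externalid
}

--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/cloud-credentials/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/cloud-credentials/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the credential is created in."
}

variable "cloud_credentials_name" {
  type        = string
  description = "Name of the cloud credential resource."
}

variable "rolearn" {
  type        = string
  description = "ARN of the IAM role Rafay assumes to provision the cluster."
  # NOTE(review): this default is the string "null", not a null value, so an unset
  # variable sends a literal "null" role ARN to the provider. Make it required (or
  # `default = null`) once the provider's handling of an absent rolearn is confirmed.
  default = "null"
}

variable "externalid" {
  type        = string
  description = "External id presented when assuming the role (AWS confused-deputy protection)."
  # Same string-"null" default as rolearn; see the note there.
  default = "null"
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/cluster-overrides/main.tf:
--------------------------------------------------------------------------------
# One values-file override per entry in overrides_config, each scoped to exactly one
# cluster by name and to one addon by its rafay.dev/name label.
resource "rafay_cluster_override" "override" {

  for_each = var.overrides_config
  metadata {
    name    = each.key
    project = var.project
    labels = {
      "rafay.dev/overrideScope" = "clusterLabels"
      "rafay.dev/overrideType"  = "valuesFile"
    }
  }
  spec {
    cluster_selector = "rafay.dev/clusterName in (${var.cluster_name})"
    cluster_placement {
      placement_type = "ClusterSpecific"
      cluster_labels {
        key   = "rafay.dev/clusterName"
        value = var.cluster_name
      }
    }
    resource_selector = "rafay.dev/name=${each.value.override_addon_name}"
    type              = "ClusterOverrideTypeAddon"
    override_values   = each.value.override_values
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/cluster-overrides/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/cluster-overrides/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the overrides are created in."
}

variable "cluster_name" {
  type        = string
  description = "Cluster the overrides are pinned to."
}

variable "overrides_config" {
  description = "Overrides keyed by override name: the addon to target and the values-file content to apply."
  type = map(object({
    override_addon_name = string
    override_values     = string
  }))
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/eks/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/group-association/main.tf:
--------------------------------------------------------------------------------
# Binds the group to the project. PROJECT_ADMIN is hard-coded; if the consuming team only
# needs to deploy workloads, a narrower project role would be the least-privilege choice.
resource "rafay_groupassociation" "groupassociation" {
  group   = var.group
  project = var.project
  roles   = ["PROJECT_ADMIN"]
}
--------------------------------------------------------------------------------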
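/terraform/caas_terraform/eks/modules/group-association/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/group-association/variables.tf:
--------------------------------------------------------------------------------
variable "group" {
  type        = string
  description = "Name of the group to associate with the project."
}

variable "project" {
  type        = string
  description = "Rafay project the group is granted access to."
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/group/main.tf:
--------------------------------------------------------------------------------
resource "rafay_group" "group" {
  name = var.group
}

--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/group/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/group/variables.tf:
--------------------------------------------------------------------------------
variable "group" {
  type        = string
  description = "Name of the group to create."
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/namespace/main.tf:
--------------------------------------------------------------------------------
# One managed namespace per name in var.namespaces.
resource "rafay_namespace" "namespace" {
  for_each = toset(var.namespaces)
  metadata {
    name    = each.key
    project = var.project
    labels = {
      # Demo-specific owner label carried over from the reference design; parameterise
      # before reuse.
      "owner" = "kubernetes.agilebank.demo"
    }
  }
  spec {
    # Drift detection is off for namespaces, so manual changes to them are neither
    # reported nor reverted (the blueprint module denies drift for its own resources).
    drift {
      enabled = false
    }
    # Placement is commented out, so the namespace is not pinned to var.cluster_name;
    # that variable is currently unused by this module.
    /*placement {
      labels {
        key   = "rafay.dev/clusterName"
        value = var.cluster_name
      }
    }*/
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/namespace/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/namespace/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the namespaces are created in."
}

variable "namespaces" {
  type        = list(string)
  description = "Namespace names to create."
}

variable "cluster_name" {
  type        = string
  description = "Cluster for namespace placement; only used if the placement block in main.tf is re-enabled."
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-constraint-template/main.tf:
--------------------------------------------------------------------------------
# Loads one constraint template per name from the OPA git repository. Template YAML is
# expected at turnkey-opa/opaconstrainttemplates/artifacts/<name>/<name minus "-custom">.yaml.
resource "rafay_opa_constraint_template" "opa-constraint-template" {
  for_each = toset(var.constraint_templates)
  metadata {
    name    = each.key
    project = var.project
  }
  spec {
    artifact {
      artifact {
        repository = var.opa-repo
        revision   = var.opa-branch
        paths {
          name = "turnkey-opa/opaconstrainttemplates/artifacts/${each.key}/${trimsuffix(each.key, "-custom")}.yaml"
        }
      }
      options {
        # Overwrites an existing template of the same name.
        force = true
      }
      type = "Yaml"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-constraint-template/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}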
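--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-constraint-template/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the constraint templates are created in."
}

variable "constraint_templates" {
  type        = list(string)
  description = "Constraint template names; each maps to a YAML file in the OPA repository."
}

variable "opa-repo" {
  type        = string
  description = "Repository holding the OPA artifacts."
}

variable "opa-branch" {
  type        = string
  description = "Branch or revision of the OPA repository to read from; pin to a tag or commit for reproducible policy."
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-constraint/main.tf:
--------------------------------------------------------------------------------
# One published constraint per template name, loaded from
# turnkey-opa/opaconstraints/artifacts/<name>/<name minus "-custom">.yaml.
resource "rafay_opa_constraint" "opa-constraint" {
  for_each = toset(var.constraint_templates)
  metadata {
    name    = each.key
    project = var.project
    labels = {
      "rafay.dev/opa" = "constraint"
    }
  }
  spec {
    artifact {
      type = "Yaml"
      artifact {
        repository = var.opa-repo
        revision   = var.opa-branch
        paths {
          name = "turnkey-opa/opaconstraints/artifacts/${each.key}/${trimsuffix(each.key, "-custom")}.yaml"
        }
      }
    }
    # Constraint name and template name are the same string by construction.
    template_name = each.key
    version       = "v1"
    published     = true
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-constraint/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-constraint/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the constraints are created in."
}

variable "constraint_templates" {
  type        = list(string)
  description = "Template names to instantiate as constraints."
}

variable "opa-repo" {
  type        = string
  description = "Repository holding the OPA artifacts."
}

variable "opa-branch" {
  type        = string
  description = "Branch or revision of the OPA repository to read from."
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-installation-profile/main.tf:
--------------------------------------------------------------------------------
# Gatekeeper installation settings for the project; the profile name is referenced by
# the blueprints module.
resource "rafay_opa_installation_profile" "opa-installation-profile" {
  metadata {
    name    = "default-opa-profile"
    project = var.project
  }
  spec {
    version = "v1"
    installation_params {
      audit_interval              = 60
      audit_match_kind_only       = true
      constraint_violations_limit = 20
      audit_chunk_size            = 20
      # Both left on: denied admissions are logged and audit violations are emitted as
      # events, which is what a detection pipeline needs to see policy hits.
      log_denies        = true
      emit_audit_events = true
    }
    # Namespaces listed here are exempt from policy enforcement; keep the list short and
    # reviewed, since anything excluded is unconstrained.
    dynamic "excluded_namespaces" {
      for_each = toset(var.opa_excluded_namespaces)
      content {
        namespaces {
          name = excluded_namespaces.value
        }
      }
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-installation-profile/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-installation-profile/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the installation profile is created in."
}

variable "opa_excluded_namespaces" {
  type        = list(string)
  description = "Namespaces exempt from OPA enforcement."
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-policy/main.tf:
--------------------------------------------------------------------------------
# Policy bundling every constraint in var.constraint_templates; the policy name is
# referenced by the blueprints module.
resource "rafay_opa_policy" "opa-policy" {
  metadata {
    name    = "default-opa-policy"
    project = var.project
  }
  spec {
    dynamic "constraint_list" {
      for_each = var.constraint_templates
      content {
        name    = constraint_list.value
        version = "v1"
      }
    }
    sharing {
      enabled = false
    }
    version = "v1"
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-policy/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/opa-policy/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the policy is created in."
}

variable "constraint_templates" {
  type        = list(string)
  description = "Constraint names included in the policy (must match the opa-constraint module)."
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/project/main.tf:
--------------------------------------------------------------------------------
resource "rafay_project" "project" {
  metadata {
    name = var.project
  }
  spec {
    default = false
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/project/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/project/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Name of the project to create."
}
--------------------------------------------------------------------------------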
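/terraform/caas_terraform/eks/modules/repositories/main.tf:
--------------------------------------------------------------------------------
# Public (unauthenticated) repositories, one per map entry.
resource "rafay_repositories" "public_repositories" {

  for_each = var.public_repositories
  metadata {
    name    = each.key
    project = var.project
  }

  spec {
    endpoint = each.value.endpoint
    type     = each.value.type
  }
}
--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/repositories/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}

--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/modules/repositories/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the repositories are created in."
}

variable "public_repositories" {
  description = "Repositories keyed by name: endpoint URL and repository type."
  type = map(object({
    endpoint = string
    type     = string
  }))
}

--------------------------------------------------------------------------------
/terraform/caas_terraform/eks/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}

provider "rafay" {
  # Path to the rctl/provider credentials file; it holds API credentials and must stay
  # out of version control.
  provider_config_file = var.rafay_config_file
}

--------------------------------------------------------------------------------
/terraform/eks/main.tf:
--------------------------------------------------------------------------------
# Root composition: project -> cloud credential -> EKS cluster, in that order.
module "project" {
  source  = "./modules/project"
  project = var.project
}

module "cloud-credentials" {
  source                 = "./modules/cloud-credentials"
  cloud_credentials_name = var.cloud_credentials_name
  project                = var.project
  rolearn                = var.rolearn
  externalid             = var.externalid
  depends_on             = [module.project]
}

# Quoted label: the unquoted `module eks_cluster` form is legacy syntax.
module "eks_cluster" {
  source                 = "./modules/eks"
  cluster_name           = var.cluster_name
  project                = var.project
  blueprint_name         = var.blueprint_name
  blueprint_version      = var.blueprint_version
  cloud_credentials_name = var.cloud_credentials_name
  k8s_version            = var.k8s_version
  cluster_location       = var.cluster_location
  managed_nodegroups     = var.managed_nodegroups
  depends_on             = [module.cloud-credentials]
}
--------------------------------------------------------------------------------
/terraform/eks/modules/cloud-credentials/main.tf:
--------------------------------------------------------------------------------
# Role-assumption based credential (no static AWS keys stored).
resource "rafay_cloud_credential" "eks-credentials" {
  name         = var.cloud_credentials_name
  project      = var.project
  type         = "cluster-provisioning"
  providertype = "AWS"
  awscredtype  = "rolearn"
  rolearn      = var.rolearn
  externalid   = var.externalid
}
--------------------------------------------------------------------------------
/terraform/eks/modules/cloud-credentials/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/eks/modules/cloud-credentials/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type        = string
  description = "Rafay project the credential is created in."
}

variable "cloud_credentials_name" {
  type        = string
  description = "Name of the cloud credential resource."
}

variable "rolearn" {
  type        = string
  description = "ARN of the IAM role Rafay assumes to provision the cluster."
}

variable "externalid" {
  type        = string
  description = "External id presented when assuming the role."
}
--------------------------------------------------------------------------------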
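/terraform/eks/modules/eks/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/eks/modules/eks/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type = string
}

variable "cluster_name" {
  type = string
}

variable "blueprint_name" {
  type = string
}

variable "blueprint_version" {
  type = string
}

variable "cloud_credentials_name" {
  type = string
}

variable "cluster_location" {
  type        = string
  description = "AWS region for the cluster."
}

variable "k8s_version" {
  type = string
}

variable "managed_nodegroups" {
  description = "Managed node groups keyed by pool name. Counts are typed as strings; numeric tfvars values are converted."
  type = map(object({
    ng_name        = string
    node_count     = string
    node_max_count = string
    node_min_count = string
    instance_type  = string
    k8s_version    = string
    # terraform.tfvars sets `location` on each pool; object type constraints reject
    # undeclared attributes, so it is declared (optional) here and in the root type.
    location       = optional(string)
  }))
}
--------------------------------------------------------------------------------
/terraform/eks/modules/project/main.tf:
--------------------------------------------------------------------------------
resource "rafay_project" "project" {
  metadata {
    name = var.project
  }
  spec {
    default = false
  }
}
--------------------------------------------------------------------------------
/terraform/eks/modules/project/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/eks/modules/project/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type = string
}
--------------------------------------------------------------------------------
/terraform/eks/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    rafay = {
      source  = "RafaySystems/rafay"
      version = ">= 1.0.0"
    }
  }
}

provider "rafay" {
  # Credentials file for the provider; keep it out of version control.
  provider_config_file = var.rafay_config_file
}

--------------------------------------------------------------------------------
/terraform/eks/terraform.tfvars:
--------------------------------------------------------------------------------
#Project name variable
project = "terraform"

#Cloud Credentials specific variables
cloud_credentials_name = "cloud-credentials-name"
# Placeholders only. Supply the real role ARN and external id from an untracked
# *.auto.tfvars or TF_VAR_* environment variables rather than committing them here.
rolearn    = ""
externalid = ""

#Cluster specific variables
cluster_name     = "eks-cluster"
cluster_location = ""
k8s_version      = ""

#Blueprint/Addons specific variables
blueprint_name    = "minimal"
blueprint_version = "1.21.0"

#Nodepool specific variables
managed_nodegroups = {
  "pool1" = {
    ng_name        = "pool1"
    location       = ""
    node_count     = 1
    node_max_count = 3
    node_min_count = 1
    k8s_version    = ""
    instance_type  = "t3.xlarge"
  }
}

--------------------------------------------------------------------------------
/terraform/eks/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  type = string
}

variable "rafay_config_file" {
  type = string
  # Holds the Rafay API credentials; the artifacts directory must not be committed.
  default = "./artifacts/credentials/config.json"
}

variable "blueprint_name" {
  type = string
}

variable "blueprint_version" {
  type = string
}

variable "cluster_name" {
  type = string
}

variable "cloud_credentials_name" {
  type = string
}

variable "cluster_location" {
  type = string
}

variable "k8s_version" {
  type = string
}

variable "rolearn" {
  type        = string
  description = "ARN of the IAM role Rafay assumes to provision the cluster."
}

variable "externalid" {
  type        = string
  description = "External id presented when assuming the role."
}

variable "managed_nodegroups" {
  description = "Managed node groups keyed by pool name; passed through to modules/eks."
  type = map(object({
    ng_name        = string
    node_count     = string
    node_max_count = string
    node_min_count = string
    instance_type  = string
    k8s_version    = string
    # Set in terraform.tfvars; declared optional so the object type accepts it.
    location       = optional(string)
  }))
}
--------------------------------------------------------------------------------
/terraform/pas_terraform/eks/README.md:
--------------------------------------------------------------------------------
# Cluster as a Service (CaaS)

This is a reference design and implementation based on Rafay's Terraform Provider to provision a RBAC controlled, dedicated operating environment for an application team/business unit using a dedicated Amazon's EKS cluster. Once successfully provisioned, we will also perform a number of day-two operations (scale node group, add new node group, upgrades) on our cluster.

Detailed documentation with step-by-step instructions are available in our [docs](https://docs.rafay.co/refarch/caas/eks/terraform/overview/)
--------------------------------------------------------------------------------
/tools/k8sinsights/readme.md:
--------------------------------------------------------------------------------
# Usage

## Step 1
Clone this repository and update the permissions so that the script can be executed

```
chmod +x k8sinsights.sh
```

## Step 2
Download the kubeconfig file and add it to the KUBECONFIG environment variable. The kubeconfig file can contain details for multiple clusters in your fleet.

```
export KUBECONFIG=kubeconfig.file
```

## Step 3
Execute the "k8s-insights" script and provide the cluster name as input

```
bash k8s-insights.sh CLUSTER_NAME
```

---

# How it Works

## Step 1

Verifies if given user inputs are valid i.e. cluster name & kubeconfig to access the cluster for discovery

## Step 2

List all namespaces

## Step 3

List all CRDs

## Step 4

Creates a list of all namespace-scoped resources using kubectl api-resources --verbs=list --namespaced=true

## Step 5

Uses the resource list from Step 4 and performs kubectl get $resource -A and saves the output into txt file

## Step 6

Creates a list of all Cluster-Scoped resources using kubectl api-resources --verbs=list --namespaced=false

## Step 7

Uses the resource list from step 6 and performs kubectl get $resource and saves the output into txt file

--------------------------------------------------------------------------------
/tools/resize/examples/echo-alpha.yaml:
--------------------------------------------------------------------------------
# Example workload for the resize tool: a single http-echo pod behind a ClusterIP service.
apiVersion: v1
kind: Service
metadata:
  name: echo
spec:
  ports:
    - port: 80
      targetPort: 5678
  selector:
    app: echo
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
spec:
  selector:
    matchLabels:
      app: echo
  strategy:
    type: Recreate
  replicas: 1
  template:
    metadata:
      labels:
        app: echo
        version: "1.0"
    spec:
      containers:
        - name: echo
          # Untagged image resolves to whatever "latest" is at pull time; pin a tag or
          # digest for reproducible examples. No securityContext is set either.
          image: hashicorp/http-echo
          # Requests equal limits, so the pod is Guaranteed QoS and the resize tool has a
          # fixed baseline to change.
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"
            limits:
              memory: "64Mi"
              cpu: "250m"
          args:
            - "-text=Alpha"
          ports:
            - containerPort: 5678
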
-------------------------------------------------------------------------------- /tools/resize/examples/echo-beta.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: echo 5 | spec: 6 | ports: 7 | - port: 80 8 | targetPort: 5678 9 | selector: 10 | app: echo 11 | --- 12 | apiVersion: apps/v1 13 | kind: Deployment 14 | metadata: 15 | name: echo 16 | spec: 17 | selector: 18 | matchLabels: 19 | app: echo 20 | strategy: 21 | type: Recreate 22 | replicas: 1 23 | template: 24 | metadata: 25 | labels: 26 | app: echo 27 | version: "1.0" 28 | spec: 29 | containers: 30 | - name: echo 31 | image: hashicorp/http-echo 32 | resources: 33 | requests: 34 | memory: "64Mi" 35 | cpu: "250m" 36 | limits: 37 | memory: "64Mi" 38 | cpu: "250m" 39 | args: 40 | - "-text=Beta" 41 | ports: 42 | - containerPort: 5678 43 | -------------------------------------------------------------------------------- /tools/resize/examples/stress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: busybox 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: busybox 10 | template: 11 | metadata: 12 | labels: 13 | app: busybox 14 | spec: 15 | containers: 16 | - name: memory-demo-ctr 17 | image: polinux/stress 18 | resources: 19 | requests: 20 | cpu: "1000m" 21 | memory: "512Mi" 22 | limits: 23 | cpu: "2000m" 24 | memory: "1024Mi" 25 | command: ["stress"] 26 | args: ["--vm", "1", "--vm-bytes", "100M", "--vm-hang", "1"] -------------------------------------------------------------------------------- /tools/resize/images/architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/tools/resize/images/architecture.png 
-------------------------------------------------------------------------------- /tools/resize/images/cluster.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/tools/resize/images/cluster.png
-------------------------------------------------------------------------------- /tools/resize/images/dryrun.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/tools/resize/images/dryrun.png
-------------------------------------------------------------------------------- /tools/resize/images/kubeconfig.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/tools/resize/images/kubeconfig.png
-------------------------------------------------------------------------------- /tools/resize/images/resize-animated.gif: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/tools/resize/images/resize-animated.gif
-------------------------------------------------------------------------------- /tools/resize/images/resize.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/RafaySystems/getstarted/07eca0bbd36de67e157bc96d2e6a86a854f8f827/tools/resize/images/resize.png
-------------------------------------------------------------------------------- /tools/resize/requirements.txt: --------------------------------------------------------------------------------
# Python dependencies for the resize tool. Every entry is pinned to an exact
# version, which gives reproducible installs.
# NOTE(review): the pins are not hash-locked; adding --hash entries and
# installing with --require-hashes would also protect against a substituted
# package at install time. Pins like these also need a periodic refresh against
# the upstream advisories for each package.
cachetools==5.3.3
certifi==2024.2.2
charset-normalizer==3.3.2
google-auth==2.29.0
idna==3.7
kubernetes==29.0.0
oauthlib==3.2.2
prettytable==3.10.0
pyasn1==0.6.0
pyasn1_modules==0.4.0
python-dateutil==2.9.0.post0
PyYAML==6.0.1
requests==2.31.0
requests-oauthlib==2.0.0
rsa==4.9
six==1.16.0
urllib3==2.2.1
wcwidth==0.2.13
websocket-client==1.7.0
-------------------------------------------------------------------------------- /tritoneks/addon/gpu-addon.yaml: --------------------------------------------------------------------------------
# Addon version that installs the NVIDIA GPU Operator Helm chart (pinned to
# chart tag v23.3.1) from the "gpu" repository into gpu-operator-resources.
kind: AddonVersion
metadata:
  name: v1
  project: defaultproject
spec:
  addon: gpu-operator
  namespace: gpu-operator-resources
  template:
    type: Helm3
    valuesFile: gpu-values.yaml
    repository_ref: gpu
    repo_artifact_meta:
      helm:
        tag: v23.3.1   # chart version pin; bump deliberately, not via "latest"
        chartName: gpu-operator
-------------------------------------------------------------------------------- /tritoneks/addon/gpu-namespace.yaml: --------------------------------------------------------------------------------
# Managed namespace for the GPU operator, placed on the cluster labelled
# rafay.dev/clusterName=eks-gpu-triton.
kind: ManagedNamespace
apiVersion: config.rafay.dev/v2
metadata:
  name: gpu-operator-resources
  description: namespace for gpu-operator
  labels:
  annotations:
spec:
  type: RafayWizard
  # NOTE(review): resourceQuota is left empty, so nothing in this file bounds
  # what the namespace can consume.
  resourceQuota:
  placement:
    placementType: ClusterSpecific
    clusterLabels:
      - key: rafay.dev/clusterName
        value: eks-gpu-triton
-------------------------------------------------------------------------------- /tritoneks/addon/gpu-repository.yaml: --------------------------------------------------------------------------------
# Public NVIDIA Helm repository over HTTPS; no credential is stored because the
# endpoint needs none.
apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: gpu
spec:
  repositoryType: HelmRepository
  endpoint: https://helm.ngc.nvidia.com/nvidia
  credentialType: CredentialTypeNotSet
-------------------------------------------------------------------------------- /tritoneks/addon/gpu-values.yaml: --------------------------------------------------------------------------------
# Helm values for the GPU operator chart referenced from gpu-addon.yaml.
driver:
  enabled: true   # presumably lets the operator manage the node driver — confirm against the chart
dcgmExporter:
  repository: nvcr.io/nvidia/k8s
  image: dcgm-exporter
  version: 3.1.7-3.1.4-ubuntu20.04   # pinned exporter image version
operator:
  defaultRuntime: containerd
# NOTE(review): PodSecurityPolicy was removed from Kubernetes in 1.25, so on a
# current cluster this setting is at best inert; confirm the target version
# before relying on it (blueprint-v1.yaml's pspScope has the same dependency).
psp:
  enabled: true
-------------------------------------------------------------------------------- /tritoneks/blueprint/blueprint-v1.yaml: --------------------------------------------------------------------------------
# Blueprint version that layers the gpu-operator addon on the default system
# blueprint.
kind: BlueprintVersion
metadata:
  name: v1
  project: defaultproject
  description: Nvidia GPU Operator
spec:
  blueprint: gpu-blueprint
  baseSystemBlueprint: default
  baseSystemBlueprintVersion: ""
  addons:
    - name: gpu-operator
      version: v1
  # cluster-scoped or namespace-scoped
  pspScope: cluster-scoped
  rafayIngress: false
  rafayMonitoringAndAlerting: true
  kubevirt: false
  # BlockAndNotify or DetectAndNotify
  # BlockAndNotify is the stricter of the two documented options for
  # out-of-band changes to managed resources.
  driftAction: BlockAndNotify
-------------------------------------------------------------------------------- /tritoneks/blueprint/blueprint.yaml: --------------------------------------------------------------------------------
# Blueprint container object; versions live in blueprint-v1.yaml.
kind: Blueprint
metadata:
  # blueprint name
  name: gpu-blueprint
  #project name
  project: defaultproject
-------------------------------------------------------------------------------- /tritoneks/workload/metrics-repository.yaml: --------------------------------------------------------------------------------
# Public Git repository (prometheus-community charts) over HTTPS, no credential.
# NOTE(review): no revision is pinned in this file; pin a tag or commit where
# the workload references it if reproducible deploys matter.
apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: triton-metrics
spec:
  repositoryType: GitRepository
  endpoint: https://github.com/prometheus-community/helm-charts.git
  credentialType: CredentialTypeNotSet
-------------------------------------------------------------------------------- /tritoneks/workload/triton-namespace.yaml: --------------------------------------------------------------------------------
# Managed namespace for the Triton workload; same placement as the GPU
# operator namespace, and likewise no resourceQuota configured here.
kind: ManagedNamespace
apiVersion: config.rafay.dev/v2
metadata:
  name: triton
  labels:
  annotations:
spec:
  type: RafayWizard
  resourceQuota:
  placement:
    placementType: ClusterSpecific
    clusterLabels:
      - key: rafay.dev/clusterName
        value: eks-gpu-triton
-------------------------------------------------------------------------------- /tritoneks/workload/triton-repository.yaml: --------------------------------------------------------------------------------
# Public Git repository (Triton inference server) over HTTPS, no credential;
# same unpinned-revision caveat as metrics-repository.yaml.
apiVersion: config.rafay.dev/v2
kind: Repository
metadata:
  name: triton-server
spec:
  repositoryType: GitRepository
  endpoint: https://github.com/triton-inference-server/server.git
  credentialType: CredentialTypeNotSet
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/allow-privilege-escalation-container-constraint.yaml: --------------------------------------------------------------------------------
# Rafay OPAConstraint wrapper: registers the Gatekeeper constraint stored under
# artifacts/<templateName>/ with the platform and marks it published. The
# enforcement behaviour itself lives in the artifact file, not here.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: allow-privilege-escalation-container-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/allow-privilege-escalation-container-custom/allow-privilege-escalation-container.yaml
      options: {}
    type: Yaml
  published: true
  templateName: allow-privilege-escalation-container-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/allowed-repos-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the allowed-repos artifact (same shape as the wrapper above).
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: allowed-repos-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/allowed-repos-custom/allowed-repos.yaml
      options: {}
    type: Yaml
  published: true
  templateName: allowed-repos-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/allowed-users-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the allowed-users artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: allowed-users-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/allowed-users-custom/allowed-users.yaml
      options: {}
    type: Yaml
  published: true
  templateName: allowed-users-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/app-armor-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the app-armor artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: app-armor-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/app-armor-custom/app-armor.yaml
      options: {}
    type: Yaml
  published: true
  templateName: app-armor-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/allow-privilege-escalation-container-custom/allow-privilege-escalation-container.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: flags containers that allow privilege escalation.
# enforcementAction: warn means a violating Pod is still admitted and the
# violation comes back as an API warning; use deny to actually block it.
# No namespace scoping here, so it applies to Pods cluster-wide.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Allow-Privilege-Escalation-Container
metadata:
  name: allow-privilege-escalation-container
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/allowed-repos-custom/allowed-repos.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: Pod images must come from an allowed repository
# prefix. This one is enforced (deny) but only in the "default" namespace, so
# other namespaces are not covered by it.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
  parameters:
    # Prefix match on the image reference; a demo value — replace with your
    # own registry prefix(es) before use.
    repos:
      - "openpolicyagent/"
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/allowed-users-custom/allowed-users.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: UID/GID rules for Pods. Warn-only, cluster-wide.
# Root (UID 0) is refused by MustRunAsNonRoot; groups must fall in 1-65535.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Allowed-Users
metadata:
  name: pods-allowed-user-ranges
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    runAsUser:
      rule: MustRunAsNonRoot # MustRunAsNonRoot # RunAsAny
    runAsGroup:
      rule: RunAsAny # MayRunAs # RunAsAny
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 1
          max: 65535
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 1
          max: 65535
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/app-armor-custom/app-armor.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: only the runtime/default AppArmor profile is allowed.
# Warn-only, cluster-wide.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: App-Armor
metadata:
  name: app-armor
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedProfiles:
      - runtime/default
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/block-nodeport-services-custom/block-nodeport-services.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: NodePort Services are rejected (deny), cluster-wide.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/container-limits-custom/container-limits.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: containers must declare resource limits within the
# ceilings given in parameters (cpu/memory are the maximum allowed limits per
# the library template — confirm against the template in use). Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    cpu: "200m"
    memory: "1Gi"
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/container-resource-ratios-custom/container-resource-ratios.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: limit-to-request ratio ceilings (memory ratio 1, cpu
# ratio 10). Warn-only, cluster-wide.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    ratio: "1"
    cpuRatio: "10"
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/disallowed-tags-custom/disallowed-tags.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: images tagged "latest" are flagged (warn), in the
# "default" namespace only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
  parameters:
    tags: ["latest"]
    # NOTE(review): each exempt image is a standing bypass of this control;
    # keep the list minimal and review it with the same care as the policy.
    exemptImages: ["openpolicyagent/opa-exp:latest", "openpolicyagent/opa-exp2:latest"]
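-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/flexvolume-drivers-custom/flexvolume-drivers.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: only the listed FlexVolume drivers may be used.
# Warn-only, cluster-wide. Only meaningful if volume-types.yaml admits
# flexVolume at all (it is commented out there).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Flex-Volumes
metadata:
  name: flexvolume-drivers
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    # Demo driver names; an empty list ([]) would allow no FlexVolume driver.
    allowedFlexVolumes: #[]
      - driver: "example/lvm"
      - driver: "example/cifs"
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/forbidden-sysctls-custom/forbidden-sysctls.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: Pods may not set any kernel.* sysctl. Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Forbidden-Sysctls
metadata:
  name: forbidden-sysctls
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    forbiddenSysctls:
      # - "*" # * may be used to forbid all sysctls
      - kernel.*
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/host-filesystem-custom/host-filesystem.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: hostPath volumes are limited to the listed prefixes
# (read-only "/foo" here — a placeholder). Warn-only. Like the FlexVolume
# rule, it only matters once volume-types.yaml admits hostPath.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Host-Filesystem
metadata:
  name: host-filesystem
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/host-namespace-custom/host-namespace.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: flags Pods sharing host PID/IPC namespaces. Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Host-Namespace
metadata:
  name: host-namespace
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/host-network-ports-custom/host-network-ports.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: host networking policy. Warn-only.
# NOTE(review): per the library's parameter semantics, hostNetwork: true here
# PERMITS host networking (restricted to host ports 80-9000); set it to false
# if the intent is to forbid host networking altogether.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Host-Networking-Ports
metadata:
  name: host-network-ports
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/https-only-custom/https-only.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: Ingresses must be HTTPS-only. Enforced (deny) for
# both the legacy extensions and the networking.k8s.io API groups.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/image-digests-custom/image-digests.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: images must be referenced by digest. Enforced (deny),
# but only in the "default" namespace.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/linux-capabilities-custom/linux-capabilities.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: containers must drop every capability listed below.
# Warn-only, "default" namespace only. The policy checks list membership, so
# each capability is listed exactly once (the earlier list repeated SYS_ADMIN,
# SETPCAP, DAC_OVERRIDE and others; membership is unchanged).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Linux-Capabilities
metadata:
  name: linux-capabilities-drop-all
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
  parameters:
    requiredDropCapabilities: ["AUDIT_CONTROL","AUDIT_READ","AUDIT_WRITE","BLOCK_SUSPEND","BPF","SYS_ADMIN","CHECKPOINT_RESTORE","CHOWN","DAC_OVERRIDE","DAC_READ_SEARCH","FOWNER","FSETID","IPC_LOCK","IPC_OWNER","KILL","LEASE","LINUX_IMMUTABLE","MAC_ADMIN","MAC_OVERRIDE","MKNOD","NET_ADMIN","NET_BIND_SERVICE","NET_BROADCAST","NET_RAW","PERFMON","SETGID","SETFCAP","SETPCAP","SETUID","SYSLOG","SYS_BOOT","SYS_CHROOT","SYS_MODULE","SYS_NICE","SYS_PACCT","SYS_PTRACE","SYS_RAWIO","SYS_RESOURCE","SYS_TIME","SYS_TTY_CONFIG","WAKE_ALARM"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/privileged-container-custom/privileged-container.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: flags privileged containers. Warn-only; kube-system is
# excluded because system components commonly need privilege.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Privileged-Container
metadata:
  name: privileged-container
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/proc-mount-custom/proc-mount.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: only the Default /proc mount type is allowed
# (i.e. not Unmasked). Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Proc-Mount
metadata:
  name: proc-mount
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    procMount: Default
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/read-only-root-filesystem-custom/read-only-root-filesystem.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: containers should use a read-only root filesystem.
# Warn-only, cluster-wide.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Read-Only-Root-Filesystem
metadata:
  name: read-only-root-filesystem
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/replica-limits-custom/replica-limits.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: Deployments must have between 3 and 50 replicas.
# Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    ranges:
      - min_replicas: 3
        max_replicas: 50
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/required-annotations-custom/required-annotations.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: Services must carry owner and runbook annotations
# whose values match the regexes below. Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
  parameters:
    message: "All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations."
    annotations:
      - key: a8r.io/owner
        # Matches email address or github user
        allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      - key: a8r.io/runbook
        # Matches urls including or not http/https
        # (plain http is accepted by this pattern; tighten it if runbooks must be https)
        allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/required-labels-custom/required-labels.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: Namespaces must carry an "owner" label matching the
# regex below. Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    message: "All namespaces must have an `owner` label that points to your company username"
    labels:
      - key: owner
        # The dots are escaped so the suffix must be the literal ".agilebank.demo";
        # an unescaped "." would match any character and let unrelated values through.
        allowedRegex: '^[a-zA-Z]+\.agilebank\.demo$'
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/required-probes-custom/required-probes.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: containers must define readiness and liveness probes
# of one of the listed types. Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/se-linux-custom/se-linux.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: only the listed SELinux option set is allowed.
# Warn-only. The values are sample labels; replace them with the ones your
# nodes actually use.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SE-Linux
metadata:
  name: se-linux
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/seccomp-custom/seccomp.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: only the runtime/default and docker/default seccomp
# profiles are allowed. Warn-only.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Seccomp
metadata:
  name: seccomp
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedProfiles:
      - runtime/default
      - docker/default
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/artifacts/volume-types-custom/volume-types.yaml: --------------------------------------------------------------------------------
# Gatekeeper constraint: allow-list of volume types. Warn-only. hostPath and
# flexVolume stay commented out, which is what keeps the host-filesystem and
# flexvolume-drivers rules above from ever being reached.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Volume-Types
metadata:
  name: volume-types
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    volumes:
      # - "*" # * may be used to allow all volume types
      - configMap
      - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      #- hostPath #required for allowedHostPaths
      #- flexVolume #required for allowedFlexVolumes
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/block-nodeport-services-constraint.yaml: --------------------------------------------------------------------------------
# Rafay OPAConstraint wrapper: registers the Gatekeeper constraint stored under
# artifacts/<templateName>/ with the platform and marks it published.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: block-nodeport-services-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/block-nodeport-services-custom/block-nodeport-services.yaml
      options: {}
    type: Yaml
  published: true
  templateName: block-nodeport-services-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/container-limits-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the container-limits artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: container-limits-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/container-limits-custom/container-limits.yaml
      options: {}
    type: Yaml
  published: true
  templateName: container-limits-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/container-resource-ratios-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the container-resource-ratios artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: container-resource-ratios-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/container-resource-ratios-custom/container-resource-ratios.yaml
      options: {}
    type: Yaml
  published: true
  templateName: container-resource-ratios-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/disallowed-tags-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the disallowed-tags artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: disallowed-tags-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/disallowed-tags-custom/disallowed-tags.yaml
      options: {}
    type: Yaml
  published: true
  templateName: disallowed-tags-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/flex-volumes-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the flexvolume-drivers artifact.
# NOTE(review): unlike the other wrappers, the artifact directory
# (flexvolume-drivers-custom) is not named after templateName
# (flex-volumes-custom); confirm the path resolves as intended.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: flex-volumes-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/flexvolume-drivers-custom/flexvolume-drivers.yaml
      options: {}
    type: Yaml
  published: true
  templateName: flex-volumes-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/forbidden-sysctls-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the forbidden-sysctls artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: forbidden-sysctls-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/forbidden-sysctls-custom/forbidden-sysctls.yaml
      options: {}
    type: Yaml
  published: true
  templateName: forbidden-sysctls-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/host-filesystem-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the host-filesystem artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: host-filesystem-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/host-filesystem-custom/host-filesystem.yaml
      options: {}
    type: Yaml
  published: true
  templateName: host-filesystem-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/host-namespace-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the host-namespace artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: host-namespace-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/host-namespace-custom/host-namespace.yaml
      options: {}
    type: Yaml
  published: true
  templateName: host-namespace-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/host-network-ports-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the host-network-ports artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: host-network-ports-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/host-network-ports-custom/host-network-ports.yaml
      options: {}
    type: Yaml
  published: true
  templateName: host-network-ports-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/https-only-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the https-only artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: https-only-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/https-only-custom/https-only.yaml
      options: {}
    type: Yaml
  published: true
  templateName: https-only-custom
  version: v1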
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/image-digests-constraint.yaml: --------------------------------------------------------------------------------
# Rafay OPAConstraint wrapper: registers the Gatekeeper constraint stored under
# artifacts/<templateName>/ with the platform and marks it published. The
# enforcement behaviour lives in the artifact file, not here.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: image-digests-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/image-digests-custom/image-digests.yaml
      options: {}
    type: Yaml
  published: true
  templateName: image-digests-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/linux-capabilities-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the linux-capabilities artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: linux-capabilities-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/linux-capabilities-custom/linux-capabilities.yaml
      options: {}
    type: Yaml
  published: true
  templateName: linux-capabilities-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/privileged-container-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the privileged-container artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: privileged-container-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/privileged-container-custom/privileged-container.yaml
      options: {}
    type: Yaml
  published: true
  templateName: privileged-container-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/proc-mount-constraint.yaml: --------------------------------------------------------------------------------
# Rafay OPAConstraint wrapper: registers the Gatekeeper constraint stored under
# artifacts/<templateName>/ with the platform and marks it published.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: proc-mount-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/proc-mount-custom/proc-mount.yaml
      options: {}
    type: Yaml
  published: true
  templateName: proc-mount-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/read-only-root-filesystem-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the read-only-root-filesystem artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: read-only-root-filesystem-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/read-only-root-filesystem-custom/read-only-root-filesystem.yaml
      options: {}
    type: Yaml
  published: true
  templateName: read-only-root-filesystem-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/replica-limits-constraint.yaml: --------------------------------------------------------------------------------
# Wrapper for the replica-limits artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraint
metadata:
  labels:
    rafay.dev/opa: constraint
  name: replica-limits-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/replica-limits-custom/replica-limits.yaml
      options: {}
    type: Yaml
  published: true
  templateName: replica-limits-custom
  version: v1
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/required-annotations-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: required-annotations-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/required-annotations-custom/required-annotations.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: required-annotations-custom 17 | version: v1 -------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/required-labels-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: required-labels-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/required-labels-custom/required-labels.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: required-labels-custom 17 | version: v1 -------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/required-probes-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: required-probes-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/required-probes-custom/required-probes.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: required-probes-custom 17 | version: v1 
-------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/se-linux-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: se-linux-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/se-linux-custom/se-linux.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: se-linux-custom 17 | version: v1 -------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/seccomp-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: seccomp-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/seccomp-custom/seccomp.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: seccomp-custom 17 | version: v1 -------------------------------------------------------------------------------- /turnkey-opa/opaconstraints/volume-types-constraint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraint 3 | metadata: 4 | labels: 5 | rafay.dev/opa: constraint 6 | name: volume-types-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/volume-types-custom/volume-types.yaml 13 | options: {} 14 | type: Yaml 15 | published: true 16 | templateName: volume-types-custom 17 | version: v1 18 | -------------------------------------------------------------------------------- 
/turnkey-opa/opaconstrainttemplates/allow-privilege-escalation-container-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: allow-privilege-escalation-container-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/allow-privilege-escalation-container-custom/allow-privilege-escalation-container.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/allowed-repos-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: allowed-repos-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/allowed-repos-custom/allowed-repos.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/allowed-users-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: allowed-users-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/allowed-users-custom/allowed-users.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/app-armor-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | 
# Rafay wrapper: registers the Gatekeeper ConstraintTemplate stored at the
# file:// artifact path below under the name app-armor-custom (the artifact
# files appear under this directory's artifacts/ folder in this listing).
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: app-armor-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/app-armor-custom/app-armor.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/allowed-repos-custom/allowed-repos.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos
  annotations:
    description: >-
      Requires container images to begin with a string from the specified list.
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            repos:
              description: The list of prefixes a container image is allowed to have.
              type: array
              items:
                type: string
  # `startswith` is a plain prefix match: a `repos` entry that does not end in `/`
  # also admits longer registry or repository names that merely share the prefix.
  # Only spec.containers and spec.initContainers are inspected below; other
  # container lists on a Pod (e.g. ephemeralContainers) are not checked.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedrepos

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/app-armor-custom/app-armor.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: app-armor
  annotations:
    description: Controls the AppArmor profile used by containers.
spec:
  crd:
    spec:
      names:
        kind: App-Armor
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            allowedProfiles:
              type: array
              items:
                type: string
  # A container is compliant only if the Pod carries the annotation
  # container.apparmor.security.beta.kubernetes.io/<container-name> with a value
  # listed in allowedProfiles; a container with no such annotation is a violation.
  # NOTE(review): a profile set through the newer securityContext.appArmorProfile
  # field is not read here -- confirm whether that case is in scope.
  # Only spec.containers and spec.initContainers are inspected.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package apparmor

        violation[{"msg": msg, "details": {}}] {
          metadata := input.review.object.metadata
          container := input_containers[_]
          not input_apparmor_allowed(container, metadata)
          msg := sprintf("AppArmor profile is not allowed, pod: %v, container: %v. Allowed profiles: %v", [input.review.object.metadata.name, container.name, input.parameters.allowedProfiles])
        }

        input_apparmor_allowed(container, metadata) {
          metadata.annotations[key] == input.parameters.allowedProfiles[_]
          key == sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])
        }

        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/block-nodeport-services-custom/block-nodeport-services.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sblocknodeport
  annotations:
    description: >-
      Disallows all Services with type NodePort.

      https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
spec:
  crd:
    spec:
      names:
        kind: K8sBlockNodePort
  # Fires only for objects whose review kind is Service and whose spec.type is
  # exactly "NodePort"; every other Service type passes.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sblocknodeport

        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.object.spec.type == "NodePort"
          msg := "User is not allowed to create service of type NodePort"
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/flex-volumes-custom/flex-volumes.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: flex-volumes
  annotations:
    description: Controls the allowlist of Flexvolume drivers.
spec:
  crd:
    spec:
      names:
        kind: Flex-Volumes
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            allowedFlexVolumes:
              type: array
              items:
                type: object
                properties:
                  driver:
                    type: string
  # Every spec.volumes entry that has a `flexVolume` key must name a driver found
  # in allowedFlexVolumes; an empty allow-list therefore rejects all FlexVolumes.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package flexvolumes

        violation[{"msg": msg, "details": {}}] {
          volume := input_flexvolumes[_]
          not input_flexvolumes_allowed(volume)
          msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes])
        }

        input_flexvolumes_allowed(volume) {
          input.parameters.allowedFlexVolumes[_].driver == volume.flexVolume.driver
        }

        input_flexvolumes[v] {
          v := input.review.object.spec.volumes[_]
          has_field(v, "flexVolume")
        }

        # has_field returns whether an object has a field
        has_field(object, field) = true {
          object[field]
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/forbidden-sysctls-custom/forbidden-sysctls.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: forbidden-sysctls
  annotations:
    description: Controls the `sysctl` profile used by containers.
spec:
  crd:
    spec:
      names:
        kind: Forbidden-Sysctls
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            forbiddenSysctls:
              type: array
              items:
                type: string
  # Three ways to match: "*" forbids everything, an exact name, or a prefix (an
  # entry with its "*" trimmed). The prefix rule also applies to entries without
  # a trailing "*", so an entry of "net.ipv4" would also forbid
  # "net.ipv4.ip_forward". Pods without spec.securityContext.sysctls produce no
  # violation.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package forbiddensysctls

        violation[{"msg": msg, "details": {}}] {
          sysctl := input.review.object.spec.securityContext.sysctls[_].name
          forbidden_sysctl(sysctl)
          msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
        }

        # * may be used to forbid all sysctls
        forbidden_sysctl(sysctl) {
          input.parameters.forbiddenSysctls[_] == "*"
        }

        forbidden_sysctl(sysctl) {
          input.parameters.forbiddenSysctls[_] == sysctl
        }

        forbidden_sysctl(sysctl) {
          startswith(sysctl, trim(input.parameters.forbiddenSysctls[_], "*"))
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/host-namespace-custom/host-namespace.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: host-namespace
  annotations:
    description: Controls usage of host namespaces.
spec:
  crd:
    spec:
      names:
        kind: Host-Namespace
  # Checks spec.hostPID and spec.hostIPC only. spec.hostNetwork is not examined
  # here; the separate host-network-ports template in this directory is
  # presumably where that is handled -- verify.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package hostnamespace

        violation[{"msg": msg, "details": {}}] {
          input_share_hostnamespace(input.review.object)
          msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
        }

        input_share_hostnamespace(o) {
          o.spec.hostPID
        }
        input_share_hostnamespace(o) {
          o.spec.hostIPC
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/https-only-custom/https-only.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8shttpsonly
  annotations:
    description: >-
      Requires Ingress resources to be HTTPS only.

      Ingress resources must:
      - include a valid TLS configuration
      - include the `kubernetes.io/ingress.allow-http` annotation, set to
        `false`.

      https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
spec:
  crd:
    spec:
      names:
        kind: K8sHttpsOnly
  # Compliance requires both a non-empty spec.tls list AND the annotation
  # kubernetes.io/ingress.allow-http set to the string "false". The apiVersion
  # regex covers the legacy extensions/ group as well as networking.k8s.io/
  # (its dots are unescaped, so they match any character).
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8shttpsonly

        violation[{"msg": msg}] {
          input.review.object.kind == "Ingress"
          re_match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion)
          ingress := input.review.object
          not https_complete(ingress)
          msg := sprintf("Ingress should be https. tls configuration and allow-http=false annotation are required for %v", [ingress.metadata.name])
        }

        https_complete(ingress) = true {
          ingress.spec["tls"]
          count(ingress.spec.tls) > 0
          ingress.metadata.annotations["kubernetes.io/ingress.allow-http"] == "false"
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/privileged-container-custom/privileged-container.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: privileged-container
  annotations:
    description: Controls running of privileged containers.
spec:
  crd:
    spec:
      names:
        kind: Privileged-Container
  # Flags any container whose securityContext.privileged is truthy; containers
  # with no securityContext are treated as unprivileged. Only spec.containers and
  # spec.initContainers are inspected (ephemeralContainers are not).
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package privileged

        violation[{"msg": msg, "details": {}}] {
          c := input_containers[_]
          c.securityContext.privileged
          msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
        }

        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }

        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/read-only-root-filesystem-custom/read-only-root-filesystem.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: read-only-root-filesystem
  annotations:
    description: Requires the use of a read only root file system.
spec:
  crd:
    spec:
      names:
        kind: Read-Only-Root-Filesystem
  # Stricter than a simple boolean check: a container with no securityContext at
  # all, or one where readOnlyRootFilesystem is absent or not exactly true, is a
  # violation. Only spec.containers and spec.initContainers are inspected.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package readonlyrootfilesystem

        violation[{"msg": msg, "details": {}}] {
          c := input_containers[_]
          input_read_only_root_fs(c)
          msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name])
        }

        input_read_only_root_fs(c) {
          not has_field(c, "securityContext")
        }
        input_read_only_root_fs(c) {
          not c.securityContext.readOnlyRootFilesystem == true
        }

        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # has_field returns whether an object has a field
        has_field(object, field) = true {
          object[field]
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/artifacts/volume-types-custom/volume-types.yaml:
--------------------------------------------------------------------------------
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: volume-types
  annotations:
    description: Controls usage of volume types.
spec:
  crd:
    spec:
      names:
        kind: Volume-Types
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            volumes:
              type: array
              items:
                type: string
  # A volume's type is taken to be every key other than `name` on the volume
  # entry, so every type present on the Pod must appear in `volumes`; "*" allows
  # everything and an empty list denies every volume.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package volumetypes

        violation[{"msg": msg, "details": {}}] {
          volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
          field := volume_fields[_]
          not input_volume_type_allowed(field)
          msg := sprintf("The volume type %v is not allowed, pod: %v. Allowed volume types: %v", [field, input.review.object.metadata.name, input.parameters.volumes])
        }

        # * may be used to allow all volume types
        input_volume_type_allowed(field) {
          input.parameters.volumes[_] == "*"
        }

        input_volume_type_allowed(field) {
          field == input.parameters.volumes[_]
        }
--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/block-nodeport-services-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: block-nodeport-services-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/block-nodeport-services-custom/block-nodeport-services.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/container-limits-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: container-limits-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/container-limits-custom/container-limits.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/container-resource-ratios-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: container-resource-ratios-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/container-resource-ratios-custom/container-resource-ratios.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/disallowed-tags-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: disallowed-tags-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/disallowed-tags-custom/disallowed-tags.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/flex-volumes-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: flex-volumes-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/flex-volumes-custom/flex-volumes.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/forbidden-sysctls-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: forbidden-sysctls-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
      - name: file://artifacts/forbidden-sysctls-custom/forbidden-sysctls.yaml
      options: {}
    type: Yaml

-------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/host-filesystem-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: host-filesystem-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/host-filesystem-custom/host-filesystem.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/host-namespace-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: host-namespace-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/host-namespace-custom/host-namespace.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/host-network-ports-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: host-network-ports-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/host-network-ports-custom/host-network-ports.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/https-only-constraint-template.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: https-only-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/https-only-custom/https-only.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/image-digests-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: image-digests-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/image-digests-custom/image-digests.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/linux-capabilities-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: linux-capabilities-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/linux-capabilities-custom/linux-capabilities.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/privileged-container-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: privileged-container-custom 
7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/privileged-container-custom/privileged-container.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/proc-mount-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: proc-mount-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/proc-mount-custom/proc-mount.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/read-only-root-filesystem-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: read-only-root-filesystem-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/read-only-root-filesystem-custom/read-only-root-filesystem.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | -------------------------------------------------------------------------------- /turnkey-opa/opaconstrainttemplates/replica-limits-constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opa.k8smgmt.io/v3 2 | kind: OPAConstraintTemplate 3 | metadata: 4 | labels: 5 | rafay.dev/opa: template 6 | name: replica-limits-custom 7 | project: defaultproject 8 | spec: 9 | artifact: 10 | artifact: 11 | paths: 12 | - name: file://artifacts/replica-limits-custom/replica-limits.yaml 13 | options: {} 14 | type: Yaml 15 | 16 | 
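--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/required-annotations-constraint-template.yaml:
--------------------------------------------------------------------------------
# Rafay OPA constraint template wrapper. The Rego/ConstraintTemplate body lives in the
# referenced artifact (not shown here); this object only registers it in the project.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: required-annotations-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        # Path is relative to the repository root that the controller is given.
        - name: file://artifacts/required-annotations-custom/required-annotations.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/required-labels-constraint-template.yaml:
--------------------------------------------------------------------------------
# Same shape as the other *-constraint-template.yaml files: register the artifact
# under a project-scoped template name that the OPAPolicy objects reference.
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: required-labels-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/required-labels-custom/required-labels.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/required-probes-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: required-probes-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/required-probes-custom/required-probes.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/se-linux-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: se-linux-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/se-linux-custom/se-linux.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/seccomp-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: seccomp-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/seccomp-custom/seccomp.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opaconstrainttemplates/volume-types-constraint-template.yaml:
--------------------------------------------------------------------------------
apiVersion: opa.k8smgmt.io/v3
kind: OPAConstraintTemplate
metadata:
  labels:
    rafay.dev/opa: template
  name: volume-types-custom
  project: defaultproject
spec:
  artifact:
    artifact:
      paths:
        - name: file://artifacts/volume-types-custom/volume-types.yaml
      options: {}
    type: Yaml

--------------------------------------------------------------------------------
/turnkey-opa/opapolicies/bp-operational-efficiency.yaml:
--------------------------------------------------------------------------------
# Policy = ordered bundle of constraints (each pinned to a constraint version).
# Resource limits and request/limit ratios: operational hygiene, not a security boundary.
apiVersion: opa.k8smgmt.io/v3
kind: OPAPolicy
metadata:
  name: bp-operational-efficiency
  project: defaultproject
spec:
  constraintList:
    - name: container-limits-custom
      version: v1
    - name: container-resource-ratios-custom
      version: v1
  sharing:
    enabled: true
    # NOTE(review): the only shared project is the owning project itself, so this
    # sharing block is a no-op until other projects are listed — confirm intent.
    projects:
      - name: defaultproject
  version: v1

--------------------------------------------------------------------------------
/turnkey-opa/opapolicies/bp-psp-restricted.yaml:
--------------------------------------------------------------------------------
# Pod-security baseline modelled on the retired PodSecurityPolicy "restricted" profile
# (PSP was removed in Kubernetes 1.25; these Gatekeeper constraints are its replacement).
# NOTE(review): the PSP restricted profile also constrained fsGroup; no fsgroup
# constraint appears in this list — add one if a matching template exists in this repo.
apiVersion: opa.k8smgmt.io/v3
kind: OPAPolicy
metadata:
  name: bp-psp-restricted
  project: defaultproject
spec:
  constraintList:
    - name: allow-privilege-escalation-container-custom
      version: v1
    - name: allowed-users-custom
      version: v1
    - name: app-armor-custom
      version: v1
    - name: flex-volumes-custom
      version: v1
    - name: forbidden-sysctls-custom
      version: v1
    - name: host-filesystem-custom
      version: v1
    - name: host-namespace-custom
      version: v1
    - name: host-network-ports-custom
      version: v1
    - name: linux-capabilities-custom
      version: v1
    - name: privileged-container-custom
      version: v1
    - name: proc-mount-custom
      version: v1
    - name: read-only-root-filesystem-custom
      version: v1
    - name: se-linux-custom
      version: v1
    - name: seccomp-custom
      version: v1
    - name: volume-types-custom
      version: v1
  sharing:
    enabled: true
    projects:
      - name: defaultproject
  version: v1

--------------------------------------------------------------------------------
/turnkey-opa/opapolicies/bp-reliability.yaml:
--------------------------------------------------------------------------------
# Reliability guardrails: pinned image tags, replica bounds, required metadata and probes.
apiVersion: opa.k8smgmt.io/v3
kind: OPAPolicy
metadata:
  name: bp-reliability
  project: defaultproject
spec:
  constraintList:
    - name: disallowed-tags-custom
      version: v1
    - name: replica-limits-custom
      version: v1
    - name: required-annotations-custom
      version: v1
    - name: required-labels-custom
      version: v1
    - name: required-probes-custom
      version: v1
  sharing:
    enabled: true
    projects:
      - name: defaultproject
  version: v1

--------------------------------------------------------------------------------
/turnkey-opa/opapolicies/bp-security.yaml:
--------------------------------------------------------------------------------
# Supply-chain and exposure controls: trusted registries only, no NodePort exposure,
# HTTPS-only Ingress, and images referenced by digest rather than mutable tag.
# NOTE(review): if https-only-custom follows the upstream Gatekeeper library template, any
# Ingress in a governed namespace must carry spec.tls and the annotation
# kubernetes.io/ingress.allow-http: "false" — the webserver chart below only emits those
# when ingress.tls / ingress.annotations are supplied in values. Confirm against the artifact.
apiVersion: opa.k8smgmt.io/v3
kind: OPAPolicy
metadata:
  name: bp-security
  project: defaultproject
spec:
  constraintList:
    - name: allowed-repos-custom
      version: v1
    - name: block-nodeport-services-custom
      version: v1
    - name: https-only-custom
      version: v1
    - name: image-digests-custom
      version: v1
  sharing:
    enabled: true
    projects:
      - name: defaultproject
  version: v1

--------------------------------------------------------------------------------
/workload/Helm/webserver/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

--------------------------------------------------------------------------------
/workload/Helm/webserver/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for webserver with nginx in frontend and python webapp backend
name: webserver
type: application
version: 1.0.0

--------------------------------------------------------------------------------
/workload/Helm/webserver/templates/NOTES.txt:
--------------------------------------------------------------------------------
{{- /* Post-install hint; the branch taken depends on ingress.enabled and service.type. */ -}}
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
  {{- range .paths }}
  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
  {{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "webserver.fullname" . }})
  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch the status of it by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "webserver.fullname" . }}'
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "webserver.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "webserver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}

--------------------------------------------------------------------------------
/workload/Helm/webserver/templates/cm.yaml:
--------------------------------------------------------------------------------
# nginx front-end configuration. nginx listens on plain HTTP :80 and reverse-proxies to the
# python backend on 127.0.0.1:5000 in the same pod; TLS is expected to terminate at the
# Ingress (see bp-security / https-only above), not here.
# NOTE(review): "user nginx;" means the master process starts as root to bind :80 and then
# drops privileges. Under bp-psp-restricted (allowed-users, read-only-root-filesystem) the
# pod spec will need a non-root image listening above 1024 and writable mounts for
# /var/log/nginx and /var/run — verify against deployment.yaml.
apiVersion: v1
data:
  nginx.conf: |
    user nginx;
    worker_processes 1;

    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    events {
      worker_connections 1024;
    }

    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

      access_log /var/log/nginx/access.log main;

      sendfile on;
      keepalive_timeout 65;
      # Do not advertise the nginx version in Server headers and error pages.
      server_tokens off;

      upstream webapp {
        server 127.0.0.1:5000;
      }

      server {
        listen 80;

        location / {
          proxy_pass http://webapp;
          proxy_redirect off;
          # Preserve the client's Host and address for the backend; the access log above
          # already expects X-Forwarded-For to be populated.
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
        }
      }
    }
kind: ConfigMap
metadata:
  name: {{ include "webserver.fullname" . }}
  # Same label set as service.yaml / ingress.yaml so the ConfigMap is selectable with the release.
  labels:
    {{- include "webserver.labels" . | nindent 4 }}

--------------------------------------------------------------------------------
/workload/Helm/webserver/templates/ingress.yaml:
--------------------------------------------------------------------------------
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "webserver.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- /*
networking.k8s.io/v1beta1 and extensions/v1beta1 were removed in Kubernetes 1.22, so the
old ">=1.14 -> v1beta1" selection fails to apply on current clusters (the fleet-plan
directory in this repo targets 1.23/1.24). Clusters at 1.19+ get the GA API, which also
requires pathType and the service-style backend; older clusters keep the legacy forms.
*/ -}}
{{- $useV1 := semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
{{- if $useV1 -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    {{- include "webserver.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ . }}
            {{- if $useV1 }}
            {{- /* ImplementationSpecific matches how v1beta1 paths were interpreted. */}}
            pathType: {{ $.Values.ingress.pathType | default "ImplementationSpecific" }}
            backend:
              service:
                name: {{ $fullName }}
                port:
                  number: {{ $svcPort }}
            {{- else }}
            backend:
              serviceName: {{ $fullName }}
              servicePort: {{ $svcPort }}
            {{- end }}
          {{- end }}
    {{- end }}
{{- end }}

--------------------------------------------------------------------------------
/workload/Helm/webserver/templates/service.yaml:
--------------------------------------------------------------------------------
# Service fronting the nginx container. service.type is caller-controlled; note that
# bp-security above includes block-nodeport-services-custom, so a NodePort value will be
# rejected by admission in governed namespaces.
apiVersion: v1
kind: Service
metadata:
  name: {{ include "webserver.fullname" . }}
  labels:
    {{- include "webserver.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: {{ .Values.service.targetPort }}
      protocol: TCP
      name: http
  selector:
    {{- include "webserver.selectorLabels" . | nindent 4 }}
--------------------------------------------------------------------------------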