├── .circleci └── config.yml ├── .gitignore ├── LICENSE ├── README.md ├── blueprint ├── demo.yard └── stack │ ├── exec.hcl │ ├── helm.hcl │ ├── helm │ ├── consul-helm-0.16.2 │ │ ├── .circleci │ │ │ └── config.yml │ │ ├── .gitignore │ │ ├── .helmignore │ │ ├── CHANGELOG.md │ │ ├── CONTRIBUTING.md │ │ ├── Chart.yaml │ │ ├── LICENSE.md │ │ ├── Makefile │ │ ├── README.md │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── client-clusterrole.yaml │ │ │ ├── client-clusterrolebinding.yaml │ │ │ ├── client-config-configmap.yaml │ │ │ ├── client-daemonset.yaml │ │ │ ├── client-podsecuritypolicy.yaml │ │ │ ├── client-serviceaccount.yaml │ │ │ ├── client-snapshot-agent-clusterrole.yaml │ │ │ ├── client-snapshot-agent-clusterrolebinding.yaml │ │ │ ├── client-snapshot-agent-deployment.yaml │ │ │ ├── client-snapshot-agent-podsecuritypolicy.yaml │ │ │ ├── client-snapshot-agent-serviceaccount.yaml │ │ │ ├── connect-inject-authmethod-clusterrole.yaml │ │ │ ├── connect-inject-authmethod-clusterrolebinding.yaml │ │ │ ├── connect-inject-authmethod-serviceaccount.yaml │ │ │ ├── connect-inject-clusterrole.yaml │ │ │ ├── connect-inject-clusterrolebinding.yaml │ │ │ ├── connect-inject-deployment.yaml │ │ │ ├── connect-inject-mutatingwebhook.yaml │ │ │ ├── connect-inject-podsecuritypolicy.yaml │ │ │ ├── connect-inject-service.yaml │ │ │ ├── connect-inject-serviceaccount.yaml │ │ │ ├── dns-service.yaml │ │ │ ├── enterprise-license-clusterrole.yaml │ │ │ ├── enterprise-license-clusterrolebinding.yaml │ │ │ ├── enterprise-license-job.yaml │ │ │ ├── enterprise-license-podsecuritypolicy.yaml │ │ │ ├── enterprise-license-serviceaccount.yaml │ │ │ ├── mesh-gateway-clusterrole.yaml │ │ │ ├── mesh-gateway-clusterrolebinding.yaml │ │ │ ├── mesh-gateway-deployment.yaml │ │ │ ├── mesh-gateway-podsecuritypolicy.yaml │ │ │ ├── mesh-gateway-service.yaml │ │ │ ├── mesh-gateway-serviceaccount.yaml │ │ │ ├── server-acl-init-cleanup-clusterrole.yaml │ │ │ ├── 
server-acl-init-cleanup-clusterrolebinding.yaml │ │ │ ├── server-acl-init-cleanup-job.yaml │ │ │ ├── server-acl-init-cleanup-podsecuritypolicy.yaml │ │ │ ├── server-acl-init-cleanup-serviceaccount.yaml │ │ │ ├── server-acl-init-clusterrole.yaml │ │ │ ├── server-acl-init-clusterrolebinding.yaml │ │ │ ├── server-acl-init-job.yaml │ │ │ ├── server-acl-init-podsecuritypolicy.yaml │ │ │ ├── server-acl-init-serviceaccount.yaml │ │ │ ├── server-clusterrole.yaml │ │ │ ├── server-clusterrolebinding.yaml │ │ │ ├── server-config-configmap.yaml │ │ │ ├── server-disruptionbudget.yaml │ │ │ ├── server-podsecuritypolicy.yaml │ │ │ ├── server-service.yaml │ │ │ ├── server-serviceaccount.yaml │ │ │ ├── server-statefulset.yaml │ │ │ ├── sync-catalog-clusterrole.yaml │ │ │ ├── sync-catalog-clusterrolebinding.yaml │ │ │ ├── sync-catalog-deployment.yaml │ │ │ ├── sync-catalog-podsecuritypolicy.yaml │ │ │ ├── sync-catalog-serviceaccount.yaml │ │ │ ├── tests │ │ │ │ └── test-runner.yaml │ │ │ ├── tls-init-cleanup-clusterrole.yaml │ │ │ ├── tls-init-cleanup-clusterrolebinding.yaml │ │ │ ├── tls-init-cleanup-job.yaml │ │ │ ├── tls-init-cleanup-podsecuritypolicy.yaml │ │ │ ├── tls-init-cleanup-serviceaccount.yaml │ │ │ ├── tls-init-clusterrole.yaml │ │ │ ├── tls-init-clusterrolebinding.yaml │ │ │ ├── tls-init-job.yaml │ │ │ ├── tls-init-podsecuritypolicy.yaml │ │ │ ├── tls-init-serviceaccount.yaml │ │ │ └── ui-service.yaml │ │ ├── test │ │ │ ├── acceptance │ │ │ │ ├── _helpers.bash │ │ │ │ └── server.bats │ │ │ ├── docker │ │ │ │ └── Test.dockerfile │ │ │ ├── terraform │ │ │ │ ├── main.tf │ │ │ │ ├── outputs.tf │ │ │ │ ├── service-account.yaml │ │ │ │ └── variables.tf │ │ │ └── unit │ │ │ │ ├── _helpers.bash │ │ │ │ ├── client-clusterrole.bats │ │ │ │ ├── client-clusterrolebinding.bats │ │ │ │ ├── client-configmap.bats │ │ │ │ ├── client-daemonset.bats │ │ │ │ ├── client-podsecuritypolicy.bats │ │ │ │ ├── client-serviceaccount.bats │ │ │ │ ├── client-snapshot-agent-clusterrole.bats │ │ │ │ 
├── client-snapshot-agent-clusterrolebinding.bats │ │ │ │ ├── client-snapshot-agent-deployment.bats │ │ │ │ ├── client-snapshot-agent-podsecuritypolicy.bats │ │ │ │ ├── client-snapshot-agent-serviceaccount.bats │ │ │ │ ├── connect-inject-authmethod-clusterrole.bats │ │ │ │ ├── connect-inject-authmethod-clusterrolebinding.bats │ │ │ │ ├── connect-inject-authmethod-serviceaccount.bats │ │ │ │ ├── connect-inject-clusterrole.bats │ │ │ │ ├── connect-inject-clusterrolebinding.bats │ │ │ │ ├── connect-inject-deployment.bats │ │ │ │ ├── connect-inject-mutatingwebhook.bats │ │ │ │ ├── connect-inject-podsecuritypolicy.bats │ │ │ │ ├── connect-inject-service.bats │ │ │ │ ├── connect-inject-serviceaccount.bats │ │ │ │ ├── dns-service.bats │ │ │ │ ├── enterprise-license-clusterrole.bats │ │ │ │ ├── enterprise-license-clusterrolebinding.bats │ │ │ │ ├── enterprise-license-job.bats │ │ │ │ ├── enterprise-license-podsecuritypolicy.bats │ │ │ │ ├── enterprise-license-serviceaccount.bats │ │ │ │ ├── helpers.bats │ │ │ │ ├── mesh-gateway-clusterrole.bats │ │ │ │ ├── mesh-gateway-clusterrolebinding.bats │ │ │ │ ├── mesh-gateway-deployment.bats │ │ │ │ ├── mesh-gateway-podsecuritypolicy.bats │ │ │ │ ├── mesh-gateway-service.bats │ │ │ │ ├── mesh-gateway-serviceaccount.bats │ │ │ │ ├── server-acl-init-cleanup-clusterrole.bats │ │ │ │ ├── server-acl-init-cleanup-clusterrolebinding.bats │ │ │ │ ├── server-acl-init-cleanup-job.bats │ │ │ │ ├── server-acl-init-cleanup-podsecuritypolicy.bats │ │ │ │ ├── server-acl-init-cleanup-serviceaccount.bats │ │ │ │ ├── server-acl-init-clusterrole.bats │ │ │ │ ├── server-acl-init-clusterrolebinding.bats │ │ │ │ ├── server-acl-init-job.bats │ │ │ │ ├── server-acl-init-podsecuritypolicy.bats │ │ │ │ ├── server-acl-init-serviceaccount.bats │ │ │ │ ├── server-clusterrole.bats │ │ │ │ ├── server-clusterrolebinding.bats │ │ │ │ ├── server-configmap.bats │ │ │ │ ├── server-disruptionbudget.bats │ │ │ │ ├── server-podsecuritypolicy.bats │ │ │ │ ├── 
server-service.bats │ │ │ │ ├── server-serviceaccount.bats │ │ │ │ ├── server-statefulset.bats │ │ │ │ ├── sync-catalog-clusterrole.bats │ │ │ │ ├── sync-catalog-clusterrolebinding.bats │ │ │ │ ├── sync-catalog-deployment.bats │ │ │ │ ├── sync-catalog-podsecuritypolicy.bats │ │ │ │ ├── sync-catalog-serviceaccount.bats │ │ │ │ ├── test-runner.bats │ │ │ │ ├── tls-init-cleanup-clusterrole.bats │ │ │ │ ├── tls-init-cleanup-clusterrolebinding.bats │ │ │ │ ├── tls-init-cleanup-job.bats │ │ │ │ ├── tls-init-cleanup-podsecuritypolicy.bats │ │ │ │ ├── tls-init-cleanup-serviceaccount.bats │ │ │ │ ├── tls-init-clusterrole.bats │ │ │ │ ├── tls-init-clusterrolebinding.bats │ │ │ │ ├── tls-init-job.bats │ │ │ │ ├── tls-init-podsecuritypolicy.bats │ │ │ │ ├── tls-init-serviceaccount.bats │ │ │ │ └── ui-service.bats │ │ └── values.yaml │ ├── consul-values.yaml │ ├── grafana-values.yaml │ ├── grafana │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── OWNERS │ │ ├── README.md │ │ ├── ci │ │ │ ├── default-values.yaml │ │ │ ├── with-dashboard-json-values.yaml │ │ │ └── with-dashboard-values.yaml │ │ ├── dashboards │ │ │ └── custom-dashboard.json │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── _pod.tpl │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── configmap-dashboard-provider.yaml │ │ │ ├── configmap.yaml │ │ │ ├── dashboards-json-configmap.yaml │ │ │ ├── deployment.yaml │ │ │ ├── headless-service.yaml │ │ │ ├── ingress.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ ├── podsecuritypolicy.yaml │ │ │ ├── pvc.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── secret-env.yaml │ │ │ ├── secret.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── statefulset.yaml │ │ │ └── tests │ │ │ │ ├── test-configmap.yaml │ │ │ │ ├── test-podsecuritypolicy.yaml │ │ │ │ ├── test-role.yaml │ │ │ │ ├── test-rolebinding.yaml │ │ │ │ ├── test-serviceaccount.yaml │ │ │ │ └── test.yaml │ │ └── values.yaml │ ├── prometheus-values.yaml │ ├── 
prometheus │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── OWNERS │ │ ├── README.md │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── alertmanager-clusterrole.yaml │ │ │ ├── alertmanager-clusterrolebinding.yaml │ │ │ ├── alertmanager-configmap.yaml │ │ │ ├── alertmanager-deployment.yaml │ │ │ ├── alertmanager-ingress.yaml │ │ │ ├── alertmanager-networkpolicy.yaml │ │ │ ├── alertmanager-pdb.yaml │ │ │ ├── alertmanager-podsecuritypolicy.yaml │ │ │ ├── alertmanager-pvc.yaml │ │ │ ├── alertmanager-service-headless.yaml │ │ │ ├── alertmanager-service.yaml │ │ │ ├── alertmanager-serviceaccount.yaml │ │ │ ├── alertmanager-statefulset.yaml │ │ │ ├── kube-state-metrics-clusterrole.yaml │ │ │ ├── kube-state-metrics-clusterrolebinding.yaml │ │ │ ├── kube-state-metrics-deployment.yaml │ │ │ ├── kube-state-metrics-networkpolicy.yaml │ │ │ ├── kube-state-metrics-pdb.yaml │ │ │ ├── kube-state-metrics-podsecuritypolicy.yaml │ │ │ ├── kube-state-metrics-serviceaccount.yaml │ │ │ ├── kube-state-metrics-svc.yaml │ │ │ ├── node-exporter-daemonset.yaml │ │ │ ├── node-exporter-podsecuritypolicy.yaml │ │ │ ├── node-exporter-role.yaml │ │ │ ├── node-exporter-rolebinding.yaml │ │ │ ├── node-exporter-service.yaml │ │ │ ├── node-exporter-serviceaccount.yaml │ │ │ ├── pushgateway-clusterrole.yaml │ │ │ ├── pushgateway-clusterrolebinding.yaml │ │ │ ├── pushgateway-deployment.yaml │ │ │ ├── pushgateway-ingress.yaml │ │ │ ├── pushgateway-networkpolicy.yaml │ │ │ ├── pushgateway-pdb.yaml │ │ │ ├── pushgateway-podsecuritypolicy.yaml │ │ │ ├── pushgateway-pvc.yaml │ │ │ ├── pushgateway-service.yaml │ │ │ ├── pushgateway-serviceaccount.yaml │ │ │ ├── server-clusterrole.yaml │ │ │ ├── server-clusterrolebinding.yaml │ │ │ ├── server-configmap.yaml │ │ │ ├── server-deployment.yaml │ │ │ ├── server-ingress.yaml │ │ │ ├── server-networkpolicy.yaml │ │ │ ├── server-pdb.yaml │ │ │ ├── server-podsecuritypolicy.yaml │ │ │ ├── server-pvc.yaml │ │ │ ├── server-service-headless.yaml │ │ │ 
├── server-service.yaml │ │ │ ├── server-serviceaccount.yaml │ │ │ ├── server-statefulset.yaml │ │ │ └── server-vpa.yaml │ │ └── values.yaml │ ├── vault-helm-0.3.3 │ │ ├── .circleci │ │ │ └── config.yml │ │ ├── .gitignore │ │ ├── .helmignore │ │ ├── CHANGELOG.md │ │ ├── CONTRIBUTING.md │ │ ├── Chart.yaml │ │ ├── LICENSE.md │ │ ├── Makefile │ │ ├── README.md │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── injector-clusterrole.yaml │ │ │ ├── injector-clusterrolebinding.yaml │ │ │ ├── injector-deployment.yaml │ │ │ ├── injector-mutating-webhook.yaml │ │ │ ├── injector-service.yaml │ │ │ ├── injector-serviceaccount.yaml │ │ │ ├── server-clusterrolebinding.yaml │ │ │ ├── server-config-configmap.yaml │ │ │ ├── server-disruptionbudget.yaml │ │ │ ├── server-ingress.yaml │ │ │ ├── server-service.yaml │ │ │ ├── server-serviceaccount.yaml │ │ │ ├── server-statefulset.yaml │ │ │ └── ui-service.yaml │ │ ├── test │ │ │ ├── acceptance │ │ │ │ ├── _helpers.bash │ │ │ │ ├── injector-test │ │ │ │ │ ├── bootstrap.sh │ │ │ │ │ ├── job.yaml │ │ │ │ │ ├── pg-deployment.yaml │ │ │ │ │ └── pgdump-policy.hcl │ │ │ │ ├── injector.bats │ │ │ │ ├── server-dev.bats │ │ │ │ ├── server-ha.bats │ │ │ │ └── server.bats │ │ │ ├── docker │ │ │ │ └── Test.dockerfile │ │ │ ├── terraform │ │ │ │ ├── .gitignore │ │ │ │ ├── main.tf │ │ │ │ ├── outputs.tf │ │ │ │ ├── service-account.yaml │ │ │ │ └── variables.tf │ │ │ └── unit │ │ │ │ ├── _helpers.bash │ │ │ │ ├── injector-clusterrole.bats │ │ │ │ ├── injector-clusterrolebinding.bats │ │ │ │ ├── injector-deployment.bats │ │ │ │ ├── injector-mutating-webhook.bats │ │ │ │ ├── injector-service.bats │ │ │ │ ├── injector-serviceaccount.bats │ │ │ │ ├── server-clusterrolebinding.bats │ │ │ │ ├── server-configmap.bats │ │ │ │ ├── server-dev-statefulset.bats │ │ │ │ ├── server-ha-disruptionbudget.bats │ │ │ │ ├── server-ha-statefulset.bats │ │ │ │ ├── server-ingress.bats │ │ │ │ ├── server-service.bats │ │ │ │ ├── server-serviceaccount.bats 
│ │ │ │ ├── server-statefulset.bats │ │ │ │ └── ui-service.bats │ │ └── values.yaml │ └── vault-values.yaml │ ├── ingress.hcl │ ├── k3s.hcl │ ├── k8s_config.hcl │ ├── k8s_config │ ├── frontend.yml │ ├── jaeger.yml │ ├── products-api.yml │ ├── products-db.yml │ └── public-api.yml │ ├── network.hcl │ └── scripts │ ├── products_policy.hcl │ └── setup_vault.sh ├── cloud ├── .gitignore ├── Makefile ├── azure_db │ ├── database.tf │ ├── outputs.tf │ └── variables.tf ├── gcp_k8s │ ├── kubernetes.tf │ └── variables.tf ├── helm │ ├── consul-helm-0.16.2 │ │ ├── .circleci │ │ │ └── config.yml │ │ ├── .gitignore │ │ ├── .helmignore │ │ ├── CHANGELOG.md │ │ ├── CONTRIBUTING.md │ │ ├── Chart.yaml │ │ ├── LICENSE.md │ │ ├── Makefile │ │ ├── README.md │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── client-clusterrole.yaml │ │ │ ├── client-clusterrolebinding.yaml │ │ │ ├── client-config-configmap.yaml │ │ │ ├── client-daemonset.yaml │ │ │ ├── client-podsecuritypolicy.yaml │ │ │ ├── client-serviceaccount.yaml │ │ │ ├── client-snapshot-agent-clusterrole.yaml │ │ │ ├── client-snapshot-agent-clusterrolebinding.yaml │ │ │ ├── client-snapshot-agent-deployment.yaml │ │ │ ├── client-snapshot-agent-podsecuritypolicy.yaml │ │ │ ├── client-snapshot-agent-serviceaccount.yaml │ │ │ ├── connect-inject-authmethod-clusterrole.yaml │ │ │ ├── connect-inject-authmethod-clusterrolebinding.yaml │ │ │ ├── connect-inject-authmethod-serviceaccount.yaml │ │ │ ├── connect-inject-clusterrole.yaml │ │ │ ├── connect-inject-clusterrolebinding.yaml │ │ │ ├── connect-inject-deployment.yaml │ │ │ ├── connect-inject-mutatingwebhook.yaml │ │ │ ├── connect-inject-podsecuritypolicy.yaml │ │ │ ├── connect-inject-service.yaml │ │ │ ├── connect-inject-serviceaccount.yaml │ │ │ ├── dns-service.yaml │ │ │ ├── enterprise-license-clusterrole.yaml │ │ │ ├── enterprise-license-clusterrolebinding.yaml │ │ │ ├── enterprise-license-job.yaml │ │ │ ├── enterprise-license-podsecuritypolicy.yaml │ │ │ ├── 
enterprise-license-serviceaccount.yaml │ │ │ ├── mesh-gateway-clusterrole.yaml │ │ │ ├── mesh-gateway-clusterrolebinding.yaml │ │ │ ├── mesh-gateway-deployment.yaml │ │ │ ├── mesh-gateway-podsecuritypolicy.yaml │ │ │ ├── mesh-gateway-service.yaml │ │ │ ├── mesh-gateway-serviceaccount.yaml │ │ │ ├── server-acl-init-cleanup-clusterrole.yaml │ │ │ ├── server-acl-init-cleanup-clusterrolebinding.yaml │ │ │ ├── server-acl-init-cleanup-job.yaml │ │ │ ├── server-acl-init-cleanup-podsecuritypolicy.yaml │ │ │ ├── server-acl-init-cleanup-serviceaccount.yaml │ │ │ ├── server-acl-init-clusterrole.yaml │ │ │ ├── server-acl-init-clusterrolebinding.yaml │ │ │ ├── server-acl-init-job.yaml │ │ │ ├── server-acl-init-podsecuritypolicy.yaml │ │ │ ├── server-acl-init-serviceaccount.yaml │ │ │ ├── server-clusterrole.yaml │ │ │ ├── server-clusterrolebinding.yaml │ │ │ ├── server-config-configmap.yaml │ │ │ ├── server-disruptionbudget.yaml │ │ │ ├── server-podsecuritypolicy.yaml │ │ │ ├── server-service.yaml │ │ │ ├── server-serviceaccount.yaml │ │ │ ├── server-statefulset.yaml │ │ │ ├── sync-catalog-clusterrole.yaml │ │ │ ├── sync-catalog-clusterrolebinding.yaml │ │ │ ├── sync-catalog-deployment.yaml │ │ │ ├── sync-catalog-podsecuritypolicy.yaml │ │ │ ├── sync-catalog-serviceaccount.yaml │ │ │ ├── tests │ │ │ │ └── test-runner.yaml │ │ │ ├── tls-init-cleanup-clusterrole.yaml │ │ │ ├── tls-init-cleanup-clusterrolebinding.yaml │ │ │ ├── tls-init-cleanup-job.yaml │ │ │ ├── tls-init-cleanup-podsecuritypolicy.yaml │ │ │ ├── tls-init-cleanup-serviceaccount.yaml │ │ │ ├── tls-init-clusterrole.yaml │ │ │ ├── tls-init-clusterrolebinding.yaml │ │ │ ├── tls-init-job.yaml │ │ │ ├── tls-init-podsecuritypolicy.yaml │ │ │ ├── tls-init-serviceaccount.yaml │ │ │ └── ui-service.yaml │ │ ├── test │ │ │ ├── acceptance │ │ │ │ ├── _helpers.bash │ │ │ │ └── server.bats │ │ │ ├── docker │ │ │ │ └── Test.dockerfile │ │ │ ├── terraform │ │ │ │ ├── main.tf │ │ │ │ ├── outputs.tf │ │ │ │ ├── service-account.yaml │ 
│ │ │ └── variables.tf │ │ │ └── unit │ │ │ │ ├── _helpers.bash │ │ │ │ ├── client-clusterrole.bats │ │ │ │ ├── client-clusterrolebinding.bats │ │ │ │ ├── client-configmap.bats │ │ │ │ ├── client-daemonset.bats │ │ │ │ ├── client-podsecuritypolicy.bats │ │ │ │ ├── client-serviceaccount.bats │ │ │ │ ├── client-snapshot-agent-clusterrole.bats │ │ │ │ ├── client-snapshot-agent-clusterrolebinding.bats │ │ │ │ ├── client-snapshot-agent-deployment.bats │ │ │ │ ├── client-snapshot-agent-podsecuritypolicy.bats │ │ │ │ ├── client-snapshot-agent-serviceaccount.bats │ │ │ │ ├── connect-inject-authmethod-clusterrole.bats │ │ │ │ ├── connect-inject-authmethod-clusterrolebinding.bats │ │ │ │ ├── connect-inject-authmethod-serviceaccount.bats │ │ │ │ ├── connect-inject-clusterrole.bats │ │ │ │ ├── connect-inject-clusterrolebinding.bats │ │ │ │ ├── connect-inject-deployment.bats │ │ │ │ ├── connect-inject-mutatingwebhook.bats │ │ │ │ ├── connect-inject-podsecuritypolicy.bats │ │ │ │ ├── connect-inject-service.bats │ │ │ │ ├── connect-inject-serviceaccount.bats │ │ │ │ ├── dns-service.bats │ │ │ │ ├── enterprise-license-clusterrole.bats │ │ │ │ ├── enterprise-license-clusterrolebinding.bats │ │ │ │ ├── enterprise-license-job.bats │ │ │ │ ├── enterprise-license-podsecuritypolicy.bats │ │ │ │ ├── enterprise-license-serviceaccount.bats │ │ │ │ ├── helpers.bats │ │ │ │ ├── mesh-gateway-clusterrole.bats │ │ │ │ ├── mesh-gateway-clusterrolebinding.bats │ │ │ │ ├── mesh-gateway-deployment.bats │ │ │ │ ├── mesh-gateway-podsecuritypolicy.bats │ │ │ │ ├── mesh-gateway-service.bats │ │ │ │ ├── mesh-gateway-serviceaccount.bats │ │ │ │ ├── server-acl-init-cleanup-clusterrole.bats │ │ │ │ ├── server-acl-init-cleanup-clusterrolebinding.bats │ │ │ │ ├── server-acl-init-cleanup-job.bats │ │ │ │ ├── server-acl-init-cleanup-podsecuritypolicy.bats │ │ │ │ ├── server-acl-init-cleanup-serviceaccount.bats │ │ │ │ ├── server-acl-init-clusterrole.bats │ │ │ │ ├── server-acl-init-clusterrolebinding.bats │ │ 
│ │ ├── server-acl-init-job.bats │ │ │ │ ├── server-acl-init-podsecuritypolicy.bats │ │ │ │ ├── server-acl-init-serviceaccount.bats │ │ │ │ ├── server-clusterrole.bats │ │ │ │ ├── server-clusterrolebinding.bats │ │ │ │ ├── server-configmap.bats │ │ │ │ ├── server-disruptionbudget.bats │ │ │ │ ├── server-podsecuritypolicy.bats │ │ │ │ ├── server-service.bats │ │ │ │ ├── server-serviceaccount.bats │ │ │ │ ├── server-statefulset.bats │ │ │ │ ├── sync-catalog-clusterrole.bats │ │ │ │ ├── sync-catalog-clusterrolebinding.bats │ │ │ │ ├── sync-catalog-deployment.bats │ │ │ │ ├── sync-catalog-podsecuritypolicy.bats │ │ │ │ ├── sync-catalog-serviceaccount.bats │ │ │ │ ├── test-runner.bats │ │ │ │ ├── tls-init-cleanup-clusterrole.bats │ │ │ │ ├── tls-init-cleanup-clusterrolebinding.bats │ │ │ │ ├── tls-init-cleanup-job.bats │ │ │ │ ├── tls-init-cleanup-podsecuritypolicy.bats │ │ │ │ ├── tls-init-cleanup-serviceaccount.bats │ │ │ │ ├── tls-init-clusterrole.bats │ │ │ │ ├── tls-init-clusterrolebinding.bats │ │ │ │ ├── tls-init-job.bats │ │ │ │ ├── tls-init-podsecuritypolicy.bats │ │ │ │ ├── tls-init-serviceaccount.bats │ │ │ │ └── ui-service.bats │ │ └── values.yaml │ ├── consul-values.yaml │ ├── vault-helm-0.3.3 │ │ ├── .circleci │ │ │ └── config.yml │ │ ├── .gitignore │ │ ├── .helmignore │ │ ├── CHANGELOG.md │ │ ├── CONTRIBUTING.md │ │ ├── Chart.yaml │ │ ├── LICENSE.md │ │ ├── Makefile │ │ ├── README.md │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── injector-clusterrole.yaml │ │ │ ├── injector-clusterrolebinding.yaml │ │ │ ├── injector-deployment.yaml │ │ │ ├── injector-mutating-webhook.yaml │ │ │ ├── injector-service.yaml │ │ │ ├── injector-serviceaccount.yaml │ │ │ ├── server-clusterrolebinding.yaml │ │ │ ├── server-config-configmap.yaml │ │ │ ├── server-disruptionbudget.yaml │ │ │ ├── server-ingress.yaml │ │ │ ├── server-service.yaml │ │ │ ├── server-serviceaccount.yaml │ │ │ ├── server-statefulset.yaml │ │ │ └── ui-service.yaml │ │ ├── test │ │ │ 
├── acceptance │ │ │ │ ├── _helpers.bash │ │ │ │ ├── injector-test │ │ │ │ │ ├── bootstrap.sh │ │ │ │ │ ├── job.yaml │ │ │ │ │ ├── pg-deployment.yaml │ │ │ │ │ └── pgdump-policy.hcl │ │ │ │ ├── injector.bats │ │ │ │ ├── server-dev.bats │ │ │ │ ├── server-ha.bats │ │ │ │ └── server.bats │ │ │ ├── docker │ │ │ │ └── Test.dockerfile │ │ │ ├── terraform │ │ │ │ ├── .gitignore │ │ │ │ ├── main.tf │ │ │ │ ├── outputs.tf │ │ │ │ ├── service-account.yaml │ │ │ │ └── variables.tf │ │ │ └── unit │ │ │ │ ├── _helpers.bash │ │ │ │ ├── injector-clusterrole.bats │ │ │ │ ├── injector-clusterrolebinding.bats │ │ │ │ ├── injector-deployment.bats │ │ │ │ ├── injector-mutating-webhook.bats │ │ │ │ ├── injector-service.bats │ │ │ │ ├── injector-serviceaccount.bats │ │ │ │ ├── server-clusterrolebinding.bats │ │ │ │ ├── server-configmap.bats │ │ │ │ ├── server-dev-statefulset.bats │ │ │ │ ├── server-ha-disruptionbudget.bats │ │ │ │ ├── server-ha-statefulset.bats │ │ │ │ ├── server-ingress.bats │ │ │ │ ├── server-service.bats │ │ │ │ ├── server-serviceaccount.bats │ │ │ │ ├── server-statefulset.bats │ │ │ │ └── ui-service.bats │ │ └── values.yaml │ └── vault-values.yaml ├── k8s_config │ └── tools.yml ├── local.auto.tfvars ├── local.backend ├── main.tf ├── outputs.tf ├── policy │ ├── opa │ │ ├── azure.rego │ │ ├── azure │ │ │ ├── azure.rego │ │ │ ├── policy.rego │ │ │ ├── policy_test.rego │ │ │ ├── security.rego │ │ │ └── security_test.rego │ │ ├── gcp.rego │ │ ├── gcp │ │ │ ├── gcp.rego │ │ │ ├── policy.rego │ │ │ ├── policy_test.rego │ │ │ ├── security.rego │ │ │ └── security_test.rego │ │ ├── mock │ │ │ └── tfplan.json │ │ ├── terraform.rego │ │ └── terraform │ │ │ ├── output.rego │ │ │ └── output_test.rego │ └── sentinel │ │ ├── database.sentinel │ │ ├── gke-container-cluster.sentinel │ │ ├── gke-node-pool.sentinel │ │ ├── sentinel.hcl │ │ ├── tags.sentinel │ │ ├── terraform.sentinel │ │ └── test │ │ ├── database │ │ ├── fail.json │ │ └── good.json │ │ ├── gke-container-cluster │ │ 
├── fail.json │ │ └── good.json │ │ ├── gke-node-pool │ │ ├── fail.json │ │ └── good.json │ │ ├── tags │ │ ├── fail.json │ │ └── good.json │ │ ├── terraform │ │ ├── fail.json │ │ └── good.json │ │ └── testdata │ │ ├── mock-tfconfig-v2.sentinel │ │ ├── mock-tfconfig.sentinel │ │ ├── mock-tfplan-fail.sentinel │ │ ├── mock-tfplan-v2.sentinel │ │ ├── mock-tfplan.sentinel │ │ ├── mock-tfrun.sentinel │ │ ├── mock-tfstate-v2.sentinel │ │ └── mock-tfstate.sentinel ├── remote.backend ├── scripts │ ├── products_policy.hcl │ └── setup_vault.sh ├── variables.tf └── vault │ ├── agent.hcl │ ├── gcpbindings.hcl │ └── policy.hcl ├── images ├── HashiCupsDiagrams.pptx ├── infa.png └── infra-new.png └── infa.png /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # Crash log files 9 | crash.log 10 | 11 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most 12 | # .tfvars files are managed as part of configuration and so should be included in 13 | # version control. 
14 | # 15 | # example.tfvars 16 | 17 | # Ignore override files as they are usually used to override resources locally and so 18 | # are not checked in 19 | override.tf 20 | override.tf.json 21 | *_override.tf 22 | *_override.tf.json 23 | 24 | # Include override files you do wish to add to version control using negated pattern 25 | # 26 | # !example_override.tf 27 | 28 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 29 | # example: *tfplan* 30 | 31 | products.sql 32 | backend.conf 33 | 34 | # Vault Credentials for Secrets Engins 35 | vault-gcp-engine.json 36 | vault/role-id 37 | vault/secret-id -------------------------------------------------------------------------------- /blueprint/demo.yard: -------------------------------------------------------------------------------- 1 | title = "HashiCorp Demo Application" 2 | author = "Nic Jackson" 3 | slug = "demo" 4 | 5 | // Shown in the command output when yard apply is run 6 | intro = < 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "meshGateway/PodSecurityPolicy: enabled with meshGateway, connectInject and client.grpc enabled and global.enablePodSecurityPolicies=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/mesh-gateway-podsecuritypolicy.yaml \ 18 | --set 'meshGateway.enabled=true' \ 19 | --set 'connectInject.enabled=true' \ 20 | --set 'client.grpc=true' \ 21 | --set 'global.enablePodSecurityPolicies=true' \ 22 | . 
| tee /dev/stderr | 23 | yq 'length > 0' | tee /dev/stderr) 24 | [ "${actual}" = "true" ] 25 | } 26 | -------------------------------------------------------------------------------- /blueprint/stack/helm/consul-helm-0.16.2/test/unit/mesh-gateway-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "meshGateway/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/mesh-gateway-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "meshGateway/ServiceAccount: enabled with meshGateway, connectInject and client.grpc enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/mesh-gateway-serviceaccount.yaml \ 18 | --set 'meshGateway.enabled=true' \ 19 | --set 'connectInject.enabled=true' \ 20 | --set 'client.grpc=true' \ 21 | . | tee /dev/stderr | 22 | yq 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | -------------------------------------------------------------------------------- /blueprint/stack/helm/consul-helm-0.16.2/test/unit/server-podsecuritypolicy.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/PodSecurityPolicy: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-podsecuritypolicy.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "server/PodSecurityPolicy: disabled with server disabled and global.enablePodSecurityPolicies=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-podsecuritypolicy.yaml \ 18 | --set 'server.enabled=false' \ 19 | --set 'global.enablePodSecurityPolicies=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "false" ] 23 | } 24 | 25 | @test "server/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/server-podsecuritypolicy.yaml \ 29 | --set 'global.enablePodSecurityPolicies=true' \ 30 | . | tee /dev/stderr | 31 | yq -s 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "true" ] 33 | } 34 | -------------------------------------------------------------------------------- /blueprint/stack/helm/consul-helm-0.16.2/test/unit/test-runner.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "testRunner/Pod: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/tests/test-runner.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "testRunner/Pod: disabled when tests.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/tests/test-runner.yaml \ 18 | --set 'tests.enabled=false' \ 19 | . 
| tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana-values.yaml: -------------------------------------------------------------------------------- 1 | adminPassword: password # NOTE(review): static plaintext admin credential committed in a values file; override it at deploy time (e.g. --set adminPassword=<generated-value>) rather than relying on this default 2 | 3 | datasources: 4 | datasources.yaml: 5 | apiVersion: 1 6 | datasources: 7 | - name: Prometheus 8 | type: prometheus 9 | url: http://prometheus-server 10 | access: proxy 11 | isDefault: true -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .vscode 20 | .project 21 | .idea/ 22 | *.tmproj 23 | OWNERS 24 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: grafana 3 | version: 4.3.0 4 | appVersion: 6.5.2 5 | kubeVersion: "^1.8.0-0" 6 | description: The leading tool for querying and visualizing time series and metrics. 
7 | home: https://grafana.net 8 | icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png 9 | sources: 10 | - https://github.com/grafana/grafana 11 | maintainers: 12 | - name: zanhsieh 13 | email: zanhsieh@gmail.com 14 | - name: rtluckie 15 | email: rluckie@cisco.com 16 | - name: maorfr 17 | email: maor.friedman@redhat.com 18 | engine: gotpl 19 | tillerVersion: ">=2.12.0" 20 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - zanhsieh 3 | - rtluckie 4 | - maorfr 5 | reviewers: 6 | - zanhsieh 7 | - rtluckie 8 | - maorfr 9 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/ci/default-values.yaml: -------------------------------------------------------------------------------- 1 | # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. 
2 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/ci/with-dashboard-values.yaml: -------------------------------------------------------------------------------- 1 | dashboards: 2 | my-provider: 3 | my-awesome-dashboard: 4 | gnetId: 10000 5 | revision: 1 6 | datasource: Prometheus 7 | dashboardProviders: 8 | dashboardproviders.yaml: 9 | apiVersion: 1 10 | providers: 11 | - name: 'my-provider' 12 | orgId: 1 13 | folder: '' 14 | type: file 15 | updateIntervalSeconds: 10 16 | disableDeletion: true 17 | editable: true 18 | options: 19 | path: /var/lib/grafana/dashboards/my-provider 20 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/dashboards/custom-dashboard.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | labels: 6 | app: {{ template "grafana.name" . }} 7 | chart: {{ template "grafana.chart" . }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | {{- with .Values.annotations }} 11 | annotations: 12 | {{ toYaml . | indent 4 }} 13 | {{- end }} 14 | name: {{ template "grafana.fullname" . 
}}-clusterrole 15 | {{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.rbac.extraClusterRoleRules) }} 16 | rules: 17 | {{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled }} 18 | - apiGroups: [""] # "" indicates the core API group 19 | resources: ["configmaps", "secrets"] 20 | verbs: ["get", "watch", "list"] 21 | {{- end}} 22 | {{- with .Values.rbac.extraClusterRoleRules }} 23 | {{ toYaml . | indent 0 }} 24 | {{- end}} 25 | {{- else }} 26 | rules: [] 27 | {{- end}} 28 | {{- end}} 29 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "grafana.fullname" . }}-clusterrolebinding 6 | labels: 7 | app: {{ template "grafana.name" . }} 8 | chart: {{ template "grafana.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | {{- with .Values.annotations }} 12 | annotations: 13 | {{ toYaml . | indent 4 }} 14 | {{- end }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "grafana.serviceAccountName" . }} 18 | namespace: {{ template "grafana.namespace" . }} 19 | roleRef: 20 | kind: ClusterRole 21 | name: {{ template "grafana.fullname" . }}-clusterrole 22 | apiGroup: rbac.authorization.k8s.io 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/configmap-dashboard-provider.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.sidecar.dashboards.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | labels: 6 | app: {{ template "grafana.name" . 
}} 7 | chart: {{ template "grafana.chart" . }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | {{- with .Values.annotations }} 11 | annotations: 12 | {{ toYaml . | indent 4 }} 13 | {{- end }} 14 | name: {{ template "grafana.fullname" . }}-config-dashboards 15 | namespace: {{ template "grafana.namespace" . }} 16 | data: 17 | provider.yaml: |- 18 | apiVersion: 1 19 | providers: 20 | - name: '{{ .Values.sidecar.dashboards.provider.name }}' 21 | orgId: {{ .Values.sidecar.dashboards.provider.orgid }} 22 | folder: '{{ .Values.sidecar.dashboards.provider.folder }}' 23 | type: {{ .Values.sidecar.dashboards.provider.type }} 24 | disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} 25 | allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} 26 | options: 27 | path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} 28 | {{- end}} 29 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/dashboards-json-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.dashboards }} 2 | {{ $files := .Files }} 3 | {{- range $provider, $dashboards := .Values.dashboards }} 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ template "grafana.fullname" $ }}-dashboards-{{ $provider }} 8 | namespace: {{ template "grafana.namespace" $ }} 9 | labels: 10 | app: {{ template "grafana.name" $ }} 11 | chart: {{ template "grafana.chart" $ }} 12 | release: {{ $.Release.Name }} 13 | heritage: {{ $.Release.Service }} 14 | dashboard-provider: {{ $provider }} 15 | {{- if $dashboards }} 16 | data: 17 | {{- $dashboardFound := false }} 18 | {{- range $key, $value := $dashboards }} 19 | {{- if (or (hasKey $value "json") (hasKey $value "file")) }} 20 | {{- $dashboardFound = true }} 21 | {{ print $key | indent 2 }}.json: 22 | {{- if hasKey $value 
"json" }} 23 | |- 24 | {{ $value.json | indent 6 }} 25 | {{- end }} 26 | {{- if hasKey $value "file" }} 27 | {{ toYaml ( $files.Get $value.file ) | indent 4}} 28 | {{- end }} 29 | {{- end }} 30 | {{- end }} 31 | {{- if not $dashboardFound }} 32 | {} 33 | {{- end }} 34 | {{- end }} 35 | --- 36 | {{- end }} 37 | 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/headless-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset")}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "grafana.fullname" . }}-headless 6 | namespace: {{ template "grafana.namespace" . }} 7 | labels: 8 | app: {{ template "grafana.name" . }} 9 | chart: {{ template "grafana.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | {{- with .Values.annotations }} 13 | annotations: 14 | {{ toYaml . | indent 4 }} 15 | {{- end }} 16 | spec: 17 | clusterIP: None 18 | selector: 19 | app: {{ template "grafana.name" . }} 20 | release: {{ .Release.Name }} 21 | type: ClusterIP 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ template "grafana.name" . }} 6 | namespace: {{ template "grafana.namespace" . }} 7 | labels: 8 | app: {{ template "grafana.name" . }} 9 | chart: {{ template "grafana.chart" . 
}} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | {{- if .Values.labels }} 13 | {{ toYaml .Values.labels | indent 4 }} 14 | {{- end }} 15 | spec: 16 | {{- if .Values.podDisruptionBudget.minAvailable }} 17 | minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} 18 | {{- end }} 19 | {{- if .Values.podDisruptionBudget.maxUnavailable }} 20 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 21 | {{- end }} 22 | selector: 23 | matchLabels: 24 | app: {{ template "grafana.name" . }} 25 | release: {{ .Release.Name }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "pvc")}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ template "grafana.fullname" . }} 6 | namespace: {{ template "grafana.namespace" . }} 7 | labels: 8 | app: {{ template "grafana.name" . }} 9 | chart: {{ template "grafana.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | {{- with .Values.persistence.annotations }} 13 | annotations: 14 | {{ toYaml . | indent 4 }} 15 | {{- end }} 16 | {{- with .Values.persistence.finalizers }} 17 | finalizers: 18 | {{ toYaml . | indent 4 }} 19 | {{- end }} 20 | spec: 21 | accessModes: 22 | {{- range .Values.persistence.accessModes }} 23 | - {{ . 
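| quote }}
  {{- end }}
  resources:
    requests:
      storage: {{ .Values.persistence.size | quote }}
  storageClassName: {{ .Values.persistence.storageClassName }}
{{- end -}}
-------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/rolebinding.yaml: --------------------------------------------------------------------------------
{{- /*
Binds the Grafana ServiceAccount to the namespaced Role of the same name
(presumably defined in role.yaml, not shown here).

Rendered whenever rbac.create is set. rbac.namespaced does NOT gate this
object; it only decides whether clusterrole.yaml / clusterrolebinding.yaml
render the additional cluster-wide grant (they check `not rbac.namespaced`).

A RoleBinding has exactly one roleRef. The earlier version of this template
emitted a second, identical roleRef block under `if .Values.rbac.namespaced`,
producing a duplicate mapping key in the rendered YAML; whether that is
rejected or silently last-wins depends on the parser. The single
unconditional roleRef below is the intended object.

apiVersion is rbac.authorization.k8s.io/v1, matching clusterrolebinding.yaml
in this chart (v1beta1 is deprecated and removed in Kubernetes 1.22).
*/ -}}
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "grafana.fullname" . }}
  namespace: {{ template "grafana.namespace" . }}
  labels:
    app: {{ template "grafana.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  {{- with .Values.annotations }}
  annotations:
{{ toYaml . | indent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "grafana.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ template "grafana.serviceAccountName" . }}
    namespace: {{ template "grafana.namespace" . }}
{{- end -}}
-------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/secret-env.yaml: --------------------------------------------------------------------------------
{{- if .Values.envRenderSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "grafana.fullname" . }}-env
  namespace: {{ template "grafana.namespace" . }}
  labels:
    app: {{ template "grafana.name" . }}
    chart: {{ template "grafana.chart" .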
}}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  {{- /* Every envRenderSecret value lands in this Secret verbatim (base64 is
         encoding, not protection). The same plaintext also sits in the values
         passed to Helm and in Helm's stored release history -- handle those
         with the same care as the Secret itself. */}}
  {{- range $key, $val := .Values.envRenderSecret }}
  {{ $key }}: {{ $val | b64enc | quote }}
  {{- end -}}
{{- end }}
-------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/secret.yaml: --------------------------------------------------------------------------------
{{- /*
Bootstrap credentials for Grafana: admin user/password and, unless an
existing LDAP secret is referenced, the LDAP TOML. Skipped entirely when
admin.existingSecret points at a pre-created Secret -- the recommended way
to keep the admin password out of values files and release history.

Password selection:
  - adminPassword set -> used as-is.
  - otherwise         -> `randAlphaNum 40`, evaluated at render time.
Because randAlphaNum runs on EVERY render, each `helm upgrade` without a
fixed adminPassword rewrites admin-password with a fresh random value.
Grafana is generally understood to apply the bootstrap admin password only
on first start, so after such an upgrade the Secret and the live admin
password can silently diverge -- pin adminPassword or use
admin.existingSecret for any long-lived install (verify against the Grafana
version actually deployed).
*/ -}}
{{- if not .Values.admin.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "grafana.fullname" . }}
  namespace: {{ template "grafana.namespace" . }}
  labels:
    app: {{ template "grafana.name" . }}
    chart: {{ template "grafana.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  admin-user: {{ .Values.adminUser | b64enc | quote }}
  {{- if .Values.adminPassword }}
  admin-password: {{ .Values.adminPassword | b64enc | quote }}
  {{- else }}
  admin-password: {{ randAlphaNum 40 | b64enc | quote }}
  {{- end }}
  {{- if not .Values.ldap.existingSecret }}
  {{- /* ldap.config is raw LDAP TOML, which usually carries a bind password.
         It is rendered whenever ldap.existingSecret is unset, whether or not
         LDAP is enabled elsewhere (an empty string then). Prefer
         ldap.existingSecret for real deployments. */}}
  ldap-toml: {{ .Values.ldap.config | b64enc | quote }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/serviceaccount.yaml: --------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: {{ template "grafana.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
{{ toYaml . | indent 4 }}
  {{- end }}
  name: {{ template "grafana.serviceAccountName" . }}
  namespace: {{ template "grafana.namespace" .
}} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/tests/test-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.testFramework.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "grafana.fullname" . }}-test 6 | namespace: {{ template "grafana.namespace" . }} 7 | labels: 8 | app: {{ template "grafana.fullname" . }} 9 | chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 10 | heritage: "{{ .Release.Service }}" 11 | release: "{{ .Release.Name }}" 12 | data: 13 | run.sh: |- 14 | @test "Test Health" { 15 | url="http://{{ template "grafana.fullname" . }}/api/health" 16 | 17 | code=$(curl -s -o /dev/null -I -w "%{http_code}" $url) 18 | [ "$code" == "200" ] 19 | } 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/tests/test-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.testFramework.enabled .Values.rbac.pspEnabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "grafana.fullname" . }}-test 6 | namespace: {{ template "grafana.namespace" . }} 7 | labels: 8 | app: {{ template "grafana.name" . 
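}}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # The test runner only curls the Grafana health endpoint (see
  # test-configmap.yaml). It has no reason to gain privileges through
  # setuid binaries or file capabilities, so refuse privilege escalation
  # here, consistent with the kube-state-metrics PSP in this stack. The
  # PSP admission plugin is expected to default the container's
  # securityContext to match when the pod spec leaves it unset; a test pod
  # that explicitly requests escalation would now be rejected.
  allowPrivilegeEscalation: false
  privileged: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # NOTE(review): RunAsAny keeps the policy compatible with whatever UID the
  # test image uses; tighten runAsUser to MustRunAsNonRoot once that image
  # is confirmed to run unprivileged.
  fsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  # Only the volume types a test pod plausibly needs (its script ConfigMap,
  # secret/projected volumes, scratch emptyDir). No hostPath.
  volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - projected
    - secret
{{- end }}
-------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/tests/test-role.yaml: --------------------------------------------------------------------------------
{{- /*
Namespaced Role that lets the test ServiceAccount `use` exactly one PSP --
resourceNames pins it to the test policy, so the test pod cannot pick a
more permissive policy that happens to exist in the cluster. Rendered only
when both the test framework and PSP support are enabled.
*/ -}}
{{- if and .Values.testFramework.enabled .Values.rbac.pspEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "grafana.fullname" . }}-test
  namespace: {{ template "grafana.namespace" . }}
  labels:
    app: {{ template "grafana.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: [{{ template "grafana.fullname" . }}-test]
{{- end }}
-------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/tests/test-rolebinding.yaml: --------------------------------------------------------------------------------
{{- if and .Values.testFramework.enabled .Values.rbac.pspEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "grafana.fullname" . }}-test
  namespace: {{ template "grafana.namespace" . }}
  labels:
    app: {{ template "grafana.name" .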
}} 9 | chart: {{ .Chart.Name }}-{{ .Chart.Version }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ template "grafana.fullname" . }}-test 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "grafana.serviceAccountNameTest" . }} 19 | namespace: {{ template "grafana.namespace" . }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /blueprint/stack/helm/grafana/templates/tests/test-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.testFramework.enabled .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | app: {{ template "grafana.name" . }} 7 | chart: {{ .Chart.Name }}-{{ .Chart.Version }} 8 | heritage: {{ .Release.Service }} 9 | release: {{ .Release.Name }} 10 | name: {{ template "grafana.serviceAccountNameTest" . }} 11 | namespace: {{ template "grafana.namespace" . }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | server: 3 | persistentVolume: 4 | enabled: false 5 | 6 | alertmanager: 7 | enabled: false -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | 23 | OWNERS 24 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: prometheus 3 | version: 10.0.1 4 | appVersion: 2.15.2 5 | description: Prometheus is a monitoring system and time series database. 6 | home: https://prometheus.io/ 7 | icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png 8 | sources: 9 | - https://github.com/prometheus/alertmanager 10 | - https://github.com/prometheus/prometheus 11 | - https://github.com/prometheus/pushgateway 12 | - https://github.com/prometheus/node_exporter 13 | - https://github.com/kubernetes/kube-state-metrics 14 | maintainers: 15 | - name: gianrubio 16 | email: gianrubio@gmail.com 17 | - name: zanhsieh 18 | email: zanhsieh@gmail.com 19 | engine: gotpl 20 | tillerVersion: ">=2.8.0" 21 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - gianrubio 3 | - zanhsieh 4 | reviewers: 5 | - gianrubio 6 | - zanhsieh 7 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/alertmanager-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . 
| nindent 4 }} 7 | name: {{ template "prometheus.alertmanager.fullname" . }} 8 | rules: 9 | {{- if .Values.podSecurityPolicy.enabled }} 10 | - apiGroups: 11 | - extensions 12 | resources: 13 | - podsecuritypolicies 14 | verbs: 15 | - use 16 | resourceNames: 17 | - {{ template "prometheus.alertmanager.fullname" . }} 18 | {{- else }} 19 | [] 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/alertmanager-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.alertmanager.fullname" . }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "prometheus.serviceAccountName.alertmanager" . }} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "prometheus.alertmanager.fullname" . }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/alertmanager-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.alertmanager.fullname" . }} 8 | data: 9 | {{- $root := . 
-}}
{{- range $key, $value := .Values.alertmanagerFiles }}
  {{ $key }}: |
{{ toYaml $value | default "{}" | indent 4 }}
{{- end -}}
{{- end -}}
-------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/alertmanager-networkpolicy.yaml: --------------------------------------------------------------------------------
{{- /*
NetworkPolicy for the Alertmanager pods (selected by the alertmanager
matchLabels). Read the ingress list carefully: it holds TWO rules, not one.

  1. `from: <server pods>` with no `ports` -> Prometheus server pods may
     reach Alertmanager on ANY port.
  2. `ports: 9093` with no `from`          -> ANY source (every pod in the
     cluster, plus whatever the CNI routes in) may reach port 9093.

Rule 2 is presumably what keeps the Alertmanager UI/API reachable through an
Ingress controller or port-forward, but it also means this policy does not
restrict access to the alerting API at all. If the intended posture is "only
the Prometheus server may talk to Alertmanager", fold `ports` into rule 1
(same list item as `from`) instead of a second `- ports:` entry.

NOTE(review): neither rule admits Alertmanager-to-Alertmanager traffic on the
mesh port (6783 in alertmanager-service-headless.yaml), so HA peering appears
to be blocked whenever this policy is enabled -- verify against a
multi-replica deployment.
*/ -}}
{{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}}
apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
  name: {{ template "prometheus.alertmanager.fullname" . }}
  labels:
    {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }}
  ingress:
    # Rule 1: Prometheus server pods, all ports.
    - from:
      - podSelector:
          matchLabels:
            {{- include "prometheus.server.matchLabels" . | nindent 12 }}
    # Rule 2: no `from` => every source, port 9093 only.
    - ports:
      - port: 9093
{{- end -}}
-------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/alertmanager-pdb.yaml: --------------------------------------------------------------------------------
{{- /*
PodDisruptionBudget for Alertmanager. Gated only on its own `enabled` flag,
not on alertmanager.enabled, so enabling the budget alone renders a PDB with
nothing to protect.
NOTE(review): the selector uses the full `labels` helper rather than the
`matchLabels` helper used by the Service/NetworkPolicy above -- confirm the
pod template carries every one of those labels or the budget selects nothing.
*/ -}}
{{- if .Values.alertmanager.podDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: {{ template "prometheus.alertmanager.fullname" . }}
  labels:
    {{- include "prometheus.alertmanager.labels" . | nindent 4 }}
spec:
  maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }}
  selector:
    matchLabels:
      {{- include "prometheus.alertmanager.labels" .
| nindent 6 }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/alertmanager-service-headless.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.alertmanager.statefulSet.headless.annotations }} 6 | annotations: 7 | {{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }} 8 | {{- end }} 9 | labels: 10 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 11 | {{- if .Values.alertmanager.statefulSet.headless.labels }} 12 | {{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }} 13 | {{- end }} 14 | name: {{ template "prometheus.alertmanager.fullname" . }}-headless 15 | spec: 16 | clusterIP: None 17 | ports: 18 | - name: http 19 | port: {{ .Values.alertmanager.statefulSet.headless.servicePort }} 20 | protocol: TCP 21 | targetPort: 9093 22 | {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} 23 | - name: meshpeer 24 | port: 6783 25 | protocol: TCP 26 | targetPort: 6783 27 | {{- end }} 28 | selector: 29 | {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/alertmanager-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.serviceAccountName.alertmanager" . 
}}
{{- end -}}
-------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/kube-state-metrics-clusterrolebinding.yaml: --------------------------------------------------------------------------------
{{- /*
Grants the kube-state-metrics ServiceAccount the ClusterRole of the same name
(defined in a sibling template not shown here). kube-state-metrics needs
cluster-wide list/watch to do its job, so a ClusterRoleBinding is expected;
it does make this pod's service-account token a cluster-wide read credential,
which is why the NetworkPolicy and PSP below matter.
NOTE(review): rbac.authorization.k8s.io/v1beta1 is deprecated;
node-exporter-rolebinding.yaml in this chart already uses v1.
*/ -}}
{{- if and .Values.kubeStateMetrics.enabled .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    {{- include "prometheus.kubeStateMetrics.labels" . | nindent 4 }}
  name: {{ template "prometheus.kubeStateMetrics.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ template "prometheus.serviceAccountName.kubeStateMetrics" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "prometheus.kubeStateMetrics.fullname" . }}
{{- end -}}
-------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/kube-state-metrics-networkpolicy.yaml: --------------------------------------------------------------------------------
{{- /*
NetworkPolicy for kube-state-metrics. The ingress list holds two independent
rules: (1) Prometheus server pods on any port, and (2) -- because the second
list item has `ports` but no `from` -- ANY source on port 8080. Rule 2 makes
the metrics endpoint readable by every workload in the cluster. kube-state-
metrics by design exposes cluster-wide object metadata (names, labels,
images, replica counts, ...), which is useful reconnaissance for anyone who
has landed in any pod. Unless something other than the Prometheus server
needs to scrape it, put `ports` in the same list item as `from` so only the
server reaches 8080.
*/ -}}
{{- if and .Values.kubeStateMetrics.enabled .Values.networkPolicy.enabled -}}
apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
  name: {{ template "prometheus.kubeStateMetrics.fullname" . }}
  labels:
    {{- include "prometheus.kubeStateMetrics.labels" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "prometheus.kubeStateMetrics.matchLabels" . | nindent 6 }}
  ingress:
  # Rule 1: Prometheus server pods, all ports.
  - from:
    - podSelector:
        matchLabels:
          {{- include "prometheus.server.matchLabels" . | nindent 10 }}
  # Rule 2: no `from` => every source, port 8080 only.
  - ports:
    - port: 8080
{{- end -}}
-------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/kube-state-metrics-pdb.yaml: --------------------------------------------------------------------------------
{{- /*
PodDisruptionBudget for kube-state-metrics; gated only on its own `enabled`
flag, not on kubeStateMetrics.enabled.
NOTE(review): the selector uses the full `labels` helper where the
NetworkPolicy uses `matchLabels` -- confirm the pod template carries every
one of those labels or the budget selects nothing.
*/ -}}
{{- if .Values.kubeStateMetrics.podDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: {{ template "prometheus.kubeStateMetrics.fullname" . }}
  labels:
    {{- include "prometheus.kubeStateMetrics.labels" . | nindent 4 }}
spec:
  maxUnavailable: {{ .Values.kubeStateMetrics.podDisruptionBudget.maxUnavailable }}
  selector:
    matchLabels:
      {{- include "prometheus.kubeStateMetrics.labels" . | nindent 6 }}
{{- end }}
-------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/kube-state-metrics-podsecuritypolicy.yaml: --------------------------------------------------------------------------------
{{- /*
Restrictive PodSecurityPolicy for kube-state-metrics. Rendered when RBAC and
PSP support are on -- note it is NOT gated on kubeStateMetrics.enabled, unlike
the ServiceAccount and ClusterRoleBinding, so a disabled deployment still
leaves this policy object behind.
*/ -}}
{{- if .Values.rbac.create }}
{{- if .Values.podSecurityPolicy.enabled }}
apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.kubeStateMetrics.fullname" . }}
  labels:
    {{- include "prometheus.kubeStateMetrics.labels" .
| nindent 4 }} 9 | annotations: 10 | {{- if .Values.kubeStateMetrics.podSecurityPolicy.annotations }} 11 | {{ toYaml .Values.kubeStateMetrics.podSecurityPolicy.annotations | indent 4 }} 12 | {{- end }} 13 | spec: 14 | privileged: false 15 | allowPrivilegeEscalation: false 16 | requiredDropCapabilities: 17 | - ALL 18 | volumes: 19 | - 'secret' 20 | allowedHostPaths: [] 21 | hostNetwork: false 22 | hostPID: false 23 | hostIPC: false 24 | runAsUser: 25 | rule: 'RunAsAny' 26 | seLinux: 27 | rule: 'RunAsAny' 28 | supplementalGroups: 29 | rule: 'MustRunAs' 30 | ranges: 31 | # Forbid adding the root group. 32 | - min: 1 33 | max: 65535 34 | fsGroup: 35 | rule: 'MustRunAs' 36 | ranges: 37 | # Forbid adding the root group. 38 | - min: 1 39 | max: 65535 40 | readOnlyRootFilesystem: true 41 | {{- end }} 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/kube-state-metrics-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.kubeStateMetrics.enabled .Values.serviceAccounts.kubeStateMetrics.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "prometheus.kubeStateMetrics.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.serviceAccountName.kubeStateMetrics" . }} 8 | {{- end -}} 9 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/node-exporter-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeExporter.enabled .Values.rbac.create }} 2 | {{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }} 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | kind: Role 5 | metadata: 6 | name: {{ template "prometheus.nodeExporter.fullname" . 
}} 7 | labels: 8 | {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} 9 | namespace: {{ .Release.Namespace }} 10 | rules: 11 | - apiGroups: ['extensions'] 12 | resources: ['podsecuritypolicies'] 13 | verbs: ['use'] 14 | resourceNames: 15 | - {{ template "prometheus.nodeExporter.fullname" . }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/node-exporter-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeExporter.enabled .Values.rbac.create }} 2 | {{- if .Values.podSecurityPolicy.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: {{ template "prometheus.nodeExporter.fullname" . }} 7 | labels: 8 | {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} 9 | namespace: {{ .Release.Namespace }} 10 | roleRef: 11 | kind: Role 12 | name: {{ template "prometheus.nodeExporter.fullname" . }} 13 | apiGroup: rbac.authorization.k8s.io 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} 17 | namespace: {{ .Release.Namespace }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/node-exporter-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.serviceAccountName.nodeExporter" . 
}} 8 | {{- end -}} 9 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/pushgateway-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.pushgateway.fullname" . }} 8 | rules: 9 | {{- if .Values.podSecurityPolicy.enabled }} 10 | - apiGroups: 11 | - extensions 12 | resources: 13 | - podsecuritypolicies 14 | verbs: 15 | - use 16 | resourceNames: 17 | - {{ template "prometheus.pushgateway.fullname" . }} 18 | {{- else }} 19 | [] 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/pushgateway-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.pushgateway.fullname" . }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "prometheus.serviceAccountName.pushgateway" . }} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "prometheus.pushgateway.fullname" . 
}} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/pushgateway-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}} 2 | apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} 3 | kind: NetworkPolicy 4 | metadata: 5 | name: {{ template "prometheus.pushgateway.fullname" . }} 6 | labels: 7 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 8 | spec: 9 | podSelector: 10 | matchLabels: 11 | {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | {{- include "prometheus.server.matchLabels" . | nindent 12 }} 17 | - ports: 18 | - port: 9091 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/pushgateway-pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pushgateway.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ template "prometheus.pushgateway.fullname" . }} 6 | labels: 7 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 8 | spec: 9 | maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }} 10 | selector: 11 | matchLabels: 12 | {{- include "prometheus.pushgateway.labels" . 
| nindent 6 }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/pushgateway-pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pushgateway.persistentVolume.enabled -}} 2 | {{- if not .Values.pushgateway.persistentVolume.existingClaim -}} 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | {{- if .Values.pushgateway.persistentVolume.annotations }} 7 | annotations: 8 | {{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }} 9 | {{- end }} 10 | labels: 11 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 12 | name: {{ template "prometheus.pushgateway.fullname" . }} 13 | spec: 14 | accessModes: 15 | {{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }} 16 | {{- if .Values.pushgateway.persistentVolume.storageClass }} 17 | {{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }} 18 | storageClassName: "" 19 | {{- else }} 20 | storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}" 21 | {{- end }} 22 | {{- end }} 23 | {{- if .Values.pushgateway.persistentVolume.volumeBindingMode }} 24 | volumeBindingModeName: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}" 25 | {{- end }} 26 | resources: 27 | requests: 28 | storage: "{{ .Values.pushgateway.persistentVolume.size }}" 29 | {{- end -}} 30 | {{- end -}} 31 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/pushgateway-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "prometheus.pushgateway.labels" . 
| nindent 4 }}
  name: {{ template "prometheus.serviceAccountName.pushgateway" . }}
{{- end -}}
--------------------------------------------------------------------------------
/blueprint/stack/helm/prometheus/templates/server-clusterrole.yaml:
--------------------------------------------------------------------------------
{{/*
Cluster-wide read access for the Prometheus server's Kubernetes service
discovery (only rendered when server.enabled and rbac.create are both set).
Review note: none of the rules below is namespace-scoped, so the server's
service account can get/list/watch every ConfigMap in the cluster, and
nodes/proxy reaches the kubelet API through the API server. Anything that can
read this service account's token inherits that reach, so keep the server pod
itself locked down. rbac.authorization.k8s.io/v1beta1 is deprecated; clusters
that only serve v1 need the apiVersion bumped.
*/}}
{{- if and .Values.server.enabled .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    {{- include "prometheus.server.labels" . | nindent 4 }}
  name: {{ template "prometheus.server.fullname" . }}
rules:
{{- if .Values.podSecurityPolicy.enabled }}
  - apiGroups:
    - extensions
    resources:
    - podsecuritypolicies
    verbs:
    - use
    resourceNames:
    - {{ template "prometheus.server.fullname" . }}
{{- end }}
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/proxy
      - nodes/metrics
      - services
      - endpoints
      - pods
      - ingresses
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
      - ingresses
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
{{- end }}
--------------------------------------------------------------------------------
/blueprint/stack/helm/prometheus/templates/server-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.server.enabled .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    {{- include "prometheus.server.labels" . | nindent 4 }}
  name: {{ template "prometheus.server.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ template "prometheus.serviceAccountName.server" .
}} 11 | namespace: {{ .Release.Namespace }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "prometheus.server.fullname" . }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/server-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.networkPolicy.enabled }} 3 | apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ template "prometheus.server.fullname" . }} 7 | labels: 8 | {{- include "prometheus.server.labels" . | nindent 4 }} 9 | spec: 10 | podSelector: 11 | matchLabels: 12 | {{- include "prometheus.server.matchLabels" . | nindent 6 }} 13 | ingress: 14 | - ports: 15 | - port: 9090 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/server-pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ template "prometheus.server.fullname" . }} 6 | labels: 7 | {{- include "prometheus.server.labels" . | nindent 4 }} 8 | spec: 9 | maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }} 10 | selector: 11 | matchLabels: 12 | {{- include "prometheus.server.labels" . 
| nindent 6 }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/server-pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if not .Values.server.statefulSet.enabled -}} 3 | {{- if .Values.server.persistentVolume.enabled -}} 4 | {{- if not .Values.server.persistentVolume.existingClaim -}} 5 | apiVersion: v1 6 | kind: PersistentVolumeClaim 7 | metadata: 8 | {{- if .Values.server.persistentVolume.annotations }} 9 | annotations: 10 | {{ toYaml .Values.server.persistentVolume.annotations | indent 4 }} 11 | {{- end }} 12 | labels: 13 | {{- include "prometheus.server.labels" . | nindent 4 }} 14 | name: {{ template "prometheus.server.fullname" . }} 15 | spec: 16 | accessModes: 17 | {{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }} 18 | {{- if .Values.server.persistentVolume.storageClass }} 19 | {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} 20 | storageClassName: "" 21 | {{- else }} 22 | storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" 23 | {{- end }} 24 | {{- end }} 25 | {{- if .Values.server.persistentVolume.volumeBindingMode }} 26 | volumeBindingModeName: "{{ .Values.server.persistentVolume.volumeBindingMode }}" 27 | {{- end }} 28 | resources: 29 | requests: 30 | storage: "{{ .Values.server.persistentVolume.size }}" 31 | {{- end -}} 32 | {{- end -}} 33 | {{- end -}} 34 | {{- end -}} 35 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/server-service-headless.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.server.statefulSet.enabled -}} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | {{- if .Values.server.statefulSet.headless.annotations }} 7 | annotations: 8 | 
{{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} 9 | {{- end }} 10 | labels: 11 | {{- include "prometheus.server.labels" . | nindent 4 }} 12 | {{- if .Values.server.statefulSet.headless.labels }} 13 | {{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} 14 | {{- end }} 15 | name: {{ template "prometheus.server.fullname" . }}-headless 16 | spec: 17 | clusterIP: None 18 | ports: 19 | - name: http 20 | port: {{ .Values.server.statefulSet.headless.servicePort }} 21 | protocol: TCP 22 | targetPort: 9090 23 | selector: 24 | {{- include "prometheus.server.matchLabels" . | nindent 4 }} 25 | {{- end -}} 26 | {{- end -}} 27 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/server-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.serviceAccounts.server.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | {{- include "prometheus.server.labels" . | nindent 4 }} 8 | name: {{ template "prometheus.serviceAccountName.server" . }} 9 | {{- end }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /blueprint/stack/helm/prometheus/templates/server-vpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.server.verticalAutoscaler.enabled -}} 3 | apiVersion: autoscaling.k8s.io/v1beta2 4 | kind: VerticalPodAutoscaler 5 | metadata: 6 | labels: 7 | {{- include "prometheus.server.labels" . | nindent 4 }} 8 | name: {{ template "prometheus.server.fullname" . 
}}-vpa 9 | spec: 10 | targetRef: 11 | {{- if .Values.server.statefulSet.enabled }} 12 | apiVersion: "apps/v1" 13 | kind: StatefulSet 14 | {{- else }} 15 | apiVersion: "extensions/v1beta1" 16 | kind: Deployment 17 | {{- end }} 18 | name: {{ template "prometheus.server.fullname" . }} 19 | updatePolicy: 20 | updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }} 21 | resourcePolicy: 22 | containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} 23 | {{- end -}} {{/* if .Values.server.verticalAutoscaler.enabled */}} 24 | {{- end -}} {{/* .Values.server.enabled */}} 25 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | jobs: 3 | bats-unit-test: 4 | machine: true 5 | steps: 6 | - checkout 7 | - run: make test-image 8 | - run: make test-unit 9 | workflows: 10 | version: 2 11 | build_and_test: 12 | jobs: 13 | - bats-unit-test 14 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .terraform/ 3 | .terraform.tfstate* 4 | terraform.tfstate* 5 | terraform.tfvars 6 | values.dev.yaml 7 | vaul-helm-dev-creds.json 8 | ./test/acceptance/vaul-helm-dev-creds.json 9 | ./test/terraform/vaul-helm-dev-creds.json 10 | ./test/unit/vaul-helm-dev-creds.json 11 | ./test/acceptance/values.yaml 12 | ./test/acceptance/values.yml 13 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/.helmignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .terraform/ 3 | bin/ 4 | test/ 5 | 
-------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: vault 3 | version: 0.3.3 4 | description: Install and configure Vault on Kubernetes. 5 | home: https://www.vaultproject.io 6 | icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png 7 | sources: 8 | - https://github.com/hashicorp/vault 9 | - https://github.com/hashicorp/vault-helm 10 | - https://github.com/hashicorp/vault-k8s 11 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/Makefile: -------------------------------------------------------------------------------- 1 | TEST_IMAGE?=vault-helm-test 2 | 3 | test-image: 4 | @docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) 5 | 6 | test-unit: 7 | @docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/unit 8 | 9 | test-acceptance: 10 | @docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/acceptance 11 | 12 | test-bats: test-unit test-acceptance 13 | 14 | test: test-image test-bats 15 | 16 | 17 | .PHONY: test-docker 18 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Thank you for installing HashiCorp Vault! 3 | 4 | Now that you have deployed Vault, you should look over the docs on using 5 | Vault with Kubernetes available here: 6 | 7 | https://www.vaultproject.io/docs/ 8 | 9 | 10 | Your release is named {{ .Release.Name }}. 
To learn more about the release, try:

  $ helm status {{ .Release.Name }}
  $ helm get {{ .Release.Name }}

--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/templates/injector-clusterrole.yaml:
--------------------------------------------------------------------------------
{{/*
ClusterRole for the Vault Agent injector (rendered when injector.enabled and
global.enabled are both "true"). Review note: patch is granted on every
MutatingWebhookConfiguration in the cluster -- there is no resourceNames
restriction -- so the injector's service account can rewrite other admission
webhooks, not just its own. If the injector only ever updates its own
configuration (confirm against vault-k8s before tightening), restricting the
rule with resourceNames to the chart's -agent-injector-cfg object removes
that exposure.
*/}}
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-clusterrole
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs:
    - "get"
    - "list"
    - "watch"
    - "patch"
{{ end }}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/templates/injector-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-binding
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "vault.fullname" .
}}-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
  name: {{ template "vault.fullname" . }}-agent-injector
  namespace: {{ .Release.Namespace }}
{{ end }}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/templates/injector-mutating-webhook.yaml:
--------------------------------------------------------------------------------
{{/*
Registers the Vault Agent injector as a mutating admission webhook for pod
CREATE/UPDATE. Review notes:
  - No failurePolicy is set, so the API server default for v1beta1 applies
    (Ignore, i.e. fail-open): while the injector is unreachable, pods are
    admitted without injection and start without their secrets. Set
    failurePolicy: Fail where a missing injection must block the pod.
  - With injector.namespaceSelector unset the webhook is invoked for pods in
    every namespace, including kube-system; set a selector to keep the
    control plane out of the injector's path.
  - caBundle is taken verbatim from injector.certs.caBundle; the API server
    trusts whatever is configured here, so it must be the CA that signed the
    injector service certificate and nothing broader.
  - admissionregistration.k8s.io/v1beta1 is deprecated; clusters that only
    serve v1 need the v1 schema.
*/}}
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ template "vault.fullname" . }}-agent-injector-cfg
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
webhooks:
  - name: vault.hashicorp.com
    clientConfig:
      service:
        name: {{ template "vault.fullname" . }}-agent-injector-svc
        namespace: {{ .Release.Namespace }}
        path: "/mutate"
      caBundle: {{ .Values.injector.certs.caBundle }}
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
{{- if .Values.injector.namespaceSelector }}
    namespaceSelector:
{{ toYaml .Values.injector.namespaceSelector | indent 6}}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/templates/injector-service.yaml:
--------------------------------------------------------------------------------
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "vault.fullname" .
}}-agent-injector-svc 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | spec: 12 | ports: 13 | - port: 443 14 | targetPort: 8080 15 | selector: 16 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 17 | app.kubernetes.io/instance: {{ .Release.Name }} 18 | component: webhook 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/templates/injector-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "vault.fullname" . }}-agent-injector 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | {{ end }} 12 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/templates/server-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{ template "vault.mode" . }} 2 | {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }} 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "vault.fullname" . }}-server-binding 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | helm.sh/chart: {{ include "vault.chart" . }} 10 | app.kubernetes.io/name: {{ include "vault.name" . 
}}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: {{ template "vault.fullname" . }}
  namespace: {{ .Release.Namespace }}
{{ end }}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/templates/server-config-configmap.yaml:
--------------------------------------------------------------------------------
{{/*
Renders the operator-supplied Vault server configuration (standalone or ha)
into a ConfigMap; not rendered at all in dev mode or when both config values
are empty. Review notes:
  - disable_mlock = true is prepended unconditionally, so Vault does not lock
    its memory and it can be swapped to disk; that is the usual trade-off for
    containers, but it should be a conscious one.
  - The config goes through tpl, so it may reference chart values. Keep
    storage/seal credentials out of it: a ConfigMap is readable by anyone who
    can get ConfigMaps in the namespace and is not encrypted at rest unless
    the cluster is configured for that.
*/}}
{{ template "vault.mode" . }}
{{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}}
{{ if or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "") -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "vault.fullname" . }}-config
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "vault.chart" . }}
    app.kubernetes.io/name: {{ include "vault.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    {{- if eq .mode "standalone" }}
    {{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
    {{- else if eq .mode "ha" }}
    {{ tpl .Values.server.ha.config . | nindent 4 | trim }}
    {{ end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/templates/server-disruptionbudget.yaml:
--------------------------------------------------------------------------------
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
{{ template "vault.mode" .
}} 4 | {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} 5 | apiVersion: policy/v1beta1 6 | kind: PodDisruptionBudget 7 | metadata: 8 | name: {{ template "vault.fullname" . }} 9 | namespace: {{ .Release.Namespace }} 10 | labels: 11 | helm.sh/chart: {{ include "vault.chart" . }} 12 | app.kubernetes.io/name: {{ include "vault.name" . }} 13 | app.kubernetes.io/instance: {{ .Release.Name }} 14 | app.kubernetes.io/managed-by: {{ .Release.Service }} 15 | spec: 16 | maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/name: {{ include "vault.name" . }} 20 | app.kubernetes.io/instance: {{ .Release.Name }} 21 | component: server 22 | {{- end -}} 23 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/templates/server-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ template "vault.mode" . }} 2 | {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "vault.fullname" . }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | helm.sh/chart: {{ include "vault.chart" . }} 10 | app.kubernetes.io/name: {{ include "vault.name" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | {{ template "vault.serviceAccount.annotations" . 
}}
{{ end }}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/test/acceptance/injector-test/job.yaml:
--------------------------------------------------------------------------------
# Acceptance-test workload for the Vault Agent injector: a one-shot Job whose
# pod receives a dynamic database credential rendered by the agent init
# container (agent-pre-populate-only: init container only, no sidecar) and
# runs pg_dump with it. backoffLimit 0 / restartPolicy Never make a failed
# injection show up as a single failed run instead of a retry loop.
# Review note: the rendered connection string, password included, is expanded
# by the shell into pg_dump's argv, where it is readable by anything that can
# inspect the pod's process list. Acceptable for a throwaway test pod; for
# real workloads prefer PGPASSWORD/PGPASSFILE or a connection service file so
# the secret never appears on a command line.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pgdump
  labels:
    app: pgdump
---
apiVersion: batch/v1
kind: Job
metadata:
  name: pgdump
spec:
  backoffLimit: 0
  template:
    metadata:
      name: pgdump
      labels:
        app: pgdump
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-backup"
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/db-backup" -}}
          postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.acceptance.svc.cluster.local:5432/mydb
          {{- end }}
        vault.hashicorp.com/role: "db-backup"
        vault.hashicorp.com/agent-pre-populate-only: "true"
    spec:
      serviceAccountName: pgdump
      containers:
        - name: pgdump
          image: postgres:11.5
          command:
            - "/bin/sh"
            - "-ec"
          args:
            - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout"
      restartPolicy: Never
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/test/acceptance/injector-test/pgdump-policy.hcl:
--------------------------------------------------------------------------------
# Least-privilege Vault policy for the db-backup role used by job.yaml: read
# the single dynamic-credential path the job needs and nothing else.
path "database/creds/db-backup" {
  capabilities = ["read"]
}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/test/terraform/.gitignore:
--------------------------------------------------------------------------------
vault-helm-dev-creds.json
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/test/terraform/outputs.tf:
--------------------------------------------------------------------------------
output "cluster_id" {
  value = "${google_container_cluster.cluster.id}"
}

output "cluster_name" {
  value = "${google_container_cluster.cluster.name}"
}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/test/terraform/service-account.yaml:
--------------------------------------------------------------------------------
# Test-infrastructure only: a "helm" service account in kube-system bound to
# the built-in cluster-admin ClusterRole (presumably for Tiller; these tests
# predate Helm 3). Review note: cluster-admin is unrestricted control of the
# whole cluster, so this manifest must not be copied into a real deployment;
# a production deployer should be bound to the namespaces and resource types
# it actually manages. rbac.authorization.k8s.io/v1beta1 is deprecated.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: helm
    namespace: kube-system
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-helm-0.3.3/test/terraform/variables.tf:
--------------------------------------------------------------------------------
variable "project" {
  default = "vault-helm-dev-246514"

  description = < 0' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}

@test "injector/ClusterRole: disable with global.enabled" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/injector-clusterrole.yaml \
      --set 'global.enabled=false' \
      .
| tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/test/unit/injector-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/ClusterRoleBinding: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/injector-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ClusterRoleBinding: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/injector-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/test/unit/injector-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/Service: service enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/injector-service.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | 13 | local actual=$(helm template \ 14 | -x templates/injector-service.yaml \ 15 | --set 'injector.enabled=true' \ 16 | . | tee /dev/stderr | 17 | yq 'length > 0' | tee /dev/stderr) 18 | [ "${actual}" = "true" ] 19 | } 20 | 21 | @test "injector/Service: disable with global.enabled false" { 22 | cd `chart_dir` 23 | local actual=$(helm template \ 24 | -x templates/injector-service.yaml \ 25 | --set 'global.enabled=false' \ 26 | . 
| tee /dev/stderr | 27 | yq 'length > 0' | tee /dev/stderr) 28 | [ "${actual}" = "false" ] 29 | 30 | local actual=$(helm template \ 31 | -x templates/injector-service.yaml \ 32 | --set 'global.enabled=false' \ 33 | --set 'injector.enabled=true' \ 34 | . | tee /dev/stderr | 35 | yq 'length > 0' | tee /dev/stderr) 36 | [ "${actual}" = "false" ] 37 | } 38 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/test/unit/injector-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/ServiceAccount: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/injector-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ServiceAccount: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/injector-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /blueprint/stack/helm/vault-helm-0.3.3/test/unit/server-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ServiceAccount: specify annotations" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-serviceaccount.yaml \ 9 | --set 'server.dev.enabled=true' \ 10 | --set 'server.serviceAccount.annotations.foo=bar' \ 11 | . 
| tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "null" ]

  local actual=$(helm template \
      -x templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.serviceAccount.annotations.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "bar" ]

  local actual=$(helm template \
      -x templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "null" ]
}
--------------------------------------------------------------------------------
/blueprint/stack/helm/vault-values.yaml:
--------------------------------------------------------------------------------
# Values for the Vault release in the demo stack.
# Review notes:
#   - server.dev.enabled runs Vault in dev mode: in-memory storage, started
#     unsealed, with a well-known root token. That is what makes the demo
#     zero-touch, and it is also why none of this may be reused outside a
#     throwaway local cluster. The chart renders no server ConfigMap in dev
#     mode, so server.standalone.enabled appears to have no effect while dev
#     is on.
#   - dataStorage.size "512Mb" is not a valid Kubernetes quantity (the binary
#     suffix is "Mi"); it presumably only goes unnoticed because dev mode
#     provisions no volume. Use 512Mi before dev mode is ever turned off.
#   - authDelegator.enabled binds the server service account to
#     system:auth-delegator (needed by the Kubernetes auth method to validate
#     service account tokens).
---
server:
  dataStorage:
    size: 512Mb
  dev:
    enabled: true
  standalone:
    enabled: true
  authDelegator:
    enabled: true
  ui:
    enabled: true
--------------------------------------------------------------------------------
/blueprint/stack/k3s.hcl:
--------------------------------------------------------------------------------
// Single-node k3s cluster for the demo. The image blocks push the listed
// images from the local Docker daemon into k3s when the cluster is created,
// so the pinned tags below are exactly what runs in the cluster.
k8s_cluster "k3s" {
  driver  = "k3s" // default
  version = "v1.0.1"

  nodes = 1 // default

  network {
    name = "network.cloud"
  }

  // push images from local docker to k3s on create
  image {
    name = "hashicorpdemoapp/product-api:v0.0.11"
  }

  image {
    name = "hashicorpdemoapp/product-api-db:v0.0.11"
  }

  image {
    name = "hashicorpdemoapp/frontend:v0.0.3"
  }

  image {
    name = "hashicorpdemoapp/public-api:v0.0.1"
  }

  image {
    name = "jaegertracing/all-in-one:1.13"
  }

  image {
    name = "hashicorp/vault-k8s:0.1.0"
  }

  image {
    name = "vault:1.3.1"
  }

  image {
    name = "consul:1.6.2"
  }

44 | image { 45 | name = "hashicorp/consul-k8s:0.9.2" 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /blueprint/stack/k8s_config.hcl: -------------------------------------------------------------------------------- 1 | k8s_config "application" { 2 | depends_on = ["helm.consul", "helm.vault"] 3 | 4 | cluster = "k8s_cluster.k3s" 5 | paths = ["./k8s_config"] 6 | wait_until_ready = true 7 | 8 | health_check { 9 | timeout = "60s" 10 | pods = ["service=postgres"] 11 | } 12 | } -------------------------------------------------------------------------------- /blueprint/stack/k8s_config/products-db.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: postgres 6 | labels: 7 | app: postgres 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - port: 5432 12 | targetPort: 5432 13 | selector: 14 | app: postgres 15 | 16 | --- 17 | apiVersion: apps/v1 18 | kind: Deployment 19 | metadata: 20 | name: postgres 21 | spec: 22 | replicas: 1 23 | selector: 24 | matchLabels: 25 | service: postgres 26 | app: postgres 27 | template: 28 | metadata: 29 | labels: 30 | service: postgres 31 | app: postgres 32 | annotations: 33 | consul.hashicorp.com/connect-inject: "true" 34 | spec: 35 | containers: 36 | - name: postgres 37 | image: hashicorpdemoapp/product-api-db:v0.0.11 38 | ports: 39 | - containerPort: 5432 40 | env: 41 | - name: POSTGRES_DB 42 | value: products 43 | - name: POSTGRES_USER 44 | value: postgres 45 | - name: POSTGRES_PASSWORD 46 | value: password 47 | volumeMounts: 48 | - mountPath: "/var/lib/postgresql/data" 49 | name: "pgdata" 50 | volumes: 51 | - name: pgdata 52 | emptyDir: {} 53 | -------------------------------------------------------------------------------- /blueprint/stack/k8s_config/public-api.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 
4 | metadata: 5 | name: public-api-service 6 | labels: 7 | app: public-api 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - port: 8080 12 | targetPort: 8080 13 | selector: 14 | app: public-api 15 | 16 | --- 17 | apiVersion: apps/v1 18 | kind: Deployment 19 | metadata: 20 | name: public-api 21 | spec: 22 | replicas: 1 23 | selector: 24 | matchLabels: 25 | service: public-api 26 | app: public-api 27 | template: 28 | metadata: 29 | labels: 30 | service: public-api 31 | app: public-api 32 | annotations: 33 | prometheus.io/scrape: "true" 34 | consul.hashicorp.com/connect-inject: "true" 35 | consul.hashicorp.com/connect-service-upstreams: "products-api:9090" 36 | spec: 37 | containers: 38 | - name: public-api 39 | image: hashicorpdemoapp/public-api:v0.0.1 40 | ports: 41 | - containerPort: 8080 42 | env: 43 | - name: BIND_ADDRESS 44 | value: ":8080" 45 | - name: PRODUCTS_API_URI 46 | value: "http://localhost:9090" -------------------------------------------------------------------------------- /blueprint/stack/network.hcl: -------------------------------------------------------------------------------- 1 | network "cloud" { 2 | subnet = "10.5.0.0/16" 3 | } -------------------------------------------------------------------------------- /blueprint/stack/scripts/products_policy.hcl: -------------------------------------------------------------------------------- 1 | path "database/creds/db-products" { 2 | capabilities = ["read"] 3 | } -------------------------------------------------------------------------------- /cloud/.gitignore: -------------------------------------------------------------------------------- 1 | backend.conf 2 | products.sql -------------------------------------------------------------------------------- /cloud/azure_db/outputs.tf: -------------------------------------------------------------------------------- 1 | output "endpoint" { 2 | value = azurerm_postgresql_server.example.fqdn 3 | } 4 | 5 | output "server" { 6 | value = 
azurerm_postgresql_server.example.name 7 | } 8 | 9 | output "name" { 10 | value = azurerm_postgresql_database.example.name 11 | } -------------------------------------------------------------------------------- /cloud/azure_db/variables.tf: -------------------------------------------------------------------------------- 1 | variable "location" { 2 | type = string 3 | description = "Azure region" 4 | } 5 | 6 | variable "name" { 7 | type = string 8 | description = "Name of database and server" 9 | } 10 | variable "username" { 11 | type = string 12 | description = "Database username" 13 | } 14 | 15 | variable "password" { 16 | type = string 17 | description = "Database password" 18 | } -------------------------------------------------------------------------------- /cloud/gcp_k8s/kubernetes.tf: -------------------------------------------------------------------------------- 1 | resource "google_container_cluster" "engineering" { 2 | provider = google-beta 3 | name = var.cluster_name 4 | location = var.location 5 | 6 | remove_default_node_pool = true 7 | initial_node_count = 1 8 | 9 | master_auth { 10 | username = var.username 11 | password = var.password 12 | 13 | client_certificate_config { 14 | issue_client_certificate = false 15 | } 16 | } 17 | } 18 | 19 | resource "google_container_node_pool" "engineering_preemptible_nodes" { 20 | provider = google-beta 21 | name = "${var.cluster_name}-node-pool" 22 | location = var.location 23 | cluster = google_container_cluster.engineering.name 24 | node_count = 1 25 | 26 | autoscaling { 27 | min_node_count = 1 28 | max_node_count = 3 29 | } 30 | 31 | node_config { 32 | preemptible = true 33 | machine_type = "n1-standard-1" 34 | 35 | metadata = { 36 | disable-legacy-endpoints = "true" 37 | } 38 | 39 | oauth_scopes = [ 40 | "https://www.googleapis.com/auth/logging.write", 41 | "https://www.googleapis.com/auth/monitoring", 42 | ] 43 | } 44 | } -------------------------------------------------------------------------------- 
/cloud/gcp_k8s/variables.tf: -------------------------------------------------------------------------------- 1 | variable "location" { 2 | type = string 3 | description = "Google region to deploy cluster" 4 | } 5 | 6 | variable "cluster_name" { 7 | type = string 8 | description = "Name of cluster" 9 | } 10 | 11 | variable "google_project" { 12 | type = string 13 | description = "Google project to deploy cluster" 14 | } 15 | 16 | variable "username" { 17 | type = string 18 | default = "" 19 | description = "username for cluster" 20 | } 21 | 22 | variable "password" { 23 | type = string 24 | default = "" 25 | description = "password for cluster" 26 | } -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .terraform/ 3 | .terraform.tfstate* 4 | terraform.tfstate* 5 | terraform.tfvars 6 | values.dev.yaml 7 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/.helmignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .terraform/ 3 | bin/ 4 | test/ 5 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: consul 3 | version: 0.16.2 4 | description: Install and configure Consul on Kubernetes. 
5 | home: https://www.consul.io 6 | sources: 7 | - https://github.com/hashicorp/consul 8 | - https://github.com/hashicorp/consul-helm 9 | - https://github.com/hashicorp/consul-k8s 10 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/Makefile: -------------------------------------------------------------------------------- 1 | TEST_IMAGE?=consul-helm-test 2 | 3 | test-docker: 4 | @docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) 5 | 6 | .PHONY: test-docker 7 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Thank you for installing HashiCorp Consul! 3 | 4 | Now that you have deployed Consul, you should look over the docs on using 5 | Consul with Kubernetes available here: 6 | 7 | https://www.consul.io/docs/platform/k8s/index.html 8 | 9 | 10 | Your release is named {{ .Release.Name }}. To learn more about the release, try: 11 | 12 | $ helm status {{ .Release.Name }} 13 | $ helm get {{ .Release.Name }} 14 | 15 | 16 | {{- if (and .Values.global.bootstrapACLs (gt (len .Values.server.extraConfig) 3)) }} 17 | Warning: Defining server extraConfig potentially disrupts the automatic ACL 18 | bootstrapping required settings. This may cause future issues if 19 | there are conflicts. 
20 | {{- end }} 21 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/client-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-client 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | {{- if (or .Values.global.enablePodSecurityPolicies .Values.global.bootstrapACLs) }} 12 | rules: 13 | {{- if .Values.global.enablePodSecurityPolicies }} 14 | - apiGroups: ["policy"] 15 | resources: ["podsecuritypolicies"] 16 | resourceNames: 17 | - {{ template "consul.fullname" . }}-client 18 | verbs: 19 | - use 20 | {{- end }} 21 | {{- if .Values.global.bootstrapACLs }} 22 | - apiGroups: [""] 23 | resources: 24 | - secrets 25 | resourceNames: 26 | - {{ template "consul.fullname" . }}-client-acl-token 27 | verbs: 28 | - get 29 | {{- end }} 30 | {{- else}} 31 | rules: [] 32 | {{- end }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/client-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-client 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . 
}} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "consul.fullname" . }}-client 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "consul.fullname" . }}-client 18 | namespace: {{ .Release.Namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/client-config-configmap.yaml: -------------------------------------------------------------------------------- 1 | # ConfigMap with extra configuration specified directly to the chart 2 | # for client agents only. 3 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-client-config 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | app: {{ template "consul.name" . }} 11 | chart: {{ template "consul.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | data: 15 | extra-from-values.json: |- 16 | {{ tpl .Values.client.extraConfig . 
| trimAll "\"" | indent 4 }} 17 | {{- if (and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled) }} 18 | central-config.json: |- 19 | { 20 | "enable_central_service_config": true 21 | } 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/client-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-client 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/client-snapshot-agent-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.client.snapshotAgent.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-snapshot-agent 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | {{- if not (or .Values.global.enablePodSecurityPolicies .Values.global.bootstrapACLs) }} 13 | rules: [] 14 | {{- else }} 15 | rules: 16 | {{- end }} 17 | {{- if .Values.global.enablePodSecurityPolicies }} 18 | - apiGroups: ["policy"] 19 | resources: ["podsecuritypolicies"] 20 | resourceNames: 21 | - {{ template "consul.fullname" . }}-snapshot-agent 22 | verbs: 23 | - use 24 | {{- end }} 25 | {{- if .Values.global.bootstrapACLs }} 26 | - apiGroups: [""] 27 | resources: 28 | - secrets 29 | resourceNames: 30 | - {{ template "consul.fullname" . }}-client-snapshot-agent-acl-token 31 | verbs: 32 | - get 33 | {{- end }} 34 | {{- else }} 35 | {{- end }} 36 | {{- end }} 37 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/client-snapshot-agent-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.client.snapshotAgent.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-snapshot-agent 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "consul.fullname" . }}-snapshot-agent 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . 
}}-snapshot-agent 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/client-snapshot-agent-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.client.snapshotAgent.enabled }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-snapshot-agent 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/connect-inject-authmethod-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | rules: 13 | - apiGroups: [""] 14 | resources: 15 | - serviceaccounts 16 | verbs: 17 | - get 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/connect-inject-authmethod-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/connect-inject-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. 2 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-webhook 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | rules: 13 | - apiGroups: ["admissionregistration.k8s.io"] 14 | resources: ["mutatingwebhookconfigurations"] 15 | verbs: 16 | - "get" 17 | - "list" 18 | - "watch" 19 | - "patch" 20 | {{- if .Values.global.enablePodSecurityPolicies }} 21 | - apiGroups: ["policy"] 22 | resources: ["podsecuritypolicies"] 23 | resourceNames: 24 | - {{ template "consul.fullname" . }}-connect-injector-webhook 25 | verbs: 26 | - use 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/connect-inject-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-connect-injector-webhook-admin-role-binding 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "consul.fullname" . }}-connect-injector-webhook 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "consul.fullname" . 
}}-connect-injector-webhook-svc-account 18 | namespace: {{ .Release.Namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/connect-inject-service.yaml: -------------------------------------------------------------------------------- 1 | # The service for the Connect sidecar injector 2 | {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-connect-injector-svc 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | spec: 14 | ports: 15 | - port: 443 16 | targetPort: 8080 17 | selector: 18 | app: {{ template "consul.name" . }} 19 | release: "{{ .Release.Name }}" 20 | component: connect-injector 21 | {{- end }} 22 | 23 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/connect-inject-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/dns-service.yaml: -------------------------------------------------------------------------------- 1 | # Service for Consul DNS. 2 | {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-dns 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- if .Values.dns.annotations }} 14 | annotations: 15 | {{ tpl .Values.dns.annotations . | nindent 4 | trim }} 16 | {{- end }} 17 | spec: 18 | {{- if .Values.dns.clusterIP }} 19 | clusterIP: {{ .Values.dns.clusterIP }} 20 | {{- end }} 21 | ports: 22 | - name: dns-tcp 23 | port: 53 24 | protocol: "TCP" 25 | targetPort: dns-tcp 26 | - name: dns-udp 27 | port: 53 28 | protocol: "UDP" 29 | targetPort: dns-udp 30 | selector: 31 | app: {{ template "consul.name" . 
}} 32 | release: "{{ .Release.Name }}" 33 | hasDNS: "true" 34 | {{- end }} 35 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/enterprise-license-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-enterprise-license 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "consul.fullname" . }}-enterprise-license 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . }}-enterprise-license 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/enterprise-license-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-enterprise-license 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . 
}} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/mesh-gateway-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.meshGateway.enabled }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-mesh-gateway 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | component: mesh-gateway 12 | {{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies }} 13 | rules: 14 | {{- if .Values.global.enablePodSecurityPolicies }} 15 | - apiGroups: ["policy"] 16 | resources: ["podsecuritypolicies"] 17 | resourceNames: 18 | - {{ template "consul.fullname" . }}-mesh-gateway 19 | verbs: 20 | - use 21 | {{- end }} 22 | {{- if .Values.global.bootstrapACLs }} 23 | - apiGroups: [""] 24 | resources: 25 | - secrets 26 | resourceNames: 27 | - {{ template "consul.fullname" . }}-mesh-gateway-acl-token 28 | verbs: 29 | - get 30 | {{- end }} 31 | {{- else }} 32 | rules: [] 33 | {{- end }} 34 | {{- end }} 35 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/mesh-gateway-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.meshGateway.enabled }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-mesh-gateway 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . 
}} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | component: mesh-gateway 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "consul.fullname" . }}-mesh-gateway 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . }}-mesh-gateway 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/mesh-gateway-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-mesh-gateway 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | component: mesh-gateway 12 | spec: 13 | privileged: false 14 | # Required to prevent escalations to root. 15 | allowPrivilegeEscalation: false 16 | # This is redundant with non-root + disallow privilege escalation, 17 | # but we can provide it for defense in depth. 18 | requiredDropCapabilities: 19 | - ALL 20 | # Allow core volume types. 
21 | volumes: 22 | - 'configMap' 23 | - 'emptyDir' 24 | - 'projected' 25 | - 'secret' 26 | - 'downwardAPI' 27 | hostNetwork: false 28 | hostIPC: false 29 | hostPID: false 30 | runAsUser: 31 | rule: 'RunAsAny' 32 | seLinux: 33 | rule: 'RunAsAny' 34 | supplementalGroups: 35 | rule: 'RunAsAny' 36 | fsGroup: 37 | rule: 'RunAsAny' 38 | readOnlyRootFilesystem: false 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/mesh-gateway-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.meshGateway.enabled .Values.meshGateway.service.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-mesh-gateway 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | component: mesh-gateway 13 | {{- if .Values.meshGateway.service.annotations }} 14 | annotations: 15 | {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} 16 | {{- end }} 17 | spec: 18 | selector: 19 | app: {{ template "consul.name" . }} 20 | release: "{{ .Release.Name }}" 21 | component: mesh-gateway 22 | ports: 23 | - name: gateway 24 | port: {{ .Values.meshGateway.service.port }} 25 | targetPort: {{ .Values.meshGateway.containerPort }} 26 | {{- if .Values.meshGateway.service.nodePort }} 27 | nodePort: {{ .Values.meshGateway.service.nodePort }} 28 | {{- end}} 29 | type: {{ .Values.meshGateway.service.type }} 30 | {{- if .Values.meshGateway.service.additionalSpec }} 31 | {{ tpl .Values.meshGateway.service.additionalSpec . 
| nindent 2 | trim }} 32 | {{- end }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/mesh-gateway-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.meshGateway.enabled }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-mesh-gateway 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | component: mesh-gateway 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-acl-init-cleanup-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-server-acl-init-cleanup 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | rules: 13 | - apiGroups: ["batch"] 14 | resources: ["jobs"] 15 | verbs: ["get", "delete"] 16 | {{- if .Values.global.enablePodSecurityPolicies }} 17 | - apiGroups: ["policy"] 18 | resources: ["podsecuritypolicies"] 19 | resourceNames: 20 | - {{ template "consul.fullname" . 
}}-server-acl-init-cleanup 21 | verbs: 22 | - use 23 | {{- end }} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-acl-init-cleanup-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-server-acl-init-cleanup 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "consul.fullname" . }}-server-acl-init-cleanup 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . }}-server-acl-init-cleanup 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | {{- if .Values.global.enablePodSecurityPolicies }} 4 | apiVersion: policy/v1beta1 5 | kind: PodSecurityPolicy 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-server-acl-init-cleanup 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | spec: 14 | privileged: false 15 | # Allow core volume types. 16 | volumes: 17 | - 'secret' 18 | allowPrivilegeEscalation: false 19 | # This is redundant with non-root + disallow privilege escalation, 20 | # but we can provide it for defense in depth. 21 | requiredDropCapabilities: 22 | - ALL 23 | hostNetwork: false 24 | hostIPC: false 25 | hostPID: false 26 | runAsUser: 27 | rule: 'RunAsAny' 28 | seLinux: 29 | rule: 'RunAsAny' 30 | supplementalGroups: 31 | rule: 'RunAsAny' 32 | fsGroup: 33 | rule: 'RunAsAny' 34 | readOnlyRootFilesystem: false 35 | {{- end }} 36 | {{- end }} 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-acl-init-cleanup-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-server-acl-init-cleanup 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-acl-init-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-server-acl-init 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "consul.fullname" . }}-server-acl-init 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . }}-server-acl-init 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-acl-init-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | {{- if .Values.global.enablePodSecurityPolicies }} 4 | apiVersion: policy/v1beta1 5 | kind: PodSecurityPolicy 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-server-acl-init 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | spec: 14 | privileged: false 15 | # Allow core volume types. 16 | volumes: 17 | - 'secret' 18 | allowPrivilegeEscalation: false 19 | # This is redundant with non-root + disallow privilege escalation, 20 | # but we can provide it for defense in depth. 21 | requiredDropCapabilities: 22 | - ALL 23 | hostNetwork: false 24 | hostIPC: false 25 | hostPID: false 26 | runAsUser: 27 | rule: 'RunAsAny' 28 | seLinux: 29 | rule: 'RunAsAny' 30 | supplementalGroups: 31 | rule: 'RunAsAny' 32 | fsGroup: 33 | rule: 'RunAsAny' 34 | readOnlyRootFilesystem: false 35 | {{- end }} 36 | {{- end }} 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-acl-init-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.bootstrapACLs }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-server-acl-init 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-server 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | {{- if .Values.global.enablePodSecurityPolicies }} 12 | rules: 13 | - apiGroups: ["policy"] 14 | resources: ["podsecuritypolicies"] 15 | resourceNames: 16 | - {{ template "consul.fullname" . }}-server 17 | verbs: 18 | - use 19 | {{- else }} 20 | rules: [] 21 | {{- end }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-server 6 | labels: 7 | app: {{ template "consul.name" . }} 8 | chart: {{ template "consul.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "consul.fullname" . 
}}-server 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "consul.fullname" . }}-server 18 | namespace: {{ .Release.Namespace }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-disruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | # PodDisruptionBudget to prevent degrading the server cluster through 2 | # voluntary cluster changes. 3 | {{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} 4 | apiVersion: policy/v1beta1 5 | kind: PodDisruptionBudget 6 | metadata: 7 | name: {{ template "consul.fullname" . }}-server 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | app: {{ template "consul.name" . }} 11 | chart: {{ template "consul.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | spec: 15 | maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} 16 | selector: 17 | matchLabels: 18 | app: {{ template "consul.name" . }} 19 | release: "{{ .Release.Name }}" 20 | component: server 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/server-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "consul.fullname" . }}-server 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/sync-catalog-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if $syncEnabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-sync-catalog 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "consul.fullname" . }}-sync-catalog 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "consul.fullname" . }}-sync-catalog 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/sync-catalog-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if $syncEnabled }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-sync-catalog 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/tls-init-cleanup-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.tls.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-tls-init-cleanup 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | rules: 14 | - apiGroups: [""] 15 | resources: 16 | - secrets 17 | resourceNames: 18 | - {{ template "consul.fullname" . }}-ca-cert 19 | - {{ template "consul.fullname" . }}-ca-key 20 | - {{ template "consul.fullname" . }}-server-cert 21 | verbs: 22 | - delete 23 | {{- if .Values.global.enablePodSecurityPolicies }} 24 | - apiGroups: ["policy"] 25 | resources: 26 | - podsecuritypolicies 27 | verbs: 28 | - use 29 | resourceNames: 30 | - {{ template "consul.fullname" . 
}}-tls-init-cleanup 31 | {{- end }} 32 | {{- end }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/tls-init-cleanup-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.tls.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-tls-init-cleanup 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: {{ template "consul.fullname" . }}-tls-init-cleanup 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ template "consul.fullname" . }}-tls-init-cleanup 20 | namespace: {{ .Release.Namespace }} 21 | {{- end }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/tls-init-cleanup-podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) }} 3 | apiVersion: policy/v1beta1 4 | kind: PodSecurityPolicy 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-tls-init-cleanup 7 | labels: 8 | app: {{ template "consul.name" . }} 9 | chart: {{ template "consul.chart" . 
}} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | spec: 13 | privileged: false 14 | # Required to prevent escalations to root. 15 | allowPrivilegeEscalation: false 16 | # This is redundant with non-root + disallow privilege escalation, 17 | # but we can provide it for defense in depth. 18 | requiredDropCapabilities: 19 | - ALL 20 | # Allow core volume types. 21 | volumes: 22 | - 'secret' 23 | hostNetwork: false 24 | hostIPC: false 25 | hostPID: false 26 | runAsUser: 27 | rule: 'RunAsAny' 28 | seLinux: 29 | rule: 'RunAsAny' 30 | supplementalGroups: 31 | rule: 'RunAsAny' 32 | fsGroup: 33 | rule: 'RunAsAny' 34 | readOnlyRootFilesystem: false 35 | {{- end }} 36 | {{- end }} 37 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/tls-init-cleanup-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.tls.enabled }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-tls-init-cleanup 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/tls-init-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.tls.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-tls-init 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | annotations: 14 | "helm.sh/hook": pre-install,pre-upgrade 15 | "helm.sh/hook-delete-policy": before-hook-creation 16 | rules: 17 | - apiGroups: [""] 18 | resources: 19 | - secrets 20 | verbs: 21 | - create 22 | {{- if .Values.global.enablePodSecurityPolicies }} 23 | - apiGroups: ["policy"] 24 | resources: 25 | - podsecuritypolicies 26 | verbs: 27 | - use 28 | resourceNames: 29 | - {{ template "consul.fullname" . }}-tls-init 30 | {{- end }} 31 | {{- end }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/tls-init-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.tls.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "consul.fullname" . 
}}-tls-init 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | annotations: 14 | "helm.sh/hook": pre-install,pre-upgrade 15 | "helm.sh/hook-delete-policy": before-hook-creation 16 | roleRef: 17 | apiGroup: rbac.authorization.k8s.io 18 | kind: ClusterRole 19 | name: {{ template "consul.fullname" . }}-tls-init 20 | subjects: 21 | - kind: ServiceAccount 22 | name: {{ template "consul.fullname" . }}-tls-init 23 | namespace: {{ .Release.Namespace }} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/templates/tls-init-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} 2 | {{- if .Values.global.tls.enabled }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "consul.fullname" . }}-tls-init 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | app: {{ template "consul.name" . }} 10 | chart: {{ template "consul.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | annotations: 14 | "helm.sh/hook": pre-install,pre-upgrade 15 | "helm.sh/hook-delete-policy": before-hook-creation 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/test/acceptance/server.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server: default, comes up healthy" { 6 | helm_install 7 | wait_for_ready $(name_prefix)-consul-server-0 8 | 9 | # Verify there are three servers 10 | local server_count=$(kubectl exec "$(name_prefix)-consul-server-0" consul members | 11 | grep server | 12 | wc -l) 13 | [ "${server_count}" -eq "3" ] 14 | 15 | helm test consul 16 | 17 | # Clean up 18 | helm_delete 19 | } 20 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/test/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | output "cluster_id" { 2 | value = google_container_cluster.cluster.id 3 | } 4 | 5 | output "cluster_name" { 6 | value = google_container_cluster.cluster.name 7 | } 8 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/test/terraform/service-account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: helm 5 | namespace: kube-system 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRoleBinding 9 | metadata: 10 | name: helm 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: cluster-admin 15 | subjects: 16 | - kind: ServiceAccount 17 | name: helm 18 | namespace: kube-system 19 | 
-------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/test/terraform/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | description = < 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "meshGateway/PodSecurityPolicy: enabled with meshGateway, connectInject and client.grpc enabled and global.enablePodSecurityPolicies=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/mesh-gateway-podsecuritypolicy.yaml \ 18 | --set 'meshGateway.enabled=true' \ 19 | --set 'connectInject.enabled=true' \ 20 | --set 'client.grpc=true' \ 21 | --set 'global.enablePodSecurityPolicies=true' \ 22 | . | tee /dev/stderr | 23 | yq 'length > 0' | tee /dev/stderr) 24 | [ "${actual}" = "true" ] 25 | } 26 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/test/unit/mesh-gateway-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "meshGateway/ServiceAccount: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/mesh-gateway-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "meshGateway/ServiceAccount: enabled with meshGateway, connectInject and client.grpc enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/mesh-gateway-serviceaccount.yaml \ 18 | --set 'meshGateway.enabled=true' \ 19 | --set 'connectInject.enabled=true' \ 20 | --set 'client.grpc=true' \ 21 | . 
| tee /dev/stderr | 22 | yq 'length > 0' | tee /dev/stderr) 23 | [ "${actual}" = "true" ] 24 | } 25 | 26 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/test/unit/server-podsecuritypolicy.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/PodSecurityPolicy: disabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-podsecuritypolicy.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "false" ] 12 | } 13 | 14 | @test "server/PodSecurityPolicy: disabled with server disabled and global.enablePodSecurityPolicies=true" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/server-podsecuritypolicy.yaml \ 18 | --set 'server.enabled=false' \ 19 | --set 'global.enablePodSecurityPolicies=true' \ 20 | . | tee /dev/stderr | 21 | yq 'length > 0' | tee /dev/stderr) 22 | [ "${actual}" = "false" ] 23 | } 24 | 25 | @test "server/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" { 26 | cd `chart_dir` 27 | local actual=$(helm template \ 28 | -x templates/server-podsecuritypolicy.yaml \ 29 | --set 'global.enablePodSecurityPolicies=true' \ 30 | . | tee /dev/stderr | 31 | yq -s 'length > 0' | tee /dev/stderr) 32 | [ "${actual}" = "true" ] 33 | } 34 | -------------------------------------------------------------------------------- /cloud/helm/consul-helm-0.16.2/test/unit/test-runner.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "testRunner/Pod: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/tests/test-runner.yaml \ 9 | . 
| tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "testRunner/Pod: disabled when tests.enabled=false" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/tests/test-runner.yaml \ 18 | --set 'tests.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | jobs: 3 | bats-unit-test: 4 | machine: true 5 | steps: 6 | - checkout 7 | - run: make test-image 8 | - run: make test-unit 9 | workflows: 10 | version: 2 11 | build_and_test: 12 | jobs: 13 | - bats-unit-test 14 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .terraform/ 3 | .terraform.tfstate* 4 | terraform.tfstate* 5 | terraform.tfvars 6 | values.dev.yaml 7 | vaul-helm-dev-creds.json 8 | ./test/acceptance/vaul-helm-dev-creds.json 9 | ./test/terraform/vaul-helm-dev-creds.json 10 | ./test/unit/vaul-helm-dev-creds.json 11 | ./test/acceptance/values.yaml 12 | ./test/acceptance/values.yml 13 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/.helmignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .terraform/ 3 | bin/ 4 | test/ 5 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: vault 3 | version: 0.3.3 4 | description: Install and configure Vault on Kubernetes. 
5 | home: https://www.vaultproject.io 6 | icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png 7 | sources: 8 | - https://github.com/hashicorp/vault 9 | - https://github.com/hashicorp/vault-helm 10 | - https://github.com/hashicorp/vault-k8s 11 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/Makefile: -------------------------------------------------------------------------------- 1 | TEST_IMAGE?=vault-helm-test 2 | 3 | test-image: 4 | @docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) 5 | 6 | test-unit: 7 | @docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/unit 8 | 9 | test-acceptance: 10 | @docker run -it -v ${PWD}:/helm-test vault-helm-test bats /helm-test/test/acceptance 11 | 12 | test-bats: test-unit test-acceptance 13 | 14 | test: test-image test-bats 15 | 16 | 17 | .PHONY: test-docker 18 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | Thank you for installing HashiCorp Vault! 3 | 4 | Now that you have deployed Vault, you should look over the docs on using 5 | Vault with Kubernetes available here: 6 | 7 | https://www.vaultproject.io/docs/ 8 | 9 | 10 | Your release is named {{ .Release.Name }}. 
To learn more about the release, try: 11 | 12 | $ helm status {{ .Release.Name }} 13 | $ helm get {{ .Release.Name }} 14 | 15 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/injector-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ template "vault.fullname" . }}-agent-injector-clusterrole 6 | labels: 7 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | rules: 11 | - apiGroups: ["admissionregistration.k8s.io"] 12 | resources: ["mutatingwebhookconfigurations"] 13 | verbs: 14 | - "get" 15 | - "list" 16 | - "watch" 17 | - "patch" 18 | {{ end }} 19 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/injector-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "vault.fullname" . }}-agent-injector-binding 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "vault.fullname" . }}-agent-injector-clusterrole 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "vault.fullname" . 
}}-agent-injector 18 | namespace: {{ .Release.Namespace }} 19 | {{ end }} 20 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/injector-mutating-webhook.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} 2 | apiVersion: admissionregistration.k8s.io/v1beta1 3 | kind: MutatingWebhookConfiguration 4 | metadata: 5 | name: {{ template "vault.fullname" . }}-agent-injector-cfg 6 | labels: 7 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | webhooks: 11 | - name: vault.hashicorp.com 12 | clientConfig: 13 | service: 14 | name: {{ template "vault.fullname" . }}-agent-injector-svc 15 | namespace: {{ .Release.Namespace }} 16 | path: "/mutate" 17 | caBundle: {{ .Values.injector.certs.caBundle }} 18 | rules: 19 | - operations: ["CREATE", "UPDATE"] 20 | apiGroups: [""] 21 | apiVersions: ["v1"] 22 | resources: ["pods"] 23 | {{- if .Values.injector.namespaceSelector }} 24 | namespaceSelector: 25 | {{ toYaml .Values.injector.namespaceSelector | indent 6}} 26 | {{ end }} 27 | {{ end }} 28 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/injector-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "vault.fullname" . }}-agent-injector-svc 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "vault.name" . 
}}-agent-injector 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | spec: 12 | ports: 13 | - port: 443 14 | targetPort: 8080 15 | selector: 16 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 17 | app.kubernetes.io/instance: {{ .Release.Name }} 18 | component: webhook 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/injector-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "vault.fullname" . }}-agent-injector 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service }} 11 | {{ end }} 12 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/server-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{ template "vault.mode" . }} 2 | {{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.authDelegator.enabled | toString) "true")) }} 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "vault.fullname" . }}-server-binding 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | helm.sh/chart: {{ include "vault.chart" . }} 10 | app.kubernetes.io/name: {{ include "vault.name" . 
}} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: system:auth-delegator 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ template "vault.fullname" . }} 20 | namespace: {{ .Release.Namespace }} 21 | {{ end }} 22 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/server-config-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{ template "vault.mode" . }} 2 | {{- if and (eq (.Values.global.enabled | toString) "true") (ne .mode "dev") -}} 3 | {{ if or (ne .Values.server.standalone.config "") (ne .Values.server.ha.config "") -}} 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ template "vault.fullname" . }}-config 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | helm.sh/chart: {{ include "vault.chart" . }} 11 | app.kubernetes.io/name: {{ include "vault.name" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | app.kubernetes.io/managed-by: {{ .Release.Service }} 14 | data: 15 | extraconfig-from-values.hcl: |- 16 | disable_mlock = true 17 | {{- if eq .mode "standalone" }} 18 | {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} 19 | {{- else if eq .mode "ha" }} 20 | {{ tpl .Values.server.ha.config . | nindent 4 | trim }} 21 | {{ end }} 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/server-disruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | # PodDisruptionBudget to prevent degrading the server cluster through 2 | # voluntary cluster changes. 3 | {{ template "vault.mode" . 
}} 4 | {{- if and (and (eq (.Values.global.enabled | toString) "true") (eq .mode "ha")) (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} 5 | apiVersion: policy/v1beta1 6 | kind: PodDisruptionBudget 7 | metadata: 8 | name: {{ template "vault.fullname" . }} 9 | namespace: {{ .Release.Namespace }} 10 | labels: 11 | helm.sh/chart: {{ include "vault.chart" . }} 12 | app.kubernetes.io/name: {{ include "vault.name" . }} 13 | app.kubernetes.io/instance: {{ .Release.Name }} 14 | app.kubernetes.io/managed-by: {{ .Release.Service }} 15 | spec: 16 | maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/name: {{ include "vault.name" . }} 20 | app.kubernetes.io/instance: {{ .Release.Name }} 21 | component: server 22 | {{- end -}} 23 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/templates/server-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ template "vault.mode" . }} 2 | {{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ template "vault.fullname" . }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | helm.sh/chart: {{ include "vault.chart" . }} 10 | app.kubernetes.io/name: {{ include "vault.name" . }} 11 | app.kubernetes.io/instance: {{ .Release.Name }} 12 | app.kubernetes.io/managed-by: {{ .Release.Service }} 13 | {{ template "vault.serviceAccount.annotations" . 
}} 14 | {{ end }} 15 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/acceptance/injector-test/job.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: pgdump 6 | labels: 7 | app: pgdump 8 | --- 9 | apiVersion: batch/v1 10 | kind: Job 11 | metadata: 12 | name: pgdump 13 | spec: 14 | backoffLimit: 0 15 | template: 16 | metadata: 17 | name: pgdump 18 | labels: 19 | app: pgdump 20 | annotations: 21 | vault.hashicorp.com/agent-inject: "true" 22 | vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/db-backup" 23 | vault.hashicorp.com/agent-inject-template-db-creds: | 24 | {{- with secret "database/creds/db-backup" -}} 25 | postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.acceptance.svc.cluster.local:5432/mydb 26 | {{- end }} 27 | vault.hashicorp.com/role: "db-backup" 28 | vault.hashicorp.com/agent-pre-populate-only: "true" 29 | spec: 30 | serviceAccountName: pgdump 31 | containers: 32 | - name: pgdump 33 | image: postgres:11.5 34 | command: 35 | - "/bin/sh" 36 | - "-ec" 37 | args: 38 | - "/usr/bin/pg_dump $(cat /vault/secrets/db-creds) --no-owner > /dev/stdout" 39 | restartPolicy: Never 40 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/acceptance/injector-test/pgdump-policy.hcl: -------------------------------------------------------------------------------- 1 | path "database/creds/db-backup" { 2 | capabilities = ["read"] 3 | } 4 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/terraform/.gitignore: -------------------------------------------------------------------------------- 1 | vault-helm-dev-creds.json 2 | -------------------------------------------------------------------------------- 
/cloud/helm/vault-helm-0.3.3/test/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | output "cluster_id" { 2 | value = "${google_container_cluster.cluster.id}" 3 | } 4 | 5 | output "cluster_name" { 6 | value = "${google_container_cluster.cluster.name}" 7 | } 8 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/terraform/service-account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: helm 5 | namespace: kube-system 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1beta1 8 | kind: ClusterRoleBinding 9 | metadata: 10 | name: helm 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: cluster-admin 15 | subjects: 16 | - kind: ServiceAccount 17 | name: helm 18 | namespace: kube-system 19 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/terraform/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | default = "vault-helm-dev-246514" 3 | 4 | description = < 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ClusterRole: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/injector-clusterrole.yaml \ 18 | --set 'global.enabled=false' \ 19 | . 
| tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/unit/injector-clusterrolebinding.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/ClusterRoleBinding: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/injector-clusterrolebinding.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ClusterRoleBinding: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/injector-clusterrolebinding.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/unit/injector-service.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/Service: service enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/injector-service.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | 13 | local actual=$(helm template \ 14 | -x templates/injector-service.yaml \ 15 | --set 'injector.enabled=true' \ 16 | . | tee /dev/stderr | 17 | yq 'length > 0' | tee /dev/stderr) 18 | [ "${actual}" = "true" ] 19 | } 20 | 21 | @test "injector/Service: disable with global.enabled false" { 22 | cd `chart_dir` 23 | local actual=$(helm template \ 24 | -x templates/injector-service.yaml \ 25 | --set 'global.enabled=false' \ 26 | . 
| tee /dev/stderr | 27 | yq 'length > 0' | tee /dev/stderr) 28 | [ "${actual}" = "false" ] 29 | 30 | local actual=$(helm template \ 31 | -x templates/injector-service.yaml \ 32 | --set 'global.enabled=false' \ 33 | --set 'injector.enabled=true' \ 34 | . | tee /dev/stderr | 35 | yq 'length > 0' | tee /dev/stderr) 36 | [ "${actual}" = "false" ] 37 | } 38 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/unit/injector-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "injector/ServiceAccount: enabled by default" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/injector-serviceaccount.yaml \ 9 | . | tee /dev/stderr | 10 | yq 'length > 0' | tee /dev/stderr) 11 | [ "${actual}" = "true" ] 12 | } 13 | 14 | @test "injector/ServiceAccount: disable with global.enabled" { 15 | cd `chart_dir` 16 | local actual=$(helm template \ 17 | -x templates/injector-serviceaccount.yaml \ 18 | --set 'global.enabled=false' \ 19 | . | tee /dev/stderr | 20 | yq 'length > 0' | tee /dev/stderr) 21 | [ "${actual}" = "false" ] 22 | } 23 | -------------------------------------------------------------------------------- /cloud/helm/vault-helm-0.3.3/test/unit/server-serviceaccount.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | 3 | load _helpers 4 | 5 | @test "server/ServiceAccount: specify annotations" { 6 | cd `chart_dir` 7 | local actual=$(helm template \ 8 | -x templates/server-serviceaccount.yaml \ 9 | --set 'server.dev.enabled=true' \ 10 | --set 'server.serviceAccount.annotations.foo=bar' \ 11 | . 
| tee /dev/stderr | 12 | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) 13 | [ "${actual}" = "null" ] 14 | 15 | local actual=$(helm template \ 16 | -x templates/server-serviceaccount.yaml \ 17 | --set 'server.ha.enabled=true' \ 18 | --set 'server.serviceAccount.annotations.foo=bar' \ 19 | . | tee /dev/stderr | 20 | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) 21 | [ "${actual}" = "bar" ] 22 | 23 | local actual=$(helm template \ 24 | -x templates/server-serviceaccount.yaml \ 25 | --set 'server.ha.enabled=true' \ 26 | . | tee /dev/stderr | 27 | yq -r '.metadata.annotations["foo"]' | tee /dev/stderr) 28 | [ "${actual}" = "null" ] 29 | } 30 | -------------------------------------------------------------------------------- /cloud/helm/vault-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | server: 3 | dataStorage: 4 | size: 512Mb 5 | dev: 6 | enabled: true 7 | standalone: 8 | enabled: true 9 | authDelegator: 10 | enabled: true 11 | ui: 12 | enabled: true 13 | -------------------------------------------------------------------------------- /cloud/local.auto.tfvars: -------------------------------------------------------------------------------- 1 | gcp = { 2 | project = "hc-da-test" 3 | location = "us-central1-f" 4 | } 5 | 6 | azure = { 7 | location = "Central US" 8 | } 9 | 10 | service = "demoapp" 11 | 12 | db_username = "postgres" -------------------------------------------------------------------------------- /cloud/local.backend: -------------------------------------------------------------------------------- 1 | hostname = "app.terraform.io" 2 | organization = "hashicorp-team-demo" 3 | 4 | workspaces { 5 | name = "hashicorp-demoapp" 6 | } -------------------------------------------------------------------------------- /cloud/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = "~>0.12" 3 | backend "remote" {} 4 | } 5 
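provider "google" {
  version = "~> 3.10"
  project = var.gcp.project
}

provider "google-beta" {
  version = "~> 3.12"
  project = var.gcp.project
}

provider "azurerm" {
  version = "~> 2.0"
  features {}
}

module "kubernetes" {
  source         = "./gcp_k8s"
  location       = var.gcp.location
  google_project = var.gcp.project
  cluster_name   = var.service
  username       = "admin"
  # NOTE(review): var.db_password is also the database credential in the
  # module below, so one secret guards two unrelated trust boundaries and the
  # two cannot be rotated independently; a dedicated variable per credential
  # is preferable. What ./gcp_k8s does with username/password is not visible
  # from this file — confirm before changing.
  password       = var.db_password
}

module "database" {
  source   = "./azure_db"
  location = var.azure.location
  name     = var.service
  username = var.db_username
  password = var.db_password
}
--------------------------------------------------------------------------------
/cloud/outputs.tf:
--------------------------------------------------------------------------------
# Root-module outputs. The credential outputs are flagged sensitive so they are
# redacted from plan/apply output; the "terraform" policies under cloud/policy
# check that db_password and db_username keep that flag.
output "db_name" {
  value = module.database.name
}

output "db_endpoint" {
  value = module.database.endpoint
}

output "db_username" {
  value     = var.db_username
  sensitive = true
}

output "db_password" {
  value     = var.db_password
  sensitive = true
}

output "db_server" {
  value = module.database.server
}

output "google_location" {
  value = var.gcp.location
}

output "cluster_name" {
  value = var.service
}
--------------------------------------------------------------------------------
/cloud/policy/opa/azure.rego:
--------------------------------------------------------------------------------
package main

import data.azure.database.length_of_database_server_password
import data.azure.database.number_of_non_permissive_database_firewall_rules
import data.azure.database.plan_will_delete_protected_resources
import data.azure.database.number_of_resources_missing_tags

# Terraform addresses that a plan must never destroy.
do_not_delete_these_resources = ["module.database.azurerm_postgresql_database.example"]

deny[msg] {
  plan_will_delete_protected_resources(do_not_delete_these_resources)
  msg = sprintf("plan will delete a protected resource: %v", [do_not_delete_these_resources[_]])
}

deny[msg] {
  count(number_of_resources_missing_tags[_]) > 0
  msg = sprintf("resource %v must have tags", [number_of_resources_missing_tags[_]])
}

deny[msg] {
  count(number_of_non_permissive_database_firewall_rules[_]) > 0
  msg = "database firewall must have specific CIDR and avoid 0.0.0.0-255.255.255.255"
}

# The message promises an 8-128 character range but only the lower bound was
# enforced. Rego has no in-body disjunction, so the upper bound is a second
# body of the same partial rule with the same message.
deny[msg] {
  length_of_database_server_password[_] < 8
  msg = "database server password must be between 8 and 128 characters. see https://docs.microsoft.com/en-us/azure/postgresql/quickstart-create-server-database-portal"
}

deny[msg] {
  length_of_database_server_password[_] > 128
  msg = "database server password must be between 8 and 128 characters. see https://docs.microsoft.com/en-us/azure/postgresql/quickstart-create-server-database-portal"
}
--------------------------------------------------------------------------------
/cloud/policy/opa/azure/azure.rego:
--------------------------------------------------------------------------------
package azure.database

# Planned resources (child modules only; the root module's own resources are
# not walked) owned by the azurerm provider.
azure[r] {
  resources := input.planned_values.root_module.child_modules[_].resources[_]
  resources.provider_name == "azurerm"
  r := resources
}

# Entries of resource_changes owned by the azurerm provider.
azure_resource_changes[r] {
  resources := input.resource_changes[_]
  resources.provider_name == "azurerm"
  r := resources
}
--------------------------------------------------------------------------------
/cloud/policy/opa/azure/policy.rego:
--------------------------------------------------------------------------------
package azure.database

# True when any address in do_not_delete_these_resources appears in
# resource_changes with a "delete" action.
plan_will_delete_protected_resources(do_not_delete_these_resources) {
  types := [res | res := azure_resource_changes[_]; res.address == do_not_delete_these_resources[_]]
  r := [res.address | res := types[_]; res.change.actions[_] == "delete"]
  count(r) > 0
}

# Addresses of azurerm resources whose planned tags are null.
number_of_resources_missing_tags[r] {
  r := [res.address | res := azure[_]; is_null(res.values.tags)]
}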
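--------------------------------------------------------------------------------
/cloud/policy/opa/azure/security.rego:
--------------------------------------------------------------------------------
package azure.database

# Firewall rules that open the whole IPv4 space: start 0.0.0.0 AND end
# 255.255.255.255. A rule that is merely very wide (e.g. ending at
# 255.255.255.254) is not caught by this exact-match check.
number_of_non_permissive_database_firewall_rules[r] {
  firewall_rules := [res | res := azure[_]; res.type == "azurerm_postgresql_firewall_rule"]
  start_ip := [res | res := firewall_rules[_]; res.values.start_ip_address == "0.0.0.0"]
  r := [res | res := start_ip[_]; res.values.end_ip_address == "255.255.255.255"]
}

# Length of each planned azurerm_postgresql_server admin password. If the plan
# does not carry the value (field absent), the expression is undefined, the set
# is empty and the length denies in package main never fire —
# NOTE(review): confirm that is the intended behaviour for unknown values.
length_of_database_server_password[r] {
  databases := [res | res := azure[_]; res.type == "azurerm_postgresql_server"]
  r := count(databases[i].values.administrator_login_password)
}
--------------------------------------------------------------------------------
/cloud/policy/opa/gcp/gcp.rego:
--------------------------------------------------------------------------------
package gcp.kubernetes

# Planned resources (child modules only) owned by the google-beta provider.
# Resources created through the plain "google" provider are not selected here.
gcp[r] {
  resources := input.planned_values.root_module.child_modules[_].resources[_]
  # comparison rather than unification, consistent with azure/azure.rego;
  # both operands are bound so the result is identical
  resources.provider_name == "google-beta"
  r := resources
}
--------------------------------------------------------------------------------
/cloud/policy/opa/gcp/policy.rego:
--------------------------------------------------------------------------------
package gcp.kubernetes

# Addresses of gcp resources with a node_config entry whose tags are null.
resources_with_null_tags[r] {
  r := [res.address | res := gcp[_]; is_null(res.values.node_config[i].tags)]
}

# max_node_count of every autoscaling block across the gcp resources.
node_pool_max_node_count[r] {
  resource := gcp[_]
  r := resource.values.autoscaling[_].max_node_count
}
--------------------------------------------------------------------------------
/cloud/policy/opa/gcp/security.rego:
--------------------------------------------------------------------------------
package gcp.kubernetes

# oauth_scopes list of every node_config block.
cluster_node_pool_oauth_scopes[r] {
  resources := gcp[_]
  r := resources.values.node_config[_].oauth_scopes
}

# Addresses of resources with enable_legacy_abac set.
resources_with_legacy_abac_enabled[r] {
  r := [res.address | res := gcp[_]; res.values.enable_legacy_abac]
}

# Addresses of clusters whose master_auth carries both a username and a
# password (basic auth).
clusters_with_username_and_password_defined[r] {
  usernames := [res | res := gcp[_]; count(res.values.master_auth[_].username) > 0]
  r := [res.address | res := usernames[_]; count(res.values.master_auth[_].password) > 0]
}

# Resources whose master_auth asks for a client certificate to be issued.
clusters_with_client_certificate_defined[r] {
  r := [res | res := gcp[_]; res.values.master_auth[_].client_certificate_config[_].issue_client_certificate]
}
--------------------------------------------------------------------------------
/cloud/policy/opa/terraform.rego:
--------------------------------------------------------------------------------
package main

import data.terraform.all_expected_sensitive_outputs_marked_as_sensitive

# Output names that must be declared sensitive.
sensitive_outputs = ["db_password", "db_username"]

deny[msg] {
  not all_expected_sensitive_outputs_marked_as_sensitive(sensitive_outputs)
  msg = sprintf("certain outputs must be marked as sensitive: %v", [sensitive_outputs])
}
--------------------------------------------------------------------------------
/cloud/policy/opa/terraform/output.rego:
--------------------------------------------------------------------------------
package terraform

# The planned outputs object, wrapped in a one-element set.
outputs[r] {
  r := input.planned_values.outputs
}

# True when at least one output in the given object is not marked sensitive
# (a missing "sensitive" key counts as not sensitive).
check_if_output_is_not_sensitive(outputs) {
  some key
  val := outputs[key]
  not val.sensitive
}

# True only when every name in sensitive_outputs is present in the plan AND is
# marked sensitive. The count check closes a gap: object.filter silently drops
# names that do not exist, so a renamed or removed output previously passed
# vacuously instead of failing the policy.
all_expected_sensitive_outputs_marked_as_sensitive(sensitive_outputs) {
  should_be_sensitive := object.filter(outputs[_], sensitive_outputs)
  count(should_be_sensitive) == count(sensitive_outputs)
  not check_if_output_is_not_sensitive(should_be_sensitive)
}
--------------------------------------------------------------------------------
/cloud/policy/opa/terraform/output_test.rego:
--------------------------------------------------------------------------------
package terraform
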
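# Output "test" is present and marked sensitive, so the check must hold.
test_should_pass_because_test_output_is_marked_sensitive {
  sensitive_outputs := ["test"]
  all_expected_sensitive_outputs_marked_as_sensitive(sensitive_outputs) with input as {"planned_values": {"outputs": {"test": {"sensitive": true}}}}
}

# Output "test" is present but NOT marked sensitive, so the check must fail.
test_should_deny_because_test_output_is_not_marked_sensitive {
  sensitive_outputs := ["test"]
  not all_expected_sensitive_outputs_marked_as_sensitive(sensitive_outputs) with input as {"planned_values": {"outputs": {"test": {"sensitive": false}}}}
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/database.sentinel:
--------------------------------------------------------------------------------
import "tfplan/v2" as tfplan

resources = values(tfplan.planned_values.resources)

database_firewall_rules = filter resources as _, v { v.type is "azurerm_postgresql_firewall_rule" }
database_servers = filter resources as _, v { v.type is "azurerm_postgresql_server" }

# A rule fails if EITHER bound is the extreme address. This is stricter than
# the OPA counterpart in cloud/policy/opa/azure/security.rego, which only
# flags rules spanning 0.0.0.0 through 255.255.255.255.
database_only_has_non_permissive_firewall_rules = rule {
  all database_firewall_rules as firewall_rule {
    firewall_rule.values.start_ip_address is not "0.0.0.0" and firewall_rule.values.end_ip_address is not "255.255.255.255"
  }
}

# Azure PostgreSQL admin passwords must be 8-128 characters inclusive. The
# previous strict comparisons (> 8, < 128) rejected exactly 8 and exactly 128
# characters and disagreed with the OPA rule, which only denies lengths < 8.
database_has_conformant_password_length = rule {
  all database_servers as database_server {
    length(database_server.values.administrator_login_password) >= 8 and length(database_server.values.administrator_login_password) <= 128
  }
}

main = rule {
  database_only_has_non_permissive_firewall_rules and
  database_has_conformant_password_length
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/gke-node-pool.sentinel:
--------------------------------------------------------------------------------
import "tfplan/v2" as tfplan

# The only OAuth scopes a node pool may carry, in this exact order.
google_container_node_pool_allowed_oauth_scopes = [
  "https://www.googleapis.com/auth/logging.write",
  "https://www.googleapis.com/auth/monitoring",
]

resources = values(tfplan.planned_values.resources)

google_container_node_pools = filter resources as _, v { v.type is "google_container_node_pool" }

google_container_node_pool_does_not_scale_above_3_nodes = rule {
  all google_container_node_pools as node_pool {
    all node_pool.values.autoscaling as autoscaling_config {
      autoscaling_config.max_node_count <= 3
    }
  }
}

# "is" is list equality, so the scopes must match the allow-list exactly and
# in the same order; a pool with a subset of the scopes, or the same scopes
# reordered, fails this rule despite the "minimum" in its name.
google_container_node_pool_has_minimum_allowed_oauth_scopes = rule {
  all google_container_node_pools as node_pool {
    all node_pool.values.node_config as node_config {
      node_config.oauth_scopes is google_container_node_pool_allowed_oauth_scopes
    }
  }
}

main = rule {
  google_container_node_pool_does_not_scale_above_3_nodes and
  google_container_node_pool_has_minimum_allowed_oauth_scopes
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/sentinel.hcl:
--------------------------------------------------------------------------------
# database, terraform and gke-container-cluster block a run outright;
# gke-node-pool and tags are soft-mandatory and can be overridden.
policy "database" {
  enforcement_level = "hard-mandatory"
}

policy "terraform" {
  enforcement_level = "hard-mandatory"
}

policy "gke-container-cluster" {
  enforcement_level = "hard-mandatory"
}

policy "gke-node-pool" {
  enforcement_level = "soft-mandatory"
}

policy "tags" {
  enforcement_level = "soft-mandatory"
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/tags.sentinel:
--------------------------------------------------------------------------------
import "tfplan/v2" as tfplan

resources = values(tfplan.planned_values.resources)

# Resources that expose a "tags" attribute, and GKE node pools, whose tags
# live under node_config instead.
resources_with_tag_field = filter resources as _, v { v.values contains "tags" }
gcp_node_pools_with_tag_field = filter resources as _, v { v.values contains "node_config" }

resources_with_tag_field_have_defined_tags = rule {
  all resources_with_tag_field as resource {
    resource.values.tags is not null
  }
}

gcp_node_pools_with_tag_field_have_defined_tags = rule {
  all gcp_node_pools_with_tag_field as node_pool {
    all node_pool.values.node_config as node_config {
      node_config.tags is not null
    }
  }
}

main = rule {
  resources_with_tag_field_have_defined_tags and
  gcp_node_pools_with_tag_field_have_defined_tags
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/terraform.sentinel:
--------------------------------------------------------------------------------
import "tfplan/v2" as tfplan

expected_sensitive_outputs = ["db_password", "db_username"]
do_not_delete_these_resources = ["module.database.azurerm_postgresql_database.example"]

outputs = tfplan.planned_values.outputs
# resource_changes is keyed by address; keep only the protected addresses.
changes_to_delete_protected_resources = values(filter tfplan.resource_changes as resource, _ { do_not_delete_these_resources contains resource })

# NOTE(review): indexing outputs[...] with a name that is not in the plan is
# undefined here, which should fail the rule rather than pass it — confirm.
expected_outputs_all_marked_as_sensitive = rule {
  all expected_sensitive_outputs as sensitive_output {
    outputs[sensitive_output].sensitive
  }
}

resource_changes_do_not_delete_protected_resources = rule {
  all changes_to_delete_protected_resources as list_of_changes {
    "delete" not in list_of_changes.change.actions
  }
}

main = rule {
  expected_outputs_all_marked_as_sensitive and
  resource_changes_do_not_delete_protected_resources
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/database/fail.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-fail.sentinel"
  },
  "test": {
    "main": false
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/database/good.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-v2.sentinel"
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/gke-container-cluster/fail.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-fail.sentinel"
  },
  "test": {
    "main": false
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/gke-container-cluster/good.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-v2.sentinel"
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/gke-node-pool/fail.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-fail.sentinel"
  },
  "test": {
    "main": false
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/gke-node-pool/good.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-v2.sentinel"
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/tags/fail.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-fail.sentinel"
  },
  "test": {
    "main": false
  }
}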
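--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/tags/good.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-v2.sentinel"
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/terraform/fail.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-fail.sentinel"
  },
  "test": {
    "main": false
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/terraform/good.json:
--------------------------------------------------------------------------------
{
  "mock": {
    "tfplan/v2": "../testdata/mock-tfplan-v2.sentinel"
  }
}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/testdata/mock-tfstate-v2.sentinel:
--------------------------------------------------------------------------------
# tfstate/v2 fixture for the policy tests: four outputs, no resources.
terraform_version = "0.12.23"

outputs = {
  "cluster_name": {
    "name": "cluster_name",
    "sensitive": false,
    "value": "products",
  },
  "db_password": {
    "name": "db_password",
    "sensitive": true,
    "value": "Testing!123",
  },
  "db_username": {
    "name": "db_username",
    "sensitive": true,
    "value": "postgres",
  },
  "google_location": {
    "name": "google_location",
    "sensitive": false,
    "value": "us-central1-f",
  },
}

resources = {}
--------------------------------------------------------------------------------
/cloud/policy/sentinel/test/testdata/mock-tfstate.sentinel:
--------------------------------------------------------------------------------
import "strings"
import "types"

# tfstate (v1 layout) fixture with the same four outputs and an empty root module.
outputs = {
  "cluster_name": {
    "sensitive": false,
    "type": "string",
    "value": "products",
  },
  "db_password": {
    "sensitive": true,
    "type": "string",
    "value": "Testing!123",
  },
  "db_username": {
    "sensitive": true,
    "type": "string",
    "value": "postgres",
  },
  "google_location": {
    "sensitive": false,
    "type": "string",
    "value": "us-central1-f",
  },
}

_modules = {
  "root": {
    "data": {},
    "path": [],
    "resources": {},
  },
}

module_paths = [
  [],
]

terraform_version = "0.12.23"

# Looks up a mocked module by path: [] is the root module, otherwise the key
# is "module.<a>.module.<b>..." built from the path elements. Non-list input
# is an error.
module = func(path) {
  if types.type_of(path) is not "list" {
    error("expected list, got", types.type_of(path))
  }

  if length(path) < 1 {
    return _modules.root
  }

  addr = []
  for path as p {
    append(addr, "module")
    append(addr, p)
  }

  return _modules[strings.join(addr, ".")]
}

data = _modules.root.data
path = _modules.root.path
resources = _modules.root.resources
--------------------------------------------------------------------------------
/cloud/remote.backend:
--------------------------------------------------------------------------------
hostname = "app.terraform.io"
organization = "hashicorp-team-demo"

workspaces {
  name = "hashicorp-demoapp-tfcloud"
}
--------------------------------------------------------------------------------
/cloud/scripts/products_policy.hcl:
--------------------------------------------------------------------------------
# Vault policy: read-only access to one dynamic database credential role.
path "database/creds/db-products" {
  capabilities = ["read"]
}
--------------------------------------------------------------------------------
/cloud/variables.tf:
--------------------------------------------------------------------------------
variable "service" {
  type = string
}

# Explicit element type: the bare "map" form is the legacy spelling of
# map(any); both the default and local.auto.tfvars supply string values only.
variable "gcp" {
  type = map(string)
  default = {
    project  = ""
    location = ""
  }
}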
# Azure settings; the default carries only an (empty) location, so callers are expected to override it.
# NOTE(review): `type = map` with no element type is the legacy, pre-0.12 form; `map(string)` states the
# same constraint explicitly — confirm the workspace's Terraform version before tightening it.
variable "azure" {
  type = map
  default = {
    location = ""
  }
}

# Database credentials. Neither variable has a `default`, so both must be supplied by the workspace.
variable "db_username" {
  type = string
}

# NOTE(review): `db_password` is declared as a plain string, so its value can surface in plan/apply
# output and in state. On Terraform >= 0.14 `sensitive = true` on this variable redacts it from
# CLI output — the test mocks in this tree pin 0.12.23, so confirm the real workspace version first.
variable "db_password" {
  type = string
}
-------------------------------------------------------------------------------- /cloud/vault/agent.hcl: --------------------------------------------------------------------------------
# Vault Agent configuration: authenticate once with AppRole, write the resulting token to a file sink,
# then render the template below. `exit_after_auth = true` means the agent is run as a one-shot
# rather than a resident daemon (per the option's name; confirm against the Vault version in use).
pid_file = "./pidfile"
exit_after_auth = true

auto_auth {
  method "approle" {
    config = {
      # Role ID and Secret ID are read from files under the relative `vault/` directory, so these
      # paths resolve against the agent's working directory. The Secret ID is the sensitive half;
      # NOTE(review): by default the agent removes the secret-id file after reading it
      # (`remove_secret_id_file_after_reading`) — verify that default has not been overridden
      # elsewhere, since a lingering secret-id file can be replayed.
      role_id_file_path = "vault/role-id"
      secret_id_file_path = "vault/secret-id"
    }
  }

  sink "file" {
    config = {
      # The Vault token is written here in plaintext for the template/consumer to pick up.
      # NOTE(review): `/tmp` is a shared, world-traversable directory; anything on the host that can
      # read this path can use the token. Prefer a per-user directory and/or set the sink's `mode`
      # to restrict permissions (check the Vault docs for the default applied by this version).
      path = "/tmp/vault-demoapp-infra"
    }
  }
}

# Template block is truncated in this view; its `contents` and `destination` are not visible here.
template {
  contents = <