├── .github
├── CODEOWNERS
├── PULL_REQUEST_TEMPLATE.md
├── dependabot.yml
└── workflows
│ ├── auto-close.yml
│ ├── auto-update.yml
│ ├── post-merge.yaml
│ └── pre-merge.yml
├── .gitignore
├── .golangci.yml
├── .markdownlint.yml
├── .markdownlintignore
├── .yamllint
├── CODE_OF_CONDUCT.md
├── LICENSES
└── Apache-2.0.txt
├── Makefile
├── README.md
├── REUSE.toml
├── SECURITY.md
├── VERSION
├── catalog-orchestrator-0.1.schema.yaml
├── ci_scripts
├── helm_build.sh
├── helm_push.sh
├── publish_dp.sh
└── publish_manifest.sh
├── common.mk
├── deployment-package
├── base-extensions
│ ├── cert-manager
│ │ ├── applications.yaml
│ │ └── values-cert-manager.yaml
│ ├── deployment-package.yaml
│ ├── fluent-bit
│ │ ├── applications.yaml
│ │ └── values-fluent-bit.yaml
│ ├── gatekeeper
│ │ ├── applications.yaml
│ │ ├── values-gatekeeper-constraints-baseline.yaml
│ │ ├── values-gatekeeper-constraints-privileged.yaml
│ │ ├── values-gatekeeper-constraints-restricted.yaml
│ │ └── values-gatekeeper.yaml
│ ├── network-policies
│ │ ├── applications.yaml
│ │ └── values-network-policies.yaml
│ ├── nfd
│ │ ├── applications.yaml
│ │ └── values-nfd.yaml
│ ├── node-exporter
│ │ ├── applications.yaml
│ │ └── values-node-exporter.yaml
│ ├── observability
│ │ ├── applications.yaml
│ │ └── values-observability-config.yaml
│ ├── openebs
│ │ ├── applications.yaml
│ │ ├── values-openebs-config.yaml
│ │ └── values-openebs.yaml
│ ├── prometheus
│ │ ├── applications.yaml
│ │ └── values-prometheus.yaml
│ └── telegraf
│ │ ├── applications.yaml
│ │ └── values-telegraf.yaml
├── common
│ ├── registry-akri.yaml
│ ├── registry-bitnami-oci.yaml
│ ├── registry-fluent-bit.yaml
│ ├── registry-gatekeeper.yaml
│ ├── registry-gpu.yaml
│ ├── registry-jetstack.yaml
│ ├── registry-kubernetes-ingress.yaml
│ ├── registry-node-exporter.yaml
│ ├── registry-node-feature-discovery.yaml
│ ├── registry-openebs.yaml
│ ├── registry-prometheus.yaml
│ └── registry-telegraf.yaml
├── intel-gpu-debug
│ ├── applications.yaml
│ ├── deployment-package.yaml
│ └── empty-values.yaml
├── intel-gpu
│ ├── applications.yaml
│ ├── deployment-package.yaml
│ ├── values-device-operator.yaml
│ └── values-gpu-plugin.yaml
├── kubernetes-dashboard
│ ├── application.yaml
│ ├── deployment-package.yaml
│ ├── registry-kubernetes.yaml
│ └── values-dash.yaml
├── loadbalancer
│ ├── application.yaml
│ ├── deployment-package.yaml
│ ├── empty-values.yaml
│ ├── values-edgedns-default.yaml
│ ├── values-ingress-nginx-default.yaml
│ └── values-metallb-config-default.yaml
├── skupper
│ ├── application.yaml
│ ├── deployment-package.yaml
│ └── empty-values.yaml
├── sriov
│ ├── application.yaml
│ ├── deployment-package.yaml
│ └── values-default.yaml
├── trusted-compute
│ ├── application.yaml
│ ├── deployment-package.yaml
│ ├── values-attestation-manager-default.yaml
│ ├── values-attestation-verifier-default.yaml
│ ├── values-kubevirt-default-nosm.yaml
│ ├── values-trust-agent-default.yaml
│ └── values-trusted-workload-default.yaml
├── usb
│ ├── akri-values.yaml
│ ├── application.yaml
│ ├── deployment-package.yaml
│ └── usb-device-values.yaml
└── virtualization
│ ├── application.yaml
│ ├── deployment-package.yaml
│ ├── values-cdi-default.yaml
│ ├── values-kubevirt-default-nosm.yaml
│ ├── values-kubevirt-default.yaml
│ ├── values-kubevirt-software-emulation-nosm.yaml
│ ├── values-kubevirt-software-emulation.yaml
│ └── values-kvhelper.yaml
├── go.mod
├── go.sum
├── helm
├── akri
│ ├── .gitignore
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── README.md
│ ├── templates
│ │ ├── akri-configurations.yaml
│ │ └── np.yaml
│ └── values.yaml
├── cdi
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── README.md
│ ├── crds
│ │ └── 01-crds.yaml
│ ├── fleet.yaml
│ ├── templates
│ │ ├── 01-cdi-operator.yaml
│ │ ├── 02-cdi-cr.yaml
│ │ ├── 03-cdi-netpol.yaml
│ │ └── pre-deletion-hook.yaml
│ ├── tests
│ │ ├── cdi_cr_test.yaml
│ │ ├── cdi_operator_test.yaml
│ │ └── values
│ │ │ ├── empty_proxy.yaml
│ │ │ └── proxy.yaml
│ └── values.yaml
├── edgedns
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── README.md
│ ├── templates
│ │ ├── NOTES.txt
│ │ ├── coredns-certs.yaml
│ │ ├── coredns-configmap.yaml
│ │ ├── coredns-svc.yaml
│ │ ├── coredns.yaml
│ │ ├── edgedns-sm.yaml
│ │ ├── etcd-certs.yaml
│ │ ├── etcd-svc.yaml
│ │ ├── etcd.yaml
│ │ ├── external-dns-certs.yaml
│ │ ├── external-dns-cluster-role.yaml
│ │ ├── external-dns-crb.yaml
│ │ ├── external-dns-service-account.yaml
│ │ ├── external-dns.yaml
│ │ ├── issuer-cert.yaml
│ │ ├── issuer-root.yaml
│ │ ├── issuer.yaml
│ │ └── netpol.yaml
│ ├── tests
│ │ ├── coredns-certs_test.yaml
│ │ ├── coredns-configmap_test.yaml
│ │ ├── coredns-svc_test.yaml
│ │ ├── coredns_test.yaml
│ │ ├── edgedns-sm_test.yaml
│ │ ├── etcd-certs_test.yaml
│ │ ├── etcd-svc_test.yaml
│ │ ├── etcd_test.yaml
│ │ ├── external-dns-certs_test.yaml
│ │ ├── external-dns-cluster-role_test.yaml
│ │ ├── external-dns-crb_test.yaml
│ │ ├── external-dns-service-account_test.yaml
│ │ ├── external-dns_test.yaml
│ │ ├── issuer-cert_test.yaml
│ │ ├── issuer-root_test.yaml
│ │ └── issuer_test.yaml
│ └── values.yaml
├── gatekeeper-constraints
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── README.md
│ ├── rego
│ │ ├── capabilities
│ │ │ ├── capabilities_policy.rego
│ │ │ └── capabilities_test.rego
│ │ ├── host_pid_ipc
│ │ │ ├── host_pid_ipc_policy.rego
│ │ │ └── host_pid_ipc_test.rego
│ │ ├── hostnetwork
│ │ │ ├── hostnetwork_policy.rego
│ │ │ └── hostnetwork_test.rego
│ │ ├── hostpath
│ │ │ ├── hostpath_policy.rego
│ │ │ └── hostpath_test.rego
│ │ ├── hostports
│ │ │ ├── hostports_policy.rego
│ │ │ └── hostports_test.rego
│ │ ├── privilegedcontainer
│ │ │ ├── privilegedcontainer_policy.rego
│ │ │ └── privilegedcontainer_test.rego
│ │ ├── privilegeescalation
│ │ │ ├── privilegeescalation_policy.rego
│ │ │ └── privilegeescalation_test.rego
│ │ ├── readonlyrootfs
│ │ │ ├── readonlyrootfs_policy.rego
│ │ │ └── readonlyrootfs_test.rego
│ │ ├── sysctls
│ │ │ ├── sysctls_policy.rego
│ │ │ └── sysctls_test.rego
│ │ └── users
│ │ │ ├── users_policy.rego
│ │ │ └── users_test.rego
│ ├── templates
│ │ ├── capabilities_constraint.yaml
│ │ ├── capabilities_template.yaml
│ │ ├── host_namespace-constraint.yaml
│ │ ├── host_network_constraint.yaml
│ │ ├── host_network_template.yaml
│ │ ├── host_path_template.yaml
│ │ ├── host_pid_ipc_template.yaml
│ │ ├── host_ports_constraint.yaml
│ │ ├── host_ports_template.yaml
│ │ ├── networkpolicy.yaml
│ │ ├── podmonitor.yaml
│ │ ├── privilege_escalation_template.yaml
│ │ ├── privileged_container_constraint.yaml
│ │ ├── privileged_container_template.yaml
│ │ ├── privileged_escalation_constraint.yaml
│ │ ├── read_only_root_fs_constraint.yaml
│ │ ├── read_only_root_fs_template.yaml
│ │ ├── sysctls_constraint.yaml
│ │ ├── sysctls_template.yaml
│ │ ├── users_template.yaml
│ │ └── volume_types_constraint.yaml
│ └── values.yaml
├── intel-gpu-debug
│ ├── Chart.yaml
│ ├── templates
│ │ └── intel-gpu-debug-pod.yaml
│ └── values.yaml
├── kubevirt-helper
│ ├── Chart.yaml
│ ├── templates
│ │ ├── _helpers.tpl
│ │ ├── certificate.yaml
│ │ ├── configmap.yaml
│ │ ├── deployment.yaml
│ │ ├── issuer.yaml
│ │ ├── mutatingwebhookconfiguration.yaml
│ │ ├── rbac.yaml
│ │ ├── service.yaml
│ │ └── serviceaccount.yaml
│ └── values.yaml
├── kubevirt
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── README.md
│ ├── crds
│ │ └── 01-crds.yaml
│ ├── templates
│ │ ├── 01-kubevirt-operator.yaml
│ │ ├── 02-kubevirt-cr.yaml
│ │ ├── 03-kubevirt-sm.yaml
│ │ ├── 04-kubevirt-netpol.yaml
│ │ ├── 05-macvtap-cni.yaml
│ │ └── pre-deletion-hook.yaml
│ ├── tests
│ │ ├── kubevirt_cr_test.yaml
│ │ ├── kubevirt_operator_test.yaml
│ │ └── kubevirt_servicemonitor_test.yaml
│ └── values.yaml
├── metallb-base
│ ├── Chart.yaml
│ ├── templates
│ │ ├── networkpolicy.yaml
│ │ └── pre-deletion-hook.yaml
│ └── values.yaml
├── metallb-config
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── README.md
│ ├── templates
│ │ ├── ip-address-pool.yaml
│ │ └── l2-advertisement.yaml
│ ├── tests
│ │ ├── ip-address-pool_test.yaml
│ │ └── l2-advertisement_test.yaml
│ └── values.yaml
├── network-policies
│ ├── Chart.yaml
│ ├── README.md
│ ├── templates
│ │ ├── 00-default-global-policy.yaml
│ │ ├── 01-default-netpol.yaml
│ │ ├── 02-calico-netpol.yaml
│ │ ├── 03-kube-system-netpol.yaml
│ │ ├── 05-observability-netpol.yaml
│ │ ├── 06-kube-public.yaml
│ │ └── 09-helm-installers.yaml
│ └── values.yaml
├── observability-config
│ ├── Chart.yaml
│ ├── README.md
│ ├── templates
│ │ ├── fluent-bit-cert.yaml
│ │ ├── prometheus-certificate.yaml
│ │ ├── prometheus-kube-state-metrics-clusterrole.yaml
│ │ ├── rbac.yaml
│ │ ├── service.yaml
│ │ ├── serviceAccount.yaml
│ │ ├── serviceMonitor.yaml
│ │ ├── telegraf-certificate.yaml
│ │ └── telegraf-configmap.yaml
│ └── values.yaml
├── openebs-config
│ ├── Chart.yaml
│ ├── README.md
│ ├── templates
│ │ ├── lvmnode.yaml
│ │ ├── lvmsnapshot.yaml
│ │ ├── lvmvolume.yaml
│ │ ├── networkpolicy.yaml
│ │ ├── servicemonitor.yaml
│ │ ├── storageclass-shared.yaml
│ │ └── storageclass.yaml
│ └── values.yaml
├── skupper-sample-app
│ ├── skupper-hello-world-backend
│ │ ├── .helmignore
│ │ ├── Chart.yaml
│ │ ├── templates
│ │ │ ├── _helpers.tpl
│ │ │ ├── deployment.yaml
│ │ │ └── service.yaml
│ │ └── values.yaml
│ └── skupper-hello-world-frontend
│ │ ├── .helmignore
│ │ ├── Chart.yaml
│ │ ├── templates
│ │ ├── _helpers.tpl
│ │ ├── deployment.yaml
│ │ └── service.yaml
│ │ └── values.yaml
├── skupper
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── templates
│ │ └── skupper.yaml
│ └── values.yaml
└── sriov
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── README.md
│ ├── app-README.md
│ ├── crds
│ ├── sriovnetwork.openshift.io_ovsnetworks.yaml
│ ├── sriovnetwork.openshift.io_sriovibnetworks.yaml
│ ├── sriovnetwork.openshift.io_sriovnetworknodepolicies.yaml
│ ├── sriovnetwork.openshift.io_sriovnetworknodestates.yaml
│ ├── sriovnetwork.openshift.io_sriovnetworkpoolconfigs.yaml
│ ├── sriovnetwork.openshift.io_sriovnetworks.yaml
│ └── sriovnetwork.openshift.io_sriovoperatorconfigs.yaml
│ ├── fleet.yaml
│ ├── templates
│ ├── NOTES.txt
│ ├── _helpers.tpl
│ ├── _webhook-certs.tpl
│ ├── certificate.yaml
│ ├── certmanagercerts.yaml
│ ├── clusterrole.yaml
│ ├── clusterrolebinding.yaml
│ ├── configmap.yaml
│ ├── networkpolicy.yaml
│ ├── operator.yaml
│ ├── role.yaml
│ ├── rolebinding.yaml
│ ├── secrets.yaml
│ ├── serviceaccount.yaml
│ ├── sriovoperatorconfig.yaml
│ └── validate-install-crd.yaml
│ ├── tests
│ ├── certmanagercerts_test.yaml
│ ├── clusterrole_test.yaml
│ ├── clusterrolebinding_test.yaml
│ ├── configmap_test.yaml
│ ├── operator_test.yaml
│ ├── role_test.yaml
│ ├── rolebinding_test.yaml
│ ├── secrets_test.yaml
│ └── serviceaccount_test.yaml
│ ├── trivy.yaml
│ └── values.yaml
├── manifest
└── manifest.yaml
├── pkg
├── artifact
│ └── artifact.go
├── edgedns-coredns
│ ├── .golangci.yml
│ ├── Dockerfile
│ ├── Makefile
│ ├── README.md
│ ├── VERSION
│ ├── cmd
│ │ └── edgedns-coredns
│ │ │ ├── main.go
│ │ │ └── main_test.go
│ ├── go.mod
│ └── go.sum
├── intel-gpu-debug
│ ├── Dockerfile
│ ├── Makefile
│ └── VERSION
├── kubevirt-helper
│ ├── .gitignore
│ ├── .golangci.yml
│ ├── Dockerfile
│ ├── Makefile
│ ├── VERSION
│ ├── cmd
│ │ └── kubevirt-helper
│ │ │ └── main.go
│ ├── go.mod
│ ├── go.sum
│ ├── internal
│ │ ├── k8swebhook
│ │ │ ├── mocks
│ │ │ │ ├── k8s_manager_mock.go
│ │ │ │ └── k8swebhookserver_mock.go
│ │ │ ├── webhook.go
│ │ │ └── webhook_test.go
│ │ ├── kubevirt
│ │ │ ├── fuzztests
│ │ │ │ └── kubevirt_fuzz_test.go
│ │ │ ├── kubevirt.go
│ │ │ ├── kubevirt_test.go
│ │ │ └── mocks
│ │ │ │ └── kubevirt_mock.go
│ │ └── manager
│ │ │ ├── manager.go
│ │ │ └── manager_test.go
│ └── trivy.yaml
├── manifest-version-check
│ ├── go.mod
│ ├── go.sum
│ └── manifest-version-check.go
└── manifest
│ └── manifest.go
├── requirements.txt
├── trivy.yaml
└── version.mk
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | ## Description
2 |
3 | Describe the purpose of this pull request.
4 |
5 | ## Changes
6 |
7 | List the changes you have made.
8 |
9 | ## Additional Information
10 |
11 | Include any additional information, such as how to test your changes.
12 |
13 | ## Checklist
14 |
15 | - [ ] Tests passed
16 | - [ ] Documentation updated
17 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
# Dependabot configuration: daily update checks for Go modules and for GitHub Actions,
# each capped at 10 open pull requests and tagged with its own commit-message prefix.
# NOTE(review): the "gomod" entry lists only the repository root ("/"). The tree at the top
# of this page shows separate go.mod files under pkg/edgedns-coredns, pkg/kubevirt-helper
# and pkg/manifest-version-check; those modules are not named in `directories`, so they
# would not receive update PRs from this entry — confirm that is intended.
# NOTE(review): no "docker" or "pip" ecosystem is configured, although the tree lists
# Dockerfiles under pkg/ and a requirements.txt; presumably those are updated by other
# means — TODO confirm.
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | ---
5 | version: 2
6 | updates:
7 | - package-ecosystem: "gomod"
8 | directories:
9 | - "/"
10 | schedule:
11 | interval: daily
12 | open-pull-requests-limit: 10
13 | commit-message:
14 | prefix: "[gomod] "
15 | - package-ecosystem: "github-actions"
16 | directory: "/"
17 | schedule:
18 | interval: daily
19 | open-pull-requests-limit: 10
20 | commit-message:
21 | prefix: "[gha] "
22 |
--------------------------------------------------------------------------------
/.github/workflows/auto-close.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
3 | # SPDX-License-Identifier: Apache-2.0
4 |
5 | name: Stale Pull Requests
6 | permissions:
7 | contents: read
8 | pull-requests: write
9 |
10 | # After 30 days of no activity on a PR, the PR should be marked as stale,
11 | # a comment made on the PR informing the author of the new status,
12 | # and closed after 15 days if there is no further activity from the change to stale state.
13 | on:
14 | schedule:
15 | - cron: '30 1 * * *' # run every day
16 | workflow_dispatch: {}
17 |
18 | jobs:
19 | stale-auto-close:
20 | runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
21 | steps:
22 | - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9.1.1
23 | with:
24 | repo-token: ${{ secrets.GITHUB_TOKEN }}
25 | stale-pr-message: 'This pull request is stale because it has been open 30 days with no activity. Make a comment or update the PR to avoid closing PR after 15 days.'
26 | days-before-pr-stale: 30
27 | days-before-pr-close: 15
28 | remove-pr-stale-when-updated: 'true'
29 | close-pr-message: 'This pull request was automatically closed due to inactivity'
--------------------------------------------------------------------------------
/.github/workflows/auto-update.yml:
--------------------------------------------------------------------------------
# Workflow summary: on every push to main or release-*, bring pull requests that have
# auto-merge enabled up to date with their base branch.
# The workflow-level `permissions: {}` drops every default GITHUB_TOKEN scope; the single
# job then re-grants only contents: read and pull-requests: write.
# NOTE(review): the `permissions` block limits GITHUB_TOKEN only. The pr_updater step is
# handed secrets.SYS_ORCH_GITHUB instead, so its effective access is whatever that token
# was issued with — verify it is scoped to the minimum this job needs.
# Both actions are pinned to full commit SHAs, and checkout runs with
# persist-credentials: false so the checkout token is not left in the local git config.
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | ---
5 |
6 | name: Auto Update PR
7 |
8 | # On push to the main branch and support branches, update any branches that are out of date
9 | # and have auto-merge enabled. If the branch is currently out of date with the base branch,
10 | # it must be first manually updated and then will be kept up to date on future runs.
11 | on:
12 | push:
13 | branches:
14 | - main
15 | - release-*
16 |
17 | permissions: {}
18 |
19 | concurrency:
20 | group: ${{ github.workflow }}-${{ github.ref }}
21 | cancel-in-progress: true
22 |
23 | jobs:
24 | update-pull-requests:
25 | permissions:
26 | contents: read
27 | pull-requests: write
28 | runs-on: ubuntu-latest
29 |
30 | steps:
31 | - name: Checkout repository
32 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
33 | with:
34 | persist-credentials: false
35 |
36 | - name: Update pull requests
37 | uses: open-edge-platform/orch-ci/.github/actions/pr_updater@f341738d975c38b2b91f25d405baeb2d39bf2ddb # 0.1.14
38 | with:
39 | github_token: ${{ secrets.SYS_ORCH_GITHUB }}
--------------------------------------------------------------------------------
/.github/workflows/post-merge.yaml:
--------------------------------------------------------------------------------
# Workflow summary: on pushes to main and release-* (and on manual dispatch), call the shared
# post-merge pipeline with version tagging, Docker build/push, Helm build/push and artifact
# publishing switched on (run_build is off).
# NOTE(review): permissions are declared at workflow level, so contents: read,
# security-events: write and id-token: write are the ceiling for every job in the called
# workflow. id-token: write allows a job to request an OIDC token; what consumes it is not
# visible on this page — confirm it is still required.
# NOTE(review): the Cosign private key and password and the ECR push credentials are handed
# to the reusable workflow as secrets. The callee is pinned by commit SHA, which keeps a
# moved tag from changing the code that receives them; review the callee's diff whenever
# the pin is bumped.
1 | ---
2 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
3 | # SPDX-License-Identifier: Apache-2.0
4 |
5 | name: Post-Merge CI Pipeline
6 |
7 | permissions:
8 | contents: read
9 | security-events: write
10 | id-token: write
11 |
12 | on:
13 | push:
14 | branches:
15 | - main
16 | - release-*
17 | workflow_dispatch:
18 |
19 | jobs:
20 | post-merge:
21 | uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@3bdd409ccf738472c6e1547d14628b51c70dbe99 # 0.1.21
22 | with:
23 | run_version_tag: true
24 | run_docker_build: true
25 | run_docker_push: true
26 | run_build: false
27 | run_helm_build: true
28 | run_helm_push: true
29 | run_artifact: true
30 | secrets:
31 | SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
32 | COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
33 | COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
34 | NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
35 | NO_AUTH_ECR_PUSH_PASSWD: ${{ secrets.NO_AUTH_ECR_PUSH_PASSWD }}
36 | MSTEAMS_WEBHOOK: ${{ secrets.TEAMS_WEBHOOK }}
37 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 |
5 | # jetbrains
6 | .idea
7 | .vscode
8 | .DS_Store
9 | .cache
10 |
11 | venv_extensions
12 | artifacts
13 | pkg/edgedns-coredns/edgedns-coredns
14 | pkg/edgedns-coredns/dist/
15 | pkg/edgedns-coredns/out/
16 | pkg/edgedns-coredns/bin/
17 | pkg/edgedns-coredns/vendor/
18 | ci/
19 | vendor/
20 |
--------------------------------------------------------------------------------
/.golangci.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | run:
6 | # Autogenerated files take too much time and memory to load,
7 | # even if we skip them with -skip-dirs;
8 | # or mark them as generated; or use nolint annotations.
9 | # So we define this tag and use it in the autogenerated files.
10 | build-tags:
11 | - codeanalysis
12 |
13 | linters:
14 | enable:
15 | - gofmt
16 | - gosec
17 | - revive
18 | - misspell
19 | - typecheck
20 | - errcheck
21 | - dogsled
22 | - unconvert
23 | - nakedret
24 | - copyloopvar
25 | - staticcheck
26 |
--------------------------------------------------------------------------------
/.markdownlint.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
3 | # SPDX-License-Identifier: Apache-2.0
4 | default: true
5 | MD004:
6 | style: dash
7 | MD010:
8 | # Code blocks may have hard tabs.
9 | code_blocks: false
10 | MD013:
11 | line_length: 120 # Max line length checking.
12 | code_blocks: false
13 | MD025:
14 | # Ignore the front matter title. Pages still need a top level header (#).
15 | front_matter_title: ""
16 | MD029:
17 | style: ordered
18 | MD033:
19 | allowed_elements:
20 | - ref # allow hugo relative reference links
21 | - br # allow mermaid <br> to create new line
22 | - a # allow anchors created by protoc-gen-doc and similar tools
23 | - span
24 |
--------------------------------------------------------------------------------
/.markdownlintignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 |
5 | docs/api/
6 | venv_extensions/
--------------------------------------------------------------------------------
/.yamllint:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | extends: default
5 | rules:
6 | line-length:
7 | max: 130
8 | ignore: |
9 | **/helm/**/templates/*
10 | .venv-extensions
11 | .cache
12 | catalog-orchestrator-0.1.schema.yaml
13 | .github/**
14 | pkg/**/vendor/
15 | helm/cdi/crds/01-crds.yaml
16 | helm/kubevirt/crds/01-crds.yaml
17 | ci
18 |
19 |
--------------------------------------------------------------------------------
/REUSE.toml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2022 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | version = 1
5 |
6 | [[annotations]]
7 | path = [
8 | "**/VERSION",
9 | "**.json",
10 | "venv_extensions",
11 | "artifacts",
12 | "**/vendor/**",
13 | "pkg/**/build/**",
14 | "**_mock.go",
15 | "**/go.mod",
16 | "**/go.sum",
17 | "**/.github/workflows/**",
18 | "ci/*",
19 | ".github/PULL_REQUEST_TEMPLATE.md",
20 | ]
21 | precedence = "aggregate"
22 | SPDX-FileCopyrightText = "2022 Intel Corporation"
23 | SPDX-License-Identifier = "Apache-2.0"
24 |
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 |
5 | # Security Policy
6 | Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation.
7 |
8 | ## Reporting a Vulnerability
9 | Please report any security vulnerabilities in this project utilizing the guidelines [here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html).
10 |
--------------------------------------------------------------------------------
/VERSION:
--------------------------------------------------------------------------------
1 | 1.1.4
2 |
--------------------------------------------------------------------------------
/ci_scripts/helm_push.sh:
--------------------------------------------------------------------------------
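#!/usr/bin/env bash
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Find every versioned Helm chart archive (*.tgz) directly under $WORKSPACE and
# push it to the OCI chart registry, creating the per-chart ECR repository
# first when it does not exist yet.
#
# Environment:
#   WORKSPACE  directory searched for chart archives (default: current dir)
# Exit status:
#   0  nothing to push, or every chart was pushed
#   1  a package has no top-level version or an unusable chart name
#   other non-zero: a helm/yq/find command failed (set -e)

set -xeu -o pipefail

# when not running under Jenkins, use current dir as workspace
WORKSPACE=${WORKSPACE:-.}
# HELM_CM_NAME=${HELM_CM_NAME:-oie}
REGISTRY=080137407410.dkr.ecr.us-west-2.amazonaws.com
REGISTRY_NO_AUTH=edge-orch
REPOSITORY=en/charts
HELM_REGISTRY=oci://${REGISTRY}/${REGISTRY_NO_AUTH}/${REPOSITORY}
DOCKER_REGISTRY=${REGISTRY_NO_AUTH}/${REPOSITORY}

# Filter package with $name-$version.tgz, and version should be $major.$minor.$patch format
pkg_list=$(find "${WORKSPACE}" -maxdepth 1 -type f -regex ".*tgz" | (grep -E ".*[0-9]+[a-zA-Z]*[+-]*\.[0-9]+[a-zA-Z]*[+-]*\.[0-9]+[a-zA-Z]*[+-]*(-dev)?\.tgz" || echo ""))
if [ -z "$pkg_list" ]; then
  echo "# No Packages found, exit #"
  exit 0
fi

# Read one path per line instead of word-splitting $pkg_list, so a path that
# contains spaces stays a single argument. The list arrives on fd 3 so that
# commands inside the loop cannot consume it through stdin.
while IFS= read -r pkg <&3; do
  echo "------$pkg------"

  # Load the chart metadata once and reuse it for both checks below.
  chart_meta=$(helm show chart "$pkg")

  # check if Helm package contains version, fail otherwise.
  # Reading the top-level .version key avoids accepting a chart merely because
  # the word "version" appears somewhere else in its metadata.
  chart_version=$(yq e '.version' - <<< "$chart_meta")
  if [ -z "$chart_version" ] || [ "$chart_version" = "null" ]; then
    echo "# Package $pkg doesn't contain version!!! #"
    exit 1
  fi

  echo "$HELM_REGISTRY"
  echo "helm pushing $pkg to $HELM_REGISTRY"
  chart_name=$(yq e '.name' - <<< "$chart_meta")
  echo chart_name: "$chart_name"

  # The chart name comes from inside the package and becomes part of the ECR
  # repository name, so refuse anything empty, "null", or containing characters
  # (such as "/") that would point the push at a different repository path.
  if [[ ! "$chart_name" =~ ^[a-z0-9][a-z0-9._-]*$ ]]; then
    echo "# Package $pkg has an unusable chart name: '$chart_name' #"
    exit 1
  fi

  # Best effort: the repository usually exists already. Note that "|| true"
  # also hides authentication and permission errors; in that case the
  # following helm push is the step that fails.
  aws ecr create-repository --region us-west-2 --repository-name "$DOCKER_REGISTRY/$chart_name" || true
  helm push "$pkg" "$HELM_REGISTRY"
done 3<<< "$pkg_list"

echo "# helmpush.sh Success! - all charts have been pushed #"
exit 0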
--------------------------------------------------------------------------------
/ci_scripts/publish_manifest.sh:
--------------------------------------------------------------------------------
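#!/usr/bin/env bash
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Publish manifest/manifest.yaml as an OCI package when the commit at HEAD
# changed it. A release version that is unchanged from HEAD~1 is rejected
# unless it carries a "-dev" marker.
#
# Must be run from the repository root (paths below are root-relative).
# Exit status:
#   0  manifest not touched by HEAD, or published successfully
#   1  release version missing, or unchanged for a non -dev release
#   other non-zero: a git/yq/publish command failed (set -e)

set -xeu -o pipefail

MANIFEST_PATH="manifest/manifest.yaml"

# Get the current branch name
# NOTE(review): on a detached HEAD this yields the literal "HEAD" - confirm the
# CI checkout leaves a branch checked out before relying on BRANCH_NAME.
current_branch=$(git rev-parse --abbrev-ref HEAD)

REGISTRY=080137407410.dkr.ecr.us-west-2.amazonaws.com
REGISTRY_NO_AUTH=edge-orch
REPOSITORY=en

# check if manifest file is changed
# -Fx matches the exact path only, so another file whose path merely contains
# "manifest/manifest.yaml" does not trigger a publish.
changed_files=$(git show --pretty="" --name-only | grep -Fx "$MANIFEST_PATH" || true)
echo "changed_files: $changed_files"

if [ -n "$changed_files" ]; then
  manifest_version=$(yq eval '.metadata.release' "$MANIFEST_PATH")
  # Read the previous revision straight from git instead of going through a
  # scratch file in the working tree. With pipefail this still aborts when
  # HEAD~1 or the file at HEAD~1 does not exist.
  previous_manifest_version=$(git show "HEAD~1:$MANIFEST_PATH" | yq eval '.metadata.release' -)

  # yq prints "null" for a missing key; never publish under that version.
  if [ -z "$manifest_version" ] || [ "$manifest_version" = "null" ]; then
    echo "Manifest $MANIFEST_PATH has no .metadata.release"
    exit 1
  fi

  # check if release version is updated
  if [[ "$manifest_version" == "$previous_manifest_version" && "$manifest_version" != *"-dev"* ]]; then
    echo "Manifest version is not changed. Please ensure to upadate the release version"
    exit 1
  fi

  # create a temporary version file; the trap removes it even when the
  # publish step fails, so no stale file is left in the workspace.
  version="$manifest_version"
  echo "version: $version"
  trap 'rm -f tmp-version' EXIT
  echo "$version" > tmp-version

  # publish
  echo "publishing manifest"
  BRANCH_NAME=$current_branch ./ci/scripts/push_oci_packages.sh -r "$REGISTRY" -f "manifest" -v tmp-version -s "$REGISTRY_NO_AUTH/$REPOSITORY" -o "cluster-extension-manifest"
fi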
--------------------------------------------------------------------------------
/deployment-package/base-extensions/cert-manager/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # cert-manager
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: cert-manager
10 | version: 1.16.2
11 | description: "Cert Manager"
12 | kind: extension
13 |
14 | helmRegistry: "jetstack"
15 | chartName: "cert-manager"
16 | chartVersion: "1.16.2"
17 | profiles:
18 | - name: default
19 | displayName: "default"
20 | valuesFileName: "values-cert-manager.yaml"
21 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/fluent-bit/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # fluent-bit
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: fluent-bit
10 | version: 0.48.9
11 | description: "Fluent Bit"
12 | kind: extension
13 |
14 | helmRegistry: "fluent-bit"
15 | chartName: "fluent-bit"
16 | chartVersion: "0.48.9"
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-fluent-bit.yaml"
22 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/gatekeeper/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Gatekeeper
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: gatekeeper
10 | version: 3.17.1
11 | description: "Gatekeeper"
12 | kind: extension
13 |
14 | helmRegistry: "gatekeeper"
15 | chartName: "gatekeeper"
16 | chartVersion: "3.17.1"
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-gatekeeper.yaml"
22 | ---
23 | # gatekeeper-constraints
24 | specSchema: "Application"
25 | schemaVersion: "0.1"
26 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
27 |
28 | name: gatekeeper-constraints
29 | version: 1.1.0
30 | description: "Gatekeeper Constraints"
31 | kind: extension
32 |
33 | helmRegistry: "intel-rs-helm"
34 | chartName: "edge-orch/en/charts/gatekeeper-constraints"
35 | chartVersion: "1.1.0"
36 |
37 | profiles:
38 | - name: baseline
39 | displayName: "baseline"
40 | valuesFileName: "values-gatekeeper-constraints-baseline.yaml"
41 | - name: restricted
42 | displayName: "restricted"
43 | valuesFileName: "values-gatekeeper-constraints-restricted.yaml"
44 | - name: privileged
45 | displayName: "privileged"
46 | valuesFileName: "values-gatekeeper-constraints-privileged.yaml"
47 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/gatekeeper/values-gatekeeper-constraints-baseline.yaml:
--------------------------------------------------------------------------------
# Values for the "baseline" profile of the gatekeeper-constraints application: one
# enabled/disabled switch per constraint. Here hostNetwork, privilegedEscalation and
# readOnlyFs are switched off; every other switch is on.
# NOTE(review): presumably `enabled: true` means the chart renders and enforces that
# constraint — confirm against the chart templates.
# NOTE(review): if this profile is meant to track the Kubernetes Pod Security Standards
# "Baseline" level, note that Baseline disallows hostNetwork, while the hostNetwork switch
# is off here — confirm the deviation is deliberate.
# NOTE(review): this listing has lost its indentation, so whether networkPolicies sits
# under policies.constraints or beside it cannot be told from this page.
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | policies:
5 | constraints:
6 | capabilities:
7 | enabled: true
8 | hostNetwork:
9 | enabled: false
10 | volumeTypes:
11 | enabled: true
12 | hostNamespace:
13 | enabled: true
14 | hostPorts:
15 | enabled: true
16 | privilegedContainer:
17 | enabled: true
18 | privilegedEscalation:
19 | enabled: false
20 | readOnlyFs:
21 | enabled: false
22 | sysctls:
23 | enabled: true
24 | networkPolicies:
25 | enabled: true
26 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/gatekeeper/values-gatekeeper-constraints-privileged.yaml:
--------------------------------------------------------------------------------
# Values for the "privileged" profile of the gatekeeper-constraints application: every
# constraint switch listed here is false.
# NOTE(review): presumably this renders none of the chart's pod-security constraints, so
# workloads admitted under this profile are not restricted by them. Selecting this profile
# is a security-relevant decision; limit it to clusters that need it and record why —
# confirm the effect against the chart templates.
# NOTE(review): unlike the baseline values file, no networkPolicies key is set here, so
# whatever default the chart's own values.yaml carries applies (not visible on this page).
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | policies:
5 | constraints:
6 | capabilities:
7 | enabled: false
8 | hostNetwork:
9 | enabled: false
10 | volumeTypes:
11 | enabled: false
12 | hostNamespace:
13 | enabled: false
14 | hostPorts:
15 | enabled: false
16 | privilegedContainer:
17 | enabled: false
18 | privilegedEscalation:
19 | enabled: false
20 | readOnlyFs:
21 | enabled: false
22 | sysctls:
23 | enabled: false
24 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/gatekeeper/values-gatekeeper-constraints-restricted.yaml:
--------------------------------------------------------------------------------
# Values for the "restricted" profile of the gatekeeper-constraints application: every
# constraint switch listed here is true, including hostNetwork, privilegedEscalation and
# readOnlyFs, which the baseline values file leaves off.
# NOTE(review): presumably `enabled: true` means the chart renders and enforces that
# constraint — confirm against the chart templates.
# NOTE(review): no networkPolicies key is set here (the baseline values file sets one), so
# the chart's own default applies — not visible on this page.
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | policies:
5 | constraints:
6 | capabilities:
7 | enabled: true
8 | hostNetwork:
9 | enabled: true
10 | volumeTypes:
11 | enabled: true
12 | hostNamespace:
13 | enabled: true
14 | hostPorts:
15 | enabled: true
16 | privilegedContainer:
17 | enabled: true
18 | privilegedEscalation:
19 | enabled: true
20 | readOnlyFs:
21 | enabled: true
22 | sysctls:
23 | enabled: true
24 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/network-policies/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # network-policies
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: network-policies
10 | version: 0.2.0
11 | description: "Network Policies"
12 | kind: extension
13 |
14 | helmRegistry: "intel-rs-helm"
15 | chartName: "edge-orch/en/charts/network-policies"
16 | chartVersion: "0.2.0"
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-network-policies.yaml"
22 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/network-policies/values-network-policies.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/nfd/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # NFD: catalog Application entry for the node-feature-discovery chart
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: nfd
10 | version: 0.17.0
11 | description: "NFD"
12 | kind: extension
13 |
14 | helmRegistry: "node-feature-discovery"  # same string as the `name` of the Registry object in common/registry-node-feature-discovery.yaml
15 | chartName: "node-feature-discovery"
16 | chartVersion: "0.17.0"  # exact version pin; no digest or provenance field appears in this object
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-nfd.yaml"
22 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/nfd/values-nfd.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | fullnameOverride: nfd  # Helm values for the nfd application's default profile
5 | master:
6 | resources:
7 | requests:
8 | cpu: 100m
9 | memory: 128Mi
10 | limits:  # limits equal the requests above
11 | cpu: 100m
12 | memory: 128Mi
13 | worker:
14 | resources:
15 | requests:
16 | cpu: 100m
17 | memory: 128Mi
18 | limits:  # limits equal the requests above
19 | cpu: 100m
20 | memory: 128Mi
21 | gc:
22 | enable: false  # presumably turns off the chart's garbage-collector component; confirm against the chart's values
23 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/node-exporter/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # node-exporter: catalog Application entry for the prometheus-node-exporter chart
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: node-exporter
10 | version: 4.45.0
11 | description: "Node Exporter"
12 | kind: extension
13 |
14 | helmRegistry: "node-exporter"  # same string as the `name` of the Registry object in common/registry-node-exporter.yaml
15 | chartName: "prometheus-node-exporter"
16 | chartVersion: "4.45.0"  # exact version pin, same value as `version`
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-node-exporter.yaml"  # NOTE(review): this values file is not part of the listing shown here; host-level settings (ports, host namespaces) cannot be reviewed from this page
22 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/observability/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # observability-config: catalog Application entry for the observability-config chart
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: observability-config
10 | version: 0.1.0
11 | description: "Observability Config"
12 | kind: extension
13 |
14 | helmRegistry: "intel-rs-helm"  # referenced by name; no Registry object called intel-rs-helm is visible in this listing (TODO confirm where it is declared)
15 | chartName: "edge-orch/en/charts/observability-config"
16 | chartVersion: "0.1.0"  # exact version pin, same value as `version`
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-observability-config.yaml"  # that file holds only the licence header and `---`, so no overrides are supplied from here
22 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/observability/values-observability-config.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/openebs/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # openebs-config: first of two Application documents in this file
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: openebs-config
10 | version: 0.1.0
11 | description: "OpenEBS Config"
12 | kind: extension
13 |
14 | helmRegistry: "intel-rs-helm"  # referenced by name; no Registry object called intel-rs-helm is visible in this listing (TODO confirm where it is declared)
15 | chartName: "edge-orch/en/charts/openebs-config"
16 | chartVersion: "0.1.0"
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-openebs-config.yaml"  # that file holds only the licence header and `---`
22 | ---
23 | # openebs: second Application document, the upstream OpenEBS chart
24 | specSchema: "Application"
25 | schemaVersion: "0.1"
26 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
27 |
28 | name: openebs
29 | version: 4.2.0
30 | description: "Open EBS"
31 | kind: extension
32 |
33 | helmRegistry: "openebs"  # same string as the `name` of the Registry object in common/registry-openebs.yaml
34 | chartName: "openebs"
35 | chartVersion: "4.2.0"  # exact version pin, same value as `version`
36 |
37 | profiles:
38 | - name: default
39 | displayName: "default"
40 | valuesFileName: "values-openebs.yaml"  # NOTE(review): this values file is not part of the listing shown here
41 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/openebs/values-openebs-config.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/prometheus/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # prometheus: catalog Application entry for the kube-prometheus-stack chart
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: prometheus
10 | version: 70.3.0
11 | description: "Prometheus"
12 | kind: extension
13 |
14 | helmRegistry: "prometheus"  # same string as the `name` of the Registry object in common/registry-prometheus.yaml
15 | chartName: "kube-prometheus-stack"
16 | chartVersion: "70.3.0"  # exact version pin, same value as `version`
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-prometheus.yaml"  # NOTE(review): this values file is not part of the listing shown here; which stack components and endpoints are enabled cannot be reviewed from this page
22 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/telegraf/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # telegraf: catalog Application entry for the telegraf chart
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: telegraf
10 | version: 1.8.55
11 | description: "Telegraf"
12 | kind: extension
13 |
14 | helmRegistry: "telegraf"  # same string as the `name` of the Registry object in common/registry-telegraf.yaml
15 | chartName: "telegraf"
16 | chartVersion: "1.8.55"  # exact version pin, same value as `version`
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-telegraf.yaml"  # supplies the volume mounts, resource limits and --config argument for this profile
22 |
--------------------------------------------------------------------------------
/deployment-package/base-extensions/telegraf/values-telegraf.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | fullNameOverride: telegraf  # NOTE(review): other values files in this repo spell the key `fullnameOverride`; Helm normally ignores an unknown key without error, so confirm which spelling the telegraf chart reads
5 | volumes:
6 | - name: telegraf-config
7 | configMap:
8 | name: telegraf-config  # nothing in this file creates the ConfigMap; it has to exist in the release namespace
9 | - name: certs
10 | secret:
11 | secretName: telegraf-tls  # TLS material comes from the telegraf-tls Secret; nothing in this file creates it
12 | mountPoints:
13 | - name: telegraf-config
14 | mountPath: /etc/telegraf/
15 | # subPath: base-ext-telegraf.conf
16 | readOnly: true
17 | - name: certs
18 | mountPath: /opt/telegraf/certs  # NOTE(review): unlike the config mount, no readOnly flag is set on this mount; consider stating readOnly: true for the key material
19 |
20 | resources:
21 | requests:
22 | memory: 128Mi
23 | cpu: 100m
24 | limits:  # limits equal the requests above
25 | memory: 128Mi
26 | cpu: 100m
27 |
28 |
29 | containerPorts:
30 | - name: metrics
31 | containerPort: 9105
32 | protocol: TCP
33 |
34 | image:
35 | pullPolicy: IfNotPresent  # no image repository, tag or digest is set in this file; presumably the chart default is used (verify)
36 | args:
37 | - "--config=/etc/telegraf/base-ext-telegraf.conf"  # path lies under the telegraf-config mount at /etc/telegraf/
38 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-akri.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "akri-helm-registry"  # presumably the string an Application's helmRegistry field refers to; no such reference is visible in this listing
9 | description: "Public registry for akri chart"
10 | type: "HELM"
11 | rootUrl: "https://project-akri.github.io/akri/"  # public upstream over HTTPS; no credential or CA fields are set in this object
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-bitnami-oci.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "bitnami-helm-oci"
9 | description: "Bitnami helm registry"
10 | type: "HELM"
11 |
12 | rootUrl: "oci://registry-1.docker.io/bitnamicharts"  # the only registry in common/ that uses an oci:// URL; NOTE(review): confirm that charts pulled from it are pinned by version or digest in the Applications that use it
13 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-fluent-bit.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "fluent-bit"
9 | description: "Public registry for fluent bit chart"
10 | type: "HELM"
11 | rootUrl: "https://fluent.github.io/helm-charts"  # public upstream over HTTPS; no credential or CA fields are set in this object
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-gatekeeper.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "gatekeeper"
9 | description: "Public registry for gatekeeper chart"
10 | type: "HELM"
11 | rootUrl: "https://open-policy-agent.github.io/gatekeeper/charts"  # source of the policy-enforcement chart; NOTE(review): integrity rests on TLS to this host plus the version pin in the Application, so confirm whether chart provenance is verified anywhere
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-gpu.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Public registry with Intel Device Plugin Operator & GPU Device Plugins
5 | specSchema: "Registry"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: "intel-github-io"  # same string as helmRegistry in both Application documents of intel-gpu/applications.yaml
10 | description: "Intel Public registry with device operator & plugins"
11 | type: "HELM"
12 | rootUrl: "https://intel.github.io/helm-charts"  # public upstream over HTTPS; no credential or CA fields are set in this object
13 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-jetstack.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "jetstack"
9 | description: "Public registry for cert manager chart"
10 | type: "HELM"
11 | rootUrl: "https://charts.jetstack.io"  # source of the cert-manager chart; NOTE(review): integrity rests on TLS to this host plus the version pin in the Application, so confirm whether chart provenance is verified anywhere
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-kubernetes-ingress.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "kubernetes-ingress-helm"
9 | description: "Kubernetes Github helm registry for ingress-nginx"
10 | type: "HELM"
11 |
12 | rootUrl: "https://kubernetes.github.io/ingress-nginx"  # public upstream over HTTPS; no credential or CA fields are set in this object
13 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-node-exporter.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "node-exporter"  # same string as helmRegistry in base-extensions/node-exporter/applications.yaml
9 | description: "Public registry for node exporter chart"
10 | type: "HELM"
11 | rootUrl: "https://prometheus-community.github.io/helm-charts"  # identical URL to the "prometheus" Registry object; the two names point at one upstream
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-node-feature-discovery.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "node-feature-discovery"  # same string as helmRegistry in base-extensions/nfd/applications.yaml
9 | description: "Public registry for node feature discovery chart"
10 | type: "HELM"
11 | rootUrl: "https://kubernetes-sigs.github.io/node-feature-discovery/charts"  # public upstream over HTTPS; no credential or CA fields are set in this object
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-openebs.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "openebs"  # same string as helmRegistry in the second document of base-extensions/openebs/applications.yaml
9 | description: "Public registry for openebs chart"
10 | type: "HELM"
11 | rootUrl: "https://openebs.github.io/openebs"  # public upstream over HTTPS; no credential or CA fields are set in this object
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-prometheus.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "prometheus"  # same string as helmRegistry in base-extensions/prometheus/applications.yaml
9 | description: "Public registry for prometheus chart"
10 | type: "HELM"
11 | rootUrl: "https://prometheus-community.github.io/helm-charts"  # identical URL to the "node-exporter" Registry object; the two names point at one upstream
12 |
--------------------------------------------------------------------------------
/deployment-package/common/registry-telegraf.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "telegraf"  # same string as helmRegistry in base-extensions/telegraf/applications.yaml
9 | description: "Public registry for telegraf chart"
10 | type: "HELM"
11 | rootUrl: "https://helm.influxdata.com/"  # public upstream over HTTPS; no credential or CA fields are set in this object
12 |
--------------------------------------------------------------------------------
/deployment-package/intel-gpu-debug/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Intel GPU extension debugging app (the object below is named intel-gpu-debug, not the device plugin operator)
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: intel-gpu-debug
10 | version: 1.3.0
11 | description: "Intel GPU ext debugging app"  # NOTE(review): no `kind: extension` line here, unlike the other Application objects in this listing; confirm that is intended
12 |
13 | helmRegistry: "intel-rs-helm"  # referenced by name; no Registry object called intel-rs-helm is visible in this listing (TODO confirm where it is declared)
14 | chartName: "edge-orch/en/charts/intel-gpu-debug"
15 | chartVersion: "1.3.0"  # exact version pin, same value as `version`
16 |
17 | profiles:
18 | - name: default
19 | displayName: "default"
20 | valuesFileName: "empty-values.yaml"  # that file holds only the licence header, so no overrides are supplied from here
21 |
--------------------------------------------------------------------------------
/deployment-package/intel-gpu-debug/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"  # bundles the intel-gpu-debug Application into a deployable package
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "intel-gpu-debug"
9 | description: "Intel GPU K8S extension debugging"
10 | version: 1.3.0  # NOTE(review): no kind, forbidsMultipleDeployments or defaultNamespaces is set, unlike the intel-gpu package; confirm a debugging package should be deployable without those limits
11 |
12 | applications:
13 | - name: intel-gpu-debug
14 | version: 1.3.0  # matches `version` in intel-gpu-debug/applications.yaml
15 |
16 | deploymentProfiles:
17 | - name: "testing"  # the only profile; its name suggests non-production use
18 | displayName: "testing"
19 | applicationProfiles:
20 | - application: "intel-gpu-debug"
21 | profile: "default"
22 |
--------------------------------------------------------------------------------
/deployment-package/intel-gpu-debug/empty-values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/deployment-package/intel-gpu/applications.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Intel Device Plugin Operator: first of two Application documents in this file
5 | specSchema: "Application"
6 | schemaVersion: "0.1"
7 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
8 |
9 | name: intel-device-operator
10 | version: 0.29.0
11 | description: "Intel Device Plugin Operator"
12 | kind: extension
13 |
14 | helmRegistry: "intel-github-io"  # same string as the `name` of the Registry object in common/registry-gpu.yaml
15 | chartName: "intel-device-plugins-operator"
16 | chartVersion: "0.29.0"  # exact version pin, same value as `version`
17 |
18 | profiles:
19 | - name: default
20 | displayName: "default"
21 | valuesFileName: "values-device-operator.yaml"  # that file holds only the licence header and `---`
22 | ---
23 | # Intel GPU Device Plugin: second Application document
24 | specSchema: "Application"
25 | schemaVersion: "0.1"
26 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
27 |
28 | name: intel-gpu-plugin
29 | version: 0.29.0
30 | description: "Intel GPU Device Plugin"
31 | kind: extension
32 |
33 | helmRegistry: "intel-github-io"
34 | chartName: "intel-device-plugins-gpu"
35 | chartVersion: "0.29.0"  # same version as the operator chart above
36 |
37 | profiles:
38 | - name: exclusive-gpu-alloc  # profile name referenced by intel-gpu/deployment-package.yaml
39 | displayName: "Exclusive gpu allocation"
40 | valuesFileName: "values-gpu-plugin.yaml"
41 |
--------------------------------------------------------------------------------
/deployment-package/intel-gpu/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"  # bundles the device operator and the GPU plugin into one package
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "intel-gpu"
9 | description: "Intel GPU K8S extension"
10 | version: 1.3.0
11 | forbidsMultipleDeployments: true
12 | kind: extension
13 |
14 | applications:
15 | - name: intel-device-operator
16 | version: 0.29.0
17 | - name: intel-gpu-plugin
18 | version: 0.29.0
19 |
20 | defaultNamespaces:  # both applications are placed in the same namespace
21 | intel-gpu-plugin: intel-gpu-extension
22 | intel-device-operator: intel-gpu-extension
23 |
24 | applicationDependencies:
25 | - name: "intel-gpu-plugin"
26 | requires: "intel-device-operator"  # declares that the plugin depends on the operator
27 |
28 | deploymentProfiles:
29 | - name: "exclusive-gpu-alloc"
30 | displayName: "Exclusive gpu allocation"
31 | applicationProfiles:
32 | - application: "intel-device-operator"
33 | profile: "default"
34 | - application: "intel-gpu-plugin"
35 | profile: "exclusive-gpu-alloc"  # profile defined in intel-gpu/applications.yaml
36 |
--------------------------------------------------------------------------------
/deployment-package/intel-gpu/values-device-operator.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/intel-gpu/values-gpu-plugin.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | sharedDevNum: 1  # values for the "exclusive-gpu-alloc" profile; presumably 1 means a GPU is not shared between containers (confirm against the chart)
5 | enableMonitoring: true
6 | allocationPolicy: "none"
7 | nodeFeatureRule: true  # presumably relies on node-feature-discovery being installed (verify)
8 | logLevel: 2
9 |
--------------------------------------------------------------------------------
/deployment-package/kubernetes-dashboard/application.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Application"  # catalog Application entry for the Kubernetes dashboard chart
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: kubernetes-dashboard
9 | version: 0.1.0  # catalog version; differs from chartVersion below
10 | description: "kubernetes-dashboard"
11 | kind: extension
12 |
13 | helmRegistry: "kubernetes"  # same string as the `name` of the Registry object in kubernetes-dashboard/registry-kubernetes.yaml
14 | chartName: "kubernetes-dashboard"
15 | chartVersion: "7.10.0"  # exact chart version pin
16 |
17 | profiles:
18 | - name: "default"
19 | valuesFileName: "values-dash.yaml"  # NOTE(review): this values file is not part of the listing shown here; how the dashboard is exposed and which service account it uses cannot be reviewed from this page
20 |
--------------------------------------------------------------------------------
/deployment-package/kubernetes-dashboard/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"  # packages the kubernetes-dashboard Application
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "kubernetes-dashboard"
9 | displayName: "kubernetes-dashboard"
10 | description: "kubernetes-dashboard"
11 | version: 0.1.0
12 | forbidsMultipleDeployments: true
13 | kind: extension
14 |
15 | applications:
16 | - name: kubernetes-dashboard
17 | version: 0.1.0  # matches `version` in kubernetes-dashboard/application.yaml
18 |
19 | deploymentProfiles:
20 | - name: "default"
21 | applicationProfiles:
22 | - application: "kubernetes-dashboard"
23 | profile: "default"
24 |
25 | defaultNamespaces:
26 | kubernetes-dashboard: kubernetes-dashboard  # the dashboard gets its own namespace
27 |
--------------------------------------------------------------------------------
/deployment-package/kubernetes-dashboard/registry-kubernetes.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Registry"  # catalog Registry object: a named Helm chart source
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "kubernetes"  # same string as helmRegistry in kubernetes-dashboard/application.yaml
9 | description: "Kubernetes dashboard registry"
10 | type: "HELM"
11 |
12 | rootUrl: "https://kubernetes.github.io/dashboard/"  # public upstream over HTTPS; no credential or CA fields are set in this object
13 |
--------------------------------------------------------------------------------
/deployment-package/loadbalancer/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"  # bundles MetalLB, edge DNS and ingress-nginx into one package
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "loadbalancer"
9 | description: "Enables load balancer and dns services on the edge"
10 | version: 0.5.2
11 |
12 | kind: extension  # NOTE(review): no forbidsMultipleDeployments line, unlike the other extension packages in this listing; confirm that two deployments sharing one address range are acceptable
13 |
14 | applications:  # the Application objects for these five names are not part of the listing shown here
15 | - name: metallb
16 | version: 1.1.1
17 | - name: metallb-base
18 | version: 0.16.1
19 | - name: metallb-config
20 | version: 0.2.0
21 | - name: edgedns
22 | version: 2.1.0
23 | - name: ingress-nginx
24 | version: 5.1.2
25 |
26 | defaultNamespaces:  # NOTE(review): metallb-base is listed above but has no entry here; confirm which namespace it lands in
27 | metallb: metallb-system
28 | metallb-config: metallb-system
29 | edgedns: edge-system
30 | ingress-nginx: ingress-nginx
31 |
32 | deploymentProfiles:
33 | - name: "default-profile"
34 | displayName: "Default Configuration"
35 | applicationProfiles:
36 | - application: "metallb"
37 | profile: "default"
38 | - application: "metallb-base"
39 | profile: "default"
40 | - application: "metallb-config"
41 | profile: "default"
42 | - application: "edgedns"
43 | profile: "default"
44 | - application: "ingress-nginx"
45 | profile: "default"
46 |
--------------------------------------------------------------------------------
/deployment-package/loadbalancer/empty-values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/loadbalancer/values-edgedns-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | staticIp: 10.1.0.80  # same address as dnsIPAddress in values-metallb-config-default.yaml; change both together
5 |
--------------------------------------------------------------------------------
/deployment-package/loadbalancer/values-ingress-nginx-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | fullnameOverride: ingress-nginx-controller
5 | controller:
6 | service:
7 | loadBalancerIP: 10.1.0.81  # same address as ingressIPAddress in values-metallb-config-default.yaml; change both together
8 | allocateLoadBalancerNodePorts: false  # no NodePorts are allocated for the LoadBalancer Service, so the controller is presumably reachable only through the load-balancer address
9 |
--------------------------------------------------------------------------------
/deployment-package/loadbalancer/values-metallb-config-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | ipAddressRange: 10.1.0.30-10.1.0.79  # presumably the MetalLB pool; the two fixed addresses below sit just above it. NOTE(review): RFC 1918 defaults that each site most likely has to override
5 | dnsIPAddress: "10.1.0.80/32"  # same address as staticIp in values-edgedns-default.yaml
6 | ingressIPAddress: "10.1.0.81/32"  # same address as loadBalancerIP in values-ingress-nginx-default.yaml
7 |
8 | # sample: "10.1.0.82/32,10.1.0.83/32"
9 | staticIPs: ""
10 |
11 | # sample interface: "enp138s0f0"
12 | L2Advertisement:
13 | enabled: false  # off by default; the interface value below is empty
14 | interface: ""
15 |
--------------------------------------------------------------------------------
/deployment-package/skupper/application.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Application"  # catalog Application entry for the skupper chart
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: skupper
9 | version: 0.2.0
10 | description: "Skupper for interconnecting bare metal k8s clusters"
11 | kind: extension
12 |
13 | helmRegistry: "intel-rs-helm"  # referenced by name; no Registry object called intel-rs-helm is visible in this listing (TODO confirm where it is declared)
14 | chartName: "edge-orch/en/charts/skupper"
15 | chartVersion: "0.2.0"  # exact version pin, same value as `version`
16 |
17 | profiles:
18 | - name: default
19 | displayName: "Default"
20 | valuesFileName: "empty-values.yaml"  # that file holds only the licence header; NOTE(review): cross-cluster link settings therefore come from chart defaults, so verify them in the chart
21 |
--------------------------------------------------------------------------------
/deployment-package/skupper/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"  # packages the skupper Application
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "skupper"
9 | description: "Enables Skupper service on the edge"
10 | version: 0.2.0
11 | forbidsMultipleDeployments: true
12 | kind: extension
13 |
14 | applications:
15 | - name: skupper
16 | version: 0.2.0  # matches `version` in skupper/application.yaml
17 |
18 | # namespace that receives both the network policies and the skupper pods
19 | defaultNamespaces:
20 | skupper: interconnect
21 |
22 | deploymentProfiles:
23 | - name: "default-profile"
24 | displayName: "Default Configuration"
25 | applicationProfiles:
26 | - application: "skupper"
27 | profile: "default"
28 |
--------------------------------------------------------------------------------
/deployment-package/skupper/empty-values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
--------------------------------------------------------------------------------
/deployment-package/sriov/application.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "Application"  # catalog Application entry for the SR-IOV network operator chart
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: sriov-network-operator
9 | version: 104.3.2
10 | description: "Provisions and configures SR-IOV CNI plugin and Device plugin"
11 | kind: extension
12 |
13 | helmRegistry: "intel-rs-helm"  # referenced by name; no Registry object called intel-rs-helm is visible in this listing (TODO confirm where it is declared)
14 | chartName: "edge-orch/en/charts/sriov"
15 | chartVersion: "104.3.2"  # exact version pin, same value as `version`
16 |
17 | profiles:
18 | - name: default
19 | displayName: "Default"
20 | valuesFileName: "values-default.yaml"  # sets cert_manager: true, so this profile presumably needs cert-manager on the cluster
21 |
--------------------------------------------------------------------------------
/deployment-package/sriov/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"  # packages the sriov-network-operator Application
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "sriov"
9 | description: "Provisions and configures SR-IOV CNI plugin and Device plugin"
10 | version: 0.4.0  # package version; the bundled application is versioned separately below
11 | forbidsMultipleDeployments: true
12 | kind: extension
13 |
14 | applications:
15 | - name: sriov-network-operator
16 | version: 104.3.2  # matches `version` in sriov/application.yaml
17 |
18 | defaultNamespaces:
19 | sriov-network-operator: sriov-network-operator
20 |
21 | deploymentProfiles:
22 | - name: "default-profile"
23 | displayName: "Default Configuration"
24 | applicationProfiles:
25 | - application: "sriov-network-operator"
26 | profile: "default"
27 |
--------------------------------------------------------------------------------
/deployment-package/sriov/values-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
5 | # cert_manager: when true, the chart integrates with cert-manager to issue
6 | # the certificates for the operator webhooks. When it is not enabled, the
7 | # chart generates ad-hoc certificates that are not renewed automatically
8 | # at expiration, which is not recommended for production clusters.
9 | cert_manager: true
10 |
--------------------------------------------------------------------------------
/deployment-package/trusted-compute/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"  # bundles the attestation and trusted-workload applications into one package
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "trusted-compute"  # NOTE(review): the description below requires a "privilege" cluster template, presumably the one that relaxes the pod-security constraints; confirm, and keep that template off clusters that do not run this package
9 | description: >
10 | Trusted Compute k8s plugin for trusted workloads. Requires cluster using a "privilege" template.
11 | version: 0.5.0
12 | forbidsMultipleDeployments: true
13 | kind: extension
14 |
15 | applications:  # the Application objects for these four names are not part of the listing shown here
16 | - name: attestation-manager
17 | version: 1.0.0
18 | - name: attestation-verifier
19 | version: 1.0.0
20 | - name: trust-agent
21 | version: 1.0.0
22 | - name: trusted-workload
23 | version: 1.0.1
24 |
25 | defaultNamespaces:  # the three attestation components share one namespace; the workload component has its own
26 | attestation-manager: isecl
27 | attestation-verifier: isecl
28 | trust-agent: isecl
29 | trusted-workload: trusted-compute
30 |
31 | deploymentProfiles:
32 | - name: "default-profile"
33 | displayName: "Default Configuration"
34 | applicationProfiles:  # the four values-*-default.yaml files in this directory hold only the licence header and `---`
35 | - application: "attestation-manager"
36 | profile: "default"
37 | - application: "attestation-verifier"
38 | profile: "default"
39 | - application: "trust-agent"
40 | profile: "default"
41 | - application: "trusted-workload"
42 | profile: "default"
43 |
--------------------------------------------------------------------------------
/deployment-package/trusted-compute/values-attestation-manager-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/trusted-compute/values-attestation-verifier-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/trusted-compute/values-kubevirt-default-nosm.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | networkPoliciesEnabled: true
5 | serviceMonitorEnabled: true
6 | useEmulation: false
7 | nodeSelector:
8 | kubernetes.io/os: linux
9 |
10 | serviceMonitor:
11 | enabled: false
12 |
13 | # format: name;vid;pid,name;vid;pid
14 | # sample: kubevirt.io/usb-1;1234;1234,kubevirt.io/usb-2;1234;1234
15 | usbList: ""
16 |
--------------------------------------------------------------------------------
/deployment-package/trusted-compute/values-trust-agent-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/trusted-compute/values-trusted-workload-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/deployment-package/usb/akri-values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | useDevelopmentContainers: false
5 | kubernetesDistro: k3s
6 | # agent:
7 | # nodeSelectors:
8 | # kubernetes.io/os: linux
9 | controller:
10 | enabled: false
11 | image:
12 | pullPolicy: IfNotPresent
13 | webhookConfiguration:
14 | image:
15 | pullPolicy: IfNotPresent
16 | udev:
17 | discovery:
18 | enabled: true
19 | # nodeSelectors:
20 | # kubernetes.io/os: linux
21 |
--------------------------------------------------------------------------------
/deployment-package/usb/application.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: Application
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: akri
9 | version: 0.13.8
10 | description: "akri base application"
11 | kind: extension
12 |
13 | helmRegistry: "akri-helm-registry"
14 | chartName: "akri"
15 | chartVersion: 0.13.8
16 |
17 | profiles:
18 | - name: default
19 | displayName: Default
20 | valuesFileName: akri-values.yaml
21 |
22 | ---
23 | specSchema: Application
24 | schemaVersion: "0.1"
25 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
26 |
27 | name: usb-device-plugin
28 | version: 1.1.0
29 | description: "Exposes USB devices to the k8s cluster"
30 | kind: extension
31 |
32 | helmRegistry: "intel-rs-helm"
33 | chartName: "edge-orch/en/charts/akri"
34 | chartVersion: 1.1.0
35 |
36 | profiles:
37 | - name: default
38 | displayName: Default
39 | valuesFileName: usb-device-values.yaml
40 | parameterTemplates:
41 | - name: usbList
42 | displayName: "USB dongle List"
43 | mandatory: true
44 | type: string
45 |
--------------------------------------------------------------------------------
/deployment-package/usb/deployment-package.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | specSchema: "DeploymentPackage"
5 | schemaVersion: "0.1"
6 | $schema: "https://schema.intel.com/catalog.orchestrator/0.1/schema"
7 |
8 | name: "usb"
9 | description: "Brings USB allocation for containers/VMs running on k8s cluster"
10 | version: 0.4.0
11 | forbidsMultipleDeployments: true
12 | kind: extension
13 |
14 | applications:
15 | - name: akri
16 | version: 0.13.8
17 | - name: usb-device-plugin
18 | version: 1.1.0
19 |
20 | defaultNamespaces:
21 | usb-device-plugin: akri
22 | akri: akri
23 |
24 | deploymentProfiles:
25 | - name: "default-profile"
26 | displayName: "Default Configuration"
27 | applicationProfiles:
28 | - application: "usb-device-plugin"
29 | profile: "default"
30 | - application: "akri"
31 | profile: "default"
32 |
--------------------------------------------------------------------------------
/deployment-package/usb/usb-device-values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
5 | # format: name;vid;pid,name;vid;pid
6 | # sample: wifi-dongle;0bda;0811,gsm-dongle;0bda;2838
7 | usbList: ""
8 |
9 | # This block can deliver definitions of akri
10 | extensionImages:
11 | - "ghcr.io/project-akri/akri/agent:v0.12.20"
12 | - "ghcr.io/project-akri/akri/udev-discovery:v0.12.20"
13 | - "ghcr.io/project-akri/akri/controller:v0.12.20"
14 | - "ghcr.io/project-akri/akri/webhook-configuration:v0.12.20"
15 | - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1"
16 |
--------------------------------------------------------------------------------
/deployment-package/virtualization/values-cdi-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | networkPoliciesEnabled: true
5 | nodeSelector:
6 | kubernetes.io/os: linux
7 |
--------------------------------------------------------------------------------
/deployment-package/virtualization/values-kubevirt-default-nosm.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | networkPoliciesEnabled: true
5 | serviceMonitorEnabled: true
6 | useEmulation: false
7 | nodeSelector:
8 | kubernetes.io/os: linux
9 |
10 | serviceMonitor:
11 | enabled: false
12 |
13 | # format: name;vid;pid,name;vid;pid
14 | # sample: kubevirt.io/usb-1;1234;1234,kubevirt.io/usb-2;1234;1234
15 | usbList: ""
16 |
--------------------------------------------------------------------------------
/deployment-package/virtualization/values-kubevirt-default.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | networkPoliciesEnabled: true
5 | serviceMonitorEnabled: true
6 | useEmulation: false
7 | nodeSelector:
8 | kubernetes.io/os: linux
9 |
10 | serviceMonitor:
11 | enabled: true
12 |
13 | # format: name;vid;pid,name;vid;pid
14 | # sample: kubevirt.io/usb-1;1234;1234,kubevirt.io/usb-2;1234;1234
15 | usbList: ""
16 |
--------------------------------------------------------------------------------
/deployment-package/virtualization/values-kubevirt-software-emulation-nosm.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | networkPoliciesEnabled: true
5 | serviceMonitorEnabled: true
6 | useEmulation: true
7 | nodeSelector:
8 | kubernetes.io/os: linux
9 |
10 | serviceMonitor:
11 | enabled: false
12 |
13 | # format: name;vid;pid,name;vid;pid
14 | # sample: kubevirt.io/usb-1;1234;1234,kubevirt.io/usb-2;1234;1234
15 | usbList: ""
16 |
--------------------------------------------------------------------------------
/deployment-package/virtualization/values-kubevirt-software-emulation.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | networkPoliciesEnabled: true
5 | serviceMonitorEnabled: true
6 | useEmulation: true
7 | nodeSelector:
8 | kubernetes.io/os: linux
9 |
10 | serviceMonitor:
11 | enabled: true
12 |
13 | # format: name;vid;pid,name;vid;pid
14 | # sample: kubevirt.io/usb-1;1234;1234,kubevirt.io/usb-2;1234;1234
15 | usbList: ""
16 |
--------------------------------------------------------------------------------
/deployment-package/virtualization/values-kvhelper.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 |
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/open-edge-platform/cluster-extensions
2 |
3 | go 1.21
4 |
5 | require (
6 | github.com/stretchr/testify v1.10.0
7 | gopkg.in/yaml.v3 v3.0.1
8 | )
9 |
10 | require (
11 | github.com/davecgh/go-spew v1.1.1 // indirect
12 | github.com/pmezard/go-difflib v1.0.0 // indirect
13 | )
14 |
--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
2 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
3 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
4 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
5 | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
6 | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
7 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
8 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
9 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
10 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
11 |
--------------------------------------------------------------------------------
/helm/akri/.gitignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | charts/
5 | Chart.lock
6 |
--------------------------------------------------------------------------------
/helm/akri/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | # Patterns to ignore when building packages.
4 | # This supports shell glob matching, relative path matching, and
5 | # negation (prefixed with !). Only one pattern per line.
6 | .DS_Store
7 | # Common VCS dirs
8 | .git/
9 | .gitignore
10 | .bzr/
11 | .bzrignore
12 | .hg/
13 | .hgignore
14 | .svn/
15 | # Common backup files
16 | *.swp
17 | *.bak
18 | *.tmp
19 | *.orig
20 | *~
21 | # Various IDEs
22 | .project
23 | .idea/
24 | *.tmproj
25 | .vscode/
26 |
--------------------------------------------------------------------------------
/helm/akri/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: akri
6 | description: A wrapper Helm chart for Kubernetes
7 |
8 | # A chart can be either an 'application' or a 'library' chart.
9 | #
10 | # Application charts are a collection of templates that can be packaged into versioned archives
11 | # to be deployed.
12 | #
13 | # Library charts provide useful utilities or functions for the chart developer. They're included as
14 | # a dependency of application charts to inject those utilities and functions into the rendering
15 | # pipeline. Library charts do not define any templates and therefore cannot be deployed.
16 | type: application
17 |
18 | # This is the chart version. This version number should be incremented each time you make changes
19 | # to the chart and its templates, including the app version.
20 | # Versions are expected to follow Semantic Versioning (https://semver.org/)
21 | version: 1.1.0
22 |
--------------------------------------------------------------------------------
/helm/akri/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # Akri Helm Chart
7 |
8 | [https://github.com/project-akri/akri](https://github.com/project-akri/akri)
9 |
10 | ## To update deps
11 |
12 | `helm dependency update extensions/usb/helm/akri/`
13 |
14 | ## To package chart
15 |
16 | `helm package extensions/usb/helm/akri`
17 |
--------------------------------------------------------------------------------
/helm/akri/templates/akri-configurations.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
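{{- /*
Renders one akri Configuration (udev discovery handler) per usbList entry.

usbList is a comma-separated list of "name;vid;pid" entries, e.g.
wifi-dongle;0bda;0811,gsm-dongle;0bda;2838. application.yaml exposes it as a
mandatory deployment parameter, so it is operator-supplied text that ends up
in an object name and inside a udev rule. Every entry is therefore validated
before anything is rendered, and rendering fails on the first entry that is
not well formed instead of emitting a manifest built from it:
  - exactly three ";"-separated fields
  - name: lower-case alphanumerics, "-" and ".", starting and ending
    alphanumeric (the shape Kubernetes object names use)
  - vid / pid: exactly four hexadecimal digits
An empty or unset usbList renders nothing.
*/ -}}
{{- if .Values.usbList }}
{{- range $entry := splitList "," .Values.usbList }}
{{- $parts := splitList ";" $entry }}
{{- if ne (len $parts) 3 }}
{{- fail (printf "usbList entry %q is not in name;vid;pid form" $entry) }}
{{- end }}
{{- $name := index $parts 0 }}
{{- $vid := index $parts 1 }}
{{- $pid := index $parts 2 }}
{{- if not (regexMatch "^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$" $name) }}
{{- fail (printf "usbList name %q is not a valid Kubernetes object name" $name) }}
{{- end }}
{{- if not (and (regexMatch "^[0-9a-fA-F]{4}$" $vid) (regexMatch "^[0-9a-fA-F]{4}$" $pid)) }}
{{- fail (printf "usbList entry %q: vid and pid must each be 4 hex digits" $entry) }}
{{- end }}
---
apiVersion: akri.sh/v0
kind: Configuration
metadata:
  name: {{ $name | quote }}
  namespace: {{ $.Release.Namespace }}
spec:
  discoveryHandler:
    name: udev
    discoveryDetails: |+
      udevRules:
      - SUBSYSTEM=="usb", ATTR{idVendor}=="{{ $vid }}", ATTR{idProduct}=="{{ $pid }}"
  brokerProperties: {}
  capacity: 1
{{- end }}
{{- end }}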
23 |
--------------------------------------------------------------------------------
/helm/akri/templates/np.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
# Calico NetworkPolicy applied to the pods labelled
# app.kubernetes.io/name == 'akri-webhook-configuration' in the release
# namespace. Only Ingress is policed; the rules are listed Deny first, then Allow.
# NOTE(review): Calico documents projectcalico.org/v3 as the supported API;
# objects created directly as crd.projectcalico.org/v1 do not pass through the
# Calico API server's validation and defaulting - confirm this is intentional
# for the target clusters.
3 | apiVersion: crd.projectcalico.org/v1
4 | kind: NetworkPolicy
5 | metadata:
6 | name: ingress
7 | namespace: {{ .Release.Namespace }}
8 | spec:
9 | selector: app.kubernetes.io/name == 'akri-webhook-configuration'
10 | types:
11 | - Ingress
12 | ingress:
# Deny traffic whose source namespace is anything other than kube-system.
13 | - action: Deny
14 | source:
15 | namespaceSelector: kubernetes.io/metadata.name not in {'kube-system'}
# Allow what was not denied above when it is addressed to the webhook Service.
# NOTE(review): the Service namespace below is hard-coded to "akri" while
# metadata.namespace follows the release namespace; the two differ if the
# chart is installed into another namespace - confirm. Also verify that a
# `services` match in the destination of an ingress rule is accepted and
# enforced by the Calico version in use.
16 | - action: Allow
17 | destination:
18 | services:
19 | name: akri-webhook-configuration
20 | namespace: akri
21 |
--------------------------------------------------------------------------------
/helm/akri/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # format: name;vid;pid,name;vid;pid
5 | usbList: "" # sample: wifi-dongle;0bda;0811,gsm-dongle;0bda;2838
6 |
7 | # This block can deliver definitions of akri
8 | extensionImages:
9 | - "ghcr.io/project-akri/akri/agent:v0.12.20"
10 | - "ghcr.io/project-akri/akri/udev-discovery:v0.12.20"
11 | - "ghcr.io/project-akri/akri/controller:v0.12.20"
12 | - "ghcr.io/project-akri/akri/webhook-configuration:v0.12.20"
13 | - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1"
14 |
--------------------------------------------------------------------------------
/helm/cdi/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2022 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Patterns to ignore when building packages.
5 | # This supports shell glob matching, relative path matching, and
6 | # negation (prefixed with !). Only one pattern per line.
7 | .DS_Store
8 | # Common VCS dirs
9 | .git/
10 | .gitignore
11 | .bzr/
12 | .bzrignore
13 | .hg/
14 | .hgignore
15 | .svn/
16 | # Common backup files
17 | *.swp
18 | *.bak
19 | *.tmp
20 | *.orig
21 | *~
22 | # Various IDEs
23 | .project
24 | .idea/
25 | *.tmproj
26 | .vscode/
27 |
28 | tests
29 |
--------------------------------------------------------------------------------
/helm/cdi/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: cdi
6 | description: A Helm chart for Kubernetes
7 |
8 | # A chart can be either an 'application' or a 'library' chart.
9 | #
10 | # Application charts are a collection of templates that can be packaged into versioned archives
11 | # to be deployed.
12 | #
13 | # Library charts provide useful utilities or functions for the chart developer. They're included as
14 | # a dependency of application charts to inject those utilities and functions into the rendering
15 | # pipeline. Library charts do not define any templates and therefore cannot be deployed.
16 | type: application
17 |
18 | # This is the chart version. This version number should be incremented each time you make changes
19 | # to the chart and its templates, including the app version.
20 | # Versions are expected to follow Semantic Versioning (https://semver.org/)
21 | version: 1.70.0
22 |
--------------------------------------------------------------------------------
/helm/cdi/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # Helm Chart
7 |
8 | To install this Helm chart, use the following command:
9 |
10 | `helm install --create-namespace --namespace=cdi cdi PATH_TO_HELM_CHART`
11 |
12 | Then run the following commands to make sure that it was installed successfully:
13 |
14 | ```bash
15 | kubectl wait cdi cdi --for condition=Available --timeout=5m
16 | kubectl get all -n cdi
17 | ```
18 |
--------------------------------------------------------------------------------
/helm/cdi/fleet.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | defaultNamespace: cdi
5 |
--------------------------------------------------------------------------------
/helm/cdi/templates/02-cdi-cr.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: cdi.kubevirt.io/v1beta1
5 | kind: CDI
6 | metadata:
7 | name: cdi
8 | annotations:
9 | "helm.sh/hook": "post-install"
10 | spec:
11 | imagePullPolicy: IfNotPresent
12 | infra:
13 | {{- with .Values.nodeSelector }}
14 | nodeSelector:
15 | {{- toYaml . | nindent 6 }}
16 | {{- end }}
17 | tolerations:
18 | - key: CriticalAddonsOnly
19 | operator: Exists
20 | config:
21 | importProxy:
22 | {{- if .Values.proxy}}
23 | {{ toYaml .Values.proxy |indent 6}}
24 | {{- else }}
25 | {}
26 | {{- end }}
27 | workload:
28 | {{- with .Values.nodeSelector }}
29 | nodeSelector:
30 | {{- toYaml . | nindent 6 }}
31 | {{- end }}
32 |
--------------------------------------------------------------------------------
/helm/cdi/tests/cdi_cr_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test CDI CR
5 | templates:
6 | - 02-cdi-cr.yaml
7 | tests:
8 | - it: should verify metadata
9 | asserts:
10 | - isKind:
11 | of: CDI
12 | - equal:
13 | path: metadata.name
14 | value: cdi
15 | - it: should set default proxy to empty line
16 | asserts:
17 | - equal:
18 | path: spec.config.importProxy
19 | value: {}
20 | - it: should set proxy from test proxy.yaml file
21 | values:
22 | - ./values/proxy.yaml
23 | asserts:
24 | - equal:
25 | path: spec.config.importProxy
26 | value:
27 | HTTPProxy: http://proxy-chain.intel.com:911
28 | HTTPSProxy: http://proxy-chain.intel.com:912
29 | noProxy: localhost,ger.corp.intel.com
30 | - it: should leave import proxy field blank
31 | values:
32 | - ./values/empty_proxy.yaml
33 | asserts:
34 | - equal:
35 | path: spec.config.importProxy
36 | value: {}
37 |
--------------------------------------------------------------------------------
/helm/cdi/tests/values/empty_proxy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | proxy:
5 |
--------------------------------------------------------------------------------
/helm/cdi/tests/values/proxy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | proxy:
5 | HTTPProxy: http://proxy-chain.intel.com:911
6 | HTTPSProxy: http://proxy-chain.intel.com:912
7 | noProxy: localhost,ger.corp.intel.com
8 |
--------------------------------------------------------------------------------
/helm/cdi/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | networkPoliciesEnabled: true
5 | nodeSelector:
6 | kubernetes.io/os: linux
7 | # proxy:
8 | # HTTPProxy: http://http.com:123
9 | # HTTPSProxy: http://https.com:123
10 | # noProxy: http://no-proxy.com:123
11 |
12 | kubectl:
13 | image: bitnami/kubectl:1.31.3
14 |
15 | extensionImages:
16 | - quay.io/kubevirt/cdi-operator:v1.60.2
17 | - quay.io/kubevirt/cdi-controller:v1.60.2
18 | - quay.io/kubevirt/cdi-importer:v1.60.2
19 | - quay.io/kubevirt/cdi-cloner:v1.60.2
20 | - quay.io/kubevirt/cdi-apiserver:v1.60.2
21 | - quay.io/kubevirt/cdi-uploadserver:v1.60.2
22 | - quay.io/kubevirt/cdi-uploadproxy:v1.60.2
23 | - docker.io/library/alpine:3.20.2
24 | - docker.io/bitnami/kubectl:1.31.3
25 |
--------------------------------------------------------------------------------
/helm/edgedns/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 |
5 | tests
6 |
--------------------------------------------------------------------------------
/helm/edgedns/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: edgedns
6 | description: A Helm chart for Edge Orchestrator EdgeDNS
7 | type: application
8 | version: 1.4.0
9 | appVersion: 1.4.0
10 | annotations:
11 | revision: fbda91b32f455ad912ad1772860a5ad3f5b8e1c2
12 | created: "2025-04-24T16:02:48Z"
13 |
--------------------------------------------------------------------------------
/helm/edgedns/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # Helm Chart for EdgeDNS
7 |
8 | This chart instantiates the following components of EdgeDNS:
9 |
10 | 1. `etcd` - backend storage. It saves A-records.
11 | 2. `coredns` - coredns pod to handle actual DNS queries. It reads the available A-records from etcd and returns them to the client.
12 | 3. `external-dns` - reads annotations from services and creates A-records in etcd.
13 |
14 | To run this Helm Chart use the following command:
15 |
16 | `helm install --create-namespace --namespace=<NAMESPACE> edgedns PATH_TO_HELM_CHART`
17 |
18 | To confirm that the Helm chart was installed successfully, run the following commands:
19 |
20 | ```sh
21 | kubectl get all -n <NAMESPACE>
22 | ```
23 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2022 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 |
5 | {{- if .Values.service.externalIPs }}
6 |
7 | Thank you for installing {{ .Chart.Name }} Helm chart.
8 |
9 | To learn more about the release, try:
10 | $ helm -n {{.Release.Namespace}} status {{ .Release.Name }}-coredns
11 | $ helm -n {{.Release.Namespace}} get all {{ .Release.Name }}-coredns
12 |
13 | ---
14 |
15 | revision: {{ .Chart.Annotations.revision }}
16 | created: {{ .Chart.Annotations.created }}
17 |
18 | {{- end }}
--------------------------------------------------------------------------------
/helm/edgedns/templates/coredns-certs.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: cert-manager.io/v1
5 | kind: Certificate
6 | metadata:
7 | name: lp-{{ .Release.Name }}-coredns-tls-cert
8 | spec:
9 | # Secret names are always required
10 | commonName: edgedns-coredns
11 | secretName: edgedns-coredns-client-tls
12 | duration: 720h # 30d
13 | renewBefore: 168h # 7d
14 | subject:
15 | organizations:
16 | - Intel Corporation
17 | countries:
18 | - US
19 | organizationalUnits:
20 | - Edge Orchestrator
21 | usages:
22 | - digital signature
23 | - client auth
24 | dnsNames:
25 | - coredns.edgedns.node.intel.corp
26 | - coredns.edgedns
27 | isCA: false
28 | privateKey:
29 | algorithm: RSA
30 | encoding: PKCS1
31 | size: 4096
32 | issuerRef:
33 | name: edgedns-{{ .Release.Name }}-issuer
34 | kind: Issuer
35 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/coredns-configmap.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Coredns configmap with Corefile template definition
5 | apiVersion: v1
6 | kind: ConfigMap
7 | metadata:
8 | name: {{ .Release.Name }}-coredns
9 | data:
10 | Corefile: |
11 | . {
12 | errors
13 | health
14 | reload 10s
15 | etcd {
16 | endpoint https://{{ .Release.Name }}-etcd-dns:2379
17 | tls /certs/tls.crt /certs/tls.key /certs/ca.crt
18 | fallthrough
19 | }
20 | cache 30
21 | prometheus :9153
22 | rrl . {
23 | responses-per-second {{ .Values.coredns.rrl.responsesPerSecond }}
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/coredns-svc.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Coredns service template definition
# Publishes the CoreDNS pods (selected by the instance/component labels below)
# through a LoadBalancer Service; the address is requested with the MetalLB
# loadBalancerIPs annotation, filled from the staticIp value.
5 | apiVersion: v1
6 | kind: Service
7 | metadata:
8 | name: {{ .Release.Name }}-coredns
9 | labels:
10 | app.kubernetes.io/instance: {{ .Release.Name }}
11 | app.kubernetes.io/component: coredns
12 | annotations:
13 | metallb.universe.tf/loadBalancerIPs: {{ .Values.staticIp }}
14 | spec:
15 | allocateLoadBalancerNodePorts: false
16 | ports:
# NOTE(review): only UDP/53 is published. DNS clients that retry over TCP
# (for example after a truncated response) would not reach CoreDNS through
# this Service - confirm this is intended.
17 | - name: coredns
18 | port: 53
19 | protocol: UDP
20 | targetPort: dns-port
# NOTE(review): the Prometheus metrics port shares the LoadBalancer Service
# with DNS, so it is published on the same load-balancer address unless
# something outside this template restricts it. A separate ClusterIP Service
# for metrics would keep the endpoint cluster-internal.
21 | - name: metrics
22 | port: 9153
23 | protocol: TCP
24 | targetPort: edgedns-metrics
25 | selector:
26 | app.kubernetes.io/instance: {{ .Release.Name }}
27 | app.kubernetes.io/component: coredns
28 | type: LoadBalancer
29 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/edgedns-sm.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | {{- if .Values.edgednsServiceMonitor.enabled }}
5 | apiVersion: monitoring.coreos.com/v1
6 | kind: ServiceMonitor
7 | metadata:
8 | name: edgedns-metrics
9 | namespace: "{{ .Values.observabilityNamespace }}"
10 | labels:
11 | app.kubernetes.io/component: edgedns
12 | spec:
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/instance: edgedns
16 | app.kubernetes.io/component: coredns
17 | endpoints:
18 | - port: metrics
19 | scheme: http
20 | relabelings:
21 | - action: labelmap
22 | regex: __meta_kubernetes_service_label_(.+)
23 | - sourceLabels: [__meta_kubernetes_service_name]
24 | regex: ".*-coredns"
25 | action: keep
26 | - sourceLabels: [__address__]
27 | regex: ".*:9153"
28 | action: keep
29 | - sourceLabels: [__meta_kubernetes_pod_node_name]
30 | action: replace
31 | targetLabel: instance
32 | - sourceLabels: [__meta_kubernetes_pod_name]
33 | action: replace
34 | targetLabel: kubernetes_pod_name
35 | namespaceSelector:
36 | matchNames:
37 | - "{{ .Release.Namespace }}"
38 | {{- end }}
39 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/etcd-certs.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: cert-manager.io/v1
5 | kind: Certificate
6 | metadata:
7 | name: lp-{{ .Release.Name }}-etcd-tls-cert
8 | spec:
9 | # Secret names are always required
10 | commonName: edgedns-etcd-dns
11 | secretName: edgedns-etcd-client-tls
12 | duration: 720h # 30d
13 | renewBefore: 168h # 7d
14 | subject:
15 | organizations:
16 | - Intel Corporation
17 | countries:
18 | - US
19 | organizationalUnits:
20 | - Edge Orchestrator
21 | usages:
22 | - digital signature
23 | - client auth
24 | - server auth
25 | dnsNames:
26 | - {{ .Release.Name }}-etcd-dns
27 | - etcd.edgedns.node.intel.corp
28 | - etcd.edgedns
29 | {{- range $idx := until (int .Values.replicaCount) }}
30 | - {{ $.Release.Name }}-etcd-dns-{{ $idx }}.{{ $.Release.Name }}-etcd-dns
31 | {{- end }}
32 | isCA: false
33 | privateKey:
34 | algorithm: RSA
35 | encoding: PKCS1
36 | size: 4096
37 | issuerRef:
38 | name: edgedns-{{ .Release.Name }}-issuer
39 | kind: Issuer
40 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/etcd-svc.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # etcd service template definition
5 | apiVersion: v1
6 | kind: Service
7 | metadata:
8 | name: {{ .Release.Name }}-etcd-dns
9 | spec:
10 | ports:
11 | - name: etcd-client
12 | port: 2379
13 | protocol: TCP
14 | targetPort: client
15 | - name: etcd-peer
16 | port: 2380
17 | protocol: TCP
18 | targetPort: peer
19 | selector:
20 | app.kubernetes.io/instance: {{ .Release.Name }}
21 | app.kubernetes.io/component: etcd-dns
22 | publishNotReadyAddresses: true
23 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/external-dns-certs.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: cert-manager.io/v1
5 | kind: Certificate
6 | metadata:
7 | name: lp-{{ .Release.Name }}-external-dns-tls-cert
8 | spec:
9 | # Secret names are always required
10 | secretName: edgedns-external-dns-client-tls
11 | duration: 720h # 30d
12 | renewBefore: 168h # 7d
13 | subject:
14 | organizations:
15 | - Intel Corporation
16 | countries:
17 | - US
18 | organizationalUnits:
19 | - Edge Orchestrator
20 | usages:
21 | - digital signature
22 | - client auth
23 | dnsNames:
24 | - external-dns.edgedns.node.intel.corp
25 | - external-dns.edgedns
26 | isCA: false
27 | privateKey:
28 | algorithm: RSA
29 | encoding: PKCS1
30 | size: 4096
31 | issuerRef:
32 | name: edgedns-{{ .Release.Name }}-issuer
33 | kind: Issuer
34 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/external-dns-cluster-role.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # external-dns ClusterRole template definition
5 | apiVersion: rbac.authorization.k8s.io/v1
6 | kind: ClusterRole
7 | metadata:
8 | name: {{ .Release.Name }}-external-dns
9 | rules:
10 | - apiGroups: [""]
11 | resources: ["services"]
12 | verbs: ["get","watch","list"]
13 | - apiGroups: [""]
14 | resources: ["pods"]
15 | verbs: ["get","watch","list"]
16 | - apiGroups: ["networking.k8s.io"]
17 | resources: ["ingresses"]
18 | verbs: ["get","watch","list"]
19 | - apiGroups: [""]
20 | resources: ["nodes"]
21 | verbs: ["list","get","watch"]
22 | - apiGroups: [""]
23 | resources: ["endpoints"]
24 | verbs: ["list","get","watch"]
25 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/external-dns-crb.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # external-dns cluster role binding template definition
5 | apiVersion: rbac.authorization.k8s.io/v1
6 | kind: ClusterRoleBinding
7 | metadata:
8 | name: {{ .Release.Name }}-external-dns-viewer
9 | roleRef:
10 | apiGroup: rbac.authorization.k8s.io
11 | kind: ClusterRole
12 | name: {{ .Release.Name }}-external-dns
13 | subjects:
14 | - kind: ServiceAccount
15 | name: {{ .Release.Name }}-external-dns
16 | namespace: {{ .Release.Namespace }}
17 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/external-dns-service-account.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v1
5 | kind: ServiceAccount
6 | metadata:
7 | name: {{ .Release.Name }}-external-dns
8 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/issuer-cert.yaml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
---
# Certificate generation for selfsigned CA Issuer
#
# This Certificate is the chart's private CA: it is marked isCA, signed by the
# `selfsigned-issuer` Issuer, and its key pair is written to the Secret
# `root-secret`, which the CA Issuer in issuer.yaml reads to sign the leaf
# certificates.
#
# Hook weight "2" orders it after `selfsigned-issuer` (weight "1") and before
# the CA Issuer (weight "3").
#
# NOTE(review): `root-secret` holds the CA private key. Any principal that can
# read Secrets in this namespace can issue certificates that chain to this CA,
# so Secret access in the namespace should be limited accordingly.
# NOTE(review): the object name and `secretName` are fixed strings, while the CA
# Issuer's name includes the release name; two releases in one namespace would
# presumably share or overwrite this CA - confirm that is intended.
# NOTE(review): no `duration`/`renewBefore` is set here (the leaf certificates
# set 720h/168h), so cert-manager's default lifetime applies to the CA. As a
# pre-install hook the object is also outside the release's managed resources;
# confirm how CA rotation and cleanup on uninstall are handled.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: edgedns-selfsigned-ca
  annotations:
    helm.sh/hook: pre-install
    helm.sh/hook-weight: "2"
spec:
  isCA: true
  commonName: edgedns-selfsigned-ca
  # Secret that receives the CA certificate and private key.
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
--------------------------------------------------------------------------------
/helm/edgedns/templates/issuer-root.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Root issuer with selfsigned cert
5 | apiVersion: cert-manager.io/v1
6 | kind: Issuer
7 | metadata:
8 | name: selfsigned-issuer
9 | annotations:
10 | helm.sh/hook: pre-install
11 | helm.sh/hook-weight: "1"
12 | spec:
13 | selfSigned: {}
14 |
--------------------------------------------------------------------------------
/helm/edgedns/templates/issuer.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Issuer for edgedns namespace
5 | apiVersion: cert-manager.io/v1
6 | kind: Issuer
7 | metadata:
8 | name: edgedns-{{ .Release.Name }}-issuer
9 | namespace: {{ .Release.Namespace }}
10 | annotations:
11 | helm.sh/hook: pre-install
12 | helm.sh/hook-weight: "3"
13 | spec:
14 | ca:
15 | secretName: root-secret
16 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/coredns-configmap_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - coredns-configmap.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be a ConfigMap
11 | asserts:
12 | - isKind:
13 | of: ConfigMap
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: my-release-coredns
19 | - it: should have Corefile configuration
20 | asserts:
21 | - isNotEmpty:
22 | path: data.Corefile
23 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/coredns-svc_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - coredns-svc.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be a Service
11 | asserts:
12 | - isKind:
13 | of: Service
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: my-release-coredns
19 | - it: should have correct ports
20 | asserts:
21 | - contains:
22 | path: spec.ports
23 | content:
24 | port: 53
25 | targetPort: dns-port
26 | protocol: UDP
27 | name: coredns
28 | - contains:
29 | path: spec.ports
30 | content:
31 | name: metrics
32 | port: 9153
33 | protocol: TCP
34 | targetPort: edgedns-metrics
35 | - it: should have correct type
36 | asserts:
37 | - equal:
38 | path: spec.type
39 | value: LoadBalancer
40 | - it: should render correct with static IP address
41 | set:
42 | staticIp: 192.168.160.250
43 | asserts:
44 | - equal:
45 | path: metadata.annotations["metallb.universe.tf/loadBalancerIPs"]
46 | value: 192.168.160.250
47 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/edgedns-sm_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - edgedns-sm.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be a ServiceMonitor
11 | asserts:
12 | - isKind:
13 | of: ServiceMonitor
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: edgedns-metrics
19 | - it: should have correct labels
20 | asserts:
21 | - equal:
22 | path: metadata.labels["app.kubernetes.io/component"]
23 | value: edgedns
24 | - it: should have correct selector
25 | asserts:
26 | - equal:
27 | path: spec.selector.matchLabels["app.kubernetes.io/instance"]
28 | value: edgedns
29 | - equal:
30 | path: spec.selector.matchLabels["app.kubernetes.io/component"]
31 | value: coredns
32 | - it: should have correct port name
33 | asserts:
34 | - equal:
35 | path: spec.endpoints[0].port
36 | value: metrics
37 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/etcd-svc_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - etcd-svc.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be a Service
11 | asserts:
12 | - isKind:
13 | of: Service
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: my-release-etcd-dns
19 | - it: should have correct ports exposed
20 | asserts:
21 | - equal:
22 | path: spec.ports[0]
23 | value:
24 | name: etcd-client
25 | port: 2379
26 | protocol: TCP
27 | targetPort: client
28 | - equal:
29 | path: spec.ports[1]
30 | value:
31 | name: etcd-peer
32 | port: 2380
33 | protocol: TCP
34 | targetPort: peer
35 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/external-dns-cluster-role_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - external-dns-cluster-role.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be a ClusterRole
11 | asserts:
12 | - isKind:
13 | of: ClusterRole
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: my-release-external-dns
19 | - it: should have correct rules
20 | asserts:
21 | - isNotEmpty:
22 | path: rules
23 | - contains:
24 | path: rules
25 | content:
26 | apiGroups: [""]
27 | resources: ["services"]
28 | verbs: ["get", "watch", "list"]
29 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/external-dns-crb_test.yaml:
--------------------------------------------------------------------------------
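# SPDX-FileCopyrightText: (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
---
# Unit tests for the external-dns ClusterRoleBinding template.
suite: Test EdgeDNS Helm chart
templates:
  - external-dns-crb.yaml
release:
  name: my-release
  # The template renders the subject namespace from the release namespace, not
  # from a chart value, so the namespace is pinned here. Setting a `namespace`
  # value through `set` has no effect on the rendered binding and left the test
  # asserting helm-unittest's built-in default instead of a real namespace.
  namespace: edge-system
tests:
  - it: should be a ClusterRoleBinding
    asserts:
      - isKind:
          of: ClusterRoleBinding
  - it: should have correct name
    asserts:
      - equal:
          path: metadata.name
          value: my-release-external-dns-viewer
  - it: should have correct roleRef
    asserts:
      - equal:
          path: roleRef.kind
          value: ClusterRole
      - equal:
          path: roleRef.name
          value: my-release-external-dns
  # The subject decides which identity receives the cluster-wide read access,
  # so kind, name and namespace are all checked.
  - it: should have correct subject
    asserts:
      - equal:
          path: subjects[0].kind
          value: ServiceAccount
      - equal:
          path: subjects[0].name
          value: my-release-external-dns
      - equal:
          path: subjects[0].namespace
          value: edge-system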
--------------------------------------------------------------------------------
/helm/edgedns/tests/external-dns-service-account_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - external-dns-service-account.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be a ServiceAccount
11 | asserts:
12 | - isKind:
13 | of: ServiceAccount
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: my-release-external-dns
19 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/external-dns_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - external-dns.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be a Deployment
11 | asserts:
12 | - isKind:
13 | of: Deployment
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: my-release-external-dns
19 | - it: should have correct labels
20 | asserts:
21 | - equal:
22 | path: spec.template.metadata.labels["app.kubernetes.io/instance"]
23 | value: my-release
24 | - equal:
25 | path: spec.template.metadata.labels["app.kubernetes.io/component"]
26 | value: external-dns
27 | - it: should have correct service account
28 | asserts:
29 | - equal:
30 | path: spec.template.spec.serviceAccountName
31 | value: my-release-external-dns
32 | - it: should have container run as non root
33 | asserts:
34 | - equal:
35 | path: spec.template.spec.containers[0].securityContext.runAsNonRoot
36 | value: true
37 | - it: should have etcd backend
38 | asserts:
39 | - contains:
40 | path: spec.template.spec.containers[0].env
41 | content:
42 | name: ETCD_URLS
43 | value: https://my-release-etcd-dns:2379
44 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/issuer-cert_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - issuer-cert.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be an Certificate
11 | asserts:
12 | - isKind:
13 | of: Certificate
14 | - it: should be CA certificate
15 | asserts:
16 | - equal:
17 | path: spec.isCA
18 | value: true
19 | - it: should create secret
20 | asserts:
21 | - equal:
22 | path: spec.secretName
23 | value: root-secret
24 | - it: should refer to correct Issuer
25 | asserts:
26 | - equal:
27 | path: spec.issuerRef.name
28 | value: selfsigned-issuer
29 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/issuer-root_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - issuer-root.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be an Issuer
11 | asserts:
12 | - isKind:
13 | of: Issuer
14 | - it: should refer to correct Issuer
15 | asserts:
16 | - equal:
17 | path: spec.selfSigned
18 | value: {}
19 |
--------------------------------------------------------------------------------
/helm/edgedns/tests/issuer_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test EdgeDNS Helm chart
5 | templates:
6 | - issuer.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should be an Issuer
11 | asserts:
12 | - isKind:
13 | of: Issuer
14 | - it: should have correct name
15 | asserts:
16 | - equal:
17 | path: metadata.name
18 | value: edgedns-my-release-issuer
19 | - it: should have correct secret
20 | asserts:
21 | - equal:
22 | path: spec.ca.secretName
23 | value: root-secret
24 |
--------------------------------------------------------------------------------
/helm/edgedns/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | replicaCount: 3
5 | global:
6 | registry:
7 | name: registry-rs.edgeorchestration.intel.com/
8 | image:
9 | # uncomment to set the URL on a specific chart (this overrides global.registry if set)
10 | # registry:
11 | # name: ""
12 | repository: edge-orch/en/edgedns-coredns
13 | pullPolicy: IfNotPresent
14 | tag: ""
15 | staticIp: 192.168.160.250
16 | storageclass: openebs-lvmpv
17 | edgednsServiceMonitor:
18 | enabled: true
19 | observabilityNamespace: observability
20 | coredns:
21 | # https://github.com/coredns/rrl
22 | rrl:
23 | # responses-per-second ALLOWANCE - the number of positive responses allowed per
24 | # second. Default 0
25 | # https://kb.isc.org/docs/aa-01148
26 | responsesPerSecond: 100
27 | service:
28 | externalIPs: []
29 | ###
30 | extensionImages:
31 | - registry-rs.edgeorchestration.intel.com/edge-orch/en/edgedns-coredns:1.4.0
32 | - registry.k8s.io/external-dns/external-dns:v0.14.2
33 | - quay.io/coreos/etcd:v3.5.15
34 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | # Patterns to ignore when building packages.
5 | # This supports shell glob matching, relative path matching, and
6 | # negation (prefixed with !). Only one pattern per line.
7 | .DS_Store
8 | # Common VCS dirs
9 | .git/
10 | .gitignore
11 | .bzr/
12 | .bzrignore
13 | .hg/
14 | .hgignore
15 | .svn/
16 | # Common backup files
17 | *.swp
18 | *.bak
19 | *.tmp
20 | *.orig
21 | *~
22 | # Various IDEs
23 | .project
24 | .idea/
25 | *.tmproj
26 | .vscode/
27 | tests/
28 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: v2
6 | description: A Helm chart for Gatekeeper Constraints
7 | name: gatekeeper-constraints
8 |
9 | # A chart can be either an 'application' or a 'library' chart.
10 | #
11 | # Application charts are a collection of templates that can be packaged into versioned archives
12 | # to be deployed.
13 | #
14 | # Library charts provide useful utilities or functions for the chart developer. They're included as
15 | # a dependency of application charts to inject those utilities and functions into the rendering
16 | # pipeline. Library charts do not define any templates and therefore cannot be deployed.
17 | type: application
18 |
19 | # This is the chart version. This version number should be incremented each time you make changes
20 | # to the chart and its templates, including the app version.
21 | # Versions are expected to follow Semantic Versioning (https://semver.org/)
22 | version: 1.1.0
23 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/rego/host_pid_ipc/host_pid_ipc_policy.rego:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | package hostnamespace
5 |
6 | violation[{"msg": msg, "details": {}}] {
7 | input_share_hostnamespace(input.review.object)
8 | msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
9 | }
10 |
11 | input_share_hostnamespace(o) {
12 | o.spec.hostPID
13 | }
14 |
15 | input_share_hostnamespace(o) {
16 | o.spec.hostIPC
17 | }
18 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/rego/host_pid_ipc/host_pid_ipc_test.rego:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | package hostnamespace
5 |
6 | review_pod(pod_spec) = out {
7 | out = {"object": {
8 | "kind": "Pod",
9 | "apiVersion": "v1",
10 | "metadata": {"name": "my-pod"},
11 | "spec": pod_spec,
12 | }}
13 | }
14 |
15 | pod_spec(hostIPC, hostPID) = out {
16 | out = {
17 | "name": "container1",
18 | "hostIPC": hostIPC,
19 | "hostPID": hostPID,
20 | }
21 | }
22 |
23 | input_obj(review) = out {
24 | out = {"review": review}
25 | }
26 |
27 | test_has_hostIPC_and_hostPID_false {
28 | input := input_obj(review_pod(pod_spec(false, false)))
29 | results := violation with input as input
30 | count(results) == 0
31 | }
32 |
33 | test_has_hostIPC_and_hostPID_true {
34 | input := input_obj(review_pod(pod_spec(true, true)))
35 | results := violation with input as input
36 | count(results) == 1
37 | }
38 |
39 | test_has_hostIPC_true_hostPID_false {
40 | input := input_obj(review_pod(pod_spec(true, false)))
41 | results := violation with input as input
42 | count(results) == 1
43 | }
44 |
45 | test_has_hostIPC_false_hostPID_true {
46 | input := input_obj(review_pod(pod_spec(false, true)))
47 | results := violation with input as input
48 | count(results) == 1
49 | }
50 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/rego/hostnetwork/hostnetwork_policy.rego:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | package rego.hostnetwork
5 |
6 | violation[{"msg": msg, "details": {}}] {
7 | input_share_hostnetwork(input.review.object)
8 | msg := sprintf("HostNetwork is not allowed, pod: %v.", [input.review.object.metadata.name])
9 | }
10 |
11 | input_share_hostnetwork(o) {
12 | o.spec.hostNetwork == true
13 | }
14 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/rego/hostnetwork/hostnetwork_test.rego:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | package rego.hostnetwork
5 |
6 | import data.rego.libs.exempt_container.is_exempt
7 |
8 | review_pod(pod_spec) = out {
9 | out = {"object": {
10 | "kind": "Pod",
11 | "apiVersion": "v1",
12 | "metadata": {"name": "my-pod"},
13 | "spec": pod_spec,
14 | }}
15 | }
16 |
17 | pod_spec(hostnetwork) = out {
18 | out = {
19 | "name": "container1",
20 | "hostNetwork": hostnetwork,
21 | }
22 | }
23 |
24 | input_obj(review) = out {
25 | out = {"review": review}
26 | }
27 |
28 | test_has_hostnetwork_as_false {
29 | input := input_obj(review_pod(pod_spec(false)))
30 | results := violation with input as input
31 | count(results) == 0
32 | }
33 |
34 | test_has_hostnetwork_as_true {
35 | input := input_obj(review_pod(pod_spec(true)))
36 | results := violation with input as input
37 | count(results) == 1
38 | }
39 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/rego/privilegedcontainer/privilegedcontainer_policy.rego:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
package rego.privilegedcontainer

# Reports each container (regular, init or ephemeral) that sets
# securityContext.privileged and is not covered by an image exemption.
violation[{"msg": msg, "details": {}}] {
    c := input_containers[_]
    not is_exempt(c)
    not is_exempt_within_namespace(c)
    c.securityContext.privileged
    msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
}

# Set of all containers of the reviewed object: spec.containers,
# spec.initContainers and spec.ephemeralContainers.
input_containers[c] {
    c := input.review.object.spec.containers[_]
}

input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}

input_containers[c] {
    c := input.review.object.spec.ephemeralContainers[_]
}

###LIBRARY###

# True when the container image matches an entry of parameters.exemptImages.
# A missing `parameters` object or key is read as an empty list.
# NOTE(review): the decision rests on the image string in the pod spec only;
# nothing here ties it to a digest or a verified signature.
is_exempt(container) {
    exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
    img := container.image
    exemption := exempt_images[_]
    _matches_exemption(img, exemption)
}

# True when "<namespace>/<image>" matches an entry of
# parameters.namespaceOnlyExemptImages, which limits an exemption to one
# namespace.
is_exempt_within_namespace(container) {
    exemptions := object.get(object.get(input, "parameters", {}), "namespaceOnlyExemptImages", [])
    nsimg := concat("/", [input.review.object.metadata.namespace, container.image])
    exemption := exemptions[_]
    _matches_exemption(nsimg, exemption)
}

# Entry without a trailing "*": exact string comparison.
_matches_exemption(img, exemption) {
    not endswith(exemption, "*")
    exemption == img
}

# Entry with a trailing "*": prefix comparison on the text before the "*".
# NOTE(review): the prefix is a plain string prefix, so an entry should end at a
# registry or repository boundary (for example right after a "/"); otherwise it
# also exempts unrelated images whose names merely start with the same text.
_matches_exemption(img, exemption) {
    endswith(exemption, "*")
    prefix := trim_suffix(exemption, "*")
    startswith(img, prefix)
}
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/rego/privilegeescalation/privilegeescalation_policy.rego:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
package rego.privilegeescalation

# Reports each container (regular, init or ephemeral) that is not covered by an
# image exemption and that disallow_privilege_escalation matches.
violation[{"msg": msg, "details": {}}] {
    c := input_containers[_]
    not is_exempt(c)
    not is_exempt_within_namespace(c)
    disallow_privilege_escalation(c)
    msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
}

# Matches only a container that sets allowPrivilegeEscalation to true explicitly.
# NOTE(review): a container that omits the field, or has no securityContext at
# all, does not match and is admitted, while Kubernetes treats an unset
# allowPrivilegeEscalation as permitting escalation. If the intent is to require
# an explicit `false`, the body would be
# `not c.securityContext.allowPrivilegeEscalation == false` - confirm against
# the profiles that enable this constraint before tightening.
disallow_privilege_escalation(c) {
    c.securityContext.allowPrivilegeEscalation == true
}

# Set of all containers of the reviewed object: spec.containers,
# spec.initContainers and spec.ephemeralContainers.
input_containers[c] {
    c := input.review.object.spec.containers[_]
}

input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}

input_containers[c] {
    c := input.review.object.spec.ephemeralContainers[_]
}

###LIBRARY###

# True when the container image matches an entry of parameters.exemptImages.
# A missing `parameters` object or key is read as an empty list.
# NOTE(review): the decision rests on the image string in the pod spec only;
# nothing here ties it to a digest or a verified signature.
is_exempt(container) {
    exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
    img := container.image
    exemption := exempt_images[_]
    _matches_exemption(img, exemption)
}

# True when "<namespace>/<image>" matches an entry of
# parameters.namespaceOnlyExemptImages, which limits an exemption to one
# namespace.
is_exempt_within_namespace(container) {
    exemptions := object.get(object.get(input, "parameters", {}), "namespaceOnlyExemptImages", [])
    nsimg := concat("/", [input.review.object.metadata.namespace, container.image])
    exemption := exemptions[_]
    _matches_exemption(nsimg, exemption)
}

# Entry without a trailing "*": exact string comparison.
_matches_exemption(img, exemption) {
    not endswith(exemption, "*")
    exemption == img
}

# Entry with a trailing "*": prefix comparison on the text before the "*".
# NOTE(review): the prefix is a plain string prefix, so an entry should end at a
# registry or repository boundary (for example right after a "/"); otherwise it
# also exempts unrelated images whose names merely start with the same text.
_matches_exemption(img, exemption) {
    endswith(exemption, "*")
    prefix := trim_suffix(exemption, "*")
    startswith(img, prefix)
}
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/rego/sysctls/sysctls_policy.rego:
--------------------------------------------------------------------------------
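# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
package rego.sysctls

# Emits one violation per pod-level sysctl (spec.securityContext.sysctls[].name)
# that no entry of the allow-list accepts.
violation[{"msg": msg, "details": {}}] {
    sysctl := input.review.object.spec.securityContext.sysctls[_].name
    not allowed_sysctl(sysctl)

    # The message reads the allow-list through allowed_sysctls, which is always
    # defined. Referencing input.parameters.allowedSysctls directly would leave
    # msg, and with it the whole rule, undefined whenever the constraint omits
    # the parameter, so the policy would report nothing in that case.
    msg := sprintf("The sysctl %v is not allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowed_sysctls])
}

# Allow-list taken from the constraint parameters. A missing `parameters`
# object or `allowedSysctls` key is read as an empty list, i.e. nothing is
# allowed, which matches the behaviour of an explicit empty list.
allowed_sysctls = out {
    out := object.get(object.get(input, "parameters", {}), "allowedSysctls", [])
}

# * may be used to allow all sysctls
allowed_sysctl(sysctl) {
    allowed_sysctls[_] == "*"
}

# Exact match against an allow-list entry.
allowed_sysctl(sysctl) {
    allowed_sysctls[_] == sysctl
}

# Prefix match: an entry ending in "*" allows every sysctl whose name starts
# with the text before the "*".
allowed_sysctl(sysctl) {
    allowed := allowed_sysctls[_]
    endswith(allowed, "*")
    startswith(sysctl, trim_suffix(allowed, "*"))
}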
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/capabilities_constraint.yaml:
--------------------------------------------------------------------------------
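# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
{{- if .Values.policies.constraints.capabilities.enabled }}
# Gatekeeper constraint of kind Capabilities, applied to Pods and enforced with
# `deny`. Rendered only when policies.constraints.capabilities.enabled is set.
#
# NOTE(review): the hook annotation is post-install only, so this object is
# presumably not re-rendered on upgrade; confirm that later changes to the
# allow-list or exemptions actually reach the cluster.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: Capabilities
metadata:
  name: capabilities
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-weight: "3"
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      {{- range .Values.policies.constraints.capabilities.excludedNamespaces }}
      - {{ . | quote }}
      {{- end }}
    # The constraint applies only to pods that do not carry the label
    # bypass-capabilities and whose namespace does not carry it either.
    # NOTE(review): pod labels are chosen by whoever submits the pod, so the
    # pod-level selector is an opt-out available to every pod author. Confirm
    # that use of this label is restricted by another control, or keep only the
    # namespace-level selector.
    labelSelector:
      matchExpressions:
        - key: bypass-capabilities
          operator: DoesNotExist
    namespaceSelector:
      matchExpressions:
        - key: bypass-capabilities
          operator: DoesNotExist
  parameters:
    # Lists are serialised with toJson. Printing a list value directly yields
    # space-separated items in brackets, which YAML reads as a single string
    # once the list has more than one entry, and which is invalid YAML for an
    # entry such as a bare asterisk.
    allowedCapabilities: {{ .Values.policies.constraints.capabilities.allowedCapabilities | toJson }}
    exemptImages: {{ .Values.policies.exemptImages | toJson }}
  enforcementAction: deny
{{- end }}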
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/host_namespace-constraint.yaml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
{{- if .Values.policies.constraints.hostNamespace.enabled }}
# Gatekeeper constraint of kind HostNamespace, applied to Pods and enforced with
# `deny`. Rendered only when policies.constraints.hostNamespace.enabled is set.
#
# NOTE(review): the hook annotation is post-install only, so this object is
# presumably not re-rendered on upgrade; confirm that later changes to the
# excluded namespaces actually reach the cluster.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: HostNamespace
metadata:
  name: host-namespace
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-weight: "3"
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      {{- range .Values.policies.constraints.hostNamespace.excludedNamespaces }}
      - {{ . | quote }}
      {{- end }}
    # The constraint applies only to pods that do not carry the label
    # bypass-host-namespace and whose namespace does not carry it either.
    # NOTE(review): pod labels are chosen by whoever submits the pod, so the
    # pod-level selector is an opt-out available to every pod author. Confirm
    # that use of this label is restricted by another control, or keep only the
    # namespace-level selector.
    labelSelector:
      matchExpressions:
        - key: bypass-host-namespace
          operator: DoesNotExist
    namespaceSelector:
      matchExpressions:
        - key: bypass-host-namespace
          operator: DoesNotExist
  enforcementAction: deny
{{- end }}
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/host_network_constraint.yaml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
{{- if .Values.policies.constraints.hostNetwork.enabled }}
# Gatekeeper constraint of kind HostNetwork, applied to Pods and enforced with
# `deny`. Rendered only when policies.constraints.hostNetwork.enabled is set.
#
# NOTE(review): the hook annotation is post-install only, so this object is
# presumably not re-rendered on upgrade; confirm that later changes to the
# excluded namespaces actually reach the cluster.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: HostNetwork
metadata:
  name: host-network
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-weight: "3"
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      {{- range .Values.policies.constraints.hostNetwork.excludedNamespaces }}
      - {{ . | quote }}
      {{- end }}
    # The constraint applies only to pods that do not carry the label
    # bypass-host-network and whose namespace does not carry it either.
    # NOTE(review): pod labels are chosen by whoever submits the pod, so the
    # pod-level selector is an opt-out available to every pod author. Confirm
    # that use of this label is restricted by another control, or keep only the
    # namespace-level selector.
    labelSelector:
      matchExpressions:
        - key: bypass-host-network
          operator: DoesNotExist
    namespaceSelector:
      matchExpressions:
        - key: bypass-host-network
          operator: DoesNotExist
  enforcementAction: deny
{{- end }}
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/host_network_template.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: templates.gatekeeper.sh/v1
5 | kind: ConstraintTemplate
6 | metadata:
7 | name: hostnetwork
8 | annotations:
9 | metadata.gatekeeper.sh/title: "Host Network"
10 | description: >-
11 | Controls usage of host network namespace by pod containers.
12 | Corresponds to the `hostNetwork` fields in a PodSecurityPolicy.
13 | spec:
14 | crd:
15 | spec:
16 | names:
17 | kind: HostNetwork
18 | validation:
19 | # Schema for the `parameters` field
20 | openAPIV3Schema:
21 | type: object
22 | description: >-
23 | Controls usage of host network namespace by pod containers.
24 | Corresponds to the `hostNetwork` field in a PodSecurityPolicy.
25 | targets:
26 | - target: admission.k8s.gatekeeper.sh
27 | rego: |
28 | {{.Files.Get "rego/hostnetwork/hostnetwork_policy.rego" | indent 8 }}
29 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/host_path_template.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: templates.gatekeeper.sh/v1
5 | kind: ConstraintTemplate
6 | metadata:
7 | name: volumetypes
8 | annotations:
9 | metadata.gatekeeper.sh/title: "Volume Types"
10 | description: >-
11 | Forbids hostPath volume type.
12 | Corresponds to the `volumes` field in a PodSecurityPolicy.
13 | spec:
14 | crd:
15 | spec:
16 | names:
17 | kind: VolumeTypes
18 | validation:
19 | # Schema for the `parameters` field
20 | openAPIV3Schema:
21 | type: object
22 | description: >-
23 | Forbids hostPath volume type.
24 | Corresponds to the `volumes` field in a PodSecurityPolicy.
25 | properties:
26 | exemptImages:
27 | description: >-
28 | Any container that uses an image that matches an entry in this list will be excluded
29 | from enforcement.
30 | type: array
31 | items:
32 | type: string
33 | namespaceOnlyExemptImages:
34 | description: >-
35 | Any container running in a specific namespace that uses an image that matches an entry
36 | in this list will be excluded from enforcement. Prefix-matching can
37 | be signified with `*`. For example: `my-image-*`.
38 | type: array
39 | items:
40 | type: string
41 | targets:
42 | - target: admission.k8s.gatekeeper.sh
43 | rego: |
44 | {{.Files.Get "rego/hostpath/hostpath_policy.rego" | indent 8 }}
45 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/host_pid_ipc_template.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: templates.gatekeeper.sh/v1
5 | kind: ConstraintTemplate
6 | metadata:
7 | name: hostnamespace
8 | annotations:
9 | metadata.gatekeeper.sh/title: "Host Namespace"
10 | description: >-
11 | Disallows sharing of host PID and IPC namespaces by pod containers.
12 | Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
13 | spec:
14 | crd:
15 | spec:
16 | names:
17 | kind: HostNamespace
18 | validation:
19 | # Schema for the `parameters` field
20 | openAPIV3Schema:
21 | type: object
22 | description: >-
23 | Disallows sharing of host PID and IPC namespaces by pod containers.
24 | Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
25 | targets:
26 | - target: admission.k8s.gatekeeper.sh
27 | rego: |
28 | {{.Files.Get "rego/host_pid_ipc/host_pid_ipc_policy.rego" | indent 8 }}
29 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/host_ports_constraint.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
     # Gatekeeper constraint of kind HostPorts. Rendered only when
     # policies.constraints.hostPorts.enabled is set; applies to Pods and denies violations.
4 | {{- if .Values.policies.constraints.hostPorts.enabled }}
5 | apiVersion: constraints.gatekeeper.sh/v1beta1
6 | kind: HostPorts
7 | metadata:
8 | name: host-ports
9 | annotations:
     # post-install only: Helm creates this object after the first install and does not re-run
     # the hook on upgrade, so later changes to the values used below do not reach the cluster
     # through `helm upgrade`. Hook resources are also left in place by `helm uninstall`.
     # Presumably a hook so that the HostPorts CRD exists before the constraint - confirm.
10 | helm.sh/hook: post-install
11 | helm.sh/hook-weight: "3"
12 | spec:
13 | match:
14 | kinds:
15 | - apiGroups: [""]
16 | kinds: ["Pod"]
     # Namespaces listed in policies.constraints.hostPorts.excludedNamespaces are never checked.
17 | excludedNamespaces:
18 | {{- range .Values.policies.constraints.hostPorts.excludedNamespaces }}
19 | - {{ . | quote }}
20 | {{- end }}
     # Pods that carry the label key bypass-host-ports are out of scope for this constraint.
     # Pod labels are chosen by whoever creates the pod, so this opt-out is only as strong as
     # the control over who may use that label; audit its use or restrict it separately.
21 | labelSelector:
22 | matchExpressions:
23 | - key: bypass-host-ports
24 | operator: DoesNotExist
     # Same opt-out at namespace level: namespaces labelled bypass-host-ports are skipped.
25 | namespaceSelector:
26 | matchExpressions:
27 | - key: bypass-host-ports
28 | operator: DoesNotExist
29 | parameters:
     # NOTE(review): a list value is printed by the template engine as `[a b]`, which YAML reads
     # as one entry "a b". Confirm the shape of policies.exemptImages in values.yaml and pipe it
     # through toJson if it can hold more than one image.
30 | exemptImages: {{ .Values.policies.exemptImages }}
     # allowHostPort, min and max are handed unchanged to the HostPorts template's rego, which is
     # not part of this file; the allowed range is therefore defined entirely by chart values.
31 | allowHostPort: {{ .Values.policies.constraints.hostPorts.allowedHostPort }}
32 | min: {{ .Values.policies.constraints.hostPorts.allowedHostPortMin }}
33 | max: {{ .Values.policies.constraints.hostPorts.allowedHostPortMax }}
     # deny: violating pods are rejected at admission rather than only reported.
34 | enforcementAction: deny
35 | {{- end }}
36 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/podmonitor.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
     # PodMonitor (monitoring.coreos.com/v1) for the Gatekeeper pods' `metrics` port, created in
     # the release namespace. Rendered only when podMonitor.enabled is set.
4 | ---
5 | {{- if .Values.podMonitor.enabled }}
6 | apiVersion: monitoring.coreos.com/v1
7 | kind: PodMonitor
8 | metadata:
9 | name: gatekeeper-metrics-monitor
10 | namespace: {{ .Release.Namespace }}
11 | spec:
12 | jobLabel: "app.kubernetes.io/name"
13 | selector:
14 | matchLabels:
15 | app: gatekeeper
     # NOTE(review): app_kubernetes_io_name looks like the Prometheus-sanitised form of
     # app.kubernetes.io/name. matchLabels compares real pod labels, so confirm the Gatekeeper
     # pods actually carry this key; otherwise the selector matches nothing.
16 | app_kubernetes_io_name: gatekeeper
17 | podMetricsEndpoints:
18 | - port: metrics
     # Scraped over plain HTTP: the metrics cross the pod network unencrypted and the scraper
     # does not verify which endpoint it is talking to. Until the TLS block below is enabled,
     # limit access to the metrics port with a NetworkPolicy.
19 | scheme: http
20 | # TODO: Enable HTTPS connection with gatekeeper
21 | #scheme: https
22 | #tlsConfig:
23 | #serverName: gatekeeper
24 | #ca:
25 | #secret:
26 | #key: ca.crt
27 | #name: gatekeeper-tls
28 | #cert:
29 | #secret:
30 | #key: tls.crt
31 | #name: gatekeeper-tls
32 | #keySecret:
33 | #key: tls.key
34 | #name: gatekeeper-tls
35 | relabelings:
     # Copies every pod label onto the scraped series.
36 | - action: labelmap
37 | regex: __meta_kubernetes_pod_label_(.+)
     # Keep only targets whose pod name starts with "gatekeeper".
38 | - sourceLabels: [__meta_kubernetes_pod_name]
39 | regex: "gatekeeper.*"
40 | action: keep
     # Keep only targets whose address ends in the configured metricsPort.
41 | - sourceLabels: [__address__]
42 | regex: ".*:{{ .Values.metricsPort }}"
43 | action: keep
     # `instance` is set to the node name and `kubernetes_pod_name` to the pod name.
44 | - sourceLabels: [__meta_kubernetes_pod_node_name]
45 | action: replace
46 | targetLabel: instance
47 | - sourceLabels: [__meta_kubernetes_pod_name]
48 | action: replace
49 | targetLabel: kubernetes_pod_name
50 | {{- end}}
51 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/privileged_container_constraint.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
     # Gatekeeper constraint of kind PrivilegedContainer. Rendered only when
     # policies.constraints.privilegedContainer.enabled is set; applies to Pods, action deny.
4 | {{- if .Values.policies.constraints.privilegedContainer.enabled }}
5 | apiVersion: constraints.gatekeeper.sh/v1beta1
6 | kind: PrivilegedContainer
7 | metadata:
8 | name: privileged-container
9 | annotations:
     # Created by a post-install hook only. Helm does not re-run post-install hooks on upgrade,
     # so edits to excludedNamespaces or exemptImages in values are not applied by
     # `helm upgrade`, and the object is not removed by `helm uninstall`.
10 | helm.sh/hook: post-install
11 | helm.sh/hook-weight: "3"
12 | spec:
13 | match:
14 | kinds:
15 | - apiGroups: [""]
16 | kinds: ["Pod"]
17 | excludedNamespaces:
18 | {{- range .Values.policies.constraints.privilegedContainer.excludedNamespaces }}
19 | - {{ . | quote }}
20 | {{- end }}
     # A pod labelled bypass-privilege-container is not evaluated at all. Because the pod's
     # author sets pod labels, treat this label as a privilege grant: restrict or audit who
     # may apply it, since it allows privileged containers in otherwise enforced namespaces.
21 | labelSelector:
22 | matchExpressions:
23 | - key: bypass-privilege-container
24 | operator: DoesNotExist
     # Namespaces carrying the same label key are skipped as a whole.
25 | namespaceSelector:
26 | matchExpressions:
27 | - key: bypass-privilege-container
28 | operator: DoesNotExist
29 | parameters:
     # NOTE(review): rendered without toJson; a multi-entry list would print as `[a b]` and be
     # parsed as a single string. Confirm the type of policies.exemptImages in values.yaml.
30 | exemptImages: {{ .Values.policies.exemptImages }}
31 | enforcementAction: deny
32 | {{- end }}
33 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/privileged_escalation_constraint.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
     # Gatekeeper constraint of kind PrivilegeEscalationContainer. Rendered only when
     # policies.constraints.privilegedEscalation.enabled is set; applies to Pods, action deny.
4 | {{- if .Values.policies.constraints.privilegedEscalation.enabled }}
5 | apiVersion: constraints.gatekeeper.sh/v1beta1
6 | kind: PrivilegeEscalationContainer
7 | metadata:
8 | name: privilege-escalation-container
9 | annotations:
     # post-install hook: created once after install. Value changes are not rolled out by
     # `helm upgrade`, and `helm uninstall` leaves the constraint in the cluster.
10 | helm.sh/hook: post-install
11 | helm.sh/hook-weight: "3"
12 | spec:
13 | match:
14 | kinds:
15 | - apiGroups: [""]
16 | kinds: ["Pod"]
17 | excludedNamespaces:
18 | {{- range .Values.policies.constraints.privilegedEscalation.excludedNamespaces }}
19 | - {{ . | quote }}
20 | {{- end }}
     # Opt-out by label: pods (labelSelector) and namespaces (namespaceSelector) that carry
     # bypass-privilege-escalation are not evaluated. The pod-level label is set by the pod's
     # creator, so control over that label decides who can opt out of this policy.
21 | labelSelector:
22 | matchExpressions:
23 | - key: bypass-privilege-escalation
24 | operator: DoesNotExist
25 | namespaceSelector:
26 | matchExpressions:
27 | - key: bypass-privilege-escalation
28 | operator: DoesNotExist
29 | parameters:
     # NOTE(review): printed as `[a b]` if the value is a list, which YAML reads as one entry;
     # confirm the value's type in values.yaml or render it through toJson.
30 | exemptImages: {{ .Values.policies.exemptImages }}
31 | enforcementAction: deny
32 | {{- end }}
33 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/read_only_root_fs_constraint.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
     # Gatekeeper constraint of kind ReadOnlyRootFileSystem. Rendered only when
     # policies.constraints.readOnlyFs.enabled is set; applies to Pods, action deny.
4 | {{- if .Values.policies.constraints.readOnlyFs.enabled }}
5 | apiVersion: constraints.gatekeeper.sh/v1beta1
6 | kind: ReadOnlyRootFileSystem
7 | metadata:
8 | name: readonlyrootfilesystem
9 | annotations:
     # Created by a post-install hook; not re-applied on `helm upgrade`, not removed on
     # `helm uninstall`.
10 | helm.sh/hook: post-install
11 | helm.sh/hook-weight: "3"
12 | spec:
13 | match:
14 | kinds:
15 | - apiGroups: [""]
16 | kinds: ["Pod"]
17 | excludedNamespaces:
18 | {{- range .Values.policies.constraints.readOnlyFs.excludedNamespaces }}
19 | - {{ . | quote }}
20 | {{- end }}
     # Pods and namespaces labelled bypass-read-only-root-filesystem are skipped. The pod label
     # is self-assigned by the pod's creator; audit where it appears.
21 | labelSelector:
22 | matchExpressions:
23 | - key: bypass-read-only-root-filesystem
24 | operator: DoesNotExist
25 | namespaceSelector:
26 | matchExpressions:
27 | - key: bypass-read-only-root-filesystem
28 | operator: DoesNotExist
29 | parameters:
     # Two exemption lists, by image and by container name. A container name is chosen freely
     # in the pod spec, so a name-based exemption presumably covers any pod that reuses the
     # name - confirm how the rego (not shown here) applies it.
     # NOTE(review): both values are rendered without toJson; a multi-entry list prints as
     # `[a b]`, which YAML parses as one string. Confirm their types in values.yaml.
30 | exemptImages: {{ .Values.policies.exemptImages }}
31 | exemptContainerNames: {{ .Values.policies.constraints.readOnlyFs.exemptContainerNames }}
32 | enforcementAction: deny
33 | {{- end }}
34 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/sysctls_constraint.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
     # Gatekeeper constraint of kind AllowedSysctls. Rendered only when
     # policies.constraints.sysctls.enabled is set; applies to Pods, action deny.
4 | {{- if .Values.policies.constraints.sysctls.enabled }}
5 | apiVersion: constraints.gatekeeper.sh/v1beta1
6 | kind: AllowedSysctls
7 | metadata:
8 | name: allowed-sysctls
     # NOTE(review): the sibling constraints in this chart set no namespace, and Gatekeeper
     # constraints are cluster-scoped, so this field presumably has no effect - confirm and
     # drop it for consistency.
9 | namespace: gatekeeper-system
10 | annotations:
     # post-install hook: not re-applied on `helm upgrade`, not removed on `helm uninstall`.
11 | helm.sh/hook: post-install
12 | helm.sh/hook-weight: "3"
13 | spec:
14 | match:
15 | kinds:
16 | - apiGroups: [""]
17 | kinds: ["Pod"]
18 | excludedNamespaces:
19 | {{- range .Values.policies.constraints.sysctls.excludedNamespaces }}
20 | - {{ . | quote }}
21 | {{- end }}
     # Pods and namespaces labelled bypass-allowed-sysctls are skipped. The pod label is set by
     # the pod's creator, so it works as a self-service opt-out unless restricted elsewhere.
22 | labelSelector:
23 | matchExpressions:
24 | - key: bypass-allowed-sysctls
25 | operator: DoesNotExist
26 | namespaceSelector:
27 | matchExpressions:
28 | - key: bypass-allowed-sysctls
29 | operator: DoesNotExist
30 | parameters:
     # Allow-list passed to the AllowedSysctls template. Its schema description states that a
     # `*` entry allows all sysctls, which would turn this constraint into a no-op; keep the
     # list explicit.
     # NOTE(review): rendered without toJson; a multi-entry list prints as `[a b]` and is read
     # by YAML as one string. Confirm the value's type in values.yaml.
31 | allowedSysctls: {{ .Values.policies.constraints.sysctls.allowedSysctls }}
32 | enforcementAction: deny
33 | {{- end }}
34 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/sysctls_template.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: templates.gatekeeper.sh/v1
5 | kind: ConstraintTemplate
6 | metadata:
7 | name: allowedsysctls
8 | annotations:
9 | metadata.gatekeeper.sh/title: "Allowed Sysctls"
10 | description: >-
11 | Controls the `sysctl` profile used by containers.
12 | spec:
13 | crd:
14 | spec:
15 | names:
16 | kind: AllowedSysctls
17 | validation:
18 | # Schema for the `parameters` field
19 | openAPIV3Schema:
20 | type: object
21 | description: >-
22 | "Controls the `sysctl` profile used by containers. Corresponds to the `allowedSysctls` fields in a PodSecurityPolicy."
23 | properties:
24 | allowedSysctls:
25 | type: array
26 | description: "An allow-list of sysctls. `*` allows all sysctls."
27 | items:
28 | type: string
29 | targets:
30 | - target: admission.k8s.gatekeeper.sh
31 | rego: |
32 | {{.Files.Get "rego/sysctls/sysctls_policy.rego" | indent 8 }}
33 |
--------------------------------------------------------------------------------
/helm/gatekeeper-constraints/templates/volume_types_constraint.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
     # Gatekeeper constraint of kind VolumeTypes (the template that forbids hostPath volumes).
     # Rendered only when policies.constraints.volumeTypes.enabled is set; Pods, action deny.
4 | {{- if .Values.policies.constraints.volumeTypes.enabled }}
5 | apiVersion: constraints.gatekeeper.sh/v1beta1
6 | kind: VolumeTypes
7 | metadata:
8 | name: volume-types
9 | annotations:
     # post-install hook: not re-applied on `helm upgrade`, not removed on `helm uninstall`.
10 | helm.sh/hook: post-install
11 | helm.sh/hook-weight: "3"
12 | spec:
13 | match:
14 | kinds:
15 | - apiGroups: [""]
16 | kinds: ["Pod"]
17 | excludedNamespaces:
18 | {{- range .Values.policies.constraints.volumeTypes.excludedNamespaces }}
19 | - {{ . | quote }}
20 | {{- end }}
     # A pod labelled bypass-volume-types is not checked, so it may mount hostPath volumes.
     # The label is set by the pod's creator; restrict or audit its use accordingly.
21 | labelSelector:
22 | matchExpressions:
23 | - key: bypass-volume-types
24 | operator: DoesNotExist
     # Namespaces carrying the same label key are skipped as a whole.
25 | namespaceSelector:
26 | matchExpressions:
27 | - key: bypass-volume-types
28 | operator: DoesNotExist
29 | parameters:
     # NOTE(review): the template also declares namespaceOnlyExemptImages, which is not set
     # here. exemptImages is rendered without toJson; a multi-entry list prints as `[a b]` and
     # is parsed as one string - confirm the value's type in values.yaml.
30 | exemptImages: {{ .Values.policies.exemptImages }}
31 | enforcementAction: deny
32 | {{- end }}
33 |
--------------------------------------------------------------------------------
/helm/intel-gpu-debug/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: intel-gpu-debug
6 | description: Job for Intel GPU debug
7 | type: application
8 |
9 | version: 1.3.0
10 |
11 | appVersion: 1.3.0
12 |
--------------------------------------------------------------------------------
/helm/intel-gpu-debug/templates/intel-gpu-debug-pod.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
     # Debug pod: lists /dev/dri, runs xpu-smi discovery, lshw and an OpenVINO device query,
     # then sleeps for an hour so the output can be read from the logs.
3 | ---
4 | apiVersion: v1
5 | kind: Pod
6 | metadata:
7 | name: gpu-debug
     # No restartPolicy is set, so the Pod default (Always) applies: the container is restarted
     # after the sleep ends and this privileged pod stays on the node until it is deleted.
8 | spec:
9 | containers:
10 | - name: gpu-debug
     # Registry and image (including the tag) come from values.yaml. The image is re-pulled on
     # every start; for a privileged workload prefer a reference pinned by digest.
11 | image: {{ .Values.registry }}/{{ .Values.image }}
12 | imagePullPolicy: Always
13 | command: ["/bin/bash", "-c", "ls /dev/dri/; xpu-smi discovery; lshw -C display; python3 /usr/share/openvino/samples/python/hello_query_device/hello_query_device.py; sleep 3600"]
14 | resources:
15 | limits:
16 | gpu.intel.com/i915: 1
17 | securityContext:
     # privileged gives the container full access to the node, well beyond one GPU device.
     # NOTE(review): the i915 resource limit above already requests a device, and the
     # commented runAsGroup below hints at a group-based alternative - confirm whether
     # privileged can be dropped. A PrivilegedContainer admission policy will reject this
     # pod unless it is explicitly exempted.
18 | privileged: true
19 | #runAsGroup: 110
--------------------------------------------------------------------------------
/helm/intel-gpu-debug/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | registry: registry-rs.edgeorchestration.intel.com
5 | image: edge-orch/en/intel-gpu-debug:1.3.0
6 |
--------------------------------------------------------------------------------
/helm/kubevirt-helper/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: kubevirt-helper
6 | description: A Helm chart for KubeVirt Helper service
7 | type: application
8 | version: 1.5.0
9 | appVersion: 1.5.0
10 | annotations: {}
11 |
--------------------------------------------------------------------------------
/helm/kubevirt-helper/templates/certificate.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
     # cert-manager Certificate for the kubevirt-helper service. The key pair is written to a
     # Secret named <fullname>-certificate in the release namespace.
4 | apiVersion: cert-manager.io/v1
5 | kind: Certificate
6 | metadata:
7 | name: {{ include "kubevirt-helper.fullname" . }}-certificate
8 | namespace: {{ .Release.Namespace }}
9 | labels:
10 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
11 | spec:
     # Lifetime and renewal window come from values; a short duration limits the exposure of a
     # leaked key.
12 | commonName: {{ .Values.config.kubevirtHelper.certificate.commonName }}
13 | duration: {{ .Values.config.kubevirtHelper.certificate.duration }}
14 | renewBefore: {{ .Values.config.kubevirtHelper.certificate.renewBefore }}
15 | privateKey:
     # NOTE(review): algorithm and size are set in values.yaml, not shown here; confirm they
     # meet current minimums (for RSA, at least 2048 bits).
16 | algorithm: {{ .Values.config.kubevirtHelper.certificate.privateKey.algorithm }}
17 | encoding: {{ .Values.config.kubevirtHelper.certificate.privateKey.encoding }}
18 | size: {{ .Values.config.kubevirtHelper.certificate.privateKey.size }}
19 | subject:
20 | organizations:
21 | - Intel Corporation
22 | countries:
23 | - US
24 | organizationalUnits:
25 | - Edge Orchestrator
     # Secret holding tls.key; read access to Secrets in this namespace exposes the private key.
26 | secretName: {{ include "kubevirt-helper.fullname" . }}-certificate
     # SANs cover the in-cluster service names: short name, name.namespace, name.namespace.svc.
27 | dnsNames:
28 | - {{ include "kubevirt-helper.fullname" . }}
29 | - {{ include "kubevirt-helper.fullname" . }}.{{ .Release.Namespace }}
30 | - {{ include "kubevirt-helper.fullname" . }}.{{ .Release.Namespace }}.svc
31 | usages:
32 | - server auth
     # NOTE(review): client auth is needed only if the helper also presents this certificate as
     # a TLS client - confirm, otherwise drop it.
33 | - client auth
     # Only `name` is given, so cert-manager resolves a namespaced Issuer in this namespace; the
     # chart's issuer.yaml defines it as self-signed.
34 | issuerRef:
35 | name: {{ include "kubevirt-helper.fullname" . }}-issuer
--------------------------------------------------------------------------------
/helm/kubevirt-helper/templates/configmap.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v1
5 | kind: ConfigMap
6 | metadata:
7 | name: {{ include "kubevirt-helper.fullname" . }}
8 | labels:
9 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
10 | data:
11 | logging.yaml: |-
12 | {{ toYaml .Values.logging | indent 4 }}
--------------------------------------------------------------------------------
/helm/kubevirt-helper/templates/issuer.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
     # Namespaced cert-manager Issuer used by the chart's Certificate.
4 | apiVersion: cert-manager.io/v1
5 | kind: Issuer
6 | metadata:
7 | name: {{ include "kubevirt-helper.fullname" . }}-issuer
8 | namespace: {{ .Release.Namespace }}
9 | labels:
10 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
11 | spec:
     # Self-signed: every certificate from this issuer is its own trust root. A client can
     # verify it only if the certificate is handed to it directly, as the chart's
     # MutatingWebhookConfiguration does through its cert-manager.io/inject-ca-from annotation.
12 | selfSigned: {}
--------------------------------------------------------------------------------
/helm/kubevirt-helper/templates/mutatingwebhookconfiguration.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
     # Registers the kubevirt-helper service as a mutating admission webhook for UPDATE
     # operations on kubevirt.io virtualmachines.
4 | apiVersion: admissionregistration.k8s.io/v1
5 | kind: MutatingWebhookConfiguration
6 | metadata:
7 | annotations:
     # cert-manager fills in clientConfig.caBundle from the chart's Certificate, so the API
     # server verifies the webhook's serving certificate against it.
8 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "kubevirt-helper.fullname" . }}-certificate
9 | name: {{ include "kubevirt-helper.fullname" . }}-mutate
10 | labels:
11 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
12 | webhooks:
13 | - admissionReviewVersions:
14 | - v1
15 | - v1beta1
16 | clientConfig:
17 | service:
18 | name: {{ include "kubevirt-helper.fullname" . }}
19 | namespace: {{ .Release.Namespace }}
20 | path: {{ .Values.config.kubevirtHelper.webhookServer.mutatePath }}
21 | port: {{ .Values.config.kubevirtHelper.webhookServer.port }}
     # Fail closed: when the helper is unreachable, times out or presents a certificate the API
     # server cannot verify, matching VirtualMachine updates are rejected. This couples VM
     # updates in every namespace to the availability of this service.
22 | failurePolicy: Fail
23 | matchPolicy: Equivalent
24 | name: {{ .Values.config.kubevirtHelper.webhookServer.name }}
     # Empty selectors: the webhook is consulted for matching objects in all namespaces.
25 | namespaceSelector: {}
26 | objectSelector: {}
27 | reinvocationPolicy: Never
28 | rules:
29 | - apiGroups:
30 | - kubevirt.io
31 | apiVersions:
32 | - v1alpha3
33 | - v1
34 | operations:
35 | - UPDATE
36 | resources:
37 | - virtualmachines
38 | scope: '*'
     # Declares that a call to the webhook changes nothing outside the admission response.
39 | sideEffects: None
40 | timeoutSeconds: {{ .Values.config.kubevirtHelper.webhookServer.mutateTimeoutSeconds }}
--------------------------------------------------------------------------------
/helm/kubevirt-helper/templates/rbac.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
     # ClusterRole for the kubevirt-helper service account, bound cluster-wide by the
     # ClusterRoleBinding below, so every rule applies in all namespaces.
4 | kind: ClusterRole
5 | apiVersion: rbac.authorization.k8s.io/v1
6 | metadata:
7 | name: {{ include "kubevirt-helper.fullname" . }}-rbac
8 | labels:
9 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
10 | rules:
     # Read, update and delete running VM instances in any namespace.
11 | - apiGroups:
12 | - kubevirt.io
13 | resources:
14 | - virtualmachineinstances
15 | verbs:
16 | - get
17 | - list
18 | - delete
19 | - update
     # Read and patch VM definitions in any namespace.
20 | - apiGroups:
21 | - kubevirt.io
22 | resources:
23 | - virtualmachines
24 | verbs:
25 | - get
26 | - list
27 | - patch
     # NOTE(review): "*" grants every verb on the restart subresource. The other rules list
     # their verbs explicitly; narrow this to the verb the helper actually issues
     # (presumably `update` - confirm against the helper's client code).
28 | - apiGroups:
29 | - subresources.kubevirt.io
30 | resources:
31 | - virtualmachines/restart
32 | verbs:
33 | - "*"
     # Delete CDI DataVolumes in any namespace; deleting a DataVolume presumably discards the
     # VM disk data behind it, so a compromised helper token has destructive reach.
34 | - apiGroups:
35 | - cdi.kubevirt.io
36 | resources:
37 | - datavolumes
38 | verbs:
39 | - delete
40 |
41 | ---
     # Binds the role above to the chart's service account in the release namespace. Being a
     # ClusterRoleBinding, it is not limited to that namespace.
42 | kind: ClusterRoleBinding
43 | apiVersion: rbac.authorization.k8s.io/v1
44 | metadata:
45 | name: {{ include "kubevirt-helper.fullname" . }}-rbac
46 | labels:
47 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
48 | subjects:
49 | - kind: ServiceAccount
50 | name: {{ include "kubevirt-helper.serviceAccountName" . }}
51 | namespace: {{ .Release.Namespace }}
52 | roleRef:
53 | kind: ClusterRole
54 | name: {{ include "kubevirt-helper.fullname" . }}-rbac
55 | apiGroup: rbac.authorization.k8s.io
56 |
--------------------------------------------------------------------------------
/helm/kubevirt-helper/templates/service.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | apiVersion: v1
5 | kind: Service
6 | metadata:
7 | name: {{ include "kubevirt-helper.fullname" . }}
8 | labels:
9 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
10 | spec:
11 | ports:
12 | - port: {{ .Values.service.ports.webhook.port }}
13 | targetPort: {{ .Values.config.kubevirtHelper.webhookServer.port }}
14 | protocol: {{ .Values.service.ports.webhook.protocol }}
15 | name: webhook
16 | selector:
17 | {{- include "kubevirt-helper.selectorLabels" . | nindent 4 }}
--------------------------------------------------------------------------------
/helm/kubevirt-helper/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | ---
5 | {{- if .Values.serviceAccount.create }}
6 | apiVersion: v1
7 | kind: ServiceAccount
8 | metadata:
9 | name: {{ include "kubevirt-helper.serviceAccountName" . }}
10 | labels:
11 | {{- include "kubevirt-helper.labels" . | nindent 4 }}
12 | {{- end }}
13 |
--------------------------------------------------------------------------------
/helm/kubevirt/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2022 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Patterns to ignore when building packages.
5 | # This supports shell glob matching, relative path matching, and
6 | # negation (prefixed with !). Only one pattern per line.
7 | .DS_Store
8 | # Common VCS dirs
9 | .git/
10 | .gitignore
11 | .bzr/
12 | .bzrignore
13 | .hg/
14 | .hgignore
15 | .svn/
16 | # Common backup files
17 | *.swp
18 | *.bak
19 | *.tmp
20 | *.orig
21 | *~
22 | # Various IDEs
23 | .project
24 | .idea/
25 | *.tmproj
26 | .vscode/
27 |
28 | tests
29 |
--------------------------------------------------------------------------------
/helm/kubevirt/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: kubevirt
6 | description: A Helm chart for Kubernetes
7 |
8 | # A chart can be either an 'application' or a 'library' chart.
9 | #
10 | # Application charts are a collection of templates that can be packaged into versioned archives
11 | # to be deployed.
12 | #
13 | # Library charts provide useful utilities or functions for the chart developer. They're included as
14 | # a dependency of application charts to inject those utilities and functions into the rendering
15 | # pipeline. Library charts do not define any templates and therefore cannot be deployed.
16 | type: application
17 |
18 | # This is the chart version. This version number should be incremented each time you make changes
19 | # to the chart and its templates, including the app version.
20 | # Versions are expected to follow Semantic Versioning (https://semver.org/)
21 | version: 1.3.0
22 | # This is the version number of the application being deployed. This version number should be
23 | # incremented each time you make changes to the application. Versions are not expected to
24 | # follow Semantic Versioning. They should reflect the version the application is using.
25 | # It is recommended to use it with quotes.
26 | appVersion: "1.4.0"
27 |
--------------------------------------------------------------------------------
/helm/kubevirt/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # Installing Kubevirt
7 |
8 | ## Helm Chart
9 |
10 | To install this Helm chart, use the following command:
11 |
12 | `helm install --create-namespace --namespace=kubevirt kubevirt PATH_TO_HELM_CHART`
13 |
14 | Then run the following commands to verify that it was installed successfully:
15 |
16 | ```bash
17 | kubectl -n kubevirt wait kv kubevirt --for condition=Available --timeout=5m
18 | kubectl get all -n kubevirt
19 | ```
20 |
--------------------------------------------------------------------------------
/helm/kubevirt/templates/03-kubevirt-sm.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
     # ServiceMonitor (monitoring.coreos.com/v1) for the KubeVirt metrics services. Rendered only
     # when serviceMonitor.enabled is set.
3 | ---
4 | {{- if .Values.serviceMonitor.enabled }}
5 | apiVersion: monitoring.coreos.com/v1
6 | kind: ServiceMonitor
7 | metadata:
8 | name: kubevirt-servicemonitor
     # Hard-coded: the monitor is created in `observability`, not in the release namespace, so
     # that namespace must exist before the chart is installed.
9 | namespace: observability
10 | labels:
11 | app.kubernetes.io/component: kubevirt
12 | name: kubevirt
13 | spec:
14 | jobLabel: "app.kubernetes.io/name"
15 | selector:
16 | matchLabels:
17 | app.kubernetes.io/component: kubevirt
18 | app.kubernetes.io/managed-by: virt-operator
     # Services are looked up in the release namespace only.
19 | namespaceSelector:
20 | matchNames:
21 | - {{ .Release.Namespace }}
22 | endpoints:
23 | - port: metrics
24 | scheme: https
25 | # Currently kubevirt uses self-generated certs and there is no way to validate them
     # With verification skipped the scrape is encrypted, but the identity of the endpoint is
     # not checked. Revisit once a CA bundle for these certificates can be supplied, and
     # restrict access to the metrics port with a NetworkPolicy in the meantime.
26 | tlsConfig:
27 | insecureSkipVerify: true
28 | relabelings:
     # Copies every service label onto the scraped series.
29 | - action: labelmap
30 | regex: __meta_kubernetes_service_label_(.+)
     # Keep only services whose name starts with kubevirt-prometheus-metrics.
31 | - sourceLabels: [__meta_kubernetes_service_name]
32 | regex: 'kubevirt-prometheus-metrics.*'
33 | action: keep
     # Keep only targets on port 8443 (hard-coded here).
34 | - sourceLabels: [__address__]
35 | regex: '.*:8443'
36 | action: keep
     # `instance` is set to the node name and `kubernetes_pod_name` to the pod name.
37 | - sourceLabels: [__meta_kubernetes_pod_node_name]
38 | action: replace
39 | targetLabel: instance
40 | - sourceLabels: [__meta_kubernetes_pod_name]
41 | action: replace
42 | targetLabel: kubernetes_pod_name
43 | {{- end }}
44 |
--------------------------------------------------------------------------------
/helm/kubevirt/tests/kubevirt_cr_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test KubeVirt CR
5 | templates:
6 | - 02-kubevirt-cr.yaml
7 | tests:
8 | - it: should be a KubeVirt
9 | asserts:
10 | - isKind:
11 | of: KubeVirt
12 | - it: should set CPU Manager label and feature gate
13 | asserts:
14 | - equal:
15 | path: metadata.labels.cpumanager
16 | value: "true"
17 | - contains:
18 | path: spec.configuration.developerConfiguration.featureGates
19 | content: CPUManager
20 |
--------------------------------------------------------------------------------
/helm/kubevirt/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
     # Default values for the kubevirt chart.
3 | ---
4 | networkPoliciesEnabled: true
5 | useEmulation: false
6 | nodeSelector:
7 | kubernetes.io/os: linux
8 |
     # Images referenced by tag. Tags can be re-pointed in the registry; pin by digest
     # (image@sha256:<digest>) where a reproducible, tamper-evident deployment matters.
9 | extensionImages:
10 | - quay.io/kubevirt/macvtap-cni:v0.11.1
11 | - quay.io/kubevirt/virt-operator:v1.4.0
12 | - quay.io/kubevirt/virt-launcher:v1.4.0
13 | - quay.io/kubevirt/virt-handler:v1.4.0
14 | - quay.io/kubevirt/virt-controller:v1.4.0
15 | - docker.io/library/alpine:3.20.2
16 | - docker.io/bitnami/kubectl:1.31.3
17 |
     # Enables the ServiceMonitor template (03-kubevirt-sm.yaml).
18 | serviceMonitor:
19 | enabled: true
20 |
     # NOTE(review): no registry host here, unlike docker.io/bitnami/kubectl in extensionImages
     # above; which registry serves it depends on the node's container runtime configuration.
     # Use the fully qualified name so both entries resolve to the same image.
21 | kubectl:
22 | image: bitnami/kubectl:1.31.3
23 |
24 | # format: name;vid;pid,name;vid;pid
25 | # example: "kubevirt.io/usb-1;vid;pid,kubevirt.io/usb-2;vid;pid,kubevirt.io/usb-3;vid;pid"
26 | usbList: ""
27 |
--------------------------------------------------------------------------------
/helm/metallb-base/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | description: A companion Helm chart for network load-balancer for Kubernetes using standard
6 | routing protocols - metallb Helm chart
7 | home: https://metallb.universe.tf
8 | icon: https://metallb.universe.tf/images/logo/metallb-white.png
9 | kubeVersion: '>= 1.19.0-0'
10 | name: metallb-base
11 | type: application
12 | version: 0.16.1
13 |
--------------------------------------------------------------------------------
/helm/metallb-base/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Default values for metallb.
5 | # This is a YAML-formatted file.
6 | # Declare variables to be passed into your templates.
7 |
8 | metallb:
9 | # speaker contains configuration specific to the MetalLB speaker
10 | # daemonset.
11 | speaker:
12 | # frr contains configuration specific to the MetalLB FRR container,
13 | # for speaker running alongside FRR.
14 | frr:
15 | enabled: false
16 |
17 | extensionImages:
18 | - quay.io/metallb/controller:v0.14.8
19 | - quay.io/metallb/speaker:v0.14.8
20 | - docker.io/bitnami/kubectl:1.31.3
21 |
22 | kubectl:
23 | image: bitnami/kubectl:1.31.3
24 |
--------------------------------------------------------------------------------
/helm/metallb-config/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 |
5 | tests
6 |
--------------------------------------------------------------------------------
/helm/metallb-config/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | description: A Helm chart for Kubernetes
6 | name: metallb-config
7 | type: application
8 | version: 0.2.0
9 |
--------------------------------------------------------------------------------
/helm/metallb-config/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # MetalLB configuration helm chart
7 |
8 | This Helm chart creates the resources that MetalLB needs to work properly.
9 |
10 | IPAddressPool creates a pool of IP addresses that are used for ExternalIP allocation.
11 | L2Advertisement enables advertisement of the new IP addresses via L2.
12 |
--------------------------------------------------------------------------------
/helm/metallb-config/templates/ip-address-pool.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
     # Two MetalLB IPAddressPool objects: a dynamic pool built from ipAddressRange and a static
     # pool built from dnsIPAddress, ingressIPAddress and the optional staticIPs list.
     # All addresses are interpolated from values unquoted and unchecked; a malformed or
     # unintended range is only caught, if at all, when MetalLB validates the object.
3 | ---
4 | apiVersion: metallb.io/v1beta1
5 | kind: IPAddressPool
6 | metadata:
7 | name: {{ .Release.Name }}-dynamic-ipaddress-pool
8 | spec:
9 | addresses:
10 | - {{ .Values.ipAddressRange }}
11 | ---
12 | apiVersion: metallb.io/v1beta1
13 | kind: IPAddressPool
14 | metadata:
15 | name: {{ .Release.Name }}-static-ipaddress-pool
16 | spec:
17 | addresses:
18 | - {{ .Values.dnsIPAddress }}
19 | - {{ .Values.ingressIPAddress }}
     # staticIPs is a comma-separated string; each item becomes one more pool entry. The
     # comparison with "" assumes the value is always a string - an unset value would not
     # equal "" and would still enter this branch (confirm the default in values.yaml).
20 | {{ if not (eq .Values.staticIPs "" )}}
21 | {{ $ips := split "," .Values.staticIPs }}
22 | {{ range $i, $v := $ips }}
23 | - {{ $v }}
24 | {{ end }}
25 | {{ end }}
     # Addresses in the static pool are not handed out automatically; a Service has to ask for
     # one explicitly.
26 | autoAssign: false
27 |
--------------------------------------------------------------------------------
/helm/metallb-config/templates/l2-advertisement.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: metallb.io/v1beta1
5 | kind: L2Advertisement  # rendered even when L2Advertisement.enabled is false; the flag only adds the interfaces restriction below
6 | metadata:
7 | name: {{ .Release.Name }}-advertisement
8 | {{- if .Values.L2Advertisement.enabled }}
9 | spec:
10 | interfaces:  # NOTE(review): without this list the advertisement is not limited to one interface - confirm that is intended for the default (enabled: false)
11 | - {{ .Values.L2Advertisement.interface }}
12 | {{- end }}
13 |
--------------------------------------------------------------------------------
/helm/metallb-config/tests/ip-address-pool_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test MetalLB-Config Helm chart
5 | templates:
6 | - ip-address-pool.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: has 2 IPAddressPool in the file
11 | asserts:
12 | - hasDocuments:
13 | count: 2
14 | - it: should verify metadata
15 | documentIndex: 0
16 | asserts:
17 | - isKind:
18 | of: IPAddressPool
19 | - equal:
20 | path: metadata.name
21 | value: my-release-dynamic-ipaddress-pool
22 | - it: should verify spec
23 | documentIndex: 0
24 | set:
25 | ipAddressRange: 192.168.160.50-192.168.160.100
26 | asserts:
27 | - contains:
28 | path: spec.addresses
29 | content:
30 | 192.168.160.50-192.168.160.100
31 | - it: should verify metadata
32 | documentIndex: 1
33 | asserts:
34 | - isKind:
35 | of: IPAddressPool
36 | - equal:
37 | path: metadata.name
38 | value: my-release-static-ipaddress-pool
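39 | - it: should verify spec  # static pool: an overridden dnsIPAddress must appear in spec.addresses
40 | documentIndex: 1
41 | set:
42 | dnsIPAddress: 192.168.160.240/32  # a key ip-address-pool.yaml reads; non-default value so the assertion cannot pass on values.yaml defaults
43 | asserts:
44 | - contains:
45 | path: spec.addresses
46 | content:
47 | 192.168.160.240/32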
48 | - it: should have correctly assign
49 | documentIndex: 1
50 | asserts:
51 | - equal:
52 | path: spec.autoAssign
53 | value: false
54 |
--------------------------------------------------------------------------------
/helm/metallb-config/tests/l2-advertisement_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test MetalLB-Config Helm chart
5 | templates:
6 | - l2-advertisement.yaml
7 | release:
8 | name: my-release
9 | tests:
10 | - it: should verify metadata
11 | asserts:
12 | - isKind:
13 | of: L2Advertisement
14 | - equal:
15 | path: metadata.name
16 | value: my-release-advertisement
17 |
--------------------------------------------------------------------------------
/helm/metallb-config/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # ipAddressRange is an IP address range which is used for ExternalIP
5 | # address allocation for service type LoadBalancer
6 | ipAddressRange: 192.168.160.50-192.168.160.100
7 |
8 | # dnsIPAddress, ingressIPAddress and staticIPs reserve IP addresses which can be
9 | # allocated as static IPs for services (they are not auto-assigned)
10 | dnsIPAddress: "192.168.160.250/32"
11 | ingressIPAddress: "192.168.160.251/32"
12 |
13 | staticIPs: "192.168.160.101/32,192.168.160.102/32"
14 |
15 | # For 5GC: set enabled to true to restrict the L2Advertisement to the interface below
16 | L2Advertisement:
17 | enabled: false
18 | interface: enp138s0f1
19 |
--------------------------------------------------------------------------------
/helm/network-policies/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: v2
6 | name: network-policies
7 | description: Network Policies for Edge Node cluster
8 | type: application
9 | version: 0.2.0
10 |
--------------------------------------------------------------------------------
/helm/network-policies/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # Installing Edge Node Network Policies configuration
7 |
8 | This Helm chart defines Network Policies for Edge Node.
9 |
10 | To install Network Policies for Edge Node:
11 |
12 | ```bash
13 | helm install edge-node-network-policies ./helm/network-policies
14 | ```
15 |
--------------------------------------------------------------------------------
/helm/network-policies/templates/00-default-global-policy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: crd.projectcalico.org/v1  # NOTE(review): Calico's backing CRD group; writes here presumably skip the validation/defaulting of the projectcalico.org/v3 API - confirm this is intended
6 | kind: GlobalNetworkPolicy  # cluster-wide default deny for every namespace not excluded by namespaceSelector
7 | metadata:
8 | name: default-deny
9 | spec:
10 | order: 10100  # high order value: policies with a lower order (e.g. 100 elsewhere in this chart) are evaluated first
11 | namespaceSelector: >
12 | has(projectcalico.org/name) &&
13 | projectcalico.org/name not in
14 | {"kube-system", "calico-system", "calico-apiserver", "cattle-system",
15 | "cattle-fleet-system", "cattle-impersonation-system", "tigera-operator" }
16 | types:
17 | - Ingress  # no ingress rules are listed, so this policy allows no ingress to the selected pods
18 | - Egress  # only the three egress rules below are allowed
19 | egress:
20 | - action: Allow  # DNS over UDP
21 | protocol: UDP
22 | destination:
23 | selector: 'k8s-app == "kube-dns"'  # NOTE(review): label-only match with no namespaceSelector; in a global policy this may match any pod carrying the label in any namespace - consider pinning it to kube-system
24 | ports:
25 | - 53
26 | - action: Allow  # DNS over TCP
27 | protocol: TCP
28 | destination:
29 | selector: 'k8s-app == "kube-dns"'  # NOTE(review): same label-only match as the UDP rule above
30 | ports:
31 | - 53
32 | - action: Allow  # TCP egress to the kubernetes Service in the default namespace
33 | protocol: TCP
34 | destination:
35 | services:
36 | name: kubernetes
37 | namespace: default
38 |
--------------------------------------------------------------------------------
/helm/network-policies/templates/01-default-netpol.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: crd.projectcalico.org/v1
6 | kind: NetworkPolicy
7 | metadata:
8 | name: default-deny-all
9 | namespace: default
10 | spec:
11 | order: 100
12 | selector: all()
13 | ingress:
14 | - action: Deny
15 | egress:
16 | - action: Deny
17 | types:
18 | - Ingress
19 | - Egress
20 |
--------------------------------------------------------------------------------
/helm/network-policies/templates/02-calico-netpol.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | kind: NetworkPolicy  # restricts ingress to calico-system pods to two source namespaces
6 | apiVersion: networking.k8s.io/v1
7 | metadata:
8 | namespace: calico-system
9 | name: calico-system-deny-from-other-namespaces-except-tigera-operator
10 | spec:
11 | policyTypes:
12 | - Ingress
13 | podSelector: {}  # every pod in calico-system
14 | ingress:
15 | - from:
16 | - namespaceSelector:
17 | matchLabels:
18 | name: calico-system  # NOTE(review): relies on a namespace label literally called "name"; Kubernetes only sets kubernetes.io/metadata.name automatically - confirm the namespace carries this label
19 | - namespaceSelector:
20 | matchLabels:
21 | name: tigera-operator  # NOTE(review): same "name" label dependency as above
22 | ---
23 | kind: NetworkPolicy  # additionally allows metrics scraping on one port from the observability namespace
24 | apiVersion: networking.k8s.io/v1
25 | metadata:
26 | namespace: calico-system
27 | name: calico-system-allow-metrics-port-from-observability
28 | spec:
29 | podSelector:
30 | matchLabels:  # no labels listed: presumably selects every pod in the namespace - confirm
31 | ingress:
32 | - ports:
33 | - port: 9094
34 | from:
35 | - namespaceSelector:
36 | matchLabels:
37 | kubernetes.io/metadata.name: observability  # automatic namespace label, unlike the "name" label used in the policy above
38 |
--------------------------------------------------------------------------------
/helm/network-policies/templates/03-kube-system-netpol.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: crd.projectcalico.org/v1
6 | kind: NetworkPolicy  # ingress rules for every pod in kube-system
7 | metadata:
8 | name: allow-ingress
9 | namespace: kube-system
10 | spec:
11 | selector: all()
12 | types:
13 | - Ingress
14 | ingress:
15 | - action: Allow  # TCP on the listed ports, only from pods in the observability namespace
16 | protocol: TCP
17 | destination:
18 | ports:
19 | - 4194
20 | - 10250
21 | - 10255  # NOTE(review): conventionally the kubelet read-only port, which has no authentication - confirm it still needs to be reachable
22 | source:
23 | namespaceSelector: kubernetes.io/metadata.name == 'observability'
24 | - action: Pass  # all other ingress is handed on rather than denied here; NOTE(review): confirm what finally decides it for kube-system
25 |
--------------------------------------------------------------------------------
/helm/network-policies/templates/05-observability-netpol.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | kind: NetworkPolicy  # baseline: ingress to observability pods only from the same namespace
6 | apiVersion: networking.k8s.io/v1
7 | metadata:
8 | namespace: observability
9 | name: observability-deny-from-other-namespaces
10 | spec:
11 | policyTypes:
12 | - Ingress
13 | podSelector:
14 | matchLabels:  # no labels listed: presumably selects every pod in the namespace - confirm
15 | ingress:
16 | - from:
17 | - podSelector: {}  # no namespaceSelector, so only pods of this namespace match
18 | ---
19 | apiVersion: networking.k8s.io/v1
20 | kind: NetworkPolicy  # additive exception to the policy above
21 | metadata:
22 | namespace: observability
23 | name: observability-allow-ui
24 | spec:
25 | podSelector: {}  # applies to every pod in the namespace, not only the UI pods
26 | policyTypes:
27 | - Ingress
28 | ingress:
29 | - ports:  # NOTE(review): no "from" clause, so these ports accept traffic from any source - consider limiting the sources and the pods selected
30 | - port: 9090
31 | - port: 9200
32 | ---
33 | apiVersion: crd.projectcalico.org/v1
34 | kind: NetworkPolicy
35 | metadata:
36 | name: allow-egress
37 | namespace: observability
38 | spec:
39 | selector: all()
40 | types:
41 | - Egress
42 | egress:
43 | - action: Allow  # NOTE(review): unrestricted egress (no destination, protocol or port limit) for every pod in the namespace
44 |
--------------------------------------------------------------------------------
/helm/network-policies/templates/06-kube-public.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: crd.projectcalico.org/v1
6 | kind: NetworkPolicy
7 | metadata:
8 | name: default-deny-all
9 | namespace: kube-public
10 | spec:
11 | order: 100
12 | selector: all()
13 | ingress:
14 | - action: Deny
15 | egress:
16 | - action: Deny
17 | types:
18 | - Ingress
19 | - Egress
20 |
--------------------------------------------------------------------------------
/helm/network-policies/templates/09-helm-installers.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: crd.projectcalico.org/v1
6 | kind: GlobalNetworkPolicy  # egress exception for helm chart installer pods, in all namespaces
7 | metadata:
8 | name: helmchart-installers-allow-egress
9 | spec:
10 | selector: has(helmcharts.helm.cattle.io/chart)  # NOTE(review): label-only global selector; any pod that carries this label gets the egress below - confirm who is able to set it
11 | order: 100  # evaluated before the default-deny global policy (order 10100)
12 | types:
13 | - Egress
14 | egress:
15 | - action: Allow
16 | destination:
17 | notNets: ["{{ .Values.calico_cidr }}"]  # allows every destination outside the pod CIDR, on any protocol and port
18 | - action: Pass  # traffic to the pod CIDR is left to later policies
19 |
--------------------------------------------------------------------------------
/helm/network-policies/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | # calico_cidr - CIDR used by Calico CNI for Pod-to-Pod communication
6 | calico_cidr: 10.42.0.0/16
7 |
--------------------------------------------------------------------------------
/helm/observability-config/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: v2
6 | description: A Helm chart for configuring observability extensions
7 | name: observability-config
8 | type: application
9 |
10 | version: 0.1.0
11 |
--------------------------------------------------------------------------------
/helm/observability-config/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # Observability Config
7 |
8 | This chart contains templates to configure observability for the base extensions' deployment.
9 |
--------------------------------------------------------------------------------
/helm/observability-config/templates/fluent-bit-cert.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: cert-manager.io/v1
5 | kind: Certificate  # cert-manager certificate for fluent-bit, stored in the secret named below
6 | metadata:
7 | name: fluent-bit-tls
8 | namespace: observability
9 | spec:
10 | secretName: fluent-bit-tls  # secret holding the issued key pair; access to it should be limited to the consuming workload
11 | commonName: fluent-bit-logging
12 | duration: 1440h  # 60 days
13 | renewBefore: 168h  # renewal starts 7 days before expiry
14 | isCA: false
15 | privateKey:
16 | algorithm: RSA
17 | encoding: PKCS1
18 | size: 4096
19 | usages:  # the same key pair is valid as TLS server and as TLS client
20 | - server auth
21 | - client auth
22 | dnsNames:
23 | - fluent-bit-logging  # short name only; NOTE(review): clients that connect with a namespace-qualified name would not match this SAN - confirm
24 | issuerRef:
25 | name: edge-node-cluster-issuer
26 | kind: ClusterIssuer
27 |
--------------------------------------------------------------------------------
/helm/observability-config/templates/prometheus-certificate.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: cert-manager.io/v1
5 | kind: Certificate  # cert-manager certificate for prometheus
6 | metadata:
7 | name: prometheus-tls
8 | namespace: observability
9 | spec:
10 | secretName: prometheus-tls  # also referenced as telegraf.sm.secretName in this chart's values.yaml
11 | commonName: prometheus  # NOTE(review): the same string is bound as an RBAC User in the kube-state-metrics ClusterRoleBinding - presumably via this CN; confirm
12 | duration: 1440h  # 60 days
13 | renewBefore: 168h  # renewal starts 7 days before expiry
14 | isCA: false
15 | privateKey:
16 | algorithm: RSA
17 | encoding: PKCS1
18 | size: 4096
19 | usages:  # the same key pair is valid as TLS server and as TLS client
20 | - server auth
21 | - client auth
22 | dnsNames:
23 | - prometheus
24 | issuerRef:
25 | name: edge-node-cluster-issuer
26 | kind: ClusterIssuer
27 | ---
28 | apiVersion: cert-manager.io/v1
29 | kind: Certificate  # certificate for the rbac proxy in front of kube-state-metrics (per the resource name)
30 | metadata:
31 | name: kube-state-rbac-proxy-tls
32 | namespace: observability
33 | spec:
34 | secretName: kube-state-rbac-proxy-tls
35 | commonName: prometheus-kube-state-metrics
36 | duration: 1440h  # 60 days
37 | renewBefore: 168h  # renewal starts 7 days before expiry
38 | isCA: false
39 | privateKey:
40 | algorithm: RSA
41 | encoding: PKCS1
42 | size: 4096
43 | usages:  # NOTE(review): client auth is granted as well as server auth - confirm this certificate is ever used as a client
44 | - server auth
45 | - client auth
46 | dnsNames:
47 | - prometheus-kube-state-metrics
48 | issuerRef:
49 | name: edge-node-cluster-issuer
50 | kind: ClusterIssuer
51 |
--------------------------------------------------------------------------------
/helm/observability-config/templates/prometheus-kube-state-metrics-clusterrole.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: rbac.authorization.k8s.io/v1
5 | kind: ClusterRole  # grants a single verb on a single resource string
6 | metadata:
7 | name: read-kube-state-metrics
8 | rules:
9 | - apiGroups: [""]
10 | resources: ["services/kube-state-metrics"]  # presumably the resource attribute an rbac proxy checks before serving kube-state-metrics - confirm against its configuration
11 | verbs: ["get"]
12 | ---
13 | apiVersion: rbac.authorization.k8s.io/v1
14 | kind: ClusterRoleBinding  # binds the role above cluster-wide to one user name
15 | metadata:
16 | name: kube-state-metrics-read
17 | subjects:
18 | - kind: User
19 | name: prometheus  # NOTE(review): a plain user name, not a ServiceAccount; presumably the CN of the prometheus-tls client certificate - confirm which issuers can produce this identity
20 | apiGroup: rbac.authorization.k8s.io
21 | roleRef:
22 | kind: ClusterRole
23 | name: read-kube-state-metrics
24 | apiGroup: rbac.authorization.k8s.io
25 |
--------------------------------------------------------------------------------
/helm/observability-config/templates/service.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: v1
6 | kind: Service
7 | metadata:
8 | name: {{ .Values.telegraf.name }}
9 | namespace: {{ .Values.namespace }}
10 | labels:
11 | app.kubernetes.io/name: {{ .Values.telegraf.name }}
12 | app: {{ .Values.telegraf.name }}
13 | heritage: {{ .Release.Service }}
14 | release: {{ .Release.Name }}
15 | chart: {{ .Release.Name }}
16 | spec:
17 | type: ClusterIP
18 | ports:
19 | - port: {{ .Values.telegraf.port }}
20 | targetPort: {{ .Values.telegraf.port }}
21 | protocol: TCP
22 | name: metrics
23 | - port: {{ .Values.telegraf.otelport }}
24 | protocol: TCP
25 | name: opentelemetry
26 | selector:
27 | app.kubernetes.io/name: {{ .Values.telegraf.name }}
28 |
--------------------------------------------------------------------------------
/helm/observability-config/templates/serviceAccount.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: v1
6 | kind: ServiceAccount
7 | metadata:
8 | name: {{.Values.telegraf.name}}
9 | namespace: {{.Values.namespace}}
10 | labels:
11 | app.kubernetes.io/name: {{.Values.telegraf.name}}
12 | app: {{.Values.telegraf.name}}
13 | heritage: {{.Release.Service}}
14 | release: {{.Release.Name}}
15 | chart: {{.Release.Name}}
16 |
--------------------------------------------------------------------------------
/helm/observability-config/templates/serviceMonitor.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
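5 | apiVersion: monitoring.coreos.com/v1
6 | kind: ServiceMonitor  # scrape configuration for the telegraf metrics port over TLS with a client certificate
7 | metadata:
8 | name: {{.Values.telegraf.name}}
9 | namespace: {{.Values.namespace}}
10 | labels:
11 | app.kubernetes.io/name: {{.Values.telegraf.name}}
12 | app: {{.Values.telegraf.name}}
13 | heritage: {{.Release.Service}}
14 | release: {{.Release.Name}}
15 | chart: {{.Release.Name}}
16 | spec:
17 | jobLabel: "app.kubernetes.io/name"
18 | selector:
19 | matchLabels:
20 | app: {{.Values.telegraf.name}}
21 | release: {{.Release.Name}}
22 | endpoints:
23 | - port: metrics
24 | scheme: https
25 | tlsConfig:
26 | serverName: {{ .Values.telegraf.certs.serverName }}  # name verified against the server certificate; taken from the value that also sets the telegraf certificate's commonName and dnsNames
27 | ca:  # CA bundle used to verify the telegraf server certificate
28 | secret:
29 | key: ca.crt
30 | name: {{ .Values.telegraf.sm.secretName }}
31 | cert:  # client certificate presented by the scraper
32 | secret:
33 | key: tls.crt
34 | name: {{ .Values.telegraf.sm.secretName }}
35 | keySecret:  # private key belonging to the client certificate
36 | key: tls.key
37 | name: {{ .Values.telegraf.sm.secretName }}
38 | relabelings:
39 | - action: labelmap
40 | regex: __meta_kubernetes_pod_label_(.+)
41 | - sourceLabels: [__meta_kubernetes_pod_name]
42 | regex: "telegraf.*"
43 | action: keep
44 | - sourceLabels: [__address__]
45 | regex: ".*:{{ .Values.telegraf.port }}"
46 | action: keep
47 | - sourceLabels: [__meta_kubernetes_pod_node_name]
48 | action: replace
49 | targetLabel: instance
50 | - sourceLabels: [__meta_kubernetes_pod_name]
51 | action: replace
52 | targetLabel: kubernetes_pod_name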
53 |
--------------------------------------------------------------------------------
/helm/observability-config/templates/telegraf-certificate.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | apiVersion: cert-manager.io/v1
5 | kind: Certificate  # cert-manager certificate for telegraf; names come from telegraf.certs in values.yaml
6 | metadata:
7 | name: {{ .Values.telegraf.certs.secretName }}
8 | namespace: observability  # hard-coded here, while other templates of this chart read .Values.namespace
9 | spec:
10 | secretName: {{ .Values.telegraf.certs.secretName }}
11 | commonName: {{ .Values.telegraf.certs.serverName }}
12 | duration: 1440h  # 60 days
13 | renewBefore: 168h  # renewal starts 7 days before expiry
14 | isCA: false
15 | privateKey:
16 | algorithm: RSA
17 | encoding: PKCS1
18 | size: 4096
19 | usages:  # the same key pair is valid as TLS server and as TLS client
20 | - server auth
21 | - client auth
22 | dnsNames:
23 | - {{ .Values.telegraf.certs.serverName }}  # the only SAN; scrapers have to verify against exactly this name
24 | issuerRef:
25 | name: edge-node-cluster-issuer
26 | kind: ClusterIssuer
27 |
--------------------------------------------------------------------------------
/helm/observability-config/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | telegraf:
6 | certs:
7 | secretName: telegraf-tls
8 | serverName: telegraf
9 | certsDest: /opt/telegraf/certs
10 | sm:
11 | secretName: prometheus-tls
12 |
13 | name: telegraf
14 | namespace: observability
15 | configMap: telegraf-config
16 | interval: 30s
17 | port: 9105
18 | otelport: 4317
19 |
--------------------------------------------------------------------------------
/helm/openebs-config/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: v2
6 | description: A Helm chart for configuring the openebs extension
7 | name: openebs-config
8 | type: application
9 |
10 | version: 0.1.0
11 | appVersion: 0.1.0
12 |
--------------------------------------------------------------------------------
/helm/openebs-config/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # OpenEBS Config
7 |
8 | A chart for configuring OpenEBS with the base extensions' deployment.
9 |
--------------------------------------------------------------------------------
/helm/openebs-config/templates/networkpolicy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | kind: NetworkPolicy  # baseline: ingress to openebs pods only from the same namespace
6 | apiVersion: networking.k8s.io/v1
7 | metadata:
8 | namespace: openebs
9 | name: openebs-deny-from-other-namespaces
10 | spec:
11 | podSelector:
12 | matchLabels:  # no labels listed: presumably selects every pod in the namespace - confirm
13 | ingress:
14 | - from:
15 | - podSelector: {}  # no namespaceSelector, so only pods of this namespace match
16 | ---
17 | kind: NetworkPolicy  # additive exception: metrics ports reachable from the observability namespace
18 | apiVersion: networking.k8s.io/v1
19 | metadata:
20 | namespace: openebs
21 | name: openebs-allow-metrics-port-from-observability
22 | spec:
23 | podSelector:
24 | matchLabels:  # no labels listed: the exception presumably covers every pod, not only the metrics exporters - confirm
25 | ingress:
26 | - ports:
27 | - port: 9100
28 | - port: 9101
29 | - port: 9500
30 | from:
31 | - namespaceSelector:
32 | matchLabels:
33 | kubernetes.io/metadata.name: observability
34 |
--------------------------------------------------------------------------------
/helm/openebs-config/templates/servicemonitor.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: monitoring.coreos.com/v1
6 | kind: ServiceMonitor  # scrape configuration for the openebs-lvm-node metrics endpoint
7 | metadata:
8 | name: openebslvm
9 | namespace: {{ .Release.Namespace }}
10 | spec:
11 | jobLabel: app.kubernetes.io/name
12 | selector:
13 | matchLabels:
14 | openebs.io/component-name: openebs-lvm-node
15 | endpoints:
16 | - port: metrics
17 | scheme: http  # NOTE(review): plain HTTP with no tlsConfig, unlike the telegraf ServiceMonitor in this repository; access depends on the openebs network policy alone
18 | relabelings:
19 | - action: labelmap
20 | regex: __meta_kubernetes_service_label_(.+)
21 | - sourceLabels: [__meta_kubernetes_service_label_openebs_io_component_name]
22 | regex: '.*openebs-lvm-node.*'
23 | action: keep
24 | - sourceLabels: [__address__]
25 | regex: '.*:9500'  # keeps only targets on port 9500
26 | action: keep
27 | - sourceLabels: [__meta_kubernetes_pod_node_name]
28 | action: replace
29 | targetLabel: instance
30 | - sourceLabels: [__meta_kubernetes_pod_name]
31 | action: replace
32 | targetLabel: kubernetes_pod_name
33 |
--------------------------------------------------------------------------------
/helm/openebs-config/templates/storageclass-shared.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: storage.k8s.io/v1
6 | kind: StorageClass
7 | metadata:
8 | name: openebs-lvmpv-shared
9 | parameters:
10 | storage: "lvm"
11 | volgroup: "lvmvg"
12 | shared: "yes"
13 | provisioner: local.csi.openebs.io
14 | volumeBindingMode: WaitForFirstConsumer
15 |
--------------------------------------------------------------------------------
/helm/openebs-config/templates/storageclass.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | apiVersion: storage.k8s.io/v1
6 | kind: StorageClass
7 | metadata:
8 | name: openebs-lvmpv
9 | annotations:
10 | storageclass.kubernetes.io/is-default-class: "true"
11 | parameters:
12 | storage: "lvm"
13 | volgroup: "lvmvg"
14 | provisioner: local.csi.openebs.io
15 | volumeBindingMode: WaitForFirstConsumer
16 |
--------------------------------------------------------------------------------
/helm/openebs-config/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | # file empty as no values required
6 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-backend/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Patterns to ignore when building packages.
5 | # This supports shell glob matching, relative path matching, and
6 | # negation (prefixed with !). Only one pattern per line.
7 | .DS_Store
8 | # Common VCS dirs
9 | .git/
10 | .gitignore
11 | .bzr/
12 | .bzrignore
13 | .hg/
14 | .hgignore
15 | .svn/
16 | # Common backup files
17 | *.swp
18 | *.bak
19 | *.tmp
20 | *.orig
21 | *~
22 | # Various IDEs
23 | .project
24 | .idea/
25 | *.tmproj
26 | .vscode/
27 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-backend/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: skupper-hello-world-backend
6 | description: A Helm chart for Skupper Hello World Backend App
7 |
8 | type: application
9 | version: 0.3.0
10 | appVersion: "1.0"
11 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-backend/templates/deployment.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
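4 | apiVersion: apps/v1
5 | kind: Deployment  # sample backend workload; names and labels come from the chart's named templates
6 | metadata:
7 | name: {{ include "skupper-hello-world-backend.fullname" . }}
8 | labels:
9 | {{ include "skupper-hello-world-backend.labels" . | nindent 4 }}
10 | spec:
11 | replicas: {{ .Values.replicaCount }}
12 | selector:
13 | matchLabels:
14 | {{ include "skupper-hello-world-backend.selectorLabels" . | nindent 6 }}
15 | template:
16 | metadata:
17 | labels:
18 | {{ include "skupper-hello-world-backend.selectorLabels" . | nindent 8 }}
19 | spec:
20 | containers:
21 | - name: {{ .Chart.Name }}  # NOTE(review): no securityContext or resource limits are set for this container
22 | image: "{{ .Values.image.repository }}{{ if .Values.image.tag }}:{{ .Values.image.tag }}{{ end }}"  # honours image.tag when set; an empty tag leaves the reference untagged (resolves to latest), so set image.tag to pin a known version
23 | imagePullPolicy: {{ .Values.image.pullPolicy }}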
24 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-backend/templates/service.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v1
5 | kind: Service
6 | metadata:
7 | name: {{ include "skupper-hello-world-backend.fullname" . }}
8 | labels:
9 | {{ include "skupper-hello-world-backend.labels" . | nindent 4 }}
10 | annotations:
11 | {{ toYaml .Values.annotations | nindent 4 }}
12 | spec:
13 | type: {{ .Values.service.type }}
14 | ports:
15 | - port: {{ .Values.service.port }}
16 | targetPort: 8080
17 | protocol: TCP
18 | selector:
19 | {{ include "skupper-hello-world-backend.selectorLabels" . | nindent 4 }}
20 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-backend/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Default values for skupper-hello-world-backend.
5 | # This is a YAML-formatted file.
6 | # Declare variables to be passed into your templates.
7 | ---
8 | replicaCount: 1
9 |
10 | fullnameOverride: "skupper-hello-world-backend"
11 |
12 | image:
13 | repository: quay.io/skupper/hello-world-backend
14 | pullPolicy: IfNotPresent
15 | # Overrides the image tag whose default is the chart appVersion.
16 | tag: ""
17 |
18 | service:
19 | type: ClusterIP
20 | port: 8080
21 |
22 | # This annotation is overridden by backend deployment package
23 | # annotations:
24 | # skupper.io/proxy: tcp
25 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-frontend/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Patterns to ignore when building packages.
5 | # This supports shell glob matching, relative path matching, and
6 | # negation (prefixed with !). Only one pattern per line.
7 | .DS_Store
8 | # Common VCS dirs
9 | .git/
10 | .gitignore
11 | .bzr/
12 | .bzrignore
13 | .hg/
14 | .hgignore
15 | .svn/
16 | # Common backup files
17 | *.swp
18 | *.bak
19 | *.tmp
20 | *.orig
21 | *~
22 | # Various IDEs
23 | .project
24 | .idea/
25 | *.tmproj
26 | .vscode/
27 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-frontend/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: skupper-hello-world-frontend
6 | description: A Helm chart for Skupper Hello World Frontend App
7 |
8 | type: application
9 | version: 0.3.0
10 | appVersion: "1.0"
11 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-frontend/templates/deployment.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
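4 | apiVersion: apps/v1
5 | kind: Deployment  # sample frontend workload; names and labels come from the chart's named templates
6 | metadata:
7 | name: {{ include "skupper-hello-world-frontend.fullname" . }}
8 | labels:
9 | {{ include "skupper-hello-world-frontend.labels" . | nindent 4 }}
10 | spec:
11 | replicas: {{ .Values.replicaCount }}
12 | selector:
13 | matchLabels:
14 | {{ include "skupper-hello-world-frontend.selectorLabels" . | nindent 6 }}
15 | template:
16 | metadata:
17 | labels:
18 | {{include "skupper-hello-world-frontend.selectorLabels" . | nindent 8}}
19 | spec:
20 | containers:
21 | - name: {{ .Chart.Name }}  # NOTE(review): no securityContext or resource limits are set for this container
22 | image: "{{ .Values.image.repository }}{{ if .Values.image.tag }}:{{ .Values.image.tag }}{{ end }}"  # honours image.tag when set; an empty tag leaves the reference untagged (resolves to latest), so set image.tag to pin a known version
23 | imagePullPolicy: {{ .Values.image.pullPolicy }}
24 | ports:
25 | - containerPort: {{ .Values.service.port }}  # unnamed port; a Service must target it by number
26 | args:
27 | - "--backend={{ .Values.backend.address }}"  # backend URL handed to the frontend process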
28 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-frontend/templates/service.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
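4 | apiVersion: v1
5 | kind: Service  # exposes the frontend Deployment inside the cluster
6 | metadata:
7 | name: {{ include "skupper-hello-world-frontend.fullname" . }}
8 | labels:
9 | {{ include "skupper-hello-world-frontend.labels" . | nindent 4 }}
10 | spec:
11 | type: {{ .Values.service.type }}
12 | ports:
13 | - port: {{ .Values.service.port }}
14 | targetPort: {{ .Values.service.port }}  # by number: the Deployment's containerPort is this value and defines no port named "http"
15 | protocol: TCP
16 | name: http
17 | selector:
18 | {{ include "skupper-hello-world-frontend.selectorLabels" . | nindent 4 }}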
19 |
--------------------------------------------------------------------------------
/helm/skupper-sample-app/skupper-hello-world-frontend/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Default values for skupper-hello-world-frontend.
5 | # This is a YAML-formatted file.
6 | # Declare variables to be passed into your templates.
7 | ---
8 | replicaCount: 1
9 |
10 | fullnameOverride: "skupper-hello-world-frontend"
11 |
12 | image:
13 | repository: quay.io/skupper/hello-world-frontend
14 | pullPolicy: IfNotPresent
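15 | # Intended to override the image tag (default: the chart appVersion). NOTE(review): the workload template in this chart renders only .Values.image.repository, so this value does not appear to be applied and the image is pulled with no tag or digest pin - confirm and pin the image.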
16 | tag: ""
17 |
18 | service:
19 | port: 8080
20 |
21 | backend:
22 | address:
23 | "http://skupper-hello-world-backend.interconnect.svc.cluster.local:8080"
24 |
--------------------------------------------------------------------------------
/helm/skupper/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | # Patterns to ignore when building packages.
5 | # This supports shell glob matching, relative path matching, and
6 | # negation (prefixed with !). Only one pattern per line.
7 | .DS_Store
8 | # Common VCS dirs
9 | .git/
10 | .gitignore
11 | .bzr/
12 | .bzrignore
13 | .hg/
14 | .hgignore
15 | .svn/
16 | # Common backup files
17 | *.swp
18 | *.bak
19 | *.tmp
20 | *.orig
21 | *~
22 | # Various IDEs
23 | .project
24 | .idea/
25 | *.tmproj
26 | .vscode/
27 |
--------------------------------------------------------------------------------
/helm/skupper/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v2
5 | name: skupper
6 | description: A Helm chart for Skupper
7 | type: application
8 | version: 0.2.0
9 |
--------------------------------------------------------------------------------
/helm/skupper/values.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Default values for interconnect-manager.
5 | # This is a YAML-formatted file.
6 | # Declare variables to be passed into your templates.
7 | ---
8 | namespace: skupper-site-controller
9 | image:
10 | repository: quay.io/skupper/site-controller
11 | tag: 1.8.3
12 |
13 | replicaCount: 1
14 |
--------------------------------------------------------------------------------
/helm/sriov/.helmignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Patterns to ignore when building packages.
5 | # This supports shell glob matching, relative path matching, and
6 | # negation (prefixed with !). Only one pattern per line.
7 | .DS_Store
8 | # Common VCS dirs
9 | .git/
10 | .gitignore
11 | .bzr/
12 | .bzrignore
13 | .hg/
14 | .hgignore
15 | .svn/
16 | # Common backup files
17 | *.swp
18 | *.bak
19 | *.tmp
20 | *.orig
21 | # Various IDEs
22 | .project
23 | .idea/
24 | *.tmproj
25 | .vscode/
26 |
--------------------------------------------------------------------------------
/helm/sriov/Chart.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | annotations:
5 | catalog.cattle.io/auto-install: sriov-crd=match
6 | catalog.cattle.io/certified: rancher
7 | catalog.cattle.io/deprecated: "true"
8 | catalog.cattle.io/experimental: "true"
9 | catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.31.0-0'
10 | catalog.cattle.io/namespace: cattle-sriov-system
11 | catalog.cattle.io/os: linux
12 | catalog.cattle.io/permits-os: linux
13 | catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
14 | catalog.cattle.io/release-name: sriov
15 | catalog.cattle.io/upstream-version: 1.3.0
16 | apiVersion: v2
17 | appVersion: v1.3.0
18 | description: SR-IOV network operator configures and manages SR-IOV networks in the
19 | kubernetes cluster
20 | home: https://github.com/k8snetworkplumbingwg/sriov-network-operator
21 | icon: https://charts.rancher.io/assets/logos/sr-iov.svg
22 | keywords:
23 | - sriov
24 | - Networking
25 | kubeVersion: '>= 1.16.0'
26 | maintainers:
27 | - email: charts@rancher.com
28 | name: Rancher Labs
29 | name: sriov
30 | sources:
31 | - https://github.com/rancher/charts
32 | type: application
33 | version: 104.3.2
34 |
--------------------------------------------------------------------------------
/helm/sriov/app-README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # Rancher SR-IOV Network Operator
7 |
8 | This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator)
9 | project. The chart deploys the SR-IOV Operator and its CRDs, which are designed
10 | to help the user provision and configure the SR-IOV CNI in a cluster that uses
11 | [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni) to provide high
12 | performing extra network interfaces to pods. This chart is expected to be deployed
13 | on an RKE2 cluster and is only meant for advanced use cases where multiple CNI
14 | plugins and high performing network interfaces on pods are required. Users who
15 | do not need these features are not advised to install this chart.
16 |
17 | The chart installs the following components:
18 |
19 | - SR-IOV Operator: An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin.
20 | - SR-IOV Network Config Daemon: A daemon deployed by the operator that discovers SR-IOV NICs on each node.
21 |
22 | Note that SR-IOV requires NICs that support SR-IOV and the activation of specific
23 | configuration options in the operating system. Nodes that fulfill these requirements
24 | should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`.
25 |
26 | The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more
27 | information on how to use this feature, refer to our RKE2 networking documentation.
28 |
--------------------------------------------------------------------------------
/helm/sriov/fleet.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | defaultNamespace: sriov-network-operator
5 |
--------------------------------------------------------------------------------
/helm/sriov/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | Get Network Operator deployed resources by running the following commands:
5 |
6 | $ kubectl -n {{ .Release.Namespace }} get pods
7 |
8 | For additional instructions on how to use SR-IOV network operator,
9 | refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator
10 |
11 | {{- if .Values.operator.admissionControllers.enabled }}
12 | {{- if not .Values.cert_manager }}
13 | Thank you for installing {{ .Chart.Name }}.
14 |
15 | WARNING! Self signed certificates have been generated for webhooks.
16 | These certificates have a one-year validity and will not be rotated
17 | automatically. This should not be a production cluster. Please deploy
18 | and use cert-manager for production clusters.
19 | {{- end }}
20 | {{- end }}
21 |
--------------------------------------------------------------------------------
/helm/sriov/templates/_webhook-certs.tpl:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | {{/*
5 | Generate TLS certificates for webhooks.
6 | Note: these 2 lines, that are repeated several times below, are a trick to
7 | ensure the CA certs are generated only once:
8 | $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365)
9 | $_ := set . "ca" $ca
10 | Please, don't try to "simplify" them as without this trick, every generated
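11 | certificate would be signed by a different CA. Note that "once" means once per render: genCA and genSignedCert run again on every helm install/upgrade, so a new CA and new leaf certificates are produced each time, and nothing here renews them when the 365 days expire.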
12 | */}}
13 | {{- define "sriov_operator_ca_cert" }}
14 | {{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
15 | {{- $_ := set . "ca" $ca -}}
16 | {{- printf "%s" $ca.Cert | b64enc -}}
17 | {{- end }}
18 | {{- define "sriov_operator_cert" }}
19 | {{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
20 | {{- $_ := set . "ca" $ca -}}
21 | {{- $cn := printf "operator-webhook-service.%s.svc" .Release.Namespace -}}
22 | {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
23 | tls.crt: {{ $cert.Cert | b64enc }}
24 | tls.key: {{ $cert.Key | b64enc }}
25 | {{- end }}
26 | {{- define "sriov_resource_injector_cert" }}
27 | {{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
28 | {{- $_ := set . "ca" $ca -}}
29 | {{- $cn := printf "network-resources-injector-service.%s.svc" .Release.Namespace -}}
30 | {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
31 | tls.crt: {{ $cert.Cert | b64enc }}
32 | tls.key: {{ $cert.Key | b64enc }}
33 | {{- end }}
34 |
35 |
--------------------------------------------------------------------------------
/helm/sriov/templates/certmanagercerts.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | {{- if and (.Values.operator.admissionControllers.enabled) (.Values.cert_manager) }}
5 | apiVersion: cert-manager.io/v1
6 | kind: Issuer
7 | metadata:
8 | name: sriov-network-operator-selfsigned-issuer
9 | namespace: {{ .Release.Namespace }}
10 | spec:
11 | selfSigned: {}
12 | ---
13 | apiVersion: cert-manager.io/v1
14 | kind: Certificate
15 | metadata:
16 | name: operator-webhook-service
17 | namespace: {{ .Release.Namespace }}
18 | spec:
19 | secretName: operator-webhook-service
20 | dnsNames:
21 | - operator-webhook-service.{{ .Release.Namespace }}.svc
22 | issuerRef:
23 | name: sriov-network-operator-selfsigned-issuer
24 | privateKey:
25 | rotationPolicy: Always
26 | ---
27 | apiVersion: cert-manager.io/v1
28 | kind: Certificate
29 | metadata:
30 | name: network-resources-injector-service
31 | namespace: {{ .Release.Namespace }}
32 | spec:
33 | secretName: network-resources-injector-secret
34 | dnsNames:
35 | - network-resources-injector-service.{{ .Release.Namespace }}.svc
36 | issuerRef:
37 | name: sriov-network-operator-selfsigned-issuer
38 | privateKey:
39 | rotationPolicy: Always
40 | {{- end -}}
41 |
42 |
--------------------------------------------------------------------------------
/helm/sriov/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: rbac.authorization.k8s.io/v1
5 | kind: ClusterRoleBinding
6 | metadata:
7 | name: {{ include "sriov-network-operator.fullname" . }}
8 | labels:
9 | {{- include "sriov-network-operator.labels" . | nindent 4 }}
10 | roleRef:
11 | kind: ClusterRole
12 | name: {{ include "sriov-network-operator.fullname" . }}
13 | apiGroup: rbac.authorization.k8s.io
14 | subjects:
15 | - kind: ServiceAccount
16 | namespace: {{ .Release.Namespace }}
17 | name: {{ include "sriov-network-operator.fullname" . }}
18 | ---
19 | apiVersion: rbac.authorization.k8s.io/v1
20 | kind: ClusterRoleBinding
21 | metadata:
22 | name: sriov-network-config-daemon
23 | labels:
24 | {{- include "sriov-network-operator.labels" . | nindent 4 }}
25 | roleRef:
26 | kind: ClusterRole
27 | name: sriov-network-config-daemon
28 | apiGroup: rbac.authorization.k8s.io
29 | subjects:
30 | - kind: ServiceAccount
31 | namespace: {{ .Release.Namespace }}
32 | name: sriov-network-config-daemon
33 |
--------------------------------------------------------------------------------
/helm/sriov/templates/networkpolicy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | kind: NetworkPolicy
5 | apiVersion: networking.k8s.io/v1
6 | metadata:
7 | namespace: {{ .Release.Namespace }}
8 | name: sriov-network-operator-deny-from-other-namespaces
9 | spec:
10 | policyTypes:
11 | - Ingress
12 | podSelector: {}
13 | ingress:
14 | - from:
15 | - podSelector: {}
16 | ---
# Calico-specific policy: allows egress from the operator, injector and webhook
# pods to the `kubernetes` Service in the `default` namespace (the API server).
# NOTE(review): the namespace below is hard-coded, whereas the Kubernetes
# NetworkPolicy earlier in this file uses .Release.Namespace. If the chart is
# released into a different namespace, this policy would not sit alongside the
# pods it selects - confirm the two are meant to match.
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-egress
  namespace: sriov-network-operator
spec:
  # Label selector in Calico expression syntax; any one of the three labels matches.
  selector: name == 'sriov-network-operator' || app == 'network-resources-injector' || app == 'operator-webhook'
  types:
    - Egress
  egress:
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default
32 |
--------------------------------------------------------------------------------
/helm/sriov/templates/rolebinding.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | kind: RoleBinding
5 | apiVersion: rbac.authorization.k8s.io/v1
6 | metadata:
7 | name: {{ include "sriov-network-operator.fullname" . }}
8 | namespace: {{ .Release.Namespace }}
9 | labels:
10 | {{- include "sriov-network-operator.labels" . | nindent 4 }}
11 | subjects:
12 | - kind: ServiceAccount
13 | name: {{ include "sriov-network-operator.fullname" . }}
14 | namespace: {{ .Release.Namespace }}
15 | roleRef:
16 | kind: Role
17 | name: {{ include "sriov-network-operator.fullname" . }}
18 | apiGroup: rbac.authorization.k8s.io
19 | ---
20 | kind: RoleBinding
21 | apiVersion: rbac.authorization.k8s.io/v1
22 | metadata:
23 | name: sriov-network-config-daemon
24 | namespace: {{ .Release.Namespace }}
25 | labels:
26 | {{- include "sriov-network-operator.labels" . | nindent 4 }}
27 | subjects:
28 | - kind: ServiceAccount
29 | name: sriov-network-config-daemon
30 | namespace: {{ .Release.Namespace }}
31 | roleRef:
32 | kind: Role
33 | name: sriov-network-config-daemon
34 | apiGroup: rbac.authorization.k8s.io
35 | ---
36 | kind: RoleBinding
37 | apiVersion: rbac.authorization.k8s.io/v1
38 | metadata:
39 | name: operator-webhook-sa
40 | namespace: {{ .Release.Namespace }}
41 | subjects:
42 | - kind: ServiceAccount
43 | name: operator-webhook-sa
44 | roleRef:
45 | kind: Role
46 | name: operator-webhook-sa
47 | apiGroup: rbac.authorization.k8s.io
48 |
--------------------------------------------------------------------------------
/helm/sriov/templates/secrets.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | {{- if not .Values.cert_manager -}}
5 | {{- if .Values.operator.admissionControllers.enabled }}
6 | apiVersion: v1
7 | kind: Secret
8 | metadata:
9 | name: operator-webhook-service
10 | namespace: {{ .Release.Namespace }}
11 | data: {{ include "sriov_operator_cert" . | nindent 2 }}
12 | {{- end }}
13 | ---
14 | {{- if .Values.operator.admissionControllers.enabled }}
15 | apiVersion: v1
16 | kind: Secret
17 | metadata:
18 | name: network-resources-injector-secret
19 | namespace: {{ .Release.Namespace }}
20 | data: {{ include "sriov_resource_injector_cert" . | nindent 2 }}
21 | {{- end }}
22 | {{- end }}
23 |
24 |
--------------------------------------------------------------------------------
/helm/sriov/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | apiVersion: v1
5 | kind: ServiceAccount
6 | metadata:
7 | name: {{ include "sriov-network-operator.fullname" . }}
8 | namespace: {{ .Release.Namespace }}
9 | labels:
10 | {{- include "sriov-network-operator.labels" . | nindent 4 }}
11 | ---
12 | apiVersion: v1
13 | kind: ServiceAccount
14 | metadata:
15 | name: sriov-network-config-daemon
16 | namespace: {{ .Release.Namespace }}
17 | labels:
18 | {{- include "sriov-network-operator.labels" . | nindent 4 }}
19 |
--------------------------------------------------------------------------------
/helm/sriov/templates/sriovoperatorconfig.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | {{ if .Values.sriovOperatorConfig.deploy }}
5 | apiVersion: sriovnetwork.openshift.io/v1
6 | kind: SriovOperatorConfig
7 | metadata:
8 | name: default
9 | namespace: {{ .Release.Namespace }}
10 | spec:
11 | enableInjector: {{ .Values.operator.admissionControllers.enabled }}
12 | enableOperatorWebhook: {{ .Values.operator.admissionControllers.enabled }}
13 | {{- with .Values.sriovOperatorConfig.configDaemonNodeSelector }}
14 | configDaemonNodeSelector:
15 | {{- range $k, $v := .}}{{printf "%s: \"%s\"" $k $v | nindent 4 }}{{ end }}
16 | {{- end }}
17 | logLevel: {{ .Values.sriovOperatorConfig.logLevel }}
18 | disableDrain: {{ .Values.sriovOperatorConfig.disableDrain }}
19 | configurationMode: {{ .Values.sriovOperatorConfig.configurationMode }}
20 | {{ end }}
--------------------------------------------------------------------------------
/helm/sriov/templates/validate-install-crd.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | #{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
5 | # {{- $found := dict -}}
6 | # {{- set $found "sriovnetwork.openshift.io/v1/OVSNetwork" false -}}
7 | # {{- set $found "sriovnetwork.openshift.io/v1/SriovIBNetwork" false -}}
8 | # {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodePolicy" false -}}
9 | # {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodeState" false -}}
10 | # {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkPoolConfig" false -}}
11 | # {{- set $found "sriovnetwork.openshift.io/v1/SriovNetwork" false -}}
12 | # {{- set $found "sriovnetwork.openshift.io/v1/SriovOperatorConfig" false -}}
13 | # {{- range .Capabilities.APIVersions -}}
14 | # {{- if hasKey $found (toString .) -}}
15 | # {{- set $found (toString .) true -}}
16 | # {{- end -}}
17 | # {{- end -}}
18 | # {{- range $_, $exists := $found -}}
19 | # {{- if (eq $exists false) -}}
20 | # {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
21 | # {{- end -}}
22 | # {{- end -}}
23 | #{{- end -}}
24 |
--------------------------------------------------------------------------------
/helm/sriov/tests/certmanagercerts_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test SRIOV Network Operator Certs
5 | templates:
6 | - certmanagercerts.yaml
7 | capabilities:
8 | apiVersions:
9 | - cert-manager.io/v1
10 | tests:
11 | - it: should render 3 documents as .Values.operator.admissionControllers.enabled and .Values.cert_manager are true
12 | capabilities:
13 | apiVersions:
14 | - cert-manager.io/v1
15 | asserts:
16 | - hasDocuments:
17 | count: 3
18 |
19 | - it: SelfSigned Issuer shall be rendered
20 | documentIndex: 0
21 | asserts:
22 | - isAPIVersion:
23 | of: cert-manager.io/v1
24 | - isKind:
25 | of: Issuer
26 | - equal:
27 | path: metadata.name
28 | value: sriov-network-operator-selfsigned-issuer
29 |
30 | - it: Certificate for webhook shall be rendered
31 | documentIndex: 1
32 | asserts:
33 | - isAPIVersion:
34 | of: cert-manager.io/v1
35 | - isKind:
36 | of: Certificate
37 | - equal:
38 | path: spec.secretName
39 | value: operator-webhook-service
40 | - equal:
41 | path: spec.issuerRef.name
42 | value: sriov-network-operator-selfsigned-issuer
43 |
44 | - it: Certificate for injector shall be rendered
45 | documentIndex: 2
46 | asserts:
47 | - isAPIVersion:
48 | of: cert-manager.io/v1
49 | - isKind:
50 | of: Certificate
51 | - equal:
52 | path: spec.secretName
53 | value: network-resources-injector-secret
54 | - equal:
55 | path: spec.issuerRef.name
56 | value: sriov-network-operator-selfsigned-issuer
57 |
--------------------------------------------------------------------------------
/helm/sriov/tests/clusterrolebinding_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test SRIOV Network Operator ClusterRoleBinding
5 | templates:
6 | - clusterrolebinding.yaml
7 | tests:
8 | - it: has 2 ClusterRoleBinding in the file
9 | asserts:
10 | - hasDocuments:
11 | count: 2
12 | - it: should verify metadata
13 | documentIndex: 0
14 | asserts:
15 | - isKind:
16 | of: ClusterRoleBinding
17 | - equal:
18 | path: metadata.name
19 | value: RELEASE-NAME-sriov
20 | - it: should verify cluster role binding
21 | documentIndex: 0
22 | asserts:
23 | - equal:
24 | path: roleRef.name
25 | value: RELEASE-NAME-sriov
26 | - it: should verify service account binding
27 | documentIndex: 0
28 | asserts:
29 | - contains:
30 | path: subjects
31 | content:
32 | kind: ServiceAccount
33 | name: RELEASE-NAME-sriov
34 | namespace: NAMESPACE
35 | - it: should verify metadata
36 | documentIndex: 1
37 | asserts:
38 | - isKind:
39 | of: ClusterRoleBinding
40 | - equal:
41 | path: metadata.name
42 | value: sriov-network-config-daemon
43 | - it: should verify cluster role binding
44 | documentIndex: 1
45 | asserts:
46 | - equal:
47 | path: roleRef.name
48 | value: sriov-network-config-daemon
49 | - it: should verify service account binding
50 | documentIndex: 1
51 | asserts:
52 | - contains:
53 | path: subjects
54 | content:
55 | kind: ServiceAccount
56 | name: sriov-network-config-daemon
57 | namespace: NAMESPACE
58 |
--------------------------------------------------------------------------------
/helm/sriov/tests/configmap_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test SRIOV Network Operator ConfigMap
5 | templates:
6 | - configmap.yaml
7 | tests:
8 | - it: ConfigMap - verification of metadata
9 | asserts:
10 | - isKind:
11 | of: ConfigMap
12 | - equal:
13 | path: metadata.name
14 | value: supported-nic-ids
15 | - it: ConfigMap - verification of data
16 | asserts:
17 | - isNotEmpty:
18 | path: data
19 |
--------------------------------------------------------------------------------
/helm/sriov/tests/operator_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test SRIOV Network Operator Deployment
5 | templates:
6 | - operator.yaml
7 | capabilities:
8 | apiVersions:
9 | - "k8s.cni.cncf.io/v1/NetworkAttachmentDefinition"
10 | tests:
11 | - it: Deployment - verification of metadata
12 | documentIndex: 0
13 | asserts:
14 | - isAPIVersion:
15 | of: apps/v1
16 | - isKind:
17 | of: Deployment
18 | - equal:
19 | path: metadata.name
20 | value: RELEASE-NAME-sriov
21 | - equal:
22 | path: metadata.namespace
23 | value: NAMESPACE
24 | - it: Deployment - verification of spec
25 | documentIndex: 0
26 | asserts:
27 | - isNotEmpty:
28 | path: spec.template.spec.containers[0]
29 | - isNotEmpty:
30 | path: spec.template.spec.containers[0].resources
31 | - isNotNull:
32 | path: spec.template
33 | - isNull:
34 | path: spec.template.nodeSelector
35 | - equal:
36 | path: spec.strategy.type
37 | value: RollingUpdate
38 | - equal:
39 | path: spec.template.spec.serviceAccountName
40 | value: RELEASE-NAME-sriov
41 | - equal:
42 | path: spec.template.spec.priorityClassName
43 | value: system-node-critical
44 |
--------------------------------------------------------------------------------
/helm/sriov/tests/role_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test SRIOV Network Operator Role
5 | templates:
6 | - role.yaml
7 | tests:
8 | - it: has 3 Roles in the file
9 | asserts:
10 | - hasDocuments:
11 | count: 3
12 | - it: Roles - verification of metadata
13 | documentIndex: 0
14 | asserts:
15 | - isAPIVersion:
16 | of: rbac.authorization.k8s.io/v1
17 | - isKind:
18 | of: Role
19 | - equal:
20 | path: metadata.name
21 | value: RELEASE-NAME-sriov
22 | - equal:
23 | path: metadata.namespace
24 | value: NAMESPACE
25 | - it: Roles - verification of metadata
26 | documentIndex: 1
27 | asserts:
28 | - isAPIVersion:
29 | of: rbac.authorization.k8s.io/v1
30 | - isKind:
31 | of: Role
32 | - equal:
33 | path: metadata.name
34 | value: sriov-network-config-daemon
35 | - equal:
36 | path: metadata.namespace
37 | value: NAMESPACE
38 | - it: Roles - verification of metadata
39 | documentIndex: 2
40 | asserts:
41 | - isAPIVersion:
42 | of: rbac.authorization.k8s.io/v1
43 | - isKind:
44 | of: Role
45 | - equal:
46 | path: metadata.name
47 | value: operator-webhook-sa
48 | - equal:
49 | path: metadata.namespace
50 | value: NAMESPACE
51 |
--------------------------------------------------------------------------------
/helm/sriov/tests/secrets_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test SRIOV Network Operator Secrets
5 | templates:
6 | - secrets.yaml
7 | tests:
8 | - it: shouldn't render any document as .Values.cert_manager is true.
9 | asserts:
10 | - hasDocuments:
11 | count: 0
12 |
--------------------------------------------------------------------------------
/helm/sriov/tests/serviceaccount_test.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | suite: Test SRIOV Network Operator ServiceAccounts
5 | templates:
6 | - serviceaccount.yaml
7 | tests:
8 | - it: has 2 ServiceAccounts in the file
9 | asserts:
10 | - hasDocuments:
11 | count: 2
12 | - it: ServiceAccount - verification of metadata
13 | documentIndex: 0
14 | asserts:
15 | - isAPIVersion:
16 | of: v1
17 | - isKind:
18 | of: ServiceAccount
19 | - equal:
20 | path: metadata.name
21 | value: RELEASE-NAME-sriov
22 | - equal:
23 | path: metadata.namespace
24 | value: NAMESPACE
25 | - it: ServiceAccount - verification of metadata
26 | documentIndex: 1
27 | asserts:
28 | - isAPIVersion:
29 | of: v1
30 | - isKind:
31 | of: ServiceAccount
32 | - equal:
33 | path: metadata.name
34 | value: sriov-network-config-daemon
35 | - equal:
36 | path: metadata.namespace
37 | value: NAMESPACE
38 |
--------------------------------------------------------------------------------
/helm/sriov/trivy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
scan:
  # NOTE(review): this excludes the chart's templates/ directory from Trivy
  # scanning, so findings in the chart's manifests (RBAC bindings, Secrets,
  # NetworkPolicies) are not reported by this scan - confirm the exclusion is
  # intended and that the templates are checked by another step.
  skip-dirs:
    - templates
7 |
--------------------------------------------------------------------------------
/manifest/manifest.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | metadata:
5 | schemaVersion: 0.3.0
6 | release: 1.1.4
7 | lpke:
8 | deploymentPackages:
9 | - dpkg: edge-orch/en/file/base-extensions
10 | version: 0.8.0
11 | - dpkg: edge-orch/en/file/intel-gpu
12 | version: 1.3.0
13 | - dpkg: edge-orch/en/file/kubernetes-dashboard
14 | version: 0.1.0
15 | - dpkg: edge-orch/en/file/loadbalancer
16 | version: 0.5.2
17 | - dpkg: edge-orch/en/file/skupper
18 | version: 0.2.0
19 | - dpkg: edge-orch/en/file/sriov
20 | version: 0.4.0
21 | - dpkg: edge-orch/en/file/trusted-compute
22 | version: 0.5.0
23 | - dpkg: edge-orch/en/file/usb
24 | version: 0.4.0
25 | - dpkg: edge-orch/en/file/virtualization
26 | version: 0.5.1
27 | deploymentList:
28 | - dpName: base-extensions
29 | displayName: base-extensions-baseline
30 | dpProfileName: baseline
31 | dpVersion: 0.8.0
32 | allAppTargetClusters:
33 | - key: default-extension
34 | val: baseline
35 | - dpName: base-extensions
36 | displayName: base-extensions-restricted
37 | dpProfileName: restricted
38 | dpVersion: 0.8.0
39 | allAppTargetClusters:
40 | - key: default-extension
41 | val: restricted
42 | - dpName: base-extensions
43 | displayName: base-extensions-privileged
44 | dpProfileName: privileged
45 | dpVersion: 0.8.0
46 | allAppTargetClusters:
47 | - key: default-extension
48 | val: privileged
49 |
--------------------------------------------------------------------------------
/pkg/artifact/artifact.go:
--------------------------------------------------------------------------------
1 | // SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | //
3 | // SPDX-License-Identifier: Apache-2.0
4 |
5 | package artifact
6 |
7 | import "fmt"
8 |
// KeyProvider is a type constraint for comparable artifact types that can
// describe themselves with a string key.
type KeyProvider interface {
	comparable
	Key() string
}

// DeploymentPackage is a single deployment-package entry as decoded from YAML:
// the registry it lives in, its package path ("dpkg"), its version and an
// optional description.
type DeploymentPackage struct {
	Description       string `yaml:"description,omitempty"`
	Registry          string `yaml:"registry"`
	Version           string `yaml:"version"`
	DeploymentPackage string `yaml:"dpkg"`
}

// AllAppTargetCluster is one key/value pair attached to a deployment-list entry.
type AllAppTargetCluster struct {
	Key string `yaml:"key"`
	Val string `yaml:"val"`
}

// DeploymentList is a single deployment entry as decoded from YAML: a
// deployment package name, profile and version, a display name and the
// key/value pairs listed under allAppTargetClusters.
type DeploymentList struct {
	DPName               string                 `yaml:"dpName"`
	DPProfileName        string                 `yaml:"dpProfileName"`
	DPVersion            string                 `yaml:"dpVersion"`
	DisplayName          string                 `yaml:"displayName"`
	AllAppTargetClusters []*AllAppTargetCluster `yaml:"allAppTargetClusters"`
}

// Key returns "<registry>#<dpkg>:<version>".
//
// The fields are joined without escaping, so the key is unambiguous only as
// long as the fields themselves do not contain the '#' and ':' separators.
func (dp DeploymentPackage) Key() string {
	const layout = "%s#%s:%s"
	return fmt.Sprintf(layout, dp.Registry, dp.DeploymentPackage, dp.Version)
}

// Key returns "<dpName>#<dpProfileName>:<dpVersion>".
//
// DisplayName and AllAppTargetClusters do not take part in the key. The
// fields are joined without escaping, as in DeploymentPackage.Key.
func (dl DeploymentList) Key() string {
	const layout = "%s#%s:%s"
	return fmt.Sprintf(layout, dl.DPName, dl.DPProfileName, dl.DPVersion)
}
39 |
--------------------------------------------------------------------------------
/pkg/edgedns-coredns/.golangci.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 | ---
5 | run:
6 | # Autogenerated files take too much time and memory to load,
7 | # even if we skip them with -skip-dirs or -skip-files;
8 | # or mark them as generated; or use nolint annotations.
9 | # So we define this tag and use it in the autogenerated files.
10 | build-tags:
11 | - codeanalysis
12 |
13 | linters:
14 | enable:
15 | - gofmt
16 | - gosec
17 | - revive
18 | - misspell
19 | - typecheck
20 | - errcheck
21 | - dogsled
22 | - unconvert
23 | - nakedret
24 | - copyloopvar
25 | - staticcheck
26 |
--------------------------------------------------------------------------------
/pkg/edgedns-coredns/Dockerfile:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | #
3 | # SPDX-License-Identifier: Apache-2.0
4 |
# Stage "certs": used only to obtain a CA bundle for the final image.
# The base image is pinned by digest, so the tag is informational.
FROM debian:stable-slim@sha256:ecf7312e554c5be68880b2675bcff3dfc64e12ae2f67649c3a392df398711371 AS certs
# -e makes each RUN fail on the first failing command in the ';'-separated list.
SHELL [ "/bin/sh", "-ec" ]

# NOTE(review): `apt-get upgrade` and the unversioned ca-certificates install
# take whatever the mirror serves at build time, so this stage is not
# reproducible even though the base image is digest-pinned.
# hadolint ignore=DL3008,DL3015
RUN export DEBCONF_NONINTERACTIVE_SEEN=true \
    DEBIAN_FRONTEND=noninteractive \
    DEBIAN_PRIORITY=critical \
    TERM=linux ; \
    apt-get -qq update ; \
    apt-get -yyqq upgrade ; \
    apt-get -yyqq install ca-certificates ; \
    apt-get clean

# Stage "build": compiles the binary with a digest-pinned Go toolchain.
FROM golang:1.24.2@sha256:d9db32125db0c3a680cfb7a1afcaefb89c898a075ec148fdc2f0f646cc2ed509 AS build

WORKDIR /workspace

# Download deps in separate step for caching
COPY go.mod go.sum ./
RUN go mod download

# Copy sources to the working directory
# NOTE(review): `COPY . .` copies the whole build context into this stage;
# confirm a .dockerignore keeps local credentials and VCS data out of it.
COPY . .

# Statically compile binary
# -trimpath drops local filesystem paths from the binary, -mod=readonly refuses
# to modify go.mod during the build, and -spectre=all turns on the compiler's
# and assembler's Spectre mitigations.
# NOTE(review): -N -l disable optimizations and inlining and are normally
# debug-build flags, while -ldflags "-s -w" strips the symbol table and DWARF
# data; confirm the unoptimized build is intended for the shipped image.
# NOTE(review): GOARCH is fixed to amd64, so the image is single-architecture.
RUN CGO_ENABLED=0 \
    GOARCH=amd64 \
    GOOS=linux \
    go build -trimpath -mod=readonly -gcflags="all=-spectre=all -N -l" -asmflags="all=-spectre=all" -ldflags="all=-s -w" -o build/edgedns ./cmd/edgedns-coredns

# Final stage: empty base image holding only the CA bundle and the binary.
# NOTE(review): there is no USER instruction, so the process runs as uid 0
# unless the runtime overrides it (for example a pod securityContext). Running
# as non-root on port 53 would need CAP_NET_BIND_SERVICE or an equivalent
# runtime setting - confirm what the deployment configures.
FROM scratch

# OCI image metadata supplied at build time; each value defaults to "unknown".
ARG org_oci_version=unknown
ARG org_oci_source=unknown
ARG org_oci_revision=unknown
ARG org_oci_created=unknown

LABEL org.opencontainers.image.version=$org_oci_version \
      org.opencontainers.image.source=$org_oci_source \
      org.opencontainers.image.revision=$org_oci_revision \
      org.opencontainers.image.created=$org_oci_created

COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# The edgedns build output is installed under the name /coredns.
COPY --from=build /workspace/build/edgedns /coredns

# DNS over TCP and UDP.
EXPOSE 53 53/udp
ENTRYPOINT ["/coredns"]
52 |
--------------------------------------------------------------------------------
/pkg/edgedns-coredns/Makefile:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | export GO111MODULE=on
5 |
6 | .PHONY: go-build run test docker-build docker-push lint
7 | BUILD_DIR ?=dist
8 |
9 | # Code Versions
10 | VERSION := $(shell cat VERSION)
11 | GIT_HASH_SHORT := $(shell git rev-parse --short=8 HEAD)
12 | VERSION_DEV_SUFFIX := ${GIT_HASH_SHORT}
13 |
14 | DOCKER_IMG_NAME ?= edgedns-coredns
15 | DOCKER_VERSION ?= $(shell git branch --show-current | sed 's/\//-/g')
16 |
17 | # Add an identifying suffix for `-dev` builds only.
18 | # Release build versions are verified as unique by the CI build process.
19 | ifeq ($(findstring -dev,$(VERSION)), -dev)
20 | VERSION := $(VERSION)-$(VERSION_DEV_SUFFIX)
21 | endif
22 |
23 | # Include shared makefile
24 | include ../../common.mk
25 |
26 | go-build: fmt vet common-go-build-edgedns-coredns
27 |
28 | run: fmt vet ## Run a controller from your host.
29 | go run cmd/edgedns-coredns/main.go
30 |
31 | test:
32 | go test -v ./...
33 |
34 | docker-build: common-docker-build-edgedns-coredns
35 |
36 | docker-push: common-docker-push
37 |
38 | LINT_DIRS := ./...
39 |
40 | lint: go-lint
41 |
--------------------------------------------------------------------------------
/pkg/edgedns-coredns/README.md:
--------------------------------------------------------------------------------
1 |
5 |
6 | # edgedns-coredns
7 |
8 | This package builds a custom `edgedns-coredns` image with the CoreDNS "rrl" (response rate limiting) plugin compiled in.
9 |
10 | To build new image use:
11 |
12 | ```sh
13 | make docker-build
14 | ```
15 |
16 | To build new image and push it to registry-rs.edgeorchestration.intel.com/edge-orch/en/edgedns-coredns use:
17 |
18 | ```sh
19 | make docker-push
20 | ```
21 |
--------------------------------------------------------------------------------
/pkg/edgedns-coredns/VERSION:
--------------------------------------------------------------------------------
1 | 1.4.0
2 |
--------------------------------------------------------------------------------
/pkg/edgedns-coredns/cmd/edgedns-coredns/main.go:
--------------------------------------------------------------------------------
1 | // SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | package main
5 |
6 | import (
7 | "github.com/coredns/coredns/core/dnsserver"
8 | _ "github.com/coredns/coredns/core/plugin"
9 | "github.com/coredns/coredns/coremain"
10 |
11 | _ "github.com/coredns/rrl/plugins/rrl"
12 | )
13 |
// init registers the "rrl" directive ahead of every directive that CoreDNS
// already knows, so the plugin is first in the directive order.
//
// Registering the directive only makes the plugin available. Rate limiting
// applies solely to server blocks whose Corefile contains an rrl section, so
// the deployed Corefile has to be checked as well.
func init() {
	withRRL := make([]string, 0, len(dnsserver.Directives)+1)
	withRRL = append(withRRL, "rrl")
	withRRL = append(withRRL, dnsserver.Directives...)
	dnsserver.Directives = withRRL
}
17 |
// main hands control to the stock CoreDNS entry point; the only customisation
// in this binary is the extra "rrl" plugin import and the directive added in init.
func main() {
	coremain.Run()
}
21 |
--------------------------------------------------------------------------------
/pkg/edgedns-coredns/cmd/edgedns-coredns/main_test.go:
--------------------------------------------------------------------------------
1 | // SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | package main
5 |
6 | import (
7 | "testing"
8 |
9 | "github.com/coredns/coredns/core/dnsserver"
10 | )
11 |
// TestAddPlugin checks that package init left an "rrl" entry in
// dnsserver.Directives. It verifies presence only, not the position of the
// entry in the directive order.
func TestAddPlugin(t *testing.T) {
	for _, directive := range dnsserver.Directives {
		if directive == "rrl" {
			return
		}
	}
	t.Error("rrl plugin is not present in configuration")
}
24 |
--------------------------------------------------------------------------------
/pkg/intel-gpu-debug/Makefile:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # Code Versions
5 | VERSION := $(shell cat VERSION)
6 | GIT_HASH_SHORT := $(shell git rev-parse --short=8 HEAD)
7 | VERSION_DEV_SUFFIX := ${GIT_HASH_SHORT}
8 |
9 | DOCKER_IMG_NAME ?= intel-gpu-debug
10 | DOCKER_VERSION ?= $(shell git branch --show-current | sed 's/\//-/g')
11 |
12 | # Add an identifying suffix for `-dev` builds only.
13 | # Release build versions are verified as unique by the CI build process.
14 | ifeq ($(findstring -dev,$(VERSION)), -dev)
15 | VERSION := $(VERSION)-$(VERSION_DEV_SUFFIX)
16 | endif
17 |
18 | # Include shared makefile
19 | include ../../common.mk
20 |
21 | .PHONY: docker-build docker-push lint
22 |
23 | docker-build: common-docker-build-intel-gpu-debug
24 |
25 | docker-push: common-docker-push
26 |
27 | lint:
28 |
--------------------------------------------------------------------------------
/pkg/intel-gpu-debug/VERSION:
--------------------------------------------------------------------------------
1 | 1.3.0
2 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/.gitignore:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2024 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # jetbrains
5 | .idea
6 | .vscode
7 | .DS_Store
8 | /vendor/
9 | /build/_output/*
10 | /coverage.txt
11 | /coverage.xml
12 | vendor
13 | bin
14 | *.log
15 | build/_output
16 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/.golangci.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | run:
5 | # Autogenerated files take too much time and memory to load,
6 | # even if we skip them with -skip-dirs or -skip-dirs;
7 | # or mark them as generated; or use nolint annotations.
8 | # So we define this tag and use it in the autogenerated files.
9 | build-tags:
10 | - codeanalysis
11 | # Do not run linters on unit-test files
12 | tests: false
13 |
14 | linters:
15 | enable:
16 | - gofmt
17 | - revive
18 | - misspell
19 | - typecheck
20 | - errcheck
21 | - dogsled
22 | - unconvert
23 | - nakedret
24 | - copyloopvar
25 | - gosec
26 |
27 | issues:
28 | exclude:
29 | - Error return value of `.*Close` is not checked
30 | - Error return value of `.*Flush` is not checked
31 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/Dockerfile:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
# Build stage: Go toolchain pinned by tag and digest.
FROM golang:1.24.2@sha256:d9db32125db0c3a680cfb7a1afcaefb89c898a075ec148fdc2f0f646cc2ed509 AS build
ENV APP_ROOT=$GOPATH/src/github.com/open-edge-platform/cluster-extensions/pkg/kubevirt-helper
ENV CGO_ENABLED=0
ENV GO111MODULE=on


RUN mkdir -p $APP_ROOT/

# Only the listed directories and the module files enter the build context
# that is compiled. The vendored tree is what gets built (-mod=vendor below).
# NOTE(review): this package's trivy.yaml lists "vendor" under skip-dirs;
# confirm the dependencies are still covered through go.mod / go.sum scanning.
COPY ./cmd /$APP_ROOT/cmd
COPY ./internal /$APP_ROOT/internal
COPY ./vendor /$APP_ROOT/vendor
COPY ./go.mod /$APP_ROOT/go.mod
COPY ./go.sum /$APP_ROOT/go.sum

WORKDIR $APP_ROOT
# Flags: -trimpath drops local filesystem paths from the binary, -spectre=all
# enables the compiler and assembler Spectre mitigations, and -s -w strip the
# symbol table and DWARF data.
# NOTE(review): "-N -l" disables compiler optimizations and inlining, which is
# normally a debugging setting; confirm it is intended for a release build.
RUN GOARCH=amd64 \
    GOOS=linux \
    go build \
    -trimpath -mod=vendor -gcflags="all=-spectre=all -N -l" -asmflags="all=-spectre=all" -ldflags="all=-s -w" \
    -o /go/bin/kubevirt-helper ./cmd/kubevirt-helper

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
# The runtime image is pinned by digest and runs as the image's nonroot user.
FROM gcr.io/distroless/static:nonroot@sha256:c0f429e16b13e583da7e5a6ec20dd656d325d88e6819cafe0adb0828976529dc
USER nonroot

ARG org_oci_version=unknown
ARG org_oci_source=unknown
ARG org_oci_revision=unknown
ARG org_oci_created=unknown

LABEL org.opencontainers.image.version=$org_oci_version \
      org.opencontainers.image.source=$org_oci_source \
      org.opencontainers.image.revision=$org_oci_revision \
      org.opencontainers.image.created=$org_oci_created

WORKDIR /

# The binary is owned by UID/GID 65532 rather than root.
COPY --from=build --chown=65532:65532 /go/bin/kubevirt-helper /usr/local/bin/

ENTRYPOINT ["/usr/local/bin/kubevirt-helper"]
45 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/VERSION:
--------------------------------------------------------------------------------
1 | 1.5.0
2 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/cmd/kubevirt-helper/main.go:
--------------------------------------------------------------------------------
1 | // SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | package main
5 |
6 | import (
7 | "flag"
8 |
9 | "github.com/open-edge-platform/cluster-extensions/kubevirt-helper/internal/manager"
10 | _ "github.com/open-edge-platform/orch-library/go/dazl/zap"
11 | )
12 |
// main reads the webhook settings from command-line flags, builds the manager
// from them and starts it.
//
// The flag values (listen port, certificate location and file names, mutate
// path) are passed on as given; nothing is validated in this function.
func main() {
	var cfg manager.Config
	flag.IntVar(&cfg.Port, "port", 8443, "Port number for webhook service")
	flag.StringVar(&cfg.CertPath, "certPath", "/opt/k8s-webhook-server/serving-certs/", "TLS key path for webhook service")
	flag.StringVar(&cfg.CertName, "certName", "tls.crt", "TLS cert file name")
	flag.StringVar(&cfg.KeyName, "keyName", "tls.key", "TLS key file name")
	flag.StringVar(&cfg.MutatePath, "mutatePath", "/kubevirt-helper-mutate", "Webhook mutate path")
	flag.Parse()

	// Nothing in this file ever sends on or closes this channel.
	block := make(chan bool)
	mgr := manager.NewManager(cfg)
	mgr.Run()

	// NOTE(review): if Run returns, main parks on this receive. With no other
	// goroutine alive the Go runtime aborts with a deadlock error; otherwise
	// the process stays up without serving. Confirm whether Run can return
	// without an error, because a webhook process that is alive but not
	// serving is not restarted on exit status alone.
	<-block
}
34 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/internal/k8swebhook/mocks/k8swebhookserver_mock.go:
--------------------------------------------------------------------------------
1 | // Code generated by mockery v2.20.0. DO NOT EDIT.
2 |
3 | package mocks
4 |
5 | import (
6 | context "context"
7 |
8 | mock "github.com/stretchr/testify/mock"
9 | )
10 |
11 | // MockServer is an autogenerated mock type for the Server type
12 | type MockServer struct {
13 | mock.Mock
14 | }
15 |
16 | // Run provides a mock function with given fields: ctx
17 | func (_m *MockServer) Run(ctx context.Context) error {
18 | ret := _m.Called(ctx)
19 |
20 | var r0 error
21 | if rf, ok := ret.Get(0).(func(context.Context) error); ok {
22 | r0 = rf(ctx)
23 | } else {
24 | r0 = ret.Error(0)
25 | }
26 |
27 | return r0
28 | }
29 |
30 | type mockConstructorTestingTNewMockServer interface {
31 | mock.TestingT
32 | Cleanup(func())
33 | }
34 |
35 | // NewMockServer creates a new instance of MockServer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
36 | func NewMockServer(t mockConstructorTestingTNewMockServer) *MockServer {
37 | mock := &MockServer{}
38 | mock.Mock.Test(t)
39 |
40 | t.Cleanup(func() { mock.AssertExpectations(t) })
41 |
42 | return mock
43 | }
44 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/internal/manager/manager.go:
--------------------------------------------------------------------------------
1 | // SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | package manager
5 |
6 | import (
7 | "context"
8 |
9 | "github.com/open-edge-platform/cluster-extensions/kubevirt-helper/internal/k8swebhook"
10 | "github.com/open-edge-platform/orch-library/go/dazl"
11 | )
12 |
13 | var log = dazl.GetPackageLogger()
14 |
15 | var newK8sWebhookServer = k8swebhook.NewServer
16 |
// Config holds the webhook server settings. NewManager passes every field to
// the server constructor unchanged; no validation is done in this package.
type Config struct {
	// Port is the listen port; it is also written to the log at start-up.
	Port int
	// NOTE(review): CertPath, CertName and KeyName presumably locate the TLS
	// certificate and private key on disk; how they are combined is decided
	// in k8swebhook, confirm there.
	CertPath string
	CertName string
	KeyName  string
	// MutatePath is forwarded to the webhook server constructor as-is.
	MutatePath string
}
24 |
// NewManager builds a Manager whose webhook server is created through the
// package-level newK8sWebhookServer constructor, which tests can replace.
// The configuration values are forwarded without any checks.
func NewManager(config Config) Manager {
	server := newK8sWebhookServer(
		config.Port,
		config.CertPath,
		config.CertName,
		config.KeyName,
		config.MutatePath,
	)
	return &manager{config: config, webhookServer: server}
}
31 |
// Manager is the handle returned by NewManager; Run is its only method.
type Manager interface {
	// Run starts the manager. It returns no error value to the caller.
	Run()
}
35 |
// manager is the package's Manager implementation.
type manager struct {
	config        Config            // settings received by NewManager
	webhookServer k8swebhook.Server // server started by runWebhookServer
}
40 |
// Run logs a start-up message and runs the webhook server with a background
// context. Any error returned by the server is passed to log.Fatal; nothing
// is returned to the caller.
func (m *manager) Run() {
	log.Info("Starting KubeVirt Helper")

	if err := m.runWebhookServer(context.Background()); err != nil {
		log.Fatal(err)
	}
}
51 |
// runWebhookServer logs the configured port and then calls Run on the webhook
// server, returning whatever error that call produces.
func (m *manager) runWebhookServer(ctx context.Context) error {
	port := m.config.Port
	log.Infof("Starting Webhook Server on the port %d", port)

	err := m.webhookServer.Run(ctx)
	return err
}
57 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/internal/manager/manager_test.go:
--------------------------------------------------------------------------------
1 | // SPDX-FileCopyrightText: (C) 2023 Intel Corporation
2 | // SPDX-License-Identifier: Apache-2.0
3 |
4 | package manager
5 |
6 | import (
7 | "context"
8 | "testing"
9 |
10 | "github.com/open-edge-platform/cluster-extensions/kubevirt-helper/internal/k8swebhook"
11 | "github.com/open-edge-platform/cluster-extensions/kubevirt-helper/internal/k8swebhook/mocks"
12 | "github.com/open-edge-platform/orch-library/go/pkg/errors"
13 | "github.com/stretchr/testify/assert"
14 | )
15 |
16 | var (
17 | testCfg = Config{
18 | Port: 80,
19 | CertPath: "",
20 | CertName: "",
21 | KeyName: "",
22 | MutatePath: "",
23 | }
24 | )
25 |
// TestNewManager checks that NewManager returns a non-nil Manager for the
// shared test configuration. It uses the real server constructor.
func TestNewManager(t *testing.T) {
	assert.NotNil(t, NewManager(testCfg))
}
30 |
// TestManager_Run swaps the server constructor for one that returns a mock
// whose Run yields a "canceled" error, then calls Manager.Run.
//
// NOTE(review): Manager.Run hands that error to log.Fatal. Whether this ends
// the test process depends on the dazl logger, so confirm what the test can
// actually observe. Nothing is asserted after Run.
func TestManager_Run(t *testing.T) {
	saved := newK8sWebhookServer
	defer func() { newK8sWebhookServer = saved }()

	newK8sWebhookServer = func(_ int, _, _, _, _ string) k8swebhook.Server {
		srv := mocks.NewMockServer(t)
		srv.On("Run", context.Background()).Return(errors.NewCanceled(""))
		return srv
	}

	mgr := NewManager(testCfg)
	assert.NotNil(t, mgr)

	mgr.Run()
}
47 |
--------------------------------------------------------------------------------
/pkg/kubevirt-helper/trivy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
# Directories listed here are left out of Trivy scans and produce no findings.
# NOTE(review): this package's Dockerfile builds with -mod=vendor, so the
# skipped vendor tree is the code that ships; confirm that dependency findings
# are still produced from go.mod / go.sum.
scan:
  # Same as '--skip-dirs'
  # Default is empty
  skip-dirs:
    - vendor
9 |
--------------------------------------------------------------------------------
/pkg/manifest-version-check/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/open-edge-platform/cluster-extensions/manifest-version-check
2 |
3 | go 1.24.2
4 |
5 | require (
6 | github.com/open-edge-platform/cluster-extensions v1.0.29
7 | github.com/sirupsen/logrus v1.9.3
8 | )
9 |
10 | require (
11 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
12 | gopkg.in/yaml.v3 v3.0.1 // indirect
13 | )
14 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 |
4 | # OpenAPI validator
5 | openapi-spec-validator~=0.7.1
6 |
7 | # YAML linter
8 | yamllint~=1.29.0
9 |
10 | # license checking
11 | python-debian==0.1.44
12 | reuse~=5.0.0
--------------------------------------------------------------------------------
/trivy.yaml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
# Paths listed below are left out of Trivy scans, so they produce no findings.
# NOTE(review): skip-files removes both package Dockerfiles from scanning.
# pkg/edgedns-coredns/Dockerfile ends in a scratch stage with no USER
# instruction, which is the kind of issue a Dockerfile check reports. Record
# why each path is skipped and re-check the list whenever these files change.
scan:
  skip-dirs:
    - helm/cdi/templates
    - helm/edgedns/templates
    - helm/intel-gpu-debug/templates
    - helm/kubevirt/templates
    - helm/observability-config/templates
    - helm/skupper-sample-app
    - helm/skupper/templates
    - helm/sriov/templates
  skip-files:
    - pkg/edgedns-coredns/Dockerfile
    - pkg/intel-gpu-debug/Dockerfile
17 |
--------------------------------------------------------------------------------