├── _config.yml ├── charts ├── traefik-charts │ ├── traefik │ │ ├── .helmignore │ │ ├── templates │ │ │ ├── configmap.yaml │ │ │ ├── gatewayclass.yaml │ │ │ ├── tlsoption.yaml │ │ │ ├── rbac │ │ │ │ ├── serviceaccount.yaml │ │ │ │ ├── rolebinding.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── podsecuritypolicy.yaml │ │ │ │ └── clusterrole.yaml │ │ │ ├── hpa.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ ├── pvc.yaml │ │ │ ├── dashboard-hook-ingressroute.yaml │ │ │ ├── gateway.yaml │ │ │ ├── ingressclass.yaml │ │ │ ├── daemonset.yaml │ │ │ ├── deployment.yaml │ │ │ └── _helpers.tpl │ │ ├── tests │ │ │ ├── gatewayclass-config_test.yaml │ │ │ ├── default-install_test.yaml │ │ │ ├── daemonset-config_test.yaml │ │ │ ├── poddisruptionbudget-config_test.yaml │ │ │ ├── gateway-config_test.yaml │ │ │ ├── podsecuritypolicy-config_test.yaml │ │ │ └── deployment-config_test.yaml │ │ ├── Chart.yaml │ │ └── crds │ │ │ ├── middlewarestcp.yaml │ │ │ └── tlsstores.yaml │ ├── lint │ │ ├── ct.yaml │ │ ├── chart_schema.yaml │ │ └── lintconf.yaml │ ├── artifacthub-repo.yml │ ├── CONTRIBUTING.md │ ├── ziti.README │ └── TESTING.md ├── prometheus │ ├── .gitignore │ ├── templates │ │ ├── secret-config-reloadz-ziti.id.yaml │ │ ├── secret-server.scrape.id.yaml │ │ ├── secret-server.ziti.id.yaml │ │ ├── secret-alertmanager-config-reloadz-ziti.id.yaml │ │ ├── server │ │ │ ├── serviceaccount.yaml │ │ │ ├── pdb.yaml │ │ │ ├── netpol.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── vpa.yaml │ │ │ ├── clusterrole.yaml │ │ │ ├── headless-svc.yaml │ │ │ ├── pvc.yaml │ │ │ ├── psp.yaml │ │ │ ├── service.yaml │ │ │ └── ingress.yaml │ │ ├── pushgateway │ │ │ ├── serviceaccount.yaml │ │ │ ├── pdb.yaml │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── netpol.yaml │ │ │ ├── vpa.yaml │ │ │ ├── pvc.yaml │ │ │ ├── psp.yaml │ │ │ ├── service.yaml │ │ │ └── ingress.yaml │ │ ├── alertmanager │ │ │ ├── serviceaccount.yaml │ │ │ ├── 
pdb.yaml │ │ │ ├── clusterrole.yaml │ │ │ ├── cm.yaml │ │ │ ├── netpol.yaml │ │ │ ├── role.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── headless-svc.yaml │ │ │ ├── psp.yaml │ │ │ ├── pvc.yaml │ │ │ ├── service.yaml │ │ │ └── ingress.yaml │ │ └── node-exporter │ │ │ ├── serviceaccount.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── psp.yaml │ │ │ └── svc.yaml │ ├── .helmignore │ └── Chart.yaml ├── ziti-browzer-bootstrapper │ ├── .gitignore │ ├── Chart.yaml │ ├── .helmignore │ ├── templates │ │ ├── NOTES.txt │ │ ├── ingress.yaml │ │ └── service.yaml │ └── values-browzer.yaml ├── httpbin │ ├── Chart.yaml │ ├── .helmignore │ ├── templates │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── secrets.yaml │ │ ├── hpa.yaml │ │ ├── serviceaccount.yaml │ │ ├── _helpers.tpl │ │ ├── pre-delete-hook .yaml │ │ ├── NOTES.txt │ │ └── post-install-hook.yaml │ └── README.md.gotmpl ├── ziti-router │ ├── Chart.yaml │ ├── .helmignore │ ├── ziti-router-init.python │ ├── templates │ │ ├── NOTES.txt │ │ ├── alt-certificate.yaml │ │ └── pvc.yaml │ ├── values-browzer.yaml │ ├── examples │ │ ├── scenario-1-dynamic.yaml │ │ ├── scenario-2-single-default.yaml │ │ ├── scenario-5-one-additional-only.yaml │ │ ├── scenario-3-two-default.yaml │ │ ├── scenario-6-one-explicit-one-implicit-default.yaml │ │ └── scenario-4-mixed-one-each.yaml │ └── values-ingress-nginx.yaml ├── reflect │ ├── templates │ │ ├── configmap.yaml │ │ ├── serviceaccount.yaml │ │ ├── service.yaml │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── hpa.yaml │ │ ├── _helpers.tpl │ │ ├── ingress.yaml │ │ ├── NOTES.txt │ │ └── deployment.yaml │ ├── Chart.yaml │ ├── .helmignore │ ├── README.md.gotmpl │ └── values.yaml ├── ziti-controller │ ├── Chart.yaml │ ├── .helmignore │ ├── templates │ │ ├── ca-selfsigned-issuer.yaml │ │ ├── NOTES.txt │ │ ├── pvc.yaml │ │ ├── alt-certificate.yaml │ │ ├── ca-bundle.yaml │ │ ├── secrets.yaml │ │ └── servicemonitor.yaml │ ├── values-browzer.yaml │ ├── 
values-ingress-nginx.yaml │ └── files │ │ └── chown-cert-manager.bash ├── ziti-host │ ├── Chart.yaml │ ├── templates │ │ ├── identity-migrate-role.yaml │ │ ├── identity-pvc.yaml │ │ ├── serviceaccount.yaml │ │ ├── identity-migrate-rolebinding.yaml │ │ ├── NOTES.txt │ │ ├── identity-migrate-script-cm.yaml │ │ ├── identity-migrate-job.yaml │ │ └── _helpers.tpl │ └── .helmignore ├── ziti-edge-tunnel │ ├── Chart.yaml │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── identity-pvc.yaml │ │ ├── validation.yaml │ │ └── _helpers.tpl │ └── .helmignore ├── hello-toy │ ├── templates │ │ ├── serviceaccount.yaml │ │ ├── service.yaml │ │ ├── deployment.yaml │ │ ├── _helpers.tpl │ │ └── NOTES.txt │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ └── values.yaml └── zrok │ ├── .helmignore │ ├── templates │ ├── controller-service.yaml │ ├── frontend-service.yaml │ ├── tests │ │ └── test-connection.yaml │ ├── serviceaccount.yaml │ ├── hpa.yaml │ ├── pvc.yaml │ ├── test-job.yml │ ├── _helpers.tpl │ └── controller-ingress.yaml │ ├── values-ingress-nginx.yaml │ └── Chart.yaml ├── SECURITY.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── .github ├── workflows │ ├── linters.yml │ ├── helm-docs.yml │ ├── bump-version.yml │ ├── readme.yml │ ├── release-notes.yml │ ├── mattermost-ziti-webhook.yml │ └── release-charts.yml └── release.yml └── .gitignore /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-cayman 2 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/.helmignore: -------------------------------------------------------------------------------- 1 | tests/ 2 | -------------------------------------------------------------------------------- /charts/prometheus/.gitignore: -------------------------------------------------------------------------------- 1 | requirements.lock 2 | Chart.lock 3 | 
-------------------------------------------------------------------------------- /charts/ziti-browzer-bootstrapper/.gitignore: -------------------------------------------------------------------------------- 1 | /browzer-values.yaml 2 | /cluster-issuer.yaml 3 | -------------------------------------------------------------------------------- /charts/traefik-charts/lint/ct.yaml: -------------------------------------------------------------------------------- 1 | chart-dirs: 2 | - ./ 3 | remote: traefik 4 | target-branch: master 5 | debug: true 6 | check-version-increment: true 7 | -------------------------------------------------------------------------------- /charts/httpbin/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 2.18.3-ziti 3 | description: Run the Ziti fork of go-httpbin 4 | name: httpbin 5 | type: application 6 | version: 0.2.0 7 | -------------------------------------------------------------------------------- /charts/ziti-router/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 1.7.2 3 | description: Host an OpenZiti router in Kubernetes 4 | name: ziti-router 5 | type: application 6 | version: 1.6.1 7 | -------------------------------------------------------------------------------- /charts/reflect/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: reflect-identity-file 5 | data: 6 | reflect-server.json: {{ .Values.reflectIdentity | quote }} -------------------------------------------------------------------------------- /charts/ziti-controller/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 1.7.2 3 | description: Host an OpenZiti controller in Kubernetes 4 | name: ziti-controller 5 | type: application 
6 | version: 2.1.1 7 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | Please refer to the [openziti-security repository](https://github.com/openziti/openziti-security) for details of the security policies and processes for this repository. -------------------------------------------------------------------------------- /charts/reflect/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 0.0.4 3 | description: Deploy a pod running the Ziti-embedded version of go-httpbin, a REST API 4 | server. 5 | name: reflect 6 | type: application 7 | version: 0.3.9 8 | -------------------------------------------------------------------------------- /charts/ziti-browzer-bootstrapper/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 0.76.0 3 | description: Deploy OpenZiti BrowZer Bootstrapper as a Kubernetes Service 4 | name: ziti-browzer-bootstrapper 5 | type: application 6 | version: 0.1.1 7 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: traefik-identity-file 5 | data: 6 | {{ .Values.ports.prometheuz.identityName }}.json: {{ .Values.traefikIdentity | quote }} -------------------------------------------------------------------------------- /charts/ziti-host/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 1.7.19 3 | description: Reverse proxy cluster services with an OpenZiti tunneler pod 4 | kubeVersion: '>= 1.20.0-0' 5 | name: ziti-host 6 | type: application 7 | 
version: 1.2.1 8 | -------------------------------------------------------------------------------- /charts/traefik-charts/artifacthub-repo.yml: -------------------------------------------------------------------------------- 1 | # Artifact Hub repository metadata file. 2 | # The ID of the Artifact Hub repository where the packages will be published to (enables verified publisher). 3 | repositoryID: 5cf43a0d-3e93-4959-8973-54824aafa423 4 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/identity-migrate-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: {{ include "ziti-host.fullname" . }}-identity-migrate 5 | rules: 6 | - apiGroups: [""] 7 | resources: ["secrets"] 8 | verbs: ["get", "delete"] 9 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/identity-pvc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: {{ include "ziti-host.fullname" . 
}}-identity-pvc 5 | spec: 6 | accessModes: 7 | - ReadWriteOnce 8 | resources: 9 | requests: 10 | storage: 2Gi 11 | -------------------------------------------------------------------------------- /charts/prometheus/templates/secret-config-reloadz-ziti.id.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.ziti.enabled -}} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: configmap-reloadz-identity-secret 6 | type: Opaque 7 | data: 8 | zid: {{ .Values.configmapReload.ziti.id.contents | b64enc }} 9 | {{- end }} -------------------------------------------------------------------------------- /charts/prometheus/templates/secret-server.scrape.id.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.scrape.id -}} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: prometheus-scrape-identity-secret 6 | type: Opaque 7 | data: 8 | zid: {{ .Values.server.scrape.id.contents | b64enc }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/prometheus/templates/secret-server.ziti.id.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.ziti.enabled -}} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: prometheus-server-identity-secret 6 | type: Opaque 7 | data: 8 | zid: {{ .Values.server.ziti.id.contents | b64enc }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/gatewayclass.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.experimental.kubernetesGateway.enabled }} 2 | --- 3 | kind: GatewayClass 4 | apiVersion: networking.x-k8s.io/v1alpha1 5 | metadata: 6 | name: traefik 7 | spec: 8 | controller: traefik.io/gateway-controller 9 | {{- end }} 10 | 
-------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | All open source projects managed by OpenZiti share a common [code of conduct](https://docs.openziti.io/policies/CODE_OF_CONDUCT.html) 4 | which all contributors are expected to follow. Please be sure you read, understand and adhere to the guidelines expressed therein. 5 | -------------------------------------------------------------------------------- /charts/prometheus/templates/secret-alertmanager-config-reloadz-ziti.id.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.alertmanager.zitified -}} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: alertmanager-configmap-reloadz-ziti-identity 6 | type: Opaque 7 | data: 8 | identityFileName: {{ .Values.alertmanager.ziti.id | b64enc }} 9 | {{- end }} -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | NetFoundry welcomes any and all contributions. All open source projects managed by NetFoundry share a common 4 | [guide for contributions](https://docs.openziti.io/policies/CONTRIBUTING.html). 5 | 6 | If you are eager to contribute to a NetFoundry-managed open source project, please read that guide and act accordingly. 
7 | -------------------------------------------------------------------------------- /.github/workflows/linters.yml: -------------------------------------------------------------------------------- 1 | name: Linters 2 | 3 | on: pull_request 4 | 5 | jobs: 6 | codespell: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - name: Checkout Code 10 | uses: actions/checkout@v4 11 | with: 12 | fetch-depth: 0 13 | 14 | - name: Run code spelling check 15 | uses: codespell-project/actions-codespell@v2 16 | -------------------------------------------------------------------------------- /charts/reflect/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "reflect.serviceAccountName" . }} 6 | labels: 7 | {{- include "reflect.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "ziti-host.serviceAccountName" . }} 6 | labels: 7 | {{- include "ziti-host.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/ziti-edge-tunnel/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 1.7.13 3 | description: Dial OpenZiti services with a tunneler daemonset 4 | kubeVersion: '>= 1.20.0-0' 5 | name: ziti-edge-tunnel 6 | type: application 7 | version: 1.3.0 8 | icon: https://openziti.io/img/ziti-logo-dark.svg 9 | sources: 10 | - https://github.com/openziti/ziti-tunnel-sdk-c 11 | keywords: 12 | - openziti 13 | - coredns 14 | - node-local-dns 15 | -------------------------------------------------------------------------------- /charts/hello-toy/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "hello-openziti.serviceAccountName" . }} 6 | labels: 7 | {{- include "hello-openziti.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/ziti-edge-tunnel/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "ziti-edge-tunnel.serviceAccountName" . }} 6 | labels: 7 | {{- include "ziti-edge-tunnel.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/identity-migrate-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: {{ include "ziti-host.fullname" . }}-identity-migrate 5 | subjects: 6 | - kind: ServiceAccount 7 | name: default 8 | namespace: {{ .Release.Namespace }} 9 | roleRef: 10 | kind: Role 11 | name: {{ include "ziti-host.fullname" . }}-identity-migrate 12 | apiGroup: rbac.authorization.k8s.io 13 | -------------------------------------------------------------------------------- /charts/reflect/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "reflect.fullname" . }} 5 | labels: 6 | {{- include "reflect.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "reflect.selectorLabels" . 
| nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/tests/gatewayclass-config_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Gatewayclass configuration 2 | templates: 3 | - gatewayclass.yaml 4 | tests: 5 | - it: should have one gatewayclass with controller value traefik.io/gateway-controller 6 | set: 7 | experimental: 8 | kubernetesGateway: 9 | enabled: true 10 | asserts: 11 | - equal: 12 | path: spec.controller 13 | value: traefik.io/gateway-controller 14 | -------------------------------------------------------------------------------- /charts/prometheus/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | 23 | OWNERS 24 | -------------------------------------------------------------------------------- /charts/zrok/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/hello-toy/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/httpbin/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/reflect/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/ziti-host/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/hello-toy/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "hello-openziti.fullname" . }} 5 | labels: 6 | {{- include "hello-openziti.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "hello-openziti.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/ziti-router/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/ziti-controller/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/ziti-edge-tunnel/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/httpbin/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "httpbin.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "httpbin.labels" . 
| nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "httpbin.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /charts/reflect/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "reflect.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "reflect.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "reflect.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /charts/ziti-browzer-bootstrapper/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/zrok/templates/controller-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "zrok.fullname" . }} 5 | labels: 6 | {{- include "zrok.labelsController" . 
| nindent 4 }} 7 | spec: 8 | type: {{ .Values.controller.service.type }} 9 | ports: 10 | - port: {{ .Values.controller.service.advertisedPort }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "zrok.selectorLabelsController" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/zrok/templates/frontend-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "zrok.fullname" . }}-frontend 5 | labels: 6 | {{- include "zrok.labelsFrontend" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.frontend.service.type }} 9 | ports: 10 | - port: {{ .Values.frontend.service.advertisedPort }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "zrok.selectorLabelsFrontend" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/zrok/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "zrok.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "zrok.labelsController" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "zrok.fullname" . 
}}:{{ .Values.controller.service.advertisedPort }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.serviceAccounts.server.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | {{- include "prometheus.server.labels" . | nindent 4 }} 8 | name: {{ template "prometheus.serviceAccountName.server" . }} 9 | {{ include "prometheus.namespace" . | indent 2 }} 10 | annotations: 11 | {{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.serviceAccountName.pushgateway" . }} 8 | {{ include "prometheus.namespace" . | indent 2 }} 9 | annotations: 10 | {{ toYaml .Values.serviceAccounts.pushgateway.annotations | indent 4 }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /charts/ziti-edge-tunnel/templates/identity-pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.secret.existingSecretName }} 2 | --- 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ include "ziti-edge-tunnel.fullname" . 
}}-identity-pvc 7 | spec: 8 | accessModes: 9 | - {{ .Values.pvc.accessMode }} 10 | {{- if .Values.pvc.storageClass }} 11 | storageClassName: {{ .Values.pvc.storageClass }} 12 | {{- end }} 13 | resources: 14 | requests: 15 | storage: {{ .Values.pvc.storageSize }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.serviceAccountName.alertmanager" . }} 8 | {{ include "prometheus.namespace" . | indent 2 }} 9 | annotations: 10 | {{ toYaml .Values.serviceAccounts.alertmanager.annotations | indent 4 }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /charts/prometheus/templates/node-exporter/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} 8 | {{ include "prometheus.namespace" . 
| indent 2 }} 9 | annotations: 10 | {{ toYaml .Values.serviceAccounts.nodeExporter.annotations | indent 4 }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/tlsoption.yaml: -------------------------------------------------------------------------------- 1 | {{- range $name, $config := .Values.tlsOptions }} 2 | apiVersion: traefik.containo.us/v1alpha1 3 | kind: TLSOption 4 | metadata: 5 | name: {{ $name }} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" $ }} 8 | helm.sh/chart: {{ template "traefik.chart" $ }} 9 | app.kubernetes.io/managed-by: {{ $.Release.Service }} 10 | app.kubernetes.io/instance: {{ $.Release.Name }} 11 | spec: 12 | {{- toYaml $config | nindent 2 }} 13 | --- 14 | {{- end -}} 15 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ template "prometheus.server.fullname" . }} 6 | {{ include "prometheus.namespace" . | indent 2 }} 7 | labels: 8 | {{- include "prometheus.server.labels" . | nindent 4 }} 9 | spec: 10 | maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }} 11 | selector: 12 | matchLabels: 13 | {{- include "prometheus.server.labels" . 
| nindent 6 }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Chart dependencies 2 | /charts/**/charts 3 | # Binaries for programs and plugins 4 | *.exe 5 | *.exe~ 6 | *.dll 7 | *.so 8 | *.dylib 9 | gh-pages.zip 10 | 11 | # Test binary, build with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Outputs directories 18 | dist/ 19 | repo/ 20 | 21 | # Unit test for helm 22 | __snapshot__ 23 | 24 | .idea 25 | 26 | # Unit test for helm 27 | __snapshot__ 28 | .cr-release-packages/ 29 | .cr-index/ 30 | 31 | # top-level directory with local test data 32 | /valuestest/ 33 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pushgateway.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ template "prometheus.pushgateway.fullname" . }} 6 | {{ include "prometheus.namespace" . | indent 2 }} 7 | labels: 8 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 9 | spec: 10 | maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }} 11 | selector: 12 | matchLabels: 13 | {{- include "prometheus.pushgateway.labels" . | nindent 6 }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/pdb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.alertmanager.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ template "prometheus.alertmanager.fullname" . 
}} 6 | {{ include "prometheus.namespace" . | indent 2 }} 7 | labels: 8 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 9 | spec: 10 | maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }} 11 | selector: 12 | matchLabels: 13 | {{- include "prometheus.alertmanager.labels" . | nindent 6 }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/rbac/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.serviceAccount.name -}} 2 | kind: ServiceAccount 3 | apiVersion: v1 4 | metadata: 5 | name: {{ include "traefik.serviceAccountName" . }} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" . }} 8 | helm.sh/chart: {{ template "traefik.chart" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | annotations: 12 | {{- with .Values.serviceAccountAnnotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end -}} 16 | -------------------------------------------------------------------------------- /charts/ziti-edge-tunnel/templates/validation.yaml: -------------------------------------------------------------------------------- 1 | {{/* 2 | Validation: Ensure required identity configuration is provided for new installations 3 | */}} 4 | {{- if not .Values.secret.existingSecretName }} 5 | {{- if .Release.IsInstall }} 6 | {{- if not (or .Values.zitiIdentity .Values.zitiEnrollToken) }} 7 | {{- fail "ERROR: For new installations without an existing secret, you must supply either 'zitiIdentity' (enrolled identity JSON) or 'zitiEnrollToken' (JWT for enrollment). 
Use --set-file zitiIdentity= or --set-file zitiEnrollToken=" }} 8 | {{- end }} 9 | {{- end }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/netpol.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.networkPolicy.enabled }} 3 | apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ template "prometheus.server.fullname" . }} 7 | {{ include "prometheus.namespace" . | indent 2 }} 8 | labels: 9 | {{- include "prometheus.server.labels" . | nindent 4 }} 10 | spec: 11 | podSelector: 12 | matchLabels: 13 | {{- include "prometheus.server.matchLabels" . | nindent 6 }} 14 | ingress: 15 | - ports: 16 | - port: 9090 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/ziti-controller/templates/ca-selfsigned-issuer.yaml: -------------------------------------------------------------------------------- 1 | # generate an empty Issuer for creating root CAs unless all the controller's other PKIs are configured with an alternative issuer 2 | {{- if or (eq (len .Values.ctrlPlane.alternativeIssuer) 0) (eq (len .Values.webBindingPki.alternativeIssuer) 0) (eq (len .Values.edgeSignerPki.alternativeIssuer) 0) }} 3 | --- 4 | apiVersion: cert-manager.io/v1 5 | kind: Issuer 6 | metadata: 7 | name: {{ include "ziti-controller.fullname" . }}-selfsigned-ca-issuer 8 | labels: 9 | {{- include "ziti-controller.labels" . 
| nindent 4 }} 10 | spec: 11 | selfSigned: {} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/traefik-charts/lint/chart_schema.yaml: -------------------------------------------------------------------------------- 1 | name: str() 2 | home: str() 3 | version: str() 4 | appVersion: any(str(), num()) 5 | description: str() 6 | keywords: list(str(), required=False) 7 | sources: list(str(), required=False) 8 | maintainers: list(include('maintainer'), required=False) 9 | icon: str(required=False) 10 | engine: str(required=False) 11 | condition: str(required=False) 12 | tags: str(required=False) 13 | deprecated: bool(required=False) 14 | kubeVersion: str(required=False) 15 | annotations: map(str(), str(), required=False) 16 | --- 17 | maintainer: 18 | name: str() 19 | email: str(required=False) 20 | url: str(required=False) 21 | -------------------------------------------------------------------------------- /charts/ziti-router/ziti-router-init.python: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | sys.path.insert(0, '/tmp/kubernetes-client')  # NOTE(review): /tmp is typically writable by every local user, so a module planted there is imported ahead of any installed client library — confirm this is test-only scaffolding 5 | 6 | from kubernetes import client, config 7 | 8 | def main():  # Loads a kubeconfig, then prints type, namespace and name for each item returned by the API call below 9 | # config.load_incluster_config() 10 | config.load_kube_config() # FIXME: load config from pod after testing; load_kube_config() reads the operator's local kubeconfig, the commented-out load_incluster_config() above is the in-cluster path 11 | 12 | v1 = client.CoreV1Api() 13 | print("Listing secrets:") 14 | ret = v1.update_namespaced_secret(namespace="ziti-router", watch=False)  # NOTE(review): update_namespaced_secret is a write operation that requires name= and body= and returns a single secret, so ret.items below would not exist — listing secrets is v1.list_namespaced_secret(namespace=...) 15 | for i in ret.items: 16 | print("%s\t%s\t%s" % 17 | (i.type, i.metadata.namespace, i.metadata.name)) 18 | 19 | 20 | if __name__ == '__main__': 21 | main() 22 | -------------------------------------------------------------------------------- /charts/ziti-browzer-bootstrapper/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if .Release.IsUpgrade }} 2 | Your release {{ .Release.Name }} was upgraded. 
3 | {{ else if .Release.IsInstall }} 4 | This is the first install of release {{ .Release.Name }}. 5 | {{ else }} 6 | {{ .Chart.Name }} was neither installed nor upgraded. 7 | {{ end }} 8 | 9 | You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}. 10 | 11 | To learn more about the release, try: 12 | 13 | $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} 14 | $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} 15 | 16 | This deployment provides an OpenZiti browzer bootstrapper. 17 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.rbac.create -}} 2 | apiVersion: {{ template "rbac.apiVersion" . }} 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.pushgateway.fullname" . }} 8 | rules: 9 | {{- if .Values.podSecurityPolicy.enabled }} 10 | - apiGroups: 11 | - extensions 12 | resources: 13 | - podsecuritypolicies 14 | verbs: 15 | - use 16 | resourceNames: 17 | - {{ template "prometheus.pushgateway.fullname" . 
}} 18 | {{- else }} 19 | [] 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: traefik 3 | description: A Traefik based Kubernetes ingress controller 4 | type: application 5 | version: 0.0.4 6 | appVersion: 1.2.0 7 | keywords: 8 | - traefik 9 | - ingress 10 | home: https://traefik.io/ 11 | sources: 12 | - https://github.com/traefik/traefik 13 | - https://github.com/traefik/traefik-helm-chart 14 | maintainers: 15 | - name: emilevauge 16 | email: emile@vauge.com 17 | - name: dtomcej 18 | email: daniel.tomcej@gmail.com 19 | - name: ldez 20 | email: ldez@traefik.io 21 | icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png 22 | -------------------------------------------------------------------------------- /charts/zrok/values-ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | 2 | # minimal input values for ingress-nginx; to enable tls, add cert manager issuer annotation and tls.secretName to each ingress dict 3 | 4 | controller: 5 | ingress: 6 | enabled: true 7 | scheme: http 8 | className: nginx 9 | # annotations: 10 | # cert-manager.io/cluster-issuer: cloudflare-dns-issuer-prod 11 | # tls: 12 | # secretName: zrok-api-tls 13 | 14 | frontend: 15 | ingress: 16 | enabled: true 17 | scheme: http 18 | className: nginx 19 | # annotations: 20 | # cert-manager.io/cluster-issuer: cloudflare-dns-issuer-prod 21 | # tls: 22 | # secretName: zrok-wildcard-tls 23 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.rbac.create -}} 2 | 
apiVersion: {{ template "rbac.apiVersion" . }} 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.pushgateway.fullname" . }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "prometheus.serviceAccountName.pushgateway" . }} 11 | {{ include "prometheus.namespace" . | indent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "prometheus.pushgateway.fullname" . }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/ziti-controller/values-browzer.yaml: -------------------------------------------------------------------------------- 1 | clientApi: 2 | altDnsNames: 3 | - "" # client.ziti.example.com 4 | 5 | webBindingPki: 6 | altServerCerts: 7 | - mode: certManager 8 | secretName: ziti-controller-alt-server-cert1 9 | dnsNames: 10 | # ensure the DNS SAN matches altDnsNames 11 | - "{{ .Values.clientApi.altDnsNames[0] }}" 12 | issuerRef: 13 | group: cert-manager.io 14 | # ClusterIssuer or Issuer 15 | kind: ClusterIssuer 16 | # some cert-manager issuer that can solve ACME challenges for the requested DNS SAN 17 | name: cloudflare-dns01-issuer-prod 18 | mountPath: /etc/ziti/ziti-controller-alt-server-cert1 19 | -------------------------------------------------------------------------------- /charts/ziti-router/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if .Release.IsUpgrade }} 2 | Your release {{ .Release.Name }} was upgraded. 3 | {{ else if .Release.IsInstall }} 4 | This is the first install of release {{ .Release.Name }}. 5 | {{ else }} 6 | {{ .Chart.Name }} was neither installed nor upgraded. 7 | {{ end }} 8 | 9 | You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}. 
10 | 11 | To learn more about the release, try: 12 | 13 | $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} 14 | $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} 15 | 16 | This deployment provides an OpenZiti router to accept/forward communication data within an OpenZiti overlay network. 17 | -------------------------------------------------------------------------------- /charts/httpbin/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{ if or (.Values.zitiIdentity) (.Values.zitiIdentityEncoding) }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ include "httpbin.fullname" . }}-identity 7 | type: Opaque 8 | data: 9 | {{- if .Values.zitiIdentityEncoding }} 10 | ziti_identity_json: {{ .Values.zitiIdentityEncoding }} 11 | {{- else }} 12 | ziti_identity_json: {{ .Values.zitiIdentity | b64enc }} 13 | {{- end }} 14 | {{- end }} 15 | 16 | {{- if .Values.zitiEnrollment }} 17 | --- 18 | apiVersion: v1 19 | kind: Secret 20 | metadata: 21 | name: {{ include "httpbin.fullname" . 
}}-enrollment 22 | data: 23 | ziti_enrollment_jwt: {{ .Values.zitiEnrollment | b64enc }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /.github/workflows/helm-docs.yml: -------------------------------------------------------------------------------- 1 | name: Generate Helm docs 2 | on: 3 | push: 4 | branches: 5 | - '**' 6 | tags-ignore: 7 | - '**' 8 | workflow_dispatch: 9 | jobs: 10 | docs: 11 | permissions: 12 | contents: write 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/checkout@v4 16 | with: 17 | ref: ${{ github.event.pull_request.head.ref }} 18 | 19 | - name: Render helm docs inside the README.md and push changes back to branch 20 | uses: netfoundry/helm-docs-action@v1 21 | with: 22 | # recursively generate README.md for all charts in comma-sep list of 23 | # parent dirs 24 | search-roots: charts 25 | git-push: "true" 26 | -------------------------------------------------------------------------------- /charts/prometheus/templates/node-exporter/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeExporter.enabled .Values.rbac.create }} 2 | {{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }} 3 | apiVersion: {{ template "rbac.apiVersion" . }} 4 | kind: Role 5 | metadata: 6 | name: {{ template "prometheus.nodeExporter.fullname" . }} 7 | labels: 8 | {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} 9 | {{ include "prometheus.namespace" . | indent 2 }} 10 | rules: 11 | - apiGroups: ['extensions'] 12 | resources: ['podsecuritypolicies'] 13 | verbs: ['use'] 14 | resourceNames: 15 | - {{ template "prometheus.nodeExporter.fullname" . 
}} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.namespaces) (empty .Values.server.useExistingClusterRoleName) -}} 2 | apiVersion: {{ template "rbac.apiVersion" . }} 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | {{- include "prometheus.server.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.server.fullname" . }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "prometheus.serviceAccountName.server" . }} 11 | {{ include "prometheus.namespace" . | indent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "prometheus.server.fullname" . }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /.github/release.yml: -------------------------------------------------------------------------------- 1 | # .github/release.yml 2 | 3 | changelog: 4 | exclude: 5 | labels: 6 | - notes:ignore 7 | categories: 8 | - title: Controller Changes 9 | labels: 10 | - notes:ziti-controller 11 | - title: Router Changes 12 | labels: 13 | - notes:ziti-router 14 | - title: Tunneler Daemonset Changes 15 | labels: 16 | - notes:ziti-edge-tunnel 17 | - title: Hosting Pod Changes 18 | labels: 19 | - notes:ziti-host 20 | - title: zrok Changes 21 | labels: 22 | - notes:zrok 23 | - title: BrowZer Bootstrapper Changes 24 | labels: 25 | - notes:ziti-browzer-bootstrapper 26 | - title: Other Changes 27 | labels: 28 | - "*" 29 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and 
.Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole (not .Values.alertmanager.useExistingRole) -}} 2 | apiVersion: {{ template "rbac.apiVersion" . }} 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.alertmanager.fullname" . }} 8 | rules: 9 | {{- if .Values.podSecurityPolicy.enabled }} 10 | - apiGroups: 11 | - extensions 12 | resources: 13 | - podsecuritypolicies 14 | verbs: 15 | - use 16 | resourceNames: 17 | - {{ template "prometheus.alertmanager.fullname" . }} 18 | {{- else }} 19 | [] 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/ziti-controller/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if .Release.IsUpgrade }} 2 | Your release {{ .Release.Name }} was upgraded. 3 | {{ else if .Release.IsInstall }} 4 | This is the first install of release {{ .Release.Name }}. 5 | {{ else }} 6 | {{ .Chart.Name }} was neither installed nor upgraded. 7 | {{ end }} 8 | 9 | You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}. 10 | 11 | To learn more about the release, try: 12 | 13 | $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} 14 | $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} 15 | 16 | This deployment provides an OpenZiti controller to manage an OpenZiti network. 17 | 18 | Visit the console in a web browser: {{ include "ziti-controller.console" . 
}} 19 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/cm.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.alertmanager.fullname" . }} 8 | {{ include "prometheus.namespace" . | indent 2 }} 9 | data: 10 | {{- $root := . -}} 11 | {{- range $key, $value := .Values.alertmanagerFiles }} 12 | {{- if $key | regexMatch ".*\\.ya?ml$" }} 13 | {{ $key }}: | 14 | {{ toYaml $value | default "{}" | indent 4 }} 15 | {{- else }} 16 | {{ $key }}: {{ toYaml $value | indent 4 }} 17 | {{- end }} 18 | {{- end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/netpol.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}} 2 | apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} 3 | kind: NetworkPolicy 4 | metadata: 5 | name: {{ template "prometheus.pushgateway.fullname" . }} 6 | {{ include "prometheus.namespace" . | indent 2 }} 7 | labels: 8 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 9 | spec: 10 | podSelector: 11 | matchLabels: 12 | {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} 13 | ingress: 14 | - from: 15 | - podSelector: 16 | matchLabels: 17 | {{- include "prometheus.server.matchLabels" . 
| nindent 12 }} 18 | - ports: 19 | - port: 9091 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/netpol.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}} 2 | apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} 3 | kind: NetworkPolicy 4 | metadata: 5 | name: {{ template "prometheus.alertmanager.fullname" . }} 6 | {{ include "prometheus.namespace" . | indent 2 }} 7 | labels: 8 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 9 | spec: 10 | podSelector: 11 | matchLabels: 12 | {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} 13 | ingress: 14 | - from: 15 | - podSelector: 16 | matchLabels: 17 | {{- include "prometheus.server.matchLabels" . | nindent 12 }} 18 | - ports: 19 | - port: 9093 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/rbac/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "traefik.fullname" . }} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" . }} 8 | helm.sh/chart: {{ template "traefik.chart" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: Role 14 | name: {{ template "traefik.fullname" . }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ include "traefik.serviceAccountName" . 
}} 18 | namespace: {{ .Release.Namespace }} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/prometheus/templates/node-exporter/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeExporter.enabled .Values.rbac.create }} 2 | {{- if .Values.podSecurityPolicy.enabled }} 3 | apiVersion: {{ template "rbac.apiVersion" . }} 4 | kind: RoleBinding 5 | metadata: 6 | name: {{ template "prometheus.nodeExporter.fullname" . }} 7 | labels: 8 | {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} 9 | {{ include "prometheus.namespace" . | indent 2 }} 10 | roleRef: 11 | kind: Role 12 | name: {{ template "prometheus.nodeExporter.fullname" . }} 13 | apiGroup: rbac.authorization.k8s.io 14 | subjects: 15 | - kind: ServiceAccount 16 | name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} 17 | {{ include "prometheus.namespace" . | indent 2 }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ template "traefik.fullname" . }} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" . }} 8 | helm.sh/chart: {{ template "traefik.chart" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | spec: 12 | scaleTargetRef: 13 | apiVersion: apps/v1 14 | kind: Deployment 15 | name: {{ template "traefik.fullname" . 
}} 16 | minReplicas: {{ .Values.autoscaling.minReplicas }} 17 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 18 | metrics: 19 | {{ toYaml .Values.autoscaling.metrics | indent 4 }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/rbac/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "traefik.fullname" . }} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" . }} 8 | helm.sh/chart: {{ template "traefik.chart" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ template "traefik.fullname" . }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ include "traefik.serviceAccountName" . }} 18 | namespace: {{ .Release.Namespace }} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.server.enabled .Values.rbac.create .Values.server.useExistingClusterRoleName .Values.server.namespaces -}} 2 | {{ range $.Values.server.namespaces -}} 3 | --- 4 | apiVersion: {{ template "rbac.apiVersion" $ }} 5 | kind: RoleBinding 6 | metadata: 7 | labels: 8 | {{- include "prometheus.server.labels" $ | nindent 4 }} 9 | name: {{ template "prometheus.server.fullname" $ }} 10 | namespace: {{ . 
}} 11 | subjects: 12 | - kind: ServiceAccount 13 | name: {{ template "prometheus.serviceAccountName.server" $ }} 14 | {{ include "prometheus.namespace" $ | indent 4 }} 15 | roleRef: 16 | apiGroup: rbac.authorization.k8s.io 17 | kind: ClusterRole 18 | name: {{ $.Values.server.useExistingClusterRoleName }} 19 | {{ end -}} 20 | {{ end -}} 21 | -------------------------------------------------------------------------------- /charts/ziti-controller/values-ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | 2 | clientApi: 3 | service: 4 | enabled: true 5 | type: ClusterIP 6 | ingress: 7 | enabled: true 8 | ingressClassName: nginx 9 | annotations: 10 | kubernetes.io/ingress.allow-http: "false" 11 | nginx.ingress.kubernetes.io/ssl-passthrough: "true" 12 | 13 | # the ctrl plane shares a TLS listener with the client API by default; these values override the defaults and configure a separate 14 | # ingress for the ctrl plane for backward compatibility with existing router deployments 15 | ctrlPlane: 16 | service: 17 | enabled: true 18 | type: ClusterIP 19 | ingress: 20 | enabled: true 21 | ingressClassName: nginx 22 | annotations: 23 | kubernetes.io/ingress.allow-http: "false" 24 | nginx.ingress.kubernetes.io/ssl-passthrough: "true" 25 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) (not .Values.alertmanager.useExistingRole) -}} 2 | {{- range $.Values.alertmanager.namespaces }} 3 | apiVersion: {{ template "rbac.apiVersion" . }} 4 | kind: Role 5 | metadata: 6 | labels: 7 | {{- include "prometheus.alertmanager.labels" $ | nindent 4 }} 8 | name: {{ template "prometheus.alertmanager.fullname" $ }} 9 | namespace: {{ . 
}} 10 | rules: 11 | {{- if $.Values.podSecurityPolicy.enabled }} 12 | - apiGroups: 13 | - extensions 14 | resources: 15 | - podsecuritypolicies 16 | verbs: 17 | - use 18 | resourceNames: 19 | - {{ template "prometheus.alertmanager.fullname" $ }} 20 | {{- else }} 21 | [] 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/zrok/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ include "zrok.serviceAccountName" . }} 5 | namespace: {{ .Release.Namespace }} 6 | 7 | --- 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: Role 10 | metadata: 11 | name: {{ include "zrok.fullname" . }}-role 12 | rules: 13 | - apiGroups: [""] 14 | resources: ["secrets"] 15 | verbs: ["get", "create", "delete"] 16 | 17 | --- 18 | apiVersion: rbac.authorization.k8s.io/v1 19 | kind: RoleBinding 20 | metadata: 21 | name: {{ include "zrok.fullname" . }}-rolebinding 22 | roleRef: 23 | apiGroup: rbac.authorization.k8s.io 24 | kind: Role 25 | name: {{ include "zrok.fullname" . }}-role 26 | subjects: 27 | - kind: ServiceAccount 28 | name: {{ include "zrok.serviceAccountName" . }} 29 | namespace: {{ .Release.Namespace }} 30 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole -}} 2 | apiVersion: {{ template "rbac.apiVersion" . }} 3 | kind: ClusterRoleBinding 4 | metadata: 5 | labels: 6 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.alertmanager.fullname" . 
}} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: {{ template "prometheus.serviceAccountName.alertmanager" . }} 11 | {{ include "prometheus.namespace" . | indent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | {{- if (not .Values.alertmanager.useExistingRole) }} 16 | name: {{ template "prometheus.alertmanager.fullname" . }} 17 | {{- else }} 18 | name: {{ .Values.alertmanager.useExistingRole }} 19 | {{- end }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/ziti-router/values-browzer.yaml: -------------------------------------------------------------------------------- 1 | edge: 2 | additionalListeners: 3 | - name: "" # router1-wss 4 | protocol: wss 5 | containerPort: 3023 6 | advertisedHost: "" # router1.ziti.example.com 7 | advertisedPort: 443 8 | service: 9 | enabled: true 10 | type: ClusterIP 11 | ingress: 12 | enabled: true 13 | annotations: {} # annotate as per ingress controller to enable ssl passthrough 14 | ingressClassName: "" 15 | 16 | identity: 17 | altServerCerts: 18 | - mode: certManager 19 | secretName: ziti-router-alt-server-cert1 20 | additionalListenerName: "" # router1-wss 21 | mountPath: /etc/ziti/ziti-router-alt-server-cert1 22 | issuerRef: 23 | group: cert-manager.io 24 | kind: ClusterIssuer # ClusterIssuer or Issuer 25 | name: "" # cloudflare-dns01-issuer-prod 26 | -------------------------------------------------------------------------------- /.github/workflows/bump-version.yml: -------------------------------------------------------------------------------- 1 | name: Bump Changed Charts' Versions 2 | on: 3 | pull_request: 4 | types: 5 | - opened 6 | workflow_dispatch: 7 | jobs: 8 | chart-version-checker: 9 | strategy: 10 | matrix: 11 | charts: 12 | - hello-toy 13 | - httpbin 14 | - reflect 15 | - ziti-controller 16 | - ziti-edge-tunnel 17 | - ziti-host 18 | - ziti-router 19 | - zrok 20 | - ziti-browzer-bootstrapper 21 | runs-on: 
ubuntu-latest 22 | steps: 23 | - name: Bump Chart Versions if Changed 24 | id: bumper 25 | uses: netfoundry/chart-version-bumper-action@main 26 | with: 27 | chart_dir: ./charts/${{ matrix.charts }} 28 | 29 | # grant write permission to GITHUB_TOKEN for version bumper to push commits to current branch 30 | permissions: 31 | contents: write 32 | -------------------------------------------------------------------------------- /charts/prometheus/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: prometheus 3 | appVersion: 0.0.13 4 | version: 0.0.11 5 | description: Prometheus is a monitoring system and time series database. 6 | home: https://prometheus.io/ 7 | icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png 8 | sources: 9 | - https://github.com/prometheus/alertmanager 10 | - https://github.com/prometheus/prometheus 11 | - https://github.com/prometheus/pushgateway 12 | - https://github.com/prometheus/node_exporter 13 | - https://github.com/kubernetes/kube-state-metrics 14 | maintainers: 15 | - name: OpenZiti 16 | email: help.openziti.org 17 | engine: gotpl 18 | type: application 19 | dependencies: 20 | - name: kube-state-metrics 21 | version: "4.0.*" 22 | repository: https://prometheus-community.github.io/helm-charts 23 | condition: kubeStateMetrics.enabled 24 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) -}} 2 | {{ range $.Values.alertmanager.namespaces }} 3 | apiVersion: {{ template "rbac.apiVersion" . 
}} 4 | kind: RoleBinding 5 | metadata: 6 | labels: 7 | {{- include "prometheus.alertmanager.labels" $ | nindent 4 }} 8 | name: {{ template "prometheus.alertmanager.fullname" $ }} 9 | namespace: {{ . }} 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ template "prometheus.serviceAccountName.alertmanager" $ }} 13 | {{ include "prometheus.namespace" $ | indent 4 }} 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: Role 17 | {{- if (not $.Values.alertmanager.useExistingRole) }} 18 | name: {{ template "prometheus.alertmanager.fullname" $ }} 19 | {{- else }} 20 | name: {{ $.Values.alertmanager.useExistingRole }} 21 | {{- end }} 22 | {{- end }} 23 | {{ end }} 24 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget.enabled -}} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ template "traefik.fullname" . }} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" . }} 8 | helm.sh/chart: {{ template "traefik.chart" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | spec: 12 | selector: 13 | matchLabels: 14 | app.kubernetes.io/name: {{ template "traefik.name" . 
}} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | {{- if .Values.podDisruptionBudget.minAvailable }} 17 | minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} 18 | {{- end }} 19 | {{- if .Values.podDisruptionBudget.maxUnavailable }} 20 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 21 | {{- end }} 22 | {{- end -}} 23 | -------------------------------------------------------------------------------- /charts/ziti-router/examples/scenario-1-dynamic.yaml: -------------------------------------------------------------------------------- 1 | # Scenario: Dynamic Proxy Mode 2 | # Test: Dynamic port allocation - httpbin-service should bind to port 2171 automatically 3 | # Expected: Headless service, no static port definitions 4 | 5 | ctrl: 6 | endpoint: ziti-controller-client.miniziti.svc:443 7 | 8 | edge: 9 | advertisedHost: "" 10 | advertisedPort: 443 11 | service: 12 | enabled: false 13 | 14 | linkListeners: 15 | transport: 16 | enabled: false 17 | service: 18 | enabled: false 19 | 20 | tunnel: 21 | mode: proxy 22 | proxyServices: [] 23 | proxyDefaultK8sService: 24 | enabled: true 25 | type: ClusterIP 26 | 27 | # Expected K8s Resources: 28 | # - Headless Service: ziti-router1-proxy-default (clusterIP: None, ports: []) 29 | # - Service resolves to pod IP 30 | # - httpbin-service binds dynamically to pod IP:2171 31 | # 32 | # Test with: wgetter-dynamic.yaml 33 | # Target: ziti-router1-proxy-default.kentest.svc:2171 34 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/vpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pushgateway.enabled -}} 2 | {{- if .Values.pushgateway.verticalAutoscaler.enabled -}} 3 | apiVersion: autoscaling.k8s.io/v1beta2 4 | kind: VerticalPodAutoscaler 5 | metadata: 6 | labels: 7 | {{- include "prometheus.pushgateway.labels" . 
| nindent 4 }} 8 | name: {{ template "prometheus.pushgateway.fullname" . }}-vpa 9 | {{ include "prometheus.namespace" . | indent 2 }} 10 | spec: 11 | targetRef: 12 | apiVersion: "apps/v1" 13 | kind: Deployment 14 | name: {{ template "prometheus.pushgateway.fullname" . }} 15 | updatePolicy: 16 | updateMode: {{ .Values.pushgateway.verticalAutoscaler.updateMode | default "Off" | quote }} 17 | resourcePolicy: 18 | containerPolicies: {{ .Values.pushgateway.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} 19 | {{- end -}} {{/* if .Values.pushgateway.verticalAutoscaler.enabled */}} 20 | {{- end -}} {{/* .Values.pushgateway.enabled */}} 21 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ template "traefik.fullname" . }} 6 | annotations: 7 | {{- with .Values.persistence.annotations }} 8 | {{ toYaml . | nindent 4 }} 9 | {{- end }} 10 | helm.sh/resource-policy: keep 11 | labels: 12 | app.kubernetes.io/name: {{ template "traefik.name" . }} 13 | helm.sh/chart: {{ template "traefik.chart" . 
}} 14 | app.kubernetes.io/managed-by: {{ .Release.Service }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | spec: 17 | accessModes: 18 | - {{ .Values.persistence.accessMode | quote }} 19 | resources: 20 | requests: 21 | storage: {{ .Values.persistence.size | quote }} 22 | {{- if .Values.persistence.storageClass }} 23 | storageClassName: {{ .Values.persistence.storageClass | quote }} 24 | {{- end }} 25 | {{- end -}} 26 | 27 | -------------------------------------------------------------------------------- /charts/ziti-browzer-bootstrapper/values-browzer.yaml: -------------------------------------------------------------------------------- 1 | zitiBrowzer: 2 | bootstrapper: 3 | loadBalancer: 4 | host: "" # browzer.ziti.example.com 5 | port: 443 6 | scheme: http 7 | targets: 8 | - vhost: "" # httpbin.ziti.example.com 9 | service: "" # httpbin-service 10 | path: / 11 | scheme: http 12 | idp_issuer_base_url: "" # https://dev-3doprsvtymjqimsq.us.auth0.com 13 | idp_client_id: "" # pbBJJAamodtkhAAfsBI0fsTzEn4w0raE 14 | controller: 15 | host: "" # client.ziti.example.com 16 | port: 443 17 | runtime: 18 | originTrailToken: "" # 19 | 20 | ingress: 21 | tlsSecret: "" # ziti-browzer-tls 22 | ingressClassName: "" # nginx 23 | # annotate to bind a publicly trusted ingress cert and use plain HTTP for upstream requests 24 | # to the target service 25 | annotations: {} 26 | # cert-manager.io/cluster-issuer: "" # cloudflare-dns01-issuer-prod 27 | # nginx.ingress.kubernetes.io/backend-protocol: "HTTP" 28 | -------------------------------------------------------------------------------- /charts/traefik-charts/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guide 2 | 3 | This Helm Chart accepts contributions from GitHub pull requests. 4 | You can find help in this document to get your contribution accepted. 
5 | 6 | ## Helm Chart Guidelines 7 | 8 | Please read the [Helm Chart Guidelines](./traefik/Guidelines.md) before editing this chart. 9 | 10 | ## Testing 11 | 12 | Please read the [testing guidelines](./TESTING.md) to learn how testing is done with this chart. 13 | 14 | ## Guidelines 15 | 16 | According to the Traefik HelmChart [philosophy](./README.md#philosophy), 17 | the guidelines for future evolutions are: 18 | 19 | * fix bugs 20 | * improve security 21 | * improve HelmChart support 22 | * improve Kubernetes feature support 23 | * improve Traefik default configuration 24 | 25 | While encouraging contributions, the philosophy leads us to avoid introducing: 26 | 27 | * specific use cases 28 | * third-party CRDs 29 | * dashboard exposure tuning 30 | * helm chart variables that shortcut or expose static or dynamic Traefik configuration -------------------------------------------------------------------------------- /charts/prometheus/templates/server/vpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.server.verticalAutoscaler.enabled -}} 3 | apiVersion: autoscaling.k8s.io/v1beta2 4 | kind: VerticalPodAutoscaler 5 | metadata: 6 | labels: 7 | {{- include "prometheus.server.labels" . | nindent 4 }} 8 | name: {{ template "prometheus.server.fullname" . }}-vpa 9 | {{ include "prometheus.namespace" . | indent 2 }} 10 | spec: 11 | targetRef: 12 | apiVersion: "apps/v1" 13 | {{- if .Values.server.statefulSet.enabled }} 14 | kind: StatefulSet 15 | {{- else }} 16 | kind: Deployment 17 | {{- end }} 18 | name: {{ template "prometheus.server.fullname" . 
}} 19 | updatePolicy: 20 | updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }} 21 | resourcePolicy: 22 | containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} 23 | {{- end -}} {{/* if .Values.server.verticalAutoscaler.enabled */}} 24 | {{- end -}} {{/* .Values.server.enabled */}} 25 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/dashboard-hook-ingressroute.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingressRoute.dashboard.enabled -}} 2 | apiVersion: traefik.containo.us/v1alpha1 3 | kind: IngressRoute 4 | metadata: 5 | name: {{ template "traefik.fullname" . }}-dashboard 6 | annotations: 7 | helm.sh/hook: "post-install,post-upgrade" 8 | {{- with .Values.ingressRoute.dashboard.annotations }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | labels: 12 | app.kubernetes.io/name: {{ template "traefik.name" . }} 13 | helm.sh/chart: {{ template "traefik.chart" . }} 14 | app.kubernetes.io/managed-by: {{ .Release.Service }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | {{- with .Values.ingressRoute.dashboard.labels }} 17 | {{- toYaml . 
| nindent 4 }} 18 | {{- end }} 19 | spec: 20 | entryPoints: 21 | - traefik 22 | routes: 23 | - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) 24 | kind: Rule 25 | services: 26 | - name: api@internal 27 | kind: TraefikService 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/ziti-router/examples/scenario-2-single-default.yaml: -------------------------------------------------------------------------------- 1 | # Scenario: Single Service on Default 2 | # Test: Static port mapping for httpbin-service 3 | # Expected: Regular ClusterIP service with port 2171 4 | 5 | ctrl: 6 | endpoint: ziti-controller-client.miniziti.svc:443 7 | 8 | edge: 9 | advertisedHost: "" 10 | advertisedPort: 443 11 | service: 12 | enabled: false 13 | 14 | linkListeners: 15 | transport: 16 | enabled: false 17 | service: 18 | enabled: false 19 | 20 | tunnel: 21 | mode: proxy 22 | proxyServices: 23 | - zitiService: httpbin-service 24 | advertisedPort: 2172 25 | containerPort: 2172 26 | proxyDefaultK8sService: 27 | enabled: true 28 | type: ClusterIP 29 | 30 | # Expected K8s Resources: 31 | # - ClusterIP Service: ziti-router1-proxy-default 32 | # - port: 2172 -> targetPort: 2172 33 | # 34 | # Expected Router Config: 35 | # services: 36 | # - "httpbin-service:2172" 37 | # 38 | # Test with: wgetter-single-default.yaml 39 | # Target: ziti-router1-proxy-default.kentest.svc:2172 40 | -------------------------------------------------------------------------------- /charts/zrok/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "zrok.fullname" . }} 6 | labels: 7 | {{- include "zrok.labelsController" . | nindent 4 }} 8 | spec: 9 | scaleTargetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: {{ include "zrok.fullname" . 
}} 13 | minReplicas: {{ .Values.autoscaling.minReplicas }} 14 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 15 | metrics: 16 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 21 | {{- end }} 22 | {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} 23 | - type: Resource 24 | resource: 25 | name: memory 26 | targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/httpbin/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "httpbin.fullname" . }} 6 | labels: 7 | {{- include "httpbin.labels" . | nindent 4 }} 8 | spec: 9 | scaleTargetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: {{ include "httpbin.fullname" . 
}} 13 | minReplicas: {{ .Values.autoscaling.minReplicas }} 14 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 15 | metrics: 16 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 21 | {{- end }} 22 | {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} 23 | - type: Resource 24 | resource: 25 | name: memory 26 | targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/reflect/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "reflect.fullname" . }} 6 | labels: 7 | {{- include "reflect.labels" . | nindent 4 }} 8 | spec: 9 | scaleTargetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: {{ include "reflect.fullname" . 
}} 13 | minReplicas: {{ .Values.autoscaling.minReplicas }} 14 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 15 | metrics: 16 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 21 | {{- end }} 22 | {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} 23 | - type: Resource 24 | resource: 25 | name: memory 26 | targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/ziti-router/values-ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | 2 | ctrl: 3 | # DNS name:port of the Ziti "ctrl" server, i.e., the router control plane 4 | endpoint: # ziti-controller-ctrl.ziti-controller.svc:443 5 | 6 | # 7 | ## services and ingresses 8 | # 9 | 10 | edge: 11 | # DNS name edge clients and other routers will use to reach this router 12 | advertisedHost: # router1.zitik8s 13 | # TCP port to pair with advertisedHost 14 | advertisedPort: 443 15 | service: 16 | enabled: true 17 | type: ClusterIP 18 | ingress: 19 | enabled: true 20 | ingressClassName: nginx 21 | annotations: 22 | kubernetes.io/ingress.allow-http: "false" 23 | nginx.ingress.kubernetes.io/ssl-passthrough: "true" 24 | linkListeners: 25 | transport: 26 | advertisedPort: 443 27 | service: 28 | enabled: true 29 | type: ClusterIP 30 | ingress: 31 | enabled: true 32 | ingressClassName: nginx 33 | annotations: 34 | kubernetes.io/ingress.allow-http: "false" 35 | nginx.ingress.kubernetes.io/ssl-passthrough: "true" 36 | -------------------------------------------------------------------------------- /charts/httpbin/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: 
ServiceAccount 4 | metadata: 5 | name: {{ include "httpbin.fullname" . }}-hook-serviceaccount 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "httpbin.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | 14 | --- 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | kind: Role 17 | metadata: 18 | name: {{ include "httpbin.fullname" . }}-hook-role 19 | rules: 20 | - apiGroups: [""] 21 | resources: ["secrets"] 22 | verbs: ["get", "create", "delete"] 23 | 24 | --- 25 | apiVersion: rbac.authorization.k8s.io/v1 26 | kind: RoleBinding 27 | metadata: 28 | name: {{ include "httpbin.fullname" . }}-hook-rolebinding 29 | roleRef: 30 | apiGroup: rbac.authorization.k8s.io 31 | kind: Role 32 | name: {{ include "httpbin.fullname" . }}-hook-role 33 | subjects: 34 | - kind: ServiceAccount 35 | name: {{ include "httpbin.fullname" . }}-hook-serviceaccount 36 | namespace: {{ .Release.Namespace }} 37 | -------------------------------------------------------------------------------- /charts/ziti-router/templates/alt-certificate.yaml: -------------------------------------------------------------------------------- 1 | # openziti-helm-charts/charts/ziti-router/templates/alt-certificate.yaml 2 | {{- if gt (len $.Values.identity.altServerCerts) 0 -}} 3 | {{- $root := . 
}} 4 | {{- $values := $.Values }} 5 | {{- $certs := ((include "ziti-router.getCertManagerAltServerCerts" $values.identity.altServerCerts) | fromJson).certManagerCerts -}} 6 | 7 | {{- if gt (len $certs) 0 }} 8 | {{- range $index, $cert := $certs }} 9 | --- 10 | apiVersion: cert-manager.io/v1 11 | kind: Certificate 12 | metadata: 13 | name: {{ printf "%s-alt-cert-%d" (include "ziti-router.fullname" $root) $index }} 14 | namespace: {{ $root.Release.Namespace }} 15 | spec: 16 | secretName: {{ $cert.secretName | quote }} 17 | issuerRef: 18 | {{- toYaml $cert.issuerRef | nindent 4 }} 19 | dnsNames: 20 | - {{ (include "ziti-router.lookupAltServerCertHost" (dict "additionalListenerName" $cert.additionalListenerName "additionalListeners" $values.edge.additionalListeners)) | quote }} 21 | usages: 22 | - digital signature 23 | - key encipherment 24 | - server auth 25 | {{- end }} 26 | {{- end }} 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if .Release.IsUpgrade }} 2 | Your release {{ .Release.Name }} was upgraded. 3 | {{ else if .Release.IsInstall }} 4 | This is the first install of release {{ .Release.Name }}. 5 | {{ else }} 6 | {{ .Chart.Name }} was neither installed nor upgraded. 7 | {{ end }} 8 | 9 | You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}. 10 | 11 | To learn more about the release, try: 12 | 13 | $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} 14 | $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} 15 | 16 | This deployment provides an OpenZiti tunneler pod to which you may bind OpenZiti Services to provide cluster ingress to those cluster services. 17 | 18 | To bind a service to this tunneler you must create a Bind Service Policy matching the role of a service to the role of the identity you used to install this chart. 
19 | 20 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "ziti-host.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 21 | -------------------------------------------------------------------------------- /charts/reflect/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | 2 | {{ template "chart.header" . }} 3 | {{ template "chart.deprecationWarning" . }} 4 | 5 | {{ template "chart.badgesSection" . }} 6 | 7 | {{ template "chart.description" . }} 8 | 9 | {{ template "chart.homepageLine" . }} 10 | 11 | {{ template "chart.maintainersSection" . }} 12 | 13 | {{ template "chart.sourcesSection" . }} 14 | 15 | {{ template "chart.requirementsSection" . }} 16 | 17 | This chart provides a simple byte echoing server for demos and testing Ziti. You may read more about how this app can be used in [the PrometheuZ tutorial](https://docs.openziti.io/blog/zitification/prometheus/part2/#deploy-reflectz-1). 18 | 19 | ```bash 20 | helm install reflectz openziti-test-kitchen/reflect \ 21 | --set-file reflectIdentity="/tmp/prometheus/kubeB.reflect.id.json" \ 22 | --set serviceName="kubeB.reflect.svc" \ 23 | --set prometheusServiceName="kubeB.reflect.scrape.svc" 24 | ``` 25 | 26 | ## Values Reference 27 | 28 | {{ template "chart.valuesTable" . }} 29 | 30 | 31 | -------------------------------------------------------------------------------- /charts/ziti-router/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ include "ziti-router.fullname" . }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "ziti-router.labels" . 
| nindent 4 }} 9 | app.kubernetes.io/component: "ziti-router" 10 | {{- if .Values.persistence.annotations }} 11 | {{ toYaml .Values.persistence.annotations | trimSuffix "\n" | indent 4 }} 12 | {{- end }} 13 | spec: 14 | accessModes: 15 | - {{ .Values.persistence.accessMode | quote }} 16 | resources: 17 | requests: 18 | storage: {{ .Values.persistence.size | quote }} 19 | 20 | {{- if .Values.persistence.storageClass }} 21 | {{- if or (eq "-" .Values.persistence.storageClass) (eq "" .Values.persistence.storageClass) }} 22 | storageClassName: "" 23 | {{- else }} 24 | storageClassName: "{{ .Values.persistence.storageClass }}" 25 | {{- end }} 26 | {{- end }} 27 | {{- if .Values.persistence.VolumeName }} 28 | volumeName: "{{ .Values.persistence.volumeName }}" 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /charts/zrok/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.controller.persistence.enabled (not .Values.controller.persistence.existingClaim) }} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ include "zrok.fullname" . }}-persistence 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "zrok.labelsController" . 
| nindent 4 }} 9 | app.kubernetes.io/component: "zrok" 10 | {{- if .Values.controller.persistence.annotations }} 11 | annotations: 12 | {{ toYaml .Values.controller.persistence.annotations | trimSuffix "\n" | indent 4 }} 13 | {{- end }} 14 | spec: 15 | accessModes: 16 | - {{ .Values.controller.persistence.accessMode | quote }} 17 | resources: 18 | requests: 19 | storage: {{ .Values.controller.persistence.size | quote }} 20 | 21 | {{- if .Values.controller.persistence.storageClass }} 22 | {{- if or (eq "-" .Values.controller.persistence.storageClass) (eq "" .Values.controller.persistence.storageClass) }} 23 | storageClassName: "" 24 | {{- else }} 25 | storageClassName: "{{ .Values.controller.persistence.storageClass }}" 26 | {{- end }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/gateway.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.experimental.kubernetesGateway.enabled }} 2 | --- 3 | apiVersion: networking.x-k8s.io/v1alpha1 4 | kind: Gateway 5 | metadata: 6 | name: traefik-gateway 7 | namespace: {{ default .Release.Namespace .Values.experimental.kubernetesGateway.namespace }} 8 | spec: 9 | gatewayClassName: traefik 10 | listeners: 11 | - port: {{ .Values.ports.web.port }} 12 | protocol: HTTP 13 | routes: 14 | kind: HTTPRoute 15 | selector: 16 | matchLabels: 17 | app: {{ .Values.experimental.kubernetesGateway.appLabelSelector }} 18 | 19 | {{- range $index, $cert:= .Values.experimental.kubernetesGateway.certificates }} 20 | - port: {{ $.Values.ports.websecure.port }} 21 | protocol: HTTPS 22 | tls: 23 | certificateRef: 24 | name: {{ $cert.name }} 25 | group: {{ $cert.group }} 26 | kind: {{ $cert.kind }} 27 | routes: 28 | kind: HTTPRoute 29 | selector: 30 | matchLabels: 31 | app: {{ $.Values.experimental.kubernetesGateway.appLabelSelector }} 32 | {{- end }} 33 | {{- end }} 34 | 
-------------------------------------------------------------------------------- /charts/httpbin/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | 2 | 3 | {{ template "chart.header" . }} 4 | {{ template "chart.deprecationWarning" . }} 5 | 6 | {{ template "chart.badgesSection" . }} 7 | 8 | {{ template "chart.description" . }} 9 | 10 | {{ template "chart.homepageLine" . }} 11 | 12 | {{ template "chart.maintainersSection" . }} 13 | 14 | {{ template "chart.sourcesSection" . }} 15 | 16 | {{ template "chart.requirementsSection" . }} 17 | 18 | This chart deploys a pod running the Ziti-embedded version of go-httpbin, a REST API server. 19 | 20 | Install with an enrollment token to generate a private key in-place. 21 | 22 | ```bash 23 | helm install httpbinz openziti/httpbin \ 24 | --set zitiServiceName="my httpbin service" \ 25 | --set-file zitiEnrollment=id.jwt 26 | ``` 27 | 28 | Install with an enrolled identity. 29 | 30 | ```bash 31 | helm install httpbinz openziti/httpbin \ 32 | --set zitiServiceName="my httpbin service" \ 33 | --set-file zitiIdentity=id.json 34 | ``` 35 | 36 | ## Values Reference 37 | 38 | {{ template "chart.valuesTable" . 
}} 39 | 40 | 41 | -------------------------------------------------------------------------------- /.github/workflows/readme.yml: -------------------------------------------------------------------------------- 1 | name: Deploy README to GitHub Pages 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | paths: 8 | - README.md 9 | 10 | workflow_dispatch: 11 | 12 | jobs: 13 | deploy: 14 | runs-on: ubuntu-24.04 15 | steps: 16 | - name: Checkout code 17 | uses: actions/checkout@v5 18 | 19 | - name: Install pandoc 20 | shell: bash 21 | run: | 22 | set -o pipefail 23 | set -o xtrace 24 | sudo apt-get update 25 | sudo apt-get install -y pandoc 26 | 27 | - name: Prepare file for deployment 28 | shell: bash 29 | run: | 30 | set -o pipefail 31 | set -o xtrace 32 | rm -rf ./public 33 | mkdir -p ./public 34 | pandoc -f gfm -t html5 -s ./README.md -o ./public/index.html 35 | echo "Staged files:" && find ./public -type f -ls || true 36 | 37 | - name: Deploy to GitHub Pages 38 | uses: peaceiris/actions-gh-pages@v4 39 | with: 40 | github_token: ${{ secrets.GITHUB_TOKEN }} 41 | publish_dir: ./public 42 | publish_branch: gh-pages 43 | keep_files: true 44 | -------------------------------------------------------------------------------- /.github/workflows/release-notes.yml: -------------------------------------------------------------------------------- 1 | name: Release Notes Labeler 2 | 3 | on: 4 | pull_request_target: 5 | types: [opened, synchronize, reopened] 6 | 7 | # Set default permissions to read-only 8 | permissions: read-all 9 | 10 | jobs: 11 | release-notes-labeler: 12 | permissions: 13 | contents: read 14 | pull-requests: write 15 | 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Checkout repository 19 | uses: actions/checkout@v4 20 | 21 | # GitHub's release notes generator uses these labels to select PRs to include 22 | - name: Label Pull Request by Changed Charts 23 | id: labeler 24 | uses: maxisam/changed-files-labeler@v0.1.1 25 | with: 26 | authToken: ${{ 
secrets.GITHUB_TOKEN }} 27 | basePaths: charts 28 | prefixes: notes|skip 29 | includedGlob: "" # no filter 30 | debugShowPaths: true 31 | layers: 1 32 | 33 | - name: Debug Labeler 34 | run: | 35 | echo "Labels: ${{ steps.labeler.outputs.labels }}" 36 | echo "Paths: ${{ steps.labeler.outputs.paths }}" 37 | echo "Changed: ${{ steps.labeler.outputs.changed }}" 38 | -------------------------------------------------------------------------------- /charts/ziti-controller/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.highAvailability.mode "standalone" }} 2 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ include "ziti-controller.fullname" . }} 7 | namespace: {{ .Release.Namespace | quote }} 8 | labels: 9 | {{- include "ziti-controller.labels" . | nindent 4 }} 10 | app.kubernetes.io/component: "ziti-controller" 11 | {{- if .Values.persistence.annotations }} 12 | annotations: 13 | {{ toYaml .Values.persistence.annotations | trimSuffix "\n" | indent 4 }} 14 | {{- end }} 15 | spec: 16 | accessModes: 17 | - {{ .Values.persistence.accessMode | quote }} 18 | resources: 19 | requests: 20 | storage: {{ .Values.persistence.size | quote }} 21 | 22 | {{- if .Values.persistence.storageClass }} 23 | {{- if (eq "-" .Values.persistence.storageClass) }} 24 | storageClassName: "" 25 | {{- else }} 26 | storageClassName: "{{ .Values.persistence.storageClass }}" 27 | {{- end }} 28 | {{- end }} 29 | {{- if .Values.persistence.VolumeName }} 30 | volumeName: "{{ .Values.persistence.VolumeName }}" 31 | {{- end }} 32 | {{- end }} 33 | {{- end }} -------------------------------------------------------------------------------- /.github/workflows/mattermost-ziti-webhook.yml: -------------------------------------------------------------------------------- 1 | name: ziti-mattermost-action-py 2 | on: 3 | create: 4 | 
delete: 5 | issues: 6 | issue_comment: 7 | pull_request_review: 8 | types: [submitted] 9 | pull_request_review_comment: 10 | pull_request: 11 | types: [opened, reopened] 12 | push: 13 | fork: 14 | release: 15 | types: [released] 16 | workflow_dispatch: 17 | 18 | jobs: 19 | ziti-webhook: 20 | runs-on: ubuntu-latest 21 | name: Ziti Mattermost Action - Py 22 | steps: 23 | - uses: openziti/ziti-mattermost-action-py@main 24 | if: ${{ env.ZHOOK_URL_DEV_NOTIFICATIONS != null }} 25 | env: 26 | ZHOOK_URL: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }} 27 | with: 28 | # Identity JSON containing key to access a Ziti network 29 | zitiId: ${{ secrets.ZITI_MATTERMOST_IDENTITY }} 30 | 31 | # URL to post the payload. Note that the `zitiId` must provide access to a service 32 | # intercepting `my-mattermost-ziti-server` 33 | webhookUrl: ${{ secrets.ZHOOK_URL_DEV_NOTIFICATIONS }} 34 | 35 | eventJson: ${{ toJson(github.event) }} 36 | senderUsername: "GitHubZ" 37 | destChannel: "dev-notifications" 38 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/headless-svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.alertmanager.statefulSet.headless.annotations }} 6 | annotations: 7 | {{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }} 8 | {{- end }} 9 | labels: 10 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 11 | {{- if .Values.alertmanager.statefulSet.headless.labels }} 12 | {{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }} 13 | {{- end }} 14 | name: {{ template "prometheus.alertmanager.fullname" . }}-headless 15 | {{ include "prometheus.namespace" . 
| indent 2 }} 16 | spec: 17 | clusterIP: None 18 | ports: 19 | - name: http 20 | port: {{ .Values.alertmanager.statefulSet.headless.servicePort }} 21 | protocol: TCP 22 | targetPort: 9093 23 | {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} 24 | - name: meshpeer 25 | port: 6783 26 | protocol: TCP 27 | targetPort: 6783 28 | {{- end }} 29 | selector: 30 | {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/ingressclass.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingressClass.enabled -}} 2 | {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} 3 | apiVersion: networking.k8s.io/v1 4 | {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass" }} 5 | apiVersion: networking.k8s.io/v1beta1 6 | {{- else if or (eq .Values.ingressClass.fallbackApiVersion "v1beta1") (eq .Values.ingressClass.fallbackApiVersion "v1") }} 7 | apiVersion: {{ printf "networking.k8s.io/%s" .Values.ingressClass.fallbackApiVersion }} 8 | {{- else }} 9 | {{- fail "\n\n ERROR: You must have at least networking.k8s.io/v1beta1 to use ingressClass" }} 10 | {{- end }} 11 | kind: IngressClass 12 | metadata: 13 | annotations: 14 | ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }} 15 | labels: 16 | app.kubernetes.io/name: {{ template "traefik.name" . }} 17 | helm.sh/chart: {{ template "traefik.chart" . }} 18 | app.kubernetes.io/managed-by: {{ .Release.Service }} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | name: {{ template "traefik.fullname" . 
}} 21 | spec: 22 | controller: traefik.io/ingress-controller 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /charts/traefik-charts/lint/lintconf.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | rules: 3 | braces: 4 | min-spaces-inside: 0 5 | max-spaces-inside: 0 6 | min-spaces-inside-empty: -1 7 | max-spaces-inside-empty: -1 8 | brackets: 9 | min-spaces-inside: 0 10 | max-spaces-inside: 0 11 | min-spaces-inside-empty: -1 12 | max-spaces-inside-empty: -1 13 | colons: 14 | max-spaces-before: 0 15 | max-spaces-after: 1 16 | commas: 17 | max-spaces-before: 0 18 | min-spaces-after: 1 19 | max-spaces-after: 1 20 | comments: 21 | require-starting-space: true 22 | min-spaces-from-content: 2 23 | document-end: disable 24 | document-start: disable # '---' at the start of a file is not required 25 | empty-lines: 26 | max: 2 27 | max-start: 0 28 | max-end: 0 29 | hyphens: 30 | max-spaces-after: 1 31 | indentation: 32 | spaces: consistent 33 | indent-sequences: whatever # '- ' list items are accepted whether or not they are indented 34 | check-multi-line-strings: false 35 | key-duplicates: enable 36 | line-length: disable # Lines can be any length 37 | new-line-at-end-of-file: enable 38 | new-lines: 39 | type: unix 40 | trailing-spaces: enable 41 | truthy: 42 | level: warning 43 | -------------------------------------------------------------------------------- /charts/ziti-router/examples/scenario-5-one-additional-only.yaml: -------------------------------------------------------------------------------- 1 | # Scenario: One Additional Service Only (No Default) 2 | # Test: Single service on additional K8s service, default disabled 3 | # Expected: One additional K8s service, no default service 4 | 5 | ctrl: 6 | endpoint: ziti-controller-client.miniziti.svc:443 7 | 8 | edge: 9 | advertisedHost: "" 10 | advertisedPort: 443 11 | service: 12 | enabled: false 13 | 14 | linkListeners: 15 | transport: 16 | 
enabled: false 17 | service: 18 | enabled: false 19 | 20 | tunnel: 21 | mode: proxy 22 | proxyServices: 23 | - zitiService: httpbin-service 24 | advertisedPort: 2175 25 | containerPort: 2175 26 | k8sService: custom 27 | proxyDefaultK8sService: 28 | enabled: false 29 | proxyAdditionalK8sServices: 30 | - name: custom 31 | type: ClusterIP 32 | 33 | # Expected K8s Resources: 34 | # - ClusterIP Service: ziti-router1-proxy-custom 35 | # - port: 2175 -> targetPort: 2175 (httpbin-service) 36 | # - NO ziti-router1-proxy-default service 37 | # 38 | # Expected Router Config: 39 | # services: 40 | # - "httpbin-service:2175" 41 | # 42 | # Test with: wgetter-one-additional-only.yaml 43 | # Target: ziti-router1-proxy-custom.kentest.svc:2175 44 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}} 2 | apiVersion: {{ template "rbac.apiVersion" . }} 3 | kind: ClusterRole 4 | metadata: 5 | labels: 6 | {{- include "prometheus.server.labels" . | nindent 4 }} 7 | name: {{ template "prometheus.server.fullname" . }} 8 | rules: 9 | {{- if .Values.podSecurityPolicy.enabled }} 10 | - apiGroups: 11 | - extensions 12 | resources: 13 | - podsecuritypolicies 14 | verbs: 15 | - use 16 | resourceNames: 17 | - {{ template "prometheus.server.fullname" . 
}} 18 | {{- end }} 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - nodes 23 | - nodes/proxy 24 | - nodes/metrics 25 | - services 26 | - endpoints 27 | - pods 28 | - ingresses 29 | - configmaps 30 | verbs: 31 | - get 32 | - list 33 | - watch 34 | - apiGroups: 35 | - "extensions" 36 | - "networking.k8s.io" 37 | resources: 38 | - ingresses/status 39 | - ingresses 40 | verbs: 41 | - get 42 | - list 43 | - watch 44 | - nonResourceURLs: 45 | - "/metrics" 46 | verbs: 47 | - get 48 | {{- end }} 49 | -------------------------------------------------------------------------------- /charts/ziti-controller/templates/alt-certificate.yaml: -------------------------------------------------------------------------------- 1 | # openziti-helm-charts/charts/ziti-controller/templates/alt-certificate.yaml 2 | {{- if gt (len $.Values.webBindingPki.altServerCerts) 0 -}} 3 | {{- $certs := ((include "ziti-controller.getCertManagerAltServerCerts" $.Values.webBindingPki.altServerCerts) | fromJson).certManagerCerts -}} 4 | {{- if gt (len $certs) 0 }} 5 | {{- range $index, $cert := $certs }} 6 | --- 7 | apiVersion: cert-manager.io/v1 8 | kind: Certificate 9 | metadata: 10 | name: {{ printf "%s-alt-cert-%d" (include "ziti-controller.fullname" $) $index }} 11 | namespace: {{ $.Release.Namespace }} 12 | spec: 13 | {{- if $cert.secretName }} 14 | secretName: {{ $cert.secretName | quote }} 15 | {{- else }} 16 | {{- fail (printf "No secretName found for cert %d" $index) -}} 17 | {{- end }} 18 | issuerRef: 19 | {{- toYaml $cert.issuerRef | nindent 4 }} 20 | {{- if gt (len $cert.altDnsNames) 0 }} 21 | dnsNames: 22 | {{- range $cert.altDnsNames }} 23 | - {{ include "ziti-controller.tplOrLiteral" (dict "value" . 
"context" $) }} 24 | {{- end }} 25 | {{- else }} 26 | [] 27 | {{- end }} 28 | usages: 29 | - digital signature 30 | - key encipherment 31 | - server auth 32 | {{- end }} 33 | {{- end }} 34 | {{- end }} 35 | -------------------------------------------------------------------------------- /charts/zrok/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: zrok 3 | description: Run the zrok controller and zrok frontend components as a K8s deployment 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 1.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 
24 | appVersion: 1.1.10 25 | 26 | dependencies: [] 27 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pushgateway.persistentVolume.enabled -}} 2 | {{- if not .Values.pushgateway.persistentVolume.existingClaim -}} 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | {{- if .Values.pushgateway.persistentVolume.annotations }} 7 | annotations: 8 | {{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }} 9 | {{- end }} 10 | labels: 11 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 12 | name: {{ template "prometheus.pushgateway.fullname" . }} 13 | {{ include "prometheus.namespace" . | indent 2 }} 14 | spec: 15 | accessModes: 16 | {{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }} 17 | {{- if .Values.pushgateway.persistentVolume.storageClass }} 18 | {{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }} 19 | storageClassName: "" 20 | {{- else }} 21 | storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}" 22 | {{- end }} 23 | {{- end }} 24 | {{- if .Values.pushgateway.persistentVolume.volumeBindingMode }} 25 | volumeBindingModeName: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}" 26 | {{- end }} 27 | resources: 28 | requests: 29 | storage: "{{ .Values.pushgateway.persistentVolume.size }}" 30 | {{- end -}} 31 | {{- end -}} 32 | -------------------------------------------------------------------------------- /charts/ziti-router/examples/scenario-3-two-default.yaml: -------------------------------------------------------------------------------- 1 | # Scenario: Two Services on Default 2 | # Test: Two Ziti services on same default K8s service 3 | # Expected: Regular ClusterIP service with two ports 4 | 5 | ctrl: 6 | endpoint: ziti-controller-client.miniziti.svc:443 7 | 8 | 
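edge: 9 | advertisedHost: "" 10 | advertisedPort: 443 11 | service: 12 | enabled: false 13 | 14 | linkListeners: 15 | transport: 16 | enabled: false 17 | service: 18 | enabled: false 19 | 20 | tunnel: 21 | mode: proxy 22 | proxyServices: 23 | - zitiService: httpbin-service 24 | advertisedPort: 2173 25 | containerPort: 2173 26 | - zitiService: httpbin-service-alt 27 | advertisedPort: 2174 28 | containerPort: 2174 29 | proxyDefaultK8sService: 30 | enabled: true 31 | type: ClusterIP 32 | 33 | # Expected K8s Resources: 34 | # - ClusterIP Service: ziti-router1-proxy-default 35 | # - port: 2173 -> targetPort: 2173 (httpbin-service) 36 | # - port: 2174 -> targetPort: 2174 (httpbin-service-alt) 37 | # 38 | # Expected Router Config: 39 | # services: 40 | # - "httpbin-service:2173" 41 | # - "httpbin-service-alt:2174" 42 | # 43 | # Test with: wgetter-two-default.yaml (tests both ports) 44 | # Targets: 45 | # - ziti-router1-proxy-default.kentest.svc:2173 46 | # - ziti-router1-proxy-default.kentest.svc:2174 47 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/identity-migrate-script-cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "ziti-host.fullname" . }}-identity-migrate 5 | labels: 6 | app.kubernetes.io/name: {{ include "ziti-host.name" . }} 7 | helm.sh/chart: {{ include "ziti-host.chart" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | data: 11 | migrate.sh: | 12 | #!/bin/bash 13 | # One-shot migration: copy the persisted identity from the legacy Secret into the PVC, then delete the Secret. 14 | # Exits 0 without touching anything when the identity file already exists or the Secret is absent. 15 | # pipefail: a kubectl failure inside the pipeline below must abort the script instead of silently yielding an empty identity, which would otherwise be written out before the Secret is deleted (losing the identity). 16 | set -euo pipefail 17 | SECRET_NAME="{{ include "ziti-host.fullname" . }}-identity" 18 | NAMESPACE="{{ .Release.Namespace }}" 19 | PVC_MOUNT="{{ include "ziti-host.identityMountPath" . }}" 20 | IDENTITY_FILE="${PVC_MOUNT}/{{ include "ziti-host.fullname" . 
}}-identity.json" 21 | if [ -f "$IDENTITY_FILE" ]; then 22 | echo "Identity file already exists in PVC, skipping migration." 23 | exit 0 24 | fi 25 | if kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" &>/dev/null; then 26 | IDENTITY=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o jsonpath='{.data.persisted-identity}' | base64 -d) 27 | # Refuse to proceed on an empty payload: deleting the Secret below is irreversible. 28 | if [ -z "$IDENTITY" ]; then 29 | echo "Secret $SECRET_NAME has no persisted-identity data, refusing to migrate." >&2 30 | exit 1 31 | fi 32 | # NOTE(review): the file is created with the default umask; tightening it to 0600 depends on whether the ziti-host container runs as the same UID as this script — confirm before changing. 33 | echo "$IDENTITY" > "$IDENTITY_FILE" 34 | # The Secret is removed only after the write above succeeded (set -e aborts otherwise). 35 | kubectl delete secret "$SECRET_NAME" -n "$NAMESPACE" 36 | echo "Identity migrated to PVC and secret deleted." 37 | else 38 | echo "Secret $SECRET_NAME not found, nothing to migrate." 39 | fi 40 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} 2 | apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "prometheus.pushgateway.fullname" . }} 6 | labels: 7 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 8 | annotations: 9 | {{- if .Values.pushgateway.podSecurityPolicy.annotations }} 10 | {{ toYaml .Values.pushgateway.podSecurityPolicy.annotations | indent 4 }} 11 | {{- end }} 12 | spec: 13 | privileged: false 14 | allowPrivilegeEscalation: false 15 | requiredDropCapabilities: 16 | - ALL 17 | volumes: 18 | - 'persistentVolumeClaim' 19 | - 'secret' 20 | allowedHostPaths: 21 | - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }} 22 | hostNetwork: false 23 | hostPID: false 24 | hostIPC: false 25 | runAsUser: 26 | rule: 'RunAsAny' 27 | seLinux: 28 | rule: 'RunAsAny' 29 | supplementalGroups: 30 | rule: 'MustRunAs' 31 | ranges: 32 | # Forbid adding the root group. 33 | - min: 1 34 | max: 65535 35 | fsGroup: 36 | rule: 'MustRunAs' 37 | ranges: 38 | # Forbid adding the root group. 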
39 | - min: 1 40 | max: 65535 41 | readOnlyRootFilesystem: true 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /charts/zrok/templates/test-job.yml: -------------------------------------------------------------------------------- 1 | {{ if .Values.test.enabled -}} 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: zrok-test-job 6 | namespace: {{ .Release.Namespace }} 7 | spec: 8 | backoffLimit: {{ .Values.test.backoffLimit }} 9 | template: 10 | spec: 11 | containers: 12 | - name: zrok 13 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" 14 | command: ["/bin/bash", "-c", "/zrok/test.bash"] 15 | env: 16 | - name: ZROK_API_ENDPOINT 17 | value: http://{{ include "zrok.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.controller.service.advertisedPort }} 18 | - name: HOME 19 | value: /tmp 20 | - name: ZROK_ENABLE_TOKEN 21 | valueFrom: 22 | secretKeyRef: 23 | name: {{ include "zrok.fullname" . }}-ziggy-account-token 24 | key: token 25 | volumeMounts: 26 | - name: test-script 27 | mountPath: /zrok/test.bash 28 | subPath: test.bash 29 | readOnly: true 30 | volumes: 31 | - name: test-script 32 | configMap: 33 | name: {{ include "zrok.fullname" . }}-config 34 | defaultMode: 0555 35 | items: 36 | - key: test.bash 37 | path: test.bash 38 | 39 | restartPolicy: Never 40 | {{- end }} -------------------------------------------------------------------------------- /charts/prometheus/templates/server/headless-svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.server.statefulSet.enabled -}} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | {{- if .Values.server.statefulSet.headless.annotations }} 7 | annotations: 8 | {{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} 9 | {{- end }} 10 | labels: 11 | {{- include "prometheus.server.labels" . 
| nindent 4 }} 12 | {{- if .Values.server.statefulSet.headless.labels }} 13 | {{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} 14 | {{- end }} 15 | name: {{ template "prometheus.server.fullname" . }}-headless 16 | {{ include "prometheus.namespace" . | indent 2 }} 17 | spec: 18 | clusterIP: None 19 | ports: 20 | - name: http 21 | port: {{ .Values.server.statefulSet.headless.servicePort }} 22 | protocol: TCP 23 | targetPort: 9090 24 | {{- if .Values.server.statefulSet.headless.gRPC.enabled }} 25 | - name: grpc 26 | port: {{ .Values.server.statefulSet.headless.gRPC.servicePort }} 27 | protocol: TCP 28 | targetPort: 10901 29 | {{- if .Values.server.statefulSet.headless.gRPC.nodePort }} 30 | nodePort: {{ .Values.server.statefulSet.headless.gRPC.nodePort }} 31 | {{- end }} 32 | {{- end }} 33 | 34 | selector: 35 | {{- include "prometheus.server.matchLabels" . | nindent 4 }} 36 | {{- end -}} 37 | {{- end -}} 38 | -------------------------------------------------------------------------------- /charts/hello-toy/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: hello-toy 3 | description: > 4 | Run the lightweight toy web server, optionally with a custom service domain name 5 | in cluster DNS e.g. 6 | helm install my-toy-release openziti/hello-toy --set serviceDomainName=my-toy-service-dns 7 | 8 | # A chart can be either an 'application' or a 'library' chart. 9 | # 10 | # Application charts are a collection of templates that can be packaged into versioned archives 11 | # to be deployed. 12 | # 13 | # Library charts provide useful utilities or functions for the chart developer. They're included as 14 | # a dependency of application charts to inject those utilities and functions into the rendering 15 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 16 | type: application 17 | 18 | # This is the chart version. 
This version number should be incremented each time you make changes 19 | # to the chart and its templates, including the app version. 20 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 21 | version: 3.0.2 22 | 23 | # This is the version number of the application being deployed. This version number should be 24 | # incremented each time you make changes to the application. Versions are not expected to 25 | # follow Semantic Versioning. They should reflect the version the application is using. 26 | # It is recommended to use it with quotes. 27 | appVersion: v1 28 | -------------------------------------------------------------------------------- /charts/ziti-browzer-bootstrapper/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled }} 2 | {{- $ingressHttpDef := include "ingress-http-def" . -}} 3 | 4 | --- 5 | apiVersion: networking.k8s.io/v1 6 | kind: Ingress 7 | metadata: 8 | name: {{ include "ziti-browzer-bootstrapper.fullname" . }} 9 | labels: 10 | {{- include "ziti-browzer-bootstrapper.labels" . | nindent 4 }} 11 | {{- with .Values.ingress.labels }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- with .Values.ingress.annotations }} 15 | annotations: 16 | {{ toYaml . 
| nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.ingress.ingressClassName }} 20 | ingressClassName: {{ .Values.ingress.ingressClassName }} 21 | {{- end }} 22 | {{- if .Values.ingress.tlsSecret }} 23 | tls: 24 | - hosts: 25 | - {{ .Values.zitiBrowzer.bootstrapper.loadBalancer.host | quote }} 26 | secretName: {{ .Values.ingress.tlsSecret }} 27 | {{- range .Values.zitiBrowzer.bootstrapper.targets }} 28 | - hosts: 29 | - {{ .vhost | quote }} 30 | secretName: {{ $.Values.ingress.tlsSecret }}-{{ .vhost }} 31 | {{- end }} 32 | {{- end }} 33 | rules: 34 | - host: {{ .Values.zitiBrowzer.bootstrapper.loadBalancer.host | quote }} 35 | {{ $ingressHttpDef }} 36 | {{- range .Values.zitiBrowzer.bootstrapper.targets }} 37 | - host: {{ .vhost | quote }} 38 | {{ $ingressHttpDef }} 39 | {{- end }} 40 | 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /.github/workflows/release-charts.yml: -------------------------------------------------------------------------------- 1 | name: Release Helm Charts # Packages every chart under charts/ and publishes it to the gh-pages branch with chart-releaser on each push to main 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | 8 | jobs: 9 | release: 10 | name: Release Helm Charts 11 | runs-on: ubuntu-latest 12 | permissions: 13 | contents: write 14 | steps: 15 | - name: Checkout 16 | uses: actions/checkout@v4 17 | with: 18 | fetch-depth: 0 19 | 20 | - name: Install Helm 21 | uses: azure/setup-helm@v4 22 | with: 23 | version: v3.16.2 24 | 25 | - name: Add dependency repositories 26 | run: | 27 | for dir in $(ls -d charts/*/); do 28 | helm dependency list $dir 2> /dev/null | tail +2 | head -n -1 | awk '{ print "helm repo add " $1 " " $3 }' | while read cmd; do $cmd; done # NOTE(review): builds a 'helm repo add' from two columns of each chart's dependency list (presumably NAME and REPOSITORY) and runs it via unquoted word splitting; any chart under charts/ can thereby register an arbitrary repository URL for this run, so dependency entries deserve review 29 | done 30 | 31 | - name: Configure Git for Chart Releaser 32 | run: | 33 | git config user.name "$GITHUB_ACTOR" 34 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 35 | 36 | - name: Run chart-releaser 37 | uses: netfoundry/chart-releaser-action@v0 # NOTE(review): mutable major-version tag; this step runs with contents: write and CR_TOKEN, so pinning to a commit SHA would limit supply-chain exposure 38 | with: 39 | version: v0.1.6110 40 | charts_dir: charts 41 | 
skip_existing: true 42 | mark_as_latest: true 43 | pages_branch: gh-pages 44 | generate_release_notes: true 45 | env: 46 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" # the workflow's own token, scoped by the job-level 'permissions: contents: write' above 47 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} 2 | apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "prometheus.alertmanager.fullname" . }} 6 | labels: 7 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 8 | annotations: 9 | {{- if .Values.alertmanager.podSecurityPolicy.annotations }} 10 | {{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }} 11 | {{- end }} 12 | spec: 13 | privileged: false 14 | allowPrivilegeEscalation: false 15 | requiredDropCapabilities: 16 | - ALL 17 | volumes: 18 | - 'configMap' 19 | - 'persistentVolumeClaim' 20 | - 'emptyDir' 21 | - 'secret' 22 | allowedHostPaths: 23 | - pathPrefix: /etc 24 | readOnly: true 25 | - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }} 26 | hostNetwork: false 27 | hostPID: false 28 | hostIPC: false 29 | runAsUser: 30 | rule: 'RunAsAny' 31 | seLinux: 32 | rule: 'RunAsAny' 33 | supplementalGroups: 34 | rule: 'MustRunAs' 35 | ranges: 36 | # Forbid adding the root group. 37 | - min: 1 38 | max: 65535 39 | fsGroup: 40 | rule: 'MustRunAs' 41 | ranges: 42 | # Forbid adding the root group. 
43 | - min: 1 44 | max: 65535 45 | readOnlyRootFilesystem: true 46 | {{- end }} 47 | -------------------------------------------------------------------------------- /charts/traefik-charts/ziti.README: -------------------------------------------------------------------------------- 1 | This helm chart has been updated to work with a version of traefik that has been configured to allow for the use of ziti when serving prometheus metrics. 2 | 3 | Configuring the chart 4 | 5 | This chart uses the latest version of the zitified traefik image. See the zitified traefik project for more details: 6 | https://github.com/nf-npieros/traefik 7 | 8 | Once the zitified traefik image has been created, the appVersion must be changed in Chart.yaml to match the version you set when tagging the image. 9 | 10 | By default, the chart is set to use 'prometheuz' as the entrypoint name for prometheus. 11 | By default, the service name and identity file name are set to 'traefikPrometheus' and 'traefik' respectively. 
12 | 13 | In order to change the service name, the following argument can be added to the install command: 14 | --set ports.prometheuz.serviceName=newServiceName 15 | 16 | In order to change the identity name, the following argument can be added to the install command: 17 | 18 | --set ports.prometheuz.identityName=newIdentityName 19 | 20 | If you need to change the entry point name, be sure to change all references to .Values.ports.prometheuz.identityName to use your new entry point name in place of prometheuz. 21 | 22 | The identity file is set using the --set-file flag. 23 | 24 | To install the chart from a local checkout, the following command can be used: 25 | 26 | helm install prometheus ./traefik --set-file traefikIdentity=./traefik.json 27 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/tests/default-install_test.yaml: -------------------------------------------------------------------------------- 1 | suite: default install 2 | tests: 3 | - it: should generate the default objects for Traefik Ingress Controller 4 | asserts: 5 | - isKind: 6 | of: Deployment 7 | template: deployment.yaml 8 | - equal: 9 | path: items[0].kind 10 | value: Service 11 | template: service.yaml 12 | - isKind: 13 | of: ClusterRole 14 | template: rbac/clusterrole.yaml 15 | - isKind: 16 | of: ClusterRoleBinding 17 | template: rbac/clusterrolebinding.yaml 18 | - isKind: 19 | of: ServiceAccount 20 | template: rbac/serviceaccount.yaml 21 | - it: should have the correct naming for each object 22 | asserts: 23 | - equal: 24 | path: metadata.name 25 | value: RELEASE-NAME-traefik 26 | template: deployment.yaml 27 | - equal: 28 | path: items[0].metadata.name 29 | value: RELEASE-NAME-traefik 30 | template: service.yaml 31 | - equal: 32 | path: metadata.name 33 | value: RELEASE-NAME-traefik 34 | template: rbac/clusterrole.yaml 35 | - equal: 36 | path: metadata.name 37 | value: RELEASE-NAME-traefik 38 | template: rbac/clusterrolebinding.yaml 39 | - equal: 
40 | path: metadata.name 41 | value: RELEASE-NAME-traefik 42 | template: rbac/serviceaccount.yaml 43 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/tests/daemonset-config_test.yaml: -------------------------------------------------------------------------------- 1 | suite: DaemonSet configuration 2 | templates: 3 | - daemonset.yaml 4 | tests: 5 | - it: should have a rollingUpdate strategy with default values 6 | set: 7 | deployment: 8 | kind: DaemonSet 9 | asserts: 10 | - equal: 11 | path: spec.updateStrategy.type 12 | value: RollingUpdate 13 | - equal: 14 | path: spec.updateStrategy.rollingUpdate.maxUnavailable 15 | value: 1 16 | - it: should have annotations with specified values 17 | set: 18 | deployment: 19 | kind: DaemonSet 20 | annotations: 21 | traefik/powpow: annotations 22 | podAnnotations: 23 | traefik/powpow: podAnnotations 24 | asserts: 25 | - equal: 26 | path: metadata.annotations.traefik/powpow 27 | value: annotations 28 | - equal: 29 | path: spec.template.metadata.annotations.traefik/powpow 30 | value: podAnnotations 31 | - it: should have labels with specified values 32 | set: 33 | deployment: 34 | kind: DaemonSet 35 | labels: 36 | traefik/powpow: labels 37 | podLabels: 38 | traefik/powpow: podLabels 39 | asserts: 40 | - equal: 41 | path: metadata.labels.traefik/powpow 42 | value: labels 43 | - equal: 44 | path: spec.template.metadata.labels.traefik/powpow 45 | value: podLabels 46 | -------------------------------------------------------------------------------- /charts/ziti-router/examples/scenario-6-one-explicit-one-implicit-default.yaml: -------------------------------------------------------------------------------- 1 | # Scenario: One Explicit, One Implicit Default 2 | # Test: Verify explicit k8sService: default behaves same as implicit 3 | # Expected: Single default K8s service with two ports 4 | 5 | ctrl: 6 | endpoint: ziti-controller-client.miniziti.svc:443 7 | 8 | edge: 9 | 
advertisedHost: "" 10 | advertisedPort: 443 11 | service: 12 | enabled: false 13 | 14 | linkListeners: 15 | transport: 16 | enabled: false 17 | service: 18 | enabled: false 19 | 20 | tunnel: 21 | mode: proxy 22 | proxyServices: 23 | - zitiService: httpbin-service 24 | advertisedPort: 2176 25 | containerPort: 2176 26 | k8sService: default # Explicit default 27 | - zitiService: httpbin-service-alt 28 | advertisedPort: 2177 29 | containerPort: 2177 30 | # No k8sService = implicit default 31 | proxyDefaultK8sService: 32 | enabled: true 33 | type: ClusterIP 34 | 35 | # Expected K8s Resources: 36 | # - ClusterIP Service: ziti-router1-proxy-default 37 | # - port: 2176 -> targetPort: 2176 (httpbin-service) 38 | # - port: 2177 -> targetPort: 2177 (httpbin-service-alt) 39 | # 40 | # Expected Router Config: 41 | # services: 42 | # - "httpbin-service:2176" 43 | # - "httpbin-service-alt:2177" 44 | # 45 | # Test with: wgetter-one-explicit-one-implicit-default.yaml 46 | # Targets: 47 | # - ziti-router1-proxy-default.kentest.svc:2176 48 | # - ziti-router1-proxy-default.kentest.svc:2177 49 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/tests/poddisruptionbudget-config_test.yaml: -------------------------------------------------------------------------------- 1 | suite: PodDisruptionBudget configuration 2 | templates: 3 | - poddisruptionbudget.yaml 4 | tests: 5 | - it: should be disabled by default 6 | asserts: 7 | - hasDocuments: 8 | count: 0 9 | - it: should have minAvailable set as int 10 | set: 11 | podDisruptionBudget: 12 | enabled: true 13 | minAvailable: 2 14 | asserts: 15 | - equal: 16 | path: spec.minAvailable 17 | value: 2 18 | - isEmpty: 19 | path: spec.maxUnavailable 20 | - it: should have maxUnavailable set as int 21 | set: 22 | podDisruptionBudget: 23 | enabled: true 24 | maxUnavailable: 1 25 | asserts: 26 | - equal: 27 | path: spec.maxUnavailable 28 | value: 1 29 | - isEmpty: 30 | path: 
spec.minAvailable 31 | - it: should have minAvailable set as percentage 32 | set: 33 | podDisruptionBudget: 34 | enabled: true 35 | minAvailable: 25% 36 | asserts: 37 | - equal: 38 | path: spec.minAvailable 39 | value: 25% 40 | - isEmpty: 41 | path: spec.maxUnavailable 42 | - it: should have maxUnavailable set as percentage 43 | set: 44 | podDisruptionBudget: 45 | enabled: true 46 | maxUnavailable: 33% 47 | asserts: 48 | - equal: 49 | path: spec.maxUnavailable 50 | value: 33% 51 | - isEmpty: 52 | path: spec.minAvailable 53 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if not .Values.server.statefulSet.enabled -}} 3 | {{- if .Values.server.persistentVolume.enabled -}} 4 | {{- if not .Values.server.persistentVolume.existingClaim -}} 5 | apiVersion: v1 6 | kind: PersistentVolumeClaim 7 | metadata: 8 | {{- if .Values.server.persistentVolume.annotations }} 9 | annotations: 10 | {{ toYaml .Values.server.persistentVolume.annotations | indent 4 }} 11 | {{- end }} 12 | labels: 13 | {{- include "prometheus.server.labels" . | nindent 4 }} 14 | name: {{ template "prometheus.server.fullname" . }} 15 | {{ include "prometheus.namespace" . 
| indent 2 }} 16 | spec: 17 | accessModes: 18 | {{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }} 19 | {{- if .Values.server.persistentVolume.storageClass }} 20 | {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} 21 | storageClassName: "" 22 | {{- else }} 23 | storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" 24 | {{- end }} 25 | {{- end }} 26 | {{- if .Values.server.persistentVolume.volumeBindingMode }} 27 | volumeBindingModeName: "{{ .Values.server.persistentVolume.volumeBindingMode }}" 28 | {{- end }} 29 | resources: 30 | requests: 31 | storage: "{{ .Values.server.persistentVolume.size }}" 32 | {{- if .Values.server.persistentVolume.selector }} 33 | selector: 34 | {{- toYaml .Values.server.persistentVolume.selector | nindent 4 }} 35 | {{- end -}} 36 | {{- end -}} 37 | {{- end -}} 38 | {{- end -}} 39 | {{- end -}} 40 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/daemonset.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.deployment.enabled (eq .Values.deployment.kind "DaemonSet") -}} 2 | {{- with .Values.additionalArguments -}} 3 | {{- range . -}} 4 | {{- if contains ".acme." . -}} 5 | {{- fail (printf "ACME functionality is not supported when running Traefik as a DaemonSet") -}} 6 | {{- end -}} 7 | {{- end -}} 8 | {{- end -}} 9 | {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} 10 | {{- fail "\n\n ERROR: latest tag should not be used" }} 11 | {{- end }} 12 | 13 | --- 14 | apiVersion: apps/v1 15 | kind: DaemonSet 16 | metadata: 17 | name: {{ template "traefik.fullname" . }} 18 | labels: 19 | app.kubernetes.io/name: {{ template "traefik.name" . }} 20 | helm.sh/chart: {{ template "traefik.chart" . 
}} 21 | app.kubernetes.io/managed-by: {{ .Release.Service }} 22 | app.kubernetes.io/instance: {{ .Release.Name }} 23 | {{- with .Values.deployment.labels }} 24 | {{- toYaml . | nindent 4 }} 25 | {{- end }} 26 | annotations: 27 | {{- with .Values.deployment.annotations }} 28 | {{- toYaml . | nindent 4 }} 29 | {{- end }} 30 | spec: 31 | selector: 32 | matchLabels: 33 | app.kubernetes.io/name: {{ template "traefik.name" . }} 34 | app.kubernetes.io/instance: {{ .Release.Name }} 35 | updateStrategy: 36 | type: RollingUpdate 37 | rollingUpdate: 38 | maxUnavailable: {{ .Values.rollingUpdate.maxUnavailable }} 39 | template: {{ template "traefik.podTemplate" . }} 40 | {{- end -}} 41 | -------------------------------------------------------------------------------- /charts/ziti-router/examples/scenario-4-mixed-one-each.yaml: -------------------------------------------------------------------------------- 1 | # Scenario: Mixed - One Default, One Additional 2 | # Test: One service on default, one on additional K8s service 3 | # Expected: Two K8s services 4 | 5 | ctrl: 6 | endpoint: ziti-controller-client.miniziti.svc:443 7 | 8 | edge: 9 | advertisedHost: "" 10 | advertisedPort: 443 11 | service: 12 | enabled: false 13 | 14 | linkListeners: 15 | transport: 16 | enabled: false 17 | service: 18 | enabled: false 19 | 20 | tunnel: 21 | mode: proxy 22 | proxyServices: 23 | - zitiService: httpbin-service 24 | advertisedPort: 2174 25 | containerPort: 2174 26 | # No k8sService = maps to default 27 | - zitiService: httpbin-service-alt 28 | advertisedPort: 2175 29 | containerPort: 2175 30 | k8sService: alternate 31 | proxyDefaultK8sService: 32 | enabled: true 33 | type: ClusterIP 34 | proxyAdditionalK8sServices: 35 | - name: alternate 36 | type: ClusterIP 37 | 38 | # Expected K8s Resources: 39 | # - ClusterIP Service: ziti-router1-proxy-default 40 | # - port: 2174 -> targetPort: 2174 (httpbin-service) 41 | # - ClusterIP Service: ziti-router1-proxy-alternate 42 | # - port: 2175 -> 
targetPort: 2175 (httpbin-service-alt) 43 | # 44 | # Expected Router Config: 45 | # services: 46 | # - "httpbin-service:2174" 47 | # - "httpbin-service-alt:2175" 48 | # 49 | # Test with: wgetter-mixed-one-each.yaml (tests both services) 50 | # Targets: 51 | # - ziti-router1-proxy-default.kentest.svc:2174 52 | # - ziti-router1-proxy-alternate.kentest.svc:2175 53 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.server.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} 2 | apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "prometheus.server.fullname" . }} 6 | labels: 7 | {{- include "prometheus.server.labels" . | nindent 4 }} 8 | annotations: 9 | {{- if .Values.server.podSecurityPolicy.annotations }} 10 | {{ toYaml .Values.server.podSecurityPolicy.annotations | indent 4 }} 11 | {{- end }} 12 | spec: 13 | privileged: false 14 | allowPrivilegeEscalation: false 15 | allowedCapabilities: 16 | - 'CHOWN' 17 | volumes: 18 | - 'configMap' 19 | - 'persistentVolumeClaim' 20 | - 'emptyDir' 21 | - 'secret' 22 | - 'hostPath' 23 | allowedHostPaths: 24 | - pathPrefix: /etc 25 | readOnly: true 26 | - pathPrefix: {{ .Values.server.persistentVolume.mountPath }} 27 | {{- range .Values.server.extraHostPathMounts }} 28 | - pathPrefix: {{ .hostPath }} 29 | readOnly: {{ .readOnly }} 30 | {{- end }} 31 | hostNetwork: false 32 | hostPID: false 33 | hostIPC: false 34 | runAsUser: 35 | rule: 'RunAsAny' 36 | seLinux: 37 | rule: 'RunAsAny' 38 | supplementalGroups: 39 | rule: 'MustRunAs' 40 | ranges: 41 | # Forbid adding the root group. 42 | - min: 1 43 | max: 65535 44 | fsGroup: 45 | rule: 'MustRunAs' 46 | ranges: 47 | # Forbid adding the root group. 
48 | - min: 1 49 | max: 65535 50 | readOnlyRootFilesystem: false 51 | {{- end }} 52 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.pushgateway.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.pushgateway.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.pushgateway.service.annotations | indent 4}} 8 | {{- end }} 9 | labels: 10 | {{- include "prometheus.pushgateway.labels" . | nindent 4 }} 11 | {{- if .Values.pushgateway.service.labels }} 12 | {{ toYaml .Values.pushgateway.service.labels | indent 4}} 13 | {{- end }} 14 | name: {{ template "prometheus.pushgateway.fullname" . }} 15 | {{ include "prometheus.namespace" . | indent 2 }} 16 | spec: 17 | {{- if .Values.pushgateway.service.clusterIP }} 18 | clusterIP: {{ .Values.pushgateway.service.clusterIP }} 19 | {{- end }} 20 | {{- if .Values.pushgateway.service.externalIPs }} 21 | externalIPs: 22 | {{ toYaml .Values.pushgateway.service.externalIPs | indent 4 }} 23 | {{- end }} 24 | {{- if .Values.pushgateway.service.loadBalancerIP }} 25 | loadBalancerIP: {{ .Values.pushgateway.service.loadBalancerIP }} 26 | {{- end }} 27 | {{- if .Values.pushgateway.service.loadBalancerSourceRanges }} 28 | loadBalancerSourceRanges: 29 | {{- range $cidr := .Values.pushgateway.service.loadBalancerSourceRanges }} 30 | - {{ $cidr }} 31 | {{- end }} 32 | {{- end }} 33 | ports: 34 | - name: http 35 | port: {{ .Values.pushgateway.service.servicePort }} 36 | protocol: TCP 37 | targetPort: 9091 38 | selector: 39 | {{- include "prometheus.pushgateway.matchLabels" . 
| nindent 4 }} 40 | type: "{{ .Values.pushgateway.service.type }}" 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.alertmanager.statefulSet.enabled -}} 2 | {{- if and .Values.alertmanager.enabled .Values.alertmanager.persistentVolume.enabled -}} 3 | {{- if not .Values.alertmanager.persistentVolume.existingClaim -}} 4 | apiVersion: v1 5 | kind: PersistentVolumeClaim 6 | metadata: 7 | {{- if .Values.alertmanager.persistentVolume.annotations }} 8 | annotations: 9 | {{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 4 }} 10 | {{- end }} 11 | labels: 12 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 13 | name: {{ template "prometheus.alertmanager.fullname" . }} 14 | {{ include "prometheus.namespace" . | indent 2 }} 15 | spec: 16 | accessModes: 17 | {{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 4 }} 18 | {{- if .Values.alertmanager.persistentVolume.storageClass }} 19 | {{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }} 20 | storageClassName: "" 21 | {{- else }} 22 | storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" 23 | {{- end }} 24 | {{- end }} 25 | {{- if .Values.alertmanager.persistentVolume.volumeBindingMode }} 26 | volumeBindingModeName: "{{ .Values.alertmanager.persistentVolume.volumeBindingMode }}" 27 | {{- end }} 28 | resources: 29 | requests: 30 | storage: "{{ .Values.alertmanager.persistentVolume.size }}" 31 | {{- if .Values.alertmanager.persistentVolume.selector }} 32 | selector: 33 | {{- toYaml .Values.alertmanager.persistentVolume.selector | nindent 4 }} 34 | {{- end -}} 35 | {{- end -}} 36 | {{- end -}} 37 | {{- end -}} 38 | -------------------------------------------------------------------------------- 
/charts/ziti-controller/templates/ca-bundle.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: trust.cert-manager.io/v1alpha1 3 | kind: Bundle 4 | metadata: 5 | name: {{ include "ziti-controller.fullname" . }}-ctrl-plane-cas 6 | spec: 7 | sources: 8 | # this secret holds the ctrl plane intermediate issuer cert, whose issuer is 9 | # the ctrl plane root CA or, if configured, an alternative issuer 10 | - secret: 11 | name: {{ include "ziti-controller.fullname" . }}-ctrl-plane-intermediate-secret 12 | key: ca.crt 13 | {{- if (eq .Values.edgeSignerPki.enabled true) }} 14 | # this secret holds the edge signer intermediate CA's cert whose issuer is 15 | # the edge signer root CA 16 | - secret: 17 | name: {{ include "ziti-controller.fullname" . }}-edge-signer-secret 18 | key: ca.crt 19 | {{- end }} 20 | {{- if (eq .Values.webBindingPki.enabled true) }} 21 | # this secret holds the web identity's server cert whose issuer is the web 22 | # intermediate CA 23 | - secret: 24 | name: {{ include "ziti-controller.fullname" . }}-web-identity-secret 25 | key: ca.crt 26 | # this secret holds the web intermediate CA's certificate whose issuer is 27 | # the web root CA 28 | - secret: 29 | name: {{ include "ziti-controller.fullname" . }}-web-intermediate-secret 30 | key: ca.crt 31 | {{- end }} 32 | target: 33 | configMap: 34 | key: {{ include "ziti-controller.ctrlPlaneCasFile" . }} 35 | {{- with .Values.ctrlPlaneCasBundle.namespaceSelector }} 36 | namespaceSelector: 37 | {{- toYaml . | nindent 8 }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "traefik.fullname" . 
}} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" . }} 8 | helm.sh/chart: {{ template "traefik.chart" . }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | rules: 12 | - apiGroups: 13 | - "" 14 | resources: 15 | - services 16 | - endpoints 17 | - secrets 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - extensions 24 | - networking.k8s.io 25 | resources: 26 | - ingresses 27 | verbs: 28 | - get 29 | - list 30 | - watch 31 | - apiGroups: 32 | - extensions 33 | - networking.k8s.io 34 | resources: 35 | - ingresses/status 36 | verbs: 37 | - update 38 | - apiGroups: 39 | - traefik.containo.us 40 | resources: 41 | - ingressroutes 42 | - ingressroutetcps 43 | - ingressrouteudps 44 | - middlewares 45 | - middlewaretcps 46 | - tlsoptions 47 | - tlsstores 48 | - traefikservices 49 | - serverstransports 50 | verbs: 51 | - get 52 | - list 53 | - watch 54 | {{- if .Values.podSecurityPolicy.enabled }} 55 | - apiGroups: 56 | - extensions 57 | resourceNames: 58 | - {{ template "traefik.fullname" . }} 59 | resources: 60 | - podsecuritypolicies 61 | verbs: 62 | - use 63 | {{- end -}} 64 | {{- end -}} 65 | -------------------------------------------------------------------------------- /charts/prometheus/templates/node-exporter/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} 2 | apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "prometheus.nodeExporter.fullname" . }} 6 | labels: 7 | {{- include "prometheus.nodeExporter.labels" . 
| nindent 4 }} 8 | annotations: 9 | {{- if .Values.nodeExporter.podSecurityPolicy.annotations }} 10 | {{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }} 11 | {{- end }} 12 | spec: 13 | privileged: false 14 | allowPrivilegeEscalation: false 15 | requiredDropCapabilities: 16 | - ALL 17 | volumes: 18 | - 'configMap' 19 | - 'hostPath' 20 | - 'secret' 21 | allowedHostPaths: 22 | - pathPrefix: /proc 23 | readOnly: true 24 | - pathPrefix: /sys 25 | readOnly: true 26 | - pathPrefix: / 27 | readOnly: true 28 | {{- range .Values.nodeExporter.extraHostPathMounts }} 29 | - pathPrefix: {{ .hostPath }} 30 | readOnly: {{ .readOnly }} 31 | {{- end }} 32 | hostNetwork: {{ .Values.nodeExporter.hostNetwork }} 33 | hostPID: {{ .Values.nodeExporter.hostPID }} 34 | hostIPC: false 35 | runAsUser: 36 | rule: 'RunAsAny' 37 | seLinux: 38 | rule: 'RunAsAny' 39 | supplementalGroups: 40 | rule: 'MustRunAs' 41 | ranges: 42 | # Forbid adding the root group. 43 | - min: 1 44 | max: 65535 45 | fsGroup: 46 | rule: 'MustRunAs' 47 | ranges: 48 | # Forbid adding the root group. 49 | - min: 1 50 | max: 65535 51 | readOnlyRootFilesystem: false 52 | hostPorts: 53 | - min: 1 54 | max: 65535 55 | {{- end }} 56 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.deployment.enabled (eq .Values.deployment.kind "Deployment") -}} 2 | {{- if gt (int .Values.deployment.replicas) 1 -}} 3 | {{- with .Values.additionalArguments -}} 4 | {{- range . -}} 5 | {{- if contains ".acme." . 
-}} 6 | {{- fail (printf "You can not enable acme if you set more than one traefik replica") -}} 7 | {{- end -}} 8 | {{- end -}} 9 | {{- end -}} 10 | {{- end -}} 11 | {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} 12 | {{- fail "\n\n ERROR: latest tag should not be used" }} 13 | {{- end }} 14 | 15 | --- 16 | apiVersion: apps/v1 17 | kind: Deployment 18 | metadata: 19 | name: {{ template "traefik.fullname" . }} 20 | labels: 21 | app.kubernetes.io/name: {{ template "traefik.name" . }} 22 | helm.sh/chart: {{ template "traefik.chart" . }} 23 | app.kubernetes.io/managed-by: {{ .Release.Service }} 24 | app.kubernetes.io/instance: {{ .Release.Name }} 25 | {{- with .Values.deployment.labels }} 26 | {{- toYaml . | nindent 4 }} 27 | {{- end }} 28 | annotations: 29 | {{- with .Values.deployment.annotations }} 30 | {{- toYaml . | nindent 4 }} 31 | {{- end }} 32 | spec: 33 | {{- if not .Values.autoscaling.enabled }} 34 | replicas: {{ default 1 .Values.deployment.replicas }} 35 | {{- end }} 36 | selector: 37 | matchLabels: 38 | app.kubernetes.io/name: {{ template "traefik.name" . }} 39 | app.kubernetes.io/instance: {{ .Release.Name }} 40 | strategy: 41 | type: RollingUpdate 42 | rollingUpdate: 43 | {{- with .Values.rollingUpdate }} 44 | {{- toYaml . | nindent 6 }} 45 | {{- end }} 46 | template: {{ template "traefik.podTemplate" . }} 47 | {{- end -}} 48 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/identity-migrate-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: {{ include "ziti-host.fullname" . 
}}-identity-migrate 5 | annotations: 6 | "helm.sh/hook": post-install,post-upgrade 7 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 8 | spec: 9 | template: 10 | spec: 11 | restartPolicy: OnFailure 12 | serviceAccountName: default 13 | initContainers: 14 | - name: chown-identity-dir 15 | image: busybox 16 | imagePullPolicy: {{ .Values.image.pullPolicy }} 17 | command: ["sh", "-c", "chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.runAsGroup }} {{ include "ziti-host.identityMountPath" . }}"] 18 | volumeMounts: 19 | - name: identity-pvc 20 | mountPath: {{ include "ziti-host.identityMountPath" . }} 21 | containers: 22 | - name: migrate-identity 23 | image: portainer/kubectl-shell 24 | imagePullPolicy: {{ .Values.image.pullPolicy }} 25 | command: ["/bin/bash", "/scripts/migrate.sh"] 26 | securityContext: 27 | runAsUser: {{ .Values.podSecurityContext.runAsUser }} 28 | runAsGroup: {{ .Values.podSecurityContext.runAsGroup }} 29 | volumeMounts: 30 | - name: identity-pvc 31 | mountPath: {{ include "ziti-host.identityMountPath" . }} 32 | - name: migrate-script 33 | mountPath: /scripts 34 | volumes: 35 | - name: identity-pvc 36 | persistentVolumeClaim: 37 | claimName: {{ include "ziti-host.fullname" . }}-identity-pvc 38 | - name: migrate-script 39 | configMap: 40 | name: {{ include "ziti-host.fullname" . 
}}-identity-migrate 41 | defaultMode: 0755 42 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/tests/gateway-config_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Gateway configuration 2 | templates: 3 | - gateway.yaml 4 | tests: 5 | - it: should have one gateway with the correct class and an http port 6 | set: 7 | experimental: 8 | kubernetesGateway: 9 | enabled: true 10 | asserts: 11 | - equal: 12 | path: spec.gatewayClassName 13 | value: "traefik" 14 | - equal: 15 | path: spec.listeners[0].port 16 | value: 8000 17 | - equal: 18 | path: metadata.namespace 19 | value: "NAMESPACE" 20 | - it: should have one gateway with the correct class and an http port as well as an https port 21 | set: 22 | experimental: 23 | kubernetesGateway: 24 | enabled: true 25 | certificates: 26 | - name: "my-name" 27 | group: "my-group" 28 | kind: "my-kind" 29 | asserts: 30 | - equal: 31 | path: spec.gatewayClassName 32 | value: "traefik" 33 | - equal: 34 | path: spec.listeners[0].port 35 | value: 8000 36 | - equal: 37 | path: spec.listeners[1].port 38 | value: 8443 39 | - equal: 40 | path: spec.listeners[1].tls.certificateRef.name 41 | value: "my-name" 42 | - equal: 43 | path: spec.listeners[1].tls.certificateRef.group 44 | value: "my-group" 45 | - equal: 46 | path: spec.listeners[1].tls.certificateRef.kind 47 | value: "my-kind" 48 | - it: should install gateway in custom namespace 49 | set: 50 | experimental: 51 | kubernetesGateway: 52 | enabled: true 53 | namespace: "default" 54 | asserts: 55 | - equal: 56 | path: metadata.namespace 57 | value: "default" 58 | -------------------------------------------------------------------------------- /charts/prometheus/templates/node-exporter/svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.nodeExporter.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | 
{{- if .Values.nodeExporter.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.nodeExporter.service.annotations | indent 4 }} 8 | {{- end }} 9 | labels: 10 | {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} 11 | {{- if .Values.nodeExporter.service.labels }} 12 | {{ toYaml .Values.nodeExporter.service.labels | indent 4 }} 13 | {{- end }} 14 | name: {{ template "prometheus.nodeExporter.fullname" . }} 15 | {{ include "prometheus.namespace" . | indent 2 }} 16 | spec: 17 | {{- if .Values.nodeExporter.service.clusterIP }} 18 | clusterIP: {{ .Values.nodeExporter.service.clusterIP }} 19 | {{- end }} 20 | {{- if .Values.nodeExporter.service.externalIPs }} 21 | externalIPs: 22 | {{ toYaml .Values.nodeExporter.service.externalIPs | indent 4 }} 23 | {{- end }} 24 | {{- if .Values.nodeExporter.service.loadBalancerIP }} 25 | loadBalancerIP: {{ .Values.nodeExporter.service.loadBalancerIP }} 26 | {{- end }} 27 | {{- if .Values.nodeExporter.service.loadBalancerSourceRanges }} 28 | loadBalancerSourceRanges: 29 | {{- range $cidr := .Values.nodeExporter.service.loadBalancerSourceRanges }} 30 | - {{ $cidr }} 31 | {{- end }} 32 | {{- end }} 33 | ports: 34 | - name: metrics 35 | {{- if .Values.nodeExporter.hostNetwork }} 36 | port: {{ .Values.nodeExporter.service.hostPort }} 37 | protocol: TCP 38 | targetPort: {{ .Values.nodeExporter.service.hostPort }} 39 | {{- else }} 40 | port: {{ .Values.nodeExporter.service.servicePort }} 41 | protocol: TCP 42 | targetPort: 9100 43 | {{- end }} 44 | selector: 45 | {{- include "prometheus.nodeExporter.matchLabels" . 
| nindent 4 }} 46 | type: "{{ .Values.nodeExporter.service.type }}" 47 | {{- end -}} 48 | -------------------------------------------------------------------------------- /charts/ziti-controller/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.useCustomAdminSecret }} 2 | --- 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ include "ziti-controller.fullname" . }}-admin-secret 7 | labels: 8 | {{- include "ziti-controller.labels" . | nindent 4 }} 9 | annotations: 10 | # "helm.sh/resource-policy": "keep" 11 | type: Opaque 12 | data: 13 | # retrieve the existing secret data with the lookup function; when the secret does not exist, fall back to an empty dictionary / map 14 | {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (print (include "ziti-controller.fullname" . ) "-admin-secret")) | default dict }} 15 | {{- $secretData := (get $secretObj "data") | default dict }} 16 | # set $adminPassword / $adminUser from the existing secret data, or generate a random password when none exists 17 | {{- $adminPassword := (get $secretData "admin-password") | default (randAlphaNum 32 | b64enc) }} 18 | {{- $adminUser := (get $secretData "admin-user") | default ("admin" | b64enc) }} 19 | # set the secret values 20 | admin-password: {{ $adminPassword | quote }} 21 | admin-user: {{ $adminUser | quote }} 22 | {{- end }} 23 | 24 | --- 25 | apiVersion: v1 26 | kind: Secret 27 | metadata: 28 | name: {{ include "ziti-controller.fullname" . }}-trust-domain 29 | labels: 30 | {{- include "ziti-controller.labels" . | nindent 4 }} 31 | annotations: 32 | # "helm.sh/resource-policy": "keep" 33 | type: Opaque 34 | data: 35 | {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (print (include "ziti-controller.fullname" . 
) "-trust-domain")) | default dict }} 36 | {{- $secretData := (get $secretObj "data") | default dict }} 37 | {{- $trustDomain := coalesce (.Values.trustDomain | default "" | b64enc) (get $secretData "trustDomain" | default ((printf "spiffe://%s" (randAlphaNum 32)) | b64enc)) }} 38 | trustDomain: {{ $trustDomain | quote }} 39 | -------------------------------------------------------------------------------- /charts/hello-toy/README.md: -------------------------------------------------------------------------------- 1 | # hello-toy 2 | 3 | ![Version: 3.0.2](https://img.shields.io/badge/Version-3.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1](https://img.shields.io/badge/AppVersion-v1-informational?style=flat-square) 4 | 5 | Run the lightweight toy web server, optionally with a custom service domain name in cluster DNS, e.g.: 6 | helm install my-toy-release openziti/hello-toy --set serviceDomainName=my-toy-service-dns 7 | 8 | ## Values 9 | 10 | | Key | Type | Default | Description | 11 | |-----|------|---------|-------------| 12 | | affinity | object | `{}` | | 13 | | dnsPolicy | string | `"ClusterFirstWithHostNet"` | | 14 | | hostNetwork | bool | `false` | | 15 | | image.args | list | `[]` | | 16 | | image.pullPolicy | string | `"IfNotPresent"` | | 17 | | image.repository | string | `"openziti/hello-world"` | | 18 | | imagePullSecrets | list | `[]` | | 19 | | ingress.enabled | bool | `false` | | 20 | | nodeSelector | object | `{}` | | 21 | | persistence.enabled | bool | `false` | | 22 | | podAnnotations | object | `{}` | | 23 | | podSecurityContext | object | `{}` | | 24 | | ports[0].containerPort | int | `8000` | | 25 | | ports[0].name | string | `"http"` | | 26 | | ports[0].protocol | string | `"TCP"` | | 27 | | replicas | int | `1` | | 28 | | resources | object | `{}` | | 29 | | securityContext | object | `{}` | | 30 | | service.port | int | `80` | | 31 | | 
service.type | string | `"ClusterIP"` | | 32 | | serviceAccount.annotations | object | `{}` | | 33 | | serviceAccount.create | bool | `false` | | 34 | | serviceAccount.name | string | `""` | | 35 | | tolerations | list | `[]` | | 36 | 37 | ---------------------------------------------- 38 | Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) 39 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/tests/podsecuritypolicy-config_test.yaml: -------------------------------------------------------------------------------- 1 | suite: PodSecurityPolicy configuration 2 | tests: 3 | - it: should be disabled by default 4 | asserts: 5 | - hasDocuments: 6 | count: 0 7 | template: rbac/podsecuritypolicy.yaml 8 | - it: should have privileged set to false 9 | set: 10 | podSecurityPolicy: 11 | enabled: true 12 | asserts: 13 | - equal: 14 | path: spec.privileged 15 | value: false 16 | template: rbac/podsecuritypolicy.yaml 17 | - it: should have hostNetwork set to false by default 18 | set: 19 | podSecurityPolicy: 20 | enabled: true 21 | asserts: 22 | - equal: 23 | path: spec.hostNetwork 24 | value: false 25 | template: rbac/podsecuritypolicy.yaml 26 | - it: should have hostNetwork set to true when enabled 27 | set: 28 | podSecurityPolicy: 29 | enabled: true 30 | hostNetwork: true 31 | asserts: 32 | - equal: 33 | path: spec.hostNetwork 34 | value: true 35 | template: rbac/podsecuritypolicy.yaml 36 | - it: should be enabled in clusterrole 37 | set: 38 | podSecurityPolicy: 39 | enabled: true 40 | asserts: 41 | - equal: 42 | path: rules[4].resources[0] 43 | value: podsecuritypolicies 44 | template: rbac/clusterrole.yaml 45 | - equal: 46 | path: rules[4].verbs[0] 47 | value: use 48 | template: rbac/clusterrole.yaml 49 | - it: should allow persistentVolumeClaim when persistence is enabled 50 | set: 51 | podSecurityPolicy: 52 | enabled: true 53 | persistence: 54 | 
enabled: true 55 | asserts: 56 | - equal: 57 | path: spec.volumes[5] 58 | value: persistentVolumeClaim 59 | template: rbac/podsecuritypolicy.yaml 60 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/rbac/podsecuritypolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podSecurityPolicy.enabled }} 2 | --- 3 | apiVersion: policy/v1beta1 4 | kind: PodSecurityPolicy 5 | metadata: 6 | annotations: 7 | seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default 8 | seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default 9 | name: {{ template "traefik.fullname" . }} 10 | labels: 11 | app.kubernetes.io/name: {{ template "traefik.name" . }} 12 | helm.sh/chart: {{ template "traefik.chart" . }} 13 | app.kubernetes.io/managed-by: {{ .Release.Service }} 14 | app.kubernetes.io/instance: {{ .Release.Name }} 15 | spec: 16 | privileged: false 17 | allowPrivilegeEscalation: false 18 | requiredDropCapabilities: 19 | - ALL 20 | {{- if not .Values.securityContext.runAsNonRoot }} 21 | allowedCapabilities: 22 | - NET_BIND_SERVICE 23 | {{- end }} 24 | hostNetwork: {{ .Values.hostNetwork }} 25 | hostIPC: false 26 | hostPID: false 27 | fsGroup: 28 | {{- if .Values.securityContext.runAsNonRoot }} 29 | ranges: 30 | - max: 65535 31 | min: 1 32 | rule: MustRunAs 33 | {{- else }} 34 | rule: RunAsAny 35 | {{- end }} 36 | {{- if .Values.hostNetwork }} 37 | hostPorts: 38 | - max: 65535 39 | min: 1 40 | {{- end }} 41 | readOnlyRootFilesystem: true 42 | runAsUser: 43 | {{- if .Values.securityContext.runAsNonRoot }} 44 | rule: MustRunAsNonRoot 45 | {{- else }} 46 | rule: RunAsAny 47 | {{- end }} 48 | seLinux: 49 | rule: RunAsAny 50 | supplementalGroups: 51 | {{- if .Values.securityContext.runAsNonRoot }} 52 | ranges: 53 | - max: 65535 54 | min: 1 55 | rule: MustRunAs 56 | {{- else }} 57 | rule: RunAsAny 58 | {{- end }} 59 | volumes: 60 | - 
configMap 61 | - downwardAPI 62 | - secret 63 | - emptyDir 64 | - projected 65 | {{- if .Values.persistence.enabled }} 66 | - persistentVolumeClaim 67 | {{- end -}} 68 | {{- end -}} -------------------------------------------------------------------------------- /charts/ziti-controller/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- with .Values.prometheus }} 2 | {{- if and .service.enabled .serviceMonitor.enabled }} 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | name: {{ include "ziti-controller.fullname" $ }} 7 | {{- with .serviceMonitor.namespace }} 8 | namespace: {{ . }} 9 | {{- end }} 10 | {{- with .serviceMonitor.annotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | labels: 15 | {{- include "ziti-controller.labels" $ | nindent 4 }} 16 | {{- with .serviceMonitor.labels }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | spec: 20 | {{- with .serviceMonitor.namespaceSelector }} 21 | namespaceSelector: 22 | {{- toYaml . | nindent 4 }} 23 | {{- end }} 24 | selector: 25 | matchLabels: 26 | {{- include "ziti-controller.selectorLabels" $ | nindent 6 }} 27 | {{- with .service.labels }} 28 | {{- toYaml . | nindent 6 }} 29 | {{- end }} 30 | endpoints: 31 | - port: prometheus 32 | {{- with $.Values.httpPathPrefix }} 33 | path: {{ printf "%s/metrics" . }} 34 | {{- end }} 35 | {{- with .serviceMonitor.interval }} 36 | interval: {{ . }} 37 | {{- end }} 38 | {{- with .serviceMonitor.scrapeTimeout }} 39 | scrapeTimeout: {{ . }} 40 | {{- end }} 41 | {{- with .serviceMonitor.relabelings }} 42 | relabelings: 43 | {{- toYaml . | nindent 8 }} 44 | {{- end }} 45 | {{- with .serviceMonitor.metricRelabelings }} 46 | metricRelabelings: 47 | {{- toYaml . | nindent 8 }} 48 | {{- end }} 49 | {{- with .serviceMonitor.scheme }} 50 | scheme: {{ . }} 51 | {{- end }} 52 | {{- with .serviceMonitor.tlsConfig }} 53 | tlsConfig: 54 | {{- toYaml . 
| nindent 8 }} 55 | {{- end }} 56 | {{- with .serviceMonitor.targetLabels }} 57 | targetLabels: 58 | {{- toYaml . | nindent 4 }} 59 | {{- end }} 60 | {{- end }} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /charts/httpbin/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "httpbin.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "httpbin.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "httpbin.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "httpbin.labels" -}} 37 | helm.sh/chart: {{ include "httpbin.chart" . }} 38 | {{ include "httpbin.selectorLabels" . 
}} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "httpbin.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "httpbin.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "httpbin.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "httpbin.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /charts/reflect/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "reflect.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "reflect.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 
28 | */}} 29 | {{- define "reflect.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "reflect.labels" -}} 37 | helm.sh/chart: {{ include "reflect.chart" . }} 38 | {{ include "reflect.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "reflect.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "reflect.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "reflect.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "reflect.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /charts/ziti-browzer-bootstrapper/templates/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "ziti-browzer-bootstrapper.fullname" . }} 6 | labels: 7 | {{- include "ziti-browzer-bootstrapper.labels" . | nindent 4 }} 8 | {{- with .Values.service.labels }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | {{- with .Values.service.annotations }} 12 | annotations: 13 | {{ toYaml . | nindent 4 }} 14 | {{- end }} 15 | spec: 16 | {{- $type := default "ClusterIP" .Values.service.type }} 17 | type: {{ $type }} 18 | {{- if eq $type "ClusterIP" }} 19 | {{- with .Values.service.clusterIP }} 20 | clusterIP: {{ . 
}} 21 | {{- end }} 22 | {{- else if eq $type "LoadBalancer" }} 23 | {{- with .Values.service.loadBalancerIP }} 24 | loadBalancerIP: {{ . }} 25 | {{- end }} 26 | {{- with .Values.service.externalTrafficPolicy }} 27 | externalTrafficPolicy: {{ . }} 28 | {{- end }} 29 | {{- with .Values.service.loadBalancerSourceRanges }} 30 | loadBalancerSourceRanges: 31 | {{- toYaml . | nindent 4 }} 32 | {{- end }} 33 | {{- end }} 34 | {{- if .Values.service.sessionAffinity }} 35 | sessionAffinity: {{ .Values.service.sessionAffinity }} 36 | {{- with .Values.service.sessionAffinityConfig }} 37 | sessionAffinityConfig: 38 | {{- toYaml . | nindent 4 }} 39 | {{- end }} 40 | {{- end }} 41 | {{- with .Values.service.externalIPs }} 42 | externalIPs: 43 | {{- toYaml . | nindent 4 }} 44 | {{- end }} 45 | {{- with .Values.service.publishNotReadyAddresses }} 46 | publishNotReadyAddresses: {{ . }} 47 | {{- end }} 48 | ports: 49 | - port: {{ .Values.service.advertisedPort }} 50 | targetPort: {{ .Values.service.containerPort }} 51 | protocol: TCP 52 | name: {{ .Values.service.portName }} 53 | {{- if (eq $type "NodePort") }} 54 | nodePort: {{ .Values.service.advertisedPort }} 55 | {{- end }} 56 | selector: 57 | {{- include "ziti-browzer-bootstrapper.selectorLabels" . | nindent 4 }} 58 | app.kubernetes.io/component: "ziti-browzer-bootstrapper" 59 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.alertmanager.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.alertmanager.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.alertmanager.service.annotations | indent 4 }} 8 | {{- end }} 9 | labels: 10 | {{- include "prometheus.alertmanager.labels" . 
| nindent 4 }} 11 | {{- if .Values.alertmanager.service.labels }} 12 | {{ toYaml .Values.alertmanager.service.labels | indent 4 }} 13 | {{- end }} 14 | name: {{ template "prometheus.alertmanager.fullname" . }} 15 | {{ include "prometheus.namespace" . | indent 2 }} 16 | spec: 17 | {{- if .Values.alertmanager.service.clusterIP }} 18 | clusterIP: {{ .Values.alertmanager.service.clusterIP }} 19 | {{- end }} 20 | {{- if .Values.alertmanager.service.externalIPs }} 21 | externalIPs: 22 | {{ toYaml .Values.alertmanager.service.externalIPs | indent 4 }} 23 | {{- end }} 24 | {{- if .Values.alertmanager.service.loadBalancerIP }} 25 | loadBalancerIP: {{ .Values.alertmanager.service.loadBalancerIP }} 26 | {{- end }} 27 | {{- if .Values.alertmanager.service.loadBalancerSourceRanges }} 28 | loadBalancerSourceRanges: 29 | {{- range $cidr := .Values.alertmanager.service.loadBalancerSourceRanges }} 30 | - {{ $cidr }} 31 | {{- end }} 32 | {{- end }} 33 | ports: 34 | - name: http 35 | port: {{ .Values.alertmanager.service.servicePort }} 36 | protocol: TCP 37 | targetPort: 9093 38 | {{- if .Values.alertmanager.service.nodePort }} 39 | nodePort: {{ .Values.alertmanager.service.nodePort }} 40 | {{- end }} 41 | {{- if .Values.alertmanager.service.enableMeshPeer }} 42 | - name: meshpeer 43 | port: 6783 44 | protocol: TCP 45 | targetPort: 6783 46 | {{- end }} 47 | selector: 48 | {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} 49 | {{- if .Values.alertmanager.service.sessionAffinity }} 50 | sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }} 51 | {{- end }} 52 | type: "{{ .Values.alertmanager.service.type }}" 53 | {{- end }} 54 | -------------------------------------------------------------------------------- /charts/hello-toy/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for hello-openziti. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | service: 6 | type: ClusterIP 7 | port: 80 8 | 9 | #releaseNameOverride: hello-acme # default is .Chart.Name 10 | #serviceDomainName: hello-acme-domain-name # default is {{release name}}-{{.Chart.Name}} 11 | 12 | ingress: 13 | enabled: false 14 | 15 | image: 16 | repository: openziti/hello-world 17 | pullPolicy: IfNotPresent 18 | # Overrides the image tag whose default is the chart appVersion. 19 | # tag: 20 | args: [] 21 | 22 | dnsPolicy: ClusterFirstWithHostNet 23 | 24 | imagePullSecrets: [] 25 | 26 | podAnnotations: {} 27 | 28 | podSecurityContext: {} 29 | # fsGroup: 2000 30 | 31 | hostNetwork: False 32 | securityContext: {} 33 | # capabilities: 34 | # add: 35 | # - NET_ADMIN 36 | 37 | resources: {} 38 | # We usually recommend not to specify default resources and to leave this as a conscious 39 | # choice for the user. This also increases chances charts run on environments with little 40 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 41 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 42 | # limits: 43 | # cpu: 100m 44 | # memory: 128Mi 45 | # requests: 46 | # cpu: 100m 47 | # memory: 128Mi 48 | 49 | ports: 50 | - name: http 51 | containerPort: 8000 52 | protocol: TCP 53 | 54 | nodeSelector: {} 55 | # kubernetes.io/role: master 56 | 57 | tolerations: [] 58 | # - key: node-role.kubernetes.io/master 59 | # operator: Exists 60 | # effect: NoSchedule 61 | 62 | affinity: {} 63 | 64 | replicas: 1 65 | 66 | persistence: 67 | enabled: false 68 | 69 | serviceAccount: 70 | # Specifies whether a service account should be created 71 | create: false 72 | # Annotations to add to the service account 73 | annotations: {} 74 | # The name of the service account to use. 
75 | # If not set and create is true, a name is generated using the fullname template 76 | name: "" 77 | -------------------------------------------------------------------------------- /charts/hello-toy/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "hello-openziti.name" . }} 5 | labels: 6 | {{- include "hello-openziti.labels" . | nindent 4 }} 7 | spec: 8 | replicas: {{ .Values.replicas }} 9 | selector: 10 | matchLabels: 11 | {{- include "hello-openziti.selectorLabels" . | nindent 6 }} 12 | template: 13 | metadata: 14 | {{- with .Values.podAnnotations }} 15 | annotations: 16 | {{- toYaml . | nindent 8 }} 17 | {{- end }} 18 | labels: 19 | {{- include "hello-openziti.selectorLabels" . | nindent 8 }} 20 | spec: 21 | {{- with .Values.imagePullSecrets }} 22 | imagePullSecrets: 23 | {{- toYaml . | nindent 8 }} 24 | {{- end }} 25 | serviceAccountName: {{ include "hello-openziti.serviceAccountName" . }} 26 | securityContext: 27 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 28 | dnsPolicy: {{ .Values.dnsPolicy }} 29 | containers: 30 | - name: {{ .Chart.Name }} 31 | securityContext: 32 | {{- toYaml .Values.securityContext | nindent 12 }} 33 | image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} 34 | imagePullPolicy: {{ .Values.image.pullPolicy }} 35 | ports: 36 | {{- toYaml .Values.ports | nindent 12 }} 37 | resources: 38 | {{- toYaml .Values.resources | nindent 12 }} 39 | {{ if .Values.image.command }} 40 | command: {{ .Values.image.command }} 41 | {{ end }} 42 | args: 43 | {{- toYaml .Values.image.args | nindent 12 }} 44 | hostNetwork: {{ .Values.hostNetwork }} 45 | {{- with .Values.nodeSelector }} 46 | nodeSelector: 47 | {{- toYaml . | nindent 8 }} 48 | {{- end }} 49 | {{- with .Values.affinity }} 50 | affinity: 51 | {{- toYaml . 
| nindent 8 }} 52 | {{- end }} 53 | {{- with .Values.tolerations }} 54 | tolerations: 55 | {{- toYaml . | nindent 8 }} 56 | {{- end }} 57 | 58 | -------------------------------------------------------------------------------- /charts/hello-toy/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "hello-openziti.name" -}} 5 | {{- default .Chart.Name .Values.releaseNameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "hello-openziti.fullname" -}} 14 | {{- if .Values.serviceDomainName }} 15 | {{- .Values.serviceDomainName | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.releaseNameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "hello-openziti.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "hello-openziti.labels" -}} 37 | helm.sh/chart: {{ include "hello-openziti.chart" . }} 38 | {{ include "hello-openziti.selectorLabels" . 
}} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "hello-openziti.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "hello-openziti.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "hello-openziti.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "hello-openziti.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /charts/httpbin/templates/pre-delete-hook .yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.zitiEnrollment }} 2 | --- 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: {{ .Release.Name }}-pre-delete-job 7 | labels: 8 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 9 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 10 | app.kubernetes.io/version: {{ .Chart.AppVersion }} 11 | helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 12 | annotations: 13 | # This is what defines this resource as a hook. Without this line, the 14 | # job is considered part of the release. 
15 | "helm.sh/hook": pre-delete 16 | "helm.sh/hook-weight": "-5" 17 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 18 | spec: 19 | backoffLimit: 0 20 | completions: 1 21 | template: 22 | metadata: 23 | name: {{ .Release.Name }} 24 | labels: 25 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 26 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 27 | helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 28 | {{- include "httpbin.labels" . | nindent 8 }} 29 | {{- with .Values.podAnnotations }} 30 | annotations: 31 | {{- toYaml . | nindent 8 }} 32 | {{- end }} 33 | spec: 34 | restartPolicy: Never 35 | serviceAccountName: {{ include "httpbin.fullname" . }}-hook-serviceaccount 36 | containers: 37 | - name: pre-delete-job 38 | image: {{ .Values.zitiImage.repository }} 39 | imagePullPolicy: {{ .Values.zitiImage.pullPolicy }} 40 | volumeMounts: 41 | - name: httpbin-config 42 | mountPath: /usr/local/bin/{{ .Values.deleteIdentityScriptFile }} 43 | subPath: {{ .Values.deleteIdentityScriptFile }} 44 | readOnly: true 45 | command: ["{{ .Values.deleteIdentityScriptFile }}"] 46 | volumes: 47 | - name: httpbin-config 48 | configMap: 49 | name: {{ include "httpbin.fullname" . 
}}-config 50 | items: 51 | - key: {{ .Values.deleteIdentityScriptFile }} 52 | path: {{ .Values.deleteIdentityScriptFile }} 53 | mode: 0555 54 | {{- end -}} 55 | -------------------------------------------------------------------------------- /charts/ziti-controller/files/chown-cert-manager.bash: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # set owner labels and annotations for existing cert-manager and trust-manager CRDs and resources to allow future 4 | # cert-manager and trust-manager Helm releases to import them 5 | # 6 | 7 | set -o errexit 8 | set -o pipefail 9 | set -o nounset 10 | 11 | : "${CM_NAMESPACE:=cert-manager}" 12 | : "${CM_RELEASE_NAME:=cert-manager}" 13 | : "${TM_NAMESPACE:=cert-manager}" 14 | : "${TM_RELEASE_NAME:=trust-manager}" 15 | : "${ZITI_NAMESPACE:=ziti}" 16 | 17 | # cert-manager CRDs, not trust-manager CRD 18 | while read 19 | do 20 | kubectl annotate crds "$REPLY" --overwrite \ 21 | meta.helm.sh/release-name="${CM_RELEASE_NAME}" \ 22 | meta.helm.sh/release-namespace="${CM_NAMESPACE}" 23 | kubectl label crds "$REPLY" \ 24 | app.kubernetes.io/managed-by=Helm 25 | done< <(kubectl get crds | grep -v 'bundles\.trust\.cert-manager\.io' | grep -w 'cert-manager\.io' | cut -f 1 -d ' ') 26 | 27 | # trust-manager CRD 28 | kubectl annotate crds bundles.trust.cert-manager.io --overwrite \ 29 | meta.helm.sh/release-name="${TM_RELEASE_NAME}" \ 30 | meta.helm.sh/release-namespace="${CM_NAMESPACE}" 31 | kubectl label crds bundles.trust.cert-manager.io \ 32 | app.kubernetes.io/managed-by=Helm 33 | 34 | # cluster-wide core resources to be imported by trust-manager 35 | for R in ClusterRole{,Binding} ValidatingWebhookConfiguration 36 | do 37 | kubectl annotate "$R" "${TM_RELEASE_NAME}" --overwrite \ 38 | meta.helm.sh/release-name="${TM_RELEASE_NAME}" \ 39 | meta.helm.sh/release-namespace="${CM_NAMESPACE}" 40 | kubectl label "$R" "${TM_RELEASE_NAME}" \ 41 | 
app.kubernetes.io/managed-by=Helm 42 | done 43 | 44 | # namespaced core resources to be imported by trust-manager 45 | for R in Role{,Binding} 46 | do 47 | kubectl annotate -n "${ZITI_NAMESPACE}" "$R" "${TM_RELEASE_NAME}" --overwrite \ 48 | meta.helm.sh/release-name="${TM_RELEASE_NAME}" \ 49 | meta.helm.sh/release-namespace="${CM_NAMESPACE}" 50 | kubectl label -n "${ZITI_NAMESPACE}" "$R" "${TM_RELEASE_NAME}" \ 51 | app.kubernetes.io/managed-by=Helm 52 | done 53 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/crds/middlewarestcp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.4.1 6 | creationTimestamp: null 7 | name: middlewaretcps.traefik.containo.us 8 | spec: 9 | group: traefik.containo.us 10 | names: 11 | kind: MiddlewareTCP 12 | listKind: MiddlewareTCPList 13 | plural: middlewaretcps 14 | singular: middlewaretcp 15 | scope: Namespaced 16 | versions: 17 | - name: v1alpha1 18 | schema: 19 | openAPIV3Schema: 20 | description: MiddlewareTCP is a specification for a MiddlewareTCP resource. 21 | properties: 22 | apiVersion: 23 | description: 'APIVersion defines the versioned schema of this representation 24 | of an object. Servers should convert recognized schemas to the latest 25 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 26 | type: string 27 | kind: 28 | description: 'Kind is a string value representing the REST resource this 29 | object represents. Servers may infer this from the endpoint the client 30 | submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 31 | type: string 32 | metadata: 33 | type: object 34 | spec: 35 | description: MiddlewareTCPSpec holds the MiddlewareTCP configuration. 36 | properties: 37 | ipWhiteList: 38 | description: TCPIPWhiteList holds the TCP ip white list configuration. 39 | properties: 40 | sourceRange: 41 | items: 42 | type: string 43 | type: array 44 | type: object 45 | type: object 46 | required: 47 | - metadata 48 | - spec 49 | type: object 50 | served: true 51 | storage: true 52 | status: 53 | acceptedNames: 54 | kind: "" 55 | plural: "" 56 | conditions: [] 57 | storedVersions: [] 58 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/templates/rbac/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "traefik.fullname" . }} 6 | labels: 7 | app.kubernetes.io/name: {{ template "traefik.name" . }} 8 | helm.sh/chart: {{ template "traefik.chart" . 
}} 9 | app.kubernetes.io/managed-by: {{ .Release.Service }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | rules: 12 | - apiGroups: 13 | - "" 14 | resources: 15 | - services 16 | - endpoints 17 | - secrets 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - extensions 24 | - networking.k8s.io 25 | resources: 26 | - ingresses 27 | - ingressclasses 28 | verbs: 29 | - get 30 | - list 31 | - watch 32 | - apiGroups: 33 | - extensions 34 | - networking.k8s.io 35 | resources: 36 | - ingresses/status 37 | verbs: 38 | - update 39 | - apiGroups: 40 | - traefik.containo.us 41 | resources: 42 | - ingressroutes 43 | - ingressroutetcps 44 | - ingressrouteudps 45 | - middlewares 46 | - middlewaretcps 47 | - tlsoptions 48 | - tlsstores 49 | - traefikservices 50 | - serverstransports 51 | verbs: 52 | - get 53 | - list 54 | - watch 55 | {{- if .Values.podSecurityPolicy.enabled }} 56 | - apiGroups: 57 | - policy 58 | resourceNames: 59 | - {{ template "traefik.fullname" . }} 60 | resources: 61 | - podsecuritypolicies 62 | verbs: 63 | - use 64 | {{- end -}} 65 | {{- if .Values.experimental.kubernetesGateway.enabled }} 66 | - apiGroups: 67 | - networking.x-k8s.io 68 | resources: 69 | - gatewayclasses 70 | - gateways 71 | - httproutes 72 | - tcproutes 73 | - tlsroutes 74 | verbs: 75 | - get 76 | - list 77 | - watch 78 | - apiGroups: 79 | - networking.x-k8s.io 80 | resources: 81 | - gatewayclasses/status 82 | - gateways/status 83 | - httproutes/status 84 | - tcproutes/status 85 | - tlsroutes/status 86 | verbs: 87 | - update 88 | {{- end -}} 89 | {{- end -}} 90 | -------------------------------------------------------------------------------- /charts/ziti-host/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 
3 | */}} 4 | 5 | {{- define "ziti-host.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 7 | {{- end }} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "ziti-host.fullname" -}} 15 | {{- if .Values.fullnameOverride }} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 17 | {{- else }} 18 | {{- $name := default .Chart.Name .Values.nameOverride }} 19 | {{- if contains $name .Release.Name }} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 21 | {{- else }} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 23 | {{- end }} 24 | {{- end }} 25 | {{- end }} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "ziti-host.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 32 | {{- end }} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "ziti-host.labels" -}} 38 | helm.sh/chart: {{ include "ziti-host.chart" . }} 39 | {{ include "ziti-host.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end }} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "ziti-host.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "ziti-host.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end }} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "ziti-host.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create }} 59 | {{- default (include "ziti-host.fullname" .) 
.Values.serviceAccount.name }} 60 | {{- else }} 61 | {{- default "default" .Values.serviceAccount.name }} 62 | {{- end }} 63 | {{- end }} 64 | 65 | {{/* 66 | Define the mount path for the identity PVC. 67 | */}} 68 | {{- define "ziti-host.identityMountPath" -}} 69 | /ziti-edge-tunnel 70 | {{- end }} 71 | -------------------------------------------------------------------------------- /charts/reflect/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for reflect. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: nfnpieros/reflect 9 | pullPolicy: IfNotPresent 10 | # Overrides the image tag whose default is the chart appVersion. 11 | tag: "" 12 | 13 | imagePullSecrets: [] 14 | nameOverride: "" 15 | fullnameOverride: "" 16 | 17 | serviceAccount: 18 | # Specifies whether a service account should be created 19 | create: true 20 | # Annotations to add to the service account 21 | annotations: {} 22 | # The name of the service account to use. 
23 | # If not set and create is true, a name is generated using the fullname template 24 | name: "" 25 | 26 | podAnnotations: {} 27 | 28 | podSecurityContext: {} 29 | # fsGroup: 2000 30 | 31 | securityContext: {} 32 | # capabilities: 33 | # drop: 34 | # - ALL 35 | # readOnlyRootFilesystem: true 36 | # runAsNonRoot: true 37 | # runAsUser: 1000 38 | 39 | service: 40 | type: ClusterIP 41 | port: 80 42 | 43 | ingress: 44 | enabled: false 45 | className: "" 46 | annotations: {} 47 | # kubernetes.io/ingress.class: nginx 48 | # kubernetes.io/tls-acme: "true" 49 | hosts: 50 | - host: chart-example.local 51 | paths: 52 | - path: / 53 | pathType: ImplementationSpecific 54 | tls: [] 55 | # - secretName: chart-example-tls 56 | # hosts: 57 | # - chart-example.local 58 | 59 | resources: {} 60 | # We usually recommend not to specify default resources and to leave this as a conscious 61 | # choice for the user. This also increases chances charts run on environments with little 62 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 63 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 64 | # limits: 65 | # cpu: 100m 66 | # memory: 128Mi 67 | # requests: 68 | # cpu: 100m 69 | # memory: 128Mi 70 | 71 | autoscaling: 72 | enabled: false 73 | minReplicas: 1 74 | maxReplicas: 100 75 | targetCPUUtilizationPercentage: 80 76 | # targetMemoryUtilizationPercentage: 80 77 | 78 | nodeSelector: {} 79 | 80 | tolerations: [] 81 | 82 | affinity: {} 83 | 84 | serviceName: "reflect" 85 | prometheusServiceName: "metrics" 86 | -------------------------------------------------------------------------------- /charts/reflect/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "reflect.fullname" . 
-}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} 5 | {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} 6 | {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} 7 | {{- end }} 8 | {{- end }} 9 | {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} 10 | apiVersion: networking.k8s.io/v1 11 | {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 12 | apiVersion: networking.k8s.io/v1beta1 13 | {{- else -}} 14 | apiVersion: extensions/v1beta1 15 | {{- end }} 16 | kind: Ingress 17 | metadata: 18 | name: {{ $fullName }} 19 | labels: 20 | {{- include "reflect.labels" . | nindent 4 }} 21 | {{- with .Values.ingress.annotations }} 22 | annotations: 23 | {{- toYaml . | nindent 4 }} 24 | {{- end }} 25 | spec: 26 | {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} 27 | ingressClassName: {{ .Values.ingress.className }} 28 | {{- end }} 29 | {{- if .Values.ingress.tls }} 30 | tls: 31 | {{- range .Values.ingress.tls }} 32 | - hosts: 33 | {{- range .hosts }} 34 | - {{ . 
| quote }} 35 | {{- end }} 36 | secretName: {{ .secretName }} 37 | {{- end }} 38 | {{- end }} 39 | rules: 40 | {{- range .Values.ingress.hosts }} 41 | - host: {{ .host | quote }} 42 | http: 43 | paths: 44 | {{- range .paths }} 45 | - path: {{ .path }} 46 | {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} 47 | pathType: {{ .pathType }} 48 | {{- end }} 49 | backend: 50 | {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} 51 | service: 52 | name: {{ $fullName }} 53 | port: 54 | number: {{ $svcPort }} 55 | {{- else }} 56 | serviceName: {{ $fullName }} 57 | servicePort: {{ $svcPort }} 58 | {{- end }} 59 | {{- end }} 60 | {{- end }} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /charts/prometheus/templates/pushgateway/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.pushgateway.enabled .Values.pushgateway.ingress.enabled -}} 2 | {{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} 3 | {{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} 4 | {{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} 5 | {{- $releaseName := .Release.Name -}} 6 | {{- $serviceName := include "prometheus.pushgateway.fullname" . }} 7 | {{- $servicePort := .Values.pushgateway.service.servicePort -}} 8 | {{- $ingressPath := .Values.pushgateway.ingress.path -}} 9 | {{- $ingressPathType := .Values.pushgateway.ingress.pathType -}} 10 | {{- $extraPaths := .Values.pushgateway.ingress.extraPaths -}} 11 | apiVersion: {{ template "ingress.apiVersion" . }} 12 | kind: Ingress 13 | metadata: 14 | {{- if .Values.pushgateway.ingress.annotations }} 15 | annotations: 16 | {{ toYaml .Values.pushgateway.ingress.annotations | indent 4}} 17 | {{- end }} 18 | labels: 19 | {{- include "prometheus.pushgateway.labels" . 
| nindent 4 }} 20 | name: {{ template "prometheus.pushgateway.fullname" . }} 21 | {{ include "prometheus.namespace" . | indent 2 }} 22 | spec: 23 | {{- if and $ingressSupportsIngressClassName .Values.pushgateway.ingress.ingressClassName }} 24 | ingressClassName: {{ .Values.pushgateway.ingress.ingressClassName }} 25 | {{- end }} 26 | rules: 27 | {{- range .Values.pushgateway.ingress.hosts }} 28 | {{- $url := splitList "/" . }} 29 | - host: {{ first $url }} 30 | http: 31 | paths: 32 | {{ if $extraPaths }} 33 | {{ toYaml $extraPaths | indent 10 }} 34 | {{- end }} 35 | - path: {{ $ingressPath }} 36 | {{- if $ingressSupportsPathType }} 37 | pathType: {{ $ingressPathType }} 38 | {{- end }} 39 | backend: 40 | {{- if $ingressApiIsStable }} 41 | service: 42 | name: {{ $serviceName }} 43 | port: 44 | number: {{ $servicePort }} 45 | {{- else }} 46 | serviceName: {{ $serviceName }} 47 | servicePort: {{ $servicePort }} 48 | {{- end }} 49 | {{- end -}} 50 | {{- if .Values.pushgateway.ingress.tls }} 51 | tls: 52 | {{ toYaml .Values.pushgateway.ingress.tls | indent 4 }} 53 | {{- end -}} 54 | {{- end -}} -------------------------------------------------------------------------------- /charts/httpbin/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if .Release.IsUpgrade }} 2 | Your release {{ .Release.Name }} was upgraded. 3 | {{ else if .Release.IsInstall }} 4 | This is the first install of release {{ .Release.Name }}. 5 | {{ else }} 6 | {{ .Chart.Name }} was neither installed nor upgraded. 7 | {{ end }} 8 | 9 | You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}. 10 | 11 | To learn more about the release, try: 12 | 13 | $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} 14 | $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} 15 | 16 | 1. 
Get the application URL by running these commands: 17 | {{- if .Values.ingress.enabled }} 18 | {{- range $host := .Values.ingress.hosts }} 19 | {{- range .paths }} 20 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} 21 | {{- end }} 22 | {{- end }} 23 | {{- else if contains "NodePort" .Values.service.type }} 24 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "httpbin.fullname" . }}) 25 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 26 | echo http://$NODE_IP:$NODE_PORT 27 | {{- else if contains "LoadBalancer" .Values.service.type }} 28 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 29 | You can watch the status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "httpbin.fullname" . }}' 30 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "httpbin.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 31 | echo http://$SERVICE_IP:{{ .Values.service.port }} 32 | {{- else if contains "ClusterIP" .Values.service.type }} 33 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "httpbin.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 34 | export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") 35 | echo "Visit http://127.0.0.1:8080 to use your application" 36 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.server.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.server.service.annotations | indent 4 }} 8 | {{- end }} 9 | labels: 10 | {{- include "prometheus.server.labels" . | nindent 4 }} 11 | {{- if .Values.server.service.labels }} 12 | {{ toYaml .Values.server.service.labels | indent 4 }} 13 | {{- end }} 14 | name: {{ template "prometheus.server.fullname" . }} 15 | {{ include "prometheus.namespace" . 
| indent 2 }} 16 | spec: 17 | {{- if .Values.server.service.clusterIP }} 18 | clusterIP: {{ .Values.server.service.clusterIP }} 19 | {{- end }} 20 | {{- if .Values.server.service.externalIPs }} 21 | externalIPs: 22 | {{ toYaml .Values.server.service.externalIPs | indent 4 }} 23 | {{- end }} 24 | {{- if .Values.server.service.loadBalancerIP }} 25 | loadBalancerIP: {{ .Values.server.service.loadBalancerIP }} 26 | {{- end }} 27 | {{- if .Values.server.service.loadBalancerSourceRanges }} 28 | loadBalancerSourceRanges: 29 | {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }} 30 | - {{ $cidr }} 31 | {{- end }} 32 | {{- end }} 33 | ports: 34 | - name: http 35 | port: {{ .Values.server.service.servicePort }} 36 | protocol: TCP 37 | targetPort: 9090 38 | {{- if .Values.server.service.nodePort }} 39 | nodePort: {{ .Values.server.service.nodePort }} 40 | {{- end }} 41 | {{- if .Values.server.service.gRPC.enabled }} 42 | - name: grpc 43 | port: {{ .Values.server.service.gRPC.servicePort }} 44 | protocol: TCP 45 | targetPort: 10901 46 | {{- if .Values.server.service.gRPC.nodePort }} 47 | nodePort: {{ .Values.server.service.gRPC.nodePort }} 48 | {{- end }} 49 | {{- end }} 50 | selector: 51 | {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }} 52 | statefulset.kubernetes.io/pod-name: {{ template "prometheus.server.fullname" . }}-{{ .Values.server.service.statefulsetReplica.replica }} 53 | {{- else -}} 54 | {{- include "prometheus.server.matchLabels" . 
| nindent 4 }} 55 | {{- if .Values.server.service.sessionAffinity }} 56 | sessionAffinity: {{ .Values.server.service.sessionAffinity }} 57 | {{- end }} 58 | {{- end }} 59 | type: "{{ .Values.server.service.type }}" 60 | {{- end -}} 61 | -------------------------------------------------------------------------------- /charts/reflect/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if .Release.IsUpgrade }} 2 | Your release {{ .Release.Name }} was upgraded. 3 | {{ else if .Release.IsInstall }} 4 | This is the first install of release {{ .Release.Name }}. 5 | {{ else }} 6 | {{ .Chart.Name }} was neither installed nor upgraded. 7 | {{ end }} 8 | 9 | You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}. 10 | 11 | To learn more about the release, try: 12 | 13 | $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} 14 | $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} 15 | 16 | 1. Get the application URL by running these commands: 17 | {{- if .Values.ingress.enabled }} 18 | {{- range $host := .Values.ingress.hosts }} 19 | {{- range .paths }} 20 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} 21 | {{- end }} 22 | {{- end }} 23 | {{- else if contains "NodePort" .Values.service.type }} 24 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "reflect.fullname" . }}) 25 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 26 | echo http://$NODE_IP:$NODE_PORT 27 | {{- else if contains "LoadBalancer" .Values.service.type }} 28 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 29 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "reflect.fullname" . 
}}' 30 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "reflect.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 31 | echo http://$SERVICE_IP:{{ .Values.service.port }} 32 | {{- else if contains "ClusterIP" .Values.service.type }} 33 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "reflect.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 34 | export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") 35 | echo "Visit http://127.0.0.1:8080 to use your application" 36 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /charts/ziti-edge-tunnel/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | 5 | {{- define "ziti-edge-tunnel.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 7 | {{- end }} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "ziti-edge-tunnel.fullname" -}} 15 | {{- if .Values.fullnameOverride }} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 17 | {{- else }} 18 | {{- $name := default .Chart.Name .Values.nameOverride }} 19 | {{- if contains $name .Release.Name }} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 21 | {{- else }} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 23 | {{- end }} 24 | {{- end }} 25 | {{- end }} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "ziti-edge-tunnel.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 32 | {{- end }} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "ziti-edge-tunnel.labels" -}} 38 | helm.sh/chart: {{ include "ziti-edge-tunnel.chart" . }} 39 | {{ include "ziti-edge-tunnel.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end }} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "ziti-edge-tunnel.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "ziti-edge-tunnel.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end }} 53 | 54 | {{/* 55 | Define the mount path for the identity PVC. 56 | */}} 57 | {{- define "ziti-edge-tunnel.identityMountPath" -}} 58 | /ziti-edge-tunnel 59 | {{- end }} 60 | 61 | {{/* 62 | Create the name of the service account to use 63 | */}} 64 | {{- define "ziti-edge-tunnel.serviceAccountName" -}} 65 | {{- if .Values.serviceAccount.create }} 66 | {{- default (include "ziti-edge-tunnel.fullname" .) 
.Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/charts/reflect/templates/deployment.yaml:
--------------------------------------------------------------------------------
# Deployment for the reflect server. Everything security-relevant in this
# template (pod/container securityContext, resources, image pull policy,
# scheduling) is copied from values via toYaml; the template adds no
# defaults of its own, so an empty value renders nothing at all.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "reflect.fullname" . }}
  labels:
    {{- include "reflect.labels" . | nindent 4 }}
spec:
  # replicas is only emitted when autoscaling is off, so an HPA can own it.
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "reflect.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "reflect.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "reflect.serviceAccountName" . }}
      # Pod-level securityContext taken verbatim from values (no chart defaults).
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          # Container-level securityContext taken verbatim from values (no chart defaults).
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          volumeMounts:
            # The Ziti identity is projected as a single file via subPath.
            # NOTE(review): subPath mounts are not refreshed when the backing
            # ConfigMap changes, so a rotated identity needs a pod restart — confirm.
            - name: identity-file
              mountPath: /app/reflect-server.json
              subPath: reflect-server.json
          # The tag falls back to the chart's appVersion when image.tag is unset.
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          env:
            - name: SERVICE_NAME
              value: "{{ .Values.serviceName }}"
            - name: PROMETHEUS_SERVICE_NAME
              value: "{{ .Values.prometheusServiceName }}"
      volumes:
        # NOTE(review): the identity file is sourced from a ConfigMap, not a
        # Secret. A Ziti identity JSON usually carries the private key next to
        # the certificate; if that is the case here, key material sits in an
        # object that RBAC and tooling do not treat as sensitive. Confirm what
        # the file holds; a Secret is the conventional home for a key.
        # The ConfigMap name is also hard-coded rather than derived from
        # "reflect.fullname" like every other name in this template, so two
        # releases in one namespace would point at the same object.
        - name: identity-file
          configMap:
            name: reflect-identity-file
            items:
              - key: reflect-server.json
                path: reflect-server.json
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--------------------------------------------------------------------------------
/charts/hello-toy/templates/NOTES.txt:
--------------------------------------------------------------------------------
{{ if .Release.IsUpgrade }}
Your release {{ .Release.Name }} was upgraded.
{{ else if .Release.IsInstall }}
This is the first install of release {{ .Release.Name }}.
{{ else }}
{{ .Chart.Name }} was neither installed nor upgraded.
{{ end }}

You have chart version {{ .Chart.Version }} and app version {{ .Chart.AppVersion }}.

To learn more about the release, try:

  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}

1. 
Get the application URL by running these commands: 17 | {{- if .Values.ingress.enabled }} 18 | {{- range $host := .Values.ingress.hosts }} 19 | {{- range .paths }} 20 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} 21 | {{- end }} 22 | {{- end }} 23 | {{- else if contains "NodePort" .Values.service.type }} 24 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hello-openziti.fullname" . }}) 25 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 26 | echo http://$NODE_IP:$NODE_PORT 27 | {{- else if contains "LoadBalancer" .Values.service.type }} 28 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 29 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hello-openziti.fullname" . }}' 30 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "hello-openziti.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 31 | echo http://$SERVICE_IP:{{ .Values.service.port }} 32 | {{- else if contains "ClusterIP" .Values.service.type }} 33 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hello-openziti.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 34 | export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") 35 | echo "Visit http://127.0.0.1:8080 to use your application" 36 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/tests/deployment-config_test.yaml: -------------------------------------------------------------------------------- 1 | suite: Deployment configuration 2 | templates: 3 | - deployment.yaml 4 | tests: 5 | - it: should have 1 replica by default 6 | asserts: 7 | - equal: 8 | path: spec.replicas 9 | value: 1 10 | - it: should have the specified amount of replicas when specified via values 11 | set: 12 | deployment: 13 | replicas: 3 14 | asserts: 15 | - equal: 16 | path: spec.replicas 17 | value: 3 18 | - it: should have a rollingUpdate strategy with default values 19 | asserts: 20 | - equal: 21 | path: spec.strategy.type 22 | value: RollingUpdate 23 | - equal: 24 | path: spec.strategy.rollingUpdate.maxUnavailable 25 | value: 1 26 | - equal: 27 | path: spec.strategy.rollingUpdate.maxSurge 28 | value: 1 29 | - it: should have a custom merged rollingUpdate strategy with specified values 30 | set: 31 | rollingUpdate: 32 | maxUnavailable: 4 33 | vegetaForce: 9000 34 | asserts: 35 | - equal: 36 | path: spec.strategy.type 37 | value: RollingUpdate 38 | - equal: 39 | path: spec.strategy.rollingUpdate.maxUnavailable 40 | value: 4 41 | - equal: 42 | path: spec.strategy.rollingUpdate.maxSurge 43 | value: 1 44 | - equal: 45 | path: spec.strategy.rollingUpdate.vegetaForce 46 | value: 9000 47 | - it: should have annotations with specified values 48 | set: 49 | deployment: 50 | annotations: 51 | traefik/powpow: annotations 52 | podAnnotations: 53 | 
traefik/powpow: podAnnotations 54 | asserts: 55 | - equal: 56 | path: metadata.annotations.traefik/powpow 57 | value: annotations 58 | - equal: 59 | path: spec.template.metadata.annotations.traefik/powpow 60 | value: podAnnotations 61 | - it: should have labels with specified values 62 | set: 63 | deployment: 64 | labels: 65 | traefik/powpow: labels 66 | podLabels: 67 | traefik/powpow: podLabels 68 | asserts: 69 | - equal: 70 | path: metadata.labels.traefik/powpow 71 | value: labels 72 | - equal: 73 | path: spec.template.metadata.labels.traefik/powpow 74 | value: podLabels 75 | -------------------------------------------------------------------------------- /charts/prometheus/templates/server/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.enabled -}} 2 | {{- if .Values.server.ingress.enabled -}} 3 | {{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} 4 | {{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} 5 | {{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} 6 | {{- $releaseName := .Release.Name -}} 7 | {{- $serviceName := include "prometheus.server.fullname" . }} 8 | {{- $servicePort := .Values.server.service.servicePort -}} 9 | {{- $ingressPath := .Values.server.ingress.path -}} 10 | {{- $ingressPathType := .Values.server.ingress.pathType -}} 11 | {{- $extraPaths := .Values.server.ingress.extraPaths -}} 12 | apiVersion: {{ template "ingress.apiVersion" . }} 13 | kind: Ingress 14 | metadata: 15 | {{- if .Values.server.ingress.annotations }} 16 | annotations: 17 | {{ toYaml .Values.server.ingress.annotations | indent 4 }} 18 | {{- end }} 19 | labels: 20 | {{- include "prometheus.server.labels" . | nindent 4 }} 21 | {{- range $key, $value := .Values.server.ingress.extraLabels }} 22 | {{ $key }}: {{ $value }} 23 | {{- end }} 24 | name: {{ template "prometheus.server.fullname" . 
}} 25 | {{ include "prometheus.namespace" . | indent 2 }} 26 | spec: 27 | {{- if and $ingressSupportsIngressClassName .Values.server.ingress.ingressClassName }} 28 | ingressClassName: {{ .Values.server.ingress.ingressClassName }} 29 | {{- end }} 30 | rules: 31 | {{- range .Values.server.ingress.hosts }} 32 | {{- $url := splitList "/" . }} 33 | - host: {{ first $url }} 34 | http: 35 | paths: 36 | {{ if $extraPaths }} 37 | {{ toYaml $extraPaths | indent 10 }} 38 | {{- end }} 39 | - path: {{ $ingressPath }} 40 | {{- if $ingressSupportsPathType }} 41 | pathType: {{ $ingressPathType }} 42 | {{- end }} 43 | backend: 44 | {{- if $ingressApiIsStable }} 45 | service: 46 | name: {{ $serviceName }} 47 | port: 48 | number: {{ $servicePort }} 49 | {{- else }} 50 | serviceName: {{ $serviceName }} 51 | servicePort: {{ $servicePort }} 52 | {{- end }} 53 | {{- end -}} 54 | {{- if .Values.server.ingress.tls }} 55 | tls: 56 | {{ toYaml .Values.server.ingress.tls | indent 4 }} 57 | {{- end -}} 58 | {{- end -}} 59 | {{- end -}} 60 | -------------------------------------------------------------------------------- /charts/traefik-charts/traefik/crds/tlsstores.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.4.1 6 | creationTimestamp: null 7 | name: tlsstores.traefik.containo.us 8 | spec: 9 | group: traefik.containo.us 10 | names: 11 | kind: TLSStore 12 | listKind: TLSStoreList 13 | plural: tlsstores 14 | singular: tlsstore 15 | scope: Namespaced 16 | versions: 17 | - name: v1alpha1 18 | schema: 19 | openAPIV3Schema: 20 | description: TLSStore is a specification for a TLSStore resource. 21 | properties: 22 | apiVersion: 23 | description: 'APIVersion defines the versioned schema of this representation 24 | of an object. 
Servers should convert recognized schemas to the latest 25 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 26 | type: string 27 | kind: 28 | description: 'Kind is a string value representing the REST resource this 29 | object represents. Servers may infer this from the endpoint the client 30 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 31 | type: string 32 | metadata: 33 | type: object 34 | spec: 35 | description: TLSStoreSpec configures a TLSStore resource. 36 | properties: 37 | defaultCertificate: 38 | description: DefaultCertificate holds a secret name for the TLSOption 39 | resource. 40 | properties: 41 | secretName: 42 | description: SecretName is the name of the referenced Kubernetes 43 | Secret to specify the certificate details. 44 | type: string 45 | required: 46 | - secretName 47 | type: object 48 | required: 49 | - defaultCertificate 50 | type: object 51 | required: 52 | - metadata 53 | - spec 54 | type: object 55 | served: true 56 | storage: true 57 | status: 58 | acceptedNames: 59 | kind: "" 60 | plural: "" 61 | conditions: [] 62 | storedVersions: [] 63 | -------------------------------------------------------------------------------- /charts/traefik-charts/TESTING.md: -------------------------------------------------------------------------------- 1 | # Testing Guide 2 | 3 | This Helm Chart requires extensive testing to ensure expected behavior are met for everyone. 4 | 5 | ## Test Driven Development 6 | 7 | "TDD" practise (Test Driven Development) should be followed when adding a new feature or fixing a bug. 8 | 9 | It means that you are expected to: 10 | 11 | 1. 
Start by adding a test describing the expected behaviour, which should fail (either because the bug exists in the initial state, or because the new feature has not been implemented yet),
2. Then, change the code according to your intent (fixing a bug, adding a feature or refactoring),
3. Finally, the test suite (including the new test you added earlier) must pass.

## Test Kinds

Please note that this chart has the following kinds of tests (see the respective sections below for descriptions):

- [Unit Testing](#unit-testing)
- [Static Testing](#static-testing)

### Unit Testing

Before you can run the unit tests you need to set some `ENV` variables. This is required to download the binary for the given platform. You don't need it on subsequent runs.

```
export CATTLE_HELM_UNITTEST_VERSION=v0.1.6-rancher1
export ARCH=amd64
make unit-test
```



### Static Testing

The static test suite has the following properties:

- Static tests are about linting the YAML files, shell scripts and Helm elements. They also include a set of verifications around versions, names, etc.
- Static tests are fast to run, so they must be run for each commit and pull request, and they are considered blocking when they fail.
- The static test suite is run by invoking the make target `lint`: `make lint`. It is run by default on the CI.

The static test suite is implemented with the tool [`ct` (Chart Testing)](https://github.com/helm/chart-testing):

- The Docker image of `ct` is used to ensure all sub-dependencies (helm, kubectl, yamale, etc.) are met, for an easier experience for contributors.
- All configuration of `ct` and the linters is stored in the directory `lint/`. In particular, the file `lint/ct.yaml` contains
the `ct` configuration.
- Version Increment Check is done against the original repository, with the branch `master`.
This repository is added as an additional git remote named `traefik` by the make target `lint`. If you wish to temporarily change this behavior, please edit the files `Makefile` and `lint/ct.yaml`. 48 | -------------------------------------------------------------------------------- /charts/prometheus/templates/alertmanager/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.alertmanager.enabled .Values.alertmanager.ingress.enabled -}} 2 | {{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} 3 | {{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} 4 | {{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} 5 | {{- $releaseName := .Release.Name -}} 6 | {{- $serviceName := include "prometheus.alertmanager.fullname" . }} 7 | {{- $servicePort := .Values.alertmanager.service.servicePort -}} 8 | {{- $ingressPath := .Values.alertmanager.ingress.path -}} 9 | {{- $ingressPathType := .Values.alertmanager.ingress.pathType -}} 10 | {{- $extraPaths := .Values.alertmanager.ingress.extraPaths -}} 11 | apiVersion: {{ template "ingress.apiVersion" . }} 12 | kind: Ingress 13 | metadata: 14 | {{- if .Values.alertmanager.ingress.annotations }} 15 | annotations: 16 | {{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }} 17 | {{- end }} 18 | labels: 19 | {{- include "prometheus.alertmanager.labels" . | nindent 4 }} 20 | {{- range $key, $value := .Values.alertmanager.ingress.extraLabels }} 21 | {{ $key }}: {{ $value }} 22 | {{- end }} 23 | name: {{ template "prometheus.alertmanager.fullname" . }} 24 | {{ include "prometheus.namespace" . 
| indent 2 }} 25 | spec: 26 | {{- if and $ingressSupportsIngressClassName .Values.alertmanager.ingress.ingressClassName }} 27 | ingressClassName: {{ .Values.alertmanager.ingress.ingressClassName }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.alertmanager.ingress.hosts }} 31 | {{- $url := splitList "/" . }} 32 | - host: {{ first $url }} 33 | http: 34 | paths: 35 | {{ if $extraPaths }} 36 | {{ toYaml $extraPaths | indent 10 }} 37 | {{- end }} 38 | - path: {{ $ingressPath }} 39 | {{- if $ingressSupportsPathType }} 40 | pathType: {{ $ingressPathType }} 41 | {{- end }} 42 | backend: 43 | {{- if $ingressApiIsStable }} 44 | service: 45 | name: {{ $serviceName }} 46 | port: 47 | number: {{ $servicePort }} 48 | {{- else }} 49 | serviceName: {{ $serviceName }} 50 | servicePort: {{ $servicePort }} 51 | {{- end }} 52 | {{- end -}} 53 | {{- if .Values.alertmanager.ingress.tls }} 54 | tls: 55 | {{ toYaml .Values.alertmanager.ingress.tls | indent 4 }} 56 | {{- end -}} 57 | {{- end -}} -------------------------------------------------------------------------------- /charts/zrok/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "zrok.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 
*/}}
{{- define "zrok.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "zrok.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels shared by the controller and frontend workloads
(chart, app version when set, managed-by). Selector labels are not
included here; see the per-workload label helpers below.
*/}}
{{- define "zrok.commonLabels" -}}
helm.sh/chart: {{ include "zrok.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Full label set for the controller: common labels plus the controller selector labels.
*/}}
{{- define "zrok.labelsController" -}}
{{ include "zrok.commonLabels" . }}
{{ include "zrok.selectorLabelsController" . }}
{{- end }}

{{/*
Full label set for the frontend: common labels plus the frontend selector labels.
*/}}
{{- define "zrok.labelsFrontend" -}}
{{ include "zrok.commonLabels" . }}
{{ include "zrok.selectorLabelsFrontend" . }}
{{- end }}

{{/*
Selector labels. The two workloads are told apart by a "-controller" /
"-frontend" suffix on app.kubernetes.io/name, so the two selectors never
overlap even though both carry the same instance label.
*/}}
{{- define "zrok.selectorLabelsController" -}}
app.kubernetes.io/name: {{ include "zrok.name" . }}-controller
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "zrok.selectorLabelsFrontend" -}}
app.kubernetes.io/name: {{ include "zrok.name" . }}-frontend
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use.
NOTE(review): the serviceAccount.create branch below is commented out, so this
helper always resolves to serviceAccount.name, falling back to the release
fullname, even when serviceAccount.create is false. In that case the pods would
reference a ServiceAccount that may not exist. Confirm whether that is intended
or whether the if/else should be restored.
*/}}
{{- define "zrok.serviceAccountName" -}}
{{/*
{{- if .Values.serviceAccount.create }}
*/}}
{{- default (include "zrok.fullname" .) 
.Values.serviceAccount.name }}
{{/*
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
*/}}
{{- end }}
--------------------------------------------------------------------------------
/charts/httpbin/templates/post-install-hook.yaml:
--------------------------------------------------------------------------------
{{- if .Values.zitiEnrollment }}
---
# Post-install hook: a one-shot Job that runs the chart's init script with
# the Ziti enrollment JWT mounted from the "-enrollment" Secret.
# Rendered only when zitiEnrollment is set.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-post-install-job
  labels:
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    # NOTE(review): unquoted, unlike the labels around it; an appVersion such
    # as 1.0 would be emitted as a YAML number and rejected as a label value.
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "-5"
    # The Job (and its pod, with the mounted JWT) is deleted once it succeeds;
    # a failed Job is left in place for inspection.
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  # No retries: a failed enrollment surfaces as a failed hook instead of the
  # script being re-run.
  backoffLimit: 0
  completions: 1
  template:
    metadata:
      name: {{ .Release.Name }}
      labels:
        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
        {{- include "httpbin.labels" . | nindent 8 }}
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      restartPolicy: Never
      # Dedicated hook ServiceAccount; its RBAC is not defined in this file.
      serviceAccountName: {{ include "httpbin.fullname" . }}-hook-serviceaccount
      # NOTE(review): no pod- or container-level securityContext is set for the
      # hook, so nothing here restricts the container's privileges beyond
      # whatever cluster policy applies.
      containers:
        - name: post-install-job
          # NOTE(review): no tag or digest is rendered for this image, so the
          # registry's default tag is pulled at hook time; pinning a tag or a
          # digest would make the hook reproducible.
          image: {{ .Values.zitiImage.repository }}
          imagePullPolicy: {{ .Values.zitiImage.pullPolicy }}
          volumeMounts:
            # Init script from the ConfigMap, executable via mode 0555 below.
            - name: httpbin-config
              mountPath: /usr/local/bin/{{ .Values.initScriptFile }}
              subPath: {{ .Values.initScriptFile }}
              readOnly: true
            # Enrollment JWT from the Secret, mounted read-only.
            - name: ziti-jwt
              mountPath: /etc/ziti/id.jwt
              subPath: id.jwt
              readOnly: true
          command: ["{{ .Values.initScriptFile }}"]
      volumes:
        - name: httpbin-config
          configMap:
            name: {{ include "httpbin.fullname" . }}-config
            items:
              - key: {{ .Values.initScriptFile }}
                path: {{ .Values.initScriptFile }}
                mode: 0555
        - name: ziti-jwt
          secret:
            secretName: {{ include "httpbin.fullname" . }}-enrollment
            # 0444 makes the token readable by any uid inside the container.
            # NOTE(review): tightening to 0400 would need the container to run
            # as the file owner (or an fsGroup), which this template does not
            # set — verify before changing.
            defaultMode: 0444
            items:
              - key: ziti_enrollment_jwt
                path: id.jwt
{{- end -}}
--------------------------------------------------------------------------------
/charts/traefik-charts/traefik/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}

{{/*
Expand the name of the chart.
*/}}
{{- define "traefik.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "traefik.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
21 | */}} 22 | {{- define "traefik.fullname" -}} 23 | {{- if .Values.fullnameOverride -}} 24 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 25 | {{- else -}} 26 | {{- $name := default .Chart.Name .Values.nameOverride -}} 27 | {{- if contains $name .Release.Name -}} 28 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 29 | {{- else -}} 30 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 31 | {{- end -}} 32 | {{- end -}} 33 | {{- end -}} 34 | 35 | {{/* 36 | The name of the service account to use 37 | */}} 38 | {{- define "traefik.serviceAccountName" -}} 39 | {{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}} 40 | {{- end -}} 41 | 42 | {{/* 43 | Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice. 44 | By convention this will simply use the / to match the name of the 45 | service generated. 46 | Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride` 47 | */}} 48 | {{- define "providers.kubernetesIngress.publishedServicePath" -}} 49 | {{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) 
-}}
50 | {{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
51 | {{- print $servicePath | trimSuffix "-" -}}
52 | {{- end -}}
53 |
54 | {{/*
55 | Construct a comma-separated list of whitelisted namespaces.
An empty list joins to "", which `default` treats as unset, so the provider then
falls back to watching only the release namespace.
56 | */}}
57 | {{- define "providers.kubernetesIngress.namespaces" -}}
58 | {{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }}
59 | {{- end -}}
{{/*
Same rule for the kubernetesCRD provider.
*/}}
60 | {{- define "providers.kubernetesCRD.namespaces" -}}
61 | {{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }}
62 | {{- end -}}
63 |
--------------------------------------------------------------------------------
/charts/zrok/templates/controller-ingress.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.controller.ingress.enabled -}}
2 | {{- $fullName := include "zrok.fullname" . -}}
3 | {{- $svcPort := .Values.controller.service.advertisedPort -}}
{{- /* Clusters older than 1.18 have no spec.ingressClassName, so className is carried as the
legacy kubernetes.io/ingress.class annotation instead. `set` mutates
.Values.controller.ingress.annotations in place, which is why the annotation also shows up
in the `with` block under metadata below. NOTE(review): hasKey/set need that value to be a
map rather than nil — confirm values.yaml defaults annotations to {}. */}}
4 | {{- if and .Values.controller.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
5 | {{- if not (hasKey .Values.controller.ingress.annotations "kubernetes.io/ingress.class") }}
6 | {{- $_ := set .Values.controller.ingress.annotations "kubernetes.io/ingress.class" .Values.controller.ingress.className}}
7 | {{- end }}
8 | {{- end }}
{{- /* Pick the Ingress API version supported by the target cluster; the backend shape in
the rules section further down follows the same split. */}}
9 | {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
10 | apiVersion: networking.k8s.io/v1
11 | {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
12 | apiVersion: networking.k8s.io/v1beta1
13 | {{- else -}}
14 | apiVersion: extensions/v1beta1
15 | {{- end }}
16 | kind: Ingress
17 | metadata:
18 | name: {{ $fullName }}
19 | labels:
20 | {{- include "zrok.labelsController" . | nindent 4 }}
21 | {{- with .Values.controller.ingress.annotations }}
22 | annotations:
23 | {{- toYaml .
| nindent 4 }}
24 | {{- end }}
25 | spec:
26 | {{- if and .Values.controller.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
27 | ingressClassName: {{ .Values.controller.ingress.className }}
28 | {{- end }}
{{- /* Each tls entry may carry its own hosts list; an entry without one is emitted for every
host in .Values.controller.ingress.hosts, paired with that entry's secretName. */}}
29 | {{- if .Values.controller.ingress.tls }}
30 | tls:
31 | {{- range .Values.controller.ingress.tls }}
32 | - hosts:
33 | {{- if .hosts }}
34 | {{- range .hosts }}
35 | - {{ . | quote }}
36 | {{- end }}
37 | {{- else }}
38 | {{- range $.Values.controller.ingress.hosts }}
39 | - {{ . | quote }}
40 | {{- end }}
41 | {{- end }}
42 | secretName: {{ .secretName }}
43 | {{- end }}
44 | {{- end }}
45 | rules:
{{- /* One catch-all "/" rule per host, all routed to the controller service on $svcPort
(.Values.controller.service.advertisedPort). pathType exists only from 1.18, and the
service/port vs serviceName/servicePort backend shape follows the apiVersion chosen above. */}}
46 | {{- range .Values.controller.ingress.hosts }}
47 | - host: {{ . | quote }}
48 | http:
49 | paths:
50 | - path: /
51 | {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
52 | pathType: Prefix
53 | {{- end }}
54 | backend:
55 | {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
56 | service:
57 | name: {{ $fullName }}
58 | port:
59 | number: {{ $svcPort }}
60 | {{- else }}
61 | serviceName: {{ $fullName }}
62 | servicePort: {{ $svcPort }}
63 | {{- end }}
64 | {{- end }}
65 | {{- end }}
66 |
--------------------------------------------------------------------------------
