├── .github └── workflows │ └── release.yaml ├── .gitignore ├── .helmignore ├── CHANGELOG.md ├── CODEOWNERS ├── Chart.lock ├── Chart.yaml ├── LICENSE ├── Makefile ├── README.md ├── init ├── README.md └── puppet-certs │ ├── puppetdb │ └── .gitignore │ └── puppetserver │ └── .gitignore ├── templates ├── NOTES.txt ├── _helpers.tpl ├── hiera-configmap.yaml ├── jmx-configmap.yaml ├── jmx-servicemonitor.yaml ├── postgresql-configmap.yaml ├── private_key.pkcs7.pem.yaml ├── public_key.pkcs7.pem.yaml ├── puppet-crl-updater-cronjob.yaml ├── puppet-preInstall.job.yaml ├── puppet-r10k-deployment.yaml ├── puppetboard-ingress.yaml ├── puppetdb-customconfigs-configmap.yaml ├── puppetdb-deployment.yaml ├── puppetdb-metrics-configmap.yaml ├── puppetdb-podsecuritypolicy.yaml ├── puppetdb-preInstall.configMap.yaml ├── puppetdb-pvc.yaml ├── puppetdb-role.yaml ├── puppetdb-rolebinding.yaml ├── puppetdb-secret.yaml ├── puppetdb-service.yaml ├── puppetdb-serviceaccount.yaml ├── puppetdb-servicemonitor.yaml ├── puppetdb.networkpolicy.yaml ├── puppetserver-ca-backup-cronjob.yaml ├── puppetserver-ca-backup-secret.yaml ├── puppetserver-ca-pvc.yaml ├── puppetserver-code-pvc.yaml ├── puppetserver-compilers.networkpolicy.yaml ├── puppetserver-compilers.pdb.yaml ├── puppetserver-confd-pvc.yaml ├── puppetserver-custom-entrypoints-configmap.yaml ├── puppetserver-customconfigs-configmap.yaml ├── puppetserver-data-pvc.yaml ├── puppetserver-deployment-compilers.yaml ├── puppetserver-deployment-masters.yaml ├── puppetserver-hpa-compilers.yaml ├── puppetserver-hpa-masters.yaml ├── puppetserver-ingress-compilers.yaml ├── puppetserver-ingress-masters.yaml ├── puppetserver-init-configmap.yaml ├── puppetserver-manifests-configmap.yaml ├── puppetserver-masters.networkpolicy.yaml ├── puppetserver-masters.pdb.yaml ├── puppetserver-podsecuritypolicy.yaml ├── puppetserver-preInstall.configMap.yaml ├── puppetserver-puppetserver-pvc.yaml ├── puppetserver-pvc.yaml ├── puppetserver-role.yaml ├── 
puppetserver-rolebinding.yaml ├── puppetserver-service-agents-to-masters.yaml ├── puppetserver-service-compilers-headless.yaml ├── puppetserver-service-compilers.yaml ├── puppetserver-service-masters.yaml ├── puppetserver-serviceaccount.yaml ├── puppetserver-setup.configmap.yaml ├── puppetserver-statefulset-compilers.yaml ├── r10k-code-secret.yaml ├── r10k-code.configmap.yaml ├── r10k-hiera-secret.yaml ├── r10k-hiera.configmap.yaml └── update-crl-configmap.yaml ├── tests ├── __snapshot__ │ ├── jmx-servicemonitor_test.yaml.snap │ ├── puppetdb-pvc_test.yaml.snap │ ├── puppetdb-servicemonitor_test.yaml.snap │ ├── puppetdb.networkpolicy_test.yaml.snap │ ├── puppetserver-ca-pvc_test.yaml.snap │ ├── puppetserver-code-pvc_test.yaml.snap │ ├── puppetserver-compilers.deployment_test.yaml.snap │ ├── puppetserver-compilers.networkpolicy_test.yaml.snap │ ├── puppetserver-compilers.pdb_test.yaml.snap │ ├── puppetserver-compilers.statefulset_test.yaml.snap │ ├── puppetserver-data-pvc_test.yaml.snap │ ├── puppetserver-masters.networkpolicy_test.yaml.snap │ ├── puppetserver-masters.pdb_test.yaml.snap │ ├── puppetserver-pvc_test.yaml.snap │ └── puppetserver-statefulset.compilers_test.yaml.snap ├── jmx-servicemonitor_test.yaml ├── puppetdb-pvc_test.yaml ├── puppetdb-servicemonitor_test.yaml ├── puppetdb.networkpolicy_test.yaml ├── puppetserver-ca-pvc_test.yaml ├── puppetserver-code-pvc_test.yaml ├── puppetserver-compilers.deployment_test.yaml ├── puppetserver-compilers.networkpolicy_test.yaml ├── puppetserver-compilers.pdb_test.yaml ├── puppetserver-compilers.statefulset_test.yaml ├── puppetserver-data-pvc_test.yaml ├── puppetserver-masters.networkpolicy_test.yaml ├── puppetserver-masters.pdb_test.yaml └── puppetserver-pvc_test.yaml └── values.yaml /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: CI / Release 2 | 3 | on: 4 | pull_request: 5 | workflow_dispatch: 6 | 7 | jobs: 8 | test: 9 | name: Lint and Build 
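Helm chart
    runs-on: ubuntu-latest
    # Lint, unit tests and the kind-based install only read the checkout, so the
    # job token needs nothing beyond contents:read.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Install Helm
        uses: azure/setup-helm@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.10'
          check-latest: true
      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.6.0

      - name: Run helm unit tests
        # NOTE(review): unlike the actions above, the unittest plugin is not
        # pinned -- every run installs whatever its default branch holds at that
        # moment, and that code then runs inside this job. `helm plugin install`
        # accepts `--version` to pin it to a released tag.
        run: |
          helm repo add bitnami https://charts.bitnami.com/bitnami
          helm plugin install https://github.com/helm-unittest/helm-unittest.git
          helm unittest ./

      - name: Create testing cluster
        uses: helm/kind-action@v1.8.0

      - name: Run chart-testing (lint)
        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --charts ./

      - name: Run chart-testing (install)
        run: ct install --target-branch ${{ github.event.repository.default_branch }} --charts ./

  publish:
    name: Publish Helm chart
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'workflow_dispatch'
    # Creating the release, uploading its asset and pushing gh-pages all need
    # the contents scope and nothing else. Granting it explicitly keeps the job
    # working when the repository default for GITHUB_TOKEN is read-only, and
    # drops every other scope a permissive default would hand out.
    permissions:
      contents: write
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v3
      - name: Fetch history
        run: git fetch --prune --unshallow
      - name: Install Helm
        uses: azure/setup-helm@v3
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      # VERSION is read from Chart.yaml and reused by every step below for the
      # tag, the release-notes lookup, the asset name and the gh-pages commit.
      - name: Set the version
        run: echo "VERSION=$(grep '^version:' ./Chart.yaml| awk '{print $2}')" >> $GITHUB_ENV

      - name: Package the chart
        run: helm package . --destination .release-packages --dependency-update

      # The notes are the "- " bullet lines of the CHANGELOG section headed by
      # the version being released; the first bullet doubles as the release name.
      - name: Prep release notes
        run: |
          release_notes=`sed -n '/^## \['v${{ env.VERSION }}'\]/,/^## /p' CHANGELOG.md | sed -n '/^- /p'`
          echo "RELEASE NOTES: $release_notes"
          echo "$release_notes" > body.md
          release_name=`echo "$release_notes"| head -1 | sed 's/^- //'`
          echo "RELEASE_NAME=$release_name" >> $GITHUB_ENV

      # NOTE(review): actions/create-release and actions/upload-release-asset are
      # archived upstream and no longer receive fixes; plan a move to a maintained
      # release action.
      - name: Make the release
        id: create_release
        uses: actions/create-release@v1
        with:
          tag_name: v${{ env.VERSION }}
          release_name: ${{ env.RELEASE_NAME }}
          body_path: body.md

      - name: upload artifacts to the release
        uses: actions/upload-release-asset@v1
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./.release-packages/puppetserver-${{ env.VERSION }}.tgz
          asset_name: puppetserver-${{ env.VERSION }}.tgz
          asset_content_type: application/gzip

      - name: update ghpages
        run: |
          gh_pages_worktree=$(mktemp -d)
          git worktree add "$gh_pages_worktree" gh-pages
          cp .release-packages/puppetserver-${{ env.VERSION }}.tgz $gh_pages_worktree
          cp CHANGELOG.md README.md LICENSE CODEOWNERS $gh_pages_worktree
          # Older tarballs are removed here, presumably so that `helm repo index`
          # only scans the new package and takes the existing entries from --merge;
          # the checkout below restores them before the sync commit.
          find "$gh_pages_worktree" -type f ! -name "puppetserver-${{ env.VERSION }}.tgz" -name 'puppetserver*.tgz' -delete
          helm repo index $gh_pages_worktree --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} --merge "$gh_pages_worktree/index.yaml"
          pushd "$gh_pages_worktree" > /dev/null
          git add index.yaml puppetserver-${{ env.VERSION }}.tgz
          git commit --message "puppetserver-${{ env.VERSION }} release"
          git checkout 'puppetserver*.tgz' # reset the files removed to make the index accurate
          git commit --all --message "Sync files from master branch" ||:
          # NOTE(review): the token travels inside the remote URL, so it is part of
          # the argv and of any URL git prints on failure. actions/checkout already
          # stores a token for origin in the repository config, which the worktree
          # shares, so `git push origin gh-pages` should work without embedding it
          # -- confirm before switching.
          repo_url="https://x-access-token:$GITHUB_TOKEN@github.com/${{ github.repository }}"
          git push "$repo_url" gh-pages
          popd > /dev/null
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | requirements.lock 3 | -------------------------------------------------------------------------------- /.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 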
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | # helm/charts 23 | OWNERS 24 | hack/ 25 | ci/ 26 | puppetserver-*.tgz 27 | test/ -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # This repository is owned by community partners 2 | 3 | * @Xtigyro @slconley @raphink @davidphay @skoef @nielshojen @ldaneliukas @anthonysomerset 4 | -------------------------------------------------------------------------------- /Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: postgresql 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 12.1.11 5 | digest: sha256:0a99be66d88c73aacfb668d7d44d3d4a4fd490237ab44b50a1f700df297ab120 6 | generated: "2023-11-20T16:31:23.66513+02:00" 7 | -------------------------------------------------------------------------------- /Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: puppetserver 3 | version: 9.5.2 4 | appVersion: 7.17.0 5 | description: Puppet automates the delivery and operation of software. 
6 | keywords: ["puppet", "puppetserver", "automation", "iac", "infrastructure", "cm", "ci", "cd"] 7 | home: https://puppet.com/ 8 | icon: https://secure.gravatar.com/avatar/fdd009b7c1ec96e088b389f773e87aec.jpg?s=80&r=g&d=mm 9 | dependencies: 10 | - name: postgresql 11 | version: 12.1.11 12 | repository: https://charts.bitnami.com/bitnami 13 | condition: postgresql.enabled 14 | sources: 15 | - https://github.com/puppetlabs/pupperware/ 16 | - https://github.com/postgres/postgres 17 | - https://github.com/bitnami/charts/tree/master/bitnami/postgresql 18 | maintainers: 19 | - name: Xtigyro 20 | email: miroslav.hadzhiev@gmail.com 21 | - name: underscorgan 22 | email: morgan@puppet.com 23 | - name: slconley 24 | email: slconley@gmail.com 25 | - name: raphink 26 | email: raphael.pinson@camptocamp.com 27 | - name: davidphay 28 | email: david.phayanouvong@gmail.com 29 | - name: skoef 30 | email: reinier@skoef.nl 31 | - name: nielshojen 32 | email: niels@hojen.net 33 | - name: ldaneliukas 34 | email: linas@daneliukas.eu 35 | - name: anthonysomerset 36 | email: anthony@sts.io 37 | engine: gotpl 38 | kubeVersion: ">=1.10.0-0" 39 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: lint test 2 | 3 | test: 4 | docker run ${DOCKER_ARGS} --rm -v $(CURDIR):/charts -w /charts quintush/helm-unittest:3.11.0-0.3.0 --color /charts; 5 | -------------------------------------------------------------------------------- /init/README.md: -------------------------------------------------------------------------------- 1 | # How-To Instruction for Using Your Pre-Generated Puppet Certs 2 | 3 | Please archive the contents of your `/etc/puppetlabs/puppet/ssl/*` of your bare-metal Puppet Server master and `/opt/puppetlabs/server/data/puppetdb/certs/*` of your bare-metal PuppetDB instance into two separate `.gz` files and place them respectively into the `puppet-certs/puppetserver` and `puppet-certs/puppetdb` directories. 4 | 5 | > **NOTE**: Please keep only your archive files in each `puppet-certs/` subdir. 
6 | 7 | The content of the two archives should be very similar to: 8 | 9 | ```console 10 | root@puppet:/# ll /etc/puppetlabs/puppet/ssl/ 11 | total 36 12 | drwxr-x--- 4 puppet puppet 4096 Nov 26 20:21 ca/ 13 | drwxr-xr-x 2 puppet puppet 4096 Nov 26 20:21 certificate_requests/ 14 | drwxr-xr-x 2 puppet puppet 4096 Nov 26 20:21 certs/ 15 | -rw-r----- 1 puppet puppet 950 Nov 26 20:21 crl.pem 16 | drwxr-x--- 2 puppet puppet 4096 Nov 26 20:21 private/ 17 | drwxr-x--- 2 puppet puppet 4096 Nov 26 20:21 private_keys/ 18 | drwxr-xr-x 2 puppet puppet 4096 Nov 26 20:21 public_keys/ 19 | 20 | root@puppetdb:/opt/puppetlabs/server/data/puppetdb/certs# ls -l 21 | total 20 22 | drwxr-xr-x 2 puppetdb puppetdb 4096 Dec 5 21:49 certificate_requests 23 | drwx------ 2 puppetdb puppetdb 4096 Dec 5 22:36 certs 24 | -rw-r--r-- 1 puppetdb puppetdb 950 Dec 5 21:49 crl.pem 25 | drwx------ 2 puppetdb puppetdb 4096 Dec 5 22:36 private_keys 26 | drwxr-xr-x 2 puppetdb puppetdb 4096 Dec 5 21:49 public_keys 27 | ``` 28 | 29 | The content of the `init/puppet-certs/puppetserver` and `init/puppet-certs/puppetdb` chart's dirs should be similar to: 30 | 31 | ```console 32 | /repos/xtigyro/puppetserver-helm-chart # ll init/puppet-certs/puppetserver/ 33 | total 24 34 | drwxrws--- 2 xtigyro-samba sambashare 4096 Dec 5 22:00 ./ 35 | drwxrws--- 4 xtigyro-samba sambashare 4096 Dec 5 21:45 ../ 36 | -rw-rw---- 1 xtigyro-samba sambashare 71 Dec 5 21:45 .gitignore 37 | -rw-r--r-- 1 xtigyro-samba sambashare 10013 Dec 5 22:00 puppetserver-certs.gz 38 | 39 | /repos/xtigyro/puppetserver-helm-chart # ll init/puppet-certs/puppetdb/ 40 | total 24 41 | drwxrws--- 2 xtigyro-samba sambashare 4096 Dec 5 22:00 ./ 42 | drwxrws--- 4 xtigyro-samba sambashare 4096 Dec 5 21:45 ../ 43 | -rw-rw---- 1 xtigyro-samba sambashare 71 Dec 5 21:45 .gitignore 44 | -rw-r--r-- 1 xtigyro-samba sambashare 10158 Dec 5 22:00 puppetdb-certs.gz 45 | ``` 46 | -------------------------------------------------------------------------------- 
/init/puppet-certs/puppetdb/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything in this directory 2 | * 3 | # Except this file 4 | !.gitignore 5 | -------------------------------------------------------------------------------- /init/puppet-certs/puppetserver/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything in this directory 2 | * 3 | # Except this file 4 | !.gitignore 5 | -------------------------------------------------------------------------------- /templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Puppet Server has been installed/upgraded. 2 | 3 | Release Name: "{{ template "puppetserver.fullname" . }}" 4 | {{- if .Values.puppetserver.compilers.enabled }} 5 | Masters Service Name: "{{ template "puppetserver.puppetserver.agents-to-masters.serviceName" . }}" 6 | {{- else }} 7 | Masters Service Name: "{{ template "puppetserver.puppetserver-masters.serviceName" . }}" 8 | {{- end }} 9 | Masters Service Type: "{{.Values.puppetserver.masters.service.type}}" 10 | Masters Service Port: "{{.Values.puppetserver.masters.service.ports.puppetserver.port}}" 11 | Masters Ingress Enabled: "{{.Values.puppetserver.masters.ingress.enabled}}" 12 | {{- if .Values.puppetserver.compilers.enabled }} 13 | Compilers Service Name: "{{ template "puppetserver.puppetserver-compilers.serviceName" . 
}}" 14 | Compilers Service Type: "{{.Values.puppetserver.compilers.service.type}}" 15 | Compilers Service Port: "{{.Values.puppetserver.compilers.service.ports.puppetserver.port}}" 16 | Compilers Headless Service Port: "{{.Values.puppetserver.compilers.service.headless.ports.https.port}}" 17 | Compilers Ingress Enabled: "{{.Values.puppetserver.compilers.ingress.enabled}}" 18 | {{- end }} 19 | Control Repo: "{{.Values.puppetserver.puppeturl}}" 20 | {{- if .Values.hiera.hieradataurl }} 21 | Hieradata Repo: "{{.Values.hiera.hieradataurl}}" 22 | {{- end }} 23 | 24 | {{ if .Values.hiera.eyaml.existingMap -}} 25 | WARNING: you specified a ConfigMap for the eyaml secret, which is insecure 26 | {{- end }} 27 | {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) }} 28 | WARNING: you specified eyaml keys inside values.yaml, which is insecure 29 | {{- end }} 30 | 31 | If you need to get your password for PuppetDB and PostgreSQL: 32 | $ printf $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "puppetdb.secret" . }} -o jsonpath="{.data.password}" | base64 --decode);echo 33 | -------------------------------------------------------------------------------- /templates/hiera-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.hiera.config }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "puppetserver.fullname" . }}-hiera-config 6 | labels: 7 | {{- include "puppetserver.hiera.labels" . | nindent 4 }} 8 | data: 9 | hiera.yaml: |- 10 | {{ .Values.hiera.config | nindent 4 }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /templates/jmx-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metrics.prometheus.jmx.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "puppetserver.fullname" . 
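}}-jmx-config 6 | labels: 7 | {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} 8 | {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }} 9 | data: 10 | jmx_exporter.yaml: |- 11 | {{ .Values.metrics.prometheus.jmx.config | nindent 4 }} 12 | {{- end }} 13 | 14 | -------------------------------------------------------------------------------- /templates/jmx-servicemonitor.yaml: --------------------------------------------------------------------------------
{{/*
Prometheus Operator ServiceMonitor for the JMX exporter "metrics" port of the
Puppet Server pods. Rendered only when both the JMX exporter and its
ServiceMonitor are enabled; unless disableAPICheck is set, rendering fails
early when the cluster does not serve monitoring.coreos.com/v1.
*/}}
{{- if and .Values.metrics.prometheus.jmx.enabled .Values.metrics.prometheus.jmx.serviceMonitor.enabled }}
{{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
{{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
{{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
{{- end }}
{{- end }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: {{ template "puppetserver.fullname" . }}-jmx
  namespace: {{ default .Release.Namespace .Values.metrics.prometheus.jmx.serviceMonitor.namespace | quote }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.metrics.prometheus.jmx.serviceMonitor.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    # NOTE(review): fixed label, presumably to match the ServiceMonitor selector
    # of a kube-prometheus-stack release installed under that name; an operator
    # selecting on anything else needs the matching label via additionalLabels.
    release: kube-prometheus-stack
spec:
  # The fallback is built with printf: a quoted string inside a template action
  # is emitted verbatim, so the earlier default wrote the template markers and
  # ".Release.Name-jmx" literally into the manifest instead of the release name.
  jobLabel: {{ .Values.metrics.prometheus.jmx.serviceMonitor.jobLabel | default (printf "%s-jmx" .Release.Name) }}
  endpoints:
  - port: metrics
    path: /metrics
    {{- with .Values.metrics.prometheus.jmx.serviceMonitor.honorLabels }}
    honorLabels: {{ . }}
    {{- end }}
    {{- with .Values.metrics.prometheus.jmx.serviceMonitor.honorTimestamps }}
    honorTimestamps: {{ . }}
    {{- end }}
    {{- with .Values.metrics.prometheus.jmx.serviceMonitor.enableHttp2 }}
    enableHttp2: {{ . }}
    {{- end }}
    {{- with .Values.metrics.prometheus.jmx.serviceMonitor.followRedirects }}
    followRedirects: {{ . }}
    {{- end }}
    {{- with .Values.metrics.prometheus.jmx.serviceMonitor.interval }}
    interval: {{ . }}
    {{- end }}
    {{- with .Values.metrics.prometheus.jmx.serviceMonitor.scrapeTimeout }}
    scrapeTimeout: {{ . }}
    {{- end }}
    {{- if .Values.metrics.prometheus.jmx.serviceMonitor.metricRelabelings }}
    metricRelabelings:
{{ tpl (toYaml .Values.metrics.prometheus.jmx.serviceMonitor.metricRelabelings | indent 6) . }}
    {{- end }}
    {{- if .Values.metrics.prometheus.jmx.serviceMonitor.relabelings }}
    relabelings:
{{ toYaml .Values.metrics.prometheus.jmx.serviceMonitor.relabelings | indent 6 }}
    {{- end }}
  namespaceSelector:
    matchNames:
    - {{ .Release.Namespace | quote }}
  selector:
    matchLabels:
      {{- include "puppetserver.puppetserver.matchLabels" . | nindent 6 }}
{{- end }}
-------------------------------------------------------------------------------- /templates/postgresql-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.postgresql.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: postgresql-custom-extensions 6 | labels: 7 | {{- include "puppetserver.postgresql.labels" . | nindent 4 }} 8 | data: 9 | extensions.sql: | 10 | CREATE EXTENSION IF NOT EXISTS pg_trgm; 11 | CREATE EXTENSION IF NOT EXISTS pgcrypto; 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /templates/private_key.pkcs7.pem.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.hiera.eyaml.public_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) (not .Values.hiera.eyaml.existingSecret) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "puppetserver.hiera.privateSecret" . }} 6 | labels: 7 | {{- include "puppetserver.hiera.labels" . 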
| nindent 4 }} 8 | data: 9 | private_key.pkcs7.pem: {{ required "A valid .Values.hiera.eyaml.private_key required!" .Values.hiera.eyaml.private_key | nindent 4 | b64enc }} 10 | {{- end }} 11 | 12 | 13 | -------------------------------------------------------------------------------- /templates/public_key.pkcs7.pem.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.hiera.eyaml.private_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) (not .Values.hiera.eyaml.existingSecret) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "puppetserver.hiera.publicSecret" . }} 6 | labels: 7 | {{- include "puppetserver.hiera.labels" . | nindent 4 }} 8 | data: 9 | public_key.pkcs7.pem: {{ required "A valid .Values.hiera.eyaml.public_key required!" .Values.hiera.eyaml.public_key | nindent 4 | b64enc }} 10 | {{- end }} 11 | 12 | 13 | -------------------------------------------------------------------------------- /templates/puppet-crl-updater-cronjob.yaml: -------------------------------------------------------------------------------- 1 | {{- if and ( not .Values.singleCA.crl.asSidecar ) .Values.singleCA.enabled }} 2 | apiVersion: batch/v1 3 | kind: CronJob 4 | metadata: 5 | name: {{ template "puppetserver.fullname" . }}-crl-updater 6 | labels: 7 | {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} 8 | {{- with .Values.singleCA.crl.extraLabels -}} 9 | {{ toYaml . | nindent 4 }} 10 | {{- end }} 11 | spec: 12 | concurrencyPolicy: Forbid 13 | suspend: false 14 | failedJobsHistoryLimit: {{ .Values.singleCA.crl.cronJob.failedJobsHistoryLimit }} 15 | schedule: "{{ .Values.singleCA.crl.cronJob.schedule }}" 16 | successfulJobsHistoryLimit: {{ .Values.singleCA.crl.cronJob.successfulJobsHistoryLimit }} 17 | jobTemplate: 18 | metadata: 19 | labels: 20 | {{- include "puppetserver.puppetserver.labels" . | nindent 8 }} 21 | {{- with .Values.singleCA.crl.extraLabels -}} 22 | {{ toYaml . 
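| nindent 8 }}
        {{- end }}
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: crl-updater
              image: "{{ tpl .Values.singleCA.crl.image . }}:{{ tpl .Values.singleCA.crl.tag . }}"
              imagePullPolicy: {{ tpl .Values.singleCA.crl.imagePullPolicy . }}
              command:
                - /bin/sh
                - -c
              # The multi-line plain scalar below folds into ONE shell string,
              # so every statement must be terminated with ';'. The script
              # invocation previously lacked it, which turned the first line
              # into `crl_kubernetes_cronjob.sh yes | cp -i ...` -- "yes" became
              # an argument and the first copy no longer ran as intended.
              # `yes |` answers cp -i so an existing crl.pem is overwritten.
              args:
                - /tmp/crl/crl_kubernetes_cronjob.sh;
                  yes | cp -i /crl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem;
                  yes | cp -i /crl/crl.pem /opt/puppetlabs/server/data/puppetdb/certs/crl.pem;
                  ls -la /etc/puppetlabs/puppet/ssl/crl.pem;
                  ls -la /opt/puppetlabs/server/data/puppetdb/certs/crl.pem;
              resources:
                {{- toYaml .Values.singleCA.crl.resources | nindent 16 }}
              env:
                {{- range $key, $value := .Values.global.extraEnv }}
                - name: {{ $key }}
                  value: "{{ $value }}"
                {{- end }}
                {{- range $key, $value := .Values.singleCA.crl.extraEnv }}
                - name: {{ $key }}
                  value: "{{ $value }}"
                {{- end }}
              envFrom:
                {{- if .Values.global.extraEnvSecret }}
                - secretRef:
                    name: {{ .Values.global.extraEnvSecret }}
                {{- end }}
                {{- if .Values.singleCA.crl.extraEnvSecret }}
                - secretRef:
                    name: {{ .Values.singleCA.crl.extraEnvSecret }}
                {{- end }}
              volumeMounts:
                # scripts (read/exec only, see defaultMode below)
                - name: crl-volume
                  mountPath: /tmp/crl
                # scratch space the script writes the fresh crl.pem into
                - name: puppet-crl-storage
                  mountPath: /crl/
                # destinations: the puppetserver and puppetdb data volumes
                - name: puppet-puppet-storage
                  mountPath: /etc/puppetlabs/puppet/
                - name: puppetdb-storage
                  mountPath: /opt/puppetlabs/server/data/puppetdb
              securityContext:
                runAsUser: {{ .Values.global.securityContext.runAsUser }}
                runAsGroup: {{ .Values.global.securityContext.runAsGroup }}
                {{- toYaml .Values.singleCA.crl.securityContext | nindent 16 }}
          volumes:
            - name: crl-volume
              configMap:
                name: {{ template "puppetserver.fullname" . }}-crl-config
                defaultMode: 0550
            - name: puppet-crl-storage
              emptyDir: {}
            - name: puppet-puppet-storage
              persistentVolumeClaim:
                claimName: {{ template "puppetserver.persistence.puppet.claimName" . }}
            - name: puppetdb-storage
              persistentVolumeClaim:
                claimName: {{ template "puppetdb.persistence.claimName" . }}
{{- end }}
-------------------------------------------------------------------------------- /templates/puppet-preInstall.job.yaml: --------------------------------------------------------------------------------
{{- /*
Pre-install hook Job. Depending on values it (a) lays out and chowns the
persistent volumes for non-root operation, (b) seeds puppetserver/puppetdb
with pre-generated or externally issued certificates, and (c) runs the
puppetserver image once to initialise configuration. The Job is deleted on
success and on failure (hook-delete-policy), so its logs do not survive.
*/ -}}
{{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled .Values.global.runAsNonRoot }}
apiVersion: batch/v1
kind: Job
metadata:
  name: "{{ template "puppetserver.fullname" . }}-puppet-preinstall"
  labels:
    {{- include "puppetserver.puppet.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook: pre-install
    helm.sh/hook-weight: "10"
    helm.sh/hook-delete-policy: hook-succeeded,hook-failed
spec:
  activeDeadlineSeconds: {{.Values.puppetserver.preGeneratedCertsJob.jobDeadline}}
  template:
    metadata:
      name: "{{ template "puppetserver.fullname" . }}-preinstall"
      labels:
        {{- include "puppetserver.puppet.labels" . | nindent 8 }}
    spec:
      restartPolicy: Never
      {{- if .Values.puppetserver.serviceAccount.enabled }}
      serviceAccountName: {{ include "puppetserver.serviceAccountName" .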
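}}
      {{- end }}
      initContainers:
        {{- if .Values.global.runAsNonRoot }}
        # Deliberately runs as root (see its securityContext further down):
        # it creates the directory layout and chowns it to puppet:puppet so
        # the non-root puppetserver containers can use the volumes.
        - name: puppetserver-perms-and-dirs
          image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}"
          imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}"
          resources:
            requests:
              memory: 128Mi
              cpu: 200m
            limits:
              memory: 256Mi
              cpu: 300m
          env:
            {{- range $key, $value := .Values.global.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            {{- range $key, $value := .Values.puppetserver.masters.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
          envFrom:
            {{- if .Values.global.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.global.extraEnvSecret }}
            {{- end }}
            {{- if .Values.puppetserver.masters.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.puppetserver.masters.extraEnvSecret }}
            {{- end }}
          command: [ "sh", "-c" ]
          # Folded into a single shell string: every statement needs ';'.
          # The "Copy eyaml config" echo previously had none, so the following
          # cp was swallowed as echo arguments and the keys were never copied.
          # The private eyaml key is tightened to 0400 right after the copy
          # (cp -rp below preserves the mode when the tree is moved to the PVC).
          # NOTE(review): the /tmp/puppet/configmap/eyaml source is only mounted
          # when the keys come from inline values (see volumeMounts); with
          # existingSecret/existingMap the cp/chmod fail non-fatally -- confirm
          # that is intended.
          args:
            - echo "create folder";
              mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
              mkdir -p /etc/puppetlabs/code/environments;
              mkdir -p /etc/puppetlabs/puppet/manifests;
              mkdir -p /etc/puppetlabs/code/r10k_cache;
              mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/;
              touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde;
              {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) (.Values.hiera.eyaml.existingMap) (.Values.hiera.eyaml.existingSecret) }}
              echo "Copy eyaml config";
              cp /tmp/puppet/configmap/eyaml/*private_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/;
              cp /tmp/puppet/configmap/eyaml/*public_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/;
              chmod 0400 /etc/puppetlabs/puppet/eyaml/keys/*private_key.pkcs7.pem;
              chmod 0444 /etc/puppetlabs/puppet/eyaml/keys/*public_key.pkcs7.pem;
              {{- end }}
              echo "Update files owner to puppet:puppet in /etc/puppetlabs/";
              chown -R puppet:puppet /etc/puppetlabs/ -v;
              echo "Update files owner to puppet:puppet in /opt/puppetlabs/server/data/puppetserver/";
              chown -R puppet:puppet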
/opt/puppetlabs/server/data/puppetserver/ -v; 72 | {{- if .Values.puppetserver.extraInitArgs }} 73 | {{- .Values.puppetserver.extraInitArgs | nindent 14 }} 74 | {{- end }} 75 | echo "copy puppetserver files"; 76 | cp -rp /etc/puppetlabs/puppetserver/* /puppetserver/; 77 | echo "copy puppet files"; 78 | cp -rp /etc/puppetlabs/puppet/* /puppet/; 79 | volumeMounts: 80 | - name: puppet-puppetserver 81 | mountPath: /puppetserver/ 82 | - name: puppet-puppet-storage 83 | mountPath: /puppet/ 84 | {{- if and .Values.puppetserver.puppeturl (not .Values.puppetserver.compilers.enabled) }} 85 | - name: puppet-code-storage 86 | mountPath: /etc/puppetlabs/code/ 87 | {{- if and (or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key)) (not .Values.hiera.eyaml.existingSecret)}} 88 | - name: eyamlpub-volume 89 | mountPath: /tmp/puppet/configmap/eyaml/public_key.pkcs7.pem 90 | subPath: public_key.pkcs7.pem 91 | - name: eyamlpriv-volume 92 | mountPath: /tmp/puppet/configmap/eyaml/private_key.pkcs7.pem 93 | subPath: private_key.pkcs7.pem 94 | {{- end }} 95 | {{- end }} 96 | {{- if eq .Values.puppetserver.persistence.data.enabled true }} 97 | - name: puppet-serverdata-storage 98 | mountPath: /opt/puppetlabs/server/data/puppetserver/ 99 | {{- end}} 100 | securityContext: 101 | runAsUser: 0 102 | runAsNonRoot: false 103 | capabilities: 104 | drop: 105 | - all 106 | add: 107 | - CAP_CHOWN 108 | - CAP_SETUID 109 | - CAP_SETGID 110 | - CAP_DAC_OVERRIDE 111 | - CAP_AUDIT_WRITE 112 | - CAP_FOWNER 113 | - CHOWN 114 | - SETUID 115 | - SETGID 116 | - DAC_OVERRIDE 117 | - AUDIT_WRITE 118 | - FOWNER 119 | {{- end }} 120 | containers: 121 | {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled }} 122 | - name: copy-ro-puppetserver-certs 123 | image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}" 124 | imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}" 125 | command: [ "sh", "-c" ] 126 | args: 127 | - mkdir -p /etc/puppetlabs/puppet/ssl; 
128 | {{- if .Values.singleCA.enabled }} 129 | mkdir -p /etc/puppetlabs/puppet/ssl/certs/; 130 | mkdir -p /etc/puppetlabs/puppet/ssl/private_keys/; 131 | cp /tmp/puppetserver/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem; 132 | cp /tmp/puppetserver/{{ template "singleCA.puppetserver.certname" . }}.pem /etc/puppetlabs/puppet/ssl/certs/puppet.pem; 133 | cp /tmp/puppetserver/{{ template "singleCA.puppetserver.certname" . }}.key /etc/puppetlabs/puppet/ssl/private_keys/puppet.pem; 134 | chown puppet:puppet /etc/puppetlabs/puppet/ssl/certs/puppet.pem /etc/puppetlabs/puppet/ssl/private_keys/puppet.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem; 135 | {{- if .Values.singleCA.crl.asSidecar }} 136 | cp /tmp/crl/crl_entrypoint.sh /etc/puppetlabs/puppet/ssl/crl_entrypoint.sh; 137 | cp /tmp/crl/crl_cronjob.sh /etc/puppetlabs/puppet/ssl/crl_cronjob.sh; 138 | cp /tmp/crl/crl.sh /etc/puppetlabs/puppet/ssl/crl.sh; 139 | chown puppet:puppet /etc/puppetlabs/puppet/ssl/crl_entrypoint.sh /etc/puppetlabs/puppet/ssl/crl_cronjob.sh /etc/puppetlabs/puppet/ssl/crl.sh; 140 | chmod +x /etc/puppetlabs/puppet/ssl/crl_entrypoint.sh /etc/puppetlabs/puppet/ssl/crl_cronjob.sh /etc/puppetlabs/puppet/ssl/crl.sh; 141 | {{- else }} 142 | /tmp/crl/crl_kubernetes_cronjob.sh; 143 | cp -i /crl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem; 144 | {{- end }} 145 | {{- else if .Values.puppetserver.preGeneratedCertsJob.enabled }} 146 | CERTS_FILE=`ls /tmp/puppetserver`; 147 | tar xf /tmp/puppetserver/"$CERTS_FILE" -C /etc/puppetlabs/puppet/ssl; 148 | {{- end }} 149 | env: 150 | {{- range $key, $value := .Values.global.extraEnv }} 151 | - name: {{ $key }} 152 | value: "{{ $value }}" 153 | {{- end }} 154 | envFrom: 155 | {{- if .Values.global.extraEnvSecret }} 156 | - secretRef: 157 | name: {{ .Values.global.extraEnvSecret }} 158 | {{- end }} 159 | volumeMounts: 160 | - name: puppetserver-certs 161 | mountPath: /tmp/puppetserver 162 | - name: puppet-puppet-storage 163 | mountPath: /etc/puppetlabs/puppet/ 164 | {{- if 
.Values.singleCA.enabled }} 165 | - name: crl-volume 166 | mountPath: /tmp/crl 167 | {{- if not .Values.singleCA.crl.asSidecar }} 168 | - name: puppet-crl-storage 169 | mountPath: /crl 170 | {{- end }} 171 | {{- end }} 172 | {{- if .Values.global.runAsNonRoot }} 173 | securityContext: 174 | runAsUser: {{ .Values.global.securityContext.runAsUser }} 175 | runAsGroup: {{ .Values.global.securityContext.runAsGroup }} 176 | {{- end }} 177 | {{- if and .Values.puppetdb.enabled .Values.puppetserver.preGeneratedCertsJob.importPuppetdb }} 178 | - name: copy-ro-puppetdb-certs 179 | image: "{{.Values.puppetdb.image}}:{{.Values.puppetdb.tag}}" 180 | imagePullPolicy: "{{.Values.puppetdb.pullPolicy}}" 181 | command: [ "sh", "-c" ] 182 | args: 183 | - mkdir -p /opt/puppetlabs/server/data/puppetdb/certs; 184 | {{- if .Values.singleCA.enabled }} 185 | mkdir -p /opt/puppetlabs/server/data/puppetdb/certs/certs/; 186 | mkdir -p /opt/puppetlabs/server/data/puppetdb/certs/private_keys/; 187 | mkdir -p /opt/puppetlabs/server/data/puppetdb/scripts/; 188 | cp /tmp/puppetdb/ca.pem /opt/puppetlabs/server/data/puppetdb/certs/certs/ca.pem; 189 | cp /tmp/puppetdb/{{ template "singleCA.puppetdb.certname" . }}.pem /opt/puppetlabs/server/data/puppetdb/certs/certs/{{ template "singleCA.puppetdb.certname" . }}.pem; 190 | cp /tmp/puppetdb/{{ template "singleCA.puppetdb.certname" . }}.key /opt/puppetlabs/server/data/puppetdb/certs/private_keys/{{ template "singleCA.puppetdb.certname" . }}.pem; 191 | chown puppetdb:puppetdb /opt/puppetlabs/server/data/puppetdb/certs/certs/ca.pem /opt/puppetlabs/server/data/puppetdb/certs/certs/{{ template "singleCA.puppetdb.certname" . }}.pem /opt/puppetlabs/server/data/puppetdb/certs/private_keys/{{ template "singleCA.puppetdb.certname" . 
}}.pem; 192 | {{- if .Values.singleCA.crl.asSidecar }} 193 | cp /tmp/crl/crl_entrypoint.sh /opt/puppetlabs/server/data/puppetdb/scripts/crl_entrypoint.sh; 194 | cp /tmp/crl/crl_cronjob.sh /opt/puppetlabs/server/data/puppetdb/scripts/crl_cronjob.sh; 195 | cp /tmp/crl/crl.sh /opt/puppetlabs/server/data/puppetdb/scripts/crl.sh; 196 | chown -R puppetdb:puppetdb /opt/puppetlabs/server/data/puppetdb/scripts; 197 | chmod +x /opt/puppetlabs/server/data/puppetdb/scripts/*.sh; 198 | ls -la /opt/puppetlabs/server/data/puppetdb/scripts/; 199 | {{- else }} 200 | /tmp/crl/crl_kubernetes_cronjob.sh; 201 | cp -i /crl/crl.pem /opt/puppetlabs/server/data/puppetdb/certs/crl.pem; 202 | {{- end }} 203 | {{- else if .Values.puppetserver.preGeneratedCertsJob.enabled }} 204 | CERTS_FILE=`ls /tmp/puppetdb`; 205 | tar xf /tmp/puppetdb/"$CERTS_FILE" -C /opt/puppetlabs/server/data/puppetdb/certs --strip-components 1; 206 | {{- end }} 207 | env: 208 | {{- range $key, $value := .Values.global.extraEnv }} 209 | - name: {{ $key }} 210 | value: "{{ $value }}" 211 | {{- end }} 212 | envFrom: 213 | {{- if .Values.global.extraEnvSecret }} 214 | - secretRef: 215 | name: {{ .Values.global.extraEnvSecret }} 216 | {{- end }} 217 | volumeMounts: 218 | - name: puppetdb-certs 219 | mountPath: /tmp/puppetdb 220 | - name: puppetdb-storage 221 | mountPath: /opt/puppetlabs/server/data/puppetdb 222 | {{- if .Values.singleCA.enabled }} 223 | - name: crl-volume 224 | mountPath: /tmp/crl 225 | {{- if not .Values.singleCA.crl.asSidecar }} 226 | - name: puppet-crl-storage 227 | mountPath: /crl 228 | {{- end }} 229 | {{- end }} 230 | {{- if .Values.global.runAsNonRoot }} 231 | securityContext: 232 | runAsUser: {{ .Values.global.securityContext.runAsUser }} 233 | runAsGroup: {{ .Values.global.securityContext.runAsGroup }} 234 | {{- end }} 235 | {{- end }} 236 | {{- end }} 237 | {{- if .Values.global.runAsNonRoot }} 238 | - name: {{ template "puppetserver.fullname" . 
}} 239 | image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}" 240 | imagePullPolicy: "{{.Values.puppetserver.pullPolicy}}" 241 | resources: 242 | {{- toYaml .Values.puppetserver.masters.resources | nindent 12 }} 243 | env: 244 | - name: PUPPETSERVER_HOSTNAME 245 | value: puppet 246 | # necessary to set certname and server in puppet.conf, required by 247 | # puppetserver ca cli application 248 | {{- if .Values.singleCA.enabled }} 249 | - name: CA_ENABLED 250 | value: "false" 251 | # set the hostname to puppet to identify easily the certificate 252 | {{- end }} 253 | - name: PUPPET_MASTERPORT 254 | value: "{{ template "puppetserver.puppetserver-masters.port" . }}" 255 | - name: DNS_ALT_NAMES 256 | value: "{{ template "puppetserver.master.san" . }}" 257 | - name: PUPPETDB_SERVER_URLS 258 | value: "https://{{ default ( include "puppetdb.fullname" . ) .Values.singleCA.puppetdb.overrideHostname }}:8081" 259 | - name: CA_ALLOW_SUBJECT_ALT_NAMES 260 | value: "true" 261 | {{- range $key, $value := .Values.global.extraEnv }} 262 | - name: {{ $key }} 263 | value: "{{ $value }}" 264 | {{- end }} 265 | {{- range $key, $value := .Values.puppetserver.masters.extraEnv }} 266 | - name: {{ $key }} 267 | value: "{{ $value }}" 268 | {{- end }} 269 | envFrom: 270 | {{- if .Values.global.extraEnvSecret }} 271 | - secretRef: 272 | name: {{ .Values.global.extraEnvSecret }} 273 | {{- end }} 274 | {{- if .Values.puppetserver.masters.extraEnvSecret }} 275 | - secretRef: 276 | name: {{ .Values.puppetserver.masters.extraEnvSecret }} 277 | {{- end }} 278 | ports: 279 | - containerPort: {{ template "puppetserver.puppetserver-masters.port" .}} 280 | volumeMounts: 281 | - name: puppet-puppetserver 282 | mountPath: /etc/puppetlabs/puppetserver/ 283 | - name: puppet-docker-entrypoint-config 284 | mountPath: /docker-entrypoint.sh 285 | subPath: docker-entrypoint.sh 286 | - name: puppet-code-storage 287 | mountPath: /etc/puppetlabs/code/ 288 | - name: puppet-puppet-storage 289 | 
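mountPath: /etc/puppetlabs/puppet/
            {{- if eq .Values.puppetserver.persistence.data.enabled true }}
            - name: puppet-serverdata-storage
              mountPath: /opt/puppetlabs/server/data/puppetserver/
            {{- end }}
            - name: puppet-ca-storage
              mountPath: /etc/puppetlabs/puppetserver/ca/
            {{- range $key, $value := .Values.puppetserver.customconfigs.configmaps }}
            - name: puppetserver-custom-configs
              mountPath: /etc/puppetlabs/puppetserver/conf.d/{{ $key }}
              subPath: {{ $key }}
            {{- end }}
            {{- range $key, $value := .Values.puppetserver.customentrypoints.configmaps }}
            - name: puppetserver-customentrypoints
              mountPath: /docker-custom-entrypoint.d/{{ $key }}
              subPath: {{ $key }}
            {{- end }}
          # Root is required to bootstrap ownership on the persistent volumes;
          # all capabilities are dropped except the file-ownership set.
          # Both the CAP_-prefixed and bare spellings are listed, presumably
          # for container runtimes that differ on the prefix -- confirm which
          # form your CRI honours before trimming the list.
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
            capabilities:
              drop:
                - all
              add:
                - CAP_CHOWN
                - CAP_SETUID
                - CAP_SETGID
                - CAP_DAC_OVERRIDE
                - CAP_AUDIT_WRITE
                - CAP_FOWNER
                - CHOWN
                - SETUID
                - SETGID
                - DAC_OVERRIDE
                - AUDIT_WRITE
                - FOWNER
        {{- end }}
      # Point the masters service name at this pod so the puppetserver ca CLI
      # invoked during initialisation talks to the local instance.
      hostAliases:
        - ip: 127.0.0.1
          hostnames:
            - {{ template "puppetserver.puppetserver-masters.serviceName" . }}
      imagePullSecrets:
        {{- with .Values.global.imagePullSecrets }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      volumes:
        - name: puppet-puppet-storage
          persistentVolumeClaim:
            claimName: {{ template "puppetserver.persistence.puppet.claimName" . }}
        {{- if .Values.global.runAsNonRoot }}
        - name: puppet-puppetserver
          persistentVolumeClaim:
            claimName: {{ template "puppetserver.persistence.server.claimName" . }}
        - name: puppet-code-storage
          persistentVolumeClaim:
            claimName: {{ template "puppetserver.persistence.code.claimName" . }}
        - name: puppet-ca-storage
          persistentVolumeClaim:
            claimName: {{ template "puppetserver.persistence.ca.claimName" . }}
        {{- if eq .Values.puppetserver.persistence.data.enabled true }}
        - name: puppet-serverdata-storage
          persistentVolumeClaim:
            claimName: {{ template "puppetserver.persistence.data.claimName" . }}
        {{- end }}
        - name: puppet-docker-entrypoint-config
          configMap:
            name: {{ template "puppetserver.fullname" . }}-docker-entrypoint-config
            defaultMode: 0550
        {{- if .Values.puppetserver.customconfigs.enabled }}
        - name: puppetserver-custom-configs
          configMap:
            name: {{ template "puppetserver.fullname" . }}-custom-configs
        {{- end }}
        {{- if .Values.puppetserver.customentrypoints.enabled }}
        - name: puppetserver-customentrypoints
          configMap:
            name: {{ template "puppetserver.fullname" . }}-customentrypoints
            # Executable hooks: read/exec for owner and group only, matching
            # the entrypoint ConfigMap above (was 0777, the only mount in this
            # chart carrying write and world bits).
            defaultMode: 0550
        {{- end }}
        {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) }}
        - name: eyamlpub-volume
          secret:
            secretName: {{ template "puppetserver.hiera.publicSecret" . }}
        - name: eyamlpriv-volume
          secret:
            secretName: {{ template "puppetserver.hiera.privateSecret" . }}
            # Private half of the eyaml key pair: owner/group read only, the
            # same mode the r10k ssh/netrc secret mounts use.
            defaultMode: 288 # = mode 0440
        {{- end }}
        {{- end }}
        {{- range $extraSecret := .Values.puppetserver.extraSecrets }}
        - name: {{ $extraSecret.name }}
          secret:
            secretName: {{ $extraSecret.name }}
        {{- end }}
        {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled }}
        - name: puppetserver-certs
          {{- if not .Values.singleCA.enabled }}
          # NOTE(review): the pre-generated bundle is extracted into
          # /etc/puppetlabs/puppet/ssl, which presumably contains private keys,
          # yet it is delivered through a ConfigMap rather than a Secret, so
          # Secret-specific RBAC and encryption-at-rest do not apply to it.
          configMap:
            name: "{{ template "puppetserver.fullname" . }}-preinstall"
          {{- else }}
          secret:
            secretName: {{ .Values.singleCA.certificates.existingSecret.puppetserver }}
          {{- end }}
        {{- end }}
        {{- if and ( or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled) .Values.puppetdb.enabled}}
        - name: puppetdb-storage
          persistentVolumeClaim:
            claimName: {{ include "puppetdb.persistence.claimName" . }}
        - name: puppetdb-certs
          {{- if not .Values.singleCA.enabled }}
          # NOTE(review): same ConfigMap-vs-Secret concern as puppetserver-certs.
          configMap:
            name: "{{ template "puppetserver.fullname" . }}-puppetdb-preinstall"
          {{- else }}
          secret:
            secretName: {{ .Values.singleCA.certificates.existingSecret.puppetdb }}
          {{- end }}
        {{- end }}
        {{- if .Values.singleCA.enabled }}
        - name: crl-volume
          configMap:
            name: {{ template "puppetserver.fullname" . }}-crl-config
            defaultMode: 0550
        {{- end }}
        {{- if and .Values.singleCA.enabled ( not .Values.singleCA.crl.asSidecar ) }}
        - name: puppet-crl-storage
          emptyDir: {}
        {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /templates/puppet-r10k-deployment.yaml: --------------------------------------------------------------------------------
{{- /*
Standalone r10k Deployment that syncs code (and optionally hiera data) onto
the shared code volume. Only rendered when r10k is not run as a sidecar and
the compilers are either disabled or deployed as a Deployment.
*/ -}}
{{- if and .Values.puppetserver.puppeturl (not .Values.r10k.asSidecar) (or ( eq .Values.puppetserver.compilers.kind "Deployment" ) ( not .Values.puppetserver.compilers.enabled ) ) }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "puppetserver.fullname" . }}-r10k
  labels:
    {{- include "puppetserver.r10k.labels" . | nindent 4 }}
    {{- with .Values.r10k.code.extraLabels -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  selector:
    matchLabels:
      {{- include "puppetserver.r10k.matchLabels" .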
| nindent 6 }} 15 | {{- if .Values.r10k.updateStrategy }} 16 | strategy: {{- toYaml .Values.r10k.updateStrategy | nindent 4 }} 17 | {{- end }} 18 | template: 19 | metadata: 20 | labels: 21 | {{- include "puppetserver.r10k.labels" . | nindent 8 }} 22 | {{- with .Values.r10k.code.extraLabels -}} 23 | {{ toYaml . | nindent 8 }} 24 | {{- end }} 25 | annotations: 26 | checksum/r10k-code.configmap: {{ include (print $.Template.BasePath "/r10k-code.configmap.yaml") . | sha256sum }} 27 | checksum/r10k-hiera.configmap: {{ include (print $.Template.BasePath "/r10k-hiera.configmap.yaml") . | sha256sum }} 28 | {{- if .Values.podAnnotations }} 29 | {{- toYaml .Values.podAnnotations | nindent 8 }} 30 | {{- end }} 31 | spec: 32 | # restartPolicy: OnFailure 33 | securityContext: 34 | {{- toYaml .Values.r10k.podSecurityContext | nindent 8 }} 35 | runAsUser: {{ .Values.global.securityContext.runAsUser }} 36 | runAsGroup: {{ .Values.global.securityContext.runAsGroup }} 37 | fsGroup: {{ .Values.global.securityContext.fsGroup }} 38 | containers: 39 | - name: r10k-code 40 | image: "{{ tpl .Values.r10k.image . }}:{{ tpl .Values.r10k.tag . }}" 41 | imagePullPolicy: {{ tpl .Values.r10k.imagePullPolicy . }} 42 | command: 43 | {{- range .Values.r10k.code.command }} 44 | - {{ . | quote }} 45 | {{- end}} 46 | args: 47 | {{- range .Values.r10k.code.args }} 48 | - {{ . 
| quote }} 49 | {{- end }} 50 | resources: 51 | {{- toYaml .Values.r10k.code.resources | nindent 12 }} 52 | env: 53 | {{- range $key, $value := .Values.global.extraEnv }} 54 | - name: {{ $key }} 55 | value: "{{ $value }}" 56 | {{- end }} 57 | {{- range $key, $value := .Values.r10k.code.extraEnv }} 58 | - name: {{ $key }} 59 | value: "{{ $value }}" 60 | {{- end }} 61 | envFrom: 62 | {{- if .Values.global.extraEnvSecret }} 63 | - secretRef: 64 | name: {{ .Values.global.extraEnvSecret }} 65 | {{- end }} 66 | {{- if .Values.r10k.code.extraEnvSecret }} 67 | - secretRef: 68 | name: {{ .Values.r10k.code.extraEnvSecret }} 69 | {{- end }} 70 | volumeMounts: 71 | {{- with .Values.r10k.code.viaSsh.credentials }} 72 | {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} 73 | - name: r10k-code-ssh 74 | mountPath: /home/puppet/.ssh 75 | {{- end }} 76 | {{- end }} 77 | {{- with .Values.r10k.code.viaHttps.credentials }} 78 | {{- if or .existingSecret .netrc.value }} 79 | - name: r10k-code-netrc 80 | mountPath: /home/puppet/.netrc 81 | subPath: .netrc 82 | {{- end }} 83 | {{- end }} 84 | {{- with .Values.r10k.code.viaHttps.customCa }} 85 | {{- if or .existingSecret .cert.value }} 86 | - name: r10k-code-cert 87 | mountPath: /home/puppet/code-certs/ca.pem 88 | subPath: ca.pem 89 | {{- end }} 90 | {{- end }} 91 | - name: puppet-code-storage 92 | mountPath: /etc/puppetlabs/code/ 93 | - name: r10k-code-volume 94 | mountPath: /etc/puppetlabs/puppet/r10k_code_entrypoint.sh 95 | subPath: r10k_code_entrypoint.sh 96 | - name: r10k-code-volume 97 | mountPath: /etc/puppetlabs/puppet/r10k_code_cronjob.sh 98 | subPath: r10k_code_cronjob.sh 99 | - name: r10k-code-volume 100 | mountPath: /etc/puppetlabs/puppet/r10k_code.yaml 101 | subPath: r10k_code.yaml 102 | readinessProbe: 103 | exec: 104 | command: 105 | {{- include "r10k.code.readinessProbe" . 
| nindent 16 }} 106 | failureThreshold: 2 107 | initialDelaySeconds: 5 108 | periodSeconds: 20 109 | successThreshold: 1 110 | timeoutSeconds: 5 111 | securityContext: 112 | {{- toYaml .Values.r10k.containerSecurityContext | nindent 12 }} 113 | {{- if (include "hiera.enable" .) }} 114 | - name: r10k-hiera 115 | image: "{{ tpl .Values.r10k.image . }}:{{ tpl .Values.r10k.tag . }}" 116 | imagePullPolicy: {{ tpl .Values.r10k.imagePullPolicy . }} 117 | command: 118 | - /bin/sh 119 | - -c 120 | args: 121 | - /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh; 122 | resources: 123 | {{- toYaml .Values.r10k.hiera.resources | nindent 12 }} 124 | env: 125 | {{- range $key, $value := .Values.global.extraEnv }} 126 | - name: {{ $key }} 127 | value: "{{ $value }}" 128 | {{- end }} 129 | {{- range $key, $value := .Values.r10k.hiera.extraEnv }} 130 | - name: {{ $key }} 131 | value: "{{ $value }}" 132 | {{- end }} 133 | envFrom: 134 | {{- if .Values.global.extraEnvSecret }} 135 | - secretRef: 136 | name: {{ .Values.global.extraEnvSecret }} 137 | {{- end }} 138 | {{- if .Values.r10k.hiera.extraEnvSecret }} 139 | - secretRef: 140 | name: {{ .Values.r10k.hiera.extraEnvSecret }} 141 | {{- end }} 142 | volumeMounts: 143 | {{- with .Values.r10k.hiera.viaSsh.credentials }} 144 | {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} 145 | - name: r10k-hiera-ssh 146 | mountPath: /home/puppet/.ssh 147 | {{- end }} 148 | {{- end }} 149 | {{- with .Values.r10k.hiera.viaHttps.credentials }} 150 | {{- if or .existingSecret .netrc.value }} 151 | - name: r10k-hiera-netrc 152 | mountPath: /home/puppet/.netrc 153 | subPath: .netrc 154 | {{- end }} 155 | {{- end }} 156 | - name: puppet-code-storage 157 | mountPath: /etc/puppetlabs/code/ 158 | - name: r10k-hiera-volume 159 | mountPath: /etc/puppetlabs/puppet/r10k_hiera_entrypoint.sh 160 | subPath: r10k_hiera_entrypoint.sh 161 | - name: r10k-hiera-volume 162 | mountPath: /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh 163 | subPath: 
r10k_hiera_cronjob.sh 164 | - name: r10k-hiera-volume 165 | mountPath: /etc/puppetlabs/puppet/r10k_hiera.yaml 166 | subPath: r10k_hiera.yaml 167 | {{- if and (or (.Values.hiera.eyaml.existingMap) (.Values.hiera.eyaml.existingSecret)) (not .Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.private_key) }} 168 | - name: eyaml-volume 169 | mountPath: /etc/puppetlabs/puppet/eyaml/keys 170 | {{- end }} 171 | {{- if and (or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key)) (not .Values.hiera.eyaml.existingSecret)}} 172 | - name: eyamlpub-volume 173 | mountPath: /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem 174 | subPath: public_key.pkcs7.pem 175 | - name: eyamlpriv-volume 176 | mountPath: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem 177 | subPath: private_key.pkcs7.pem 178 | {{- end }} 179 | readinessProbe: 180 | exec: 181 | command: ["/bin/sh", "-ec", "test -f {{ .Values.r10k.hiera.cronJob.successFile }}"] 182 | failureThreshold: 2 183 | initialDelaySeconds: 5 184 | periodSeconds: 20 185 | successThreshold: 1 186 | timeoutSeconds: 5 187 | securityContext: 188 | {{- toYaml .Values.r10k.containerSecurityContext | nindent 12 }} 189 | {{- end }} 190 | volumes: 191 | - name: puppet-code-storage 192 | persistentVolumeClaim: 193 | claimName: {{ template "puppetserver.persistence.code.claimName" . }} 194 | - name: r10k-code-volume 195 | configMap: 196 | name: {{ template "puppetserver.fullname" . }}-r10k-code-config 197 | defaultMode: 0550 198 | {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }} 199 | - name: r10k-code-ssh 200 | secret: 201 | secretName: {{ template "r10k.code.viaSsh.secret" . 
}} 202 | defaultMode: 288 # = mode 0440 203 | items: 204 | - key: id_rsa 205 | path: id_rsa 206 | - key: known_hosts 207 | path: known_hosts 208 | {{- end }} 209 | {{- if or .Values.r10k.code.viaHttps.customCa.existingSecret .Values.r10k.code.viaHttps.customCa.cert.value }} 210 | - name: r10k-code-cert 211 | secret: 212 | secretName: {{ template "r10k.code.viaHttps.customCa.secret" . }} 213 | defaultMode: 288 # = mode 0440 214 | items: 215 | - key: cert 216 | path: ca.pem 217 | {{- end }} 218 | {{- if or .Values.r10k.code.viaHttps.credentials.existingSecret .Values.r10k.code.viaHttps.credentials.netrc.value }} 219 | - name: r10k-code-netrc 220 | secret: 221 | secretName: {{ template "r10k.code.viaHttps.secret" . }} 222 | defaultMode: 288 # = mode 0440 223 | items: 224 | - key: netrc 225 | path: .netrc 226 | {{- end }} 227 | {{- if (include "hiera.enable" .) }} 228 | - name: r10k-hiera-volume 229 | configMap: 230 | name: {{ template "puppetserver.fullname" . }}-r10k-hiera-config 231 | defaultMode: 0550 232 | {{- if or (.Values.r10k.hiera.viaSsh.credentials.existingSecret) (and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value)) }} 233 | - name: r10k-hiera-ssh 234 | secret: 235 | secretName: {{ template "r10k.hiera.viaSsh.secret" . }} 236 | defaultMode: 288 # = mode 0440 237 | items: 238 | - key: id_rsa 239 | path: id_rsa 240 | - key: known_hosts 241 | path: known_hosts 242 | {{- end }} 243 | {{- if or .Values.r10k.hiera.viaHttps.credentials.existingSecret .Values.r10k.hiera.viaHttps.credentials.netrc.value }} 244 | - name: r10k-hiera-netrc 245 | secret: 246 | secretName: {{ template "r10k.hiera.viaHttps.secret" . }} 247 | defaultMode: 288 # = mode 0440 248 | items: 249 | - key: netrc 250 | path: .netrc 251 | {{- end }} 252 | {{- if .Values.hiera.config }} 253 | - name: hiera-volume 254 | configMap: 255 | name: {{ template "puppetserver.fullname" . 
}}-hiera-config 256 | {{- end }} 257 | {{- if .Values.hiera.eyaml.existingSecret }} 258 | - name: eyaml-volume 259 | secret: 260 | secretName: {{ .Values.hiera.eyaml.existingSecret }} 261 | {{- else if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) }} 262 | - name: eyamlpub-volume 263 | secret: 264 | secretName: {{ template "puppetserver.hiera.publicSecret" . }} 265 | - name: eyamlpriv-volume 266 | secret: 267 | secretName: {{ template "puppetserver.hiera.privateSecret" . }} 268 | {{- else if .Values.hiera.eyaml.existingMap }} 269 | - name: eyaml-volume 270 | configMap: 271 | name: {{ .Values.hiera.eyaml.existingMap }} 272 | {{- end }} 273 | {{- end }} 274 | {{- range $extraSecret := .Values.puppetserver.extraSecrets }} 275 | - name: {{ $extraSecret.name }} 276 | secret: 277 | secretName: {{ $extraSecret.name }} 278 | {{- end }} 279 | {{- end }} 280 | -------------------------------------------------------------------------------- /templates/puppetboard-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.puppetboard.enabled .Values.puppetboard.ingress.enabled }} 2 | {{- $releaseName := .Release.Name -}} 3 | {{- $serviceName := ( include "puppetdb.fullname" . ) }} 4 | {{- $servicePort := .Values.puppetboard.port -}} 5 | {{- $pathType := .Values.puppetboard.ingress.pathType | default "ImplementationSpecific" -}} 6 | {{- $apiIsStable := eq (include "puppetserver.ingress.isStable" .) "true" -}} 7 | {{- $ingressSupportsPathType := eq (include "puppetserver.ingress.supportsPathType" .) "true" -}} 8 | apiVersion: {{ include "puppetserver.ingress.apiVersion" . }} 9 | kind: Ingress 10 | metadata: 11 | {{- if .Values.puppetboard.ingress.annotations }} 12 | annotations: 13 | {{ toYaml .Values.puppetboard.ingress.annotations | nindent 4 }} 14 | {{- end }} 15 | labels: 16 | {{- include "puppetserver.puppetdb.labels" . 
| nindent 4 }}
    {{- range $key, $value := .Values.puppetboard.ingress.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
  name: {{ template "puppetdb.fullname" . }}-puppetboard
spec:
  {{- if $apiIsStable }}
  {{- if .Values.puppetboard.ingress.ingressClassName }}
  ingressClassName: {{ .Values.puppetboard.ingress.ingressClassName }}
  {{- end }}
  {{- end }}
  rules:
  # Each host entry may carry a path suffix ("host/path"); the first segment
  # is the host, the remainder becomes the HTTP path.
  {{- range .Values.puppetboard.ingress.hosts }}
  {{- $url := splitList "/" . }}
    - host: {{ first $url }}
      http:
        paths:
          - path: /{{ rest $url | join "/" }}
            {{- if and $pathType $ingressSupportsPathType }}
            pathType: {{ $pathType }}
            {{- end }}
            backend:
              {{- if $apiIsStable }}
              service:
                name: {{ $serviceName }}
                port:
                  number: {{ $servicePort }}
              {{- else }}
              serviceName: {{ $serviceName }}
              servicePort: {{ $servicePort }}
              {{- end }}
  {{- end -}}
  # TLS is opt-in: without .Values.puppetboard.ingress.tls the UI is served over plain HTTP.
  {{- if .Values.puppetboard.ingress.tls }}
  tls:
    {{ toYaml .Values.puppetboard.ingress.tls | nindent 4 }}
  {{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/templates/puppetdb-customconfigs-configmap.yaml:
--------------------------------------------------------------------------------
# ConfigMap holding user-supplied puppetdb configuration files; the deployment
# mounts each key under /etc/puppetlabs/puppetdb/conf.d/.
{{- if .Values.puppetdb.customconfigs.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetdb.fullname" . }}-custom-configs
  labels:
    {{- include "puppetserver.puppetdb.labels" .
| nindent 4 }}
    {{- range $key, $value := .Values.puppetdb.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
data:
  # NOTE(review): this is a ConfigMap, not a Secret. Anything sensitive placed
  # in puppetdb.customconfigs.configmaps (e.g. a database.ini) is stored in clear.
  {{- toYaml .Values.puppetdb.customconfigs.configmaps | nindent 2 }}
{{- end }}

--------------------------------------------------------------------------------
/templates/puppetdb-deployment.yaml:
--------------------------------------------------------------------------------
# puppetdb Deployment: the puppetdb container plus optional puppetboard,
# CRL-updater and Prometheus-exporter sidecars.
{{- if and .Values.puppetdb.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "puppetdb.fullname" . }}
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- with .Values.puppetdb.extraLabels -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  {{- if .Values.puppetdb.annotations }}
  annotations:
    {{- toYaml .Values.puppetdb.annotations | nindent 4 }}
  {{- end }}
spec:
  selector:
    matchLabels:
      {{- include "puppetserver.puppetdb.matchLabels" . | nindent 6 }}
  {{- if .Values.puppetdb.updateStrategy }}
  strategy: {{- toYaml .Values.puppetdb.updateStrategy | nindent 4 }}
  {{- end }}
  template:
    metadata:
      labels:
        {{- include "puppetserver.puppetdb.labels" . | nindent 8 }}
        {{- with .Values.puppetdb.extraLabels -}}
        {{ toYaml . | nindent 8 }}
        {{- end }}
      annotations:
        # Checksum annotations force a rollout when the referenced ConfigMaps
        # change. Only the custom-configs and CRL ConfigMaps are covered here.
        {{- if .Values.puppetdb.customconfigs.enabled }}
        checksum/custom-configs.configmap: {{ include (print $.Template.BasePath "/puppetdb-customconfigs-configmap.yaml") . | sha256sum }}
        {{- end }}
        {{- if and .Values.singleCA.enabled .Values.singleCA.crl.asSidecar }}
        checksum/crl-config: {{ include (print $.Template.BasePath "/update-crl-configmap.yaml") .
| sha256sum }}
        {{- end }}
        {{- if .Values.podAnnotations }}
        {{- toYaml .Values.podAnnotations | nindent 8 }}
        {{- end }}
        {{- if .Values.puppetdb.podAnnotations }}
        {{- toYaml .Values.puppetdb.podAnnotations | nindent 8 }}
        {{- end }}
    spec:
      hostname: puppetdb
      {{- if .Values.puppetdb.serviceAccount.enabled }}
      serviceAccountName: {{ include "puppetdb.serviceAccountName" . }}
      {{- end }}
      initContainers:
        # Blocks start-up until PostgreSQL accepts TCP connections on 5432.
        # Runs unprivileged (uid/gid 1000, no privilege escalation).
        - name: pgchecker
          image: "{{.Values.global.pgchecker.image}}:{{.Values.global.pgchecker.tag}}"
          imagePullPolicy: {{.Values.global.pgchecker.imagePullPolicy}}
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
          command:
            - sh
            - -c
            - |
              echo 'Waiting for PostgreSQL to become ready...'
              until printf "." && nc -z -w 2 {{ include "postgresql.hostname" . }} 5432; do
                sleep 2;
              done;
              echo 'PostgreSQL OK ✓'
          resources:
            requests:
              cpu: 20m
              memory: 32Mi
            limits:
              cpu: 20m
              memory: 32Mi
        # Polls the puppetserver status endpoint until it reports "running".
        # NOTE(review): --insecure skips TLS verification for this probe. Only the
        # status string is read and no credentials are sent, so the exposure is
        # limited to a spoofed "running" answer delaying or unblocking start-up.
        - name: wait-puppetserver
          image: "{{.Values.global.curl.image}}:{{.Values.global.curl.tag}}"
          imagePullPolicy: {{.Values.global.curl.imagePullPolicy}}
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
          command:
            - sh
            - -c
            - |
              echo 'Waiting for puppetserver to become ready...'
              until printf "." && curl --silent --fail --insecure 'https://{{ template "puppetserver.puppetserver-masters.serviceName" . }}:{{ template "puppetserver.puppetserver-masters.port" . }}/status/v1/simple' | grep -q '^running$'; do
                sleep 2;
              done;
              echo 'Puppetserver OK ✓'
          resources:
            requests:
              cpu: 20m
              memory: 32Mi
            limits:
              cpu: 20m
              memory: 32Mi
        {{- with .Values.puppetdb.extraInitContainers }}
        {{- toYaml .
| nindent 8 }}
        {{- end }}
      containers:
        # User-supplied containers are emitted before puppetdb itself.
        {{- with .Values.puppetdb.extraContainers }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        - name: puppetdb
          image: "{{.Values.puppetdb.image}}:{{.Values.puppetdb.tag}}"
          imagePullPolicy: "{{.Values.puppetdb.pullPolicy}}"
          resources:
            {{- toYaml .Values.puppetdb.resources | nindent 12 }}
          env:
            - name: PUPPETSERVER_HOSTNAME
              value: {{ template "puppetserver.puppetserver-masters.serviceName" . }}
            - name: PUPPETSERVER_PORT
              value: "{{ template "puppetserver.puppetserver-masters.port" . }}"
            - name: DNS_ALT_NAMES
              value: {{ template "puppetdb.san" . }}
            # The PostgreSQL host is derived from the chart unless the operator
            # overrides it through puppetdb.extraEnv.
            {{- if not (hasKey .Values.puppetdb.extraEnv "PUPPETDB_POSTGRES_HOSTNAME") }}
            - name: PUPPETDB_POSTGRES_HOSTNAME
              value: "{{ include "postgresql.hostname" . }}"
            {{- end }}
            # Database credentials are read from the Secret rendered by
            # puppetdb-secret.yaml (or the operator's existing Secret), never
            # inlined into the pod spec.
            - name: PUPPETDB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ template "puppetdb.secret" . }}
                  key: password
            - name: PUPPETDB_USER
              valueFrom:
                secretKeyRef:
                  name: {{ template "puppetdb.secret" .
}}
                  key: username
            # extraEnv entries are rendered as literal values in the pod spec;
            # use extraEnvSecret (below) for anything that must stay out of it.
            {{- range $key, $value := .Values.global.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            {{- range $key, $value := .Values.puppetdb.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
          envFrom:
            {{- if .Values.global.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.global.extraEnvSecret }}
            {{- end }}
            {{- if .Values.puppetdb.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.puppetdb.extraEnvSecret }}
            {{- end }}
          ports:
            # 8080 is plain HTTP; the chart's NetworkPolicy only admits 8081 (TLS).
            - name: pdb-http
              containerPort: 8080
            - name: pdb-https
              containerPort: 8081
          volumeMounts:
            - name: puppetdb-storage
              mountPath: /opt/puppetlabs/server/data/puppetdb
            # subPath mounts are not refreshed when the ConfigMap changes, and no
            # checksum annotation covers the metrics ConfigMap, so edits to it
            # need a manual rollout.
            {{- if .Values.puppetdb.metrics.enabled }}
            - name: puppetdb-metrics-volume
              mountPath: /etc/puppetlabs/puppetdb/jolokia-access.xml
              subPath: jolokia-access.xml
            - name: puppetdb-metrics-volume
              mountPath: /etc/puppetlabs/puppetdb/conf.d/metrics.conf
              subPath: metrics.conf
            {{- end -}}
            {{- range $key, $value := .Values.puppetdb.customconfigs.configmaps }}
            - name: puppetdb-custom-configs
              mountPath: /etc/puppetlabs/puppetdb/conf.d/{{ $key }}
              subPath: {{ $key }}
            {{- end }}
          securityContext:
            {{- toYaml .Values.puppetdb.securityContext | nindent 12 }}
        {{- if .Values.puppetboard.enabled }}
        # puppetboard UI sidecar; talks to puppetdb over TLS with the puppetdb
        # client certificate taken from the shared data volume.
        - name: puppetboard
          image: "{{.Values.puppetboard.image}}:{{.Values.puppetboard.tag}}"
          imagePullPolicy: "{{.Values.puppetboard.pullPolicy}}"
          resources:
            {{- toYaml .Values.puppetboard.resources | nindent 12 }}
          env:
            - name: PUPPETDB_HOST
              value: {{ if .Values.singleCA.enabled}}{{.Values.singleCA.puppetdb.overrideHostname}}{{ else }}{{ ( include "puppetdb.fullname" .
) }}{{ end }}
            - name: PUPPETDB_PORT
              value: "8081"
            - name: PUPPETDB_SSL_VERIFY
              value: "/opt/puppetlabs/server/data/puppetdb/certs/certs/ca.pem"
            - name: PUPPETDB_CERT
              value: "/opt/puppetlabs/server/data/puppetdb/certs/certs/puppetdb.pem"
            - name: PUPPETDB_KEY
              value: "/opt/puppetlabs/server/data/puppetdb/certs/private_keys/puppetdb.pem"
            - name: PUPPETBOARD_PORT
              value: {{ .Values.puppetboard.port | quote }}
            # Flask session-signing key, generated/persisted by puppetdb-secret.yaml.
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ template "puppetdb.fullname" . }}-puppetboard
                  key: SECRET_KEY
            {{- range $key, $value := .Values.global.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            {{- range $key, $value := .Values.puppetboard.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
          envFrom:
            {{- if .Values.global.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.global.extraEnvSecret }}
            {{- end }}
            {{- if .Values.puppetboard.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.puppetboard.extraEnvSecret }}
            {{- end }}
          ports:
            - name: puppetboard
              containerPort: {{ .Values.puppetboard.port }}
          # NOTE(review): runAsUser/runAsGroup are appended after the user's
          # securityContext; if that map already sets them the rendered YAML has
          # duplicate keys — confirm which value wins with your parser.
          securityContext:
            {{- toYaml .Values.puppetboard.securityContext | nindent 12 }}
            runAsUser: {{ .Values.global.securityContext.runAsUser }}
            runAsGroup: {{ .Values.global.securityContext.runAsGroup }}
          # NOTE(review): the whole puppetdb data volume (including the puppetdb
          # private key it references above) is mounted read-write; puppetboard
          # only needs to read the cert/key paths.
          volumeMounts:
            - name: puppetdb-storage
              mountPath: /opt/puppetlabs/server/data/puppetdb
        {{- end }}
        {{- if and .Values.singleCA.enabled .Values.singleCA.crl.asSidecar }}
        # singleCA crl script update Sidecar
        - name: update-crl
          image: "{{ tpl .Values.singleCA.crl.image . }}:{{ tpl .Values.singleCA.crl.tag . }}"
          imagePullPolicy: {{ tpl .Values.singleCA.crl.imagePullPolicy .
}}
          resources:
            {{- toYaml .Values.singleCA.crl.resources | nindent 12 }}
          env:
            - name: SSL_PATH
              value: /opt/puppetlabs/server/data/puppetdb/certs
            - name: CRL_SCRIPT_PATH
              value: /opt/puppetlabs/server/data/puppetdb/scripts
            {{- range $key, $value := .Values.global.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            {{- range $key, $value := .Values.singleCA.crl.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            # NOTE(review): puppetdb's own extraEnv / extraEnvSecret are injected
            # into this sidecar too, so anything sensitive there is also visible
            # to the CRL container.
            {{- range $key, $value := .Values.puppetdb.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
          envFrom:
            {{- if .Values.global.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.global.extraEnvSecret }}
            {{- end }}
            {{- if .Values.singleCA.crl.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.singleCA.crl.extraEnvSecret }}
            {{- end }}
            {{- if .Values.puppetdb.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.puppetdb.extraEnvSecret }}
            {{- end }}
          # The entrypoint script is read from the shared data volume (CRL_SCRIPT_PATH).
          command: ["sh", "-c", "/opt/puppetlabs/server/data/puppetdb/scripts/crl_entrypoint.sh" ]
          securityContext:
            runAsUser: {{ .Values.global.securityContext.runAsUser }}
            runAsGroup: {{ .Values.global.securityContext.runAsGroup }}
            {{- toYaml .Values.singleCA.crl.securityContext | nindent 12 }}
          volumeMounts:
            - name: puppetdb-storage
              mountPath: /opt/puppetlabs/server/data/puppetdb
          # Ready once the script has dropped its success marker in $HOME.
          # NOTE(review): presumably HOME is writable for the configured runAsUser — verify.
          readinessProbe:
            exec:
              command: ["/bin/sh", "-ec", "test -f ~/.crl_cronjob.success"]
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 20
            successThreshold: 1
            timeoutSeconds: 5
        {{- end }}
        {{- if .Values.metrics.prometheus.puppetdb.enabled }}
        # Prometheus exporter sidecar scraping puppetdb over mutual TLS.
        - name: puppetdb-exporter
          image: "{{ tpl .Values.metrics.prometheus.puppetdb.image . }}:{{ tpl .Values.metrics.prometheus.puppetdb.tag .
}}"
          imagePullPolicy: {{ tpl .Values.metrics.prometheus.puppetdb.imagePullPolicy . }}
          resources:
            {{- toYaml .Values.metrics.prometheus.puppetdb.resources | nindent 12 }}
          env:
            - name: PUPPETDB_URL
              value: "https://{{ if .Values.singleCA.enabled}}{{.Values.singleCA.puppetdb.overrideHostname}}{{ else }}{{ ( include "puppetdb.fullname" . ) }}{{ end }}:8081/pdb/query"
            - name: PUPPETDB_CERT_FILE
              value: "/opt/puppetlabs/server/data/puppetdb/certs/certs/puppetdb.pem"
            - name: PUPPETDB_KEY_FILE
              value: "/opt/puppetlabs/server/data/puppetdb/certs/private_keys/puppetdb.pem"
            - name: PUPPETDB_CA_FILE
              value: "/opt/puppetlabs/server/data/puppetdb/certs/certs/ca.pem"
            - name: PUPPETDB_SCRAPE_INTERVAL
              value: "{{ .Values.metrics.prometheus.puppetdb.interval }}"
            # Metrics listener binds all interfaces; reachable on the pod IP.
            - name: PUPPETDB_LISTEN_ADDRESS
              value: "0.0.0.0:{{ .Values.metrics.prometheus.puppetdb.port }}"
            {{- range $key, $value := .Values.global.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
            {{- range $key, $value := .Values.metrics.prometheus.puppetdb.extraEnv }}
            - name: {{ $key }}
              value: "{{ $value }}"
            {{- end }}
          envFrom:
            {{- if .Values.global.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.global.extraEnvSecret }}
            {{- end }}
            {{- if .Values.metrics.prometheus.puppetdb.extraEnvSecret }}
            - secretRef:
                name: {{ .Values.metrics.prometheus.puppetdb.extraEnvSecret }}
            {{- end }}
          ports:
            - name: metrics
              containerPort: {{ .Values.metrics.prometheus.puppetdb.port }}
          # Hardened: fixed non-root uid/gid, no privilege escalation, all
          # capabilities dropped. NOTE(review): uid 999 is hard-coded while the
          # puppetdb container uses .Values.puppetdb.securityContext; the exporter
          # must still be able to read the private key on the shared volume — verify.
          securityContext:
            runAsUser: 999
            runAsGroup: 999
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
          volumeMounts:
            - name: puppetdb-storage
              mountPath: /opt/puppetlabs/server/data/puppetdb
        {{- end }}
        {{- if .Values.singleCA.puppetdb.overrideHostname }}
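{{- $service := lookup "v1" "Service" .Release.Namespace (include "puppetdb.fullname" . ) }}
      # Maps the singleCA override hostname to the puppetdb Service's ClusterIP.
      # NOTE(review): `lookup` needs a live cluster; client-side rendering
      # (helm template / diff, GitOps renderers) takes the loopback fallback,
      # which would point PUPPETDB_HOST of the sidecars at 127.0.0.1.
      hostAliases:
        {{- if $service }}
        - ip: {{ $service.spec.clusterIP }}
        {{- else }}
        - ip: 127.0.0.1 # this case is just to avoid an error with helm diff
        {{- end }}
          hostnames:
            - {{ .Values.singleCA.puppetdb.overrideHostname }}
      {{- end }}
      imagePullSecrets:
        # nindent so that every entry of the list is indented, not only the first
        # (a bare toYaml emits the 2nd+ entries at column 0 and breaks the YAML).
        {{- with .Values.global.imagePullSecrets }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      volumes:
        - name: puppetdb-storage
          persistentVolumeClaim:
            claimName: {{ template "puppetdb.persistence.claimName" . }}
        {{- if .Values.puppetdb.metrics.enabled }}
        - name: puppetdb-metrics-volume
          configMap:
            name: {{ include "puppetdb.fullname" . }}-metrics-config
        {{- end }}
        {{- if .Values.puppetdb.customconfigs.enabled }}
        - name: puppetdb-custom-configs
          configMap:
            name: {{ include "puppetdb.fullname" . }}-custom-configs
        {{- end }}
      {{- if .Values.nodeSelector }}
      nodeSelector:
        {{ toYaml .Values.nodeSelector | nindent 10 }}
      {{- end }}
      {{- if .Values.affinity }}
      affinity:
        {{ toYaml .Values.affinity | nindent 10 }}
      {{- end }}
      {{- if .Values.tolerations }}
      tolerations:
        {{ toYaml .Values.tolerations| nindent 10 }}
      {{- end }}
      # Accept either served version of the scheduling API group; checking only
      # v1beta1 silently dropped priorityClassName on clusters that serve just v1.
      {{- if and (or (.Capabilities.APIVersions.Has "scheduling.k8s.io/v1") (.Capabilities.APIVersions.Has "scheduling.k8s.io/v1beta1")) (.Values.priorityClassName) }}
      priorityClassName: {{ .Values.priorityClassName }}
      {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-metrics-configmap.yaml:
--------------------------------------------------------------------------------
# metrics.conf and the Jolokia access policy mounted into the puppetdb container
# when puppetdb.metrics.enabled is set.
{{- if and (.Values.puppetdb.enabled) (.Values.puppetdb.metrics.enabled) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetdb.fullname" .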
}}-metrics-config
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.puppetdb.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
data:
  # NOTE(review): `debug: "true"` in servlet-init-params turns on Jolokia debug
  # output; for production consider "false". The access policy below is what
  # actually limits what the metrics/v2 endpoint will serve.
  metrics.conf: |
    metrics: {
      # a server id that will be used as part of the namespace for metrics produced
      # by this server
      server-id: localhost
      registries: {
        puppetserver: {
          # specify metrics to allow in addition to those in the default list
          #metrics-allowed: ["compiler.compile.production"]

          reporters: {
            # enable or disable JMX metrics reporter
            jmx: {
              enabled: true
            }
            # enable or disable Graphite metrics reporter
            #graphite: {
            # enabled: true
            #}
          }
        }
      }

      # this section is used to configure settings for reporters that will send
      # the metrics to various destinations for external viewing
      reporters: {
        #graphite: {
        # # graphite host
        # host: "127.0.0.1"
        # # graphite metrics port
        # port: 2003
        # # how often to send metrics to graphite
        # update-interval-seconds: 5
        #}
      }
      metrics-webservice: {
        jolokia: {
          # Enable or disable the Jolokia-based metrics/v2 endpoint.
          # Default is true.
          # enabled: false

          # Configure any of the settings listed at:
          # https://jolokia.org/reference/html/agents.html#war-agent-installation
          servlet-init-params: {
            # Specify a custom security policy:
            # https://jolokia.org/reference/html/security.html
            debug: "true"
            policyLocation: "file:///etc/puppetlabs/puppetdb/jolokia-access.xml"
          }
        }
      }
    }

  # NOTE(review): the XML markup of this policy appears to have been stripped
  # in this copy (only element text survives) — compare with the chart source.
  # As shown it admits any client host (0.0.0.0/0) for read/list/version/search
  # and exposes the num-nodes population attribute.
  jolokia-access.xml: |



    0.0.0.0/0



    read
    list
    version
    search



    puppetlabs.puppetdb.population:name=num-nodes
    Value
    objectName


{{- end -}}
--------------------------------------------------------------------------------
/templates/puppetdb-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
# PodSecurityPolicy for the puppetdb pod. NOTE(review): the PSP API was removed
# in Kubernetes 1.25; the "podsecuritypolicy.apiVersion" helper selects the
# served version on older clusters.
{{- if and (.Values.puppetdb.enabled) (.Values.puppetdb.psp.create) }}
apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "puppetdb.fullname" . }}
  # PodSecurityPolicy is cluster-scoped; this namespace field has no effect.
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.puppetdb.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
  annotations:
    {{- with .Values.puppetdb.psp.annotations -}}
    {{ toYaml .
| nindent 4 }}
    {{- end }}
spec:
  privileged: false
  # Everything is dropped by default, but the list below lets containers add
  # back file-ownership and uid/gid-switching capabilities, which together are
  # close to root-equivalent on the filesystem.
  requiredDropCapabilities:
    - all
  # NOTE(review): Kubernetes capability names are the bare form (e.g. CHOWN);
  # the CAP_-prefixed duplicates are presumably inert — confirm before relying on them.
  allowedCapabilities:
    - CAP_FOWNER
    - CAP_CHOWN
    - CAP_SETUID
    - CAP_SETGID
    - CAP_DAC_OVERRIDE
    - FOWNER
    - CHOWN
    - SETUID
    - SETGID
    - DAC_OVERRIDE
  volumes:
    - 'configMap'
    - 'secret'
    - 'persistentVolumeClaim'
    - 'emptyDir'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # RunAsAny permits root containers; the actual uid is set per container in
  # the deployment (runAsNonRoot for the init containers and exporter).
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-preInstall.configMap.yaml:
--------------------------------------------------------------------------------
# Pre-install hook ConfigMap carrying pre-generated puppetdb certificate
# archives from init/puppet-certs/puppetdb/. Deleted once the hook has run.
# NOTE(review): this is a ConfigMap, not a Secret; if the archives contain
# private keys (the directory name suggests they do), any principal with
# ConfigMap read access in the namespace can retrieve them while it exists.
{{- if and (.Values.puppetserver.preGeneratedCertsJob.enabled) (.Values.puppetserver.preGeneratedCertsJob.importPuppetdb) (not .Values.singleCA.enabled) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetdb.fullname" . }}-preinstall
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.puppetdb.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
  annotations:
    "helm.sh/hook": "pre-install"
    "helm.sh/hook-weight": "1"
    "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed"
binaryData:
  {{- $root := .
}}
  {{- range $path, $bytes := .Files.Glob "init/puppet-certs/puppetdb/*.gz" }}
  {{ base $path }}: {{ $root.Files.Get $path | b64enc | quote }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-pvc.yaml:
--------------------------------------------------------------------------------
# PersistentVolumeClaim for puppetdb data (certs, keys, local state) unless an
# existing claim is supplied.
{{- if and ( .Values.puppetdb.enabled ) ( not .Values.puppetdb.persistence.existingClaim ) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "puppetdb.fullname" . }}-claim
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.puppetdb.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
  annotations:
    # Rendered as a pre-install hook when certificates are imported up front,
    # so the claim exists before the import job runs. NOTE(review): hook
    # resources are not tracked by the release, so `helm uninstall` leaves
    # this claim (and the key material on it) behind.
    {{- if or (.Values.puppetserver.preGeneratedCertsJob.enabled) (.Values.singleCA.enabled) }}
    helm.sh/hook: pre-install
    helm.sh/hook-weight: "0"
    {{- end }}
    {{- include "puppetdb.persistence.annotations" . | nindent 4 }}
spec:
  accessModes:
    {{- toYaml ( .Values.puppetdb.persistence.accessModes | default .Values.storage.accessModes ) | nindent 4 }}
  resources:
    requests:
      storage: {{ .Values.puppetdb.persistence.size | default .Values.storage.size | quote }}
  # "-" selects the empty storage class explicitly (no dynamic provisioning).
  {{- $storageClass := include "puppetdb.persistence.storageClass" . }}
  {{- if $storageClass }}
  {{- if (eq "-" $storageClass) }}
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ $storageClass }}"
  {{- end }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-role.yaml:
--------------------------------------------------------------------------------
# Namespaced Role granting the puppetdb ServiceAccount `use` on its PSP.
{{- if .Values.puppetdb.rbac.create }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "puppetdb.fullname" .
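}}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.puppetdb.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
  annotations:
    {{- with .Values.puppetdb.rbac.annotations -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
rules:
  # The `use` verb on podsecuritypolicies lives in the "policy" API group on
  # every cluster that served policy/v1beta1; "extensions" is kept for the
  # legacy extensions/v1beta1 PSP API. Listing only "extensions" left the
  # ServiceAccount unable to use the PSP on newer clusters.
  {{- if .Values.puppetdb.psp.create }}
  - apiGroups: ["policy", "extensions"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    # Scoped to this chart's PSP only.
    resourceNames:
      - {{ template "puppetdb.fullname" . }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-rolebinding.yaml:
--------------------------------------------------------------------------------
# Binds the Role above to the puppetdb ServiceAccount. Note the Role itself is
# gated only on puppetdb.rbac.create, while this binding also requires
# puppetdb.enabled.
{{- if and (.Values.puppetdb.enabled) (.Values.puppetdb.rbac.create) }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "puppetdb.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.puppetdb.extraLabels }}
    {{ $key }}: {{ $value }}
    {{- end }}
  annotations:
    {{- with .Values.puppetdb.rbac.annotations -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "puppetdb.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ template "puppetdb.serviceAccountName" .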
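}}
    namespace: {{ .Release.Namespace }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-secret.yaml:
--------------------------------------------------------------------------------
# Two Secrets: the PostgreSQL credentials consumed by the puppetdb container
# (skipped when the operator provides global.postgresql.auth.existingSecret),
# and the puppetboard session-signing key.
{{- if .Values.puppetdb.enabled }}
{{- if not .Values.global.postgresql.auth.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "puppetdb.secret" . }}
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
type: Opaque
data:
  username: {{ .Values.global.postgresql.auth.username | b64enc | quote }}
  password: {{ .Values.global.postgresql.auth.password | b64enc | quote }}
{{- end }}
---
{{- if .Values.puppetboard.enabled }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "puppetdb.fullname" . }}-puppetboard
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
type: Opaque
data:
  # Reuse the key of the Secret this template created on a previous install so
  # puppetboard sessions survive `helm upgrade`. The lookup must target the
  # same name as metadata.name above: a hard-coded "puppetdb-puppetboard"
  # never matched when puppetdb.fullname differed, which regenerated
  # SECRET_KEY on every upgrade. Without a cluster (helm template) the lookup
  # is empty and a fresh random key is rendered.
  {{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-puppetboard" (include "puppetdb.fullname" .)) }}
  {{- if $secret }}
  SECRET_KEY: {{ $secret.data.SECRET_KEY }}
  {{- else }}
  SECRET_KEY: {{ randAlphaNum 64 | b64enc | quote }}
  {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-service.yaml:
--------------------------------------------------------------------------------
# ClusterIP/LoadBalancer Service in front of the puppetdb pod.
{{- if .Values.puppetdb.enabled }}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "puppetdb.fullname" . }}
  labels:
    {{- include "puppetserver.puppetdb.labels" .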
| nindent 4 }}
    {{- if .Values.puppetdb.service.labels }}
    {{- toYaml .Values.puppetdb.service.labels | nindent 4 }}
    {{- end }}
  {{- if .Values.puppetdb.service.annotations }}
  annotations:
    {{- toYaml .Values.puppetdb.service.annotations | nindent 4 }}
  {{- end }}
spec:
  ports:
    # 8080 (plain HTTP) is published alongside 8081 (TLS); with type
    # LoadBalancer both become reachable from outside the cluster.
    - name: pdb-http
      port: 8080
      targetPort: pdb-http
    - name: pdb-https
      port: 8081
      targetPort: pdb-https
    {{- if .Values.puppetboard.enabled }}
    - name: puppetboard
      port: {{ .Values.puppetboard.port }}
      targetPort: {{ .Values.puppetboard.service.targetPort }}
    {{- end }}
    # NOTE(review): the exporter container in puppetdb-deployment.yaml is gated
    # on .Values.metrics.prometheus.puppetdb.enabled and listens on
    # .Values.metrics.prometheus.puppetdb.port, whereas this port uses the
    # top-level .Values.metrics.prometheus.* keys — confirm they agree in
    # values.yaml, otherwise the ServiceMonitor's "metrics" port targets nothing.
    {{- if .Values.metrics.prometheus.enabled }}
    - name: metrics
      port: {{ .Values.metrics.prometheus.port }}
      targetPort: {{ .Values.metrics.prometheus.port }}
    {{- end }}
  {{- if eq .Values.puppetdb.service.type "ClusterIP" }}
  clusterIP: {{ .Values.puppetdb.service.clusterIP }}
  {{- end }}
  selector:
    {{- include "puppetserver.puppetdb.matchLabels" . | nindent 4 }}
  type: {{ .Values.puppetdb.service.type }}
  {{- if (and (eq .Values.puppetdb.service.type "LoadBalancer") (not (empty .Values.puppetdb.service.loadBalancerIP))) }}
  loadBalancerIP: {{ .Values.puppetdb.service.loadBalancerIP }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-serviceaccount.yaml:
--------------------------------------------------------------------------------
# Dedicated ServiceAccount for the puppetdb pod (opt-in), so its RBAC can be
# kept separate from the namespace default account.
{{- if and (.Values.puppetdb.serviceAccount.enabled) (.Values.puppetdb.serviceAccount.create) }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "puppetdb.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  annotations:
    {{- with .Values.puppetdb.serviceAccount.annotations -}}
    {{ toYaml .
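| nindent 4 }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb-servicemonitor.yaml:
--------------------------------------------------------------------------------
# Prometheus Operator ServiceMonitor for the puppetdb exporter's "metrics" port.
# Fails the render when the monitoring CRDs are absent unless the API check is
# explicitly disabled.
{{- if and .Values.puppetdb.enabled .Values.metrics.prometheus.puppetdb.enabled .Values.metrics.prometheus.puppetdb.serviceMonitor.enabled }}
{{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }}
{{- if (not (.Values.metrics.prometheus.disableAPICheck)) }}
{{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }}
{{- end }}
{{- end }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: {{ template "puppetdb.fullname" . }}
  namespace: {{ default .Release.Namespace .Values.metrics.prometheus.puppetdb.serviceMonitor.namespace | quote }}
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    {{- with .Values.metrics.prometheus.puppetdb.serviceMonitor.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    # Fixed selector label for the kube-prometheus-stack default Prometheus;
    # an additionalLabels entry with the same key would duplicate it.
    release: kube-prometheus-stack
spec:
  # The default is built with printf: a "{{ ... }}" inside a string literal is
  # not re-evaluated by Helm, so the previous literal default rendered the
  # braces verbatim and produced invalid YAML whenever jobLabel was unset.
  jobLabel: {{ .Values.metrics.prometheus.puppetdb.serviceMonitor.jobLabel | default (printf "%s-puppetdb" .Release.Name) }}
  endpoints:
    - port: metrics
      path: /metrics
      {{- with .Values.metrics.prometheus.puppetdb.serviceMonitor.honorLabels }}
      honorLabels: {{ . }}
      {{- end }}
      {{- with .Values.metrics.prometheus.puppetdb.serviceMonitor.honorTimestamps }}
      honorTimestamps: {{ . }}
      {{- end }}
      {{- with .Values.metrics.prometheus.puppetdb.serviceMonitor.enableHttp2 }}
      enableHttp2: {{ . }}
      {{- end }}
      {{- with .Values.metrics.prometheus.puppetdb.serviceMonitor.followRedirects }}
      followRedirects: {{ . }}
      {{- end }}
      {{- with .Values.metrics.prometheus.puppetdb.serviceMonitor.interval }}
      interval: {{ .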
}}
      {{- end }}
      {{- with .Values.metrics.prometheus.puppetdb.serviceMonitor.scrapeTimeout }}
      scrapeTimeout: {{ . }}
      {{- end }}
      # metricRelabelings are passed through tpl (template expressions in
      # values are expanded); relabelings are emitted verbatim.
      {{- if .Values.metrics.prometheus.puppetdb.serviceMonitor.metricRelabelings }}
      metricRelabelings:
      {{ tpl (toYaml .Values.metrics.prometheus.puppetdb.serviceMonitor.metricRelabelings | indent 6) . }}
      {{- end }}
      {{- if .Values.metrics.prometheus.puppetdb.serviceMonitor.relabelings }}
      relabelings:
      {{ toYaml .Values.metrics.prometheus.puppetdb.serviceMonitor.relabelings | indent 6 }}
      {{- end }}
  namespaceSelector:
    matchNames:
      - {{ .Release.Namespace | quote }}
  selector:
    matchLabels:
      {{- include "puppetserver.puppetdb.matchLabels" . | nindent 6 }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetdb.networkpolicy.yaml:
--------------------------------------------------------------------------------
# NetworkPolicy for the puppetdb pod: inbound only on 8081 (TLS) from pods in
# this namespace, outbound limited to DNS, puppetserver, puppetdb peers and
# PostgreSQL, plus whatever the operator adds through values.
{{- if .Values.puppetdb.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ template "puppetdb.fullname" . }}
  labels:
    {{- include "puppetserver.puppetdb.labels" . | nindent 4 }}
    # NOTE(review): this puppetdb resource merges puppetserver.masters.extraLabels,
    # whereas the other puppetdb templates use puppetdb.extraLabels.
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  podSelector:
    matchLabels:
      {{- include "puppetserver.puppetdb.matchLabels" .
| nindent 6 }}
  policyTypes:
    {{- toYaml .Values.puppetdb.networkPolicy.policyTypes | nindent 4 }}
  ingress:
    # Any pod in the release namespace may reach 8081; 8080 (plain HTTP) is
    # not admitted. An empty podSelector never matches other namespaces.
    - from:
        - podSelector: {}
      ports:
        - port: 8081
    {{- if .Values.puppetdb.networkPolicy.additionnalIngressRules }}
    {{- toYaml .Values.puppetdb.networkPolicy.additionnalIngressRules | nindent 4 }}
    {{- end }}
  egress:
    # Cluster DNS (kube-dns in kube-system), TCP and UDP.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
    # NOTE(review): this rule additionally allows port 53 to *any* address,
    # which covers external resolvers but also lets a compromised pod use DNS
    # as an egress channel; drop it if cluster DNS is sufficient.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 53
    # puppetserver (8140) for certificate / report traffic.
    - to:
        - podSelector:
            matchLabels:
              {{- include "puppetserver.puppetserver.matchLabels" . | nindent 12 }}
      ports:
        - port: 8140
    # Any pod in the namespace on 8081 (puppetdb peers / self).
    - to:
        - podSelector: {}
      ports:
        - port: 8081
    # PostgreSQL in the release namespace, matched by the bitnami chart label.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Release.Namespace }}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: postgresql
      ports:
        - port: 5432
    {{- if .Values.puppetdb.networkPolicy.additionnalEgressRules }}
    {{- toYaml .Values.puppetdb.networkPolicy.additionnalEgressRules | nindent 4 }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-ca-backup-cronjob.yaml:
--------------------------------------------------------------------------------
# Scheduled restic backup of the puppetserver CA directory and puppet config
# (i.e. the CA private key) to the repository configured in values. Not used
# when the CA is external (singleCA).
{{- if and .Values.puppetserver.masters.backup.enabled (not .Values.singleCA.enabled) }}
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ template "puppetserver.fullname" . }}-master-backup
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels -}}
    {{ toYaml .
| nindent 4 }} 10 | {{- end }} 11 | spec: 12 | concurrencyPolicy: Forbid 13 | suspend: false 14 | failedJobsHistoryLimit: {{ .Values.puppetserver.masters.backup.failedJobsHistoryLimit }} 15 | schedule: "{{ .Values.puppetserver.masters.backup.schedule }}" 16 | successfulJobsHistoryLimit: {{ .Values.puppetserver.masters.backup.successfulJobsHistoryLimit }} 17 | jobTemplate: 18 | metadata: 19 | labels: 20 | {{- include "puppetserver.puppetserver.labels" . | nindent 8 }} 21 | {{- with .Values.puppetserver.masters.extraLabels -}} 22 | {{ toYaml . | nindent 8 }} 23 | {{- end }} 24 | spec: 25 | template: 26 | spec: 27 | affinity: 28 | podAffinity: 29 | requiredDuringSchedulingIgnoredDuringExecution: 30 | - labelSelector: 31 | matchLabels: 32 | {{- include "puppetserver.puppetserver.matchLabels" . | nindent 20 }} 33 | topologyKey: kubernetes.io/hostname 34 | restartPolicy: OnFailure 35 | containers: 36 | - name: restic-backup 37 | image: "{{ .Values.puppetserver.masters.backup.image }}:{{ .Values.puppetserver.masters.backup.tag }}" 38 | imagePullPolicy: {{ .Values.puppetserver.masters.backup.pullPolicy }} 39 | command: 40 | - /bin/sh 41 | - -c 42 | - |- 43 | set -euf 44 | restic snapshots -q || restic init -q 45 | restic backup --tag=puppet-ca --host={{ template "puppetserver.fullname" . }} /backup 46 | restic forget --prune --keep-last {{ .Values.puppetserver.masters.backup.restic.keep_last }} 47 | resources: 48 | {{- toYaml .Values.puppetserver.masters.backup.resources | nindent 14 }} 49 | env: 50 | - name: RESTIC_REPOSITORY 51 | value: {{ .Values.puppetserver.masters.backup.restic.repository | quote }} 52 | - name: RESTIC_PASSWORD 53 | valueFrom: 54 | secretKeyRef: 55 | name: {{ template "puppetserver.fullname" . }}-restic-backup-creds 56 | key: restic_password 57 | - name: AWS_ACCESS_KEY_ID 58 | valueFrom: 59 | secretKeyRef: 60 | name: {{ template "puppetserver.fullname" . 
}}-restic-backup-creds 61 | key: access_key_id 62 | - name: AWS_SECRET_ACCESS_KEY 63 | valueFrom: 64 | secretKeyRef: 65 | name: {{ template "puppetserver.fullname" . }}-restic-backup-creds 66 | key: secret_access_key 67 | volumeMounts: 68 | - name: puppet-ca-storage 69 | mountPath: /backup/etc/puppetlabs/puppetserver/ca/ 70 | - name: puppet-puppet-storage 71 | mountPath: /backup/etc/puppetlabs/puppet/ 72 | {{- if .Values.puppetserver.masters.backup.caConfigMap }} 73 | - name: restic-ca-certificates 74 | mountPath: /etc/ssl/certs/ca-certificates.crt 75 | subPath: ca-certificates.crt 76 | {{- end }} 77 | volumes: 78 | - name: puppet-ca-storage 79 | persistentVolumeClaim: 80 | claimName: {{ template "puppetserver.persistence.ca.claimName" . }} 81 | - name: puppet-puppet-storage 82 | persistentVolumeClaim: 83 | claimName: {{ template "puppetserver.persistence.puppet.claimName" . }} 84 | {{- if .Values.puppetserver.masters.backup.caConfigMap }} 85 | - name: restic-ca-certificates 86 | configMap: 87 | name: {{ .Values.puppetserver.masters.backup.caConfigMap }} 88 | defaultMode: 0777 89 | {{- end }} 90 | {{- end }} 91 | -------------------------------------------------------------------------------- /templates/puppetserver-ca-backup-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.puppetserver.masters.backup.enabled (not .Values.singleCA.enabled) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "puppetserver.fullname" . }}-restic-backup-creds 6 | labels: 7 | {{- include "puppetserver.puppetserver.labels" . | nindent 4 }} 8 | {{- with .Values.puppetserver.masters.extraLabels }} 9 | {{ toYaml . 
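| nindent 4 }}
    {{- end }}
type: Opaque
data:
  # Each credential is emitted only when it is set in values.
  # NOTE(review): the backup CronJob's secretKeyRef entries are not marked
  # optional, so leaving one of these empty makes the backup pod fail to start
  # rather than run without it — confirm that is the intended failure mode.
  {{- with .Values.puppetserver.masters.backup.restic }}
  {{- if .password }}
  restic_password: {{ .password | b64enc | quote }}
  {{- end }}
  {{- if .access_key_id }}
  access_key_id: {{ .access_key_id | b64enc | quote }}
  {{- end }}
  {{- if .secret_access_key }}
  secret_access_key: {{ .secret_access_key | b64enc | quote }}
  {{- end }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-ca-pvc.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.puppetserver.persistence.ca.existingClaim }}
# Claim backing the Puppet CA directory.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "puppetserver.fullname" . }}-ca-claim
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.global.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- if .Values.global.runAsNonRoot }}
    # Helm does not manage hook resources as part of the release, so a claim
    # created this way is not removed by "helm uninstall".
    helm.sh/hook: pre-install
    {{- end }}
    {{- include "puppetserver.persistence.ca.annotations" . | nindent 4 }}
spec:
  accessModes:
    {{- toYaml ( .Values.puppetserver.persistence.ca.accessModes | default .Values.storage.accessModes ) | nindent 4 }}
  resources:
    requests:
      storage: {{ .Values.puppetserver.persistence.ca.size | default .Values.storage.size | quote }}
  {{- $storageClass := include "puppetserver.persistence.ca.storageClass" . }}
  {{- if $storageClass }}
  {{- if (eq "-" $storageClass) }}
  # "-" forces an empty storageClassName (no dynamic provisioning) instead of
  # the cluster default.
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ $storageClass }}"
  {{- end }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-code-pvc.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.puppetserver.persistence.code.existingClaim }}
# Only rendered when compilers run as a Deployment or are disabled; presumably
# a StatefulSet of compilers brings its own code volume — confirm.
{{- if or ( eq .Values.puppetserver.compilers.kind "Deployment" ) ( not .Values.puppetserver.compilers.enabled ) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "puppetserver.fullname" . }}-code-claim
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.global.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- if .Values.global.runAsNonRoot }}
    helm.sh/hook: pre-install
    {{- end }}
    {{- include "puppetserver.persistence.code.annotations" . | nindent 4 }}
spec:
  accessModes:
    {{- toYaml ( .Values.puppetserver.persistence.code.accessModes | default .Values.storage.accessModes ) | nindent 4 }}
  resources:
    requests:
      storage: {{ .Values.puppetserver.persistence.code.size | default .Values.storage.size | quote }}
  {{- $storageClass := include "puppetserver.persistence.code.storageClass" . }}
  {{- if $storageClass }}
  {{- if (eq "-" $storageClass) }}
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ $storageClass }}"
  {{- end }}
  {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-compilers.networkpolicy.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.compilers.networkPolicy.enabled }}
# NetworkPolicy for the compiler pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ template "puppetserver.fullname" . }}-puppetserver-compilers
  labels:
    {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  podSelector:
    matchLabels:
      {{- include "puppetserver.puppetserver-compilers.matchLabels" . | nindent 6 }}
  policyTypes:
    {{- toYaml .Values.puppetserver.compilers.networkPolicy.policyTypes | nindent 4 }}
  ingress:
    # Needed for the initial cert generation & puppetdb initContainer
    # Only pods in this namespace carrying the chart's app label are matched;
    # traffic arriving from an ingress controller in another namespace needs
    # its own entry in additionnalIngressRules.
    - from:
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: "{{ .Values.puppetserver.name }}"
      ports:
      - port: 8140
    {{- if .Values.puppetserver.compilers.networkPolicy.additionnalIngressRules }}
    {{- toYaml .Values.puppetserver.compilers.networkPolicy.additionnalIngressRules | nindent 4 }}
    {{- end }}
  egress:
    # needed to resolve kubernetes dns query
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
      - protocol: TCP
        port: 53
      - protocol: UDP
        port: 53
    # needed to resolve external dns query ( like proxy )
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
      ports:
      - port: 53
    # PuppetDB on 8081 (this rule was previously listed twice; rules are a
    # union, so the duplicate had no effect).
    - to:
      - podSelector:
          matchLabels:
            {{- include "puppetserver.puppetdb.matchLabels" . | nindent 12 }}
      ports:
      - port: 8081
    # The masters on 8140.
    - to:
      - podSelector:
          matchLabels:
            {{- include "puppetserver.puppetserver.matchLabels" . | nindent 12 }}
      ports:
      - port: 8140
    {{- if .Values.puppetserver.compilers.networkPolicy.additionnalEgressRules }}
    {{- toYaml .Values.puppetserver.compilers.networkPolicy.additionnalEgressRules | nindent 4 }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-compilers.pdb.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.puppetserver.compilers.enabled .Values.puppetserver.compilers.podDisruptionBudget.enabled (or ( and (gt ( int .Values.puppetserver.compilers.manualScaling.compilers ) 1) ( not .Values.puppetserver.compilers.autoScaling.enabled)) (and .Values.puppetserver.compilers.autoScaling.enabled (gt ( int .Values.puppetserver.compilers.autoScaling.minCompilers ) 1)))}}
# Only rendered when more than one compiler is guaranteed (manual count > 1
# without autoscaling, or autoscaling with minCompilers > 1); a budget over a
# single replica would block node drains.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: {{ template "puppetserver.fullname" . }}-compilers
  labels:
    {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.compilers.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  {{- with .Values.puppetserver.compilers.podDisruptionBudget.minAvailable }}
  minAvailable: {{ . }}
  {{- end }}
  {{- with .Values.puppetserver.compilers.podDisruptionBudget.maxUnavailable }}
  maxUnavailable: {{ . }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "puppetserver.puppetserver-compilers.matchLabels" .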
| nindent 6 }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-confd-pvc.yaml:
--------------------------------------------------------------------------------
{{- if and (not .Values.puppetserver.persistence.confd.existingClaim) (not .Values.global.runAsNonRoot) (eq .Values.puppetserver.persistence.confd.enabled true)}}
# Claim for puppetserver's conf.d, rendered only when NOT running as non-root.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "puppetserver.fullname" . }}-confd-claim
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.global.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    # NOTE(review): unreachable — the file-level condition above already
    # requires runAsNonRoot to be false, so this hook annotation is never
    # emitted for this claim.
    {{- if .Values.global.runAsNonRoot }}
    helm.sh/hook: pre-install
    {{- end }}
    {{- include "puppetserver.persistence.confd.annotations" . | nindent 4 }}
spec:
  accessModes:
    {{- toYaml ( .Values.puppetserver.persistence.confd.accessModes | default .Values.storage.accessModes ) | nindent 4 }}
  resources:
    requests:
      storage: {{ .Values.puppetserver.persistence.confd.size | default .Values.storage.size | quote }}
  {{- $storageClass := include "puppetserver.persistence.confd.storageClass" . }}
  {{- if $storageClass }}
  {{- if (eq "-" $storageClass) }}
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ $storageClass }}"
  {{- end }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-custom-entrypoints-configmap.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.customentrypoints.enabled }}
# ConfigMap whose entries are copied verbatim from
# .Values.puppetserver.customentrypoints.configmaps.
# NOTE(review): the name suggests these are scripts executed when the
# puppetserver container starts; if so, treat the values as code — confirm how
# the consuming template mounts and invokes them.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-customentrypoints
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
data:
  {{- toYaml .Values.puppetserver.customentrypoints.configmaps | nindent 2 }}
{{- end }}

--------------------------------------------------------------------------------
/templates/puppetserver-customconfigs-configmap.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.customconfigs.enabled }}
# ConfigMap whose entries are copied verbatim from
# .Values.puppetserver.customconfigs.configmaps.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-custom-configs
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
data:
  {{- toYaml .Values.puppetserver.customconfigs.configmaps | nindent 2 }}
{{- end }}

--------------------------------------------------------------------------------
/templates/puppetserver-data-pvc.yaml:
--------------------------------------------------------------------------------
{{- if and (not .Values.puppetserver.persistence.data.existingClaim) (eq .Values.puppetserver.persistence.data.enabled true) }}
# Claim for puppetserver's server data directory.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "puppetserver.fullname" . }}-serverdata-claim
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.global.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- if .Values.global.runAsNonRoot }}
    # Helm does not manage hook resources as part of the release, so a claim
    # created this way is not removed by "helm uninstall".
    helm.sh/hook: pre-install
    {{- end }}
    {{- include "puppetserver.persistence.data.annotations" . | nindent 4 }}
spec:
  accessModes:
    {{- toYaml ( .Values.puppetserver.persistence.data.accessModes | default .Values.storage.accessModes ) | nindent 4 }}
  resources:
    requests:
      storage: {{ .Values.puppetserver.persistence.data.size | default .Values.storage.size | quote }}
  {{- $storageClass := include "puppetserver.persistence.data.storageClass" . }}
  {{- if $storageClass }}
  {{- if (eq "-" $storageClass) }}
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ $storageClass }}"
  {{- end }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-hpa-compilers.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.compilers.enabled }}
{{- if .Values.puppetserver.compilers.autoScaling.enabled }}
# HPA for the compilers. The metrics block uses the autoscaling/v2 resource
# metric shape (target.type/averageUtilization); the apiVersion helper is
# assumed to return a version that accepts it — confirm.
apiVersion: {{ include "puppetserver.autoscaling.apiVersion" . }}
kind: HorizontalPodAutoscaler
metadata:
  name: {{ template "puppetserver.fullname" . }}-compilers-autoscaler
  labels:
    {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.compilers.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: {{ .Values.puppetserver.compilers.kind }}
    name: {{ template "puppetserver.fullname" . }}-puppetserver-compiler
  minReplicas: {{ .Values.puppetserver.compilers.autoScaling.minCompilers }}
  maxReplicas: {{ .Values.puppetserver.compilers.autoScaling.maxCompilers }}
  # A percentage of 0 (or unset) is falsy for "with", so that metric is omitted.
  metrics:
  {{- with .Values.puppetserver.compilers.autoScaling.cpuUtilizationPercentage }}
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: {{ . }}
  {{- end }}
  {{- with .Values.puppetserver.compilers.autoScaling.memoryUtilizationPercentage }}
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: {{ . }}
  {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-hpa-masters.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.masters.multiMasters.enabled }}
{{- if .Values.puppetserver.masters.multiMasters.autoScaling.enabled }}
# HPA for the masters Deployment; same metric shape caveat as the compilers HPA.
apiVersion: {{ include "puppetserver.autoscaling.apiVersion" . }}
kind: HorizontalPodAutoscaler
metadata:
  name: {{ template "puppetserver.fullname" . }}-masters-autoscaler
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ template "puppetserver.fullname" . }}-puppetserver-master
  minReplicas: {{ .Values.puppetserver.masters.multiMasters.autoScaling.minMasters }}
  maxReplicas: {{ .Values.puppetserver.masters.multiMasters.autoScaling.maxMasters }}
  metrics:
  {{- with .Values.puppetserver.masters.multiMasters.autoScaling.cpuUtilizationPercentage }}
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: {{ . }}
  {{- end }}
  {{- with .Values.puppetserver.masters.multiMasters.autoScaling.memoryUtilizationPercentage }}
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: {{ .
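}}
  {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-ingress-compilers.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.puppetserver.compilers.enabled .Values.puppetserver.compilers.ingress.enabled -}}
{{- $serviceName := include "puppetserver.puppetserver-compilers.serviceName" . }}
{{- $servicePort := .Values.puppetserver.compilers.service.ports.puppetserver.port -}}
{{- $pathType := .Values.puppetserver.compilers.ingress.pathType | default "ImplementationSpecific" -}}
{{- $apiIsStable := eq (include "puppetserver.ingress.isStable" .) "true" -}}
{{- $ingressSupportsPathType := eq (include "puppetserver.ingress.supportsPathType" .) "true" -}}
# Ingress in front of the compilers service. Each entry of ingress.hosts is
# "host[/path]"; the part before the first "/" becomes the host, the rest the path.
# NOTE(review): puppet agents authenticate with client certificates on 8140;
# an ingress that terminates TLS will not pass those through unless the
# controller is configured for passthrough — confirm the intended mode.
apiVersion: {{ include "puppetserver.ingress.apiVersion" . }}
kind: Ingress
metadata:
  {{- if .Values.puppetserver.compilers.ingress.annotations }}
  annotations:
    {{ toYaml .Values.puppetserver.compilers.ingress.annotations | nindent 4 }}
  {{- end }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    # Quoted so label values that YAML would otherwise type (true, 123) stay
    # strings, which is what the API requires for labels.
    {{- range $key, $value := .Values.puppetserver.compilers.ingress.extraLabels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  name: {{ template "puppetserver.fullname" . }}-compilers
spec:
  {{- if $apiIsStable }}
  {{- if .Values.puppetserver.compilers.ingress.ingressClassName }}
  ingressClassName: {{ .Values.puppetserver.compilers.ingress.ingressClassName }}
  {{- end }}
  {{- end }}
  rules:
  {{- range .Values.puppetserver.compilers.ingress.hosts }}
  {{- $url := splitList "/" . }}
  # Quoted: an unquoted wildcard host such as *.example.com is read by YAML as
  # an alias and fails to parse.
  - host: {{ first $url | quote }}
    http:
      paths:
      - path: /{{ rest $url | join "/" }}
        {{- if and $pathType $ingressSupportsPathType }}
        pathType: {{ $pathType }}
        {{- end }}
        backend:
          {{- if $apiIsStable }}
          service:
            name: {{ $serviceName }}
            port:
              number: {{ $servicePort }}
          {{- else }}
          serviceName: {{ $serviceName }}
          servicePort: {{ $servicePort }}
          {{- end }}
  {{- end -}}
  {{- if .Values.puppetserver.compilers.ingress.tls }}
  tls:
    {{ toYaml .Values.puppetserver.compilers.ingress.tls | nindent 4 }}
  {{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/templates/puppetserver-ingress-masters.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.masters.ingress.enabled -}}
{{- $serviceName := include "puppetserver.puppetserver-masters.serviceName" . }}
{{- $servicePort := .Values.puppetserver.masters.service.ports.puppetserver.port -}}
{{- $pathType := .Values.puppetserver.masters.ingress.pathType | default "ImplementationSpecific" -}}
{{- $apiIsStable := eq (include "puppetserver.ingress.isStable" .) "true" -}}
{{- $ingressSupportsPathType := eq (include "puppetserver.ingress.supportsPathType" .) "true" -}}
# Ingress in front of the masters service; same host/path split and TLS
# passthrough caveat as the compilers ingress.
apiVersion: {{ include "puppetserver.ingress.apiVersion" . }}
kind: Ingress
metadata:
  {{- if .Values.puppetserver.masters.ingress.annotations }}
  annotations:
    {{ toYaml .Values.puppetserver.masters.ingress.annotations | nindent 4 }}
  {{- end }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- range $key, $value := .Values.puppetserver.masters.ingress.extraLabels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  name: {{ template "puppetserver.fullname" . }}-masters
spec:
  {{- if $apiIsStable }}
  {{- if .Values.puppetserver.masters.ingress.ingressClassName }}
  ingressClassName: {{ .Values.puppetserver.masters.ingress.ingressClassName }}
  {{- end }}
  {{- end }}
  rules:
  {{- range .Values.puppetserver.masters.ingress.hosts }}
  {{- $url := splitList "/" . }}
  - host: {{ first $url | quote }}
    http:
      paths:
      - path: /{{ rest $url | join "/" }}
        {{- if and $pathType $ingressSupportsPathType }}
        pathType: {{ $pathType }}
        {{- end }}
        backend:
          {{- if $apiIsStable }}
          service:
            name: {{ $serviceName }}
            port:
              number: {{ $servicePort }}
          {{- else }}
          serviceName: {{ $serviceName }}
          servicePort: {{ $servicePort }}
          {{- end }}
  {{- end -}}
  {{- if .Values.puppetserver.masters.ingress.tls }}
  tls:
    {{ toYaml .Values.puppetserver.masters.ingress.tls | nindent 4 }}
  {{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/templates/puppetserver-init-configmap.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.masters.multiMasters.enabled }}
# Init script for additional masters: if an SSL dir already exists, wait until
# another master has finished generating the puppet*.pem certs before starting.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-init-masters-config
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
data:
  # NOTE(review): the guard tests $PUPPET_SSL_DIR but the listing and the wait
  # loop use the hard-coded /etc/puppetlabs/puppet/ssl/certs; the two disagree
  # if the variable points elsewhere. The loop also has no upper bound, so a
  # master whose certs never appear keeps this init step waiting forever —
  # consider a timeout.
  check_for_masters.sh: |
    #!/usr/bin/env bash
    if [[ -d "$PUPPET_SSL_DIR" ]]; then
      ls -la /etc/puppetlabs/puppet/ssl/certs/
      echo "A Puppetserver master has already started running."
      echo "Waiting to finish the generation of the Puppet SSL certs..."
      sleep 5
      while ! [[ -n "$(find /etc/puppetlabs/puppet/ssl/certs -name 'puppet*.pem' | head -1)" ]];
      do
        echo "Still waiting..."
        sleep 5
      done
      sleep 15
      echo "Puppet SSL certs have been generated. Continuing..."
    else
      echo "No other Puppetserver master is running. Continuing..."
    fi
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-manifests-configmap.yaml:
--------------------------------------------------------------------------------
---
# Minimal site.pp: classes are resolved through hiera.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-manifests-config
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
data:
  site.pp: |
    hiera_include('classes')
--------------------------------------------------------------------------------
/templates/puppetserver-masters.networkpolicy.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.masters.networkPolicy.enabled }}
# NetworkPolicy for the master pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ template "puppetserver.fullname" . }}-puppetserver
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  podSelector:
    matchLabels:
      {{- include "puppetserver.puppetserver.matchLabels" .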
| nindent 6 }}
  policyTypes:
    {{- toYaml .Values.puppetserver.masters.networkPolicy.policyTypes | nindent 4 }}
  ingress:
    # Needed for the initial cert generation & puppetdb initContainer
    # Only pods in this namespace carrying the chart's app label are matched;
    # traffic arriving from an ingress controller in another namespace needs
    # its own entry in additionnalIngressRules.
    - from:
      - podSelector:
          matchLabels:
            app.kubernetes.io/name: "{{ .Values.puppetserver.name }}"
      ports:
      - port: 8140
    {{- if .Values.puppetserver.masters.networkPolicy.additionnalIngressRules }}
    {{- toYaml .Values.puppetserver.masters.networkPolicy.additionnalIngressRules | nindent 4 }}
    {{- end }}
  egress:
    # needed to resolve kubernetes dns query
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
      - protocol: TCP
        port: 53
      - protocol: UDP
        port: 53
    # needed to resolve external dns query ( like proxy )
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
      ports:
      - port: 53
    # PuppetDB on 8081.
    - to:
      - podSelector:
          matchLabels:
            {{- include "puppetserver.puppetdb.matchLabels" . | nindent 12 }}
      ports:
      - port: 8081
    {{- if .Values.puppetserver.masters.networkPolicy.additionnalEgressRules }}
    {{- toYaml .Values.puppetserver.masters.networkPolicy.additionnalEgressRules | nindent 4 }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-masters.pdb.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.puppetserver.masters.podDisruptionBudget.enabled .Values.puppetserver.masters.multiMasters.enabled (or ( and (gt ( int .Values.puppetserver.masters.multiMasters.manualScaling.masters ) 1) ( not .Values.puppetserver.masters.multiMasters.autoScaling.enabled)) (and .Values.puppetserver.masters.multiMasters.autoScaling.enabled (gt ( int .Values.puppetserver.masters.multiMasters.autoScaling.minMasters ) 1)))}}
# Only rendered when more than one master is guaranteed (manual count > 1
# without autoscaling, or autoscaling with minMasters > 1); a budget over a
# single replica would block node drains.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: {{ template "puppetserver.fullname" . }}-masters
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  {{- with .Values.puppetserver.masters.podDisruptionBudget.minAvailable }}
  minAvailable: {{ . }}
  {{- end }}
  {{- with .Values.puppetserver.masters.podDisruptionBudget.maxUnavailable }}
  maxUnavailable: {{ . }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "puppetserver.puppetserver.matchLabels" . | nindent 6 }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-podsecuritypolicy.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.psp.create }}
# PodSecurityPolicy used by the chart's ServiceAccount (granted "use" via the
# Role). PSP no longer exists on clusters >= 1.25; the apiVersion helper and
# psp.create are assumed to guard that — confirm.
apiVersion: {{ include "podsecuritypolicy.apiVersion" .
}}
kind: PodSecurityPolicy
metadata:
  name: {{ template "puppetserver.fullname" . }}
  # PodSecurityPolicy is cluster-scoped; this namespace field is ignored.
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled .Values.global.runAsNonRoot }}
    # Installed as an early pre-install hook (weight -10), presumably so the
    # pre-install jobs' pods are admitted against it — confirm.
    helm.sh/hook: pre-install
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/hook-weight: "-10"
    {{- end }}
    {{- with .Values.puppetserver.psp.annotations -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
spec:
  privileged: false
  # Drop everything, then re-allow the set below. Each name appears both with
  # and without the CAP_ prefix, presumably to match either spelling in a pod
  # spec. DAC_OVERRIDE bypasses file permission checks and SETUID/SETGID allow
  # uid/gid changes, so this is still a fairly wide allowance.
  requiredDropCapabilities:
    - all
  allowedCapabilities:
    - CAP_CHOWN
    - CAP_SETUID
    - CAP_SETGID
    - CAP_DAC_OVERRIDE
    - CAP_AUDIT_WRITE
    - CAP_FOWNER
    - CHOWN
    - SETUID
    - SETGID
    - DAC_OVERRIDE
    - AUDIT_WRITE
    - FOWNER
  volumes:
    - 'configMap'
    - 'secret'
    - 'persistentVolumeClaim'
    - 'emptyDir'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # RunAsAny permits root. Where global.runAsNonRoot is in use this could be
  # tightened to MustRunAsNonRoot.
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-preInstall.configMap.yaml:
--------------------------------------------------------------------------------
{{- if and (.Values.puppetserver.preGeneratedCertsJob.enabled) (not .Values.singleCA.enabled) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-preinstall
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    # Deleted once the pre-install hook finishes either way, which bounds how
    # long the packed certificate material lives in the API.
    "helm.sh/hook": "pre-install"
    "helm.sh/hook-weight": "1"
    "helm.sh/hook-delete-policy": "hook-succeeded,hook-failed"
binaryData:
  # Every *.gz under init/puppet-certs/puppetserver/ is embedded
  # base64-encoded under its basename.
  # NOTE(review): if these archives carry private keys, a Secret is the
  # appropriate kind — ConfigMaps are not covered by Secret-specific RBAC or
  # encryption-at-rest configuration; confirm the contents.
  {{- $root := . }}
  {{- range $path, $bytes := .Files.Glob "init/puppet-certs/puppetserver/*.gz" }}
  {{ base $path }}: {{ $root.Files.Get $path | b64enc | quote }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-puppetserver-pvc.yaml:
--------------------------------------------------------------------------------
{{- if and (not .Values.puppetserver.persistence.server.existingClaim) .Values.global.runAsNonRoot }}
# Claim for the puppetserver directory, rendered only in non-root mode.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "puppetserver.fullname" . }}-puppetserver-claim
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.global.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    # Always true here, since the file-level condition requires runAsNonRoot.
    {{- if .Values.global.runAsNonRoot }}
    helm.sh/hook: pre-install
    {{- end }}
    {{- include "puppetserver.persistence.server.annotations" . | nindent 4 }}
spec:
  accessModes:
    {{- toYaml ( .Values.puppetserver.persistence.server.accessModes | default .Values.storage.accessModes ) | nindent 4 }}
  resources:
    requests:
      storage: {{ .Values.puppetserver.persistence.server.size | default .Values.storage.size | quote }}
  {{- $storageClass := include "puppetserver.persistence.server.storageClass" .
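}}
  {{- if $storageClass }}
  {{- if (eq "-" $storageClass) }}
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ $storageClass }}"
  {{- end }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-pvc.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.puppetserver.persistence.puppet.existingClaim }}
# Claim for /etc/puppetlabs/puppet (certs, config).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ template "puppetserver.fullname" . }}-puppet-claim
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.global.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled .Values.global.runAsNonRoot }}
    # Becomes a pre-install hook whenever a pre-install job needs the claim.
    # Helm does not manage hook resources as part of the release, so the claim
    # then survives "helm uninstall".
    helm.sh/hook: pre-install
    {{- end }}
    {{- include "puppetserver.persistence.puppet.annotations" . | nindent 4 }}
spec:
  accessModes:
    {{- toYaml ( .Values.puppetserver.persistence.puppet.accessModes | default .Values.storage.accessModes ) | nindent 4 }}
  resources:
    requests:
      storage: {{ .Values.puppetserver.persistence.puppet.size | default .Values.storage.size | quote }}
  {{- $storageClass := include "puppetserver.persistence.puppet.storageClass" . }}
  {{- if $storageClass }}
  {{- if (eq "-" $storageClass) }}
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ $storageClass }}"
  {{- end }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-role.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.rbac.create }}
# Namespaced Role for the chart's ServiceAccount. Its only rule is "use" on the
# chart's PodSecurityPolicy, so without psp.create the Role is empty.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "puppetserver.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled .Values.global.runAsNonRoot }}
    helm.sh/hook: pre-install
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/hook-weight: "-10"
    {{- end }}
    {{- with .Values.puppetserver.rbac.annotations -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
rules:
  {{- if .Values.puppetserver.psp.create }}
  # PSPs are served from the "policy" API group on clusters where the
  # extensions/v1beta1 copy has been removed; a rule on "extensions" alone does
  # not authorise "use" of a policy/v1beta1 PSP, so both groups are listed.
  - apiGroups: ["extensions", "policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
      - {{ template "puppetserver.fullname" . }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-rolebinding.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.rbac.create }}
# Binds the Role above to the chart's ServiceAccount in the release namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "puppetserver.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled .Values.global.runAsNonRoot }}
    # Same hook ordering as the Role and PSP (weight -10) so the binding exists
    # before the pre-install jobs run.
    helm.sh/hook: pre-install
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/hook-weight: "-10"
    {{- end }}
    {{- with .Values.puppetserver.rbac.annotations -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "puppetserver.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ template "puppetserver.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-service-agents-to-masters.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.compilers.enabled }}
# Service that agents use to reach the masters when compilers are enabled.
# With type LoadBalancer or NodePort the listed ports become reachable from
# outside the cluster; the masters NetworkPolicy still applies to the pods.
apiVersion: v1
kind: Service
metadata:
  name: {{ template "puppetserver.puppetserver.agents-to-masters.serviceName" . }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- if .Values.puppetserver.masters.service.labels }}
    {{- toYaml .Values.puppetserver.masters.service.labels | nindent 4 }}
    {{- end }}
  {{- if .Values.puppetserver.masters.service.annotations }}
  annotations:
    {{- toYaml .Values.puppetserver.masters.service.annotations | nindent 4 }}
  {{- end }}
spec:
  ports:
    # Each key of masters.service.ports becomes a port name; its value is
    # spliced in as the remaining port fields.
    {{- range $key, $value := .Values.puppetserver.masters.service.ports }}
    - name: {{ $key }}
      {{- toYaml $value | nindent 6 }}
    {{- end }}
  selector:
    {{- include "puppetserver.puppetserver.matchLabels" . | nindent 4 }}
  type: {{ .Values.puppetserver.masters.service.type }}
  {{- if (and (eq .Values.puppetserver.masters.service.type "LoadBalancer") (not (empty .Values.puppetserver.masters.service.loadBalancerIP))) }}
  loadBalancerIP: {{ .Values.puppetserver.masters.service.loadBalancerIP }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-service-compilers-headless.yaml:
--------------------------------------------------------------------------------
{{- if .Values.puppetserver.compilers.enabled }}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "puppetserver.puppetserver-compilers.serviceName" .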
}}-headless
  labels:
    {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }}
    {{- if .Values.puppetserver.compilers.service.headless.labels }}
    {{- toYaml .Values.puppetserver.compilers.service.headless.labels | nindent 4 }}
    {{- end }}
  {{- if .Values.puppetserver.compilers.service.headless.annotations }}
  annotations:
    {{- toYaml .Values.puppetserver.compilers.service.headless.annotations | nindent 4 }}
  {{- end }}
spec:
  {{- /* Headless Service (no cluster IP): it only provides per-pod DNS records
         for the compiler pods it selects, which the compilers StatefulSet uses
         as its serviceName. It never receives traffic itself. */}}
  clusterIP: None
  ports:
    {{- range $key, $value := .Values.puppetserver.compilers.service.headless.ports }}
    - name: {{ $key }}
      {{- toYaml $value | nindent 6 }}
    {{- end }}
  selector:
    {{- include "puppetserver.puppetserver-compilers.matchLabels" . | nindent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-service-compilers.yaml:
--------------------------------------------------------------------------------
{{- /*
Agent-facing Service for the compiler pods. The service type comes straight from
values: with LoadBalancer the compilers' port is reachable from outside the
cluster, so the only thing standing between the internet and catalog compilation
is puppet's own client-certificate authentication.
*/}}
{{- if .Values.puppetserver.compilers.enabled }}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "puppetserver.puppetserver-compilers.serviceName" . }}
  labels:
    {{- include "puppetserver.puppetserver-compilers.labels" . | nindent 4 }}
    {{- if .Values.puppetserver.compilers.service.labels }}
    {{- toYaml .Values.puppetserver.compilers.service.labels | nindent 4 }}
    {{- end }}
  {{- if .Values.puppetserver.compilers.service.annotations }}
  annotations:
    {{- toYaml .Values.puppetserver.compilers.service.annotations | nindent 4 }}
  {{- end }}
spec:
  ports:
    {{- range $key, $value := .Values.puppetserver.compilers.service.ports }}
    - name: {{ $key }}
      {{- toYaml $value | nindent 6 }}
    {{- end }}
  selector:
    {{- include "puppetserver.puppetserver-compilers.matchLabels" . | nindent 4 }}
  type: {{ .Values.puppetserver.compilers.service.type }}
  {{- /* loadBalancerIP is only meaningful for LoadBalancer services; it is
         emitted only when the type matches and a value was given. */}}
  {{- if (and (eq .Values.puppetserver.compilers.service.type "LoadBalancer") (not (empty .Values.puppetserver.compilers.service.loadBalancerIP))) }}
  loadBalancerIP: {{ .Values.puppetserver.compilers.service.loadBalancerIP }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-service-masters.yaml:
--------------------------------------------------------------------------------
{{- /*
Service for the master (CA-holding) pods; always rendered.
When compilers are enabled the type is pinned to ClusterIP regardless of values,
so the masters are reachable only inside the cluster and external agents have to
go through the compilers (or the separate agents-to-masters Service).
*/}}
apiVersion: v1
kind: Service
metadata:
  name: {{ template "puppetserver.puppetserver-masters.serviceName" . }}
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- if .Values.puppetserver.masters.service.labels }}
    {{- toYaml .Values.puppetserver.masters.service.labels | nindent 4 }}
    {{- end }}
  {{- if .Values.puppetserver.masters.service.annotations }}
  annotations:
    {{- toYaml .Values.puppetserver.masters.service.annotations | nindent 4 }}
  {{- end }}
spec:
  ports:
    {{- range $key, $value := .Values.puppetserver.masters.service.ports }}
    - name: {{ $key }}
      {{- toYaml $value | nindent 6 }}
    {{- end }}
  selector:
    {{- include "puppetserver.puppetserver.matchLabels" . | nindent 4 }}
  {{- if .Values.puppetserver.compilers.enabled }}
  type: ClusterIP
  {{- else }}
  type: {{ .Values.puppetserver.masters.service.type }}
  {{- if (and (eq .Values.puppetserver.masters.service.type "LoadBalancer") (not (empty .Values.puppetserver.masters.service.loadBalancerIP))) }}
  loadBalancerIP: {{ .Values.puppetserver.masters.service.loadBalancerIP }}
  {{- end }}
  {{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- /*
ServiceAccount used by the puppetserver pods and by the pre-install hook jobs
(hence the hook annotations, ordered before the jobs via weight -10).
NOTE(review): nothing in this chart's Role needs the Kubernetes API from inside
the pods (it only grants PSP `use`), so `automountServiceAccountToken: false`
would be a sensible hardening here if the pod specs do not override it - confirm
against the deployments/statefulset before adding it.
*/}}
{{- if and (.Values.puppetserver.serviceAccount.enabled) (.Values.puppetserver.serviceAccount.create) }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "puppetserver.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  annotations:
    {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled .Values.global.runAsNonRoot }}
    helm.sh/hook: pre-install
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/hook-weight: "-10"
    {{- end }}
    {{- with .Values.puppetserver.serviceAccount.annotations -}}
    {{ toYaml . | nindent 4 }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/puppetserver-setup.configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Replacement docker-entrypoint for the non-root layout (gated on
global.runAsNonRoot). Note it is labelled with the r10k labels although it is
consumed by the puppetserver side - presumably a copy/paste artefact; harmless
unless something selects on those labels.
*/}}
{{- if .Values.global.runAsNonRoot }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-docker-entrypoint-config
  labels:
    {{- include "puppetserver.r10k.labels" .
| nindent 4 }}
  annotations:
    {{- /* Pre-install hook without a delete policy: created before the release
           and left behind on uninstall. */}}
    helm.sh/hook: pre-install
data:
  {{- /* The script: run the image's /docker-entrypoint.d hooks, run any
         operator-supplied scripts, start puppetserver in the background, poll
         /status/v1/simple until it reports "running", then stop it. What the
         start/stop cycle is for (presumably seeding CA/cert files on the hook
         PVCs) is not visible in this file - check the job that mounts it. */}}
  docker-entrypoint.sh: |
    #!/bin/bash
    # bash is required to pass ENV vars with dots as sh cannot
    set -e

    for f in /docker-entrypoint.d/*.sh; do
      echo "Running $f"
      "$f"
    done
    {{- /* Every *.sh under /docker-custom-entrypoint.d is made executable and
           run as the container user. Whoever can write to the ConfigMap/volume
           behind that directory can run code inside the puppetserver container,
           so guard it like the image itself. */}}

    if [ -d /docker-custom-entrypoint.d/ ]; then
      find /docker-custom-entrypoint.d/ -type f -name "*.sh" \
        -exec chmod +x {} \;
      sync
      find /docker-custom-entrypoint.d/ -type f -name "*.sh" \
        -exec echo Running {} \; -exec {} \;
    fi

    # service puppetserver start
    {{- /* `exec` in a backgrounded list runs in a subshell, so it does not
           replace this script: puppetserver becomes a child process and the
           script carries on to the readiness loop below. */}}
    exec /opt/puppetlabs/bin/puppetserver "$@" &

    sleep 30

    echo 'Waiting for puppetserver to become ready...'
    {{- /* --insecure disables TLS verification for this poll. Only the literal
           "running" status is consumed, so a spoofed endpoint can at most fake
           readiness; pinning the puppet CA with --cacert would remove even that,
           but the CA file path is not known from this template. */}}
    until printf "." && curl --noproxy '*' --silent --fail --insecure 'https://{{ template "puppetserver.puppetserver-masters.serviceName" . }}:{{ template "puppetserver.puppetserver-masters.port" . }}/status/v1/simple' | grep -q '^running$'; do
      sleep 2;
    done;
    echo 'Puppetserver OK ✓'
    {{- /* NOTE(review): `service` stops the packaged init service, not
           necessarily the background process started above; whether it reaches
           that process depends on the image's service wrapper. Either way the
           script ends here and the container exits with it. */}}
    service puppetserver stop
{{- end }}
--------------------------------------------------------------------------------
/templates/r10k-code-secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Credentials r10k uses to clone the control repo, rendered from values only when
no existingSecret is given for either transport. Anything passed via *.value
is also stored in the Helm release secret (values are part of the release), so
for real deployments prefer existingSecret and keep the key out of values.
NOTE(review): the outer `or` tests `.Values.r10k.code.viaHttps.credentials`
as a whole - a non-empty map is truthy even when every field in it is empty, so
the Secret may be rendered with no data keys at all. Harmless, but worth knowing.
*/}}
{{- if and (.Values.puppetserver.puppeturl) (and (not .Values.r10k.code.viaSsh.credentials.existingSecret) (not .Values.r10k.code.viaHttps.credentials.existingSecret)) }}
{{- if or (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) (.Values.r10k.code.viaHttps.credentials) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "puppetserver.fullname" . }}-r10k-code-creds
  labels:
    {{- include "puppetserver.r10k.labels" . | nindent 4 }}
type: Opaque
data:
  {{- /* SSH transport: the private key is only emitted together with a
         known_hosts file, so host-key verification is never silently skipped. */}}
  {{- with .Values.r10k.code.viaSsh.credentials }}
  {{- if and (.ssh.value) (.known_hosts.value) }}
  id_rsa: {{ .ssh.value | b64enc | quote }}
  known_hosts: {{ .known_hosts.value | b64enc | quote }}
  {{- end }}
  {{- end }}
  {{- /* HTTPS transport: a netrc with the token/password for the git host. */}}
  {{- with .Values.r10k.code.viaHttps.credentials }}
  {{- if .netrc.value }}
  netrc: {{ .netrc.value | b64enc | quote }}
  {{- end }}
  {{- end }}
  {{- /* Optional private CA for the git host; the entrypoint pins it to the
         repo URL via git's http.<url>.sslCAInfo rather than disabling
         verification. */}}
  {{- with .Values.r10k.code.viaHttps.customCa }}
  {{- if .cert.value }}
  cert: {{ .cert.value | b64enc | quote }}
  {{- end }}
  {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/r10k-code.configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
r10k configuration plus the cron wrapper and entrypoint for the code (control
repo) sidecar. The deployments hash this ConfigMap into a pod annotation, so any
change here rolls the pods.
*/}}
{{- if .Values.puppetserver.puppeturl }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-r10k-code-config
  labels:
    {{- include "puppetserver.r10k.labels" .
| nindent 4 }}
data:
  {{- /* r10k.yaml. Indentation inside the block scalar is significant:
         nindent 4 = top level of the r10k config, nindent 6 = a sibling
         source next to :puppet_repo, nindent 8 = extra keys inside it. */}}
  r10k_code.yaml: |
    # The location to use for storing cached Git repos
    :cachedir: '/etc/puppetlabs/code/r10k_cache'
    # A list of git repositories to create
    {{- if .Values.r10k.code.extraSettings }}
    {{- toYaml .Values.r10k.code.extraSettings | nindent 4 }}
    {{- end }}
    :sources:
      # This will clone the git repository and instantiate an environment per
      # branch in '/etc/puppetlabs/code/environments'
      :puppet_repo:
        remote: '{{ .Values.puppetserver.puppeturl }}'
        basedir: '{{ .Values.puppetserver.puppetbasedir }}'
        {{- if .Values.r10k.code.defaultRepoExtraConf }}
        {{- toYaml .Values.r10k.code.defaultRepoExtraConf | nindent 8 }}
        {{- end }}
      {{- if .Values.r10k.code.extraRepos }}
      {{- toYaml .Values.r10k.code.extraRepos | nindent 6 }}
      {{- end }}

  {{- /* One r10k deploy run, invoked from the crontab below. Exit status is
         mirrored into the successFile so a probe can watch it. */}}
  r10k_code_cronjob.sh: |
    #!/usr/bin/env sh
    {{- /* NOTE(review): $RANDOM is not POSIX; it works in bash/busybox ash but
           expands empty under dash, which makes the splay a silent `sleep 0`.
           Verify the sidecar image's /bin/sh before relying on it. */}}
    {{- if .Values.r10k.code.cronJob.splay }}
    sleep $(( RANDOM % {{ int .Values.r10k.code.cronJob.splayLimit }} ))
    {{- end }}
    {{- /* Optional hard timeout (SIGKILL, -s 9): a hung clone is killed rather
           than blocking every later run. */}}
    {{ with .Values.r10k.code.cronJob.timeout }}timeout -s 9 {{ int . }} {{ end }}/docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k_code.yaml \
      --puppetfile {{ template "r10k.code.args" . }} > ~/.r10k_code_cronjob.out 2>&1
    retVal=$?
    if [ "$retVal" -eq "0" ]; then
      touch {{ .Values.r10k.code.cronJob.successFile }} > /dev/null 2>&1
    else
      rm {{ .Values.r10k.code.cronJob.successFile }} > /dev/null 2>&1
    fi
    exit $retVal

  {{- /* Container entrypoint: write the crontab, stream the run log, pin the
         custom CA to the repo URL if one was supplied, then hand over to
         supercronic (or idle when the cron job is disabled). */}}
  r10k_code_entrypoint.sh: |
    #!/usr/bin/env sh
    set -e
    {{- if .Values.r10k.code.cronJob.enabled }}
    {{- /* The heredoc is quoted, so nothing is expanded by the shell here; the
           schedule was already substituted by Helm at render time. */}}
    cat > ~/.r10k_code_crontab <<'EOF'
    {{ .Values.r10k.code.cronJob.schedule }} /bin/sh -c /etc/puppetlabs/puppet/r10k_code_cronjob.sh
    EOF
    tail -Fq ~/.r10k_code_cronjob.out &
    {{- end }}
    {{- /* Under `set -e` a failing touch (e.g. read-only home) aborts the
           entrypoint; the redirects only hide the message, not the status. */}}
    touch {{ .Values.r10k.code.cronJob.successFile }} > /dev/null 2>&1
    {{- /* Scope the private CA to this repo's URL instead of disabling TLS
           verification globally. */}}
    {{- if or .Values.r10k.code.viaHttps.customCa.existingSecret .Values.r10k.code.viaHttps.customCa.cert.value }}
    git config --global http."{{ template "r10k.code.viaHttps.customCa.repoUrl" .}}".sslCAInfo ~/code-certs/ca.pem
    {{- end }}
    {{- if .Values.r10k.code.cronJob.enabled }}
    exec supercronic ~/.r10k_code_crontab
    {{- else}}
    tail -f /dev/null
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/r10k-hiera-secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Credentials for the hiera-data repo clone; same shape and same caveats as the
code secret: values-supplied keys also land in the Helm release secret (prefer
existingSecret), and the `viaHttps.credentials` map is truthy even when empty.
*/}}
{{- if and (include "hiera.enable" .) (and (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) (not .Values.r10k.hiera.viaHttps.credentials.existingSecret)) }}
{{- if or (and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value)) (.Values.r10k.hiera.viaHttps.credentials) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "puppetserver.fullname" . }}-r10k-hiera-creds
  labels:
    {{- include "puppetserver.r10k.labels" .
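| nindent 4 }}
type: Opaque
data:
  {{- with .Values.r10k.hiera.viaSsh.credentials }}
  {{- if and (.ssh.value) (.known_hosts.value) }}
  id_rsa: {{ .ssh.value | b64enc | quote }}
  known_hosts: {{ .known_hosts.value | b64enc | quote }}
  {{- end }}
  {{- end }}
  {{- with .Values.r10k.hiera.viaHttps.credentials }}
  {{- if .netrc.value }}
  netrc: {{ .netrc.value | b64enc | quote }}
  {{- end }}
  {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/r10k-hiera.configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
r10k configuration, cron wrapper and entrypoint for the hiera-data sidecar;
structurally the same as the code ConfigMap. Hashed into the pod template
annotations, so edits here roll the pods.
*/}}
{{- if (include "hiera.enable" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-r10k-hiera-config
  labels:
    {{- include "puppetserver.r10k.labels" . | nindent 4 }}
data:
  {{- /* nindent 4 = top level of the r10k config, nindent 6 = a sibling source
         next to :hiera_repo, nindent 8 = extra keys inside :hiera_repo. */}}
  r10k_hiera.yaml: |
    # The location to use for storing cached Git repos
    :cachedir: '/etc/puppetlabs/code/r10k_cache'
    {{- if .Values.r10k.hiera.extraSettings }}
    {{- toYaml .Values.r10k.hiera.extraSettings | nindent 4 }}
    {{- end }}
    # A list of git repositories to create
    :sources:
      {{- if .Values.hiera.hieradataurl }}
      # This will clone the git repository and instantiate an environment per
      # branch in '/etc/puppetlabs/code/hiera-data'
      :hiera_repo:
        remote: '{{ .Values.hiera.hieradataurl }}'
        basedir: '/etc/puppetlabs/code/hiera-data'
        {{- if .Values.r10k.hiera.defaultRepoExtraConf }}
        {{- toYaml .Values.r10k.hiera.defaultRepoExtraConf | nindent 8 }}
        {{- end }}
      {{- end }}
      {{- if .Values.r10k.hiera.extraRepository }}
      {{- toYaml .Values.r10k.hiera.extraRepository | nindent 6 }}
      {{- end }}

  {{- /* One deploy run; exit status mirrored into the successFile. The
         optional splay uses $RANDOM, which is not POSIX (empty under dash,
         so no splay there) - verify the sidecar's /bin/sh. */}}
  r10k_hiera_cronjob.sh: |
    #!/usr/bin/env sh
    {{- if .Values.r10k.hiera.cronJob.splay }}
    sleep $(( RANDOM % {{ int .Values.r10k.hiera.cronJob.splayLimit }} ))
    {{- end }}
    {{ with .Values.r10k.hiera.cronJob.timeout }}timeout -s 9 {{ int . }} {{ end }}/docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k_hiera.yaml \
      --puppetfile {{ template "r10k.hiera.args" . }} > ~/.r10k_hiera_cronjob.out 2>&1
    retVal=$?
    if [ "$retVal" -eq "0" ]; then
      touch {{ .Values.r10k.hiera.cronJob.successFile }} > /dev/null 2>&1
    else
      rm {{ .Values.r10k.hiera.cronJob.successFile }} > /dev/null 2>&1
    fi
    exit $retVal

  {{- /* Entrypoint: write the (Helm-rendered, shell-quoted) crontab, stream the
         run log, then hand over to supercronic or idle. */}}
  r10k_hiera_entrypoint.sh: |
    #!/usr/bin/env sh
    set -e
    {{- if .Values.r10k.hiera.cronJob.enabled }}
    cat > ~/.r10k_hiera_crontab <<'EOF'
    {{ .Values.r10k.hiera.cronJob.schedule }} /bin/sh -c /etc/puppetlabs/puppet/r10k_hiera_cronjob.sh
    EOF
    tail -Fq ~/.r10k_hiera_cronjob.out &
    {{- end }}
    touch {{ .Values.r10k.hiera.cronJob.successFile }} > /dev/null 2>&1
    {{- if .Values.r10k.hiera.cronJob.enabled }}
    exec supercronic ~/.r10k_hiera_crontab
    {{- else}}
    tail -f /dev/null
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/update-crl-configmap.yaml:
--------------------------------------------------------------------------------
{{- /*
Scripts that keep the external CA's CRL fresh in single-CA mode (the puppet CA is
disabled and revocation is driven by a CRL fetched from singleCA.crl.url).
Two fetchers exist: crl_kubernetes_cronjob.sh for the Kubernetes CronJob, writing
to /crl, and crl.sh (overridable via singleCA.config) run from supercronic inside
the pod, writing to $SSL_PATH. Both now validate the download BEFORE it replaces
the CRL in use: previously the new file was moved into place first and checked
afterwards, so an HTTP error page (curl exits 0 on 4xx/5xx without --fail) or a
truncated download overwrote a good CRL and left revocation checking broken
until the next successful run. The pod-side script also used bash-only
`[[ ... ]]` under #!/usr/bin/env sh; with a dash /bin/sh that test fails to parse,
the failure branch is never taken and the success marker is touched even when
the fetch failed. Both scripts now use POSIX tests and quote the URL/paths.
*/}}
{{- if .Values.singleCA.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "puppetserver.fullname" . }}-crl-config
  labels:
    {{- include "puppetserver.puppetserver.labels" . | nindent 4 }}
    {{- with .Values.puppetserver.masters.extraLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    "helm.sh/hook": "pre-install"
    "helm.sh/hook-weight": "0"
data:
  crl_kubernetes_cronjob.sh: |-
    url={{ required "A valid .Values.singleCA.crl.url required!" .Values.singleCA.crl.url | quote }}
    # --fail: an HTTP error status is a failed fetch, not a CRL to install.
    curl --fail -o /tmp/crl.pem "$url" || { echo 'could not retrieve crl.pem' ; exit 1; }

    # Sanity-check the download before it replaces the CRL currently in use.
    # (A substring match is a weak check; `openssl crl -noout -in` would be
    # stronger if the image ships openssl.)
    grep -q "BEGIN X509 CRL" /tmp/crl.pem > /dev/null 2>&1 || { echo 'crl.pem file is not in the right format'; cat /tmp/crl.pem ; rm -f /tmp/crl.pem; exit 1; }

    mv /tmp/crl.pem /crl/crl.pem

  crl.sh: |-
    {{- if .Values.singleCA.config }}
    {{ .Values.singleCA.config | nindent 6 }}
    {{- else }}
    #!/usr/bin/env sh
    url={{ required "A valid .Values.singleCA.crl.url required!" .Values.singleCA.crl.url | quote }}
    # Refuse to run with an unset target directory rather than writing to /crl.pem.
    : "${SSL_PATH:?SSL_PATH must be set}"

    # -f: HTTP errors fail the fetch; -S: still report errors despite -s
    # (stdout/stderr of this script are captured into ~/.crl_cronjob.out).
    curl -sSf -o /tmp/crl.pem "$url"
    retVal=$?

    # Validate before replacing the live CRL so a bad fetch never clobbers it.
    grepVal=1
    if [ "$retVal" -eq 0 ]; then
      grep -q "BEGIN X509 CRL" /tmp/crl.pem > /dev/null 2>&1
      grepVal=$?
    fi

    # POSIX test syntax: this script runs under sh, where bash's [[ ]] may not exist.
    if [ "$retVal" -ne 0 ] || [ "$grepVal" -ne 0 ]; then
      rm -f /tmp/crl.pem > /dev/null 2>&1
      rm ~/.crl_cronjob.success > /dev/null 2>&1
      retVal=1
    else
      # Only a validated file is moved into place; a failed move is a failure too.
      if mv /tmp/crl.pem "$SSL_PATH/crl.pem"; then
        touch ~/.crl_cronjob.success > /dev/null 2>&1
      else
        rm ~/.crl_cronjob.success > /dev/null 2>&1
        retVal=1
      fi
    fi

    exit $retVal
    {{- end }}

  {{- /* Cron wrapper around crl.sh: captures its output and mirrors the exit
         status into ~/.crl_cronjob.success for the probes. */}}
  crl_cronjob.sh: |
    #!/usr/bin/env sh
    $CRL_SCRIPT_PATH/crl.sh > ~/.crl_cronjob.out 2>&1
    retVal=$?
    if [ "$retVal" -eq "0" ]; then
      touch ~/.crl_cronjob.success > /dev/null 2>&1
    else
      rm ~/.crl_cronjob.success > /dev/null 2>&1
    fi

    exit $retVal

  {{- /* Sidecar entrypoint: do an initial fetch if no CRL exists yet (under
         set -e a failed first fetch ends the container), then run the schedule
         via supercronic. */}}
  crl_entrypoint.sh: |
    #!/usr/bin/env sh
    set -e
    if [ !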
-f $SSL_PATH/crl.pem ]; then 63 | /bin/sh -c $CRL_SCRIPT_PATH/crl_cronjob.sh 64 | fi 65 | cat > ~/.crl_crontab <<'EOF' 66 | {{ .Values.singleCA.crl.cronJob.schedule }} /bin/sh -c $CRL_SCRIPT_PATH/crl_cronjob.sh 67 | EOF 68 | # tail -Fq ~/.crl_cronjob.out & 69 | touch ~/.crl_cronjob.success > /dev/null 2>&1 70 | exec supercronic ~/.crl_crontab 71 | 72 | {{- end }} 73 | -------------------------------------------------------------------------------- /tests/__snapshot__/jmx-servicemonitor_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | release: kube-prometheus-stack 14 | name: puppetserver-jmx 15 | namespace: puppet 16 | spec: 17 | endpoints: 18 | - honorLabels: true 19 | interval: 30s 20 | path: /metrics 21 | port: metrics 22 | jobLabel: jmx 23 | namespaceSelector: 24 | matchNames: 25 | - puppet 26 | selector: 27 | matchLabels: 28 | app.kubernetes.io/component: puppetserver 29 | app.kubernetes.io/name: puppetserver 30 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetdb-pvc_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | annotations: null 7 | labels: 8 | app.kubernetes.io/component: puppetdb 9 | app.kubernetes.io/instance: puppetserver 10 | app.kubernetes.io/managed-by: Helm 11 | app.kubernetes.io/name: puppetserver 12 | app.kubernetes.io/version: 7.17.0 13 | helm.sh/chart: puppetserver-9.5.2 14 | name: 
puppetserver-puppetdb-claim 15 | spec: 16 | accessModes: 17 | - ReadWriteOnce 18 | resources: 19 | requests: 20 | storage: 400Mi 21 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetdb-servicemonitor_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetdb 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | release: kube-prometheus-stack 14 | name: puppetserver-puppetdb 15 | namespace: puppet 16 | spec: 17 | endpoints: 18 | - honorLabels: true 19 | interval: 30s 20 | path: /metrics 21 | port: metrics 22 | jobLabel: puppetdb 23 | namespaceSelector: 24 | matchNames: 25 | - puppet 26 | selector: 27 | matchLabels: 28 | app.kubernetes.io/component: puppetdb 29 | app.kubernetes.io/name: puppetserver 30 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetdb.networkpolicy_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetdb 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | name: puppetserver-puppetdb 14 | spec: 15 | egress: 16 | - ports: 17 | - port: 53 18 | protocol: TCP 19 | - port: 53 20 | protocol: UDP 21 | to: 22 | - namespaceSelector: 23 | matchLabels: 24 | kubernetes.io/metadata.name: kube-system 25 | podSelector: 
26 | matchLabels: 27 | k8s-app: kube-dns 28 | - ports: 29 | - port: 53 30 | to: 31 | - ipBlock: 32 | cidr: 0.0.0.0/0 33 | - ports: 34 | - port: 8140 35 | to: 36 | - podSelector: 37 | matchLabels: 38 | app.kubernetes.io/component: puppetserver 39 | app.kubernetes.io/name: puppetserver 40 | - ports: 41 | - port: 8081 42 | to: 43 | - podSelector: {} 44 | - ports: 45 | - port: 5432 46 | to: 47 | - namespaceSelector: 48 | matchLabels: 49 | kubernetes.io/metadata.name: puppet 50 | podSelector: 51 | matchLabels: 52 | app.kubernetes.io/name: postgresql 53 | ingress: 54 | - from: 55 | - podSelector: {} 56 | ports: 57 | - port: 8081 58 | - from: 59 | - namespaceSelector: {} 60 | ports: 61 | - port: 9090 62 | podSelector: 63 | matchLabels: 64 | app.kubernetes.io/component: puppetdb 65 | app.kubernetes.io/name: puppetserver 66 | policyTypes: 67 | - Egress 68 | - Ingress 69 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-ca-pvc_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | annotations: null 7 | labels: 8 | app.kubernetes.io/component: puppetserver 9 | app.kubernetes.io/instance: puppetserver 10 | app.kubernetes.io/managed-by: Helm 11 | app.kubernetes.io/name: puppetserver 12 | app.kubernetes.io/version: 7.17.0 13 | helm.sh/chart: puppetserver-9.5.2 14 | name: puppetserver-ca-claim 15 | spec: 16 | accessModes: 17 | - ReadWriteOnce 18 | resources: 19 | requests: 20 | storage: 400Mi 21 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-code-pvc_test.yaml.snap: -------------------------------------------------------------------------------- 1 | {} 2 | -------------------------------------------------------------------------------- 
/tests/__snapshot__/puppetserver-compilers.deployment_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver-compilers 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | name: puppetserver-puppetserver-compiler 14 | spec: 15 | replicas: 1 16 | selector: 17 | matchLabels: 18 | app.kubernetes.io/component: puppetserver-compilers 19 | app.kubernetes.io/name: puppetserver 20 | strategy: 21 | type: RollingUpdate 22 | template: 23 | metadata: 24 | annotations: 25 | checksum/hiera-configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 26 | checksum/r10k-code.configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 27 | checksum/r10k-hiera.configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 28 | labels: 29 | app.kubernetes.io/component: puppetserver-compilers 30 | app.kubernetes.io/instance: puppetserver 31 | app.kubernetes.io/managed-by: Helm 32 | app.kubernetes.io/name: puppetserver 33 | app.kubernetes.io/version: 7.17.0 34 | helm.sh/chart: puppetserver-9.5.2 35 | spec: 36 | containers: 37 | - env: 38 | - name: PUPPET_MASTERPORT 39 | value: "8140" 40 | - name: DNS_ALT_NAMES 41 | value: puppet,puppetserver-agents-to-puppet,puppetserver-puppet,,puppetserver-puppet-compilers, 42 | - name: PUPPETDB_SERVER_URLS 43 | value: https://puppetserver-puppetdb:8081 44 | - name: CA_ENABLED 45 | value: "false" 46 | - name: CA_ALLOW_SUBJECT_ALT_NAMES 47 | value: "true" 48 | - name: CA_HOSTNAME 49 | value: puppetserver-puppet 50 | - name: CA_MASTERPORT 51 | value: "8140" 52 | envFrom: null 53 | image: ghcr.io/voxpupuli/container-puppetserver:7.17.0-v1.5.0 54 | 
imagePullPolicy: IfNotPresent 55 | livenessProbe: 56 | failureThreshold: 3 57 | periodSeconds: 30 58 | successThreshold: 1 59 | tcpSocket: 60 | port: 8140 61 | timeoutSeconds: 10 62 | name: puppetserver 63 | ports: 64 | - containerPort: 8140 65 | readinessProbe: 66 | failureThreshold: 3 67 | httpGet: 68 | path: /status/v1/simple 69 | port: 8140 70 | scheme: HTTPS 71 | periodSeconds: 60 72 | successThreshold: 1 73 | timeoutSeconds: 20 74 | resources: {} 75 | securityContext: 76 | allowPrivilegeEscalation: false 77 | capabilities: 78 | add: 79 | - CAP_CHOWN 80 | - CAP_SETUID 81 | - CAP_SETGID 82 | - CAP_DAC_OVERRIDE 83 | - CAP_AUDIT_WRITE 84 | - CAP_FOWNER 85 | - CHOWN 86 | - SETUID 87 | - SETGID 88 | - DAC_OVERRIDE 89 | - AUDIT_WRITE 90 | - FOWNER 91 | drop: 92 | - all 93 | startupProbe: 94 | failureThreshold: 30 95 | periodSeconds: 15 96 | tcpSocket: 97 | port: 8140 98 | volumeMounts: 99 | - mountPath: /etc/puppetlabs/code/ 100 | name: puppet-code-storage 101 | - mountPath: /etc/puppetlabs/puppet/ 102 | name: puppet-puppet-storage 103 | - mountPath: /opt/puppetlabs/server/data/puppetserver/ 104 | name: puppet-serverdata-storage 105 | - mountPath: /etc/puppetlabs/puppetserver/conf.d/ 106 | name: puppet-confd 107 | hostname: puppet 108 | imagePullSecrets: null 109 | initContainers: 110 | - args: 111 | - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; mkdir -p /etc/puppetlabs/code/environments; mkdir -p /etc/puppetlabs/puppet/manifests; chown -R puppet:puppet /etc/puppetlabs; cp /tmp/puppet/configmap/site.pp /etc/puppetlabs/puppet/manifests/site.pp; chown puppet:puppet /etc/puppetlabs/puppet/manifests/site.pp; mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/; touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde; chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/; 112 | command: 113 | - sh 114 | - -c 115 | env: null 116 | envFrom: null 117 | image: ghcr.io/voxpupuli/container-puppetserver:7.17.0-v1.5.0 118 | imagePullPolicy: 
IfNotPresent 119 | name: perms-and-dirs 120 | resources: 121 | limits: 122 | cpu: 300m 123 | memory: 256Mi 124 | requests: 125 | cpu: 200m 126 | memory: 128Mi 127 | securityContext: 128 | capabilities: 129 | add: 130 | - CAP_CHOWN 131 | - CAP_SETUID 132 | - CAP_SETGID 133 | - CAP_DAC_OVERRIDE 134 | - CAP_AUDIT_WRITE 135 | - CAP_FOWNER 136 | - CHOWN 137 | - SETUID 138 | - SETGID 139 | - DAC_OVERRIDE 140 | - AUDIT_WRITE 141 | - FOWNER 142 | drop: 143 | - all 144 | runAsNonRoot: false 145 | runAsUser: 0 146 | volumeMounts: 147 | - mountPath: /etc/puppetlabs/puppet/ 148 | name: puppet-puppet-storage 149 | - mountPath: /etc/puppetlabs/code/ 150 | name: puppet-code-storage 151 | - mountPath: /tmp/puppet/configmap/site.pp 152 | name: manifests-volume 153 | subPath: site.pp 154 | - mountPath: /opt/puppetlabs/server/data/puppetserver/ 155 | name: puppet-serverdata-storage 156 | securityContext: 157 | fsGroup: 999 158 | volumes: 159 | - name: puppet-code-storage 160 | persistentVolumeClaim: 161 | claimName: puppetserver-code-claim 162 | - name: puppet-puppet-storage 163 | persistentVolumeClaim: 164 | claimName: puppetserver-puppet-claim 165 | - name: puppet-serverdata-storage 166 | persistentVolumeClaim: 167 | claimName: puppetserver-serverdata-claim 168 | - configMap: 169 | name: puppetserver-manifests-config 170 | name: manifests-volume 171 | - name: puppet-confd 172 | persistentVolumeClaim: 173 | claimName: puppetserver-confd-claim 174 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-compilers.networkpolicy_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver-compilers 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: 
puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | name: puppetserver-puppetserver-compilers 14 | spec: 15 | egress: 16 | - ports: 17 | - port: 53 18 | protocol: TCP 19 | - port: 53 20 | protocol: UDP 21 | to: 22 | - namespaceSelector: 23 | matchLabels: 24 | kubernetes.io/metadata.name: kube-system 25 | podSelector: 26 | matchLabels: 27 | k8s-app: kube-dns 28 | - ports: 29 | - port: 53 30 | to: 31 | - ipBlock: 32 | cidr: 0.0.0.0/0 33 | - ports: 34 | - port: 8081 35 | to: 36 | - podSelector: 37 | matchLabels: 38 | app.kubernetes.io/component: puppetdb 39 | app.kubernetes.io/name: puppetserver 40 | - ports: 41 | - port: 8081 42 | to: 43 | - podSelector: 44 | matchLabels: 45 | app.kubernetes.io/component: puppetdb 46 | app.kubernetes.io/name: puppetserver 47 | - ports: 48 | - port: 8140 49 | to: 50 | - podSelector: 51 | matchLabels: 52 | app.kubernetes.io/component: puppetserver 53 | app.kubernetes.io/name: puppetserver 54 | ingress: 55 | - from: 56 | - podSelector: 57 | matchLabels: 58 | app.kubernetes.io/name: puppetserver 59 | ports: 60 | - port: 8140 61 | - from: 62 | - namespaceSelector: {} 63 | ports: 64 | - port: 8140 65 | podSelector: 66 | matchLabels: 67 | app.kubernetes.io/component: puppetserver-compilers 68 | app.kubernetes.io/name: puppetserver 69 | policyTypes: 70 | - Egress 71 | - Ingress 72 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-compilers.pdb_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: policy/v1 4 | kind: PodDisruptionBudget 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver-compilers 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | name: 
puppetserver-compilers 14 | spec: 15 | maxUnavailable: 2 16 | minAvailable: 1 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/component: puppetserver-compilers 20 | app.kubernetes.io/name: puppetserver 21 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-compilers.statefulset_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: StatefulSet 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver-compilers 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | name: puppetserver-puppetserver-compiler 14 | spec: 15 | podManagementPolicy: OrderedReady 16 | replicas: 1 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/component: puppetserver-compilers 20 | app.kubernetes.io/name: puppetserver 21 | serviceName: puppetserver-puppet-compilers-headless 22 | template: 23 | metadata: 24 | annotations: 25 | checksum/crl-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 26 | checksum/hiera-configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 27 | checksum/r10k-code.configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 28 | checksum/r10k-hiera.configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 29 | labels: 30 | app.kubernetes.io/component: puppetserver-compilers 31 | app.kubernetes.io/instance: puppetserver 32 | app.kubernetes.io/managed-by: Helm 33 | app.kubernetes.io/name: puppetserver 34 | app.kubernetes.io/version: 7.17.0 35 | helm.sh/chart: puppetserver-9.5.2 36 | spec: 37 | containers: 38 | - env: 39 | - name: PUPPETSERVER_HOSTNAME 40 | valueFrom: 41 | fieldRef: 42 | fieldPath: metadata.name 43 | - name: 
PUPPET_MASTERPORT 44 | value: "8140" 45 | - name: DNS_ALT_NAMES 46 | value: puppetserver-puppetserver-compiler-0,puppetserver-puppet-compilers, 47 | - name: PUPPETDB_SERVER_URLS 48 | value: https://puppetserver-puppetdb:8081 49 | - name: CA_ENABLED 50 | value: "false" 51 | - name: CA_HOSTNAME 52 | value: puppetserver-puppet 53 | - name: CA_MASTERPORT 54 | value: "8140" 55 | envFrom: null 56 | image: ghcr.io/voxpupuli/container-puppetserver:7.17.0-v1.5.0 57 | imagePullPolicy: IfNotPresent 58 | livenessProbe: 59 | failureThreshold: 3 60 | periodSeconds: 30 61 | successThreshold: 1 62 | tcpSocket: 63 | port: 8140 64 | timeoutSeconds: 10 65 | name: puppetserver 66 | ports: 67 | - containerPort: 8140 68 | readinessProbe: 69 | failureThreshold: 3 70 | httpGet: 71 | path: /status/v1/simple 72 | port: 8140 73 | scheme: HTTPS 74 | periodSeconds: 60 75 | successThreshold: 1 76 | timeoutSeconds: 20 77 | resources: {} 78 | securityContext: 79 | allowPrivilegeEscalation: false 80 | capabilities: 81 | add: 82 | - CAP_CHOWN 83 | - CAP_SETUID 84 | - CAP_SETGID 85 | - CAP_DAC_OVERRIDE 86 | - CAP_AUDIT_WRITE 87 | - CAP_FOWNER 88 | - CHOWN 89 | - SETUID 90 | - SETGID 91 | - DAC_OVERRIDE 92 | - AUDIT_WRITE 93 | - FOWNER 94 | drop: 95 | - all 96 | startupProbe: 97 | failureThreshold: 30 98 | periodSeconds: 15 99 | tcpSocket: 100 | port: 8140 101 | volumeMounts: 102 | - mountPath: /etc/puppetlabs/code/ 103 | name: puppet-code-volume 104 | - mountPath: /etc/puppetlabs/puppet/ 105 | name: puppet-puppet-volume 106 | imagePullSecrets: null 107 | initContainers: 108 | - args: 109 | - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; mkdir -p /etc/puppetlabs/code/environments; mkdir -p /etc/puppetlabs/puppet/manifests; mkdir -p /etc/puppetlabs/code/r10k_cache; chown -R puppet:puppet /etc/puppetlabs; cp /tmp/puppet/configmap/site.pp /etc/puppetlabs/puppet/manifests/site.pp; chown puppet:puppet /etc/puppetlabs/puppet/manifests/site.pp; mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/; 
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde; chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/; 110 | command: 111 | - sh 112 | - -c 113 | env: null 114 | envFrom: null 115 | image: ghcr.io/voxpupuli/container-puppetserver:7.17.0-v1.5.0 116 | imagePullPolicy: IfNotPresent 117 | name: perms-and-dirs 118 | resources: 119 | limits: 120 | cpu: 300m 121 | memory: 256Mi 122 | requests: 123 | cpu: 200m 124 | memory: 128Mi 125 | securityContext: 126 | capabilities: 127 | add: 128 | - CAP_CHOWN 129 | - CAP_SETUID 130 | - CAP_SETGID 131 | - CAP_DAC_OVERRIDE 132 | - CAP_AUDIT_WRITE 133 | - CAP_FOWNER 134 | - CHOWN 135 | - SETUID 136 | - SETGID 137 | - DAC_OVERRIDE 138 | - AUDIT_WRITE 139 | - FOWNER 140 | drop: 141 | - all 142 | runAsNonRoot: false 143 | runAsUser: 0 144 | volumeMounts: 145 | - mountPath: /etc/puppetlabs/code/ 146 | name: puppet-code-volume 147 | - mountPath: /etc/puppetlabs/puppet/ 148 | name: puppet-puppet-volume 149 | - mountPath: /tmp/puppet/configmap/site.pp 150 | name: manifests-volume 151 | subPath: site.pp 152 | securityContext: 153 | fsGroup: 999 154 | volumes: 155 | - configMap: 156 | name: puppetserver-manifests-config 157 | name: manifests-volume 158 | updateStrategy: 159 | type: RollingUpdate 160 | volumeClaimTemplates: 161 | - metadata: 162 | annotations: null 163 | name: puppet-code-volume 164 | spec: 165 | accessModes: 166 | - ReadWriteOnce 167 | resources: 168 | requests: 169 | storage: 400Mi 170 | - metadata: 171 | annotations: null 172 | name: puppet-puppet-volume 173 | spec: 174 | accessModes: 175 | - ReadWriteOnce 176 | resources: 177 | requests: 178 | storage: 400Mi 179 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-data-pvc_test.yaml.snap: -------------------------------------------------------------------------------- 1 | {} 2 | -------------------------------------------------------------------------------- 
/tests/__snapshot__/puppetserver-masters.networkpolicy_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | name: puppetserver-puppetserver 14 | spec: 15 | egress: 16 | - ports: 17 | - port: 53 18 | protocol: TCP 19 | - port: 53 20 | protocol: UDP 21 | to: 22 | - namespaceSelector: 23 | matchLabels: 24 | kubernetes.io/metadata.name: kube-system 25 | podSelector: 26 | matchLabels: 27 | k8s-app: kube-dns 28 | - ports: 29 | - port: 53 30 | to: 31 | - ipBlock: 32 | cidr: 0.0.0.0/0 33 | - ports: 34 | - port: 8081 35 | to: 36 | - podSelector: 37 | matchLabels: 38 | app.kubernetes.io/component: puppetdb 39 | app.kubernetes.io/name: puppetserver 40 | ingress: 41 | - from: 42 | - podSelector: 43 | matchLabels: 44 | app.kubernetes.io/name: puppetserver 45 | ports: 46 | - port: 8140 47 | - from: 48 | - namespaceSelector: {} 49 | ports: 50 | - port: 8140 51 | podSelector: 52 | matchLabels: 53 | app.kubernetes.io/component: puppetserver 54 | app.kubernetes.io/name: puppetserver 55 | policyTypes: 56 | - Egress 57 | - Ingress 58 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-masters.pdb_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: policy/v1 4 | kind: PodDisruptionBudget 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | 
app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-9.5.2 13 | name: puppetserver-masters 14 | spec: 15 | maxUnavailable: 2 16 | minAvailable: 1 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/component: puppetserver 20 | app.kubernetes.io/name: puppetserver 21 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-pvc_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | annotations: null 7 | labels: 8 | app.kubernetes.io/component: puppetserver 9 | app.kubernetes.io/instance: puppetserver 10 | app.kubernetes.io/managed-by: Helm 11 | app.kubernetes.io/name: puppetserver 12 | app.kubernetes.io/version: 7.17.0 13 | helm.sh/chart: puppetserver-9.5.2 14 | name: puppetserver-puppet-claim 15 | spec: 16 | accessModes: 17 | - ReadWriteOnce 18 | resources: 19 | requests: 20 | storage: 400Mi 21 | -------------------------------------------------------------------------------- /tests/__snapshot__/puppetserver-statefulset.compilers_test.yaml.snap: -------------------------------------------------------------------------------- 1 | manifest should match snapshot: 2 | 1: | 3 | apiVersion: apps/v1 4 | kind: StatefulSet 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: puppetserver-compilers 8 | app.kubernetes.io/instance: puppetserver 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: puppetserver 11 | app.kubernetes.io/version: 7.17.0 12 | helm.sh/chart: puppetserver-8.3.0 13 | name: puppetserver-puppetserver-compiler 14 | spec: 15 | podManagementPolicy: OrderedReady 16 | replicas: 1 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/component: puppetserver-compilers 20 | app.kubernetes.io/name: puppetserver 21 | serviceName: puppetserver-puppet-compilers-headless 22 | template: 23 | metadata: 24 | annotations: 
25 | checksum/crl-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 26 | checksum/hiera-configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 27 | checksum/r10k-code.configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 28 | checksum/r10k-hiera.configmap: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b 29 | labels: 30 | app.kubernetes.io/component: puppetserver-compilers 31 | app.kubernetes.io/instance: puppetserver 32 | app.kubernetes.io/managed-by: Helm 33 | app.kubernetes.io/name: puppetserver 34 | app.kubernetes.io/version: 7.17.0 35 | helm.sh/chart: puppetserver-8.3.0 36 | spec: 37 | containers: 38 | - env: 39 | - name: PUPPETSERVER_HOSTNAME 40 | valueFrom: 41 | fieldRef: 42 | fieldPath: metadata.name 43 | - name: PUPPET_MASTERPORT 44 | value: "8140" 45 | - name: DNS_ALT_NAMES 46 | value: puppetserver-puppetserver-compiler-0,puppetserver-puppet-compilers, 47 | - name: PUPPETDB_SERVER_URLS 48 | value: https://puppetserver-puppetdb:8081 49 | - name: CA_ENABLED 50 | value: "false" 51 | - name: CA_HOSTNAME 52 | value: puppetserver-puppet 53 | - name: CA_MASTERPORT 54 | value: "8140" 55 | envFrom: null 56 | image: ghcr.io/voxpupuli/container-puppetserver:7.17.0-v1.5.0 57 | imagePullPolicy: IfNotPresent 58 | livenessProbe: 59 | failureThreshold: 3 60 | periodSeconds: 30 61 | successThreshold: 1 62 | tcpSocket: 63 | port: 8140 64 | timeoutSeconds: 10 65 | name: puppetserver 66 | ports: 67 | - containerPort: 8140 68 | readinessProbe: 69 | failureThreshold: 3 70 | httpGet: 71 | path: /status/v1/simple 72 | port: 8140 73 | scheme: HTTPS 74 | periodSeconds: 60 75 | successThreshold: 1 76 | timeoutSeconds: 20 77 | resources: {} 78 | securityContext: 79 | allowPrivilegeEscalation: false 80 | capabilities: 81 | add: 82 | - CAP_CHOWN 83 | - CAP_SETUID 84 | - CAP_SETGID 85 | - CAP_DAC_OVERRIDE 86 | - CAP_AUDIT_WRITE 87 | - CAP_FOWNER 88 | - CHOWN 89 | - SETUID 90 | - SETGID 91 | - DAC_OVERRIDE 
92 | - AUDIT_WRITE 93 | - FOWNER 94 | drop: 95 | - all 96 | startupProbe: 97 | failureThreshold: 30 98 | periodSeconds: 15 99 | tcpSocket: 100 | port: 8140 101 | volumeMounts: 102 | - mountPath: /etc/puppetlabs/code/ 103 | name: puppet-code-volume 104 | - mountPath: /etc/puppetlabs/puppet/ 105 | name: puppet-puppet-volume 106 | imagePullSecrets: null 107 | initContainers: 108 | - args: 109 | - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; mkdir -p /etc/puppetlabs/code/environments; mkdir -p /etc/puppetlabs/puppet/manifests; mkdir -p /etc/puppetlabs/code/r10k_cache; chown -R puppet:puppet /etc/puppetlabs; cp /tmp/puppet/configmap/site.pp /etc/puppetlabs/puppet/manifests/site.pp; chown puppet:puppet /etc/puppetlabs/puppet/manifests/site.pp; mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/; touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde; chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/; 110 | command: 111 | - sh 112 | - -c 113 | env: null 114 | envFrom: null 115 | image: ghcr.io/voxpupuli/container-puppetserver:7.17.0-v1.5.0 116 | imagePullPolicy: IfNotPresent 117 | name: perms-and-dirs 118 | resources: 119 | limits: 120 | cpu: 300m 121 | memory: 256Mi 122 | requests: 123 | cpu: 200m 124 | memory: 128Mi 125 | securityContext: 126 | capabilities: 127 | add: 128 | - CAP_CHOWN 129 | - CAP_SETUID 130 | - CAP_SETGID 131 | - CAP_DAC_OVERRIDE 132 | - CAP_AUDIT_WRITE 133 | - CAP_FOWNER 134 | - CHOWN 135 | - SETUID 136 | - SETGID 137 | - DAC_OVERRIDE 138 | - AUDIT_WRITE 139 | - FOWNER 140 | drop: 141 | - all 142 | runAsNonRoot: false 143 | runAsUser: 0 144 | volumeMounts: 145 | - mountPath: /etc/puppetlabs/code/ 146 | name: puppet-code-volume 147 | - mountPath: /etc/puppetlabs/puppet/ 148 | name: puppet-puppet-volume 149 | - mountPath: /tmp/puppet/configmap/site.pp 150 | name: manifests-volume 151 | subPath: site.pp 152 | securityContext: 153 | fsGroup: 999 154 | volumes: 155 | - configMap: 156 | name: 
puppetserver-manifests-config 157 | name: manifests-volume 158 | updateStrategy: 159 | type: RollingUpdate 160 | volumeClaimTemplates: 161 | - metadata: 162 | annotations: null 163 | name: puppet-code-volume 164 | spec: 165 | accessModes: 166 | - ReadWriteOnce 167 | resources: 168 | requests: 169 | storage: 400Mi 170 | - metadata: 171 | annotations: null 172 | name: puppet-puppet-volume 173 | spec: 174 | accessModes: 175 | - ReadWriteOnce 176 | resources: 177 | requests: 178 | storage: 400Mi 179 | -------------------------------------------------------------------------------- /tests/jmx-servicemonitor_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test jmx serviceMonitor creation 2 | templates: 3 | - jmx-servicemonitor.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | metrics.prometheus.jmx.enabled: true 11 | metrics.prometheus.jmx.serviceMonitor.enabled: true 12 | metrics.prometheus.disableAPICheck: true 13 | asserts: 14 | - matchSnapshot: {} 15 | - it: should not create the serviceMonitor by default 16 | asserts: 17 | - hasDocuments: 18 | count: 0 19 | - it: should not create the serviceMonitor if "metrics.prometheus.jmx.enabled" is false 20 | set: 21 | metrics.prometheus.jmx.enabled: false 22 | metrics.prometheus.jmx.serviceMonitor.enabled: true 23 | asserts: 24 | - hasDocuments: 25 | count: 0 26 | - it: should not create the serviceMonitor if "metrics.prometheus.jmx.serviceMonitor.enabled" is false 27 | set: 28 | metrics.prometheus.jmx.enabled: true 29 | metrics.prometheus.jmx.serviceMonitor.enabled: false 30 | asserts: 31 | - hasDocuments: 32 | count: 0 33 | - it: should fail if monitoring.coreos.com/v1 api is not available 34 | set: 35 | metrics.prometheus.jmx.enabled: true 36 | metrics.prometheus.jmx.serviceMonitor.enabled: true 37 | asserts: 38 | - failedTemplate: 39 | errorMessage: "ERROR: You have to deploy 
monitoring.coreos.com/v1 first" 40 | - it: should create the resource with the right name 1/2 41 | capabilities: 42 | apiVersions: 43 | - monitoring.coreos.com/v1 44 | release: 45 | name: puppetserver 46 | namespace: puppet 47 | set: 48 | metrics.prometheus.jmx.enabled: true 49 | metrics.prometheus.jmx.serviceMonitor.enabled: true 50 | metrics.prometheus.disableAPICheck: true 51 | asserts: 52 | - isKind: 53 | of: ServiceMonitor 54 | - equal: 55 | path: metadata.name 56 | value: puppetserver-jmx 57 | - it: should create the resource with the right name 2/2 58 | capabilities: 59 | apiVersions: 60 | - monitoring.coreos.com/v1 61 | release: 62 | name: puppet 63 | namespace: puppet 64 | set: 65 | metrics.prometheus.jmx.enabled: true 66 | metrics.prometheus.jmx.serviceMonitor.enabled: true 67 | metrics.prometheus.disableAPICheck: true 68 | asserts: 69 | - isKind: 70 | of: ServiceMonitor 71 | - equal: 72 | path: metadata.name 73 | value: puppet-puppetserver-jmx 74 | - it: should create the service monitor if "metrics.prometheus.jmx.enabled" is true AND "metrics.prometheus.jmx.serviceMonitor.enabled" is true 75 | capabilities: 76 | apiVersions: 77 | - monitoring.coreos.com/v1 78 | release: 79 | name: puppetserver 80 | namespace: puppet 81 | set: 82 | metrics.prometheus.jmx.enabled: true 83 | metrics.prometheus.jmx.serviceMonitor.enabled: true 84 | metrics.prometheus.disableAPICheck: true 85 | asserts: 86 | - isKind: 87 | of: ServiceMonitor 88 | - it: should create the service monitor even if monitoring.coreos.com/v1 api is not available if "metrics.prometheus.disableAPICheck" is true 89 | release: 90 | name: puppetserver 91 | namespace: puppet 92 | set: 93 | metrics.prometheus.jmx.enabled: true 94 | metrics.prometheus.jmx.serviceMonitor.enabled: true 95 | metrics.prometheus.disableAPICheck: true 96 | asserts: 97 | - isKind: 98 | of: ServiceMonitor 99 | -------------------------------------------------------------------------------- /tests/puppetdb-pvc_test.yaml: 
-------------------------------------------------------------------------------- 1 | suite: test puppetdb volume creation 2 | templates: 3 | - puppetdb-pvc.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | asserts: 10 | - matchSnapshot: {} 11 | - it: should not create the volume if "puppetdb.enabled" is false 12 | set: 13 | puppetdb.enabled: false 14 | asserts: 15 | - hasDocuments: 16 | count: 0 17 | - it: should create the volume by default 18 | asserts: 19 | - isKind: 20 | of: PersistentVolumeClaim 21 | -------------------------------------------------------------------------------- /tests/puppetdb-servicemonitor_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetdb serviceMonitor creation 2 | templates: 3 | - puppetdb-servicemonitor.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | asserts: 10 | - matchSnapshot: {} 11 | set: 12 | puppetdb.enabled: true 13 | metrics.prometheus.puppetdb.enabled: true 14 | metrics.prometheus.puppetdb.serviceMonitor.enabled: true 15 | metrics.prometheus.disableAPICheck: true 16 | - it: should not create the serviceMonitor by default 17 | asserts: 18 | - hasDocuments: 19 | count: 0 20 | - it: should not create the serviceMonitor if "puppetdb.enabled" is false 21 | set: 22 | puppetdb.enabled: false 23 | metrics.prometheus.puppetdb.enabled: true 24 | metrics.prometheus.puppetdb.serviceMonitor.enabled: true 25 | asserts: 26 | - hasDocuments: 27 | count: 0 28 | - it: should not create the serviceMonitor if "metrics.prometheus.puppetdb.enabled" is false 29 | set: 30 | puppetdb.enabled: true 31 | metrics.prometheus.puppetdb.enabled: false 32 | metrics.prometheus.puppetdb.serviceMonitor.enabled: true 33 | asserts: 34 | - hasDocuments: 35 | count: 0 36 | - it: should not create the serviceMonitor if 
"metrics.prometheus.puppetdb.serviceMonitor.enabled" is false 37 | set: 38 | puppetdb.enabled: true 39 | metrics.prometheus.puppetdb.enabled: true 40 | metrics.prometheus.puppetdb.serviceMonitor.enabled: false 41 | asserts: 42 | - hasDocuments: 43 | count: 0 44 | - it: should fail if monitoring.coreos.com/v1 api is not available 45 | set: 46 | puppetdb.enabled: true 47 | metrics.prometheus.puppetdb.enabled: true 48 | metrics.prometheus.puppetdb.serviceMonitor.enabled: true 49 | asserts: 50 | - failedTemplate: 51 | errorMessage: "ERROR: You have to deploy monitoring.coreos.com/v1 first" 52 | - it: should create the ressource with the right name 1/2 53 | capabilities: 54 | apiVersions: 55 | - monitoring.coreos.com/v1 56 | release: 57 | name: puppetserver 58 | namespace: puppet 59 | set: 60 | puppetdb.enabled: true 61 | metrics.prometheus.puppetdb.enabled: true 62 | metrics.prometheus.puppetdb.serviceMonitor.enabled: true 63 | metrics.prometheus.disableAPICheck: true 64 | asserts: 65 | - isKind: 66 | of: ServiceMonitor 67 | - equal: 68 | path: metadata.name 69 | value: puppetserver-puppetdb 70 | - it: should create the ressource with the right name 2/2 71 | capabilities: 72 | apiVersions: 73 | - monitoring.coreos.com/v1 74 | release: 75 | name: puppet 76 | namespace: puppet 77 | set: 78 | puppetdb.enabled: true 79 | metrics.prometheus.puppetdb.enabled: true 80 | metrics.prometheus.puppetdb.serviceMonitor.enabled: true 81 | metrics.prometheus.disableAPICheck: true 82 | asserts: 83 | - isKind: 84 | of: ServiceMonitor 85 | - equal: 86 | path: metadata.name 87 | value: puppet-puppetserver-puppetdb 88 | - it: should create the service monitor if "puppetdb.enabled" is true AND "metrics.prometheus.puppetdb.enabled" is true 89 | capabilities: 90 | apiVersions: 91 | - monitoring.coreos.com/v1 92 | release: 93 | name: puppetserver 94 | namespace: puppet 95 | set: 96 | puppetdb.enabled: true 97 | metrics.prometheus.puppetdb.enabled: true 98 | 
metrics.prometheus.puppetdb.serviceMonitor.enabled: true 99 | metrics.prometheus.disableAPICheck: true 100 | asserts: 101 | - isKind: 102 | of: ServiceMonitor 103 | - it: should create the service monitor even if monitoring.coreos.com/v1 api is not available if "metrics.prometheus.disableAPICheck" is true 104 | release: 105 | name: puppetserver 106 | namespace: puppet 107 | set: 108 | puppetdb.enabled: true 109 | metrics.prometheus.puppetdb.enabled: true 110 | metrics.prometheus.puppetdb.serviceMonitor.enabled: true 111 | metrics.prometheus.disableAPICheck: true 112 | asserts: 113 | - isKind: 114 | of: ServiceMonitor 115 | -------------------------------------------------------------------------------- /tests/puppetdb.networkpolicy_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetdb networkpolicy creation 2 | templates: 3 | - puppetdb.networkpolicy.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | puppetdb.networkPolicy.enabled: true 11 | asserts: 12 | - matchSnapshot: {} 13 | - it: should not create the networkpolicy by default 14 | asserts: 15 | - hasDocuments: 16 | count: 0 17 | - it: should not create the networkpolicy if the feature is not enabled 18 | set: 19 | puppetdb.networkPolicy.enabled: false 20 | asserts: 21 | - hasDocuments: 22 | count: 0 23 | - it: should create the networkpolicy if the feature is enabled 24 | set: 25 | puppetdb.networkPolicy.enabled: true 26 | asserts: 27 | - isKind: 28 | of: NetworkPolicy 29 | - equal: 30 | path: metadata.name 31 | value: puppetserver-puppetdb 32 | -------------------------------------------------------------------------------- /tests/puppetserver-ca-pvc_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppet ca volume creation 2 | templates: 3 | - puppetserver-ca-pvc.yaml 4 | release: 5 | name: puppetserver 6 | 
namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | puppetserver.masters.multiMasters.enabled: false 11 | asserts: 12 | - matchSnapshot: {} 13 | - it: should create the volume if puppet master only (single master) 14 | set: 15 | puppetserver.masters.multiMasters.enabled: false 16 | asserts: 17 | - isKind: 18 | of: PersistentVolumeClaim 19 | - equal: 20 | path: metadata.name 21 | value: puppetserver-ca-claim 22 | - it: should create the volume if puppet master only (multi master) 23 | set: 24 | puppetserver.masters.multiMasters.enabled: true 25 | puppetserver.masters.multiMasters.manualScaling.masters: 2 26 | asserts: 27 | - isKind: 28 | of: PersistentVolumeClaim 29 | - equal: 30 | path: metadata.name 31 | value: puppetserver-ca-claim 32 | - it: should create the volume if puppet compilers are deployed 33 | set: 34 | puppetserver.masters.multiMasters.enabled: true 35 | puppetserver.masters.multiMasters.manualScaling.masters: 2 36 | puppetserver.compilers.enabled: true 37 | asserts: 38 | - isKind: 39 | of: PersistentVolumeClaim 40 | - equal: 41 | path: metadata.name 42 | value: puppetserver-ca-claim 43 | -------------------------------------------------------------------------------- /tests/puppetserver-code-pvc_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppet code volume creation 2 | templates: 3 | - puppetserver-code-pvc.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | puppetserver.compilers.enabled: true 11 | asserts: 12 | - matchSnapshot: {} 13 | - it: should not create the volume if "puppetserver.persistence.code.existingClaim" is non-empty 14 | set: 15 | puppetserver.persistence.code.existingClaim: dummy 16 | asserts: 17 | - hasDocuments: 18 | count: 0 19 | - it: should not create the volume if compiler is used as StatefulSet 20 | set: 21 | puppetserver.compilers.enabled: true 22 
| puppetserver.compilers.kind: StatefulSet 23 | asserts: 24 | - hasDocuments: 25 | count: 0 26 | - it: should create the volume by default 27 | asserts: 28 | - isKind: 29 | of: PersistentVolumeClaim 30 | - it: should create the volume if compilers are not deployed 31 | set: 32 | puppetserver.compilers.enabled: false 33 | asserts: 34 | - isKind: 35 | of: PersistentVolumeClaim 36 | - it: should create the volume if compiler is used as Deployment 37 | set: 38 | puppetserver.compilers.enabled: true 39 | puppetserver.compilers.kind: Deployment 40 | asserts: 41 | - isKind: 42 | of: PersistentVolumeClaim 43 | -------------------------------------------------------------------------------- /tests/puppetserver-compilers.deployment_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetserver compilers deployment creation 2 | templates: 3 | - puppetserver-deployment-compilers.yaml 4 | - hiera-configmap.yaml 5 | - r10k-code.configmap.yaml 6 | - r10k-hiera.configmap.yaml 7 | - update-crl-configmap.yaml 8 | release: 9 | name: puppetserver 10 | namespace: puppet 11 | tests: 12 | - it: manifest should match snapshot 13 | set: 14 | puppetserver.compilers.enabled: true 15 | puppetserver.compilers.kind: Deployment 16 | asserts: 17 | - matchSnapshot: {} 18 | -------------------------------------------------------------------------------- /tests/puppetserver-compilers.networkpolicy_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetserver (compilers) networkpolicy creation 2 | templates: 3 | - puppetserver-compilers.networkpolicy.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | puppetserver.compilers.networkPolicy.enabled: true 11 | asserts: 12 | - matchSnapshot: {} 13 | - it: should not create the networkpolicy by default 14 | asserts: 15 | - hasDocuments: 16 | count: 0 17 | - it: 
should not create the networkpolicy if the feature is not enabled 18 | set: 19 | puppetserver.compilers.networkPolicy.enabled: false 20 | asserts: 21 | - hasDocuments: 22 | count: 0 23 | - it: should create the networkpolicy if the feature is enabled 24 | set: 25 | puppetserver.compilers.networkPolicy.enabled: true 26 | asserts: 27 | - isKind: 28 | of: NetworkPolicy 29 | - equal: 30 | path: metadata.name 31 | value: puppetserver-puppetserver-compilers 32 | -------------------------------------------------------------------------------- /tests/puppetserver-compilers.pdb_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetserver compilers podDisruptionBudget creation 2 | templates: 3 | - puppetserver-compilers.pdb.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | puppetserver.compilers.podDisruptionBudget.enabled: true 11 | puppetserver.compilers.enabled: true 12 | puppetserver.compilers.manualScaling.compilers: 1 13 | puppetserver.compilers.autoScaling.enabled: true 14 | puppetserver.compilers.autoScaling.minCompilers: 2 15 | puppetserver.compilers.podDisruptionBudget.maxUnavailable: 2 16 | asserts: 17 | - matchSnapshot: {} 18 | - it: should not create the podDisruptionBudget by default 19 | asserts: 20 | - hasDocuments: 21 | count: 0 22 | - it: should not create the podDisruptionBudget if compilers are not enabled 23 | set: 24 | puppetserver.compilers.podDisruptionBudget.enabled: true 25 | puppetserver.compilers.enabled: false 26 | asserts: 27 | - hasDocuments: 28 | count: 0 29 | - it: should not create the podDisruptionBudget if compilers podDisruptionBudget is not enabled 30 | set: 31 | puppetserver.compilers.podDisruptionBudget.enabled: false 32 | puppetserver.compilers.enabled: true 33 | asserts: 34 | - hasDocuments: 35 | count: 0 36 | - it: should not create the podDisruptionBudget if compilers are enabled but the number of 
compilers is equal to 1 37 | set: 38 | puppetserver.compilers.podDisruptionBudget.enabled: true 39 | puppetserver.compilers.enabled: true 40 | puppetserver.compilers.manualScaling.compilers: 1 41 | puppetserver.compilers.autoScaling.enabled: false 42 | puppetserver.compilers.autoScaling.minCompilers: 2 43 | asserts: 44 | - hasDocuments: 45 | count: 0 46 | - it: should create the podDisruptionBudget if compilers are enabled and the number of compilers is greater than 1 47 | set: 48 | puppetserver.compilers.podDisruptionBudget.enabled: true 49 | puppetserver.compilers.enabled: true 50 | puppetserver.compilers.manualScaling.compilers: 2 51 | puppetserver.compilers.autoScaling.enabled: false 52 | puppetserver.compilers.autoScaling.minCompilers: 2 53 | asserts: 54 | - isKind: 55 | of: PodDisruptionBudget 56 | - equal: 57 | path: metadata.name 58 | value: puppetserver-compilers 59 | - it: should not create the podDisruptionBudget if autoScaling mode is enabled with 1 minCompilers 60 | set: 61 | puppetserver.compilers.podDisruptionBudget.enabled: true 62 | puppetserver.compilers.enabled: true 63 | puppetserver.compilers.manualScaling.compilers: 2 64 | puppetserver.compilers.autoScaling.enabled: true 65 | puppetserver.compilers.autoScaling.minCompilers: 1 66 | asserts: 67 | - hasDocuments: 68 | count: 0 69 | - it: should create the podDisruptionBudget if autoScaling mode is enabled with more than 1 minCompilers 70 | set: 71 | puppetserver.compilers.podDisruptionBudget.enabled: true 72 | puppetserver.compilers.enabled: true 73 | puppetserver.compilers.manualScaling.compilers: 1 74 | puppetserver.compilers.autoScaling.enabled: true 75 | puppetserver.compilers.autoScaling.minCompilers: 2 76 | asserts: 77 | - isKind: 78 | of: PodDisruptionBudget 79 | - equal: 80 | path: metadata.name 81 | value: puppetserver-compilers 82 | - it: should update minAvailable 83 | set: 84 | puppetserver.compilers.podDisruptionBudget.enabled: true 85 | puppetserver.compilers.enabled: true 86 | 
puppetserver.compilers.manualScaling.compilers: 1 87 | puppetserver.compilers.autoScaling.enabled: true 88 | puppetserver.compilers.autoScaling.minCompilers: 2 89 | puppetserver.compilers.podDisruptionBudget.minAvailable: 2 90 | asserts: 91 | - isKind: 92 | of: PodDisruptionBudget 93 | - equal: 94 | path: spec.minAvailable 95 | value: 2 96 | - it: should update maxUnavailable 97 | set: 98 | puppetserver.compilers.podDisruptionBudget.enabled: true 99 | puppetserver.compilers.enabled: true 100 | puppetserver.compilers.manualScaling.compilers: 1 101 | puppetserver.compilers.autoScaling.enabled: true 102 | puppetserver.compilers.autoScaling.minCompilers: 2 103 | puppetserver.compilers.podDisruptionBudget.maxUnavailable: 2 104 | asserts: 105 | - isKind: 106 | of: PodDisruptionBudget 107 | - equal: 108 | path: spec.maxUnavailable 109 | value: 2 110 | -------------------------------------------------------------------------------- /tests/puppetserver-compilers.statefulset_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetserver compilers statefulset creation 2 | templates: 3 | - puppetserver-statefulset-compilers.yaml 4 | - hiera-configmap.yaml 5 | - r10k-code.configmap.yaml 6 | - r10k-hiera.configmap.yaml 7 | - update-crl-configmap.yaml 8 | release: 9 | name: puppetserver 10 | namespace: puppet 11 | tests: 12 | - it: manifest should match snapshot 13 | set: 14 | puppetserver.compilers.enabled: true 15 | puppetserver.compilers.kind: StatefulSet 16 | asserts: 17 | - matchSnapshot: {} 18 | -------------------------------------------------------------------------------- /tests/puppetserver-data-pvc_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppet data volume creation 2 | templates: 3 | - puppetserver-data-pvc.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | 
puppetserver.persistence.data.existingClaim: dummy # FIXME: this is the same override as the "should not create" case below, so the template renders zero documents and the snapshot pins an empty render; drop the override to actually snapshot the PVC 11 | asserts: 12 | - matchSnapshot: {} 13 | - it: should not create the volume if "puppetserver.persistence.data.existingClaim" is non-empty 14 | set: 15 | puppetserver.persistence.data.existingClaim: dummy 16 | asserts: 17 | - hasDocuments: 18 | count: 0 19 | - it: should create the volume by default 20 | asserts: 21 | - isKind: 22 | of: PersistentVolumeClaim 23 | -------------------------------------------------------------------------------- /tests/puppetserver-masters.networkpolicy_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetserver (masters) networkpolicy creation 2 | templates: 3 | - puppetserver-masters.networkpolicy.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | puppetserver.masters.networkPolicy.enabled: true # NetworkPolicy is opt-in (off by default, see the tests below); this snapshot is the only assertion that pins the rendered rules 11 | asserts: 12 | - matchSnapshot: {} 13 | - it: should not create the networkpolicy by default 14 | asserts: 15 | - hasDocuments: 16 | count: 0 17 | - it: should not create the networkpolicy if the feature is not enabled 18 | set: 19 | puppetserver.masters.networkPolicy.enabled: false 20 | asserts: 21 | - hasDocuments: 22 | count: 0 23 | - it: should create the networkpolicy if the feature is enabled 24 | set: 25 | puppetserver.masters.networkPolicy.enabled: true 26 | asserts: 27 | - isKind: 28 | of: NetworkPolicy 29 | - equal: 30 | path: metadata.name 31 | value: puppetserver-puppetserver 32 | -------------------------------------------------------------------------------- /tests/puppetserver-masters.pdb_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppetserver master podDisruptionBudget creation 2 | templates: 3 | - puppetserver-masters.pdb.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | set: 10 | 
puppetserver.masters.podDisruptionBudget.enabled: true 11 | puppetserver.masters.multiMasters.enabled: true 12 | puppetserver.masters.multiMasters.manualScaling.masters: 2 13 | puppetserver.masters.multiMasters.autoScaling.enabled: true 14 | puppetserver.masters.multiMasters.autoScaling.minMasters: 2 15 | puppetserver.masters.podDisruptionBudget.maxUnavailable: 2 16 | asserts: 17 | - matchSnapshot: {} 18 | - it: should not create the podDisruptionBudget by default 19 | asserts: 20 | - hasDocuments: 21 | count: 0 22 | - it: should not create the podDisruptionBudget if multi-masters mode is not enabled 23 | set: 24 | puppetserver.masters.podDisruptionBudget.enabled: true 25 | puppetserver.masters.multiMasters.enabled: false 26 | puppetserver.masters.multiMasters.manualScaling.masters: 2 27 | puppetserver.masters.multiMasters.autoScaling.enabled: true 28 | puppetserver.masters.multiMasters.autoScaling.minMasters: 2 29 | asserts: 30 | - hasDocuments: 31 | count: 0 32 | - it: should not create the podDisruptionBudget if multi-masters mode is enabled but the number of masters equals 1 33 | set: 34 | puppetserver.masters.podDisruptionBudget.enabled: true 35 | puppetserver.masters.multiMasters.enabled: true 36 | puppetserver.masters.multiMasters.manualScaling.masters: 1 37 | puppetserver.masters.multiMasters.autoScaling.enabled: false 38 | puppetserver.masters.multiMasters.autoScaling.minMasters: 2 39 | asserts: 40 | - hasDocuments: 41 | count: 0 42 | - it: should create the podDisruptionBudget if multi-masters mode is enabled and the number of masters is greater than 1 43 | set: 44 | puppetserver.masters.podDisruptionBudget.enabled: true 45 | puppetserver.masters.multiMasters.enabled: true 46 | puppetserver.masters.multiMasters.manualScaling.masters: 3 47 | puppetserver.masters.multiMasters.autoScaling.enabled: false 48 | puppetserver.masters.multiMasters.autoScaling.minMasters: 2 49 | asserts: 50 | - isKind: 51 | of: PodDisruptionBudget 52 | - equal: 53 | path: 
metadata.name 54 | value: puppetserver-masters 55 | - it: should not create the podDisruptionBudget if autoScaling mode is enabled with 1 minMasters 56 | set: 57 | puppetserver.masters.podDisruptionBudget.enabled: true 58 | puppetserver.masters.multiMasters.enabled: true 59 | puppetserver.masters.multiMasters.manualScaling.masters: 2 60 | puppetserver.masters.multiMasters.autoScaling.enabled: true 61 | puppetserver.masters.multiMasters.autoScaling.minMasters: 1 62 | asserts: 63 | - hasDocuments: 64 | count: 0 65 | - it: should create the podDisruptionBudget if autoScaling mode is enabled with more than 1 minMasters 66 | set: 67 | puppetserver.masters.podDisruptionBudget.enabled: true 68 | puppetserver.masters.multiMasters.enabled: true 69 | puppetserver.masters.multiMasters.manualScaling.masters: 2 70 | puppetserver.masters.multiMasters.autoScaling.enabled: true 71 | puppetserver.masters.multiMasters.autoScaling.minMasters: 2 72 | asserts: 73 | - isKind: 74 | of: PodDisruptionBudget 75 | - equal: 76 | path: metadata.name 77 | value: puppetserver-masters 78 | - it: should update minAvailable 79 | set: 80 | puppetserver.masters.podDisruptionBudget.enabled: true 81 | puppetserver.masters.multiMasters.enabled: true 82 | puppetserver.masters.multiMasters.manualScaling.masters: 2 83 | puppetserver.masters.multiMasters.autoScaling.enabled: true 84 | puppetserver.masters.multiMasters.autoScaling.minMasters: 2 85 | puppetserver.masters.podDisruptionBudget.minAvailable: 2 86 | asserts: 87 | - isKind: 88 | of: PodDisruptionBudget 89 | - equal: 90 | path: spec.minAvailable 91 | value: 2 92 | - it: should update maxUnavailable 93 | set: 94 | puppetserver.masters.podDisruptionBudget.enabled: true 95 | puppetserver.masters.multiMasters.enabled: true 96 | puppetserver.masters.multiMasters.manualScaling.masters: 2 97 | puppetserver.masters.multiMasters.autoScaling.enabled: true 98 | puppetserver.masters.multiMasters.autoScaling.minMasters: 2 99 | 
puppetserver.masters.podDisruptionBudget.maxUnavailable: 2 100 | asserts: 101 | - isKind: 102 | of: PodDisruptionBudget 103 | - equal: 104 | path: spec.maxUnavailable 105 | value: 2 106 | -------------------------------------------------------------------------------- /tests/puppetserver-pvc_test.yaml: -------------------------------------------------------------------------------- 1 | suite: test puppet puppet volume creation 2 | templates: 3 | - puppetserver-pvc.yaml 4 | release: 5 | name: puppetserver 6 | namespace: puppet 7 | tests: 8 | - it: manifest should match snapshot 9 | asserts: 10 | - matchSnapshot: {} 11 | - it: should not create the volume if "puppetserver.persistence.puppet.existingClaim" is non-empty 12 | set: 13 | puppetserver.persistence.puppet.existingClaim: dummy 14 | asserts: 15 | - hasDocuments: 16 | count: 0 17 | - it: should create the volume by default 18 | asserts: 19 | - isKind: 20 | of: PersistentVolumeClaim 21 | --------------------------------------------------------------------------------