├── marketplace ├── .gitignore ├── charts │ └── spinkube-azure-marketplace │ │ ├── charts │ │ ├── kwasm-operator │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── rolebinding.yaml │ │ │ │ ├── tests │ │ │ │ │ └── test-connection.yaml │ │ │ │ ├── _helpers.tpl │ │ │ │ └── deployment.yaml │ │ │ ├── Chart.yaml │ │ │ └── values.yaml │ │ ├── cert-manager │ │ │ ├── .gitignore │ │ │ ├── signkey_annotation.txt │ │ │ ├── .helmignore │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── webhook-psp-clusterrole.yaml │ │ │ │ ├── psp-clusterrole.yaml │ │ │ │ ├── cainjector-psp-clusterrole.yaml │ │ │ │ ├── controller-config.yaml │ │ │ │ ├── webhook-config.yaml │ │ │ │ ├── webhook-psp-clusterrolebinding.yaml │ │ │ │ ├── networkpolicy-egress.yaml │ │ │ │ ├── cainjector-config.yaml │ │ │ │ ├── psp-clusterrolebinding.yaml │ │ │ │ ├── networkpolicy-webhooks.yaml │ │ │ │ ├── cainjector-psp-clusterrolebinding.yaml │ │ │ │ ├── startupapicheck-psp-clusterrole.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ ├── webhook-serviceaccount.yaml │ │ │ │ ├── startupapicheck-psp-clusterrolebinding.yaml │ │ │ │ ├── cainjector-serviceaccount.yaml │ │ │ │ ├── webhook-service.yaml │ │ │ │ ├── startupapicheck-serviceaccount.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── poddisruptionbudget.yaml │ │ │ │ ├── webhook-poddisruptionbudget.yaml │ │ │ │ ├── cainjector-poddisruptionbudget.yaml │ │ │ │ ├── psp.yaml │ │ │ │ ├── cainjector-psp.yaml │ │ │ │ ├── startupapicheck-psp.yaml │ │ │ │ ├── webhook-psp.yaml │ │ │ │ ├── startupapicheck-rbac.yaml │ │ │ │ ├── webhook-mutating-webhook.yaml │ │ │ │ ├── webhook-validating-webhook.yaml │ │ │ │ ├── podmonitor.yaml │ │ │ │ ├── servicemonitor.yaml │ │ │ │ ├── webhook-rbac.yaml │ │ │ │ ├── startupapicheck-job.yaml │ │ │ │ ├── cainjector-rbac.yaml │ │ │ │ ├── cainjector-deployment.yaml │ │ │ │ ├── _helpers.tpl │ │ │ │ ├── 
webhook-deployment.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ └── rbac.yaml │ │ │ └── Chart.yaml │ │ └── spin-operator │ │ │ ├── templates │ │ │ ├── selfsigned-issuer.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── metrics-reader-rbac.yaml │ │ │ ├── webhook-service.yaml │ │ │ ├── serving-cert.yaml │ │ │ ├── metrics-service.yaml │ │ │ ├── NOTES.txt │ │ │ ├── proxy-rbac.yaml │ │ │ ├── mutating-webhook-configuration.yaml │ │ │ ├── validating-webhook-configuration.yaml │ │ │ ├── leader-election-rbac.yaml │ │ │ ├── manager-rbac.yaml │ │ │ ├── _helpers.tpl │ │ │ └── deployment.yaml │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── values.yaml │ │ │ └── README.md │ │ ├── templates │ │ ├── spin-operator.runtime-class.yaml │ │ ├── kwasm-annotate-nodes-job.yaml │ │ ├── shimexecutor-post-install-job.yaml │ │ ├── post-delete-job.yaml │ │ └── pre-delete-job.yaml │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── values.yaml │ │ └── README.md ├── manifest.yaml ├── parameterFile.json ├── README.md ├── mainTemplate.json └── createUIDefinition.json ├── charts ├── cert-manager-v1.14.3.tgz ├── kwasm-operator-0.2.3.tgz └── spin-operator-0.4.0.tgz ├── templates ├── spin-operator.runtime-class.yaml ├── kwasm.annotation.yaml └── shimexecutor-post-install-job.yaml ├── values.yaml ├── Chart.lock ├── .helmignore ├── .github └── workflows │ ├── marketplace-publish.yaml │ ├── marketplace-verify.yaml │ └── marketplace-smoke-test.yaml ├── README.md ├── Chart.yaml └── LICENSE /marketplace/.gitignore: -------------------------------------------------------------------------------- 1 | **/*.tgz 2 | .cnab 3 | porter.yaml 4 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Welcome to KWasm-operator -------------------------------------------------------------------------------- 
/charts/cert-manager-v1.14.3.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spinframework/azure/main/charts/cert-manager-v1.14.3.tgz -------------------------------------------------------------------------------- /charts/kwasm-operator-0.2.3.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spinframework/azure/main/charts/kwasm-operator-0.2.3.tgz -------------------------------------------------------------------------------- /charts/spin-operator-0.4.0.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/spinframework/azure/main/charts/spin-operator-0.4.0.tgz -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/.gitignore: -------------------------------------------------------------------------------- 1 | *.tgz 2 | charts/* 3 | requirements.lock 4 | -------------------------------------------------------------------------------- /templates/spin-operator.runtime-class.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | kind: RuntimeClass 3 | metadata: 4 | name: wasmtime-spin-v2 5 | handler: spin 6 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/templates/spin-operator.runtime-class.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | kind: RuntimeClass 3 | metadata: 4 | name: wasmtime-spin-v2 5 | handler: spin 6 | -------------------------------------------------------------------------------- /values.yaml: -------------------------------------------------------------------------------- 1 | spin-operator: 2 | enabled: true 3 | 4 | cert-manager: 5 
  enabled: true

kwasm-operator:
  enabled: true
  kwasmOperator:
    # Pinned by mutable tag only. By its name this is the image the kwasm
    # operator runs on each node to install the Spin containerd shim (confirm
    # against the kwasm-operator documentation), i.e. a node-level component:
    # pin it by digest (…/node-installer:v0.17.0@sha256:<digest>) so a re-tag
    # of v0.17.0 upstream cannot change what lands on the nodes.
    installerImage: ghcr.io/spinkube/containerd-shim-spin/node-installer:v0.17.0
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/signkey_annotation.txt:
--------------------------------------------------------------------------------
fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/selfsigned-issuer.yaml:
--------------------------------------------------------------------------------
# Self-signed Issuer that backs the webhook serving certificate requested in
# serving-cert.yaml, the only Certificate in this chart. It signs nothing but
# the in-cluster TLS certificate for the operator's webhook Service.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ include "spin-operator.fullname" . }}-selfsigned-issuer
  labels:
    {{- include "spin-operator.labels" . | nindent 4 }}
spec:
  selfSigned: {}
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: {{ include "kwasm-operator.fullname" . 
}}
rules:
# NOTE(review): "update" on nodes is cluster-wide write access to Node objects
# (labels, annotations, taints) — presumably what the node annotation applied
# by the bundle's kwasm-annotate-nodes-job needs. Keep the verb list this
# narrow (no patch/delete) and do not widen it to other core resources.
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/role.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: {{ include "kwasm-operator.fullname" . }}
rules:
# Namespace-scoped: the operator may create and delete batch Jobs in its own
# release namespace (presumably the per-node installer Jobs — confirm against
# the operator's controller code); nothing here is cluster-wide.
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - delete
--------------------------------------------------------------------------------
/Chart.lock:
--------------------------------------------------------------------------------
# Generated by `helm dependency update`; do not edit by hand. Fix the source
# entry in Chart.yaml (not shown here) and regenerate.
dependencies:
- name: spin-operator
  repository: oci://ghcr.io/spinkube/charts
  version: 0.4.0
- name: cert-manager
  repository: https://charts.jetstack.io
  version: v1.14.3
- name: kwasm-operator
  # NOTE(review): plain http:// — the repository index and the kwasm-operator
  # archive are fetched without TLS, so anything on the path can serve a
  # different chart. The digest below is Helm's hash of this dependency list,
  # not of the downloaded .tgz, and does not by itself protect the fetch.
  # Change the repository in Chart.yaml to https and regenerate this lock.
  repository: http://kwasm.sh/kwasm-operator/
  version: 0.2.3
digest: sha256:0c192cc2f5c8fd54137c986bfa1278959ccbe64a5e7b58b40d5661a5f34910c0
generated: "2024-11-05T14:48:48.29812-07:00"
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kwasm-operator.serviceAccountName" . }}
  labels:
    {{- include "kwasm-operator.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | marketplace/ 25 | .github/ -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: spin-operator 3 | repository: file://charts/spin-operator 4 | version: 0.4.0 5 | - name: cert-manager 6 | repository: file://charts/cert-manager 7 | version: v0.1.0 8 | - name: kwasm-operator 9 | repository: file://charts/kwasm-operator 10 | version: 0.2.3 11 | digest: sha256:692c93c60d865c3fa36a8b60a7761889b5663f25fc5a2838528a1a8e9f8d33e1 12 | generated: "2024-11-05T14:50:24.550048-07:00" 13 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "kwasm-operator.fullname" . }} 5 | labels: 6 | {{- include "kwasm-operator.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "kwasm-operator.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-controller-manager 5 | labels: 6 | app.kubernetes.io/component: rbac 7 | app.kubernetes.io/created-by: spin-operator 8 | app.kubernetes.io/part-of: spin-operator 9 | {{- include "spin-operator.labels" . 
| nindent 4 }} 10 | annotations: 11 | {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | creationTimestamp: null 5 | name: {{ include "kwasm-operator.fullname" . }} 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: {{ include "kwasm-operator.fullname" . }} 10 | subjects: 11 | - kind: ServiceAccount 12 | name: {{ include "kwasm-operator.serviceAccountName" . }} 13 | namespace: {{ .Release.Namespace }} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-reader-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-metrics-reader 5 | labels: 6 | app.kubernetes.io/component: kube-rbac-proxy 7 | app.kubernetes.io/created-by: spin-operator 8 | app.kubernetes.io/part-of: spin-operator 9 | {{- include "spin-operator.labels" . | nindent 4 }} 10 | rules: 11 | - nonResourceURLs: 12 | - /metrics 13 | verbs: 14 | - get -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | creationTimestamp: null 5 | name: {{ include "kwasm-operator.fullname" . 
}} 6 | namespace: {{ .Release.Namespace }} 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: Role 10 | name: {{ include "kwasm-operator.fullname" . }} 11 | subjects: 12 | - kind: ServiceAccount 13 | name: {{ include "kwasm-operator.serviceAccountName" . }} 14 | namespace: {{ .Release.Namespace }} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | 23 | BUILD.bazel 24 | Chart.template.yaml 25 | README.template.md 26 | OWNERS 27 | cert-manager*.tgz 28 | -------------------------------------------------------------------------------- /marketplace/manifest.yaml: -------------------------------------------------------------------------------- 1 | applicationName: spinkube 2 | publisher: "Fermyon" 3 | description: "SpinKube on Azure Marketplace" 4 | version: 1.3.0 #Must be in the format of #.#.# 5 | helmChart: "./charts/spinkube-azure-marketplace" 6 | clusterArmTemplate: "./mainTemplate.json" 7 | uiDefinition: "./createUIDefinition.json" 8 | registryServer: "spinkubemarketplace.azurecr.io" 9 | testParameterFile: "./parameterFile.json" 10 | extensionRegistrationParameters: 11 | defaultScope: "cluster" # cluster or namespace 12 | namespace: "spinkube" # Specify the namespace the extension will install into. 
This property is required when defaultScope field value is chosen as 'cluster' 13 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/webhook-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-webhook-service 5 | labels: 6 | app.kubernetes.io/component: webhook 7 | app.kubernetes.io/created-by: spin-operator 8 | app.kubernetes.io/part-of: spin-operator 9 | {{- include "spin-operator.labels" . | nindent 4 }} 10 | spec: 11 | type: {{ .Values.webhookService.type }} 12 | selector: 13 | control-plane: controller-manager 14 | {{- include "spin-operator.selectorLabels" . | nindent 4 }} 15 | ports: 16 | {{- .Values.webhookService.ports | toYaml | nindent 2 -}} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | cert-manager {{ .Chart.AppVersion }} has been deployed successfully! 2 | 3 | In order to begin issuing certificates, you will need to set up a ClusterIssuer 4 | or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). 
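More information on the different types of issuers and how to configure them
can be found in our documentation:

  https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

  https://cert-manager.io/docs/usage/ingress/
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serving-cert.yaml:
--------------------------------------------------------------------------------
# Serving certificate for the operator's admission webhook, issued by the
# chart's self-signed Issuer (selfsigned-issuer.yaml).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "spin-operator.fullname" . }}-serving-cert
  labels:
  {{- include "spin-operator.labels" . | nindent 4 }}
spec:
  # The SANs must match the webhook Service, which webhook-service.yaml names
  # "<fullname>-webhook-service"; otherwise the API server rejects the
  # webhook's TLS certificate and every admission call fails. The previous
  # template handed `include` a name containing a nested template action
  # ("(Release.Namespace).fullname"); no template of that name exists in this
  # chart — every other resource here uses "spin-operator.fullname", which is
  # what the issuerRef below already uses.
  dnsNames:
  - '{{ include "spin-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc'
  - '{{ include "spin-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}'
  issuerRef:
    kind: Issuer
    name: '{{ include "spin-operator.fullname" . }}-selfsigned-issuer'
  # NOTE(review): the Secret name is not release-scoped, so two releases of
  # this chart in one namespace would share (and overwrite) the same key
  # material. Renaming it also requires changing the volume that mounts it in
  # deployment.yaml (not shown here), so it is left unchanged.
  secretName: webhook-server-cert
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrole.yaml:
--------------------------------------------------------------------------------
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "webhook.fullname" . }}-psp
  labels:
    app: {{ include "webhook.name" . }}
    app.kubernetes.io/name: {{ include "webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "webhook"
    {{- include "labels" . 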
| nindent 4 }} 12 | rules: 13 | - apiGroups: ['policy'] 14 | resources: ['podsecuritypolicies'] 15 | verbs: ['use'] 16 | resourceNames: 17 | - {{ template "webhook.fullname" . }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-controller-manager-metrics-service 5 | labels: 6 | app.kubernetes.io/component: kube-rbac-proxy 7 | app.kubernetes.io/created-by: spin-operator 8 | app.kubernetes.io/part-of: spin-operator 9 | control-plane: controller-manager 10 | {{- include "spin-operator.labels" . | nindent 4 }} 11 | spec: 12 | type: {{ .Values.metricsService.type }} 13 | selector: 14 | control-plane: controller-manager 15 | {{- include "spin-operator.selectorLabels" . | nindent 4 }} 16 | ports: 17 | {{- .Values.metricsService.ports | toYaml | nindent 2 -}} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.podSecurityPolicy.enabled }} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "cert-manager.fullname" . }}-psp 6 | labels: 7 | app: {{ include "cert-manager.name" . }} 8 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/component: "controller" 11 | {{- include "labels" . | nindent 4 }} 12 | rules: 13 | - apiGroups: ['policy'] 14 | resources: ['podsecuritypolicies'] 15 | verbs: ['use'] 16 | resourceNames: 17 | - {{ template "cert-manager.fullname" . 
}} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "kwasm-operator.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "kwasm-operator.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test 9 | spec: 10 | containers: 11 | - name: wget 12 | image: {{ printf "%s/%s:%s" .Values.global.azure.images.kwasmOperatorTestConnectionWget.registry .Values.global.azure.images.kwasmOperatorTestConnectionWget.image .Values.global.azure.images.kwasmOperatorTestConnectionWget.tag }} 13 | command: ['wget'] 14 | args: ['{{ include "kwasm-operator.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.cainjector.enabled }} 2 | {{- if .Values.global.podSecurityPolicy.enabled }} 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ template "cainjector.fullname" . }}-psp 7 | labels: 8 | app: {{ include "cainjector.name" . }} 9 | app.kubernetes.io/name: {{ include "cainjector.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "cainjector" 12 | {{- include "labels" . | nindent 4 }} 13 | rules: 14 | - apiGroups: ['policy'] 15 | resources: ['podsecuritypolicies'] 16 | verbs: ['use'] 17 | resourceNames: 18 | - {{ template "cainjector.fullname" . 
}} 19 | {{- end }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/controller-config.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.config -}} 2 | {{- $_ := .Values.config.apiVersion | required ".Values.config.apiVersion must be set !" -}} 3 | {{- $_ := .Values.config.kind | required ".Values.config.kind must be set !" -}} 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ include "cert-manager.fullname" . }} 8 | namespace: {{ include "cert-manager.namespace" . }} 9 | labels: 10 | app: {{ include "cert-manager.name" . }} 11 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | app.kubernetes.io/component: "controller" 14 | {{- include "labels" . | nindent 4 }} 15 | data: 16 | config.yaml: | 17 | {{- .Values.config | toYaml | nindent 4 }} 18 | {{- end -}} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-config.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.config -}} 2 | {{- $_ := .Values.webhook.config.apiVersion | required ".Values.webhook.config.apiVersion must be set !" -}} 3 | {{- $_ := .Values.webhook.config.kind | required ".Values.webhook.config.kind must be set !" -}} 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ include "webhook.fullname" . }} 8 | namespace: {{ include "cert-manager.namespace" . }} 9 | labels: 10 | app: {{ include "webhook.name" . }} 11 | app.kubernetes.io/name: {{ include "webhook.name" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | app.kubernetes.io/component: "webhook" 14 | {{- include "labels" . 
| nindent 4 }} 15 | data: 16 | config.yaml: | 17 | {{- .Values.webhook.config | toYaml | nindent 4 }} 18 | {{- end -}} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.podSecurityPolicy.enabled }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "webhook.fullname" . }}-psp 6 | labels: 7 | app: {{ include "webhook.name" . }} 8 | app.kubernetes.io/name: {{ include "webhook.name" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/component: "webhook" 11 | {{- include "labels" . | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "webhook.fullname" . }}-psp 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "webhook.serviceAccountName" . }} 19 | namespace: {{ include "cert-manager.namespace" . }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-egress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.networkPolicy.enabled }} 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: {{ template "webhook.fullname" . }}-allow-egress 6 | namespace: {{ include "cert-manager.namespace" . }} 7 | spec: 8 | egress: 9 | {{- with .Values.webhook.networkPolicy.egress }} 10 | {{- toYaml . | nindent 2 }} 11 | {{- end }} 12 | podSelector: 13 | matchLabels: 14 | app: {{ include "webhook.name" . }} 15 | app.kubernetes.io/name: {{ include "webhook.name" . 
}} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/component: "webhook" 18 | {{- with .Values.webhook.podLabels }} 19 | {{- toYaml . | nindent 6 }} 20 | {{- end }} 21 | policyTypes: 22 | - Egress 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-config.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.cainjector.config -}} 2 | {{- $_ := .Values.cainjector.config.apiVersion | required ".Values.cainjector.config.apiVersion must be set !" -}} 3 | {{- $_ := .Values.cainjector.config.kind | required ".Values.cainjector.config.kind must be set !" -}} 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ include "cainjector.fullname" . }} 8 | namespace: {{ include "cert-manager.namespace" . }} 9 | labels: 10 | app: {{ include "cainjector.name" . }} 11 | app.kubernetes.io/name: {{ include "cainjector.name" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | app.kubernetes.io/component: "cainjector" 14 | {{- include "labels" . | nindent 4 }} 15 | data: 16 | config.yaml: | 17 | {{- .Values.cainjector.config | toYaml | nindent 4 }} 18 | {{- end -}} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.podSecurityPolicy.enabled }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ template "cert-manager.fullname" . }}-psp 6 | labels: 7 | app: {{ include "cert-manager.name" . }} 8 | app.kubernetes.io/name: {{ include "cert-manager.name" . 
}} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/component: "controller" 11 | {{- include "labels" . | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: {{ template "cert-manager.fullname" . }}-psp 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ template "cert-manager.serviceAccountName" . }} 19 | namespace: {{ include "cert-manager.namespace" . }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: cert-manager 3 | # The version and appVersion fields are set automatically by the release tool 4 | version: v0.1.0 5 | appVersion: v0.1.0 6 | kubeVersion: ">= 1.22.0-0" 7 | description: A Helm chart for cert-manager 8 | home: https://github.com/cert-manager/cert-manager 9 | icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png 10 | keywords: 11 | - cert-manager 12 | - kube-lego 13 | - letsencrypt 14 | - tls 15 | sources: 16 | - https://github.com/cert-manager/cert-manager 17 | maintainers: 18 | - name: cert-manager-maintainers 19 | email: cert-manager-maintainers@googlegroups.com 20 | url: https://cert-manager.io 21 | annotations: 22 | artifacthub.io/license: Apache-2.0 23 | artifacthub.io/prerelease: "{{IS_PRERELEASE}}" 24 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-webhooks.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.networkPolicy.enabled }} 2 | 3 | apiVersion: networking.k8s.io/v1 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ template "webhook.fullname" . 
}}-allow-ingress 7 | namespace: {{ include "cert-manager.namespace" . }} 8 | spec: 9 | ingress: 10 | {{- with .Values.webhook.networkPolicy.ingress }} 11 | {{- toYaml . | nindent 2 }} 12 | {{- end }} 13 | podSelector: 14 | matchLabels: 15 | app: {{ include "webhook.name" . }} 16 | app.kubernetes.io/name: {{ include "webhook.name" . }} 17 | app.kubernetes.io/instance: {{ .Release.Name }} 18 | app.kubernetes.io/component: "webhook" 19 | {{- with .Values.webhook.podLabels }} 20 | {{- toYaml . | nindent 6 }} 21 | {{- end }} 22 | policyTypes: 23 | - Ingress 24 | 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.cainjector.enabled }} 2 | {{- if .Values.global.podSecurityPolicy.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "cainjector.fullname" . }}-psp 7 | labels: 8 | app: {{ include "cainjector.name" . }} 9 | app.kubernetes.io/name: {{ include "cainjector.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "cainjector" 12 | {{- include "labels" . | nindent 4 }} 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: {{ template "cainjector.fullname" . }}-psp 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ template "cainjector.serviceAccountName" . }} 20 | namespace: {{ include "cert-manager.namespace" . 
}}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/.github/workflows/marketplace-publish.yaml:
--------------------------------------------------------------------------------
# Builds and publishes the Azure Marketplace bundle whenever a "v*" tag is pushed.
name: Marketplace Publish

on:
  push:
    tags: ["v*"]

# Read-only GITHUB_TOKEN; the job only writes to the ACR named by the secrets below.
permissions:
  contents: read

jobs:
  publish:
    name: Publish the marketplace bundle
    runs-on: ubuntu-22.04
    container: mcr.microsoft.com/container-package-app:1.3.8
    steps:
      # NOTE(review): "v3" is a mutable tag; pinning the action to a full commit
      # SHA would make the checkout step immutable for this release pipeline.
      - uses: actions/checkout@v3

      # NOTE(review): this fetches an unversioned "latest" yq binary with no
      # checksum and executes it inside the job that holds the ACR credentials.
      # Pinning a release version and verifying its sha256 before `chmod +x`
      # closes that supply-chain exposure.
      - name: install yq
        run: curl -sLo /usr/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && chmod +x /usr/bin/yq

      # The ACR name doubles as the admin username. The password is passed as a
      # command-line argument (masked in the job log, but still a process
      # argument); the manifest's registryServer is rewritten to that ACR so the
      # bundle can be published to alternate registries.
      - name: publish the bundle
        run: |
          az acr login -n ${{ secrets.AZURE_ACR }} -u ${{ secrets.AZURE_ACR }} -p ${{ secrets.AZURE_ACR_PASSWORD }}
          cd marketplace
          # Set the registry server to support publishing to alternate ACRs
          yq -i '.registryServer = "${{ secrets.AZURE_ACR }}.azurecr.io"' manifest.yaml
          cpa buildbundle
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml:
--------------------------------------------------------------------------------
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "startupapicheck.fullname" . }}-psp
  labels:
    app: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "startupapicheck"
    {{- include "labels" . | nindent 4 }}
  {{- with .Values.startupapicheck.rbac.annotations }}
  annotations:
    {{- toYaml . 
| nindent 4 }} 16 | {{- end }} 17 | rules: 18 | - apiGroups: ['policy'] 19 | resources: ['podsecuritypolicies'] 20 | verbs: ['use'] 21 | resourceNames: 22 | - {{ template "startupapicheck.fullname" . }} 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | {{- with .Values.global.imagePullSecrets }} 5 | imagePullSecrets: 6 | {{- toYaml . | nindent 2 }} 7 | {{- end }} 8 | automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} 9 | metadata: 10 | name: {{ template "cert-manager.serviceAccountName" . }} 11 | namespace: {{ include "cert-manager.namespace" . }} 12 | {{- with .Values.serviceAccount.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | labels: 17 | app: {{ include "cert-manager.name" . }} 18 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | app.kubernetes.io/component: "controller" 21 | {{- include "labels" . | nindent 4 }} 22 | {{- with .Values.serviceAccount.labels }} 23 | {{- toYaml . | nindent 4 }} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }} 5 | metadata: 6 | name: {{ template "webhook.serviceAccountName" . 
}} 7 | namespace: {{ include "cert-manager.namespace" . }} 8 | {{- with .Values.webhook.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | app: {{ include "webhook.name" . }} 14 | app.kubernetes.io/name: {{ include "webhook.name" . }} 15 | app.kubernetes.io/instance: {{ .Release.Name }} 16 | app.kubernetes.io/component: "webhook" 17 | {{- include "labels" . | nindent 4 }} 18 | {{- with .Values.webhook.serviceAccount.labels }} 19 | {{ toYaml . | nindent 4 }} 20 | {{- end }} 21 | {{- with .Values.global.imagePullSecrets }} 22 | imagePullSecrets: 23 | {{- toYaml . | nindent 2 }} 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SpinKube Helm Chart 2 | 3 | This is a Helm chart for deploying [SpinKube](https://spinkube.dev) on AKS. 4 | 5 | ## Create a new AKS cluster 6 | 7 | To create a new AKS cluster, you can use the following command: 8 | 9 | ```bash 10 | az login --use-device-code 11 | export RG=spinkube-demo 12 | az group create --name $(echo $RG) --location eastus2 13 | az aks create --name spinkube-azure-$(echo $RG) \ 14 | --resource-group $(echo $RG) \ 15 | --node-count 1 \ 16 | --tier free \ 17 | --generate-ssh-keys 18 | az aks get-credentials --resource-group $(echo $RG) --name spinkube-azure-$(echo $RG) 19 | kubectl config current-context 20 | ``` 21 | 22 | ## Install SpinKube 23 | ```bash 24 | helm install --wait spinkube . 
25 | ``` 26 | 27 | ## Deploy a Spin App 28 | ```bash 29 | kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/samples/simple.yaml 30 | ``` 31 | 32 | and then check the status of the Spin App: 33 | ```bash 34 | kubectl port-forward services/simple-spinapp 8080:80 35 | ``` 36 | ```bash 37 | curl http://localhost:8080/hello 38 | ``` 39 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.startupapicheck.enabled }} 2 | {{- if .Values.global.podSecurityPolicy.enabled }} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: {{ template "startupapicheck.fullname" . }}-psp 7 | labels: 8 | app: {{ include "startupapicheck.name" . }} 9 | app.kubernetes.io/name: {{ include "startupapicheck.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "startupapicheck" 12 | {{- include "labels" . | nindent 4 }} 13 | {{- with .Values.startupapicheck.rbac.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | roleRef: 18 | apiGroup: rbac.authorization.k8s.io 19 | kind: ClusterRole 20 | name: {{ template "startupapicheck.fullname" . }}-psp 21 | subjects: 22 | - kind: ServiceAccount 23 | name: {{ template "startupapicheck.serviceAccountName" . }} 24 | namespace: {{ include "cert-manager.namespace" . 
}} 25 | {{- end }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /.github/workflows/marketplace-verify.yaml: -------------------------------------------------------------------------------- 1 | name: Marketplace Verify 2 | 3 | on: 4 | push: 5 | branches: ["main"] 6 | pull_request: 7 | branches: ["main"] 8 | 9 | permissions: 10 | contents: read 11 | 12 | jobs: 13 | verify: 14 | name: Verify the marketplace bundle 15 | runs-on: ubuntu-22.04 16 | container: mcr.microsoft.com/container-package-app:1.3.8 17 | steps: 18 | - uses: actions/checkout@v3 19 | 20 | - name: verify 21 | run: | 22 | cd marketplace 23 | cpa verify 24 | 25 | arm-ttk: 26 | name: Test marketplace templates 27 | runs-on: ubuntu-22.04 28 | steps: 29 | - uses: actions/checkout@v3 30 | 31 | - name: install arm-ttk 32 | run: | 33 | curl -sSLo arm-ttk.zip https://github.com/Azure/arm-ttk/releases/download/20240328/arm-ttk.zip 34 | unzip arm-ttk.zip 35 | 36 | - name: test marketplace package 37 | shell: pwsh 38 | run: | 39 | Set-Location arm-ttk/arm-ttk 40 | Import-Module ./arm-ttk.psd1 41 | Test-AzMarketplacePackage -TemplatePath ../../marketplace 42 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.cainjector.enabled }} 2 | {{- if .Values.cainjector.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }} 6 | metadata: 7 | name: {{ template "cainjector.serviceAccountName" . }} 8 | namespace: {{ include "cert-manager.namespace" . }} 9 | {{- with .Values.cainjector.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . 
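| nindent 4 }}
  {{- end }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
    {{- with .Values.cainjector.serviceAccount.labels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
  {{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/templates/kwasm.annotation.yaml:
--------------------------------------------------------------------------------
# One-shot Job that labels every node for the kwasm operator by running
# `kubectl annotate node --all kwasm.sh/kwasm-node=true`, plus the
# ServiceAccount and cluster-scoped RBAC it needs to do so.
apiVersion: batch/v1
kind: Job
metadata:
  name: kwasm-annotate-nodes
spec:
  template:
    metadata:
      name: kwasm-annotate-nodes
    spec:
      serviceAccountName: kwasm-annotate-sa
      containers:
        - name: kubectl
          # NOTE(review): "latest" is a mutable tag; pin a specific version or
          # digest so the image this job executes is reproducible.
          image: bitnami/kubectl:latest
          command: ["kubectl"]
          args: ["annotate", "node", "--all", "kwasm.sh/kwasm-node=true"]
      restartPolicy: OnFailure
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kwasm-annotate-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kwasm-annotate-clusterrole
rules:
  # Least privilege: the annotate command only needs to list the nodes and
  # patch their metadata. The previous wildcard also granted create, update
  # and delete on every node in the cluster.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kwasm-annotate-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kwasm-annotate-clusterrole
subjects:
  - kind: ServiceAccount
    name: kwasm-annotate-sa
    # The ServiceAccount above is created in the release namespace, so the
    # binding must reference that namespace; a hard-coded "default" leaves the
    # Job unauthorized whenever the chart is installed anywhere else.
    namespace: {{ .Release.Namespace }}
--------------------------------------------------------------------------------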
/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "webhook.fullname" . }} 5 | namespace: {{ include "cert-manager.namespace" . }} 6 | {{- with .Values.webhook.serviceAnnotations }} 7 | annotations: 8 | {{ toYaml . | indent 4 }} 9 | {{- end }} 10 | labels: 11 | app: {{ include "webhook.name" . }} 12 | app.kubernetes.io/name: {{ include "webhook.name" . }} 13 | app.kubernetes.io/instance: {{ .Release.Name }} 14 | app.kubernetes.io/component: "webhook" 15 | {{- include "labels" . | nindent 4 }} 16 | {{- with .Values.webhook.serviceLabels }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | spec: 20 | type: {{ .Values.webhook.serviceType }} 21 | {{- with .Values.webhook.loadBalancerIP }} 22 | loadBalancerIP: {{ . }} 23 | {{- end }} 24 | ports: 25 | - name: https 26 | port: 443 27 | protocol: TCP 28 | targetPort: "https" 29 | selector: 30 | app.kubernetes.io/name: {{ include "webhook.name" . }} 31 | app.kubernetes.io/instance: {{ .Release.Name }} 32 | app.kubernetes.io/component: "webhook" 33 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.startupapicheck.enabled }} 2 | {{- if .Values.startupapicheck.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }} 6 | metadata: 7 | name: {{ template "startupapicheck.serviceAccountName" . }} 8 | namespace: {{ include "cert-manager.namespace" . }} 9 | {{- with .Values.startupapicheck.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . 
| nindent 4 }} 12 | {{- end }} 13 | labels: 14 | app: {{ include "startupapicheck.name" . }} 15 | app.kubernetes.io/name: {{ include "startupapicheck.name" . }} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/component: "startupapicheck" 18 | {{- include "labels" . | nindent 4 }} 19 | {{- with .Values.startupapicheck.serviceAccount.labels }} 20 | {{ toYaml . | nindent 4 }} 21 | {{- end }} 22 | {{- with .Values.global.imagePullSecrets }} 23 | imagePullSecrets: 24 | {{- toYaml . | nindent 2 }} 25 | {{- end }} 26 | {{- end }} 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | spin-operator {{ .Chart.Version }} is now deployed! 2 | 3 | Your release is named {{ .Release.Name }}. 4 | 5 | To learn more about the release, try: 6 | 7 | $ helm --namespace {{ .Release.Namespace }} status {{ .Release.Name }} 8 | $ helm --namespace {{ .Release.Namespace }} get all {{ .Release.Name }} 9 | 10 | Note: spin-operator requires a few additional resources to be present on the 11 | Kubernetes cluster before it can run the first Spin application. If you haven't 12 | already done so, please ensure the following: 13 | 14 | 1. Install the containerd-shim-spin SpinAppExecutor: 15 | 16 | $ kubectl apply -f https://github.com/spinkube/spin-operator/releases/download/v{{ .Chart.Version }}/spin-operator.shim-executor.yaml 17 | 18 | 2. Install the wasmtime-spin-v2 RuntimeClass: 19 | 20 | $ kubectl apply -f https://github.com/spinkube/spin-operator/releases/download/v{{ .Chart.Version }}/spin-operator.runtime-class.yaml 21 | 22 | You are now ready to deploy your first Spin app! 
23 | 24 | For further details, see this chart's README: 25 | 26 | $ helm show readme oci://ghcr.io/spinkube/charts/spin-operator 27 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "cert-manager.fullname" . }} 6 | namespace: {{ include "cert-manager.namespace" . }} 7 | {{- with .Values.serviceAnnotations }} 8 | annotations: 9 | {{ toYaml . | indent 4 }} 10 | {{- end }} 11 | labels: 12 | app: {{ include "cert-manager.name" . }} 13 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 14 | app.kubernetes.io/instance: {{ .Release.Name }} 15 | app.kubernetes.io/component: "controller" 16 | {{- include "labels" . | nindent 4 }} 17 | {{- with .Values.serviceLabels }} 18 | {{- toYaml . | nindent 4 }} 19 | {{- end }} 20 | spec: 21 | type: ClusterIP 22 | ports: 23 | - protocol: TCP 24 | port: 9402 25 | name: tcp-prometheus-servicemonitor 26 | targetPort: {{ .Values.prometheus.servicemonitor.targetPort }} 27 | selector: 28 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 29 | app.kubernetes.io/instance: {{ .Release.Name }} 30 | app.kubernetes.io/component: "controller" 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kwasm-operator 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 
6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.2.3 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 
24 | appVersion: "0.2.3" 25 | -------------------------------------------------------------------------------- /marketplace/parameterFile.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "extensionResourceName": { 6 | "value": "spinkube" 7 | }, 8 | "clusterResourceName": { 9 | "value": "spinkubecluster" 10 | }, 11 | "createNewCluster": { 12 | "value": true 13 | }, 14 | "location": { 15 | "value": "eastus" 16 | }, 17 | "vmSize": { 18 | "value": "Standard_DS2_v2" 19 | }, 20 | "vmEnableAutoScale": { 21 | "value": true 22 | }, 23 | "vmCount": { 24 | "value": 1 25 | }, 26 | "dnsPrefix": { 27 | "value": "dns" 28 | }, 29 | "osDiskSizeGB": { 30 | "value": 0 31 | }, 32 | "kubernetesVersion": { 33 | "value": "1.29.10" 34 | }, 35 | "networkPlugin": { 36 | "value": "kubenet" 37 | }, 38 | "enableRBAC": { 39 | "value": true 40 | }, 41 | "enablePrivateCluster": { 42 | "value": false 43 | }, 44 | "enableHttpApplicationRouting": { 45 | "value": true 46 | }, 47 | "enableAzurePolicy": { 48 | "value": false 49 | }, 50 | "enableSecretStoreCSIDriver": { 51 | "value": false 52 | }, 53 | "osSKU": { 54 | "value": "Ubuntu" 55 | } 56 | } 57 | } -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "cert-manager.fullname" . }} 6 | namespace: {{ include "cert-manager.namespace" . }} 7 | labels: 8 | app: {{ include "cert-manager.name" . }} 9 | app.kubernetes.io/name: {{ include "cert-manager.name" . 
}} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "controller" 12 | {{- include "labels" . | nindent 4 }} 13 | spec: 14 | selector: 15 | matchLabels: 16 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 17 | app.kubernetes.io/instance: {{ .Release.Name }} 18 | app.kubernetes.io/component: "controller" 19 | 20 | {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }} 21 | minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set 22 | {{- end }} 23 | {{- if hasKey .Values.podDisruptionBudget "minAvailable" }} 24 | minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} 25 | {{- end }} 26 | {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }} 27 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 28 | {{- end }} 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/proxy-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-proxy-role 5 | labels: 6 | app.kubernetes.io/component: kube-rbac-proxy 7 | app.kubernetes.io/created-by: spin-operator 8 | app.kubernetes.io/part-of: spin-operator 9 | {{- include "spin-operator.labels" . | nindent 4 }} 10 | rules: 11 | - apiGroups: 12 | - authentication.k8s.io 13 | resources: 14 | - tokenreviews 15 | verbs: 16 | - create 17 | - apiGroups: 18 | - authorization.k8s.io 19 | resources: 20 | - subjectaccessreviews 21 | verbs: 22 | - create 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | kind: ClusterRoleBinding 26 | metadata: 27 | name: {{ include "spin-operator.fullname" . 
}}-proxy-rolebinding 28 | labels: 29 | app.kubernetes.io/component: kube-rbac-proxy 30 | app.kubernetes.io/created-by: spin-operator 31 | app.kubernetes.io/part-of: spin-operator 32 | {{- include "spin-operator.labels" . | nindent 4 }} 33 | roleRef: 34 | apiGroup: rbac.authorization.k8s.io 35 | kind: ClusterRole 36 | name: '{{ include "spin-operator.fullname" . }}-proxy-role' 37 | subjects: 38 | - kind: ServiceAccount 39 | name: '{{ include "spin-operator.fullname" . }}-controller-manager' 40 | namespace: '{{ .Release.Namespace }}' -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.webhook.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "webhook.fullname" . }} 6 | namespace: {{ include "cert-manager.namespace" . }} 7 | labels: 8 | app: {{ include "webhook.name" . }} 9 | app.kubernetes.io/name: {{ include "webhook.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "webhook" 12 | {{- include "labels" . | nindent 4 }} 13 | spec: 14 | selector: 15 | matchLabels: 16 | app.kubernetes.io/name: {{ include "webhook.name" . 
}} 17 | app.kubernetes.io/instance: {{ .Release.Name }} 18 | app.kubernetes.io/component: "webhook" 19 | 20 | {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }} 21 | minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set 22 | {{- end }} 23 | {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }} 24 | minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }} 25 | {{- end }} 26 | {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }} 27 | maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }} 28 | {{- end }} 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.cainjector.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "cainjector.fullname" . }} 6 | namespace: {{ include "cert-manager.namespace" . }} 7 | labels: 8 | app: {{ include "cainjector.name" . }} 9 | app.kubernetes.io/name: {{ include "cainjector.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "cainjector" 12 | {{- include "labels" . | nindent 4 }} 13 | spec: 14 | selector: 15 | matchLabels: 16 | app.kubernetes.io/name: {{ include "cainjector.name" . 
}} 17 | app.kubernetes.io/instance: {{ .Release.Name }} 18 | app.kubernetes.io/component: "cainjector" 19 | 20 | {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }} 21 | minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set 22 | {{- end }} 23 | {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }} 24 | minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }} 25 | {{- end }} 26 | {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }} 27 | maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }} 28 | {{- end }} 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: spin-operator 3 | description: A Helm chart for Kubernetes 4 | # A chart can be either an 'application' or a 'library' chart. 5 | # 6 | # Application charts are a collection of templates that can be packaged into versioned archives 7 | # to be deployed. 8 | # 9 | # Library charts provide useful utilities or functions for the chart developer. They're included as 10 | # a dependency of application charts to inject those utilities and functions into the rendering 11 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 12 | type: application 13 | # This is the chart version. This version number should be incremented each time you make changes 14 | # to the chart and its templates, including the app version. 
15 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 16 | # NOTE: this version is kept static in version control but is bumped when packaging and releasing 17 | version: 0.4.0 18 | # This is the version number of the application being deployed. This version number should be 19 | # incremented each time you make changes to the application. Versions are not expected to 20 | # follow Semantic Versioning. They should reflect the version the application is using. 21 | # It is recommended to use it with quotes. 22 | # NOTE: this version is kept static in version control but is bumped when packaging and releasing 23 | appVersion: "v0.4.0" 24 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/mutating-webhook-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: admissionregistration.k8s.io/v1 2 | kind: MutatingWebhookConfiguration 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-mutating-webhook-configuration 5 | annotations: 6 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "spin-operator.fullname" . }}-serving-cert 7 | labels: 8 | {{- include "spin-operator.labels" . | nindent 4 }} 9 | webhooks: 10 | - admissionReviewVersions: 11 | - v1 12 | clientConfig: 13 | service: 14 | name: '{{ include "spin-operator.fullname" . }}-webhook-service' 15 | namespace: '{{ .Release.Namespace }}' 16 | path: /mutate-core-spinkube-dev-v1alpha1-spinapp 17 | failurePolicy: Fail 18 | name: mspinapp.kb.io 19 | rules: 20 | - apiGroups: 21 | - core.spinkube.dev 22 | apiVersions: 23 | - v1alpha1 24 | operations: 25 | - CREATE 26 | - UPDATE 27 | resources: 28 | - spinapps 29 | sideEffects: None 30 | - admissionReviewVersions: 31 | - v1 32 | clientConfig: 33 | service: 34 | name: '{{ include "spin-operator.fullname" . 
}}-webhook-service' 35 | namespace: '{{ .Release.Namespace }}' 36 | path: /mutate-core-spinkube-dev-v1alpha1-spinappexecutor 37 | failurePolicy: Fail 38 | name: mspinappexecutor.kb.io 39 | rules: 40 | - apiGroups: 41 | - core.spinkube.dev 42 | apiVersions: 43 | - v1alpha1 44 | operations: 45 | - CREATE 46 | - UPDATE 47 | resources: 48 | - spinappexecutors 49 | sideEffects: None -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/validating-webhook-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: admissionregistration.k8s.io/v1 2 | kind: ValidatingWebhookConfiguration 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-validating-webhook-configuration 5 | annotations: 6 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "spin-operator.fullname" . }}-serving-cert 7 | labels: 8 | {{- include "spin-operator.labels" . | nindent 4 }} 9 | webhooks: 10 | - admissionReviewVersions: 11 | - v1 12 | clientConfig: 13 | service: 14 | name: '{{ include "spin-operator.fullname" . }}-webhook-service' 15 | namespace: '{{ .Release.Namespace }}' 16 | path: /validate-core-spinkube-dev-v1alpha1-spinapp 17 | failurePolicy: Fail 18 | name: vspinapp.kb.io 19 | rules: 20 | - apiGroups: 21 | - core.spinkube.dev 22 | apiVersions: 23 | - v1alpha1 24 | operations: 25 | - CREATE 26 | - UPDATE 27 | resources: 28 | - spinapps 29 | sideEffects: None 30 | - admissionReviewVersions: 31 | - v1 32 | clientConfig: 33 | service: 34 | name: '{{ include "spin-operator.fullname" . 
}}-webhook-service' 35 | namespace: '{{ .Release.Namespace }}' 36 | path: /validate-core-spinkube-dev-v1alpha1-spinappexecutor 37 | failurePolicy: Fail 38 | name: vspinappexecutor.kb.io 39 | rules: 40 | - apiGroups: 41 | - core.spinkube.dev 42 | apiVersions: 43 | - v1alpha1 44 | operations: 45 | - CREATE 46 | - UPDATE 47 | resources: 48 | - spinappexecutors 49 | sideEffects: None -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/leader-election-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-leader-election-role 5 | labels: 6 | app.kubernetes.io/component: rbac 7 | app.kubernetes.io/created-by: spin-operator 8 | app.kubernetes.io/part-of: spin-operator 9 | {{- include "spin-operator.labels" . | nindent 4 }} 10 | rules: 11 | - apiGroups: 12 | - "" 13 | resources: 14 | - configmaps 15 | verbs: 16 | - get 17 | - list 18 | - watch 19 | - create 20 | - update 21 | - patch 22 | - delete 23 | - apiGroups: 24 | - coordination.k8s.io 25 | resources: 26 | - leases 27 | verbs: 28 | - get 29 | - list 30 | - watch 31 | - create 32 | - update 33 | - patch 34 | - delete 35 | - apiGroups: 36 | - "" 37 | resources: 38 | - events 39 | verbs: 40 | - create 41 | - patch 42 | --- 43 | apiVersion: rbac.authorization.k8s.io/v1 44 | kind: RoleBinding 45 | metadata: 46 | name: {{ include "spin-operator.fullname" . }}-leader-election-rolebinding 47 | labels: 48 | app.kubernetes.io/component: rbac 49 | app.kubernetes.io/created-by: spin-operator 50 | app.kubernetes.io/part-of: spin-operator 51 | {{- include "spin-operator.labels" . | nindent 4 }} 52 | roleRef: 53 | apiGroup: rbac.authorization.k8s.io 54 | kind: Role 55 | name: '{{ include "spin-operator.fullname" . 
}}-leader-election-role' 56 | subjects: 57 | - kind: ServiceAccount 58 | name: '{{ include "spin-operator.fullname" . }}-controller-manager' 59 | namespace: '{{ .Release.Namespace }}' -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.podSecurityPolicy.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "cert-manager.fullname" . }} 6 | labels: 7 | app: {{ include "cert-manager.name" . }} 8 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/component: "controller" 11 | {{- include "labels" . | nindent 4 }} 12 | annotations: 13 | seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' 14 | seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' 15 | {{- if .Values.global.podSecurityPolicy.useAppArmor }} 16 | apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' 17 | apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' 18 | {{- end }} 19 | spec: 20 | privileged: false 21 | allowPrivilegeEscalation: false 22 | allowedCapabilities: [] # default set of capabilities are implicitly allowed 23 | volumes: 24 | - 'configMap' 25 | - 'emptyDir' 26 | - 'projected' 27 | - 'secret' 28 | - 'downwardAPI' 29 | hostNetwork: false 30 | hostIPC: false 31 | hostPID: false 32 | runAsUser: 33 | rule: 'MustRunAs' 34 | ranges: 35 | - min: 1000 36 | max: 1000 37 | seLinux: 38 | rule: 'RunAsAny' 39 | supplementalGroups: 40 | rule: 'MustRunAs' 41 | ranges: 42 | - min: 1000 43 | max: 1000 44 | fsGroup: 45 | rule: 'MustRunAs' 46 | ranges: 47 | - min: 1000 48 | max: 1000 49 | {{- end }} 50 | 
-------------------------------------------------------------------------------- /Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: spinkube-demo 3 | description: A Helm chart for SpinKube 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 
appVersion: "0.1.0"


dependencies:
  - name: spin-operator
    version: "0.4.0"
    repository: "oci://ghcr.io/spinkube/charts"
    condition: spin-operator.enabled
  - name: cert-manager
    version: 1.14.3
    repository: "https://charts.jetstack.io"
    condition: cert-manager.enabled
  - name: kwasm-operator
    version: 0.2.3
    # NOTE(review): plain-HTTP chart repository. The repo index and the chart
    # archive are both fetched without TLS, so an on-path attacker can serve a
    # different chart; Chart.lock records a digest of this dependency list, not
    # of the archive that was downloaded. Switch to https:// if the repository
    # serves it, or mirror the chart into a trusted OCI registry as is already
    # done for spin-operator above.
    repository: "http://kwasm.sh/kwasm-operator/"
    condition: kwasm-operator.enabled
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp.yaml:
--------------------------------------------------------------------------------
{{- if .Values.cainjector.enabled }}
{{- if .Values.global.podSecurityPolicy.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "cainjector.fullname" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" .
| nindent 4 }} 13 | annotations: 14 | seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' 15 | seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' 16 | {{- if .Values.global.podSecurityPolicy.useAppArmor }} 17 | apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' 18 | apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' 19 | {{- end }} 20 | spec: 21 | privileged: false 22 | allowPrivilegeEscalation: false 23 | allowedCapabilities: [] # default set of capabilities are implicitly allowed 24 | volumes: 25 | - 'configMap' 26 | - 'emptyDir' 27 | - 'projected' 28 | - 'secret' 29 | - 'downwardAPI' 30 | hostNetwork: false 31 | hostIPC: false 32 | hostPID: false 33 | runAsUser: 34 | rule: 'MustRunAs' 35 | ranges: 36 | - min: 1000 37 | max: 1000 38 | seLinux: 39 | rule: 'RunAsAny' 40 | supplementalGroups: 41 | rule: 'MustRunAs' 42 | ranges: 43 | - min: 1000 44 | max: 1000 45 | fsGroup: 46 | rule: 'MustRunAs' 47 | ranges: 48 | - min: 1000 49 | max: 1000 50 | {{- end }} 51 | {{- end }} 52 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: spinkube-azure-marketplace 3 | description: A Helm chart for SpinKube on Azure Marketplace 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. 
This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 24 | appVersion: "0.1.0" 25 | 26 | 27 | dependencies: 28 | - name: spin-operator 29 | version: "0.4.0" 30 | repository: "file://charts/spin-operator" 31 | condition: spin-operator.enabled 32 | - name: cert-manager 33 | version: v0.1.0 34 | repository: "file://charts/cert-manager" 35 | condition: cert-manager.enabled 36 | - name: kwasm-operator 37 | version: 0.2.3 38 | repository: "file://charts/kwasm-operator" 39 | condition: kwasm-operator.enabled 40 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.startupapicheck.enabled }} 2 | {{- if .Values.global.podSecurityPolicy.enabled }} 3 | apiVersion: policy/v1beta1 4 | kind: PodSecurityPolicy 5 | metadata: 6 | name: {{ template "startupapicheck.fullname" . }} 7 | labels: 8 | app: {{ include "startupapicheck.name" . }} 9 | app.kubernetes.io/name: {{ include "startupapicheck.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "startupapicheck" 12 | {{- include "labels" . 
| nindent 4 }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    {{- end }}
    {{- with .Values.startupapicheck.rbac.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedCapabilities: [] # default set of capabilities are implicitly allowed
  # The startup check only needs its projected SA token and secrets.
  volumes:
    - 'projected'
    - 'secret'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1000
        max: 1000
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/values.yaml:
--------------------------------------------------------------------------------
global:
  azure:
    # Image coordinates are split into registry/image/tag because Azure
    # Marketplace requires every image reference in the offering's chart and
    # its sub-charts to follow the global.azure.images pattern (see README,
    # "Assembly").
    images:
      # spinkube-azure-marketplace
      # NOTE(review): `latest` is a mutable tag. This image runs the
      # post-install kwasm-annotate-nodes Job under a ClusterRole on nodes, so
      # whoever can repoint `latest` gets that access on every cluster
      # installed from this offering. Pin a release tag (better: a digest)
      # before publishing.
      kubectl:
        tag: latest
        image: kubectl
        registry: bitnami
      # spin-operator
      spinOperator:
        tag: v0.4.0
        image: spin-operator
        registry: ghcr.io/spinkube
      spinOperatorKubeRbacProxy:
        tag: v0.15.0
        image: kube-rbac-proxy
        registry: gcr.io/kubebuilder
      # cert-manager
      # NOTE(review): v1.14.6 images are paired with templates forked from the
      # v1.14.3 chart (see README). Confirm the pairing is intentional and keep
      # both sides in step when bumping either one.
      certManager:
        tag: v1.14.6
        image: cert-manager-controller
        registry: quay.io/jetstack
      certManagerAcmesolver:
        tag: v1.14.6
        image: cert-manager-acmesolver
        registry: quay.io/jetstack
      certManagerCainjector:
        tag:
v1.14.6 29 | image: cert-manager-cainjector 30 | registry: quay.io/jetstack 31 | certManagerStartupapicheck: 32 | tag: v1.14.6 33 | image: cert-manager-startupapicheck 34 | registry: quay.io/jetstack 35 | certManagerWebhook: 36 | tag: v1.14.6 37 | image: cert-manager-webhook 38 | registry: quay.io/jetstack 39 | # kwasm-operator 40 | kwasmOperator: 41 | tag: kwasm-operator-0.2.2 42 | image: kwasm-operator 43 | registry: ghcr.io/kwasm 44 | kwasmOperatorInstallerImage: 45 | tag: v0.17.0 46 | image: node-installer 47 | registry: ghcr.io/spinkube/containerd-shim-spin 48 | kwasmOperatorTestConnectionWget: 49 | tag: latest 50 | image: busybox 51 | registry: docker.io 52 | 53 | spin-operator: 54 | enabled: true 55 | 56 | cert-manager: 57 | enabled: true 58 | 59 | kwasm-operator: 60 | enabled: true 61 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.podSecurityPolicy.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "webhook.fullname" . }} 6 | labels: 7 | app: {{ include "webhook.name" . }} 8 | app.kubernetes.io/name: {{ include "webhook.name" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/component: "webhook" 11 | {{- include "labels" . 
| nindent 4 }} 12 | annotations: 13 | seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' 14 | seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' 15 | {{- if .Values.global.podSecurityPolicy.useAppArmor }} 16 | apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' 17 | apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' 18 | {{- end }} 19 | spec: 20 | privileged: false 21 | allowPrivilegeEscalation: false 22 | allowedCapabilities: [] # default set of capabilities are implicitly allowed 23 | volumes: 24 | - 'configMap' 25 | - 'emptyDir' 26 | - 'projected' 27 | - 'secret' 28 | - 'downwardAPI' 29 | hostNetwork: {{ .Values.webhook.hostNetwork }} 30 | {{- if .Values.webhook.hostNetwork }} 31 | hostPorts: 32 | - max: {{ .Values.webhook.securePort }} 33 | min: {{ .Values.webhook.securePort }} 34 | {{- end }} 35 | hostIPC: false 36 | hostPID: false 37 | runAsUser: 38 | rule: 'MustRunAs' 39 | ranges: 40 | - min: 1000 41 | max: 1000 42 | seLinux: 43 | rule: 'RunAsAny' 44 | supplementalGroups: 45 | rule: 'MustRunAs' 46 | ranges: 47 | - min: 1000 48 | max: 1000 49 | fsGroup: 50 | rule: 'MustRunAs' 51 | ranges: 52 | - min: 1000 53 | max: 1000 54 | {{- end }} 55 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for kwasm-operator. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: ghcr.io/kwasm/kwasm-operator 9 | pullPolicy: IfNotPresent 10 | # Overrides the image tag whose default is the chart appVersion. 
# Operator image tag; the marketplace values.yaml declares the same tag under
# global.azure.images.kwasmOperator.
  tag: kwasm-operator-0.2.2

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

kwasmOperator:
  autoProvision: "false"
  # NOTE(review): `main` is a mutable branch tag for the node-installer image.
  # The marketplace values.yaml declares a pinned
  # ghcr.io/spinkube/containerd-shim-spin/node-installer tag under
  # global.azure.images.kwasmOperatorInstallerImage, presumably to override
  # this default — verify the deployment template actually consumes that value
  # so a published offering never falls back to `:main`.
  installerImage: "ghcr.io/kwasm/kwasm-node-installer:main"

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

# NOTE(review): the operator container ships with no hardening. The commented
# settings below (drop ALL capabilities, read-only root filesystem, non-root)
# are what a reviewer would expect enabled for a controller; whether the image
# runs as a non-root user is not visible from this chart, so verify that before
# turning on runAsNonRoot.
securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  port: 80

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-rbac.yaml:
--------------------------------------------------------------------------------
{{- if .Values.startupapicheck.enabled }}
{{- if .Values.global.rbac.create }}
# create certificate role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "startupapicheck.fullname" .
}}:create-cert 8 | namespace: {{ include "cert-manager.namespace" . }} 9 | labels: 10 | app: {{ include "startupapicheck.name" . }} 11 | app.kubernetes.io/name: {{ include "startupapicheck.name" . }} 12 | app.kubernetes.io/instance: {{ .Release.Name }} 13 | app.kubernetes.io/component: "startupapicheck" 14 | {{- include "labels" . | nindent 4 }} 15 | {{- with .Values.startupapicheck.rbac.annotations }} 16 | annotations: 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | rules: 20 | - apiGroups: ["cert-manager.io"] 21 | resources: ["certificates"] 22 | verbs: ["create"] 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | kind: RoleBinding 26 | metadata: 27 | name: {{ include "startupapicheck.fullname" . }}:create-cert 28 | namespace: {{ include "cert-manager.namespace" . }} 29 | labels: 30 | app: {{ include "startupapicheck.name" . }} 31 | app.kubernetes.io/name: {{ include "startupapicheck.name" . }} 32 | app.kubernetes.io/instance: {{ .Release.Name }} 33 | app.kubernetes.io/component: "startupapicheck" 34 | {{- include "labels" . | nindent 4 }} 35 | {{- with .Values.startupapicheck.rbac.annotations }} 36 | annotations: 37 | {{- toYaml . | nindent 4 }} 38 | {{- end }} 39 | roleRef: 40 | apiGroup: rbac.authorization.k8s.io 41 | kind: Role 42 | name: {{ template "startupapicheck.fullname" . }}:create-cert 43 | subjects: 44 | - kind: ServiceAccount 45 | name: {{ template "startupapicheck.serviceAccountName" . }} 46 | namespace: {{ include "cert-manager.namespace" . }} 47 | {{- end }} 48 | {{- end }} 49 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-mutating-webhook.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: admissionregistration.k8s.io/v1 2 | kind: MutatingWebhookConfiguration 3 | metadata: 4 | name: {{ include "webhook.fullname" . 
}} 5 | labels: 6 | app: {{ include "webhook.name" . }} 7 | app.kubernetes.io/name: {{ include "webhook.name" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/component: "webhook" 10 | {{- include "labels" . | nindent 4 }} 11 | annotations: 12 | cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }} 13 | {{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | webhooks: 17 | - name: webhook.cert-manager.io 18 | {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }} 19 | namespaceSelector: 20 | {{- toYaml . | nindent 6 }} 21 | {{- end }} 22 | rules: 23 | - apiGroups: 24 | - "cert-manager.io" 25 | apiVersions: 26 | - "v1" 27 | operations: 28 | - CREATE 29 | resources: 30 | - "certificaterequests" 31 | admissionReviewVersions: ["v1"] 32 | # This webhook only accepts v1 cert-manager resources. 33 | # Equivalent matchPolicy ensures that non-v1 resource requests are sent to 34 | # this webhook (after the resources have been converted to v1). 35 | matchPolicy: Equivalent 36 | timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} 37 | failurePolicy: Fail 38 | # Only include 'sideEffects' field in Kubernetes 1.12+ 39 | sideEffects: None 40 | clientConfig: 41 | {{- if .Values.webhook.url.host }} 42 | url: https://{{ .Values.webhook.url.host }}/mutate 43 | {{- else }} 44 | service: 45 | name: {{ template "webhook.fullname" . }} 46 | namespace: {{ include "cert-manager.namespace" . 
}} 47 | path: /mutate 48 | {{- end }} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-validating-webhook.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: admissionregistration.k8s.io/v1 2 | kind: ValidatingWebhookConfiguration 3 | metadata: 4 | name: {{ include "webhook.fullname" . }} 5 | labels: 6 | app: {{ include "webhook.name" . }} 7 | app.kubernetes.io/name: {{ include "webhook.name" . }} 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | app.kubernetes.io/component: "webhook" 10 | {{- include "labels" . | nindent 4 }} 11 | annotations: 12 | cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}} 13 | {{- with .Values.webhook.validatingWebhookConfigurationAnnotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | webhooks: 17 | - name: webhook.cert-manager.io 18 | {{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }} 19 | namespaceSelector: 20 | {{- toYaml . | nindent 6 }} 21 | {{- end }} 22 | rules: 23 | - apiGroups: 24 | - "cert-manager.io" 25 | - "acme.cert-manager.io" 26 | apiVersions: 27 | - "v1" 28 | operations: 29 | - CREATE 30 | - UPDATE 31 | resources: 32 | - "*/*" 33 | admissionReviewVersions: ["v1"] 34 | # This webhook only accepts v1 cert-manager resources. 35 | # Equivalent matchPolicy ensures that non-v1 resource requests are sent to 36 | # this webhook (after the resources have been converted to v1). 37 | matchPolicy: Equivalent 38 | timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} 39 | failurePolicy: Fail 40 | sideEffects: None 41 | clientConfig: 42 | {{- if .Values.webhook.url.host }} 43 | url: https://{{ .Values.webhook.url.host }}/validate 44 | {{- else }} 45 | service: 46 | name: {{ template "webhook.fullname" . 
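}}
      namespace: {{ include "cert-manager.namespace" . }}
      path: /validate
{{- end }}
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/templates/kwasm-annotate-nodes-job.yaml:
--------------------------------------------------------------------------------
# Post-install/post-upgrade hook. Flips the kwasm.sh/kwasm-node annotation on
# every node to "false" and then "true" so the kwasm operator (re-)installs the
# shim, including on upgrade. The Job is deleted once it succeeds; the
# ServiceAccount and RBAC objects below carry no hook annotations and therefore
# stay in the cluster as ordinary release resources.
apiVersion: batch/v1
kind: Job
metadata:
  name: "{{ .Release.Name }}-kwasm-annotate-nodes"
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "-4"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  template:
    metadata:
      name: "{{ .Release.Name }}-kwasm-annotate-nodes"
    spec:
      serviceAccountName: "{{ .Release.Name }}-kwasm-annotate-sa"
      # The container only talks to the API server: no root, no capabilities,
      # no privilege escalation. bitnami/kubectl runs as uid 1001; if the image
      # is swapped for one that runs as root, set runAsUser here as well.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubectl
          # NOTE(review): the tag comes from global.azure.images.kubectl, which
          # defaults to `latest` in values.yaml; pin it to a release tag or
          # digest before publishing.
          image: {{ printf "%s/%s:%s" .Values.global.azure.images.kubectl.registry .Values.global.azure.images.kubectl.image .Values.global.azure.images.kubectl.tag }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh", "-c"]
          args:
            - |-
              echo "Annotating nodes with kwasm.sh/kwasm-node=false to reset installation of the shim for upgrade scenarios"
              kubectl annotate node --all kwasm.sh/kwasm-node=false --overwrite
              echo "Annotating nodes with kwasm.sh/kwasm-node=true to (re-)trigger installation of the shim"
              kubectl annotate node --all kwasm.sh/kwasm-node=true --overwrite
      restartPolicy: OnFailure
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ .Release.Name }}-kwasm-annotate-sa"
---
# Least privilege: `kubectl annotate node --all` lists the nodes and PATCHes
# each one, so get/list/patch is all the Job needs. The previous wildcard
# (verbs: ["*"]) also allowed deleting nodes and rewriting their spec/status,
# and because this ClusterRole and its binding outlive the Job, that grant was
# permanent for the service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "{{ .Release.Name }}-kwasm-annotate-clusterrole"
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "{{ .Release.Name }}-kwasm-annotate-clusterrolebinding"
roleRef:
  apiGroup: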
rbac.authorization.k8s.io 47 | kind: ClusterRole 48 | name: "{{ .Release.Name }}-kwasm-annotate-clusterrole" 49 | subjects: 50 | - kind: ServiceAccount 51 | name: "{{ .Release.Name }}-kwasm-annotate-sa" 52 | namespace: {{ .Release.Namespace }} -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "kwasm-operator.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "kwasm-operator.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "kwasm-operator.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "kwasm-operator.labels" -}} 37 | helm.sh/chart: {{ include "kwasm-operator.chart" . }} 38 | {{ include "kwasm-operator.selectorLabels" . 
}} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "kwasm-operator.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "kwasm-operator.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "kwasm-operator.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "kwasm-operator.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/podmonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }} 2 | {{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }} 3 | {{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }} 4 | apiVersion: monitoring.coreos.com/v1 5 | kind: PodMonitor 6 | metadata: 7 | name: {{ template "cert-manager.fullname" . }} 8 | {{- if .Values.prometheus.podmonitor.namespace }} 9 | namespace: {{ .Values.prometheus.podmonitor.namespace }} 10 | {{- else }} 11 | namespace: {{ include "cert-manager.namespace" . }} 12 | {{- end }} 13 | labels: 14 | app: {{ include "cert-manager.name" . }} 15 | app.kubernetes.io/name: {{ include "cert-manager.name" . 
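}}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
    {{- with .Values.prometheus.podmonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if .Values.prometheus.podmonitor.annotations }}
  annotations:
    {{- with .Values.prometheus.podmonitor.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
spec:
  jobLabel: {{ template "cert-manager.fullname" . }}
  # Scrape only the controller pods of this release.
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "controller"
  {{- if .Values.prometheus.podmonitor.namespace }}
  namespaceSelector:
    matchNames:
      - {{ include "cert-manager.namespace" . }}
  {{- end }}
  podMetricsEndpoints:
  - port: http-metrics
    path: {{ .Values.prometheus.podmonitor.path }}
    interval: {{ .Values.prometheus.podmonitor.interval }}
    scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
    honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
    # Extra endpoint fields are read from the podmonitor values block. The
    # original template read .Values.prometheus.servicemonitor.endpointAdditionalProperties
    # here, so podmonitor-specific settings were ignored and servicemonitor
    # settings leaked into this object. `with` skips the block when unset.
    {{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/servicemonitor.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both."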
}} 3 | {{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }} 4 | apiVersion: monitoring.coreos.com/v1 5 | kind: ServiceMonitor 6 | metadata: 7 | name: {{ template "cert-manager.fullname" . }} 8 | {{- if .Values.prometheus.servicemonitor.namespace }} 9 | namespace: {{ .Values.prometheus.servicemonitor.namespace }} 10 | {{- else }} 11 | namespace: {{ include "cert-manager.namespace" . }} 12 | {{- end }} 13 | labels: 14 | app: {{ include "cert-manager.name" . }} 15 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 16 | app.kubernetes.io/instance: {{ .Release.Name }} 17 | app.kubernetes.io/component: "controller" 18 | {{- include "labels" . | nindent 4 }} 19 | prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }} 20 | {{- with .Values.prometheus.servicemonitor.labels }} 21 | {{- toYaml . | nindent 4 }} 22 | {{- end }} 23 | {{- if .Values.prometheus.servicemonitor.annotations }} 24 | annotations: 25 | {{- with .Values.prometheus.servicemonitor.annotations }} 26 | {{- toYaml . | nindent 4 }} 27 | {{- end }} 28 | {{- end }} 29 | spec: 30 | jobLabel: {{ template "cert-manager.fullname" . }} 31 | selector: 32 | matchLabels: 33 | app.kubernetes.io/name: {{ template "cert-manager.name" . }} 34 | app.kubernetes.io/instance: {{ .Release.Name }} 35 | app.kubernetes.io/component: "controller" 36 | {{- if .Values.prometheus.servicemonitor.namespace }} 37 | namespaceSelector: 38 | matchNames: 39 | - {{ include "cert-manager.namespace" . }} 40 | {{- end }} 41 | endpoints: 42 | - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }} 43 | path: {{ .Values.prometheus.servicemonitor.path }} 44 | interval: {{ .Values.prometheus.servicemonitor.interval }} 45 | scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }} 46 | honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }} 47 | {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }} 48 | {{- toYaml . 
| nindent 4 }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/marketplace/charts/spinkube-azure-marketplace/README.md:
--------------------------------------------------------------------------------
# SpinKube for Azure Marketplace Helm Chart

This is a Helm chart for a SpinKube offering on [Azure Marketplace](https://learn.microsoft.com/en-us/partner-center/marketplace-offers/).

This chart isn't intended for users to install directly, although it is possible to do so. Rather, it is bundled together with other assets in the [marketplace](../../../marketplace/) directory as an Azure Marketplace offering. End users can then install SpinKube via the Azure portal.

## Assembly

Azure Marketplace requires that all image references in an offering's chart (and in any dependency sub-chart) follow the `global.azure.images.` value pattern. See the [documentation for more details](https://learn.microsoft.com/en-us/partner-center/marketplace/azure-container-technical-assets-kubernetes?tabs=linux%2Clinux2#update-the-helm-chart).

To comply, all of the sub-charts have been manually forked and updated appropriately. Until that is automated, the forks only pick up upstream changes (including security fixes) when they are re-synced by hand; this is the upstream chart version (or git tag) each fork currently tracks:

- **Spin Operator**

  [v0.4.0 tag of spinkube/spin-operator](https://github.com/spinkube/spin-operator/tree/v0.4.0/charts/spin-operator)

- **Cert Manager**

  [v1.14.3 tag of cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/v1.14.3/deploy/charts/cert-manager)

- **Kwasm Operator**

  [kwasm-operator-0.2.3 tag of kwasm/kwasm-operator](https://github.com/KWasm/kwasm-operator/tree/kwasm-operator-0.2.3/charts/kwasm-operator)

## Installation

To install this chart onto a cluster, first create your Kubernetes cluster.
29 | 30 | You can follow [these steps to create an AKS cluster](../README.md#create-a-new-aks-cluster). 31 | 32 | ## Install SpinKube 33 | 34 | ```bash 35 | cd charts/spinkube-azure-marketplace 36 | helm dep up 37 | helm upgrade --install spinkube . \ 38 | --wait \ 39 | --namespace spinkube \ 40 | --create-namespace 41 | ``` 42 | 43 | ## Deploy a Spin App 44 | ```bash 45 | kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/samples/simple.yaml 46 | ``` 47 | 48 | and then check the status of the Spin App: 49 | ```bash 50 | kubectl port-forward services/simple-spinapp 8080:80 51 | ``` 52 | ```bash 53 | curl http://localhost:8080/hello 54 | ``` 55 | 56 | ## TODO 57 | 58 | - Include shim-executor installation in chart (perhaps via approach used in https://github.com/jpflueger/spinkube-oneclick) 59 | - Probably applies to both root-level chart and this marketplace chart 60 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/manager-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: {{ include "spin-operator.fullname" . }}-manager-role 5 | labels: 6 | {{- include "spin-operator.labels" . 
| nindent 4 }} 7 | rules: 8 | - apiGroups: 9 | - "" 10 | resources: 11 | - secrets 12 | verbs: 13 | - create 14 | - delete 15 | - get 16 | - list 17 | - patch 18 | - update 19 | - watch 20 | - apiGroups: 21 | - "" 22 | resources: 23 | - services 24 | verbs: 25 | - create 26 | - delete 27 | - get 28 | - list 29 | - patch 30 | - update 31 | - watch 32 | - apiGroups: 33 | - apps 34 | resources: 35 | - deployments 36 | verbs: 37 | - create 38 | - delete 39 | - get 40 | - list 41 | - patch 42 | - update 43 | - watch 44 | - apiGroups: 45 | - apps 46 | resources: 47 | - deployments/status 48 | verbs: 49 | - get 50 | - apiGroups: 51 | - "" 52 | resources: 53 | - events 54 | verbs: 55 | - create 56 | - patch 57 | - apiGroups: 58 | - core.spinkube.dev 59 | resources: 60 | - spinappexecutors 61 | verbs: 62 | - create 63 | - delete 64 | - get 65 | - list 66 | - patch 67 | - update 68 | - watch 69 | - apiGroups: 70 | - core.spinkube.dev 71 | resources: 72 | - spinappexecutors/finalizers 73 | verbs: 74 | - update 75 | - apiGroups: 76 | - core.spinkube.dev 77 | resources: 78 | - spinappexecutors/status 79 | verbs: 80 | - get 81 | - patch 82 | - update 83 | - apiGroups: 84 | - core.spinkube.dev 85 | resources: 86 | - spinapps 87 | verbs: 88 | - create 89 | - delete 90 | - get 91 | - list 92 | - patch 93 | - update 94 | - watch 95 | - apiGroups: 96 | - core.spinkube.dev 97 | resources: 98 | - spinapps/status 99 | verbs: 100 | - get 101 | - patch 102 | - update 103 | --- 104 | apiVersion: rbac.authorization.k8s.io/v1 105 | kind: ClusterRoleBinding 106 | metadata: 107 | name: {{ include "spin-operator.fullname" . }}-manager-rolebinding 108 | labels: 109 | app.kubernetes.io/component: rbac 110 | app.kubernetes.io/created-by: spin-operator 111 | app.kubernetes.io/part-of: spin-operator 112 | {{- include "spin-operator.labels" . | nindent 4 }} 113 | roleRef: 114 | apiGroup: rbac.authorization.k8s.io 115 | kind: ClusterRole 116 | name: '{{ include "spin-operator.fullname" . 
}}-manager-role' 117 | subjects: 118 | - kind: ServiceAccount 119 | name: '{{ include "spin-operator.fullname" . }}-controller-manager' 120 | namespace: '{{ .Release.Namespace }}' -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "spin-operator.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "spin-operator.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | 27 | {{/* 28 | helmify replaces namespace name with `{{ .Release.Namespace }}` in dnsNames for Certificate object 29 | which means `{{ include "spin-operator.fullname" . }}` gets replaced with `{{ include "{{ .Release.Namespace }}.fullname" . }}` 30 | 31 | This is most likely a bug in helmify, but we can workaround it by defining a new template helper with name `{{ .Release.Namespace }}.fullname` 32 | */}} 33 | {{- define "{{ .Release.Namespace }}.fullname" -}} 34 | {{ include "spin-operator.fullname" . }} 35 | {{- end }} 36 | 37 | {{/* 38 | Create chart name and version as used by the chart label. 
39 | */}} 40 | {{- define "spin-operator.chart" -}} 41 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 42 | {{- end }} 43 | 44 | {{/* 45 | Common labels 46 | */}} 47 | {{- define "spin-operator.labels" -}} 48 | helm.sh/chart: {{ include "spin-operator.chart" . }} 49 | {{ include "spin-operator.selectorLabels" . }} 50 | {{- if .Chart.AppVersion }} 51 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 52 | {{- end }} 53 | app.kubernetes.io/managed-by: {{ .Release.Service }} 54 | {{- end }} 55 | 56 | {{/* 57 | Selector labels 58 | */}} 59 | {{- define "spin-operator.selectorLabels" -}} 60 | app.kubernetes.io/name: {{ include "spin-operator.name" . }} 61 | app.kubernetes.io/instance: {{ .Release.Name }} 62 | {{- end }} 63 | 64 | {{/* 65 | Create the name of the service account to use 66 | */}} 67 | {{- define "spin-operator.serviceAccountName" -}} 68 | {{- if .Values.serviceAccount.create }} 69 | {{- default (include "spin-operator.fullname" .) .Values.serviceAccount.name }} 70 | {{- else }} 71 | {{- default "default" .Values.serviceAccount.name }} 72 | {{- end }} 73 | {{- end }} 74 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "kwasm-operator.fullname" . }} 5 | labels: 6 | {{- include "kwasm-operator.labels" . | nindent 4 }} 7 | spec: 8 | replicas: {{ .Values.replicaCount }} 9 | selector: 10 | matchLabels: 11 | {{- include "kwasm-operator.selectorLabels" . | nindent 6 }} 12 | template: 13 | metadata: 14 | {{- with .Values.podAnnotations }} 15 | annotations: 16 | {{- toYaml . | nindent 8 }} 17 | {{- end }} 18 | labels: 19 | {{- include "kwasm-operator.selectorLabels" . 
| nindent 8 }} 20 | spec: 21 | {{- with .Values.imagePullSecrets }} 22 | imagePullSecrets: 23 | {{- toYaml . | nindent 8 }} 24 | {{- end }} 25 | serviceAccountName: {{ include "kwasm-operator.serviceAccountName" . }} 26 | securityContext: 27 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 28 | containers: 29 | - name: {{ .Chart.Name }} 30 | env: 31 | - name: CONTROLLER_NAMESPACE 32 | value: {{ .Release.Namespace }} 33 | - name: AUTO_PROVISION_NODES 34 | value: {{ .Values.kwasmOperator.autoProvision | quote }} 35 | - name: INSTALLER_IMAGE 36 | value: {{ printf "%s/%s:%s" .Values.global.azure.images.kwasmOperatorInstallerImage.registry .Values.global.azure.images.kwasmOperatorInstallerImage.image .Values.global.azure.images.kwasmOperatorInstallerImage.tag }} 37 | securityContext: 38 | {{- toYaml .Values.securityContext | nindent 12 }} 39 | image: {{ printf "%s/%s:%s" .Values.global.azure.images.kwasmOperator.registry .Values.global.azure.images.kwasmOperator.image .Values.global.azure.images.kwasmOperator.tag }} 40 | imagePullPolicy: {{ .Values.image.pullPolicy }} 41 | ports: 42 | - name: http 43 | containerPort: 8081 44 | protocol: TCP 45 | livenessProbe: 46 | httpGet: 47 | path: /healthz 48 | port: http 49 | readinessProbe: 50 | httpGet: 51 | path: /readyz 52 | port: http 53 | resources: 54 | {{- toYaml .Values.resources | nindent 12 }} 55 | {{- with .Values.nodeSelector }} 56 | nodeSelector: 57 | {{- toYaml . | nindent 8 }} 58 | {{- end }} 59 | {{- with .Values.affinity }} 60 | affinity: 61 | {{- toYaml . | nindent 8 }} 62 | {{- end }} 63 | {{- with .Values.tolerations }} 64 | tolerations: 65 | {{- toYaml . 
| nindent 8 }} 66 | {{- end }} 67 | -------------------------------------------------------------------------------- /marketplace/README.md: -------------------------------------------------------------------------------- 1 | # SpinKube for Azure Marketplace 2 | 3 | This directory holds assets comprising a SpinKube offering on [Azure Marketplace](https://learn.microsoft.com/en-us/partner-center/marketplace-offers/). 4 | 5 | These resources aren't necessarily meant to be used directly. Rather, they represent the assets bundled together to form a Marketplace offering, which users can then install via the Azure portal. These assets include: 6 | 7 | - [spinkube-azure-marketplace Helm chart](./charts/spinkube-azure-marketplace/) 8 | - [manifest.yaml](./manifest.yaml) 9 | - [Test parameter file](./parameterFile.json) 10 | - [ARM template](./mainTemplate.json) 11 | - [createUIDefinition.json](./createUIDefinition.json) 12 | 13 | The following guide is used for assembling these assets and publishing the resulting bundle to the marketplace: https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-technical-assets-kubernetes 14 | 15 | ## Helm Chart 16 | 17 | Currently, the SpinKube Helm chart for the Azure Marketplace consists of forked charts for all of its dependencies (Spin Operator, Cert Manager, Kwasm Operator). Therefore, updating any of these is a manual process. See the chart [README.md](./charts/spinkube-azure-marketplace/README.md) for more info. 18 | 19 | When any of these chart dependencies are updated, please update the version(s) used in the chart [README.md](./charts/spinkube-azure-marketplace/README.md) as well. 20 | 21 | ## Release process 22 | 23 | When a new version of the marketplace bundle is ready to be published, use the following guide to create a new release. 24 | 25 | > ⚠️ Note: If breaking changes are introduced in any of the dependencies, eg Spin Operator, be sure to bump to the next major version. 26 | 27 | 1. 
Bump the `version` field in the [manifest.yaml](./manifest.yaml) to the next version, e.g. `v1.0.1` 28 | 1. Create a PR with the changelog in the description (e.g. https://github.com/spinkube/azure/compare/v1.0.0...main) 29 | 1. Merge the PR after approval 30 | 1. Update your local fork to point to this merge commit 31 | 1. Create and push a git tag for this version. For example: 32 | ``` 33 | git tag -s -m "SpinKube Azure Marketplace v1.0.1" v1.0.1 34 | git push origin v1.0.1 35 | ``` 36 | 1. The [Marketplace Publish](../.github/workflows/marketplace-publish.yaml) workflow will publish the bundle 37 | 1. Once the bundle is published successfully, proceed with publishing the SpinKube Azure Marketplace offering via the [Partner Center](https://partner.microsoft.com/en-us/dashboard/commercial-marketplace). 38 | - This will minimally include [selecting the new bundle version](https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-plan-technical-configuration-kubernetes) for the current Plan. 39 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ template "webhook.fullname" . }}:dynamic-serving 6 | namespace: {{ include "cert-manager.namespace" . }} 7 | labels: 8 | app: {{ include "webhook.name" . }} 9 | app.kubernetes.io/name: {{ include "webhook.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "webhook" 12 | {{- include "labels" . | nindent 4 }} 13 | rules: 14 | - apiGroups: [""] 15 | resources: ["secrets"] 16 | resourceNames: 17 | - '{{ template "webhook.fullname" . 
}}-ca' 18 | verbs: ["get", "list", "watch", "update"] 19 | # It's not possible to grant CREATE permission on a single resourceName. 20 | - apiGroups: [""] 21 | resources: ["secrets"] 22 | verbs: ["create"] 23 | --- 24 | 25 | apiVersion: rbac.authorization.k8s.io/v1 26 | kind: RoleBinding 27 | metadata: 28 | name: {{ template "webhook.fullname" . }}:dynamic-serving 29 | namespace: {{ include "cert-manager.namespace" . }} 30 | labels: 31 | app: {{ include "webhook.name" . }} 32 | app.kubernetes.io/name: {{ include "webhook.name" . }} 33 | app.kubernetes.io/instance: {{ .Release.Name }} 34 | app.kubernetes.io/component: "webhook" 35 | {{- include "labels" . | nindent 4 }} 36 | roleRef: 37 | apiGroup: rbac.authorization.k8s.io 38 | kind: Role 39 | name: {{ template "webhook.fullname" . }}:dynamic-serving 40 | subjects: 41 | - apiGroup: "" 42 | kind: ServiceAccount 43 | name: {{ template "webhook.serviceAccountName" . }} 44 | namespace: {{ include "cert-manager.namespace" . }} 45 | 46 | --- 47 | 48 | apiVersion: rbac.authorization.k8s.io/v1 49 | kind: ClusterRole 50 | metadata: 51 | name: {{ template "webhook.fullname" . }}:subjectaccessreviews 52 | labels: 53 | app: {{ include "webhook.name" . }} 54 | app.kubernetes.io/name: {{ include "webhook.name" . }} 55 | app.kubernetes.io/instance: {{ .Release.Name }} 56 | app.kubernetes.io/component: "webhook" 57 | {{- include "labels" . | nindent 4 }} 58 | rules: 59 | - apiGroups: ["authorization.k8s.io"] 60 | resources: ["subjectaccessreviews"] 61 | verbs: ["create"] 62 | --- 63 | 64 | apiVersion: rbac.authorization.k8s.io/v1 65 | kind: ClusterRoleBinding 66 | metadata: 67 | name: {{ template "webhook.fullname" . }}:subjectaccessreviews 68 | labels: 69 | app: {{ include "webhook.name" . }} 70 | app.kubernetes.io/name: {{ include "webhook.name" . }} 71 | app.kubernetes.io/instance: {{ .Release.Name }} 72 | app.kubernetes.io/component: "webhook" 73 | {{- include "labels" . 
| nindent 4 }} 74 | roleRef: 75 | apiGroup: rbac.authorization.k8s.io 76 | kind: ClusterRole 77 | name: {{ template "webhook.fullname" . }}:subjectaccessreviews 78 | subjects: 79 | - apiGroup: "" 80 | kind: ServiceAccount 81 | name: {{ template "webhook.serviceAccountName" . }} 82 | namespace: {{ include "cert-manager.namespace" . }} 83 | {{- end }} 84 | -------------------------------------------------------------------------------- /templates/shimexecutor-post-install-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: "{{ .Release.Name }}-post-install" 5 | labels: 6 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 7 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 8 | app.kubernetes.io/version: {{ .Chart.AppVersion }} 9 | helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 10 | annotations: 11 | "helm.sh/hook": post-install 12 | "helm.sh/hook-weight": "-5" 13 | "helm.sh/hook-delete-policy": hook-succeeded 14 | spec: 15 | template: 16 | metadata: 17 | name: "{{ .Release.Name }}" 18 | labels: 19 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 20 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 21 | helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 22 | spec: 23 | restartPolicy: Never 24 | serviceAccountName: {{ .Release.Name }}-post-install 25 | containers: 26 | - name: post-install-job 27 | image: "bitnami/kubectl:1.30.0" 28 | imagePullPolicy: IfNotPresent 29 | command: ["/bin/sh", "-c"] 30 | args: 31 | - |- 32 | cat < parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", 100 | "required": true 101 | } 102 | } 103 | ], 104 | "visible": "[equals(basics('createNewCluster'), false)]" 105 | }, 106 | { 107 | "name": "newClusterSection", 108 | "type": "Microsoft.Common.Section", 109 | "elements": [ 110 | { 111 | "name": "aksVersionLookupControl", 112 | "type": 
"Microsoft.Solutions.ArmApiControl", 113 | "request": { 114 | "method": "GET", 115 | "path": "[concat(subscription().id, '/providers/Microsoft.ContainerService/locations/', location(), '/orchestrators?api-version=2019-04-01&resource-type=managedClusters')]" 116 | } 117 | }, 118 | { 119 | "name": "newClusterResourceName", 120 | "type": "Microsoft.Common.TextBox", 121 | "label": "AKS cluster name", 122 | "defaultValue": "", 123 | "toolTip": "Use only allowed characters", 124 | "constraints": { 125 | "required": true, 126 | "regex": "^[a-z0-9A-Z]{6,30}$", 127 | "validationMessage": "Only alphanumeric characters are allowed, and the value must be 6-30 characters long." 128 | } 129 | }, 130 | { 131 | "name": "kubernetesVersion", 132 | "type": "Microsoft.Common.DropDown", 133 | "label": "Kubernetes version", 134 | "defaultValue": "1.29.7", 135 | "toolTip": "The version of Kubernetes that should be used for this cluster. You will be able to upgrade this version after creating the cluster.", 136 | "constraints": { 137 | "allowedValues": "[map(steps('clusterDetails').newClusterSection.aksVersionLookupControl.properties.orchestrators, (item) => parse(concat('{\"label\":\"', item.orchestratorVersion, '\",\"value\":\"', item.orchestratorVersion, '\"}')))]", 138 | "required": true 139 | } 140 | }, 141 | { 142 | "name": "networkPlugin", 143 | "type": "Microsoft.Common.OptionsGroup", 144 | "label": "Network plugin", 145 | "toolTip": "Network plugin used for building Kubernetes network.", 146 | "defaultValue": "azure", 147 | "constraints": { 148 | "allowedValues": [ 149 | { 150 | "label": "azure", 151 | "value": "azure" 152 | }, 153 | { 154 | "label": "kubenet", 155 | "value": "kubenet" 156 | } 157 | ], 158 | "required": true 159 | }, 160 | "visible": true 161 | }, 162 | { 163 | "name": "vmSize", 164 | "type": "Microsoft.Compute.SizeSelector", 165 | "label": "VM size", 166 | "toolTip": "The size of virtual machine for VM.", 167 | "recommendedSizes": [ 168 | "Standard_B4ms", 169 | 
"Standard_DS2_v2", 170 | "Standard_D4s_v3" 171 | ], 172 | "osPlatform": "Linux" 173 | }, 174 | { 175 | "name": "osSKU", 176 | "type": "Microsoft.Common.DropDown", 177 | "label": "OS SKU", 178 | "toolTip": "The SKU of Linux OS for VM.", 179 | "constraints": { 180 | "allowedValues": [ 181 | { 182 | "label": "Ubuntu", 183 | "value": "Ubuntu" 184 | }, 185 | { 186 | "label": "AzureLinux", 187 | "value": "AzureLinux" 188 | } 189 | ], 190 | "required": true 191 | } 192 | }, 193 | { 194 | "name": "enableAutoScaling", 195 | "type": "Microsoft.Common.CheckBox", 196 | "label": "Enable auto scaling", 197 | "toolTip": "Enable auto scaling", 198 | "defaultValue": true 199 | }, 200 | { 201 | "name": "vmCount", 202 | "type": "Microsoft.Common.Slider", 203 | "min": 1, 204 | "max": 10, 205 | "label": "VMCount", 206 | "defaultValue": 1, 207 | "showStepMarkers": false, 208 | "toolTip": "Specify VM count", 209 | "constraints": { 210 | "required": false 211 | }, 212 | "visible": true 213 | } 214 | ], 215 | "visible": "[basics('createNewCluster')]" 216 | } 217 | ] 218 | }, 219 | { 220 | "name": "applicationDetails", 221 | "label": "Application Details", 222 | "elements": [ 223 | { 224 | "name": "extensionResourceName", 225 | "type": "Microsoft.Common.TextBox", 226 | "label": "Cluster extension resource name", 227 | "defaultValue": "", 228 | "toolTip": "Only lowercase alphanumeric characters are allowed, and the value must be 6-14 characters long.", 229 | "constraints": { 230 | "required": true, 231 | "regex": "^[a-z0-9]{6,14}$", 232 | "validationMessage": "Only lowercase alphanumeric characters are allowed, and the value must be 6-14 characters long." 
233 | }, 234 | "visible": true 235 | } 236 | ] 237 | } 238 | ], 239 | "outputs": { 240 | "location": "[location()]", 241 | "createNewCluster": "[basics('createNewCluster')]", 242 | "clusterResourceName": "[if(basics('createNewCluster'), steps('clusterDetails').newClusterSection.newClusterResourceName, steps('clusterDetails').existingClusterSection.existingClusterResourceName)]", 243 | "kubernetesVersion": "[steps('clusterDetails').newClusterSection.kubernetesVersion]", 244 | "networkPlugin": "[steps('clusterDetails').newClusterSection.networkPlugin]", 245 | "extensionResourceName": "[steps('applicationDetails').extensionResourceName]", 246 | "vmSize": "[steps('clusterDetails').newClusterSection.vmSize]", 247 | "osSKU": "[steps('clusterDetails').newClusterSection.osSKU]", 248 | "vmEnableAutoScale": "[steps('clusterDetails').newClusterSection.enableAutoScaling]", 249 | "vmCount": "[int(steps('clusterDetails').newClusterSection.vmCount)]" 250 | } 251 | } 252 | } -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "webhook.fullname" . }} 5 | namespace: {{ include "cert-manager.namespace" . }} 6 | labels: 7 | app: {{ include "webhook.name" . }} 8 | app.kubernetes.io/name: {{ include "webhook.name" . }} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/component: "webhook" 11 | {{- include "labels" . | nindent 4 }} 12 | {{- with .Values.webhook.deploymentAnnotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | replicas: {{ .Values.webhook.replicaCount }} 18 | {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. 
*/ -}} 19 | {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }} 20 | revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} 21 | {{- end }} 22 | selector: 23 | matchLabels: 24 | app.kubernetes.io/name: {{ include "webhook.name" . }} 25 | app.kubernetes.io/instance: {{ .Release.Name }} 26 | app.kubernetes.io/component: "webhook" 27 | {{- with .Values.webhook.strategy }} 28 | strategy: 29 | {{- toYaml . | nindent 4 }} 30 | {{- end }} 31 | template: 32 | metadata: 33 | labels: 34 | app: {{ include "webhook.name" . }} 35 | app.kubernetes.io/name: {{ include "webhook.name" . }} 36 | app.kubernetes.io/instance: {{ .Release.Name }} 37 | app.kubernetes.io/component: "webhook" 38 | {{- include "labels" . | nindent 8 }} 39 | {{- with .Values.webhook.podLabels }} 40 | {{- toYaml . | nindent 8 }} 41 | {{- end }} 42 | {{- with .Values.webhook.podAnnotations }} 43 | annotations: 44 | {{- toYaml . | nindent 8 }} 45 | {{- end }} 46 | spec: 47 | serviceAccountName: {{ template "webhook.serviceAccountName" . }} 48 | {{- if hasKey .Values.webhook "automountServiceAccountToken" }} 49 | automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }} 50 | {{- end }} 51 | enableServiceLinks: {{ .Values.webhook.enableServiceLinks }} 52 | {{- with .Values.global.priorityClassName }} 53 | priorityClassName: {{ . | quote }} 54 | {{- end }} 55 | {{- with .Values.webhook.securityContext }} 56 | securityContext: 57 | {{- toYaml . 
| nindent 8 }} 58 | {{- end }} 59 | {{- if .Values.webhook.hostNetwork }} 60 | hostNetwork: true 61 | {{- end }} 62 | {{- if .Values.webhook.hostNetwork }} 63 | dnsPolicy: ClusterFirstWithHostNet 64 | {{- end }} 65 | containers: 66 | - name: {{ .Chart.Name }}-webhook 67 | image: {{ printf "%s/%s:%s" .Values.global.azure.images.certManagerWebhook.registry .Values.global.azure.images.certManagerWebhook.image .Values.global.azure.images.certManagerWebhook.tag }} 68 | imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} 69 | args: 70 | {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} 71 | {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }} 72 | - --v={{ .Values.global.logLevel }} 73 | {{- end }} 74 | {{- if .Values.webhook.config }} 75 | - --config=/var/cert-manager/config/config.yaml 76 | {{- end }} 77 | {{- $config := default .Values.webhook.config "" }} 78 | {{ if not $config.securePort -}} 79 | - --secure-port={{ .Values.webhook.securePort }} 80 | {{- end }} 81 | {{- if .Values.webhook.featureGates }} 82 | - --feature-gates={{ .Values.webhook.featureGates }} 83 | {{- end }} 84 | {{- $tlsConfig := default $config.tlsConfig "" }} 85 | {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}} 86 | - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) 87 | - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca 88 | - --dynamic-serving-dns-names={{ template "webhook.fullname" . }} 89 | - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE) 90 | - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc 91 | {{ if .Values.webhook.url.host }} 92 | - --dynamic-serving-dns-names={{ .Values.webhook.url.host }} 93 | {{- end }} 94 | {{- end }} 95 | {{- with .Values.webhook.extraArgs }} 96 | {{- toYaml . 
| nindent 10 }} 97 | {{- end }} 98 | ports: 99 | - name: https 100 | protocol: TCP 101 | {{- if $config.securePort }} 102 | containerPort: {{ $config.securePort }} 103 | {{- else if .Values.webhook.securePort }} 104 | containerPort: {{ .Values.webhook.securePort }} 105 | {{- else }} 106 | containerPort: 6443 107 | {{- end }} 108 | - name: healthcheck 109 | protocol: TCP 110 | {{- if $config.healthzPort }} 111 | containerPort: {{ $config.healthzPort }} 112 | {{- else }} 113 | containerPort: 6080 114 | {{- end }} 115 | livenessProbe: 116 | httpGet: 117 | path: /livez 118 | {{- if $config.healthzPort }} 119 | port: {{ $config.healthzPort }} 120 | {{- else }} 121 | port: 6080 122 | {{- end }} 123 | scheme: HTTP 124 | initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }} 125 | periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }} 126 | timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }} 127 | successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }} 128 | failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }} 129 | readinessProbe: 130 | httpGet: 131 | path: /healthz 132 | {{- if $config.healthzPort }} 133 | port: {{ $config.healthzPort }} 134 | {{- else }} 135 | port: 6080 136 | {{- end }} 137 | scheme: HTTP 138 | initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }} 139 | periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }} 140 | timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }} 141 | successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }} 142 | failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }} 143 | {{- with .Values.webhook.containerSecurityContext }} 144 | securityContext: 145 | {{- toYaml . 
| nindent 12 }} 146 | {{- end }} 147 | env: 148 | - name: POD_NAMESPACE 149 | valueFrom: 150 | fieldRef: 151 | fieldPath: metadata.namespace 152 | {{- with .Values.webhook.resources }} 153 | resources: 154 | {{- toYaml . | nindent 12 }} 155 | {{- end }} 156 | {{- if or .Values.webhook.config .Values.webhook.volumeMounts }} 157 | volumeMounts: 158 | {{- if .Values.webhook.config }} 159 | - name: config 160 | mountPath: /var/cert-manager/config 161 | {{- end }} 162 | {{- if .Values.webhook.volumeMounts }} 163 | {{- toYaml .Values.webhook.volumeMounts | nindent 12 }} 164 | {{- end }} 165 | {{- end }} 166 | {{- with .Values.webhook.nodeSelector }} 167 | nodeSelector: 168 | {{- toYaml . | nindent 8 }} 169 | {{- end }} 170 | {{- with .Values.webhook.affinity }} 171 | affinity: 172 | {{- toYaml . | nindent 8 }} 173 | {{- end }} 174 | {{- with .Values.webhook.tolerations }} 175 | tolerations: 176 | {{- toYaml . | nindent 8 }} 177 | {{- end }} 178 | {{- with .Values.webhook.topologySpreadConstraints }} 179 | topologySpreadConstraints: 180 | {{- toYaml . | nindent 8 }} 181 | {{- end }} 182 | {{- if or .Values.webhook.config .Values.webhook.volumes }} 183 | volumes: 184 | {{- if .Values.webhook.config }} 185 | - name: config 186 | configMap: 187 | name: {{ include "webhook.fullname" . }} 188 | {{- end }} 189 | {{- if .Values.webhook.volumes }} 190 | {{- toYaml .Values.webhook.volumes | nindent 8 }} 191 | {{- end }} 192 | {{- end }} 193 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ template "cert-manager.fullname" . }} 5 | namespace: {{ include "cert-manager.namespace" . }} 6 | labels: 7 | app: {{ template "cert-manager.name" . }} 8 | app.kubernetes.io/name: {{ template "cert-manager.name" . 
}} 9 | app.kubernetes.io/instance: {{ .Release.Name }} 10 | app.kubernetes.io/component: "controller" 11 | {{- include "labels" . | nindent 4 }} 12 | {{- with .Values.deploymentAnnotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | replicas: {{ .Values.replicaCount }} 18 | {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} 19 | {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }} 20 | revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} 21 | {{- end }} 22 | selector: 23 | matchLabels: 24 | app.kubernetes.io/name: {{ template "cert-manager.name" . }} 25 | app.kubernetes.io/instance: {{ .Release.Name }} 26 | app.kubernetes.io/component: "controller" 27 | {{- with .Values.strategy }} 28 | strategy: 29 | {{- toYaml . | nindent 4 }} 30 | {{- end }} 31 | template: 32 | metadata: 33 | labels: 34 | app: {{ template "cert-manager.name" . }} 35 | app.kubernetes.io/name: {{ template "cert-manager.name" . }} 36 | app.kubernetes.io/instance: {{ .Release.Name }} 37 | app.kubernetes.io/component: "controller" 38 | {{- include "labels" . | nindent 8 }} 39 | {{- with .Values.podLabels }} 40 | {{- toYaml . | nindent 8 }} 41 | {{- end }} 42 | {{- with .Values.podAnnotations }} 43 | annotations: 44 | {{- toYaml . | nindent 8 }} 45 | {{- end }} 46 | {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }} 47 | {{- if not .Values.podAnnotations }} 48 | annotations: 49 | {{- end }} 50 | prometheus.io/path: "/metrics" 51 | prometheus.io/scrape: 'true' 52 | prometheus.io/port: '9402' 53 | {{- end }} 54 | spec: 55 | serviceAccountName: {{ template "cert-manager.serviceAccountName" . 
}} 56 | {{- if hasKey .Values "automountServiceAccountToken" }} 57 | automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} 58 | {{- end }} 59 | enableServiceLinks: {{ .Values.enableServiceLinks }} 60 | {{- with .Values.global.priorityClassName }} 61 | priorityClassName: {{ . | quote }} 62 | {{- end }} 63 | {{- with .Values.securityContext }} 64 | securityContext: 65 | {{- toYaml . | nindent 8 }} 66 | {{- end }} 67 | {{- if or .Values.volumes .Values.config}} 68 | volumes: 69 | {{- if .Values.config }} 70 | - name: config 71 | configMap: 72 | name: {{ include "cert-manager.fullname" . }} 73 | {{- end }} 74 | {{ with .Values.volumes }} 75 | {{- toYaml . | nindent 8 }} 76 | {{- end }} 77 | {{- end }} 78 | containers: 79 | - name: {{ .Chart.Name }}-controller 80 | image: {{ printf "%s/%s:%s" .Values.global.azure.images.certManager.registry .Values.global.azure.images.certManager.image .Values.global.azure.images.certManager.tag }} 81 | imagePullPolicy: {{ .Values.image.pullPolicy }} 82 | args: 83 | {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. 
*/ -}} 84 | {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }} 85 | - --v={{ .Values.global.logLevel }} 86 | {{- end }} 87 | {{- if .Values.config }} 88 | - --config=/var/cert-manager/config/config.yaml 89 | {{- end }} 90 | {{- $config := default .Values.config "" }} 91 | {{- if .Values.clusterResourceNamespace }} 92 | - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }} 93 | {{- else }} 94 | - --cluster-resource-namespace=$(POD_NAMESPACE) 95 | {{- end }} 96 | {{- with .Values.global.leaderElection }} 97 | - --leader-election-namespace={{ .namespace }} 98 | {{- if .leaseDuration }} 99 | - --leader-election-lease-duration={{ .leaseDuration }} 100 | {{- end }} 101 | {{- if .renewDeadline }} 102 | - --leader-election-renew-deadline={{ .renewDeadline }} 103 | {{- end }} 104 | {{- if .retryPeriod }} 105 | - --leader-election-retry-period={{ .retryPeriod }} 106 | {{- end }} 107 | {{- end }} 108 | - --acme-http01-solver-image={{ printf "%s/%s:%s" .Values.global.azure.images.certManagerAcmesolver.registry .Values.global.azure.images.certManagerAcmesolver.image .Values.global.azure.images.certManagerAcmesolver.tag }} 109 | {{- with .Values.extraArgs }} 110 | {{- toYaml . 
| nindent 10 }} 111 | {{- end }} 112 | {{- with .Values.ingressShim }} 113 | {{- if .defaultIssuerName }} 114 | - --default-issuer-name={{ .defaultIssuerName }} 115 | {{- end }} 116 | {{- if .defaultIssuerKind }} 117 | - --default-issuer-kind={{ .defaultIssuerKind }} 118 | {{- end }} 119 | {{- if .defaultIssuerGroup }} 120 | - --default-issuer-group={{ .defaultIssuerGroup }} 121 | {{- end }} 122 | {{- end }} 123 | {{- if .Values.featureGates }} 124 | - --feature-gates={{ .Values.featureGates }} 125 | {{- end }} 126 | {{- if .Values.maxConcurrentChallenges }} 127 | - --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }} 128 | {{- end }} 129 | {{- if .Values.enableCertificateOwnerRef }} 130 | - --enable-certificate-owner-ref=true 131 | {{- end }} 132 | {{- if .Values.dns01RecursiveNameserversOnly }} 133 | - --dns01-recursive-nameservers-only=true 134 | {{- end }} 135 | {{- with .Values.dns01RecursiveNameservers }} 136 | - --dns01-recursive-nameservers={{ . }} 137 | {{- end }} 138 | ports: 139 | - containerPort: 9402 140 | name: http-metrics 141 | protocol: TCP 142 | - containerPort: 9403 143 | name: http-healthz 144 | protocol: TCP 145 | {{- with .Values.containerSecurityContext }} 146 | securityContext: 147 | {{- toYaml . | nindent 12 }} 148 | {{- end }} 149 | {{- if or .Values.config .Values.volumeMounts }} 150 | volumeMounts: 151 | {{- if .Values.config}} 152 | - name: config 153 | mountPath: /var/cert-manager/config 154 | {{- end }} 155 | {{- with .Values.volumeMounts }} 156 | {{- toYaml . | nindent 12 }} 157 | {{- end }} 158 | {{- end }} 159 | env: 160 | - name: POD_NAMESPACE 161 | valueFrom: 162 | fieldRef: 163 | fieldPath: metadata.namespace 164 | {{- with .Values.extraEnv }} 165 | {{- toYaml . | nindent 10 }} 166 | {{- end }} 167 | {{- with .Values.http_proxy }} 168 | - name: HTTP_PROXY 169 | value: {{ . }} 170 | {{- end }} 171 | {{- with .Values.https_proxy }} 172 | - name: HTTPS_PROXY 173 | value: {{ . 
}} 174 | {{- end }} 175 | {{- with .Values.no_proxy }} 176 | - name: NO_PROXY 177 | value: {{ . }} 178 | {{- end }} 179 | {{- with .Values.resources }} 180 | resources: 181 | {{- toYaml . | nindent 12 }} 182 | {{- end }} 183 | 184 | {{- with .Values.livenessProbe }} 185 | {{- if .enabled }} 186 | # LivenessProbe settings are based on those used for the Kubernetes 187 | # controller-manager. See: 188 | # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 189 | livenessProbe: 190 | httpGet: 191 | port: http-healthz 192 | path: /livez 193 | scheme: HTTP 194 | initialDelaySeconds: {{ .initialDelaySeconds }} 195 | periodSeconds: {{ .periodSeconds }} 196 | timeoutSeconds: {{ .timeoutSeconds }} 197 | successThreshold: {{ .successThreshold }} 198 | failureThreshold: {{ .failureThreshold }} 199 | {{- end }} 200 | {{- end }} 201 | {{- with .Values.nodeSelector }} 202 | nodeSelector: 203 | {{- toYaml . | nindent 8 }} 204 | {{- end }} 205 | {{- with .Values.affinity }} 206 | affinity: 207 | {{- toYaml . | nindent 8 }} 208 | {{- end }} 209 | {{- with .Values.tolerations }} 210 | tolerations: 211 | {{- toYaml . | nindent 8 }} 212 | {{- end }} 213 | {{- with .Values.topologySpreadConstraints }} 214 | topologySpreadConstraints: 215 | {{- toYaml . | nindent 8 }} 216 | {{- end }} 217 | {{- with .Values.podDnsPolicy }} 218 | dnsPolicy: {{ . }} 219 | {{- end }} 220 | {{- with .Values.podDnsConfig }} 221 | dnsConfig: 222 | {{- toYaml . | nindent 8 }} 223 | {{- end }} 224 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 
8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. 
For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.global.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ template "cert-manager.fullname" . }}:leaderelection 6 | namespace: {{ .Values.global.leaderElection.namespace }} 7 | labels: 8 | app: {{ include "cert-manager.name" . }} 9 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 10 | app.kubernetes.io/instance: {{ .Release.Name }} 11 | app.kubernetes.io/component: "controller" 12 | {{- include "labels" . 
| nindent 4 }} 13 | rules: 14 | - apiGroups: ["coordination.k8s.io"] 15 | resources: ["leases"] 16 | resourceNames: ["cert-manager-controller"] 17 | verbs: ["get", "update", "patch"] 18 | - apiGroups: ["coordination.k8s.io"] 19 | resources: ["leases"] 20 | verbs: ["create"] 21 | 22 | --- 23 | 24 | # grant cert-manager permission to manage the leaderelection Lease (coordination.k8s.io, as granted by the Role above; not a ConfigMap) in the 25 | # leader election namespace 26 | apiVersion: rbac.authorization.k8s.io/v1 27 | kind: RoleBinding 28 | metadata: 29 | name: {{ include "cert-manager.fullname" . }}:leaderelection 30 | namespace: {{ .Values.global.leaderElection.namespace }} 31 | labels: 32 | app: {{ include "cert-manager.name" . }} 33 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 34 | app.kubernetes.io/instance: {{ .Release.Name }} 35 | app.kubernetes.io/component: "controller" 36 | {{- include "labels" . | nindent 4 }} 37 | roleRef: 38 | apiGroup: rbac.authorization.k8s.io 39 | kind: Role 40 | name: {{ template "cert-manager.fullname" . }}:leaderelection 41 | subjects: 42 | - apiGroup: "" 43 | kind: ServiceAccount 44 | name: {{ template "cert-manager.serviceAccountName" . }} 45 | namespace: {{ include "cert-manager.namespace" . }} 46 | 47 | --- 48 | 49 | # Issuer controller role. NOTE: this is a ClusterRole and its Secret rule below carries no resourceNames, so the controller ServiceAccount gets cluster-wide get/list/watch/create/update/delete on every Secret (not only Issuer credentials); treat a compromise of the controller pod as a compromise of all Secrets in the cluster. 50 | apiVersion: rbac.authorization.k8s.io/v1 51 | kind: ClusterRole 52 | metadata: 53 | name: {{ template "cert-manager.fullname" . }}-controller-issuers 54 | labels: 55 | app: {{ include "cert-manager.name" . }} 56 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 57 | app.kubernetes.io/instance: {{ .Release.Name }} 58 | app.kubernetes.io/component: "controller" 59 | {{- include "labels" . 
| nindent 4 }} 60 | rules: 61 | - apiGroups: ["cert-manager.io"] 62 | resources: ["issuers", "issuers/status"] 63 | verbs: ["update", "patch"] 64 | - apiGroups: ["cert-manager.io"] 65 | resources: ["issuers"] 66 | verbs: ["get", "list", "watch"] 67 | - apiGroups: [""] 68 | resources: ["secrets"] 69 | verbs: ["get", "list", "watch", "create", "update", "delete"] 70 | - apiGroups: [""] 71 | resources: ["events"] 72 | verbs: ["create", "patch"] 73 | --- 74 | 75 | # ClusterIssuer controller role 76 | apiVersion: rbac.authorization.k8s.io/v1 77 | kind: ClusterRole 78 | metadata: 79 | name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers 80 | labels: 81 | app: {{ include "cert-manager.name" . }} 82 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 83 | app.kubernetes.io/instance: {{ .Release.Name }} 84 | app.kubernetes.io/component: "controller" 85 | {{- include "labels" . | nindent 4 }} 86 | rules: 87 | - apiGroups: ["cert-manager.io"] 88 | resources: ["clusterissuers", "clusterissuers/status"] 89 | verbs: ["update", "patch"] 90 | - apiGroups: ["cert-manager.io"] 91 | resources: ["clusterissuers"] 92 | verbs: ["get", "list", "watch"] 93 | - apiGroups: [""] 94 | resources: ["secrets"] 95 | verbs: ["get", "list", "watch", "create", "update", "delete"] 96 | - apiGroups: [""] 97 | resources: ["events"] 98 | verbs: ["create", "patch"] 99 | 100 | --- 101 | 102 | # Certificates controller role 103 | apiVersion: rbac.authorization.k8s.io/v1 104 | kind: ClusterRole 105 | metadata: 106 | name: {{ template "cert-manager.fullname" . }}-controller-certificates 107 | labels: 108 | app: {{ include "cert-manager.name" . }} 109 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 110 | app.kubernetes.io/instance: {{ .Release.Name }} 111 | app.kubernetes.io/component: "controller" 112 | {{- include "labels" . 
| nindent 4 }} 113 | rules: 114 | - apiGroups: ["cert-manager.io"] 115 | resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] 116 | verbs: ["update", "patch"] 117 | - apiGroups: ["cert-manager.io"] 118 | resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] 119 | verbs: ["get", "list", "watch"] 120 | # We require these rules to support users with the OwnerReferencesPermissionEnforcement 121 | # admission controller enabled: 122 | # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 123 | - apiGroups: ["cert-manager.io"] 124 | resources: ["certificates/finalizers", "certificaterequests/finalizers"] 125 | verbs: ["update"] 126 | - apiGroups: ["acme.cert-manager.io"] 127 | resources: ["orders"] 128 | verbs: ["create", "delete", "get", "list", "watch"] 129 | - apiGroups: [""] 130 | resources: ["secrets"] 131 | verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] 132 | - apiGroups: [""] 133 | resources: ["events"] 134 | verbs: ["create", "patch"] 135 | 136 | --- 137 | 138 | # Orders controller role 139 | apiVersion: rbac.authorization.k8s.io/v1 140 | kind: ClusterRole 141 | metadata: 142 | name: {{ template "cert-manager.fullname" . }}-controller-orders 143 | labels: 144 | app: {{ include "cert-manager.name" . }} 145 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 146 | app.kubernetes.io/instance: {{ .Release.Name }} 147 | app.kubernetes.io/component: "controller" 148 | {{- include "labels" . 
| nindent 4 }} 149 | rules: 150 | - apiGroups: ["acme.cert-manager.io"] 151 | resources: ["orders", "orders/status"] 152 | verbs: ["update", "patch"] 153 | - apiGroups: ["acme.cert-manager.io"] 154 | resources: ["orders", "challenges"] 155 | verbs: ["get", "list", "watch"] 156 | - apiGroups: ["cert-manager.io"] 157 | resources: ["clusterissuers", "issuers"] 158 | verbs: ["get", "list", "watch"] 159 | - apiGroups: ["acme.cert-manager.io"] 160 | resources: ["challenges"] 161 | verbs: ["create", "delete"] 162 | # We require these rules to support users with the OwnerReferencesPermissionEnforcement 163 | # admission controller enabled: 164 | # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 165 | - apiGroups: ["acme.cert-manager.io"] 166 | resources: ["orders/finalizers"] 167 | verbs: ["update"] 168 | - apiGroups: [""] 169 | resources: ["secrets"] 170 | verbs: ["get", "list", "watch"] 171 | - apiGroups: [""] 172 | resources: ["events"] 173 | verbs: ["create", "patch"] 174 | 175 | --- 176 | 177 | # Challenges controller role 178 | apiVersion: rbac.authorization.k8s.io/v1 179 | kind: ClusterRole 180 | metadata: 181 | name: {{ template "cert-manager.fullname" . }}-controller-challenges 182 | labels: 183 | app: {{ include "cert-manager.name" . }} 184 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 185 | app.kubernetes.io/instance: {{ .Release.Name }} 186 | app.kubernetes.io/component: "controller" 187 | {{- include "labels" . 
| nindent 4 }} 188 | rules: 189 | # Use to update challenge resource status 190 | - apiGroups: ["acme.cert-manager.io"] 191 | resources: ["challenges", "challenges/status"] 192 | verbs: ["update", "patch"] 193 | # Used to watch challenge resources 194 | - apiGroups: ["acme.cert-manager.io"] 195 | resources: ["challenges"] 196 | verbs: ["get", "list", "watch"] 197 | # Used to watch challenges, issuer and clusterissuer resources 198 | - apiGroups: ["cert-manager.io"] 199 | resources: ["issuers", "clusterissuers"] 200 | verbs: ["get", "list", "watch"] 201 | # Need to be able to retrieve ACME account private key to complete challenges 202 | - apiGroups: [""] 203 | resources: ["secrets"] 204 | verbs: ["get", "list", "watch"] 205 | # Used to create events 206 | - apiGroups: [""] 207 | resources: ["events"] 208 | verbs: ["create", "patch"] 209 | # HTTP01 rules 210 | - apiGroups: [""] 211 | resources: ["pods", "services"] 212 | verbs: ["get", "list", "watch", "create", "delete"] 213 | - apiGroups: ["networking.k8s.io"] 214 | resources: ["ingresses"] 215 | verbs: ["get", "list", "watch", "create", "delete", "update"] 216 | - apiGroups: [ "gateway.networking.k8s.io" ] 217 | resources: [ "httproutes" ] 218 | verbs: ["get", "list", "watch", "create", "delete", "update"] 219 | # We require the ability to specify a custom hostname when we are creating 220 | # new ingress resources. 
221 | # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 222 | - apiGroups: ["route.openshift.io"] 223 | resources: ["routes/custom-host"] 224 | verbs: ["create"] 225 | # We require these rules to support users with the OwnerReferencesPermissionEnforcement 226 | # admission controller enabled: 227 | # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 228 | - apiGroups: ["acme.cert-manager.io"] 229 | resources: ["challenges/finalizers"] 230 | verbs: ["update"] 231 | # DNS01 rules (duplicated above) 232 | - apiGroups: [""] 233 | resources: ["secrets"] 234 | verbs: ["get", "list", "watch"] 235 | 236 | --- 237 | 238 | # ingress-shim controller role 239 | apiVersion: rbac.authorization.k8s.io/v1 240 | kind: ClusterRole 241 | metadata: 242 | name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim 243 | labels: 244 | app: {{ include "cert-manager.name" . }} 245 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 246 | app.kubernetes.io/instance: {{ .Release.Name }} 247 | app.kubernetes.io/component: "controller" 248 | {{- include "labels" . 
| nindent 4 }} 249 | rules: 250 | - apiGroups: ["cert-manager.io"] 251 | resources: ["certificates", "certificaterequests"] 252 | verbs: ["create", "update", "delete"] 253 | - apiGroups: ["cert-manager.io"] 254 | resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] 255 | verbs: ["get", "list", "watch"] 256 | - apiGroups: ["networking.k8s.io"] 257 | resources: ["ingresses"] 258 | verbs: ["get", "list", "watch"] 259 | # We require these rules to support users with the OwnerReferencesPermissionEnforcement 260 | # admission controller enabled: 261 | # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 262 | - apiGroups: ["networking.k8s.io"] 263 | resources: ["ingresses/finalizers"] 264 | verbs: ["update"] 265 | - apiGroups: ["gateway.networking.k8s.io"] 266 | resources: ["gateways", "httproutes"] 267 | verbs: ["get", "list", "watch"] 268 | - apiGroups: ["gateway.networking.k8s.io"] 269 | resources: ["gateways/finalizers", "httproutes/finalizers"] 270 | verbs: ["update"] 271 | - apiGroups: [""] 272 | resources: ["events"] 273 | verbs: ["create", "patch"] 274 | 275 | --- 276 | 277 | apiVersion: rbac.authorization.k8s.io/v1 278 | kind: ClusterRoleBinding 279 | metadata: 280 | name: {{ template "cert-manager.fullname" . }}-controller-issuers 281 | labels: 282 | app: {{ include "cert-manager.name" . }} 283 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 284 | app.kubernetes.io/instance: {{ .Release.Name }} 285 | app.kubernetes.io/component: "controller" 286 | {{- include "labels" . | nindent 4 }} 287 | roleRef: 288 | apiGroup: rbac.authorization.k8s.io 289 | kind: ClusterRole 290 | name: {{ template "cert-manager.fullname" . }}-controller-issuers 291 | subjects: 292 | - name: {{ template "cert-manager.serviceAccountName" . }} 293 | namespace: {{ include "cert-manager.namespace" . 
}} 294 | kind: ServiceAccount 295 | 296 | --- 297 | 298 | apiVersion: rbac.authorization.k8s.io/v1 299 | kind: ClusterRoleBinding 300 | metadata: 301 | name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers 302 | labels: 303 | app: {{ include "cert-manager.name" . }} 304 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 305 | app.kubernetes.io/instance: {{ .Release.Name }} 306 | app.kubernetes.io/component: "controller" 307 | {{- include "labels" . | nindent 4 }} 308 | roleRef: 309 | apiGroup: rbac.authorization.k8s.io 310 | kind: ClusterRole 311 | name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers 312 | subjects: 313 | - name: {{ template "cert-manager.serviceAccountName" . }} 314 | namespace: {{ include "cert-manager.namespace" . }} 315 | kind: ServiceAccount 316 | 317 | --- 318 | 319 | apiVersion: rbac.authorization.k8s.io/v1 320 | kind: ClusterRoleBinding 321 | metadata: 322 | name: {{ template "cert-manager.fullname" . }}-controller-certificates 323 | labels: 324 | app: {{ include "cert-manager.name" . }} 325 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 326 | app.kubernetes.io/instance: {{ .Release.Name }} 327 | app.kubernetes.io/component: "controller" 328 | {{- include "labels" . | nindent 4 }} 329 | roleRef: 330 | apiGroup: rbac.authorization.k8s.io 331 | kind: ClusterRole 332 | name: {{ template "cert-manager.fullname" . }}-controller-certificates 333 | subjects: 334 | - name: {{ template "cert-manager.serviceAccountName" . }} 335 | namespace: {{ include "cert-manager.namespace" . }} 336 | kind: ServiceAccount 337 | 338 | --- 339 | 340 | apiVersion: rbac.authorization.k8s.io/v1 341 | kind: ClusterRoleBinding 342 | metadata: 343 | name: {{ template "cert-manager.fullname" . }}-controller-orders 344 | labels: 345 | app: {{ include "cert-manager.name" . }} 346 | app.kubernetes.io/name: {{ include "cert-manager.name" . 
}} 347 | app.kubernetes.io/instance: {{ .Release.Name }} 348 | app.kubernetes.io/component: "controller" 349 | {{- include "labels" . | nindent 4 }} 350 | roleRef: 351 | apiGroup: rbac.authorization.k8s.io 352 | kind: ClusterRole 353 | name: {{ template "cert-manager.fullname" . }}-controller-orders 354 | subjects: 355 | - name: {{ template "cert-manager.serviceAccountName" . }} 356 | namespace: {{ include "cert-manager.namespace" . }} 357 | kind: ServiceAccount 358 | 359 | --- 360 | 361 | apiVersion: rbac.authorization.k8s.io/v1 362 | kind: ClusterRoleBinding 363 | metadata: 364 | name: {{ template "cert-manager.fullname" . }}-controller-challenges 365 | labels: 366 | app: {{ include "cert-manager.name" . }} 367 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 368 | app.kubernetes.io/instance: {{ .Release.Name }} 369 | app.kubernetes.io/component: "controller" 370 | {{- include "labels" . | nindent 4 }} 371 | roleRef: 372 | apiGroup: rbac.authorization.k8s.io 373 | kind: ClusterRole 374 | name: {{ template "cert-manager.fullname" . }}-controller-challenges 375 | subjects: 376 | - name: {{ template "cert-manager.serviceAccountName" . }} 377 | namespace: {{ include "cert-manager.namespace" . }} 378 | kind: ServiceAccount 379 | 380 | --- 381 | 382 | apiVersion: rbac.authorization.k8s.io/v1 383 | kind: ClusterRoleBinding 384 | metadata: 385 | name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim 386 | labels: 387 | app: {{ include "cert-manager.name" . }} 388 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 389 | app.kubernetes.io/instance: {{ .Release.Name }} 390 | app.kubernetes.io/component: "controller" 391 | {{- include "labels" . | nindent 4 }} 392 | roleRef: 393 | apiGroup: rbac.authorization.k8s.io 394 | kind: ClusterRole 395 | name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim 396 | subjects: 397 | - name: {{ template "cert-manager.serviceAccountName" . 
}} 398 | namespace: {{ include "cert-manager.namespace" . }} 399 | kind: ServiceAccount 400 | 401 | {{- if .Values.global.rbac.aggregateClusterRoles }} 402 | --- 403 | 404 | apiVersion: rbac.authorization.k8s.io/v1 405 | kind: ClusterRole 406 | metadata: 407 | name: {{ template "cert-manager.fullname" . }}-cluster-view 408 | labels: 409 | app: {{ include "cert-manager.name" . }} 410 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 411 | app.kubernetes.io/instance: {{ .Release.Name }} 412 | app.kubernetes.io/component: "controller" 413 | {{- include "labels" . | nindent 4 }} 414 | rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" 415 | rules: 416 | - apiGroups: ["cert-manager.io"] 417 | resources: ["clusterissuers"] 418 | verbs: ["get", "list", "watch"] 419 | 420 | {{- end }} 421 | --- 422 | 423 | apiVersion: rbac.authorization.k8s.io/v1 424 | kind: ClusterRole 425 | metadata: 426 | name: {{ template "cert-manager.fullname" . }}-view 427 | labels: 428 | app: {{ include "cert-manager.name" . }} 429 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 430 | app.kubernetes.io/instance: {{ .Release.Name }} 431 | app.kubernetes.io/component: "controller" 432 | {{- include "labels" . 
| nindent 4 }} 433 | {{- if .Values.global.rbac.aggregateClusterRoles }} 434 | rbac.authorization.k8s.io/aggregate-to-view: "true" 435 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 436 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 437 | rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" 438 | {{- end }} 439 | rules: 440 | - apiGroups: ["cert-manager.io"] 441 | resources: ["certificates", "certificaterequests", "issuers"] 442 | verbs: ["get", "list", "watch"] 443 | - apiGroups: ["acme.cert-manager.io"] 444 | resources: ["challenges", "orders"] 445 | verbs: ["get", "list", "watch"] 446 | 447 | 448 | --- 449 | 450 | apiVersion: rbac.authorization.k8s.io/v1 451 | kind: ClusterRole 452 | metadata: 453 | name: {{ template "cert-manager.fullname" . }}-edit 454 | labels: 455 | app: {{ include "cert-manager.name" . }} 456 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 457 | app.kubernetes.io/instance: {{ .Release.Name }} 458 | app.kubernetes.io/component: "controller" 459 | {{- include "labels" . | nindent 4 }} 460 | {{- if .Values.global.rbac.aggregateClusterRoles }} 461 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 462 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 463 | {{- end }} 464 | rules: 465 | - apiGroups: ["cert-manager.io"] 466 | resources: ["certificates", "certificaterequests", "issuers"] 467 | verbs: ["create", "delete", "deletecollection", "patch", "update"] 468 | - apiGroups: ["cert-manager.io"] 469 | resources: ["certificates/status"] 470 | verbs: ["update"] 471 | - apiGroups: ["acme.cert-manager.io"] 472 | resources: ["challenges", "orders"] 473 | verbs: ["create", "delete", "deletecollection", "patch", "update"] 474 | 475 | --- 476 | 477 | # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers 478 | apiVersion: rbac.authorization.k8s.io/v1 479 | kind: ClusterRole 480 | metadata: 481 | name: {{ template "cert-manager.fullname" . 
}}-controller-approve:cert-manager-io 482 | labels: 483 | app: {{ include "cert-manager.name" . }} 484 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 485 | app.kubernetes.io/instance: {{ .Release.Name }} 486 | app.kubernetes.io/component: "cert-manager" 487 | {{- include "labels" . | nindent 4 }} 488 | rules: 489 | - apiGroups: ["cert-manager.io"] 490 | resources: ["signers"] 491 | verbs: ["approve"] 492 | resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 493 | 494 | --- 495 | 496 | apiVersion: rbac.authorization.k8s.io/v1 497 | kind: ClusterRoleBinding 498 | metadata: 499 | name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io 500 | labels: 501 | app: {{ include "cert-manager.name" . }} 502 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 503 | app.kubernetes.io/instance: {{ .Release.Name }} 504 | app.kubernetes.io/component: "cert-manager" 505 | {{- include "labels" . | nindent 4 }} 506 | roleRef: 507 | apiGroup: rbac.authorization.k8s.io 508 | kind: ClusterRole 509 | name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io 510 | subjects: 511 | - name: {{ template "cert-manager.serviceAccountName" . }} 512 | namespace: {{ include "cert-manager.namespace" . }} 513 | kind: ServiceAccount 514 | 515 | --- 516 | 517 | # Permission to: 518 | # - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers 519 | # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers 520 | apiVersion: rbac.authorization.k8s.io/v1 521 | kind: ClusterRole 522 | metadata: 523 | name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests 524 | labels: 525 | app: {{ include "cert-manager.name" . }} 526 | app.kubernetes.io/name: {{ include "cert-manager.name" . 
}} 527 | app.kubernetes.io/instance: {{ .Release.Name }} 528 | app.kubernetes.io/component: "cert-manager" 529 | {{- include "labels" . | nindent 4 }} 530 | rules: 531 | - apiGroups: ["certificates.k8s.io"] 532 | resources: ["certificatesigningrequests"] 533 | verbs: ["get", "list", "watch", "update"] 534 | - apiGroups: ["certificates.k8s.io"] 535 | resources: ["certificatesigningrequests/status"] 536 | verbs: ["update", "patch"] 537 | - apiGroups: ["certificates.k8s.io"] 538 | resources: ["signers"] 539 | resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 540 | verbs: ["sign"] 541 | - apiGroups: ["authorization.k8s.io"] 542 | resources: ["subjectaccessreviews"] 543 | verbs: ["create"] 544 | 545 | --- 546 | 547 | apiVersion: rbac.authorization.k8s.io/v1 548 | kind: ClusterRoleBinding 549 | metadata: 550 | name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests 551 | labels: 552 | app: {{ include "cert-manager.name" . }} 553 | app.kubernetes.io/name: {{ include "cert-manager.name" . }} 554 | app.kubernetes.io/instance: {{ .Release.Name }} 555 | app.kubernetes.io/component: "cert-manager" 556 | {{- include "labels" . | nindent 4 }} 557 | roleRef: 558 | apiGroup: rbac.authorization.k8s.io 559 | kind: ClusterRole 560 | name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests 561 | subjects: 562 | - name: {{ template "cert-manager.serviceAccountName" . }} 563 | namespace: {{ include "cert-manager.namespace" . }} 564 | kind: ServiceAccount 565 | {{- end }} 566 | --------------------------------------------------------------------------------