├── .github └── workflows │ └── spinnaker-ci.yml ├── 1.26.7-Install-Scripts.zip ├── InstallHalyard.sh ├── README.md ├── acr.png ├── docs ├── artifacts.png └── hah.md ├── getbom.sh ├── halyard-bom-install ├── bom-yaml-1.19.4.tar.gz ├── halyard.sh ├── halyard.yaml ├── ingress.yaml ├── install.sh └── spinnaker-clusterrolebinding.yaml ├── helm-spinnaker ├── getimage.sh ├── ingress.yaml ├── pvc-spinnaker.yaml └── spinnaker │ ├── .helmignore │ ├── Chart.yaml │ ├── OWNERS │ ├── README.md │ ├── charts │ ├── minio │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── OWNERS │ │ ├── README.md │ │ ├── ci │ │ │ └── distributed-values.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helper_create_bucket.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── deployment.yaml │ │ │ ├── ingress.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ ├── post-install-create-bucket-job.yaml │ │ │ ├── pvc.yaml │ │ │ ├── secrets.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── servicemonitor.yaml │ │ │ └── statefulset.yaml │ │ └── values.yaml │ └── redis │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── ci │ │ ├── default-values.yaml │ │ ├── dev-values.yaml │ │ ├── extra-flags-values.yaml │ │ ├── insecure-sentinel-values.yaml │ │ ├── production-sentinel-values.yaml │ │ ├── production-values.yaml │ │ ├── redis-lib-values.yaml │ │ └── redisgraph-module-values.yaml │ │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── headless-svc.yaml │ │ ├── health-configmap.yaml │ │ ├── metrics-prometheus.yaml │ │ ├── metrics-svc.yaml │ │ ├── networkpolicy.yaml │ │ ├── prometheusrule.yaml │ │ ├── psp.yaml │ │ ├── redis-master-statefulset.yaml │ │ ├── redis-master-svc.yaml │ │ ├── redis-role.yaml │ │ ├── redis-rolebinding.yaml │ │ ├── redis-serviceaccount.yaml │ │ ├── redis-slave-statefulset.yaml │ │ ├── redis-slave-svc.yaml │ │ ├── redis-with-sentinel-svc.yaml │ │ └── secret.yaml │ │ ├── values-production.yaml │ 
│ ├── values.schema.json │ │ └── values.yaml │ ├── requirements.lock │ ├── requirements.yaml │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── configmap │ │ ├── additional-configmaps.yaml │ │ ├── additional-profile-configmaps.yaml │ │ ├── additional-scripts.yaml │ │ ├── bom.yaml │ │ ├── halyard-config.yaml │ │ ├── halyard-init-script.yaml │ │ ├── service-configs.yaml │ │ └── service-settings.yaml │ ├── hooks │ │ ├── cleanup.yaml │ │ └── install-using-hal.yaml │ ├── ingress │ │ ├── deck.yaml │ │ └── gate.yaml │ ├── rbac │ │ ├── halyard-sa.yaml │ │ ├── psp-halyard-role.yaml │ │ ├── psp-halyard-rolebinding.yaml │ │ ├── psp-halyard.yaml │ │ ├── rolebinding.yaml │ │ └── spinnaker-sa.yaml │ ├── secrets │ │ ├── additional-secrets.yaml │ │ ├── gcs.yaml │ │ ├── registry.yaml │ │ └── s3.yaml │ ├── services │ │ └── halyard.yaml │ └── statefulsets │ │ └── halyard.yaml │ ├── values.yaml │ └── values_saml.yaml ├── minio ├── README.md ├── minio │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── ci │ │ └── distributed-values.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helper_create_bucket.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── networkpolicy.yaml │ │ ├── poddisruptionbudget.yaml │ │ ├── post-install-create-bucket-job.yaml │ │ ├── post-install-prometheus-metrics-job.yaml │ │ ├── post-install-prometheus-metrics-role.yaml │ │ ├── post-install-prometheus-metrics-rolebinding.yaml │ │ ├── post-install-prometheus-metrics-serviceaccount.yaml │ │ ├── pvc.yaml │ │ ├── secrets.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ ├── servicemonitor.yaml │ │ └── statefulset.yaml │ └── values.yaml └── pv.yaml ├── tools ├── GetImages.sh ├── fileprocess.py ├── halyard.sh ├── halyard.yaml ├── ingress.yaml └── install.sh └── updates └── bom-yaml-1.19.4.tar.gz /.github/workflows/spinnaker-ci.yml: -------------------------------------------------------------------------------- 1 | # This is a basic workflow to help you 
get started with Actions 2 | #VERSION 2 3 | #renew 4 | 5 | name: Spinnaker Pre Install 6 | env: 7 | SPINNAKER_VERSION: 1.26.7 8 | #REGISTRY_URL: "gcr.io/spinnaker-marketplace/" 9 | REGISTRY_URL: "us-docker.pkg.dev/spinnaker-community/docker/" 10 | NEW_REGISTRY_URL: "registry.cn-beijing.aliyuncs.com/spinnaker-cd/" 11 | NEW_REGISTRY_URL2: "docker.io/spinnakercd/" 12 | TAG_FILE: "tagfile.txt" 13 | BOM_DIR: ".boms" 14 | 15 | 16 | on: 17 | push: 18 | paths: 19 | - '.github/workflows/**' 20 | 21 | jobs: 22 | build: 23 | runs-on: ubuntu-20.04 24 | steps: 25 | - uses: actions/checkout@v2 26 | 27 | ## 28 | # - name: 01-安装Halyard部署工具 29 | # run: | 30 | # chmod +x ./InstallHalyard.sh 31 | # ls 32 | # sleep 2 33 | # sudo bash -x InstallHalyard.sh --user runner -y 34 | # sleep 5 35 | # hal -v 36 | # ## 37 | - name: 01-使用Halyard获取bom版本文件 38 | run: | 39 | docker pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 40 | #docker run -itd -p 9084:8084 -p 9000:9000 --name halyard registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 41 | docker run -itd --name halyard registry.cn-beijing.aliyuncs.com/spinnaker-cd/halyard:1.32.0 42 | sleep 5 43 | docker ps | grep halyard 44 | chmod +x getbom.sh 45 | docker cp getbom.sh halyard:/opt/getbom.sh 46 | docker exec -u root halyard chmod +x /opt/getbom.sh 47 | docker exec -u root halyard sh /opt/getbom.sh ${SPINNAKER_VERSION} 48 | docker cp halyard:/opt/${SPINNAKER_VERSION}.yml ./${SPINNAKER_VERSION}.yml 49 | mkdir -p .boms 50 | 51 | ## 解析版本文件生成镜像标签 52 | ## 上传到阿里云镜像仓库 53 | ## docker https://github.com/Azure/docker-login 54 | - name: 02-1-获取gcr.io镜像 55 | run: | 56 | python3 tools/fileprocess.py ${SPINNAKER_VERSION}.yml ${TAG_FILE} ${BOM_DIR} 57 | ls ${BOM_DIR} 58 | 59 | echo -e "\033[32m ---> Tag File ---> \033[0m" 60 | cat ${TAG_FILE} 61 | docker login -u ${{ secrets.DOCKER_USER}} -p ${{ secrets.DOCKER_PASSWD}} ${NEW_REGISTRY_URL} 62 | for tag in $(cat ${TAG_FILE}) 63 | do 64 | echo -e "\033[32m ---> pull ---> 
${REGISTRY_URL}${tag} \033[0m" 65 | docker pull ${REGISTRY_URL}${tag} 66 | done 67 | 68 | - name: 02-2-同步镜像到dockerHUB 69 | run: | 70 | docker login -u ${{ secrets.HUBDOCKER_USER}} -p ${{ secrets.HUBDOCKER_PASSWD}} docker.io 71 | for tag in $(cat ${TAG_FILE}) 72 | do 73 | echo -e "\033[32m ---> push ---> ${NEW_REGISTRY_URL2}${tag} \033[0m" 74 | docker tag ${REGISTRY_URL}${tag} ${NEW_REGISTRY_URL2}${tag} 75 | docker push ${NEW_REGISTRY_URL2}${tag} 76 | done 77 | 78 | # - name: 02-3-同步镜像到阿里云镜像仓库 79 | # run: | 80 | # docker login -u ${{ secrets.DOCKER_USER}} -p ${{ secrets.DOCKER_PASSWD}} ${NEW_REGISTRY_URL} 81 | # for tag in $(cat ${TAG_FILE}) 82 | # do 83 | # echo -e "\033[32m ---> push ---> ${NEW_REGISTRY_URL}${tag} \033[0m" 84 | # docker tag ${REGISTRY_URL}${tag} ${NEW_REGISTRY_URL}${tag} 85 | # docker push ${NEW_REGISTRY_URL}${tag} 86 | # done 87 | 88 | ## 收集镜像tag文件和下载镜像的脚本 89 | - name: 03- 收集镜像tag文件和下载镜像的脚本 90 | run : | 91 | mkdir -p artifacts/${SPINNAKER_VERSION} 92 | mv ${TAG_FILE} artifacts/${SPINNAKER_VERSION}/ 93 | mv tools/GetImages.sh artifacts/${SPINNAKER_VERSION}/ 94 | ## install scripts files 95 | sed -i "s/SPIN_VERSION/${SPINNAKER_VERSION}/g" tools/install.sh 96 | sed -i "s/SPIN_VERSION/${SPINNAKER_VERSION}/g" tools/halyard.sh 97 | mv tools/halyard.sh artifacts/${SPINNAKER_VERSION}/ 98 | mv tools/halyard.yaml artifacts/${SPINNAKER_VERSION}/ 99 | mv tools/install.sh artifacts/${SPINNAKER_VERSION}/ 100 | mv tools/ingress.yaml artifacts/${SPINNAKER_VERSION}/ 101 | ## 102 | mv ${BOM_DIR} artifacts/${SPINNAKER_VERSION}/ 103 | mkdir -p artifacts/${SPINNAKER_VERSION}/${BOM_DIR}/bom 104 | 105 | ## 修改dockerregistry 106 | sed -i "s/us-docker.pkg.dev\/spinnaker-community\/docker/gcr.io\/spinnaker-marketplace/g" ${SPINNAKER_VERSION}.yml 107 | mv ${SPINNAKER_VERSION}.yml artifacts/${SPINNAKER_VERSION}/${BOM_DIR}/bom/ 108 | 109 | ## artifact https://github.com/actions/upload-artifact 110 | - uses: actions/upload-artifact@v2 111 | with: 112 | name: ${{ 
env.SPINNAKER_VERSION }}-Install-Scripts 113 | path: artifacts/* 114 | -------------------------------------------------------------------------------- /1.26.7-Install-Scripts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zeyangli/spinnaker-cd-install/0fe2bc78ff26b12ab026c7c596a7440b493fa47e/1.26.7-Install-Scripts.zip -------------------------------------------------------------------------------- /InstallHalyard.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | function check_migration_needed() { 6 | set +e 7 | 8 | which dpkg &> /dev/null 9 | if [ "$?" = "0" ]; then 10 | dpkg -s spinnaker-halyard &> /dev/null 11 | 12 | if [ "$?" != "1" ]; then 13 | >&2 echo "Attempting to install halyard while a debian installation is present." 14 | >&2 echo "Please visit: https://spinnaker.io/setup/install/halyard_migration/" 15 | exit 1 16 | fi 17 | fi 18 | set -e 19 | } 20 | 21 | function process_args() { 22 | while [ "$#" -gt "0" ] 23 | do 24 | local key="$1" 25 | shift 26 | case $key in 27 | --halyard-bucket-base-url) 28 | echo "halyard-bucket-base-url" 29 | HALYARD_BUCKET_BASE_URL="$1" 30 | shift 31 | ;; 32 | --download-with-gsutil) 33 | echo "download-with-gsutil" 34 | DOWNLOAD_WITH_GSUTIL=true 35 | ;; 36 | --spinnaker-repository) 37 | echo "spinnaker-repo" 38 | SPINNAKER_REPOSITORY_URL="$1" 39 | shift 40 | ;; 41 | --spinnaker-registry) 42 | echo "spinnaker-registry" 43 | SPINNAKER_DOCKER_REGISTRY="$1" 44 | shift 45 | ;; 46 | --spinnaker-gce-project) 47 | echo "spinnaker-gce-project" 48 | SPINNAKER_GCE_PROJECT="$1" 49 | shift 50 | ;; 51 | --config-bucket) 52 | echo "config-bucket" 53 | CONFIG_BUCKET="$1" 54 | shift 55 | ;; 56 | --user) 57 | echo "user" 58 | HAL_USER="$1" 59 | shift 60 | ;; 61 | --version) 62 | echo "version" 63 | HALYARD_VERSION="$1" 64 | shift 65 | ;; 66 | -y) 67 | echo "non-interactive" 68 | YES=true 
69 | ;; 70 | --help|-help|-h) 71 | print_usage 72 | exit 13 73 | ;; 74 | *) 75 | echo "ERROR: Unknown argument '$key'" 76 | exit 1 77 | esac 78 | done 79 | } 80 | 81 | function get_user() { 82 | local user 83 | 84 | user=$(whoami) 85 | if [ -z "$YES" ]; then 86 | if [ "$user" = "root" ] || [ -z "$user" ]; then 87 | read -p "Please supply a non-root user to run Halyard as: " user 88 | fi 89 | fi 90 | 91 | echo $user 92 | } 93 | 94 | function get_home() { 95 | getent passwd $HAL_USER | cut -d: -f6 96 | } 97 | 98 | function configure_defaults() { 99 | if [ -z "$HAL_USER" ]; then 100 | HAL_USER=$(get_user) 101 | fi 102 | 103 | if [ -z "$HAL_USER" ]; then 104 | >&2 echo "You have not supplied a user to run Halyard as." 105 | exit 1 106 | fi 107 | 108 | if [ "$HAL_USER" = "root" ]; then 109 | >&2 echo "Halyard may not be run as root. Supply a user to run Halyard as: " 110 | >&2 echo " sudo bash $0 --user " 111 | exit 1 112 | fi 113 | 114 | set +e 115 | getent passwd $HAL_USER &> /dev/null 116 | 117 | if [ "$?" 
!= "0" ]; then 118 | >&2 echo "Supplied user $HAL_USER does not exist" 119 | exit 1 120 | fi 121 | set -e 122 | 123 | if [ -z "$HALYARD_VERSION" ]; then 124 | HALYARD_VERSION="stable" 125 | fi 126 | 127 | echo "$(tput bold)Halyard version will be $HALYARD_VERSION $(tput sgr0)" 128 | 129 | if [ -z "$HALYARD_BUCKET_BASE_URL" ]; then 130 | HALYARD_BUCKET_BASE_URL="gs://spinnaker-artifacts/halyard" 131 | fi 132 | 133 | echo "$(tput bold)Halyard will be downloaded from $HALYARD_BUCKET_BASE_URL $(tput sgr0)" 134 | 135 | if [ -z "$CONFIG_BUCKET" ]; then 136 | CONFIG_BUCKET="halconfig" 137 | fi 138 | 139 | echo "$(tput bold)Halyard config will come from bucket gs://$CONFIG_BUCKET $(tput sgr0)" 140 | 141 | home=$(get_home) 142 | local halconfig_dir="$home/.hal" 143 | 144 | echo "$(tput bold)Halconfig will be stored at $halconfig_dir/config$(tput sgr0)" 145 | 146 | mkdir -p $halconfig_dir 147 | chown $HAL_USER $halconfig_dir 148 | 149 | mkdir -p /opt/spinnaker/config 150 | chmod a+rx /opt/spinnaker/config 151 | 152 | cat > /opt/spinnaker/config/halyard.yml < /opt/spinnaker/config/halyard-user 168 | 169 | cat > $halconfig_dir/uninstall.sh <] [--user=] 201 | -y Accept all default options during install 202 | (non-interactive mode). 203 | 204 | --halyard-bucket-base-url The bucket the Halyard JAR to be installed 205 | is stored in. 206 | 207 | --download-with-gsutil If specifying a GCS bucket using 208 | --halyard-bucket-base-url, this flag causes the 209 | install script to rely on gsutil and its 210 | authentication to fetch the Halyard JAR. 211 | 212 | --config-bucket The bucket the your Bill of Materials and 213 | base profiles are stored in. 214 | 215 | --spinnaker-repository Obtain Spinnaker artifact debians from 216 | rather than the default repository, which is 217 | $SPINNAKER_REPOSITORY_URL. 218 | 219 | --spinnaker-registry Obtain Spinnaker docker images from 220 | rather than the default registry, which is 221 | $SPINNAKER_DOCKER_REGISTRY. 
222 | 223 | --spinnaker-gce-project Obtain Spinnaker GCE images from 224 | rather than the default project, which is 225 | $SPINNAKER_GCE_PROJECT. 226 | 227 | --version Specify the exact version of Halyard to 228 | install. 229 | 230 | --user Specify the user to run Halyard as. This 231 | user must exist. 232 | EOF 233 | } 234 | 235 | function check_java() { 236 | 237 | if ! which java 2>&1 > /dev/null; then 238 | echo "Couldn't find a 'java' binary in your \$PATH. Halyard requires Java to run." 239 | exit 1 240 | fi 241 | } 242 | 243 | function configure_bash_completion() { 244 | local yes 245 | echo "" 246 | if [ -z "$YES" ]; then 247 | read -p "Would you like to configure halyard to use bash auto-completion? [default=Y]: " yes 248 | else 249 | yes="y" 250 | fi 251 | 252 | if [ "$yes" = "y" ] || [ "$yes = "Y" ] || [ "$yes = "yes" ] || [ "$yes" = "" ]; then 253 | local home=$(get_home) 254 | completion_script="/etc/bash_completion.d/hal" 255 | 256 | mkdir -p $(dirname $completion_script) 257 | hal --print-bash-completion | tee $completion_script > /dev/null 258 | 259 | local bashrc 260 | if [ -z "$YES" ]; then 261 | echo "" 262 | read -p "Where is your bash RC? [default=$home/.bashrc]: " bashrc 263 | fi 264 | 265 | if [ -z "$bashrc" ]; then 266 | bashrc="$home/.bashrc" 267 | fi 268 | 269 | if [ -z "$(grep $completion_script $bashrc)" ]; then 270 | echo "# configure hal auto-complete " >> $bashrc 271 | echo ". /etc/bash_completion.d/hal" >> $bashrc 272 | fi 273 | 274 | echo "Bash auto-completion configured." 275 | echo "$(tput bold)To use the auto-completion either restart your shell, or run$(tput sgr0)" 276 | echo "$(tput bold). $bashrc$(tput sgr0)" 277 | fi 278 | } 279 | 280 | function install_halyard() { 281 | TEMPDIR=$(mktemp -d installhalyard.XXXX) 282 | pushd $TEMPDIR 283 | local gcs_bucket_and_file 284 | 285 | if [[ "$HALYARD_BUCKET_BASE_URL" != gs://* ]]; then 286 | >&2 echo "Currently installing halyard is only supported from a GCS bucket." 
287 | >&2 echo "The --halyard-install-url parameter must start with 'gs://'." 288 | exit 1 289 | else 290 | gcs_bucket_and_file=${HALYARD_BUCKET_BASE_URL:5}/$HALYARD_VERSION/debian/halyard.tar.gz 291 | fi 292 | 293 | if [ -n "$DOWNLOAD_WITH_GSUTIL" ]; then 294 | gsutil cp gs://$gcs_bucket_and_file halyard.tar.gz 295 | else 296 | curl -O https://storage.googleapis.com/$gcs_bucket_and_file 297 | fi 298 | 299 | tar --no-same-owner -xvf halyard.tar.gz -C /opt 300 | 301 | 302 | if which systemd-sysusers &>/dev/null; then 303 | if [ ! -d "/usr/lib/sysusers.d" ]; then 304 | if [ ! -L "/usr/lib/sysusers.d" ]; then 305 | echo "Creating /usr/lib/sysusers.d directory." 306 | install -dm755 -o root -g root /usr/lib/sysusers.d 307 | fi 308 | fi 309 | cat > /usr/lib/sysusers.d/halyard.conf < /dev/null || true 315 | 316 | else 317 | groupadd halyard || true 318 | groupadd spinnaker || true 319 | fi 320 | 321 | usermod -G halyard -a $HAL_USER || true 322 | usermod -G spinnaker -a $HAL_USER || true 323 | chown $HAL_USER:halyard /opt/halyard 324 | 325 | mv /opt/hal /usr/local/bin 326 | chmod a+rx /usr/local/bin/hal 327 | 328 | if [ -f /opt/update-halyard ]; then 329 | mv /opt/update-halyard /usr/local/bin 330 | chmod a+rx /usr/local/bin/update-halyard 331 | else 332 | echo "No update script supplied with installer..." 
333 | fi 334 | 335 | mkdir -p /var/log/spinnaker/halyard 336 | chown $HAL_USER:halyard /var/log/spinnaker/halyard 337 | chmod 755 /var/log/spinnaker /var/log/spinnaker/halyard 338 | 339 | popd 340 | rm -rf $TEMPDIR 341 | } 342 | 343 | check_migration_needed 344 | 345 | process_args $@ 346 | configure_defaults 347 | 348 | check_java 349 | install_halyard 350 | until hal --daemon-endpoint http://127.0.0.1:8064 --ready; do sleep 5 && ps aux ; done 351 | su -l -c "hal -v" -s /bin/bash $HAL_USER 352 | 353 | configure_bash_completion 354 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Spinnaker Installation Manual 2 | 3 | ![Spinnaker Pre Install](https://github.com/zeyangli/spinnaker-cd-install/workflows/Spinnaker%20Pre%20Install/badge.svg?branch=master) 4 | 5 | 目前spinnaker的安装大都采用halyard部署,也有两种版本。一种使用halyard,另外一种是使用helm job(其实也是用的halyard)。 6 | 使用halyard安装部署非常简单,如果您的网络允许部署起立更快! 
7 | 8 | ![acr-images](acr.png) 9 | 10 | 已同步更新docker.io。 11 | 12 | 13 | ## 安装说明(最新) 14 | 15 | - 提前部署好S3存储(可以使用minio,提前部署好,注意更新tools/halyard.sh文件) 16 | 17 | ``` 18 | ## Storage 配置基于minio搭建的S3存储 19 | hal config storage s3 edit \ 20 | --endpoint http://minio.idevops.site \ 21 | --access-key-id AKIAIOSFODNN7EXAMPLE \ 22 | --secret-access-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \ 23 | --bucket spinnaker \ 24 | --path-style-access true --no-validate 25 | hal config storage edit --type s3 --no-validate 26 | ``` 27 | 28 | - 如需自定义spinnaker域名,可以修改tools/halyard.sh 29 | 30 | ``` 31 | DECK_HOST="http://spinnaker.idevops.site" 32 | GATE_HOST="http://spin-gate.idevops.site" 33 | ``` 34 | 35 | 36 | 在[actions](https://github.com/zeyangli/spinnaker-cd-install/actions) 中获取最新的版本部署脚本文件(代码库中已保存1.26.7版本的安装脚本文件)。 37 | 将该文件上传到配置好了kubectl客户端的节点中。 38 | 39 | ``` 40 | unzip 1.23.6-Install-Script.zip && cd 1.23.6 41 | [root@master 1.23.6]# ls 42 | GetImages.sh halyard.sh halyard.yaml ingress.yaml install.sh tagfile.txt 43 | [root@master 1.23.6]# tree 44 | . 
45 | ├── GetImages.sh ## 可单独执行,遍历tagfile.txt进行镜像下载。 46 | ├── halyard.sh ## Halyard初始化配置脚本。 47 | ├── halyard.yaml ## Halyard容器方式部署时的配置文件。 48 | ├── ingress.yaml ## Spinnaker 部署后的Ingress模板文件。 49 | ├── install.sh ## Spinnaker 部署脚本。 50 | └── tagfile.txt ## 镜像标签文件(该文件的形成取决于bom版本文件中的定义,具体可以看actions过程) 51 | 52 | 0 directories, 6 files 53 | ``` 54 | 55 | 在每个k8s node节点下载spinnaker部署时需要的docker镜像, 然后安装spinnaker。 56 | 57 | ``` 58 | [root@master 1.23.6]# sh install.sh 59 | [getimg -> install -> ingress = allinstall] 60 | 61 | sh install.sh getimg ## 下载镜像(提前配置好各node节点的免密) 62 | sh install.sh install ## 安装spinnaker 63 | sh install.sh ingress ## 创建ingress 64 | 65 | ``` 66 | 验证pod运行状态 67 | 68 | ``` 69 | [root@master 1.23.6]# kubectl get pod -n spinnaker 70 | NAME READY STATUS RESTARTS AGE 71 | spin-clouddriver-65c656b665-v9qgg 0/1 Running 0 36s 72 | spin-deck-c74b79594-vbp2l 1/1 Running 0 34s 73 | spin-echo-56bbbbd648-bj2ss 0/1 Running 0 36s 74 | spin-front50-54894dd569-6p89d 0/1 Running 0 31s 75 | spin-gate-5798654745-4fzkw 0/1 Running 0 35s 76 | spin-igor-68f6bfdcbc-zbhcq 0/1 Running 0 33s 77 | spin-orca-5547d664b8-pj8tw 0/1 Running 0 32s 78 | spin-redis-6d85585fd7-d6jzx 1/1 Running 0 34s 79 | spin-rosco-56c56bb968-vmfr8 0/1 Running 0 31s 80 | ``` 81 | 82 | 83 | 84 | ## halyard-bom-install(demo) 85 | 86 | 使用halyard安装配置spinnaker,无需设置代理。(bom方式)这种方式会启动一个docker容器(halyard)执行任务。 87 | 88 | ``` 89 | ├── bom-yaml-1.19.4.tar.gz ## bom所需的yaml文件 90 | ├── halyard.sh ## halyard初始化配置发布脚本 91 | ├── halyard.yaml ## halyard 配置文件 92 | ├── ingress.yaml ## spinnaker部署访问入口 93 | └── install.sh ## 安装脚本 94 | 95 | ``` 96 | 97 | 注意编辑install.sh 调整部署变量值。 然后 sh -x install.sh allinstall . 
98 | 99 | 100 | ## helm-bom-install[废弃] 101 | 102 | 其实是一个helm chart,已经对values做了修改。这种方式会启动一个pod(halyard)执行任务。 103 | 104 | ``` 105 | sh getimages.sh ## 获取阿里云镜像 106 | kubectl create ns spinnaker 107 | cd helm-bom-install 108 | kubectl create -f pvc.yaml -n spinnaker ## 注意修改pv类型,这里使用的nfs 109 | kubectl create -f ingress.yaml -n spinnaker ## 注意修改Ingress Host 110 | 111 | helm install spinnaker -n spinnaker ./spinnaker ## 部署 112 | kubectl get pod -n spinnaker 113 | 114 | ``` 115 | 116 | ## Spinnaker版本更新 117 | 注意:现在已经在actions中配置ci,大部分步骤都是自动完成的。需要提前将您当前spinnaker版本的boms文件(~/.hal/.boms)打包上传到代理库updates目录中哦! 118 | 119 | 使用github actions 自动化获取版本文件,获取gcr.io镜像然后更名上传到阿里云仓库中。最后会生成一个制品`version-install-script`,里面包含镜像tag文件和下载镜像的脚本。 120 | (图片如果加载不出来,可以直接在Actions中查看最新的流水线中获取哦) 121 | ![artifacts-images](docs/artifacts.png) 122 | 123 | 然后手动获取服务版本分支中的配置文件,(此步骤已经在ci中实现,无需手动,直接下载actions制品即可) 124 | 125 | 126 | 最后手动发布。 127 | 128 | ``` 129 | unzip 1.19.14-Image-Script.zip 130 | cd 1.19.14 131 | 132 | rm -fr ~/.hal/.boms/ 133 | mv .boms/ ~/.hal/ 134 | chmod 777 -R ~/.hal/* 135 | 136 | docker exec -it halyard bash 137 | hal config version edit --version local:1.19.14 --no-validate 138 | hal deploy apply --no-validate 139 | ``` 140 | 141 | 回滚 142 | ``` 143 | hal config version edit --version local:1.19.4 --no-validate 144 | hal deploy apply --no-validate 145 | ``` 146 | 147 | 148 | 149 | 150 | 151 | 152 | ------ 153 | 以上内容简单记录,后续再进一步整理完善。目前此版本仅限于学习研究使用,避免生产环境使用。主要原因:示例中deck、gate和minio均以HTTP明文访问,install.sh对.hal和.kube目录执行了chmod 777,spinnaker-clusterrolebinding.yaml把cluster-admin绑定到default ServiceAccount,且多数hal命令带有--no-validate;用于生产前应改用TLS、收紧目录权限并使用最小权限的专用ServiceAccount。 154 | 155 | The Bill of Materials (BOM) :https://spinnaker.io/guides/operator/custom-boms/ 156 | https://spinnaker.io/community/releases/versions/ 获取最新稳定版本 157 | 158 | 159 | 160 | -------------------------------------------------------------------------------- /acr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zeyangli/spinnaker-cd-install/0fe2bc78ff26b12ab026c7c596a7440b493fa47e/acr.png -------------------------------------------------------------------------------- 
/docs/artifacts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zeyangli/spinnaker-cd-install/0fe2bc78ff26b12ab026c7c596a7440b493fa47e/docs/artifacts.png -------------------------------------------------------------------------------- /docs/hah.md: -------------------------------------------------------------------------------- 1 | hah 2 | -------------------------------------------------------------------------------- /getbom.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Wait for the Hal daemon to be ready 3 | export DAEMON_ENDPOINT=http://127.0.0.1:8064 4 | export HAL_COMMAND="hal --daemon-endpoint $DAEMON_ENDPOINT" 5 | until $HAL_COMMAND --ready; do sleep 10 ; done 6 | 7 | SPINNAKER_VERSION=$1 8 | 9 | hal version list 10 | hal version bom ${SPINNAKER_VERSION} -q -o yaml >/opt/${SPINNAKER_VERSION}.yml 11 | -------------------------------------------------------------------------------- /halyard-bom-install/bom-yaml-1.19.4.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zeyangli/spinnaker-cd-install/0fe2bc78ff26b12ab026c7c596a7440b493fa47e/halyard-bom-install/bom-yaml-1.19.4.tar.gz -------------------------------------------------------------------------------- /halyard-bom-install/halyard.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | VERSION="1.19.4" 4 | DECK_HOST="http://spinnaker.idevops.site" 5 | GATE_HOST="http://spin-gate.idevops.site" 6 | until hal --ready; do sleep 10 ; done 7 | 8 | # 设置Spinnaker版本,--version 指定版本 9 | hal config version edit --version local:${VERSION} --no-validate 10 | 11 | ## 设置时区 12 | hal config edit --timezone Asia/Shanghai 13 | 14 | ## Storage 配置基于minio搭建的S3存储 15 | hal config storage s3 edit \ 16 | --endpoint http://minio.idevops.site \ 17 | --access-key-id 
AKIAIOSFODNN7EXAMPLE \ 18 | --secret-access-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \ 19 | --bucket spinnaker \ 20 | --path-style-access true --no-validate 21 | hal config storage edit --type s3 --no-validate 22 | 23 | # Docker Registry Docker镜像仓库 24 | # Set the dockerRegistry provider as enabled 25 | hal config provider docker-registry enable --no-validate 26 | hal config provider docker-registry account add dockerhub \ 27 | --address index.docker.io \ 28 | --repositories library/alpine,library/ubuntu,library/centos,library/nginx \ 29 | --no-validate 30 | 31 | 32 | # 添加account to the kubernetes provider. 33 | hal config provider kubernetes enable --no-validate 34 | hal config provider kubernetes account add default \ 35 | --docker-registries dockerhub \ 36 | --context $(kubectl config current-context) \ 37 | --service-account true \ 38 | --omit-namespaces=kube-system,kube-public \ 39 | --provider-version v2 \ 40 | --no-validate 41 | 42 | ## 编辑Spinnaker部署选项,分部署部署,名称空间。 43 | hal config deploy edit \ 44 | --account-name default \ 45 | --type distributed \ 46 | --location spinnaker \ 47 | --no-validate 48 | 49 | ## 开启一些主要的功能 50 | hal config features edit --pipeline-templates true --no-validate 51 | hal config features edit --artifacts true --no-validate 52 | hal config features edit --managed-pipeline-templates-v2-ui true --no-validate 53 | 54 | 55 | 56 | ## 设置deck与gate的域名 57 | hal config security ui edit --override-base-url ${DECK_HOST} --no-validate 58 | hal config security api edit --override-base-url ${GATE_HOST} --no-validate 59 | 60 | ##发布 61 | hal deploy apply --no-validate 62 | -------------------------------------------------------------------------------- /halyard-bom-install/halyard.yaml: -------------------------------------------------------------------------------- 1 | server: 2 | port: 8064 3 | 4 | grpc: 5 | enabled: false 6 | 7 | halconfig: 8 | filesystem: 9 | path: ~/.hal/config 10 | 11 | spinnaker: 12 | artifacts: 13 | debian: 
https://dl.bintray.com/spinnaker-releases/debians 14 | docker: gcr.io/spinnaker-marketplace 15 | config: 16 | input: 17 | gcs: 18 | enabled: false 19 | writerEnabled: false 20 | bucket: halconfig 21 | 22 | management: 23 | endpoint: 24 | shutdown: 25 | enabled: true 26 | 27 | endpoints: 28 | web: 29 | exposure: 30 | include: shutdown, env, conditions, resolvedEnv, beans, health 31 | 32 | backup: 33 | google: 34 | enabled: false 35 | 36 | retrofit: 37 | logLevel: BASIC 38 | -------------------------------------------------------------------------------- /halyard-bom-install/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: spinnaker-service 5 | annotations: 6 | kubernetes.io/ingress.class: nginx 7 | spec: 8 | rules: 9 | - host: spinnaker.idevops.site 10 | http: 11 | paths: 12 | - path: / 13 | backend: 14 | serviceName: spin-deck 15 | servicePort: 9000 16 | - host: spin-gate.idevops.site 17 | http: 18 | paths: 19 | - path: / 20 | backend: 21 | serviceName: spin-gate 22 | servicePort: 8084 23 | -------------------------------------------------------------------------------- /halyard-bom-install/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | VERSION="1.19.4" 4 | S_REGISTRY="gcr.io/spinnaker-marketplace" 5 | T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd" 6 | BOMS_DIR="/root/.hal/" 7 | BOMS_FILR=".boms" 8 | KUBE_DIR="/root/.kube/" 9 | HALY_IMAGE="gcr.io/spinnaker-marketplace/halyard:1.32.0" 10 | DECK_HOST="spinnaker.idevops.site" 11 | GATE_HOST="spin-gate.idevops.site" 12 | NODES="node01.zy.com node02.zy.com" 13 | 14 | ## 下载镜像 15 | function GetImages(){ 16 | echo -e "\033[43;34m =====GetImg===== \033[0m" 17 | #gcr.io/spinnaker-marketplace/gate:1.15.1-20200403040016 18 | #gcr.io/spinnaker-marketplace/front50:0.22.1-20200401121252 19 | 
#gcr.io/spinnaker-marketplace/igor:1.9.2-20200401121252 20 | #gcr.io/spinnaker-marketplace/echo:2.11.2-20200401121252 21 | #gcr.io/spinnaker-marketplace/deck:3.0.2-20200324040016 22 | #gcr.io/spinnaker-marketplace/halyard:1.32.0 23 | #gcr.io/spinnaker-marketplace/clouddriver:6.7.3-20200401190525 24 | #gcr.io/spinnaker-marketplace/orca:2.13.2-20200401144746 25 | #gcr.io/spinnaker-marketplace/rosco:0.18.1-20200401121252 26 | 27 | IMAGES="gate:1.15.1-20200403040016\ 28 | front50:0.22.1-20200401121252\ 29 | igor:1.9.2-20200401121252\ 30 | echo:2.11.2-20200401121252\ 31 | deck:3.0.2-20200324040016\ 32 | halyard:1.32.0\ 33 | clouddriver:6.7.3-20200401190525\ 34 | orca:2.13.2-20200401144746\ 35 | rosco:0.18.1-20200401121252" 36 | 37 | for image in ${IMAGES} 38 | do 39 | for node in ${NODES} 40 | do 41 | echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m" 42 | ssh ${node} "docker pull ${T_REGISTRY}/${image}" 43 | echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m" 44 | ssh ${node} "docker tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}" 45 | done 46 | done 47 | for node in ${NODES} 48 | do 49 | echo -e "\033[43;34m =====${node}===镜像信息===== \033[0m" 50 | ssh ${node} "docker images | grep 'spinnaker-marketplace' " 51 | done 52 | 53 | } 54 | 55 | function Clean(){ 56 | echo -e "\033[43;34m =====Clean===== \033[0m" 57 | rm -r ${BOMS_DIR}/config ${BOMS_DIR}/default 58 | } 59 | 60 | ## 安装 61 | function Install(){ 62 | echo -e "\033[43;34m =====Install===== \033[0m" 63 | [ -d ${BOMS_DIR} ] || mkdir ${BOMS_DIR} 64 | mv ${BOMS_FILR} ${BOMS_DIR} 65 | ls -a ${BOMS_DIR} 66 | chmod 777 -R ${BOMS_DIR} 67 | chmod 777 -R ${KUBE_DIR} 68 | 69 | docker run -d \ 70 | --name halyard \ 71 | -v ${BOMS_DIR}:/home/spinnaker/.hal \ 72 | -v ${KUBE_DIR}:/home/spinnaker/.kube \ 73 | -it ${HALY_IMAGE} 74 | 75 | sleep 5 76 | docker cp halyard.yaml halyard:/opt/halyard/config/halyard.yml 77 | docker stop halyard && docker start halyard 78 | sleep 3 79 | docker ps | grep halyard 80 | sleep 
5 81 | chmod +x halyard.sh 82 | docker cp halyard.sh halyard:/home/spinnaker/halyard.sh 83 | docker exec -it halyard ./home/spinnaker/halyard.sh 84 | sleep 5 85 | kubectl get pod -n spinnaker 86 | sleep 5 87 | kubectl get pod -n spinnaker 88 | } 89 | 90 | ## Ingress 91 | function Ingress(){ 92 | echo -e "\033[43;34m =====Ingress===== \033[0m" 93 | sed -i "s/deck_domain/${DECK_HOST}/g" ingress.yaml 94 | sed -i "s/gate_domain/${GATE_HOST}/g" ingress.yaml 95 | cat ingress.yaml 96 | sleep 5 97 | kubectl create -f ingress.yaml -n spinnaker 98 | } 99 | 100 | 101 | case $1 in 102 | getimg) 103 | GetImages 104 | ;; 105 | # clean) 106 | # Clean 107 | # ;; 108 | install) 109 | Install 110 | ;; 111 | ingress) 112 | Ingress 113 | ;; 114 | allinstall) 115 | Clean 116 | GetImages 117 | Install 118 | sleep 10 119 | Ingress 120 | ;; 121 | 122 | *) 123 | echo -e " [getimg -> install -> ingress = allinstall] " 124 | ;; 125 | esac 126 | -------------------------------------------------------------------------------- /halyard-bom-install/spinnaker-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: spinnaker-spinnaker-spinnaker 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: cluster-admin 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: spinnake 13 | -------------------------------------------------------------------------------- /helm-spinnaker/getimage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | VERSION="1.19.4" 4 | S_REGISTRY="gcr.io/spinnaker-marketplace" 5 | T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd" 6 | NODES="node01.zy.com node02.zy.com" 7 | 8 | ## 下载镜像 9 | function GetImages(){ 10 | echo -e "\033[43;34m =====GetImg===== \033[0m" 11 | 
#gcr.io/spinnaker-marketplace/gate:1.15.1-20200403040016 12 | #gcr.io/spinnaker-marketplace/front50:0.22.1-20200401121252 13 | #gcr.io/spinnaker-marketplace/igor:1.9.2-20200401121252 14 | #gcr.io/spinnaker-marketplace/echo:2.11.2-20200401121252 15 | #gcr.io/spinnaker-marketplace/deck:3.0.2-20200324040016 16 | #gcr.io/spinnaker-marketplace/halyard:1.32.0 17 | #gcr.io/spinnaker-marketplace/clouddriver:6.7.3-20200401190525 18 | #gcr.io/spinnaker-marketplace/orca:2.13.2-20200401144746 19 | #gcr.io/spinnaker-marketplace/rosco:0.18.1-20200401121252 20 | 21 | IMAGES="gate:1.15.1-20200403040016\ 22 | front50:0.22.1-20200401121252\ 23 | igor:1.9.2-20200401121252\ 24 | echo:2.11.2-20200401121252\ 25 | deck:3.0.2-20200324040016\ 26 | halyard:1.32.0\ 27 | clouddriver:6.7.3-20200401190525\ 28 | orca:2.13.2-20200401144746\ 29 | rosco:0.18.1-20200401121252" 30 | 31 | for image in ${IMAGES} 32 | do 33 | for node in ${NODES} 34 | do 35 | echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m" 36 | ssh ${node} "docker pull ${T_REGISTRY}/${image}" 37 | echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m" 38 | ssh ${node} "docker tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}" 39 | done 40 | done 41 | for node in ${NODES} 42 | do 43 | echo -e "\033[43;34m =====${node}===镜像信息===== \033[0m" 44 | ssh ${node} "docker images | grep 'spinnaker-marketplace' " 45 | done 46 | 47 | } 48 | 49 | GetImages 50 | -------------------------------------------------------------------------------- /helm-spinnaker/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: spinnaker-service 5 | annotations: 6 | kubernetes.io/ingress.class: nginx 7 | spec: 8 | rules: 9 | - host: spinnaker.idevops.site 10 | http: 11 | paths: 12 | - path: / 13 | backend: 14 | serviceName: spin-deck 15 | servicePort: 9000 16 | - host: spin-gate.idevops.site 17 | http: 18 | paths: 19 | - path: / 20 | 
backend: 21 | serviceName: spin-gate 22 | servicePort: 8084 23 | -------------------------------------------------------------------------------- /helm-spinnaker/pvc-spinnaker.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolume 2 | apiVersion: v1 3 | metadata: 4 | name: halyard-pv 5 | namespace: spinnaker 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce #访问模式定义为只能以读写的方式挂载到单个节点 9 | capacity: 10 | storage: 10Gi 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: halyard-nfs 13 | nfs: 14 | path: /data/devops/spinnaker/halyard 15 | server: 192.168.1.200 16 | --- 17 | kind: PersistentVolume 18 | apiVersion: v1 19 | metadata: 20 | name: redis-pv 21 | namespace: spinnaker 22 | spec: 23 | accessModes: 24 | - ReadWriteOnce #访问模式定义为只能以读写的方式挂载到单个节点 25 | capacity: 26 | storage: 10Gi 27 | persistentVolumeReclaimPolicy: Retain 28 | storageClassName: redis-nfs 29 | nfs: 30 | path: /data/devops/spinnaker/redis 31 | server: 192.168.1.200 32 | --- 33 | kind: PersistentVolume 34 | apiVersion: v1 35 | metadata: 36 | name: minio-pv 37 | namespace: spinnaker 38 | spec: 39 | accessModes: 40 | - ReadWriteOnce #访问模式定义为只能以读写的方式挂载到单个节点 41 | capacity: 42 | storage: 10Gi 43 | persistentVolumeReclaimPolicy: Retain 44 | storageClassName: minio-nfs 45 | nfs: 46 | path: /data/devops/spinnaker/minio 47 | server: 192.168.1.200 48 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: 1.16.2 3 | description: Open source, multi-cloud continuous delivery platform for releasing software 4 | changes with high velocity and confidence. 5 | home: http://spinnaker.io/ 6 | icon: https://pbs.twimg.com/profile_images/669205226994319362/O7OjwPrh_400x400.png 7 | maintainers: 8 | - email: viglesias@google.com 9 | name: viglesiasce 10 | - email: ezimanyi@google.com 11 | name: ezimanyi 12 | - email: hello@dwardu.com 13 | name: dwardu89 14 | - email: username.taken@gmail.com 15 | name: paulczar 16 | name: spinnaker 17 | sources: 18 | - https://github.com/spinnaker 19 | - https://github.com/viglesiasce/images 20 | version: 2.2.0 21 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - viglesiasce 3 | - ezimanyi 4 | - dwardu89 5 | - paulczar 6 | reviewers: 7 | - viglesiasce 8 | - ezimanyi 9 | - dwardu89 10 | - paulczar 11 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: master 3 | description: MinIO is a high performance data infrastructure for machine learning, 4 | analytics and application data workloads. 5 | home: https://min.io 6 | icon: https://min.io/resources/img/logo/MINIO_wordmark.png 7 | keywords: 8 | - storage 9 | - object-storage 10 | - S3 11 | maintainers: 12 | - email: dev@minio.io 13 | name: Minio 14 | - email: hello@acale.ph 15 | name: Acaleph 16 | name: minio 17 | sources: 18 | - https://github.com/minio/minio 19 | version: 5.0.9 20 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - krisis 3 | - harshavardhana 4 | - nitisht 5 | - wlan0 6 | - dvaldivia 7 | reviewers: 8 | - krisis 9 | - harshavardhana 10 | - nitisht 11 | - wlan0 12 | - dvaldivia 13 | 14 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/ci/distributed-values.yaml: -------------------------------------------------------------------------------- 1 | mode: distributed 2 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.service.type "ClusterIP" "NodePort" }} 2 | Minio can be accessed via port {{ .Values.service.port }} 
on the following DNS name from within your cluster: 3 | {{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local 4 | 5 | To access Minio from localhost, run the below commands: 6 | 7 | 1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 8 | 9 | 2. kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }} 10 | 11 | Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/ 12 | 13 | You can now access Minio server on http://localhost:9000. Follow the below steps to connect to Minio server with mc client: 14 | 15 | 1. Download the Minio mc client - https://docs.minio.io/docs/minio-client-quickstart-guide 16 | 17 | 2. mc config host add {{ template "minio.fullname" . }}-local http://localhost:9000 {{ .Values.accessKey }} {{ .Values.secretKey }} S3v4 18 | 19 | 3. mc ls {{ template "minio.fullname" . }}-local 20 | 21 | Alternately, you can use your browser or the Minio SDK to access the server - https://docs.minio.io/categories/17 22 | {{- end }} 23 | {{- if eq .Values.service.type "LoadBalancer" }} 24 | Minio can be accessed via port {{ .Values.service.port }} on an external IP address. Get the service external IP address by: 25 | kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }} 26 | 27 | Note that the public IP may take a couple of minutes to be available. 28 | 29 | You can now access Minio server on http://<External-IP>:9000. Follow the below steps to connect to Minio server with mc client: 30 | 31 | 1. Download the Minio mc client - https://docs.minio.io/docs/minio-client-quickstart-guide 32 | 33 | 2. mc config host add {{ template "minio.fullname" . }}-local http://<External-IP>:{{ .Values.service.port }} {{ .Values.accessKey }} {{ .Values.secretKey }} S3v4 34 | 35 | 3. mc ls {{ template "minio.fullname" .
}}-local

Alternately, you can use your browser or the Minio SDK to access the server - https://docs.minio.io/categories/17
{{- end }}

{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
Note: Since NetworkPolicy is enabled, only pods with label
{{ template "minio.fullname" . }}-client=true"
will be able to connect to this minio cluster.
{{- /* NOTE(review): this message builds the label from minio.fullname, while templates/networkpolicy.yaml selects on minio.name plus -client. When the two names differ, pods labelled as printed here would not match the policy. The quote after true also has no opening partner. */}}
{{- end }}
--------------------------------------------------------------------------------
/helm-spinnaker/spinnaker/charts/minio/templates/_helper_create_bucket.txt:
--------------------------------------------------------------------------------
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.

{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc"
{{- end }}

# connectToMinio ($scheme)
# Use a check-sleep-check loop to wait for Minio service to be available.
# Reads the keys from /config/accesskey and /config/secretkey, registers the
# server as the mc alias `myminio`, and exits the script with status 1 once
# the attempt limit is exceeded.
connectToMinio() {
  SCHEME=$1
  ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
  set -e ; # fail if we can't read the keys.
  ACCESS=$(cat /config/accesskey) ; SECRET=$(cat /config/secretkey) ;
  set +e ; # The connections to minio are allowed to fail.
  echo "Connecting to Minio server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
  # NOTE(review): the access and secret key are expanded into the mc command
  # line, so they appear as process arguments inside this container while mc
  # runs — TODO confirm whether that is acceptable for this job pod.
  MC_COMMAND="${MC} config host add myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
  $MC_COMMAND ;
  STATUS=$? ;
  until [ $STATUS = 0 ]
  do
    ATTEMPTS=`expr $ATTEMPTS + 1` ;
    echo \"Failed attempts: $ATTEMPTS\" ;
    if [ $ATTEMPTS -gt $LIMIT ]; then
      exit 1 ;
    fi ;
    sleep 2 ; # 2 second intervals between attempts
    $MC_COMMAND ;
    STATUS=$? ;
  done ;
  set -e ; # reset `e` as active
  return 0
}

# checkBucketExists ($bucket)
# Check if the bucket exists, by using the exit code of `mc ls`
checkBucketExists() {
  BUCKET=$1
  # Output is discarded; only the exit status of the command is returned.
  CMD=$(${MC} ls myminio/$BUCKET > /dev/null 2>&1)
  return $?
}

# createBucket ($bucket, $policy, $purge)
# Ensure bucket exists, purging if asked to
createBucket() {
  BUCKET=$1
  POLICY=$2
  PURGE=$3

  # Purge the bucket, if set & exists
  # Since PURGE is user input, check explicitly for `true`
  if [ $PURGE = true ]; then
    if checkBucketExists $BUCKET ; then
      echo "Purging bucket '$BUCKET'."
      set +e ; # don't exit if this fails
      # Recursively removes the bucket and its contents.
      ${MC} rm -r --force myminio/$BUCKET
      set -e ; # reset `e` as active
    else
      echo "Bucket '$BUCKET' does not exist, skipping purge."
    fi
  fi

  # Create the bucket if it does not exist
  if ! checkBucketExists $BUCKET ; then
    echo "Creating bucket '$BUCKET'"
    ${MC} mb myminio/$BUCKET
  else
    echo "Bucket '$BUCKET' already exists."
  fi

  # At this point, the bucket should exist, skip checking for existence
  # Set policy on the bucket
  echo "Setting policy of bucket '$BUCKET' to '$POLICY'."
  ${MC} policy set $POLICY myminio/$BUCKET
}

# Try connecting to Minio instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme

# NOTE(review): bucket name, policy and purge come from chart values and are
# rendered into this script unquoted, and the functions above expand them
# unquoted as well. A value containing spaces or shell metacharacters would be
# split or interpreted by the shell; quote the values if they can come from a
# less-trusted source.
{{- if or .Values.defaultBucket.enabled }}
# Create the bucket
createBucket {{ .Values.defaultBucket.name }} {{ .Values.defaultBucket.policy }} {{ .Values.defaultBucket.purge }}
{{ else if .Values.buckets }}
# Create the buckets
{{- range .Values.buckets }}
createBucket {{ .name }} {{ .policy }} {{ .purge }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/helm-spinnaker/spinnaker/charts/minio/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "minio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "minio.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
29 | */}} 30 | {{- define "minio.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Return the appropriate apiVersion for networkpolicy. 36 | */}} 37 | {{- define "minio.networkPolicy.apiVersion" -}} 38 | {{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} 39 | {{- print "extensions/v1beta1" -}} 40 | {{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} 41 | {{- print "networking.k8s.io/v1" -}} 42 | {{- end -}} 43 | {{- end -}} 44 | 45 | {{/* 46 | Return the appropriate apiVersion for deployment. 47 | */}} 48 | {{- define "minio.deployment.apiVersion" -}} 49 | {{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.GitVersion -}} 50 | {{- print "apps/v1beta2" -}} 51 | {{- else -}} 52 | {{- print "apps/v1" -}} 53 | {{- end -}} 54 | {{- end -}} 55 | 56 | {{/* 57 | Return the appropriate apiVersion for statefulset. 58 | */}} 59 | {{- define "minio.statefulset.apiVersion" -}} 60 | {{- if .Capabilities.APIVersions.Has "apps/v1beta2" -}} 61 | {{- print "apps/v1beta2" -}} 62 | {{- else -}} 63 | {{- print "apps/v1" -}} 64 | {{- end -}} 65 | {{- end -}} 66 | 67 | {{/* 68 | Return the appropriate apiVersion for ingress. 69 | */}} 70 | {{- define "minio.ingress.apiVersion" -}} 71 | {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} 72 | {{- print "extensions/v1beta1" -}} 73 | {{- else -}} 74 | {{- print "networking.k8s.io/v1beta1" -}} 75 | {{- end -}} 76 | {{- end -}} 77 | 78 | {{/* 79 | Determine service account name for deployment or statefulset. 80 | */}} 81 | {{- define "minio.serviceAccountName" -}} 82 | {{- if .Values.serviceAccount.create -}} 83 | {{- default (include "minio.fullname" .) 
.Values.serviceAccount.name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 84 | {{- else -}} 85 | {{- default "default" .Values.serviceAccount.name -}} 86 | {{- end -}} 87 | {{- end -}} 88 | 89 | {{/* 90 | Properly format optional additional arguments to Minio binary 91 | */}} 92 | {{- define "minio.extraArgs" -}} 93 | {{- range .Values.extraArgs -}} 94 | ,{{ . | quote }} 95 | {{- end -}} 96 | {{- end -}} 97 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "minio.fullname" . }} 5 | labels: 6 | app: {{ template "minio.name" . }} 7 | chart: {{ template "minio.chart" . }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | data: 11 | initialize: |- 12 | {{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }} 13 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "standalone" }} 2 | {{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} 3 | apiVersion: {{ template "minio.deployment.apiVersion" . }} 4 | kind: Deployment 5 | metadata: 6 | name: {{ template "minio.fullname" . }} 7 | labels: 8 | app: {{ template "minio.name" . }} 9 | chart: {{ template "minio.chart" . 
}} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | strategy: 14 | type: {{ .Values.DeploymentUpdate.type }} 15 | {{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }} 16 | rollingUpdate: 17 | maxSurge: {{ .Values.DeploymentUpdate.maxSurge }} 18 | maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }} 19 | {{- end}} 20 | {{- if .Values.nasgateway.enabled }} 21 | replicas: {{ .Values.nasgateway.replicas }} 22 | {{- end }} 23 | {{- if .Values.s3gateway.enabled }} 24 | replicas: {{ .Values.s3gateway.replicas }} 25 | {{- end }} 26 | {{- if .Values.azuregateway.enabled }} 27 | replicas: {{ .Values.azuregateway.replicas }} 28 | {{- end }} 29 | {{- if .Values.gcsgateway.enabled }} 30 | replicas: {{ .Values.gcsgateway.replicas }} 31 | {{- end }} 32 | {{- if .Values.ossgateway.enabled }} 33 | replicas: {{ .Values.ossgateway.replicas }} 34 | {{- end }} 35 | {{- if .Values.b2gateway.enabled }} 36 | replicas: {{ .Values.b2gateway.replicas }} 37 | {{- end }} 38 | selector: 39 | matchLabels: 40 | app: {{ template "minio.name" . }} 41 | release: {{ .Release.Name }} 42 | template: 43 | metadata: 44 | name: {{ template "minio.fullname" . }} 45 | labels: 46 | app: {{ template "minio.name" . }} 47 | release: {{ .Release.Name }} 48 | {{- if .Values.podLabels }} 49 | {{ toYaml .Values.podLabels | indent 8 }} 50 | {{- end }} 51 | annotations: 52 | checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} 53 | checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 54 | {{- if .Values.podAnnotations }} 55 | {{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }} 56 | {{- end }} 57 | spec: 58 | {{- if .Values.priorityClassName }} 59 | priorityClassName: "{{ .Values.priorityClassName }}" 60 | {{- end }} 61 | serviceAccountName: {{ include "minio.serviceAccountName" . 
| quote }} 62 | {{- if and .Values.securityContext.enabled .Values.persistence.enabled }} 63 | securityContext: 64 | runAsUser: {{ .Values.securityContext.runAsUser }} 65 | runAsGroup: {{ .Values.securityContext.runAsGroup }} 66 | fsGroup: {{ .Values.securityContext.fsGroup }} 67 | {{- end }} 68 | containers: 69 | - name: {{ .Chart.Name }} 70 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 71 | imagePullPolicy: {{ .Values.image.pullPolicy }} 72 | {{- if .Values.s3gateway.enabled }} 73 | command: [ "/bin/sh", 74 | "-ce", 75 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} gateway s3 {{ .Values.s3gateway.serviceEndpoint }}" 76 | {{- template "minio.extraArgs" . }} ] 77 | {{- else }} 78 | {{- if .Values.azuregateway.enabled }} 79 | command: [ "/bin/sh", 80 | "-ce", 81 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} gateway azure" 82 | {{- template "minio.extraArgs" . }} ] 83 | {{- else }} 84 | {{- if .Values.gcsgateway.enabled }} 85 | command: [ "/bin/sh", 86 | "-ce", 87 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} gateway gcs {{ .Values.gcsgateway.projectId }}" 88 | {{- template "minio.extraArgs" . }} ] 89 | {{- else }} 90 | {{- if .Values.ossgateway.enabled }} 91 | command: [ "/bin/sh", 92 | "-ce", 93 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} gateway oss {{ .Values.ossgateway.endpointURL }}" 94 | {{- template "minio.extraArgs" . }} ] 95 | {{- else }} 96 | {{- if .Values.nasgateway.enabled }} 97 | command: [ "/bin/sh", 98 | "-ce", 99 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} gateway nas {{ $bucketRoot }}" 100 | {{- template "minio.extraArgs" . }} ] 101 | {{- else }} 102 | {{- if .Values.b2gateway.enabled }} 103 | command: [ "/bin/sh", 104 | "-ce", 105 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} gateway b2" 106 | {{- template "minio.extraArgs" . 
}} ] 107 | {{- else }} 108 | command: [ "/bin/sh", 109 | "-ce", 110 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} server {{ $bucketRoot }}" 111 | {{- template "minio.extraArgs" . }} ] 112 | {{- end }} 113 | {{- end }} 114 | {{- end }} 115 | {{- end }} 116 | {{- end }} 117 | {{- end }} 118 | volumeMounts: 119 | {{- if and .Values.persistence.enabled (not .Values.gcsgateway.enabled) (not .Values.azuregateway.enabled) (not .Values.s3gateway.enabled) (not .Values.b2gateway.enabled) }} 120 | - name: export 121 | mountPath: {{ .Values.mountPath }} 122 | {{- if .Values.persistence.subPath }} 123 | subPath: "{{ .Values.persistence.subPath }}" 124 | {{- end }} 125 | {{- end }} 126 | {{- if .Values.gcsgateway.enabled }} 127 | - name: minio-user 128 | mountPath: "/etc/credentials" 129 | readOnly: true 130 | {{- end }} 131 | {{- if .Values.tls.enabled }} 132 | - name: cert-secret-volume 133 | mountPath: {{ .Values.certsPath }} 134 | {{ end }} 135 | ports: 136 | {{- if .Values.tls.enabled }} 137 | - name: https 138 | {{ else }} 139 | - name: http 140 | {{- end }} 141 | containerPort: 9000 142 | env: 143 | - name: MINIO_ACCESS_KEY 144 | valueFrom: 145 | secretKeyRef: 146 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . }}{{ end }} 147 | key: accesskey 148 | - name: MINIO_SECRET_KEY 149 | valueFrom: 150 | secretKeyRef: 151 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . 
}}{{ end }} 152 | key: secretkey 153 | {{- if .Values.gcsgateway.enabled }} 154 | - name: GOOGLE_APPLICATION_CREDENTIALS 155 | value: "/etc/credentials/gcs_key.json" 156 | {{- end }} 157 | {{- range $key, $val := .Values.environment }} 158 | - name: {{ $key }} 159 | value: {{ $val | quote }} 160 | {{- end}} 161 | livenessProbe: 162 | httpGet: 163 | path: /minio/health/live 164 | {{- if .Values.tls.enabled }} 165 | port: https 166 | {{ else }} 167 | port: http 168 | {{- end }} 169 | {{- if .Values.tls.enabled }} 170 | scheme: HTTPS 171 | {{ else }} 172 | scheme: HTTP 173 | {{- end }} 174 | initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} 175 | periodSeconds: {{ .Values.livenessProbe.periodSeconds }} 176 | timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} 177 | successThreshold: {{ .Values.livenessProbe.successThreshold }} 178 | failureThreshold: {{ .Values.livenessProbe.failureThreshold }} 179 | readinessProbe: 180 | httpGet: 181 | {{- if .Values.tls.enabled }} 182 | scheme: HTTPS 183 | {{- end }} 184 | path: /minio/health/ready 185 | {{- if .Values.tls.enabled }} 186 | port: https 187 | {{ else }} 188 | port: http 189 | {{- end }} 190 | initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} 191 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 192 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 193 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 194 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 195 | resources: 196 | {{ toYaml .Values.resources | indent 12 }} 197 | {{- with .Values.nodeSelector }} 198 | nodeSelector: 199 | {{ toYaml . | indent 8 }} 200 | {{- end }} 201 | {{- with .Values.affinity }} 202 | affinity: 203 | {{ toYaml . | indent 8 }} 204 | {{- end }} 205 | {{- with .Values.tolerations }} 206 | tolerations: 207 | {{ toYaml . 
| indent 8 }} 208 | {{- end }} 209 | volumes: 210 | {{- if and ((not .Values.gcsgateway.enabled) (not .Values.azuregateway.enabled) (not .Values.s3gateway.enabled) (not .Values.b2gateway.enabled)) }} 211 | - name: export 212 | {{- if .Values.persistence.enabled }} 213 | persistentVolumeClaim: 214 | claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }} 215 | {{- else }} 216 | emptyDir: {} 217 | {{- end }} 218 | {{- end }} 219 | - name: minio-user 220 | secret: 221 | secretName: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . }}{{ end }} 222 | {{- if .Values.tls.enabled }} 223 | - name: cert-secret-volume 224 | secret: 225 | secretName: {{ .Values.tls.certSecret }} 226 | items: 227 | - key: {{ .Values.tls.publicCrt }} 228 | path: public.crt 229 | - key: {{ .Values.tls.privateKey }} 230 | path: private.key 231 | - key: {{ .Values.tls.publicCrt }} 232 | path: CAs/public.crt 233 | {{ end }} 234 | {{- end }} 235 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | {{- $servicePort := .Values.service.port -}} 4 | {{- $ingressPath := .Values.ingress.path -}} 5 | apiVersion: {{ template "minio.ingress.apiVersion" . }} 6 | kind: Ingress 7 | metadata: 8 | name: {{ $fullName }} 9 | labels: 10 | app: {{ template "minio.name" . }} 11 | chart: {{ template "minio.chart" . }} 12 | release: {{ .Release.Name }} 13 | heritage: {{ .Release.Service }} 14 | {{- with .Values.ingress.labels }} 15 | {{ toYaml . | indent 4 }} 16 | {{- end }} 17 | 18 | {{- with .Values.ingress.annotations }} 19 | annotations: 20 | {{ toYaml . 
| indent 4 }} 21 | {{- end }} 22 | spec: 23 | {{- if .Values.ingress.tls }} 24 | tls: 25 | {{- range .Values.ingress.tls }} 26 | - hosts: 27 | {{- range .hosts }} 28 | - {{ . | quote }} 29 | {{- end }} 30 | secretName: {{ .secretName }} 31 | {{- end }} 32 | {{- end }} 33 | rules: 34 | {{- range .Values.ingress.hosts }} 35 | - host: {{ . | quote }} 36 | http: 37 | paths: 38 | - path: {{ $ingressPath }} 39 | backend: 40 | serviceName: {{ $fullName }} 41 | servicePort: {{ $servicePort }} 42 | {{- end }} 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.networkPolicy.enabled }} 2 | kind: NetworkPolicy 3 | apiVersion: {{ template "minio.networkPolicy.apiVersion" . }} 4 | metadata: 5 | name: {{ template "minio.fullname" . }} 6 | labels: 7 | app: {{ template "minio.name" . }} 8 | chart: {{ template "minio.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | spec: 12 | podSelector: 13 | matchLabels: 14 | app: {{ template "minio.name" . }} 15 | release: {{ .Release.Name }} 16 | ingress: 17 | - ports: 18 | - port: {{ .Values.service.port }} 19 | {{- if not .Values.networkPolicy.allowExternal }} 20 | from: 21 | - podSelector: 22 | matchLabels: 23 | {{ template "minio.name" . }}-client: "true" 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: minio 6 | labels: 7 | app: {{ template "minio.name" . 
}} 8 | spec: 9 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 10 | selector: 11 | matchLabels: 12 | app: {{ template "minio.name" . }} 13 | {{- end }} -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/post-install-create-bucket-job.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.defaultBucket.enabled .Values.buckets }} 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: {{ template "minio.fullname" . }}-make-bucket-job 6 | labels: 7 | app: {{ template "minio.name" . }}-make-bucket-job 8 | chart: {{ template "minio.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | annotations: 12 | "helm.sh/hook": post-install,post-upgrade 13 | "helm.sh/hook-delete-policy": hook-succeeded 14 | spec: 15 | template: 16 | metadata: 17 | labels: 18 | app: {{ template "minio.name" . }} 19 | release: {{ .Release.Name }} 20 | {{- if .Values.podLabels }} 21 | {{ toYaml .Values.podLabels | indent 8 }} 22 | {{- end }} 23 | spec: 24 | restartPolicy: OnFailure 25 | {{- if .Values.nodeSelector }} 26 | nodeSelector: 27 | {{ toYaml .Values.nodeSelector | indent 8 }} 28 | {{- end }} 29 | {{- with .Values.affinity }} 30 | affinity: 31 | {{ toYaml . | indent 8 }} 32 | {{- end }} 33 | {{- with .Values.tolerations }} 34 | tolerations: 35 | {{ toYaml . | indent 8 }} 36 | {{- end }} 37 | volumes: 38 | - name: minio-configuration 39 | projected: 40 | sources: 41 | - configMap: 42 | name: {{ template "minio.fullname" . }} 43 | - secret: 44 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . 
}}{{ end }} 45 | {{- if .Values.tls.enabled }} 46 | - name: cert-secret-volume-mc 47 | secret: 48 | secretName: {{ .Values.tls.certSecret }} 49 | items: 50 | - key: {{ .Values.tls.publicCrt }} 51 | path: CAs/public.crt 52 | {{ end }} 53 | containers: 54 | - name: minio-mc 55 | image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" 56 | imagePullPolicy: {{ .Values.mcImage.pullPolicy }} 57 | command: ["/bin/sh", "/config/initialize"] 58 | env: 59 | - name: MINIO_ENDPOINT 60 | value: {{ template "minio.fullname" . }} 61 | - name: MINIO_PORT 62 | value: {{ .Values.service.port | quote }} 63 | volumeMounts: 64 | - name: minio-configuration 65 | mountPath: /config 66 | {{- if .Values.tls.enabled }} 67 | - name: cert-secret-volume-mc 68 | mountPath: {{ .Values.configPathmc }}certs 69 | {{ end }} 70 | resources: 71 | {{ toYaml .Values.resources | indent 10 }} 72 | {{- end }} 73 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "standalone" }} 2 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ template "minio.fullname" . }} 7 | labels: 8 | app: {{ template "minio.name" . }} 9 | chart: {{ template "minio.chart" . 
}} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | {{- if and .Values.nasgateway.enabled .Values.nasgateway.pv }} 14 | selector: 15 | matchLabels: 16 | pv: {{ .Values.nasgateway.pv | quote }} 17 | {{- end }} 18 | accessModes: 19 | - {{ .Values.persistence.accessMode | quote }} 20 | resources: 21 | requests: 22 | storage: {{ .Values.persistence.size | quote }} 23 | 24 | {{- if .Values.persistence.storageClass }} 25 | {{- if (eq "-" .Values.persistence.storageClass) }} 26 | storageClassName: "" 27 | {{- else }} 28 | storageClassName: "{{ .Values.persistence.storageClass }}" 29 | {{- end }} 30 | {{- end }} 31 | {{- if .Values.persistence.VolumeName }} 32 | volumeName: "{{ .Values.persistence.VolumeName }}" 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "minio.fullname" . }} 6 | labels: 7 | app: {{ template "minio.name" . }} 8 | chart: {{ template "minio.chart" . 
}} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | type: Opaque 12 | data: {{/* NOTE(review): when accessKey / secretKey are not set, both values come from randAlphaNum, which is evaluated on every render. A later "helm upgrade" is therefore expected to write new credentials into this Secret; set the two values, or existingSecret, to keep them stable. The values are base64-encoded, not encrypted. */}} 13 | accesskey: {{ if .Values.accessKey }}{{ .Values.accessKey | b64enc | quote }}{{ else }}{{ randAlphaNum 20 | b64enc | quote }}{{ end }} 14 | secretkey: {{ if .Values.secretKey }}{{ .Values.secretKey | b64enc | quote }}{{ else }}{{ randAlphaNum 40 | b64enc | quote }}{{ end }} 15 | {{- if .Values.gcsgateway.enabled }} 16 | gcs_key.json: {{ .Values.gcsgateway.gcsKeyJson | b64enc }} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "minio.fullname" . }} 5 | labels: 6 | app: {{ template "minio.name" . }} 7 | chart: {{ template "minio.chart" . }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | {{- if .Values.service.annotations }} 11 | annotations: 12 | {{ toYaml .Values.service.annotations | indent 4 }} 13 | {{- end }} 14 | spec: 15 | {{- if (or (eq .Values.service.type "ClusterIP" "") (empty .Values.service.type)) }} 16 | type: ClusterIP 17 | {{- if not (empty .Values.service.clusterIP) }} 18 | clusterIP: {{ .Values.service.clusterIP }} 19 | {{end}} 20 | {{- else if eq .Values.service.type "LoadBalancer" }} 21 | type: {{ .Values.service.type }} 22 | loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }} 23 | {{- else }} 24 | type: {{ .Values.service.type }} 25 | {{- end }} 26 | ports: 27 | {{- if .Values.tls.enabled }} 28 | - name: https 29 | {{ else }} 30 | - name: http 31 | {{- end }} 32 | port: {{ .Values.service.port }} 33 | protocol: TCP 34 | {{- if (and (eq .Values.service.type "NodePort") ( .Values.service.nodePort)) }} 35 | nodePort: {{ .Values.service.nodePort }} 36 | {{- else }} 37 | targetPort: 9000 38 | {{- end}} 39 | {{- if 
.Values.service.externalIPs }} 40 | externalIPs: 41 | {{- range $i , $ip := .Values.service.externalIPs }} 42 | - {{ $ip }} 43 | {{- end }} 44 | {{- end }} 45 | selector: 46 | app: {{ template "minio.name" . }} 47 | release: {{ .Release.Name }} 48 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "minio.serviceAccountName" . | quote }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | {{- end -}} 8 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metrics.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ template "minio.fullname" . }} 6 | {{- if .Values.metrics.serviceMonitor.namespace }} 7 | namespace: {{ .Values.metrics.serviceMonitor.namespace }} 8 | {{- end }} 9 | labels: 10 | app: {{ template "minio.name" . }} 11 | chart: {{ template "minio.chart" . 
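}} 12 | release: {{ .Release.Name }} 13 | heritage: {{ .Release.Service }} 14 | {{- if .Values.metrics.serviceMonitor.additionalLabels }} 15 | {{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} 16 | {{- end }} 17 | spec: 18 | endpoints: 19 | {{- if .Values.tls.enabled }} 20 | - port: https 21 | {{ else }} 22 | - port: http 23 | {{- end }} 24 | path: /minio/prometheus/metrics 25 | {{- if .Values.metrics.serviceMonitor.interval }} 26 | interval: {{ .Values.metrics.serviceMonitor.interval }} 27 | {{- end }} 28 | {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} 29 | scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} 30 | {{- end }} 31 | namespaceSelector: 32 | matchNames: 33 | - {{ .Release.Namespace }} 34 | selector: 35 | matchLabels: 36 | app: {{ include "minio.name" . }} 37 | release: {{ .Release.Name }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/minio/templates/statefulset.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "distributed" }} 2 | {{ $zoneCount := .Values.zones | int }} 3 | {{ $nodeCount := .Values.replicas | int }} 4 | {{ $drivesPerNode := .Values.drivesPerNode | int }} 5 | {{ $scheme := "http" }} 6 | {{- if .Values.tls.enabled }} 7 | {{/* Assign with "=" here: a second ":=" inside this if-block declares a new variable scoped to the block, so the outer $scheme stayed "http" and the server URLs built from it in the container command were rendered as http:// even with tls.enabled. Assignment with "=" needs a Helm build whose template engine is Go 1.11 or newer. */}} {{ $scheme = "https" }} 8 | {{ end }} 9 | {{ $mountPath := .Values.mountPath }} 10 | {{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} 11 | {{ $subPath := .Values.persistence.subPath }} 12 | {{ $penabled := .Values.persistence.enabled }} 13 | {{ $accessMode := .Values.persistence.accessMode }} 14 | {{ $storageClass := .Values.persistence.storageClass }} 15 | {{ $psize := .Values.persistence.size }} 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: {{ template "minio.fullname" . }}-svc 20 | labels: 21 | app: {{ template "minio.name" . }} 22 | chart: {{ template "minio.chart" . 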
}} 23 | release: "{{ .Release.Name }}" 24 | heritage: "{{ .Release.Service }}" 25 | spec: 26 | publishNotReadyAddresses: true 27 | clusterIP: None 28 | ports: 29 | {{- if .Values.tls.enabled }} 30 | - name: https 31 | {{ else }} 32 | - name: http 33 | {{- end }} 34 | port: {{ .Values.service.port }} 35 | protocol: TCP 36 | selector: 37 | app: {{ template "minio.name" . }} 38 | release: {{ .Release.Name }} 39 | --- 40 | apiVersion: {{ template "minio.statefulset.apiVersion" . }} 41 | kind: StatefulSet 42 | metadata: 43 | name: {{ template "minio.fullname" . }} 44 | labels: 45 | app: {{ template "minio.name" . }} 46 | chart: {{ template "minio.chart" . }} 47 | release: {{ .Release.Name }} 48 | heritage: {{ .Release.Service }} 49 | spec: 50 | updateStrategy: 51 | type: {{ .Values.StatefulSetUpdate.updateStrategy }} 52 | podManagementPolicy: "Parallel" 53 | serviceName: {{ template "minio.fullname" . }}-svc 54 | replicas: {{ mul $zoneCount $nodeCount }} 55 | selector: 56 | matchLabels: 57 | app: {{ template "minio.name" . }} 58 | release: {{ .Release.Name }} 59 | template: 60 | metadata: 61 | name: {{ template "minio.fullname" . }} 62 | labels: 63 | app: {{ template "minio.name" . }} 64 | release: {{ .Release.Name }} 65 | {{- if .Values.podLabels }} 66 | {{ toYaml .Values.podLabels | indent 8 }} 67 | {{- end }} 68 | annotations: 69 | checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} 70 | checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 71 | {{- if .Values.podAnnotations }} 72 | {{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }} 73 | {{- end }} 74 | spec: 75 | {{- if .Values.priorityClassName }} 76 | priorityClassName: "{{ .Values.priorityClassName }}" 77 | {{- end }} 78 | serviceAccountName: {{ include "minio.serviceAccountName" . 
| quote }} 79 | {{- if and .Values.securityContext.enabled .Values.persistence.enabled }} 80 | securityContext: 81 | runAsUser: {{ .Values.securityContext.runAsUser }} 82 | runAsGroup: {{ .Values.securityContext.runAsGroup }} 83 | fsGroup: {{ .Values.securityContext.fsGroup }} 84 | {{- end }} 85 | containers: 86 | - name: {{ .Chart.Name }} 87 | image: {{ .Values.image.repository }}:{{ .Values.image.tag }} 88 | imagePullPolicy: {{ .Values.image.pullPolicy }} 89 | 90 | command: [ "/bin/sh", 91 | "-ce", 92 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} server {{- range $i := until $zoneCount }}{{ $factor := mul $i $nodeCount }}{{ $endIndex := add $factor $nodeCount }}{{ $beginIndex := mul $i $nodeCount }} {{ $scheme }}://{{ template `minio.fullname` $ }}-{{ `{` }}{{ $beginIndex }}...{{ sub $endIndex 1 }}{{ `}`}}.{{ template `minio.fullname` $ }}-svc.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}{{if (gt $drivesPerNode 1)}}{{ $bucketRoot }}-{{ `{` }}0...{{ sub $drivesPerNode 1 }}{{ `}` }}{{else}}{{ $bucketRoot }}{{end}}{{- end}}" 93 | {{- template "minio.extraArgs" . 
}} ] 94 | volumeMounts: 95 | {{- if $penabled }} 96 | {{- if (gt $drivesPerNode 1) }} 97 | {{- range $i := until $drivesPerNode }} 98 | - name: export-{{ $i }} 99 | mountPath: {{ $mountPath }}-{{ $i }} 100 | {{- if and $penabled $subPath }} 101 | subPath: {{ $subPath }} 102 | {{- end }} 103 | {{- end }} 104 | {{- else }} 105 | - name: export 106 | mountPath: {{ $mountPath }} 107 | {{- if and $penabled $subPath }} 108 | subPath: {{ $subPath }} 109 | {{- end }} 110 | {{- end }} 111 | {{- end }} 112 | {{- if .Values.tls.enabled }} 113 | - name: cert-secret-volume 114 | mountPath: {{ .Values.certsPath }} 115 | {{ end }} 116 | ports: 117 | {{- if .Values.tls.enabled }} 118 | - name: https 119 | {{ else }} 120 | - name: http 121 | {{- end }} 122 | containerPort: 9000 123 | env: 124 | - name: MINIO_ACCESS_KEY 125 | valueFrom: 126 | secretKeyRef: 127 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . }}{{ end }} 128 | key: accesskey 129 | - name: MINIO_SECRET_KEY 130 | valueFrom: 131 | secretKeyRef: 132 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . 
}}{{ end }} 133 | key: secretkey 134 | {{- range $key, $val := .Values.environment }} 135 | - name: {{ $key }} 136 | value: {{ $val | quote }} 137 | {{- end}} 138 | livenessProbe: 139 | httpGet: 140 | path: /minio/health/live 141 | {{- if .Values.tls.enabled }} 142 | port: https 143 | {{ else }} 144 | port: http 145 | {{- end }} 146 | {{- if .Values.tls.enabled }} 147 | scheme: HTTPS 148 | {{ else }} 149 | scheme: HTTP 150 | {{- end }} 151 | initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} 152 | periodSeconds: {{ .Values.livenessProbe.periodSeconds }} 153 | timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} 154 | successThreshold: {{ .Values.livenessProbe.successThreshold }} 155 | failureThreshold: {{ .Values.livenessProbe.failureThreshold }} 156 | readinessProbe: 157 | httpGet: 158 | path: /minio/health/ready 159 | {{- if .Values.tls.enabled }} 160 | port: https 161 | {{ else }} 162 | port: http 163 | {{- end }} 164 | {{- if .Values.tls.enabled }} 165 | scheme: HTTPS 166 | {{ else }} 167 | scheme: HTTP 168 | {{- end }} 169 | initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} 170 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 171 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 172 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 173 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 174 | resources: 175 | {{ toYaml .Values.resources | indent 12 }} 176 | {{- with .Values.nodeSelector }} 177 | nodeSelector: 178 | {{ toYaml . | indent 8 }} 179 | {{- end }} 180 | {{- with .Values.affinity }} 181 | affinity: 182 | {{ toYaml . | indent 8 }} 183 | {{- end }} 184 | {{- with .Values.tolerations }} 185 | tolerations: 186 | {{ toYaml . | indent 8 }} 187 | {{- end }} 188 | volumes: 189 | - name: minio-user 190 | secret: 191 | secretName: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . 
}}{{ end }} 192 | {{- if .Values.tls.enabled }} 193 | - name: cert-secret-volume 194 | secret: 195 | secretName: {{ .Values.tls.certSecret }} 196 | items: 197 | - key: {{ .Values.tls.publicCrt }} 198 | path: public.crt 199 | - key: {{ .Values.tls.privateKey }} 200 | path: private.key 201 | - key: {{ .Values.tls.publicCrt }} 202 | path: CAs/public.crt 203 | {{ end }} 204 | {{- if .Values.persistence.enabled }} 205 | volumeClaimTemplates: 206 | {{- if gt $drivesPerNode 1 }} 207 | {{- range $diskId := until $drivesPerNode}} 208 | - metadata: 209 | name: export-{{ $diskId }} 210 | spec: 211 | accessModes: [ {{ $accessMode | quote }} ] 212 | {{- if $storageClass }} 213 | storageClassName: {{ $storageClass }} 214 | {{- end }} 215 | resources: 216 | requests: 217 | storage: {{ $psize }} 218 | {{- end }} 219 | {{- else }} 220 | - metadata: 221 | name: export 222 | spec: 223 | accessModes: [ {{ $accessMode | quote }} ] 224 | {{- if $storageClass }} 225 | storageClassName: {{ $storageClass }} 226 | {{- end }} 227 | resources: 228 | requests: 229 | storage: {{ $psize }} 230 | {{- end }} 231 | {{- end }} 232 | {{- end }} 233 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/.helmignore: -------------------------------------------------------------------------------- 1 | .git 2 | # OWNERS file for Kubernetes 3 | OWNERS 4 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: 5.0.7 3 | description: Open source, advanced key-value store. It is often referred to as a data 4 | structure server since keys can contain strings, hashes, lists, sets and sorted 5 | sets. 
6 | engine: gotpl 7 | home: http://redis.io/ 8 | icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png 9 | keywords: 10 | - redis 11 | - keyvalue 12 | - database 13 | maintainers: 14 | - email: containers@bitnami.com 15 | name: Bitnami 16 | - email: cedric@desaintmartin.fr 17 | name: desaintmartin 18 | name: redis 19 | sources: 20 | - https://github.com/bitnami/bitnami-docker-redis 21 | version: 10.5.3 22 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/ci/default-values.yaml: -------------------------------------------------------------------------------- 1 | # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. 2 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/ci/dev-values.yaml: -------------------------------------------------------------------------------- 1 | master: 2 | persistence: 3 | enabled: false 4 | 5 | cluster: 6 | enabled: true 7 | slaveCount: 1 8 | 9 | usePassword: false 10 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/ci/extra-flags-values.yaml: -------------------------------------------------------------------------------- 1 | master: 2 | extraFlags: 3 | - --maxmemory-policy allkeys-lru 4 | persistence: 5 | enabled: false 6 | slave: 7 | extraFlags: 8 | - --maxmemory-policy allkeys-lru 9 | persistence: 10 | enabled: false 11 | usePassword: false 12 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/ci/redis-lib-values.yaml: -------------------------------------------------------------------------------- 1 | ## Redis library image 2 | ## ref: https://hub.docker.com/r/library/redis/ 3 | ## 4 | image: 5 | registry: docker.io 6 | repository: redis 7 | tag: '5.0.5' 8 | 9 | master: 10 | command: 
"redis-server" 11 | 12 | slave: 13 | command: "redis-server" 14 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/ci/redisgraph-module-values.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | registry: docker.io 3 | repository: redislabs/redisgraph 4 | tag: '1.0.0' 5 | 6 | master: 7 | command: "redis-server" 8 | 9 | slave: 10 | command: "redis-server" 11 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | ** Please be patient while the chart is being deployed ** 2 | 3 | {{- if contains .Values.master.service.type "LoadBalancer" }} 4 | {{- if not .Values.usePassword }} 5 | {{ if and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }} 6 | 7 | ------------------------------------------------------------------------------- 8 | WARNING 9 | 10 | By specifying "master.service.type=LoadBalancer" and "usePassword=false" you have 11 | most likely exposed the Redis service externally without any authentication 12 | mechanism. 13 | 14 | For security reasons, we strongly suggest that you switch to "ClusterIP" or 15 | "NodePort". As alternative, you can also switch to "usePassword=true" 16 | providing a valid password on "password" parameter. 17 | 18 | ------------------------------------------------------------------------------- 19 | {{- end }} 20 | {{- end }} 21 | {{- end }} 22 | 23 | {{- if .Values.cluster.enabled }} 24 | {{- if .Values.sentinel.enabled }} 25 | Redis can be accessed via port {{ .Values.sentinel.service.redisPort }} on the following DNS name from within your cluster: 26 | 27 | {{ template "redis.fullname" . 
}}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations 28 | 29 | For read/write operations, first access the Redis Sentinel cluster, which is available in port {{ .Values.sentinel.service.sentinelPort }} using the same domain name above. 30 | 31 | {{- else }} 32 | Redis can be accessed via port {{ .Values.redisPort }} on the following DNS names from within your cluster: 33 | 34 | {{ template "redis.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read/write operations 35 | {{ template "redis.fullname" . }}-slave.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read-only operations 36 | {{- end }} 37 | 38 | {{- else }} 39 | Redis can be accessed via port {{ .Values.redisPort }} on the following DNS name from within your cluster: 40 | 41 | {{ template "redis.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} 42 | 43 | {{- end }} 44 | 45 | {{ if .Values.usePassword }} 46 | To get your password run: 47 | 48 | export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 --decode) 49 | {{- end }} 50 | 51 | To connect to your Redis server: 52 | 53 | 1. Run a Redis pod that you can use as a client: 54 | 55 | kubectl run --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }}-client --rm --tty -i --restart='Never' \ 56 | {{ if .Values.usePassword }} --env REDIS_PASSWORD=$REDIS_PASSWORD \{{ end }} 57 | {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "redis.fullname" . }}-client=true" \{{- end }} 58 | --image {{ template "redis.image" . }} -- bash 59 | 60 | 2. Connect using the Redis CLI: 61 | 62 | {{- if .Values.cluster.enabled }} 63 | {{- if .Values.sentinel.enabled }} 64 | redis-cli -h {{ template "redis.fullname" . 
}} -p {{ .Values.sentinel.service.redisPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} # Read only operations 65 | redis-cli -h {{ template "redis.fullname" . }} -p {{ .Values.sentinel.service.sentinelPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} # Sentinel access 66 | {{- else }} 67 | redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} 68 | redis-cli -h {{ template "redis.fullname" . }}-slave{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} 69 | {{- end }} 70 | {{- else }} 71 | redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} 72 | {{- end }} 73 | 74 | {{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} 75 | Note: Since NetworkPolicy is enabled, only pods with label 76 | {{ template "redis.fullname" . }}-client=true" 77 | will be able to connect to redis. 78 | {{- else -}} 79 | 80 | To connect to your database from outside the cluster execute the following commands: 81 | 82 | {{- if contains "NodePort" .Values.master.service.type }} 83 | 84 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 85 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "redis.fullname" . }}-master) 86 | redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} 87 | 88 | {{- else if contains "LoadBalancer" .Values.master.service.type }} 89 | 90 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 91 | Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "redis.fullname" . }}' 92 | 93 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . 
}} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 94 | redis-cli -h $SERVICE_IP -p {{ .Values.master.service.nodePort }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} 95 | 96 | {{- else if contains "ClusterIP" .Values.master.service.type }} 97 | 98 | kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "redis.fullname" . }}-master {{ .Values.redisPort }}:{{ .Values.redisPort }} & 99 | redis-cli -h 127.0.0.1 -p {{ .Values.redisPort }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} 100 | 101 | {{- end }} 102 | {{- end }} 103 | 104 | {{ include "redis.checkRollingTags" . }} 105 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "redis.fullname" . }} 5 | labels: 6 | app: {{ template "redis.name" . }} 7 | chart: {{ template "redis.chart" . }} 8 | heritage: {{ .Release.Service }} 9 | release: {{ .Release.Name }} 10 | data: 11 | redis.conf: |- 12 | {{- if .Values.configmap }} 13 | # User-supplied configuration: 14 | {{ tpl .Values.configmap . | indent 4 }} 15 | {{- end }} 16 | master.conf: |- 17 | dir {{ .Values.master.persistence.path }} 18 | {{- if .Values.master.configmap }} 19 | # User-supplied master configuration: 20 | {{ tpl .Values.master.configmap . | indent 4 }} 21 | {{- end }} 22 | {{- if .Values.master.disableCommands }} 23 | {{- range .Values.master.disableCommands }} 24 | rename-command {{ . }} "" 25 | {{- end }} 26 | {{- end }} 27 | replica.conf: |- 28 | dir {{ .Values.slave.persistence.path }} 29 | slave-read-only yes 30 | {{- if .Values.slave.configmap }} 31 | # User-supplied slave configuration: 32 | {{ tpl .Values.slave.configmap . 
| indent 4 }} 33 | {{- end }} 34 | {{- if .Values.slave.disableCommands }} 35 | {{- range .Values.slave.disableCommands }} 36 | rename-command {{ . }} "" 37 | {{- end }} 38 | {{- end }} 39 | {{- if .Values.sentinel.enabled }} 40 | sentinel.conf: |- 41 | dir "/tmp" 42 | bind 0.0.0.0 43 | port {{ .Values.sentinel.port }} 44 | sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.redisPort }} {{ .Values.sentinel.quorum }} 45 | sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} 46 | sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} 47 | sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} 48 | {{- if .Values.sentinel.configmap }} 49 | # User-supplied sentinel configuration: 50 | {{ tpl .Values.sentinel.configmap . | indent 4 }} 51 | {{- end }} 52 | {{- end }} 53 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/headless-svc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "redis.fullname" . }}-headless 5 | labels: 6 | app: {{ template "redis.name" . }} 7 | chart: {{ template "redis.chart" . }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | spec: 11 | type: ClusterIP 12 | clusterIP: None 13 | ports: 14 | - name: redis 15 | port: {{ .Values.redisPort }} 16 | targetPort: redis 17 | {{- if .Values.sentinel.enabled }} 18 | - name: redis-sentinel 19 | port: {{ .Values.sentinel.port }} 20 | targetPort: redis-sentinel 21 | {{- end }} 22 | selector: 23 | app: {{ template "redis.name" . 
}} 24 | release: {{ .Release.Name }} 25 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/health-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "redis.fullname" . }}-health 5 | labels: 6 | app: {{ template "redis.name" . }} 7 | chart: {{ template "redis.chart" . }} 8 | heritage: {{ .Release.Service }} 9 | release: {{ .Release.Name }} 10 | data: {{/* NOTE(review): every probe script in this ConfigMap hands the password to redis-cli with -a, so it is part of the process arguments while the probe runs, and --no-auth-warning hides the warning redis-cli prints about that. $REDIS_PASSWORD is also unquoted, so a password containing whitespace or glob characters is word-split by the shell. redis-cli can read the password from the REDISCLI_AUTH environment variable instead; confirm that the redis-cli shipped in the configured image supports it before switching. */}} 11 | ping_readiness_local.sh: |- 12 | {{- if .Values.usePasswordFile }} 13 | password_aux=`cat ${REDIS_PASSWORD_FILE}` 14 | export REDIS_PASSWORD=$password_aux 15 | {{- end }} 16 | response=$( 17 | timeout -s 9 $1 \ 18 | redis-cli \ 19 | {{- if .Values.usePassword }} 20 | -a $REDIS_PASSWORD --no-auth-warning \ 21 | {{- end }} 22 | -h localhost \ 23 | -p $REDIS_PORT \ 24 | ping 25 | ) 26 | if [ "$response" != "PONG" ]; then 27 | echo "$response" 28 | exit 1 29 | fi 30 | ping_liveness_local.sh: |- 31 | {{- if .Values.usePasswordFile }} 32 | password_aux=`cat ${REDIS_PASSWORD_FILE}` 33 | export REDIS_PASSWORD=$password_aux 34 | {{- end }} 35 | response=$( 36 | timeout -s 9 $1 \ 37 | redis-cli \ 38 | {{- if .Values.usePassword }} 39 | -a $REDIS_PASSWORD --no-auth-warning \ 40 | {{- end }} 41 | -h localhost \ 42 | -p $REDIS_PORT \ 43 | ping 44 | ) 45 | if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then 46 | echo "$response" 47 | exit 1 48 | fi 49 | {{- if .Values.sentinel.enabled }} 50 | ping_sentinel.sh: |- 51 | {{- if .Values.usePasswordFile }} 52 | password_aux=`cat ${REDIS_PASSWORD_FILE}` 53 | export REDIS_PASSWORD=$password_aux 54 | {{- end }} 55 | response=$( 56 | timeout -s 9 $1 \ 57 | redis-cli \ 58 | {{- if .Values.usePassword }} 59 | -a $REDIS_PASSWORD --no-auth-warning \ 60 | {{- end }} 61 | -h localhost \ 62 | -p $REDIS_SENTINEL_PORT \ 63 | ping 64 | ) 65 | if 
[ "$response" != "PONG" ]; then 66 | echo "$response" 67 | exit 1 68 | fi 69 | parse_sentinels.awk: |- 70 | /ip/ {FOUND_IP=1} 71 | /port/ {FOUND_PORT=1} 72 | /runid/ {FOUND_RUNID=1} 73 | !/ip|port|runid/ { 74 | if (FOUND_IP==1) { 75 | IP=$1; FOUND_IP=0; 76 | } 77 | else if (FOUND_PORT==1) { 78 | PORT=$1; 79 | FOUND_PORT=0; 80 | } else if (FOUND_RUNID==1) { 81 | printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0; 82 | } 83 | } 84 | {{- end }} 85 | ping_readiness_master.sh: |- 86 | {{- if .Values.usePasswordFile }} 87 | password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` 88 | export REDIS_MASTER_PASSWORD=$password_aux 89 | {{- end }} 90 | response=$( 91 | timeout -s 9 $1 \ 92 | redis-cli \ 93 | {{- if .Values.usePassword }} 94 | -a $REDIS_MASTER_PASSWORD --no-auth-warning \ 95 | {{- end }} 96 | -h $REDIS_MASTER_HOST \ 97 | -p $REDIS_MASTER_PORT_NUMBER \ 98 | ping 99 | ) 100 | if [ "$response" != "PONG" ]; then 101 | echo "$response" 102 | exit 1 103 | fi 104 | ping_liveness_master.sh: |- 105 | {{- if .Values.usePasswordFile }} 106 | password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` 107 | export REDIS_MASTER_PASSWORD=$password_aux 108 | {{- end }} 109 | response=$( 110 | timeout -s 9 $1 \ 111 | redis-cli \ 112 | {{- if .Values.usePassword }} 113 | -a $REDIS_MASTER_PASSWORD --no-auth-warning \ 114 | {{- end }} 115 | -h $REDIS_MASTER_HOST \ 116 | -p $REDIS_MASTER_PORT_NUMBER \ 117 | ping 118 | ) 119 | if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then 120 | echo "$response" 121 | exit 1 122 | fi 123 | ping_readiness_local_and_master.sh: |- 124 | script_dir="$(dirname "$0")" 125 | exit_status=0 126 | "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? 127 | "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? 
128 | exit $exit_status 129 | ping_liveness_local_and_master.sh: |- 130 | script_dir="$(dirname "$0")" 131 | exit_status=0 132 | "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? 133 | "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? 134 | exit $exit_status 135 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/metrics-prometheus.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (.Values.metrics.enabled) (.Values.metrics.serviceMonitor.enabled) }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ template "redis.fullname" . }} 6 | {{- if .Values.metrics.serviceMonitor.namespace }} 7 | namespace: {{ .Values.metrics.serviceMonitor.namespace }} 8 | {{- end }} 9 | labels: 10 | app: {{ template "redis.name" . }} 11 | chart: {{ template "redis.chart" . }} 12 | release: {{ .Release.Name }} 13 | heritage: {{ .Release.Service }} 14 | {{- range $key, $value := .Values.metrics.serviceMonitor.selector }} 15 | {{ $key }}: {{ $value | quote }} 16 | {{- end }} 17 | spec: 18 | endpoints: 19 | - port: metrics 20 | {{- if .Values.metrics.serviceMonitor.interval }} 21 | interval: {{ .Values.metrics.serviceMonitor.interval }} 22 | {{- end }} 23 | selector: 24 | matchLabels: 25 | app: {{ template "redis.name" . }} 26 | release: {{ .Release.Name }} 27 | namespaceSelector: 28 | matchNames: 29 | - {{ .Release.Namespace }} 30 | {{- end -}} 31 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/metrics-svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metrics.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "redis.fullname" . }}-metrics 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . 
}} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | {{- if .Values.metrics.service.labels -}} 12 | {{ toYaml .Values.metrics.service.labels | nindent 4 }} 13 | {{- end -}} 14 | {{- if .Values.metrics.service.annotations }} 15 | annotations: {{ toYaml .Values.metrics.service.annotations | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | type: {{ .Values.metrics.service.type }} 19 | {{ if eq .Values.metrics.service.type "LoadBalancer" -}} {{ if .Values.metrics.service.loadBalancerIP }} 20 | loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} 21 | {{ end -}} 22 | {{- end -}} 23 | ports: 24 | - name: metrics 25 | port: 9121 26 | targetPort: metrics 27 | selector: 28 | app: {{ template "redis.name" . }} 29 | release: {{ .Release.Name }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/networkpolicy.yaml: --------------------------------------------------------------------------------
{{- if .Values.networkPolicy.enabled }}
# NetworkPolicy for the Redis pods selected by the app/release labels below.
# Rendered only when networkPolicy.enabled is set; without it this chart adds
# no network restriction of its own around Redis.
kind: NetworkPolicy
apiVersion: {{ template "networkPolicy.apiVersion" . }}
metadata:
  name: {{ template "redis.fullname" . }}
  labels:
    app: {{ template "redis.name" . }}
    chart: {{ template "redis.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  podSelector:
    matchLabels:
      app: {{ template "redis.name" . }}
      release: {{ .Release.Name }}
  # policyTypes and the egress rules are rendered only when cluster.enabled is
  # set; otherwise this policy carries ingress rules only and does not
  # constrain outbound traffic from the Redis pods.
  {{- if .Values.cluster.enabled }}
  policyTypes:
    - Ingress
    - Egress
  egress:
    # Allow dns resolution
    # NOTE(review): only UDP/53 is listed; DNS over TCP is not covered by this rule.
    - ports:
        - port: 53
          protocol: UDP
    # Allow outbound connections to other cluster pods
    - ports:
        - port: {{ .Values.redisPort }}
        {{- if .Values.sentinel.enabled }}
        - port: {{ .Values.sentinel.port }}
        {{- end }}
      to:
        - podSelector:
            matchLabels:
              app: {{ template "redis.name" . }}
              release: {{ .Release.Name }}
  {{- end }}
  ingress:
    # Allow inbound connections
    - ports:
        - port: {{ .Values.redisPort }}
        {{- if .Values.sentinel.enabled }}
        - port: {{ .Values.sentinel.port }}
        {{- end }}
      # The `from` clause below is rendered only when networkPolicy.allowExternal
      # is false. With allowExternal true the rule has no source restriction, so
      # the Redis (and sentinel) port accepts traffic from any peer.
      {{- if not .Values.networkPolicy.allowExternal }}
      from:
        # Pods that carry the "<fullname>-client: true" label.
        - podSelector:
            matchLabels:
              {{ template "redis.fullname" . }}-client: "true"
        # Pods of this Redis release itself.
        - podSelector:
            matchLabels:
              app: {{ template "redis.name" . }}
              release: {{ .Release.Name }}
        {{- if .Values.networkPolicy.ingressNSMatchLabels }}
        # Optional: namespaces matching ingressNSMatchLabels, narrowed to pods
        # matching ingressNSPodMatchLabels when that value is set.
        - namespaceSelector:
            matchLabels:
              {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
              {{ $key | quote }}: {{ $value | quote }}
              {{- end }}
          {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
          podSelector:
            matchLabels:
              {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
              {{ $key | quote }}: {{ $value | quote }}
              {{- end }}
          {{- end }}
        {{- end }}
      {{- end }}
    {{- if .Values.metrics.enabled }}
    # Allow prometheus scrapes for metrics
    # NOTE(review): this rule has no `from` clause, so port 9121 is reachable
    # from any peer even when allowExternal is false; restrict it to the
    # Prometheus pods/namespace if the exporter output should not be public
    # inside the cluster.
    - ports:
        - port: 9121
    {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: {{ template "redis.fullname" . }} 6 | {{- with .Values.metrics.prometheusRule.namespace }} 7 | namespace: {{ . }} 8 | {{- end }} 9 | labels: 10 | app: {{ template "redis.name" . }} 11 | chart: {{ template "redis.chart" . }} 12 | release: {{ .Release.Name | quote }} 13 | heritage: {{ .Release.Service | quote }} 14 | {{- with .Values.metrics.prometheusRule.additionalLabels }} 15 | {{ toYaml . 
| indent 4 }} 16 | {{- end }} 17 | spec: 18 | {{- with .Values.metrics.prometheusRule.rules }} 19 | groups: 20 | - name: {{ template "redis.name" $ }} 21 | rules: {{ tpl (toYaml .) $ | nindent 8 }} 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/psp.yaml: --------------------------------------------------------------------------------
{{- if .Values.podSecurityPolicy.create }}
# PodSecurityPolicy for the Redis pods, rendered only when
# podSecurityPolicy.create is set.
# NOTE(review): the PodSecurityPolicy API was removed in Kubernetes v1.25, so
# on current clusters these constraints need another mechanism (for example
# Pod Security Admission).
apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
  name: {{ template "redis.fullname" . }}
  labels:
    app: {{ template "redis.name" . }}
    chart: {{ template "redis.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  allowPrivilegeEscalation: false
  # fsGroup is pinned to the single value securityContext.fsGroup (min == max).
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: {{ .Values.securityContext.fsGroup }}
      max: {{ .Values.securityContext.fsGroup }}
  # No access to host namespaces and no privileged containers.
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  # NOTE(review): the root filesystem stays writable; whether the Redis image
  # can run with a read-only root filesystem is not visible from this template.
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - ALL
  # The UID is pinned to the single value securityContext.runAsUser.
  runAsUser:
    rule: 'MustRunAs'
    ranges:
    - min: {{ .Values.securityContext.runAsUser }}
      max: {{ .Values.securityContext.runAsUser }}
  # No SELinux constraint is imposed.
  seLinux:
    rule: 'RunAsAny'
  # NOTE(review): the supplemental group range is taken from
  # securityContext.runAsUser, not securityContext.fsGroup - confirm this is
  # intended, since the two values can differ.
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: {{ .Values.securityContext.runAsUser }}
      max: {{ .Values.securityContext.runAsUser }}
  # Only these volume types may be mounted; hostPath is not in the list.
  volumes:
  - 'configMap'
  - 'secret'
  - 'emptyDir'
  - 'persistentVolumeClaim'
{{- end }}
-------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/redis-master-svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.sentinel.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template 
"redis.fullname" . }}-master 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | {{- if .Values.master.service.labels -}} 12 | {{ toYaml .Values.master.service.labels | nindent 4 }} 13 | {{- end -}} 14 | {{- if .Values.master.service.annotations }} 15 | annotations: {{ toYaml .Values.master.service.annotations | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | type: {{ .Values.master.service.type }} 19 | {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }} 20 | loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} 21 | {{- end }} 22 | {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }} 23 | loadBalancerSourceRanges: 24 | {{- with .Values.master.service.loadBalancerSourceRanges }} 25 | {{ toYaml . | indent 4 }} 26 | {{- end }} 27 | {{- end }} 28 | ports: 29 | - name: redis 30 | port: {{ .Values.master.service.port }} 31 | targetPort: redis 32 | {{- if .Values.master.service.nodePort }} 33 | nodePort: {{ .Values.master.service.nodePort }} 34 | {{- end }} 35 | selector: 36 | app: {{ template "redis.name" . }} 37 | release: {{ .Release.Name }} 38 | role: master 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/redis-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: {{ template "redis.fullname" . }} 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | rules: 12 | {{- if .Values.podSecurityPolicy.create }} 13 | - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . 
}}'] 14 | resources: ['podsecuritypolicies'] 15 | verbs: ['use'] 16 | resourceNames: [{{ template "redis.fullname" . }}] 17 | {{- end -}} 18 | {{- if .Values.rbac.role.rules }} 19 | {{ toYaml .Values.rbac.role.rules | indent 2 }} 20 | {{- end -}} 21 | {{- end -}} 22 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/redis-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ template "redis.fullname" . }} 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: Role 14 | name: {{ template "redis.fullname" . }} 15 | subjects: 16 | - kind: ServiceAccount 17 | name: {{ template "redis.serviceAccountName" . }} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/redis-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ template "redis.serviceAccountName" . }} 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . 
}} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/redis-slave-svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "redis.fullname" . }}-slave 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | {{- if .Values.slave.service.labels -}} 12 | {{ toYaml .Values.slave.service.labels | nindent 4 }} 13 | {{- end -}} 14 | {{- if .Values.slave.service.annotations }} 15 | annotations: 16 | {{ toYaml .Values.slave.service.annotations | indent 4 }} 17 | {{- end }} 18 | spec: 19 | type: {{ .Values.slave.service.type }} 20 | {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerIP }} 21 | loadBalancerIP: {{ .Values.slave.service.loadBalancerIP }} 22 | {{- end }} 23 | {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerSourceRanges }} 24 | loadBalancerSourceRanges: 25 | {{- with .Values.slave.service.loadBalancerSourceRanges }} 26 | {{ toYaml . | indent 4 }} 27 | {{- end }} 28 | {{- end }} 29 | ports: 30 | - name: redis 31 | port: {{ .Values.slave.service.port }} 32 | targetPort: redis 33 | {{- if .Values.slave.service.nodePort }} 34 | nodePort: {{ .Values.slave.service.nodePort }} 35 | {{- end }} 36 | selector: 37 | app: {{ template "redis.name" . 
}} 38 | release: {{ .Release.Name }} 39 | role: slave 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/redis-with-sentinel-svc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.sentinel.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ template "redis.fullname" . }} 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | {{- if .Values.sentinel.service.labels }} 12 | {{ toYaml .Values.sentinel.service.labels | nindent 4 }} 13 | {{- end }} 14 | {{- if .Values.sentinel.service.annotations }} 15 | annotations: 16 | {{ toYaml .Values.sentinel.service.annotations | indent 4 }} 17 | {{- end }} 18 | spec: 19 | type: {{ .Values.sentinel.service.type }} 20 | {{ if eq .Values.sentinel.service.type "LoadBalancer" -}} {{ if .Values.sentinel.service.loadBalancerIP }} 21 | loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} 22 | {{ end -}} 23 | {{- end -}} 24 | ports: 25 | - name: redis 26 | port: {{ .Values.sentinel.service.redisPort }} 27 | targetPort: redis 28 | {{- if .Values.sentinel.service.redisNodePort }} 29 | nodePort: {{ .Values.sentinel.service.redisNodePort }} 30 | {{- end }} 31 | - name: redis-sentinel 32 | port: {{ .Values.sentinel.service.sentinelPort }} 33 | targetPort: redis-sentinel 34 | {{- if .Values.sentinel.service.sentinelNodePort }} 35 | nodePort: {{ .Values.sentinel.service.sentinelNodePort }} 36 | {{- end }} 37 | selector: 38 | app: {{ template "redis.name" . 
}} 39 | release: {{ .Release.Name }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.usePassword (not .Values.existingSecret) -}} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "redis.fullname" . }} 6 | labels: 7 | app: {{ template "redis.name" . }} 8 | chart: {{ template "redis.chart" . }} 9 | release: "{{ .Release.Name }}" 10 | heritage: "{{ .Release.Service }}" 11 | type: Opaque 12 | data: 13 | redis-password: {{ include "redis.password" . | b64enc | quote }} 14 | {{- end -}} 15 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/charts/redis/values.schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/schema#", 3 | "type": "object", 4 | "properties": { 5 | "usePassword": { 6 | "type": "boolean", 7 | "title": "Use password authentication", 8 | "form": true 9 | }, 10 | "password": { 11 | "type": "string", 12 | "title": "Password", 13 | "form": true, 14 | "description": "Defaults to a random 10-character alphanumeric string if not set", 15 | "hidden": { 16 | "condition": false, 17 | "value": "usePassword" 18 | } 19 | }, 20 | "cluster": { 21 | "type": "object", 22 | "title": "Cluster Settings", 23 | "form": true, 24 | "properties": { 25 | "enabled": { 26 | "type": "boolean", 27 | "form": true, 28 | "title": "Enable master-slave", 29 | "description": "Enable master-slave architecture" 30 | }, 31 | "slaveCount": { 32 | "type": "integer", 33 | "title": "Slave Replicas", 34 | "form": true, 35 | "hidden": { 36 | "condition": false, 37 | "value": "cluster.enabled" 38 | } 39 | } 40 | } 41 | }, 42 | "master": { 43 | "type": "object", 44 | "title": "Master replicas settings", 45 | "form": true, 
46 | "properties": { 47 | "persistence": { 48 | "type": "object", 49 | "title": "Persistence for master replicas", 50 | "form": true, 51 | "properties": { 52 | "enabled": { 53 | "type": "boolean", 54 | "form": true, 55 | "title": "Enable persistence", 56 | "description": "Enable persistence using Persistent Volume Claims" 57 | }, 58 | "size": { 59 | "type": "string", 60 | "title": "Persistent Volume Size", 61 | "form": true, 62 | "render": "slider", 63 | "sliderMin": 1, 64 | "sliderMax": 100, 65 | "sliderUnit": "Gi", 66 | "hidden": { 67 | "condition": false, 68 | "value": "master.persistence.enabled" 69 | } 70 | }, 71 | "matchLabels": { 72 | "type": "object", 73 | "title": "Persistent Match Labels Selector" 74 | }, 75 | "matchExpressions": { 76 | "type": "object", 77 | "title": "Persistent Match Expressions Selector" 78 | } 79 | } 80 | } 81 | } 82 | }, 83 | "slave": { 84 | "type": "object", 85 | "title": "Slave replicas settings", 86 | "form": true, 87 | "hidden": { 88 | "condition": false, 89 | "value": "cluster.enabled" 90 | }, 91 | "properties": { 92 | "persistence": { 93 | "type": "object", 94 | "title": "Persistence for slave replicas", 95 | "form": true, 96 | "properties": { 97 | "enabled": { 98 | "type": "boolean", 99 | "form": true, 100 | "title": "Enable persistence", 101 | "description": "Enable persistence using Persistent Volume Claims" 102 | }, 103 | "size": { 104 | "type": "string", 105 | "title": "Persistent Volume Size", 106 | "form": true, 107 | "render": "slider", 108 | "sliderMin": 1, 109 | "sliderMax": 100, 110 | "sliderUnit": "Gi", 111 | "hidden": { 112 | "condition": false, 113 | "value": "slave.persistence.enabled" 114 | } 115 | }, 116 | "matchLabels": { 117 | "type": "object", 118 | "title": "Persistent Match Labels Selector" 119 | }, 120 | "matchExpressions": { 121 | "type": "object", 122 | "title": "Persistent Match Expressions Selector" 123 | } 124 | } 125 | } 126 | } 127 | }, 128 | "volumePermissions": { 129 | "type": "object", 130 | 
"properties": { 131 | "enabled": { 132 | "type": "boolean", 133 | "form": true, 134 | "title": "Enable Init Containers", 135 | "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" 136 | } 137 | } 138 | }, 139 | "metrics": { 140 | "type": "object", 141 | "form": true, 142 | "title": "Prometheus metrics details", 143 | "properties": { 144 | "enabled": { 145 | "type": "boolean", 146 | "title": "Create Prometheus metrics exporter", 147 | "description": "Create a side-car container to expose Prometheus metrics", 148 | "form": true 149 | }, 150 | "serviceMonitor": { 151 | "type": "object", 152 | "properties": { 153 | "enabled": { 154 | "type": "boolean", 155 | "title": "Create Prometheus Operator ServiceMonitor", 156 | "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", 157 | "form": true, 158 | "hidden": { 159 | "condition": false, 160 | "value": "metrics.enabled" 161 | } 162 | } 163 | } 164 | } 165 | } 166 | } 167 | } 168 | } 169 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: redis 3 | repository: https://kubernetes-charts.storage.googleapis.com/ 4 | version: 10.5.3 5 | - name: minio 6 | repository: https://kubernetes-charts.storage.googleapis.com/ 7 | version: 5.0.9 8 | digest: sha256:106d25a8f1fb7a20ce2e7289bc150dca8c23a45d1e63b27df5b21bd8a6d642bd 9 | generated: "2020-02-20T14:53:08.2196-05:00" 10 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/requirements.yaml: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: redis 3 | version: 10.5.3 4 | repository: https://kubernetes-charts.storage.googleapis.com/ 5 | condition: redis.enabled 6 | - name: 
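minio 7 | version: 5.0.9 8 | repository: https://kubernetes-charts.storage.googleapis.com/ 9 | condition: minio.enabled 10 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. You will need to create 2 port forwarding tunnels in order to access the Spinnaker UI: 2 | export DECK_POD=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "cluster=spin-deck" -o jsonpath="{.items[0].metadata.name}") 3 | kubectl port-forward --namespace {{ .Release.Namespace }} $DECK_POD 9000 4 | 5 | export GATE_POD=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "cluster=spin-gate" -o jsonpath="{.items[0].metadata.name}") 6 | kubectl port-forward --namespace {{ .Release.Namespace }} $GATE_POD 8084 7 | 8 | 2. Visit the Spinnaker UI by opening your browser to: http://127.0.0.1:9000 9 | 10 | To customize your Spinnaker installation. Create a shell in your Halyard pod: 11 | 12 | kubectl exec --namespace {{ .Release.Namespace }} -it {{ .Release.Name }}-spinnaker-halyard-0 bash 13 | 14 | For more info on using Halyard to customize your installation, visit: 15 | https://www.spinnaker.io/reference/halyard/ 16 | 17 | For more info on the Kubernetes integration for Spinnaker, visit: 18 | https://www.spinnaker.io/reference/providers/kubernetes-v2/ 19 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/_helpers.tpl: --------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
Uses .Values.nameOverride when set, otherwise .Chart.Name, truncated to 24
characters with a trailing "-" removed.
*/}}
{{- define "spinnaker.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 24 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name ("<release>-<name>").
We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "spinnaker.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 24 | trimSuffix "-" -}}
{{- end -}}

{{/*
Common labels for metadata.
"spinnaker.standard-labels-base" emits app, heritage and release;
"spinnaker.standard-labels" adds the chart label, with "+" in the chart
version replaced by "_".
*/}}
{{- define "spinnaker.standard-labels-base" -}}
app: {{ include "spinnaker.fullname" . | quote }}
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
{{- end -}}
{{- define "spinnaker.standard-labels" -}}
{{ include "spinnaker.standard-labels-base" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
{{- end -}}

{{/*
A set of common selector labels for resources.
*/}}
{{- define "spinnaker.standard-selector-labels" -}}
app: {{ include "spinnaker.fullname" . | quote }}
release: {{ .Release.Name | quote }}
{{- end -}}

{{/*
Create comma separated list of namespaces in Kubernetes
*/}}
{{- define "nameSpaces" -}}
{{- join "," .Values.kubeConfig.nameSpaces }}
{{- end -}}

{{/*
Create comma separated list of omitted namespaces in Kubernetes
*/}}
{{- define "omittedNameSpaces" -}}
{{- join "," .Values.kubeConfig.omittedNameSpaces }}
{{- end -}}

{{/*
Create comma separated list of omitted kinds (.Values.kubeConfig.omittedKinds)
*/}}
{{- define "omittedKinds" -}}
{{- join "," .Values.kubeConfig.omittedKinds }}
{{- end -}}

{{/*
Create comma separated list of kinds (.Values.kubeConfig.kinds)
*/}}
{{- define "k8sKinds" -}}
{{- join "," .Values.kubeConfig.kinds }}
{{- end -}}

{{/*
Redis base URL for Spinnaker
- bundled Redis (.Values.redis.enabled): redis://:<password>@<release>-redis-master:6379
- external Redis with a password:        redis://:<password>@<host>:<port>
- external Redis without a password:     redis://<host>:<port>
NOTE(review): the password is written into the URL as-is. It is not
URL-escaped, so characters such as "@", ":" or "/" in it change how the URL
parses, and every template that includes this helper carries the clear-text
password into whatever object it renders. The consumers are not in this file;
confirm they render into Secrets rather than ConfigMaps.
*/}}
{{- define "spinnaker.redisBaseURL" -}}
{{- if .Values.redis.enabled }}
{{- printf "redis://:%s@%s-redis-master:6379" .Values.redis.password .Release.Name -}}
{{- else if .Values.redis.external.password }}
{{- printf "redis://:%s@%s:%s" .Values.redis.external.password .Values.redis.external.host (.Values.redis.external.port | toString) -}}
{{- else }}
{{- printf "redis://%s:%s" .Values.redis.external.host (.Values.redis.external.port | toString) -}}
{{- end }}
{{- end }}

{{/*
Create name of kubeconfig file to use when setting up kubernetes provider
Returns .Values.kubeConfig.encryptedKubeconfig when it is set, otherwise
/opt/kube/<.Values.kubeConfig.secretKey>.
The encryptedKubeconfig value is emitted directly instead of being passed to
printf as the format string, so a "%" inside it is kept literally.
*/}}
{{- define "spinnaker.kubeconfig" -}}
{{- if .Values.kubeConfig.encryptedKubeconfig }}
{{- .Values.kubeConfig.encryptedKubeconfig | toString -}}
{{- else }}
{{- printf "/opt/kube/%s" .Values.kubeConfig.secretKey | toString -}}
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/configmap/additional-configmaps.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.halyard.additionalConfigMaps.create -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "spinnaker.fullname" . }}-additional-config-maps 6 | labels: 7 | {{ include "spinnaker.standard-labels" . | indent 4 }} 8 | data: 9 | {{- if and .Values.halyard.additionalConfigMaps.create .Values.halyard.additionalConfigMaps.data }} 10 | {{- range $index, $content := .Values.halyard.additionalConfigMaps.data }} 11 | {{ $index }}: |- 12 | {{ $content | indent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/configmap/additional-profile-configmaps.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "spinnaker.fullname" . }}-additional-profile-config-maps 5 | labels: 6 | {{ include "spinnaker.standard-labels" . 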
| indent 4 }} 7 | {{/* 8 | Render profiles for each service by merging predefined defaults with values passed by 9 | .Values.halyard.additionalProfileConfigMaps.data 10 | */}} 11 | {{- $profiles := dict "gate-local.yml" dict -}} 12 | 13 | {{- /* Defaults: Disable S3 versioning on Front50 if Minio storage is used */}} 14 | {{- /* https://www.spinnaker.io/setup/install/storage/minio/#editing-your-storage-settings */}} 15 | {{- if .Values.minio.enabled -}} 16 | {{- $_ := set $profiles "front50-local.yml" (dict "spinnaker" (dict "s3" (dict "versioning" false))) -}} 17 | {{- end -}} 18 | 19 | {{- /* Defaults: Add special settings for gate if GCE or ALB ingress is used */}} 20 | {{- /* https://github.com/spinnaker/spinnaker/issues/1630#issuecomment-467359999 */}} 21 | {{- if index $.Values.ingress "annotations" -}} 22 | {{- if eq (index $.Values.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }} 23 | {{- $tomcatProxySettings := dict -}} 24 | {{- $_ := set $tomcatProxySettings "protocolHeader" "X-Forwarded-Proto" -}} 25 | {{- $_ := set $tomcatProxySettings "remoteIpHeader" "X-Forwarded-For" -}} 26 | {{- $_ := set $tomcatProxySettings "internalProxies" ".*" -}} 27 | {{- $_ := set $tomcatProxySettings "httpsServerPort" "X-Forwarded-Port" -}} 28 | {{- $_ := set $profiles "gate-local.yml" (dict "server" (dict "tomcat" $tomcatProxySettings)) -}} 29 | {{- end -}} 30 | {{- end -}} 31 | 32 | {{- /* Merge dictionaries with passed values */}} 33 | {{- $customProfilesEnabled := .Values.halyard.additionalProfileConfigMaps.create | default true -}} 34 | {{- if and $customProfilesEnabled .Values.halyard.additionalProfileConfigMaps.data -}} 35 | {{- $_ := mergeOverwrite $profiles .Values.halyard.additionalProfileConfigMaps.data -}} 36 | {{- end -}} 37 | 38 | {{- /* Convert the content of profiles to string unless it's already a string */}} 39 | {{- range $filename, $content := $profiles -}} 40 | {{- if not (typeIs "string" $content) -}} 41 | {{- $_ := 
set $profiles $filename ($content | toYaml) -}} 42 | {{- end -}} 43 | {{- end -}} 44 | 45 | {{- /* Pass content of profiles through tpl */}} 46 | {{- range $filename, $content := $profiles -}} 47 | {{- $_ := set $profiles $filename (tpl $content $) -}} 48 | {{- end -}} 49 | 50 | data: 51 | {{ $profiles | toYaml | indent 2 }} 52 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/configmap/additional-scripts.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.halyard.additionalScripts.create -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "spinnaker.fullname" . }}-additional-scripts 6 | labels: 7 | {{ include "spinnaker.standard-labels" . | indent 4 }} 8 | data: 9 | {{- if and .Values.halyard.additionalScripts.create .Values.halyard.additionalScripts.data }} 10 | {{- range $index, $content := .Values.halyard.additionalScripts.data }} 11 | {{ $index }}: |- 12 | {{ tpl $content $ | indent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/configmap/bom.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.halyard.bom -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ template "spinnaker.fullname" . }}-halyard-bom 6 | labels: 7 | {{ include "spinnaker.standard-labels" . 
| indent 4 }} 8 | data: 9 | {{ .Values.halyard.spinnakerVersion }}.yml: 10 | {{ .Values.halyard.bom | toYaml | indent 4 }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/configmap/halyard-config.yaml: --------------------------------------------------------------------------------
{{- /*
ConfigMap holding the three scripts that drive Halyard:
  install.sh - waits for the daemon, runs config.sh and any additional
               scripts, then runs `hal deploy apply`
  clean.sh   - runs `hal deploy clean -q`
  config.sh  - version, storage, Docker registry, Kubernetes account and
               feature-flag configuration

NOTE(review): this object is a ConfigMap, yet config.sh is rendered with
.Values.minio.secretKey, .Values.minio.accessKey and .Values.azs.accessKey
inline, so those credentials are stored in plain text in a non-Secret object.
The s3 branch reads its keys from files under /opt/s3 instead; the same
pattern would keep the MinIO and Azure keys out of this ConfigMap.

NOTE(review): values are interpolated into the shell text without quoting, so
whitespace or shell metacharacters in a value change the command that runs;
confirm who is allowed to supply values for this release.

NOTE(review): nearly every hal call passes --no-validate, including
`deploy apply`, so Halyard's validation of these settings is skipped.

The daemon endpoint is addressed over plain http on port 8064.
*/ -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "spinnaker.fullname" . }}-halyard-config
  labels:
{{ include "spinnaker.standard-labels" . | indent 4 }}
data:
  install.sh: |
    #!/bin/bash

    # Wait for the Hal daemon to be ready
    export DAEMON_ENDPOINT=http://{{ template "spinnaker.fullname" . }}-halyard:8064
    export HAL_COMMAND="hal --daemon-endpoint $DAEMON_ENDPOINT"
    until $HAL_COMMAND --ready; do sleep 10 ; done
    {{- /* NOTE(review): `bash -xe` below traces every command of config.sh, so the line that echoes the MinIO secret key is written to this script's output. */}}




    bash -xe /opt/halyard/scripts/config.sh

    {{- if .Values.halyard.additionalScripts.enabled }}
    bash /opt/halyard/additional/{{ .Values.halyard.additionalScripts.configMapKey }}
    {{- end }}

    {{- if and .Values.halyard.additionalScripts.create .Values.halyard.additionalScripts.data }}
    {{- range $index, $script := .Values.halyard.additionalScripts.data }}
    bash -xe /opt/halyard/additionalScripts/{{ $index }}
    {{- end }}
    {{- end }}

    $HAL_COMMAND deploy apply --no-validate
    {{- if .Values.halyard.additionalInstallParameters }} \
      {{- .Values.halyard.additionalInstallParameters | join " \\\n" | nindent 6 }}
    {{- end }}
  clean.sh: |
    export HAL_COMMAND='hal --daemon-endpoint http://{{ template "spinnaker.fullname" . }}-halyard:8064'
    $HAL_COMMAND deploy clean -q
  config.sh: |
    # Spinnaker version
    {{- /* With .Values.halyard.bom set, the version is addressed as "local:<spinnakerVersion>". */}}
    {{ if .Values.halyard.bom }}
    $HAL_COMMAND config version edit --version local:{{ .Values.halyard.spinnakerVersion }} --no-validate
    {{ else }}
    $HAL_COMMAND config version edit --version {{ .Values.halyard.spinnakerVersion }} --no-validate
    {{ end }}

    ## config ui
    #$HAL_COMMAND config security ui edit --override-base-url http://spinnaker.idevops.site
    #$HAL_COMMAND config security api edit --override-base-url http://spin-gate.idevops.site

    # Storage
    {{- /* NOTE(review): the MinIO secret key is rendered into the script and piped to hal on stdin; the command also runs with --debug, and MinIO is reached over plain http on port 9000. */}}
    {{ if .Values.minio.enabled }}
    echo {{ .Values.minio.secretKey }} | $HAL_COMMAND config storage s3 edit \
        --endpoint http://{{ .Release.Name }}-minio:9000 \
        --access-key-id {{ .Values.minio.accessKey }} \
        --secret-access-key --bucket {{ .Values.minio.defaultBucket.name }} \
        --path-style-access true --no-validate --debug
    $HAL_COMMAND config storage edit --type s3 --no-validate
    {{ end }}
    {{ if .Values.s3.enabled }}
    {{- /* The s3 branch reads its keys from files under /opt/s3 at run time, so they are not rendered into this ConfigMap. */}}
    {{- if .Values.s3.secretKey -}} cat /opt/s3/secretKey | {{- end }} $HAL_COMMAND config storage s3 edit \
      --bucket {{ .Values.s3.bucket }} \
    {{- if .Values.s3.rootFolder }}
      --root-folder {{ .Values.s3.rootFolder }} \
    {{- end }}
    {{- if .Values.s3.region }}
      --region {{ .Values.s3.region }} \
    {{- end }}
    {{- if .Values.s3.endpoint }}
      --endpoint {{ .Values.s3.endpoint }} \
    {{- end }}
    {{- if .Values.s3.assumeRole }}
      --assume-role {{ .Values.s3.assumeRole }} \
    {{- end }}
    {{- if .Values.s3.accessKey }}
      --access-key-id "$(cat /opt/s3/accessKey)" \
    {{- end }}
    {{- if .Values.s3.secretKey }}
      --secret-access-key \
    {{- end }}
    {{- range .Values.s3.extraArgs }}
      {{- . }} \
    {{- end }}

    $HAL_COMMAND config storage edit --type s3
    {{ end }}
    {{ if .Values.gcs.enabled }}
    $HAL_COMMAND config storage gcs edit --project {{ .Values.gcs.project }} --json-path /opt/gcs/key.json --bucket {{ .Values.gcs.bucket }}
    $HAL_COMMAND config storage edit --type gcs
    {{ end }}
    {{ if .Values.azs.enabled }}
    {{- /* NOTE(review): the Azure storage account key is rendered into the script and passed as a command-line argument. */}}
    $HAL_COMMAND config storage azs edit --storage-account-name {{ .Values.azs.storageAccountName }} \
    {{- if .Values.azs.containerName }}
      --storage-container-name {{ .Values.azs.containerName }} \
    {{- end }}
      --storage-account-key "{{ .Values.azs.accessKey }}"
    $HAL_COMMAND config storage edit --type azs
    {{ end }}

    # Docker Registry
    {{- /* Each registry is edited if hal already knows the account and added otherwise; the password comes from passwordCommand or from a file under /opt/registry/passwords. */}}
    $HAL_COMMAND config provider docker-registry enable --no-validate
    {{- range $index, $registry := .Values.dockerRegistries }}

    if $HAL_COMMAND config provider docker-registry account get {{ $registry.name }} --no-validate; then
      PROVIDER_COMMAND='edit'
    else
      PROVIDER_COMMAND='add'
    fi

    $HAL_COMMAND config provider docker-registry account $PROVIDER_COMMAND {{ $registry.name }} --address {{ $registry.address }} --no-validate \
      {{ if $registry.username -}} --username {{ $registry.username }} \
      {{ if $registry.passwordCommand -}} --password-command "{{ $registry.passwordCommand }}"{{ else -}} --password-file /opt/registry/passwords/{{ $registry.name }}{{- end }} \
      {{ if $registry.email -}} --email {{ $registry.email }}{{- end -}}{{- end }} \
      {{ if $registry.repositories -}} --repositories {{ range $index, $repository := $registry.repositories }}{{if $index}},{{end}}{{- $repository }}{{- end }}{{- end }}

    {{- end }}

    $HAL_COMMAND config provider kubernetes enable --no-validate
    {{- /* One Kubernetes account per context: a kubeconfig file when kubeConfig.enabled is set, otherwise `--service-account true`. */}}
    {{- range $index, $context := .Values.kubeConfig.contexts }}

    if $HAL_COMMAND config provider kubernetes account get {{ $context }} --no-validate; then
      PROVIDER_COMMAND='edit'
    else
      PROVIDER_COMMAND='add'
    fi

    $HAL_COMMAND config provider kubernetes account $PROVIDER_COMMAND {{ $context }} --no-validate --docker-registries dockerhub \
      --context {{ $context }} {{ if not $.Values.kubeConfig.enabled }}--service-account true{{ end }} \
      {{ if $.Values.kubeConfig.enabled }}--kubeconfig-file {{ template "spinnaker.kubeconfig" $ }}{{ end }} \
      {{ if $.Values.kubeConfig.onlySpinnakerManaged.enabled }}--only-spinnaker-managed true{{ end }} \
      {{ if not $.Values.kubeConfig.checkPermissionsOnStartup }}--check-permissions-on-startup false{{ end }} \
      {{ if $.Values.kubeConfig.nameSpaces }}--namespaces={{ template "nameSpaces" $ }}{{ end }} \
      {{ if not $.Values.kubeConfig.nameSpaces }}--omit-namespaces={{ template "omittedNameSpaces" $ }}{{ end }} \
      {{ if $.Values.kubeConfig.omittedKinds }}--omit-kinds={{ template "omittedKinds" $ }}{{ end }} \
      {{ if $.Values.kubeConfig.kinds }}--kinds={{ template "k8sKinds" $ }}{{ end }} \
      --provider-version v2
    {{- end }}
    $HAL_COMMAND config deploy edit --account-name {{ .Values.kubeConfig.deploymentContext }} --no-validate --type distributed \
      --location {{ .Release.Namespace }}
    # Use Deck to route to Gate
    #$HAL_COMMAND config security api edit --no-validate --override-base-url /gate
    {{- range $index, $feature := .Values.spinnakerFeatureFlags }}
    $HAL_COMMAND config features edit --no-validate --{{ $feature }} true
    {{- end }}
-------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/configmap/halyard-init-script.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "spinnaker.fullname" . }}-halyard-init-script 5 | labels: 6 | {{ include "spinnaker.standard-labels" . 
| indent 4 }}
7 | data:
8 |   init.sh: |
9 |     #!/bin/bash
10 | 
11 |     # Override Halyard daemon's listen address: 0.0.0.0 binds it to every interface, so the daemon port is reachable over the pod network. NOTE(review): no NetworkPolicy for the halyard pod is visible in the templates on this page - confirm one exists, or that the daemon API authenticates its callers.
12 |     cp /opt/halyard/config/* /tmp/config
13 |     printf 'server.address: 0.0.0.0\n' > /tmp/config/halyard-local.yml
14 |     echo "spinnaker.config.input.gcs.enabled: false" >> /tmp/config/halyard-local.yml
15 |     hal shutdown && hal
16 | 
17 |     # Use Redis deployed via the dependent Helm chart
18 |     rm -rf /tmp/spinnaker/.hal/default/service-settings
19 |     mkdir -p /tmp/spinnaker/.hal/default/service-settings
20 |     cp /tmp/service-settings/* /tmp/spinnaker/.hal/default/service-settings/
21 | 
22 |     rm -rf /tmp/spinnaker/.hal/default/profiles
23 |     mkdir -p /tmp/spinnaker/.hal/default/profiles
24 |     cp /tmp/additionalProfileConfigMaps/* /tmp/spinnaker/.hal/default/profiles/
25 | 
26 |     rm -rf /tmp/spinnaker/.hal/.boms
27 | 
28 |     {{- if .Values.halyard.bom }}
29 |     mkdir -p /tmp/spinnaker/.hal/.boms/bom
30 |     cp /tmp/halyard-bom/* /tmp/spinnaker/.hal/.boms/bom
31 |     cp -r /tmp/spinnaker/bom-yaml/* /tmp/spinnaker/.hal/.boms/
32 |     {{- end }}
33 | 
34 |     {{- if .Values.halyard.serviceConfigs }}
35 |     for filename in /tmp/service-configs/*; do
36 |       basename=$(basename -- "$filename")
37 |       fname="${basename#*_}"
38 |       servicename="${basename%%_*}"
39 | 
40 |       mkdir -p "/tmp/spinnaker/.hal/.boms/$servicename"
41 |       cp "$filename" "/tmp/spinnaker/.hal/.boms/$servicename/$fname"
42 |     done
43 |     {{- end }}
44 | 
45 |     {{- if hasKey .Values.halyard "additionalInitScript" }}
46 |     # additionalInitScript: .Values.halyard.additionalInitScript is expanded with tpl and becomes part of this script, so whoever controls the chart values controls commands run by the init container. Treat values files as code and review them.
47 | {{ tpl .Values.halyard.additionalInitScript $ | indent 4 }}
48 |     {{- end }}
49 | 
--------------------------------------------------------------------------------
/helm-spinnaker/spinnaker/templates/configmap/service-configs.yaml:
--------------------------------------------------------------------------------
1 | {{ if .Values.halyard.serviceConfigs -}}
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 |   name: {{ template "spinnaker.fullname" .
}}-service-configs 6 | labels: 7 | {{ include "spinnaker.standard-labels" . | indent 4 }} 8 | 9 | {{/* 10 | Render local configuration for each service with values passed by 11 | .Values.halyard.serviceConfigs 12 | */}} 13 | {{- $settings := dict -}} 14 | 15 | {{- if .Values.halyard.serviceConfigs -}} 16 | {{- $_ := mergeOverwrite $settings .Values.halyard.serviceConfigs -}} 17 | {{- end -}} 18 | 19 | {{- /* Convert the content of settings key to YAML string */}} 20 | {{- range $filename, $content := $settings -}} 21 | {{- if not (typeIs "string" $content) -}} 22 | {{- $_ := set $settings $filename ($content | toYaml) -}} 23 | {{- end -}} 24 | {{- end -}} 25 | 26 | data: 27 | {{ $settings | toYaml | indent 2 }} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/configmap/service-settings.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "spinnaker.fullname" . }}-service-settings 5 | labels: 6 | {{ include "spinnaker.standard-labels" . 
| indent 4 }} 7 | 8 | {{/* 9 | Render settings for each service by merging predefined defaults with values passed by 10 | .Values.halyard.additionalServiceSettings 11 | */}} 12 | {{- $settings := dict -}} 13 | 14 | {{- /* Defaults: redis service */}} 15 | {{- $redisDefaults := dict -}} 16 | {{- $_ := set $redisDefaults "skipLifeCycleManagement" true -}} 17 | {{- $_ := set $redisDefaults "overrideBaseUrl" (include "spinnaker.redisBaseURL" $) -}} 18 | {{- $_ := set $settings "redis.yml" $redisDefaults -}} 19 | 20 | {{/* Defaults: gate service */}} 21 | {{- if .Values.ingress.enabled -}} 22 | {{- $gateDefaults := dict -}} 23 | {{- $_ := set $gateDefaults "kubernetes" (dict "useExecHealthCheck" false "serviceType" "NodePort") -}} 24 | {{- $_ := set $settings "gate.yml" $gateDefaults -}} 25 | {{- end -}} 26 | 27 | {{/* Defaults: deck service */}} 28 | {{- $deckDefaults := dict -}} 29 | {{- $_ := set $deckDefaults "env" (dict "API_HOST" "http://spin-gate.idevops.site") -}} 30 | {{- if .Values.ingress.enabled -}} 31 | {{- $_ := set $deckDefaults "kubernetes" (dict "useExecHealthCheck" false "serviceType" "NodePort") -}} 32 | {{- end -}} 33 | {{- $_ := set $settings "deck.yml" $deckDefaults -}} 34 | 35 | {{- /* Merge dictionaries with passed values */}} 36 | {{- if .Values.halyard.additionalServiceSettings -}} 37 | {{- $_ := mergeOverwrite $settings .Values.halyard.additionalServiceSettings -}} 38 | {{- end -}} 39 | 40 | {{- /* Convert the content of settings key to YAML string */}} 41 | {{- range $filename, $content := $settings -}} 42 | {{- if not (typeIs "string" $content) -}} 43 | {{- $_ := set $settings $filename ($content | toYaml) -}} 44 | {{- end -}} 45 | {{- end -}} 46 | 47 | data: 48 | {{ $settings | toYaml | indent 2 }} 49 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/hooks/cleanup.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
batch/v1 2 | kind: Job 3 | metadata: 4 | name: "{{ template "spinnaker.fullname" . }}-cleanup-using-hal" 5 | labels: 6 | {{ include "spinnaker.standard-labels" . | indent 4 }} 7 | component: halyard 8 | annotations: 9 | "helm.sh/hook": "pre-delete" 10 | "helm.sh/hook-delete-policy": "before-hook-creation" 11 | spec: 12 | template: 13 | metadata: 14 | {{- if .Values.halyard.annotations }} 15 | annotations: 16 | {{ toYaml .Values.halyard.annotations | indent 8 }} 17 | {{- end }} 18 | labels: 19 | {{ include "spinnaker.standard-labels" . | indent 8 }} 20 | component: halyard 21 | spec: 22 | restartPolicy: OnFailure 23 | volumes: 24 | - name: halyard-config 25 | configMap: 26 | name: {{ template "spinnaker.fullname" . }}-halyard-config 27 | {{- if .Values.halyard.image.pullSecrets }} 28 | imagePullSecrets: 29 | {{- range .Values.halyard.image.pullSecrets }} 30 | - name: {{ . }} 31 | {{- end}} 32 | {{- end}} 33 | containers: 34 | - name: halyard-install 35 | image: {{ .Values.halyard.image.repository }}:{{ .Values.halyard.image.tag }} 36 | volumeMounts: 37 | - name: halyard-config 38 | mountPath: /opt/halyard/scripts 39 | command: 40 | - bash 41 | - -xe 42 | - "/opt/halyard/scripts/clean.sh" 43 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/hooks/install-using-hal.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: "{{ .Release.Name }}-install-using-hal" 5 | labels: 6 | {{ include "spinnaker.standard-labels" . | indent 4 }} 7 | annotations: 8 | "helm.sh/hook": "post-install,post-upgrade" 9 | "helm.sh/hook-delete-policy": "before-hook-creation" 10 | "helm.sh/hook-weight": "0" 11 | spec: 12 | template: 13 | metadata: 14 | annotations: 15 | checksum/config: {{ include (print $.Template.BasePath "/configmap/halyard-config.yaml") . 
| sha256sum }} 16 | {{- if .Values.halyard.annotations }} 17 | {{ toYaml .Values.halyard.annotations | indent 8 }} 18 | {{- end }} 19 | labels: 20 | {{ include "spinnaker.standard-labels" . | indent 8 }} 21 | spec: 22 | {{- if .Values.serviceAccount.halyardName }} 23 | serviceAccountName: {{ .Values.serviceAccount.halyardName }} 24 | {{- else }} 25 | serviceAccountName: {{ template "spinnaker.fullname" . }}-halyard 26 | {{- end }} 27 | securityContext: 28 | runAsUser: {{ .Values.securityContext.runAsUser }} 29 | fsGroup: {{ .Values.securityContext.fsGroup }} 30 | {{- if .Values.nodeSelector }} 31 | nodeSelector: 32 | {{ toYaml .Values.nodeSelector | indent 8 }} 33 | {{- end }} 34 | restartPolicy: OnFailure 35 | volumes: 36 | {{- if and .Values.kubeConfig.enabled .Values.kubeConfig.secretName }} 37 | - name: kube-config 38 | secret: 39 | secretName: {{ .Values.kubeConfig.secretName }} 40 | {{- end }} 41 | - name: halyard-config 42 | configMap: 43 | name: {{ template "spinnaker.fullname" . }}-halyard-config 44 | {{- if .Values.halyard.additionalScripts.enabled }} 45 | - name: additional-config 46 | configMap: 47 | name: {{ .Values.halyard.additionalScripts.configMapName }} 48 | {{- end }} 49 | {{- if or .Values.halyard.additionalSecrets.create (hasKey .Values.halyard.additionalSecrets "name") }} 50 | - name: additional-secrets 51 | secret: 52 | {{- if .Values.halyard.additionalSecrets.create }} 53 | secretName: {{ template "spinnaker.fullname" . }}-additional-secrets 54 | {{- else if .Values.halyard.additionalSecrets.name }} 55 | secretName: {{ .Values.halyard.additionalSecrets.name }} 56 | {{- end }} 57 | {{- end }} 58 | {{- if .Values.halyard.additionalConfigMaps.create }} 59 | - name: additional-config-maps 60 | configMap: 61 | name: {{ template "spinnaker.fullname" . }}-additional-config-maps 62 | {{- end }} 63 | {{- if .Values.halyard.additionalScripts.create }} 64 | - name: additional-scripts 65 | configMap: 66 | name: {{ template "spinnaker.fullname" . 
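}}-additional-scripts
67 |       {{- end }}
68 |       {{- if .Values.halyard.bom }}
69 |       - name: halyard-bom
70 |         configMap:
71 |           name: {{ template "spinnaker.fullname" . }}-halyard-bom
72 |       {{- end }}
73 |       {{- if .Values.gcs.enabled }}
74 |       - name: gcs-key
75 |         secret:
76 |           {{- if .Values.gcs.secretName }}
77 |           secretName: {{ .Values.gcs.secretName }}  # NOTE(review): secrets/gcs.yaml on this page names its Secret from .Values.gcs.secret, not .secretName - confirm the two keys are meant to differ
78 |           {{- else }}
79 |           secretName: {{ template "spinnaker.fullname" . }}-gcs
80 |           {{- end }}
81 |       {{- end }}
82 |       {{- if and .Values.s3.enabled .Values.s3.accessKey .Values.s3.secretKey }}
83 |       - name: s3-secrets  # Secret rendered by secrets/s3.yaml under the same condition
84 |         secret:
85 |           secretName: {{ template "spinnaker.fullname" .}}-s3
86 |       {{- end }}
87 |       {{- if .Values.halyard.image.pullSecrets }}{{/* guard on the same key the range below reads; the cleanup Job and the StatefulSet on this page already do */}}
88 |       imagePullSecrets:
89 |         {{- range .Values.halyard.image.pullSecrets }}
90 |         - name: {{ . }}
91 |         {{- end}}
92 |       {{- end}}
93 |       containers:
94 |       - name: halyard-install
95 |         image: {{ .Values.halyard.image.repository }}:{{ .Values.halyard.image.tag }}  # NOTE(review): referenced by tag only; this Job runs with the halyard ServiceAccount, so consider pinning a digest
96 |         volumeMounts:
97 |         - name: halyard-config
98 |           mountPath: /opt/halyard/scripts
99 |         {{- if .Values.halyard.additionalScripts.enabled }}
100 |         - name: additional-config
101 |           mountPath: /opt/halyard/additional
102 |         {{- end }}
103 |         {{- if or .Values.halyard.additionalSecrets.create (hasKey .Values.halyard.additionalSecrets "name") }}
104 |         - name: additional-secrets
105 |           mountPath: /opt/halyard/additionalSecrets
106 |         {{- end }}
107 |         {{- if .Values.halyard.additionalConfigMaps.create }}
108 |         - name: additional-config-maps
109 |           mountPath: /opt/halyard/additionalConfigMaps
110 |         {{- end }}
111 |         {{- if .Values.halyard.additionalScripts.create }}
112 |         - name: additional-scripts
113 |           mountPath: /opt/halyard/additionalScripts
114 |         {{- end }}
115 |         {{- if .Values.halyard.bom }}
116 |         - name: halyard-bom
117 |           mountPath: /opt/halyard/bom
118 |         {{- end }}
119 |         {{- if .Values.gcs.enabled }}
120 |         - name: gcs-key
121 |           mountPath: /opt/gcs
122 |         {{- end }}
123 |         {{- if and .Values.s3.enabled .Values.s3.accessKey .Values.s3.secretKey }}
124 | 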
- name: s3-secrets
125 |           mountPath: /opt/s3
126 |         {{- end }}
127 |         {{- if and .Values.kubeConfig.enabled .Values.kubeConfig.secretName }}
128 |         - name: kube-config
129 |           mountPath: /opt/kube
130 |         {{- end }}
131 |         command:
132 |         - bash
133 |         - -xe  # NOTE(review): -x prints every command with its expanded arguments to the Job log. Hal commands on this page pass secrets as arguments (--storage-account-key, --keystore-password); if they run under this shell, anyone who can read the pod log can read them. Drop -x, keep -e.
134 |         - "/opt/halyard/scripts/install.sh"
135 | 
--------------------------------------------------------------------------------
/helm-spinnaker/spinnaker/templates/ingress/deck.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.ingress.enabled }}
2 | apiVersion: extensions/v1beta1  # NOTE(review): this Ingress API version was removed in Kubernetes 1.22; newer clusters need networking.k8s.io/v1, which also changes the backend fields
3 | kind: Ingress
4 | metadata:
5 | {{- if .Values.ingress.annotations }}
6 |   annotations:
7 | {{ toYaml .Values.ingress.annotations | indent 4 }}
8 | {{- end }}
9 |   name: {{ template "spinnaker.fullname" . }}-deck
10 |   labels:
11 | {{ include "spinnaker.standard-labels" . | indent 4 }}
12 | spec:
13 |   rules:
14 |   - host: {{ .Values.ingress.host | quote }}
15 |     http:
16 |       paths:
17 |       {{- if index $.Values.ingress "annotations" }}
18 |       {{- if eq (index $.Values.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
19 |       - path: /*
20 |       {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
21 |       - path: /
22 |       {{- end }}
23 |       {{- else}}{{/* Has no annotations */}}
24 |       - path: /
25 |       {{- end }}
26 |         backend:
27 |           serviceName: spin-deck
28 |           servicePort: 9000
29 | {{- if .Values.ingress.tls }}
30 |   tls:  # only rendered when .Values.ingress.tls is set; otherwise this Ingress has no TLS section for the Deck UI
31 | {{ toYaml .Values.ingress.tls | indent 4 }}
32 | {{- end -}}
33 | {{- end }}
34 | 
--------------------------------------------------------------------------------
/helm-spinnaker/spinnaker/templates/ingress/gate.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.ingressGate.enabled }}
2 | apiVersion: extensions/v1beta1
3 | kind: Ingress
4 | metadata:
5 | {{- if .Values.ingressGate.annotations }}
6 |   annotations:
7 | {{ toYaml .Values.ingressGate.annotations | indent 4 }}
8 | {{- end
}} 9 | name: {{ template "spinnaker.fullname" . }}-gate 10 | labels: 11 | {{ include "spinnaker.standard-labels" . | indent 4 }} 12 | spec: 13 | rules: 14 | - host: {{ .Values.ingressGate.host | quote }} 15 | http: 16 | paths: 17 | {{- if index $.Values.ingress "annotations" }} 18 | {{- if eq (index $.Values.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }} 19 | - path: /* 20 | {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}} 21 | - path: / 22 | {{- end }} 23 | {{- else}}{{/* Has no annotations */}} 24 | - path: / 25 | {{- end }} 26 | backend: 27 | serviceName: spin-gate 28 | servicePort: 8084 29 | {{- if .Values.ingressGate.tls }} 30 | tls: 31 | {{ toYaml .Values.ingressGate.tls | indent 4 }} 32 | {{- end }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/rbac/halyard-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | {{- if .Values.serviceAccount.halyardName }} 6 | name: {{ .Values.serviceAccount.halyardName }} 7 | {{- else }} 8 | name: {{ template "spinnaker.fullname" . }}-halyard 9 | {{- end }} 10 | namespace: {{ .Release.Namespace }} 11 | labels: 12 | {{ include "spinnaker.standard-labels" . 
| indent 4 }} 13 | {{- if .Values.serviceAccount.serviceAccountAnnotations }} 14 | annotations: 15 | {{ toYaml .Values.serviceAccount.serviceAccountAnnotations | indent 4 }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/rbac/psp-halyard-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.pspEnabled }} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ template "spinnaker.fullname" . }}-halyard-psp 6 | labels: 7 | {{ include "spinnaker.standard-labels" . | indent 4 }} 8 | rules: 9 | - apiGroups: ['extensions'] 10 | resources: ['podsecuritypolicies'] 11 | verbs: ['use'] 12 | resourceNames: 13 | - {{ template "spinnaker.fullname" . }}-halyard 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/rbac/psp-halyard-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.pspEnabled }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: {{ template "spinnaker.fullname" . }}-halyard-psp 6 | labels: 7 | {{ include "spinnaker.standard-labels" . | indent 4 }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: Role 11 | name: {{ template "spinnaker.fullname" . }}-halyard-psp 12 | subjects: 13 | - kind: ServiceAccount 14 | {{- if .Values.serviceAccount.halyardName }} 15 | name: {{ .Values.serviceAccount.halyardName }} 16 | {{- else }} 17 | name: {{ template "spinnaker.fullname" . 
}}-halyard 18 | {{- end }} 19 | namespace: {{ .Release.Namespace }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/rbac/psp-halyard.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.pspEnabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ template "spinnaker.fullname" . }}-halyard 6 | labels: 7 | {{ include "spinnaker.standard-labels" . | indent 4 }} 8 | spec: 9 | privileged: false 10 | allowPrivilegeEscalation: false 11 | volumes: 12 | - 'configMap' 13 | - 'emptyDir' 14 | - 'persistentVolumeClaim' 15 | - 'secret' 16 | hostNetwork: false 17 | hostIPC: false 18 | hostPID: false 19 | runAsUser: 20 | rule: 'RunAsAny' 21 | seLinux: 22 | rule: 'RunAsAny' 23 | supplementalGroups: 24 | rule: 'RunAsAny' 25 | fsGroup: 26 | rule: 'RunAsAny' 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/rbac/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: {{ template "spinnaker.fullname" . }}-halyard 5 | labels: 6 | {{ include "spinnaker.standard-labels" . | indent 4 }} 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: ClusterRole 10 | name: edit 11 | subjects: 12 | - namespace: {{ .Release.Namespace }} 13 | kind: ServiceAccount 14 | {{- if .Values.serviceAccount.halyardName }} 15 | name: {{ .Values.serviceAccount.halyardName }} 16 | {{- else }} 17 | name: {{ template "spinnaker.fullname" . 
}}-halyard
18 |   {{- end }}
19 | 
--------------------------------------------------------------------------------
/helm-spinnaker/spinnaker/templates/rbac/spinnaker-sa.yaml:
--------------------------------------------------------------------------------
1 | # In the case of a local cluster Spinnaker needs
2 | # to be able to deploy to all namespaces in the cluster.
3 | {{- if not .Values.kubeConfig.enabled }}
4 | {{- if .Values.rbac.create }}
5 | apiVersion: rbac.authorization.k8s.io/v1
6 | kind: ClusterRoleBinding  # cluster-wide binding: the role below applies in every namespace, not only the release namespace
7 | metadata:
8 |   {{- if .Values.serviceAccount.spinnakerName }}
9 |   name: {{ .Values.serviceAccount.spinnakerName }}
10 |   {{- else }}
11 |   name: {{ template "spinnaker.fullname" . }}-spinnaker
12 |   {{- end }}
13 |   labels:
14 | {{ include "spinnaker.standard-labels" . | indent 4 }}
15 | roleRef:
16 |   apiGroup: rbac.authorization.k8s.io
17 |   kind: ClusterRole
18 |   name: cluster-admin  # NOTE(review): built-in superuser role; with a ClusterRoleBinding it allows any action on any resource in the cluster
19 | subjects:
20 | - namespace: {{ .Release.Namespace }}
21 |   kind: ServiceAccount
22 |   # Clouddriver does not currently allow config of its
23 |   # service account. NOTE(review): so cluster-admin goes to the namespace's "default" ServiceAccount, which every pod in the namespace that sets no serviceAccountName runs as (the pre-delete cleanup Job on this page is one). Keep unrelated workloads out of this namespace and confirm whether a dedicated account with a narrower role is possible.
24 |   name: default
25 | {{- end }}
26 | {{- end }}
27 | 
--------------------------------------------------------------------------------
/helm-spinnaker/spinnaker/templates/secrets/additional-secrets.yaml:
--------------------------------------------------------------------------------
1 | {{ if .Values.halyard.additionalSecrets.create -}}
2 | apiVersion: v1
3 | kind: Secret
4 | metadata:
5 |   name: {{ template "spinnaker.fullname" . }}-additional-secrets
6 |   labels:
7 | {{ include "spinnaker.standard-labels" .
| indent 4 }} 8 | data: 9 | {{- if and .Values.halyard.additionalSecrets.create .Values.halyard.additionalSecrets.data }} 10 | {{- range $index, $content := .Values.halyard.additionalSecrets.data }} 11 | {{ $index }}: |- 12 | {{ $content | indent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/secrets/gcs.yaml: -------------------------------------------------------------------------------- 1 | {{ if and .Values.gcs.enabled .Values.gcs.jsonKey }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | {{- if .Values.gcs.secret }} 6 | name: {{ .Values.gcs.secret }} 7 | {{- else }} 8 | name: {{ template "spinnaker.fullname" . }}-gcs 9 | {{- end }} 10 | labels: 11 | {{ include "spinnaker.standard-labels" . | indent 4 }} 12 | component: halyard 13 | type: Opaque 14 | data: 15 | key.json: {{ .Values.gcs.jsonKey | b64enc }} 16 | {{ end }} 17 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/secrets/registry.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.dockerRegistryAccountSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "spinnaker.fullname" . }}-registry 6 | labels: 7 | {{ include "spinnaker.standard-labels" . 
| indent 4 }} 8 | component: clouddriver 9 | type: Opaque 10 | data: 11 | {{- range $index, $account := .Values.dockerRegistries }} 12 | {{ $account.name }}: {{ default "" $account.password | b64enc | quote }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/secrets/s3.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (or .Values.s3.accessKey .Values.s3.secretKey) (not (and .Values.s3.accessKey .Values.s3.secretKey)) -}} 2 | {{ fail "S3: If providing credentials, accessKey and secretKey must be both set." }} 3 | {{- end -}} 4 | 5 | {{- if and .Values.s3.enabled .Values.s3.accessKey .Values.s3.secretKey }} 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: {{ template "spinnaker.fullname" . }}-s3 10 | labels: 11 | {{ include "spinnaker.standard-labels" . | indent 4 }} 12 | component: halyard 13 | type: Opaque 14 | data: 15 | accessKey: {{ .Values.s3.accessKey | b64enc | quote }} 16 | secretKey: {{ .Values.s3.secretKey | b64enc | quote }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/services/halyard.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "spinnaker.fullname" . }}-halyard 5 | labels: 6 | {{ include "spinnaker.standard-labels" . | indent 4 }} 7 | component: halyard 8 | spec: 9 | ports: 10 | - port: 8064 11 | name: daemon 12 | clusterIP: None 13 | selector: 14 | app: {{ template "spinnaker.fullname" . 
}} 15 | component: halyard 16 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/templates/statefulsets/halyard.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: {{ template "spinnaker.fullname" . }}-halyard 5 | labels: 6 | {{ include "spinnaker.standard-labels" . | indent 4 }} 7 | spec: 8 | serviceName: {{ template "spinnaker.fullname" . }}-halyard 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | {{ include "spinnaker.standard-selector-labels" . | indent 6 }} 13 | component: halyard 14 | template: 15 | metadata: 16 | {{- if .Values.halyard.annotations }} 17 | annotations: 18 | {{ toYaml .Values.halyard.annotations | indent 8 }} 19 | {{- end }} 20 | labels: 21 | {{ include "spinnaker.standard-labels" . | indent 8 }} 22 | component: halyard 23 | spec: 24 | {{- if .Values.serviceAccount.halyardName }} 25 | serviceAccountName: {{ .Values.serviceAccount.halyardName }} 26 | {{- else }} 27 | serviceAccountName: {{ template "spinnaker.fullname" . 
}}-halyard 28 | {{- end }} 29 | securityContext: 30 | runAsUser: {{ .Values.securityContext.runAsUser }} 31 | fsGroup: {{ .Values.securityContext.fsGroup }} 32 | {{- if .Values.nodeSelector }} 33 | nodeSelector: 34 | {{ toYaml .Values.nodeSelector | indent 8 }} 35 | {{- end }} 36 | {{- if .Values.tolerations }} 37 | tolerations: 38 | {{ toYaml .Values.tolerations | indent 8 }} 39 | {{- end }} 40 | initContainers: 41 | - name: "create-halyard-local" 42 | image: {{ .Values.halyard.image.repository }}:{{ .Values.halyard.image.tag }} 43 | command: 44 | - bash 45 | - /tmp/initscript/init.sh 46 | volumeMounts: 47 | - name: halyard-config 48 | mountPath: /tmp/config 49 | - name: service-settings 50 | mountPath: /tmp/service-settings 51 | {{- if .Values.halyard.serviceConfigs }} 52 | - name: service-configs 53 | mountPath: /tmp/service-configs 54 | {{- end }} 55 | - name: halyard-home 56 | mountPath: /tmp/spinnaker 57 | - name: additional-profile-config-maps 58 | mountPath: /tmp/additionalProfileConfigMaps 59 | {{- if .Values.halyard.bom }} 60 | - name: halyard-bom 61 | mountPath: /tmp/halyard-bom 62 | {{- end }} 63 | - name: halyard-initscript 64 | mountPath: /tmp/initscript 65 | {{- if .Values.halyard.customCerts.enabled }} 66 | - mountPath: /etc/ssl/certs/java/cacerts 67 | subPath: cacerts 68 | name: cacerts 69 | {{- end }} 70 | {{- if .Values.halyard.env }} 71 | env: 72 | {{ toYaml .Values.halyard.env | indent 8 }} 73 | {{- end }} 74 | volumes: 75 | {{- if not .Values.halyard.persistence.enabled }} 76 | - name: halyard-home 77 | emptyDir: {} 78 | {{- end }} 79 | {{- if and .Values.kubeConfig.enabled .Values.kubeConfig.secretName }} 80 | - name: kube-config 81 | secret: 82 | secretName: {{ .Values.kubeConfig.secretName }} 83 | {{- end }} 84 | {{- if .Values.gcs.enabled }} 85 | - name: gcs-key 86 | secret: 87 | {{- if .Values.gcs.secretName }} 88 | secretName: {{ .Values.gcs.secretName }} 89 | {{- else }} 90 | secretName: {{ template "spinnaker.fullname" . 
}}-gcs 91 | {{- end }} 92 | {{- end }} 93 | - name: reg-secrets 94 | secret: 95 | {{- if .Values.dockerRegistryAccountSecret }} 96 | secretName: {{ .Values.dockerRegistryAccountSecret }} 97 | {{- else }} 98 | secretName: {{ template "spinnaker.fullname" . }}-registry 99 | {{- end }} 100 | {{- if and .Values.s3.enabled .Values.s3.accessKey .Values.s3.secretKey }} 101 | - name: s3-secrets 102 | secret: 103 | secretName: {{ template "spinnaker.fullname" . }}-s3 104 | {{- end }} 105 | {{- if or .Values.halyard.additionalSecrets.create (hasKey .Values.halyard.additionalSecrets "name") }} 106 | - name: additional-secrets 107 | secret: 108 | {{- if .Values.halyard.additionalSecrets.create }} 109 | secretName: {{ template "spinnaker.fullname" . }}-additional-secrets 110 | {{- else if .Values.halyard.additionalSecrets.name }} 111 | secretName: {{ .Values.halyard.additionalSecrets.name }} 112 | {{- end }} 113 | {{- end }} 114 | {{- if or .Values.halyard.additionalConfigMaps.create (hasKey .Values.halyard.additionalConfigMaps "name") }} 115 | - name: additional-config-maps 116 | configMap: 117 | {{- if .Values.halyard.additionalConfigMaps.create }} 118 | name: {{ template "spinnaker.fullname" . }}-additional-config-maps 119 | {{- else if .Values.halyard.additionalConfigMaps.name }} 120 | name: {{ .Values.halyard.additionalConfigMaps.name }} 121 | {{- end }} 122 | {{- end }} 123 | - name: additional-profile-config-maps 124 | configMap: 125 | name: {{ template "spinnaker.fullname" . }}-additional-profile-config-maps 126 | {{- if .Values.halyard.bom }} 127 | - name: halyard-bom 128 | configMap: 129 | name: {{ template "spinnaker.fullname" . }}-halyard-bom 130 | {{- end }} 131 | - name: halyard-config 132 | emptyDir: {} 133 | - name: service-settings 134 | configMap: 135 | name: {{ template "spinnaker.fullname" . }}-service-settings 136 | {{- if .Values.halyard.serviceConfigs }} 137 | - name: service-configs 138 | configMap: 139 | name: {{ template "spinnaker.fullname" . 
}}-service-configs 140 | {{- end }} 141 | - name: halyard-initscript 142 | configMap: 143 | name: {{ template "spinnaker.fullname" . }}-halyard-init-script 144 | {{- if .Values.halyard.customCerts.enabled }} 145 | - name: cacerts 146 | secret: 147 | secretName: {{ .Values.halyard.customCerts.secretName }} 148 | items: 149 | - key: cacerts 150 | path: cacerts 151 | {{- end }} 152 | {{- if .Values.halyard.image.pullSecrets }} 153 | imagePullSecrets: 154 | {{- range .Values.halyard.image.pullSecrets }} 155 | - name: {{ . }} 156 | {{- end}} 157 | {{- end}} 158 | containers: 159 | - name: halyard 160 | image: {{ .Values.halyard.image.repository }}:{{ .Values.halyard.image.tag }} 161 | ports: 162 | - containerPort: 8064 163 | name: daemon 164 | {{- if .Values.halyard.resources }} 165 | resources: 166 | {{ toYaml .Values.halyard.resources | indent 10 }} 167 | {{- end }} 168 | volumeMounts: 169 | {{- if .Values.gcs.enabled }} 170 | - name: gcs-key 171 | mountPath: /opt/gcs 172 | {{- end }} 173 | {{- if and .Values.s3.enabled .Values.s3.accessKey .Values.s3.secretKey }} 174 | - name: s3-secrets 175 | mountPath: /opt/s3 176 | {{- end }} 177 | {{- if and .Values.kubeConfig.enabled .Values.kubeConfig.secretName }} 178 | - name: kube-config 179 | mountPath: /opt/kube 180 | {{- end }} 181 | {{- if or .Values.halyard.additionalSecrets.create (hasKey .Values.halyard.additionalSecrets "name") }} 182 | - name: additional-secrets 183 | mountPath: /opt/halyard/additionalSecrets 184 | {{- end }} 185 | {{- if or .Values.halyard.additionalConfigMaps.create (hasKey .Values.halyard.additionalConfigMaps "name") }} 186 | - name: additional-config-maps 187 | mountPath: /opt/halyard/additionalConfigMaps 188 | {{- end }} 189 | - name: halyard-home 190 | mountPath: /home/spinnaker 191 | - name: halyard-config 192 | mountPath: /opt/halyard/config 193 | - name: reg-secrets 194 | mountPath: /opt/registry/passwords 195 | {{- if .Values.halyard.customCerts.enabled }} 196 | - mountPath: 
/etc/ssl/certs/java/cacerts 197 | subPath: cacerts 198 | name: cacerts 199 | {{- end }} 200 | {{- if .Values.halyard.env }} 201 | env: 202 | {{ toYaml .Values.halyard.env | indent 8 }} 203 | {{- end }} 204 | {{- if .Values.halyard.persistence.enabled }} 205 | volumeClaimTemplates: 206 | - metadata: 207 | name: halyard-home 208 | labels: 209 | {{ include "spinnaker.standard-labels-base" . | indent 8 }} 210 | spec: 211 | accessModes: [ "ReadWriteOnce" ] 212 | {{- with .Values.halyard.persistence.storageClass }} 213 | storageClassName: {{ . }} 214 | {{- end }} 215 | resources: 216 | requests: 217 | storage: 10Gi 218 | {{- end }} 219 | -------------------------------------------------------------------------------- /helm-spinnaker/spinnaker/values_saml.yaml: -------------------------------------------------------------------------------- 1 | # Configure ingress to allow access to both gate and deck from your machine: 2 | ingress: 3 | enabled: true 4 | host: spinnaker.example.com 5 | annotations: 6 | ingress.kubernetes.io/ssl-redirect: 'true' 7 | kubernetes.io/ingress.class: nginx 8 | kubernetes.io/tls-acme: "true" 9 | certmanager.k8s.io/cluster-issuer: letsencrypt-prod 10 | tls: 11 | - secretName: deck-tls 12 | hosts: 13 | - spinnaker.example.com 14 | 15 | ingressGate: 16 | enabled: true 17 | host: gate.spinnaker.example.com 18 | annotations: 19 | ingress.kubernetes.io/ssl-redirect: 'true' 20 | kubernetes.io/ingress.class: nginx 21 | kubernetes.io/tls-acme: "true" 22 | certmanager.k8s.io/cluster-issuer: letsencrypt-prod 23 | tls: 24 | - secretName: gate-tls 25 | hosts: 26 | - gate.spinnaker.example.com 27 | 28 | # Configure halyard to support saml 29 | halyard: 30 | # Provide a config map with Hal commands that will be run the core config (storage) 31 | # The config map should contain a script in the config.sh key 32 | additionalSecrets: 33 | create: true 34 | data: 35 | keystore.p12: aW4tc2VjcmV0cwo= # base64 encoded keystore in pkcs12 format 36 | password.txt: 
aW4tc2VjcmV0cwo= # base64 encoded password for the keystore (placeholder value; NOTE(review): supply the real one at install time from a file kept out of version control rather than committing it here)
37 |       metadata.xml: aW4tc2VjcmV0cwo= # base64 encoded metadata.xml file from your SAML authenticator
38 |   additionalConfigMaps:
39 |     create: true
40 |     data:
41 |       config.src: |-
42 |         KEYSTORE_ALIAS=saml # Alias in the keystore for the cert
43 |         GATE_URL="https://gate.spinnaker.example.com" # URL to access your gate
44 |         DECK_URL="https://spinnaker.example.com" # Url to access your deck
45 | 
46 |         # Put the keystore, metadata, and keystore password in these files under additionalSecrets
47 |         KEYSTORE_FILE=/opt/halyard/additionalSecrets/keystore.p12
48 |         PASSWORD_FILE=/opt/halyard/additionalSecrets/password.txt
49 |         METADATA_FILE=/opt/halyard/additionalSecrets/metadata.xml
50 |   additionalScripts:
51 |     create: true
52 |     data:
53 |       configure_saml.sh: |
54 |         # This source file contains these variables:
55 |         # -> GATE_URL DECK_URL KEYSTORE_FILE PASSWORD_FILE METADATA_FILE KEYSTORE_ALIAS
56 |         # I put config.src in additionalConfigMaps so you can break it out into a separate values.yaml file
57 |         # You should create both halyard.additionalConfigMaps.data.config.src AND halyard.additionalConfigMaps.create = true
58 |         source /opt/halyard/additionalConfigMaps/config.src
59 | 
60 |         KEYSTORE_PASSWORD="$( cat "$PASSWORD_FILE" )"  # NOTE(review): the value is passed below as a command-line argument, so it shows up in the process list and, if this script runs under the install Job's "bash -xe", in the Job log. Check whether hal can take it another way, or run without -x.
61 | 
62 |         $HAL_COMMAND config security ui edit --override-base-url "$DECK_URL"
63 |         $HAL_COMMAND config security api edit --override-base-url "$GATE_URL"
64 |         $HAL_COMMAND config security authn saml edit \
65 |           --keystore "$KEYSTORE_FILE" \
66 |           --keystore-alias "$KEYSTORE_ALIAS" \
67 |           --keystore-password "$KEYSTORE_PASSWORD" \
68 |           --metadata "$METADATA_FILE" \
69 |           --issuer-id "$GATE_URL" \
70 |           --no-validate \
71 |           --service-address-url "$GATE_URL"
72 |         $HAL_COMMAND config security authn saml enable
73 | 
--------------------------------------------------------------------------------
/minio/README.md:
--------------------------------------------------------------------------------
1 | 
2 | ##
minio install 3 | 4 | - 如果从头配置来部署可以参考步骤[0,1,2,3] 5 | - 如果你想使用当前仓库中的minio ,直接下载代码,然后运行部署[0,2,3] 6 | 7 | 8 | ## 0.准备一个pv 9 | 10 | 我这里用的nfs,可按需修改哦。 11 | 12 | ``` 13 | kind: PersistentVolume 14 | apiVersion: v1 15 | metadata: 16 | name: ci-minio-pv 17 | namespace: devops 18 | spec: 19 | accessModes: 20 | - ReadWriteOnce 21 | capacity: 22 | storage: 50Gi 23 | persistentVolumeReclaimPolicy: Retain 24 | storageClassName: manual 25 | nfs: 26 | path: /data/devops/minio-data 27 | server: 192.168.1.200 28 | 29 | 30 | 31 | kubectl create -f pv.yaml 32 | 33 | ``` 34 | 35 | ## 1.获取最新minio charts 36 | 37 | ``` 38 | helm search repo stable/minio 39 | helm fetch stable/minio --version 5.0.33 40 | 41 | tar xf xxxx.tar 42 | vim minio/values.yaml 43 | 44 | ``` 45 | 46 | ## 2.替换values.yaml内容 47 | 48 | 我已经替换好了哦,大家需要按需修改pvc配置和ingress访问配置,其他配置也可以自定义。 49 | 50 | 51 | 52 | ```yaml 53 | configPathmc: "/root/.mc/" 54 | 55 | 56 | #pvc 57 | persistence: 58 | enabled: true 59 | storageClass: "manual" 60 | VolumeName: "ci-minio-pv" 61 | accessMode: ReadWriteOnce 62 | size: 50Gi 63 | 64 | #ingress 65 | ingress: 66 | enabled: true 67 | labels: {} 68 | # node-role.kubernetes.io/ingress: platform 69 | 70 | annotations: 71 | kubernetes.io/ingress.class: nginx 72 | path: / 73 | hosts: 74 | - minio.idevops.site 75 | tls: [] 76 | ``` 77 | 78 | ## 3.部署 79 | ``` 80 | helm install minio -n devops ./minio 81 | ``` 82 | -------------------------------------------------------------------------------- /minio/minio/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /minio/minio/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: master 3 | deprecated: true 4 | description: DEPRECATED MinIO is a high performance data infrastructure for machine 5 | learning, analytics and application data workloads. 6 | home: https://min.io 7 | icon: https://min.io/resources/img/logo/MINIO_wordmark.png 8 | keywords: 9 | - storage 10 | - object-storage 11 | - S3 12 | name: minio 13 | sources: 14 | - https://github.com/minio/minio 15 | version: 5.0.33 16 | -------------------------------------------------------------------------------- /minio/minio/ci/distributed-values.yaml: -------------------------------------------------------------------------------- 1 | mode: distributed 2 | -------------------------------------------------------------------------------- /minio/minio/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.service.type "ClusterIP" "NodePort" }} 2 | Minio can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: 3 | {{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local 4 | 5 | To access Minio from localhost, run the below commands: 6 | 7 | 1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 8 | 9 | 2. 
kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }} 10 | 11 | Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/ 12 | 13 | You can now access Minio server on http://localhost:9000. Follow the below steps to connect to Minio server with mc client: 14 | 15 | 1. Download the Minio mc client - https://docs.minio.io/docs/minio-client-quickstart-guide 16 | 17 | 2. mc config host add {{ template "minio.fullname" . }}-local http://localhost:9000 {{ .Values.accessKey }} {{ .Values.secretKey }} S3v4 18 | 19 | 3. mc ls {{ template "minio.fullname" . }}-local 20 | 21 | Alternately, you can use your browser or the Minio SDK to access the server - https://docs.minio.io/categories/17 22 | {{- end }} 23 | {{- if eq .Values.service.type "LoadBalancer" }} 24 | Minio can be accessed via port {{ .Values.service.port }} on an external IP address. Get the service external IP address by: 25 | kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }} 26 | 27 | Note that the public IP may take a couple of minutes to be available. 28 | 29 | You can now access Minio server on http://<External-IP>:9000. Follow the below steps to connect to Minio server with mc client: 30 | 31 | 1. Download the Minio mc client - https://docs.minio.io/docs/minio-client-quickstart-guide 32 | 33 | 2. mc config host add {{ template "minio.fullname" . }}-local http://<External-IP>:{{ .Values.service.port }} {{ .Values.accessKey }} {{ .Values.secretKey }} S3v4 34 | 35 | 3. mc ls {{ template "minio.fullname" . }}-local 36 | 37 | Alternately, you can use your browser or the Minio SDK to access the server - https://docs.minio.io/categories/17 38 | {{- end }} 39 | 40 | {{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} 41 | Note: Since NetworkPolicy is enabled, only pods with label 42 | {{ template "minio.fullname" . }}-client=true 43 | will be able to connect to this minio cluster. 
44 | {{- end }} 45 | -------------------------------------------------------------------------------- /minio/minio/templates/_helper_create_bucket.txt: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e ; # Have script exit in the event of a failed command. 3 | 4 | {{- if .Values.configPathmc }} 5 | MC_CONFIG_DIR="{{ .Values.configPathmc }}" 6 | MC="/usr/bin/mc --config-dir ${MC_CONFIG_DIR}" 7 | {{- else }} 8 | MC="/usr/bin/mc" 9 | {{- end }} 10 | 11 | # connectToMinio ($scheme) 12 | # Use a check-sleep-check loop to wait for Minio service to be available 13 | connectToMinio() { 14 | SCHEME=$1 15 | ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts 16 | set -e ; # fail if we can't read the keys. 17 | ACCESS=$(cat /config/accesskey) ; SECRET=$(cat /config/secretkey) ; 18 | set +e ; # The connections to minio are allowed to fail. 19 | echo "Connecting to Minio server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ; 20 | MC_COMMAND="${MC} config host add myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ; # NOTE(review): access and secret key are passed to mc as command-line arguments, so they are visible in the pod's process list while mc runs 21 | $MC_COMMAND ; 22 | STATUS=$? ; 23 | until [ $STATUS = 0 ] 24 | do 25 | ATTEMPTS=`expr $ATTEMPTS + 1` ; 26 | echo \"Failed attempts: $ATTEMPTS\" ; 27 | if [ $ATTEMPTS -gt $LIMIT ]; then 28 | exit 1 ; 29 | fi ; 30 | sleep 2 ; # 2 second intervals between attempts 31 | $MC_COMMAND ; 32 | STATUS=$? ; 33 | done ; 34 | set -e ; # reset `e` as active 35 | return 0 36 | } 37 | 38 | # checkBucketExists ($bucket) 39 | # Check if the bucket exists, by using the exit code of `mc ls` 40 | checkBucketExists() { 41 | BUCKET=$1 42 | CMD=$(${MC} ls myminio/$BUCKET > /dev/null 2>&1) 43 | return $? 
44 | } 45 | 46 | # createBucket ($bucket, $policy, $purge) 47 | # Ensure bucket exists, purging if asked to 48 | createBucket() { 49 | BUCKET=$1 50 | POLICY=$2 51 | PURGE=$3 52 | 53 | # Purge the bucket, if set & exists 54 | # Since PURGE is user input, check explicitly for `true` 55 | if [ $PURGE = true ]; then 56 | if checkBucketExists $BUCKET ; then 57 | echo "Purging bucket '$BUCKET'." 58 | set +e ; # don't exit if this fails 59 | ${MC} rm -r --force myminio/$BUCKET 60 | set -e ; # reset `e` as active 61 | else 62 | echo "Bucket '$BUCKET' does not exist, skipping purge." 63 | fi 64 | fi 65 | 66 | # Create the bucket if it does not exist 67 | if ! checkBucketExists $BUCKET ; then 68 | echo "Creating bucket '$BUCKET'" 69 | ${MC} mb myminio/$BUCKET 70 | else 71 | echo "Bucket '$BUCKET' already exists." 72 | fi 73 | 74 | # At this point, the bucket should exist, skip checking for existence 75 | # Set policy on the bucket 76 | echo "Setting policy of bucket '$BUCKET' to '$POLICY'." 77 | ${MC} policy set $POLICY myminio/$BUCKET 78 | } 79 | 80 | # Try connecting to Minio instance 81 | {{- if .Values.tls.enabled }} 82 | scheme=https 83 | {{- else }} 84 | scheme=http 85 | {{- end }} 86 | connectToMinio $scheme 87 | 88 | {{- if or .Values.defaultBucket.enabled }} 89 | # Create the bucket 90 | createBucket {{ .Values.defaultBucket.name }} {{ .Values.defaultBucket.policy }} {{ .Values.defaultBucket.purge }} 91 | {{ else if .Values.buckets }} 92 | # Create the buckets 93 | {{- range .Values.buckets }} 94 | createBucket {{ .name }} {{ .policy }} {{ .purge }} 95 | {{- end }} 96 | {{- end }} 97 | -------------------------------------------------------------------------------- /minio/minio/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 
4 | */}} 5 | {{- define "minio.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "minio.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "minio.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Return the appropriate apiVersion for networkpolicy. 36 | */}} 37 | {{- define "minio.networkPolicy.apiVersion" -}} 38 | {{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} 39 | {{- print "extensions/v1beta1" -}} 40 | {{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} 41 | {{- print "networking.k8s.io/v1" -}} 42 | {{- end -}} 43 | {{- end -}} 44 | 45 | {{/* 46 | Return the appropriate apiVersion for deployment. 47 | */}} 48 | {{- define "minio.deployment.apiVersion" -}} 49 | {{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.GitVersion -}} 50 | {{- print "apps/v1beta2" -}} 51 | {{- else -}} 52 | {{- print "apps/v1" -}} 53 | {{- end -}} 54 | {{- end -}} 55 | 56 | {{/* 57 | Return the appropriate apiVersion for statefulset. 
58 | */}} 59 | {{- define "minio.statefulset.apiVersion" -}} 60 | {{- if .Capabilities.APIVersions.Has "apps/v1beta2" -}} 61 | {{- print "apps/v1beta2" -}} 62 | {{- else -}} 63 | {{- print "apps/v1" -}} 64 | {{- end -}} 65 | {{- end -}} 66 | 67 | {{/* 68 | Return the appropriate apiVersion for ingress. 69 | */}} 70 | {{- define "minio.ingress.apiVersion" -}} 71 | {{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} 72 | {{- print "extensions/v1beta1" -}} 73 | {{- else -}} 74 | {{- print "networking.k8s.io/v1beta1" -}} 75 | {{- end -}} 76 | {{- end -}} 77 | 78 | {{/* 79 | Determine service account name for deployment or statefulset. 80 | */}} 81 | {{- define "minio.serviceAccountName" -}} 82 | {{- if .Values.serviceAccount.create -}} 83 | {{- default (include "minio.fullname" .) .Values.serviceAccount.name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 84 | {{- else -}} 85 | {{- default "default" .Values.serviceAccount.name -}} 86 | {{- end -}} 87 | {{- end -}} 88 | 89 | {{/* 90 | Properly format optional additional arguments to Minio binary 91 | */}} 92 | {{- define "minio.extraArgs" -}} 93 | {{- range .Values.extraArgs -}} 94 | {{ " " }}{{ . }} 95 | {{- end -}} 96 | {{- end -}} 97 | 98 | {{/* 99 | Return the proper Docker Image Registry Secret Names 100 | */}} 101 | {{- define "minio.imagePullSecrets" -}} 102 | {{/* 103 | Helm 2.11 supports the assignment of a value to a variable defined in a different scope, 104 | but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. 105 | Also, we can not use a single if because lazy evaluation is not an option 106 | */}} 107 | {{- if .Values.global }} 108 | {{- if .Values.global.imagePullSecrets }} 109 | imagePullSecrets: 110 | {{- range .Values.global.imagePullSecrets }} 111 | - name: {{ . 
}} 112 | {{- end }} 113 | {{- else if .Values.imagePullSecrets }} 114 | imagePullSecrets: 115 | {{ toYaml .Values.imagePullSecrets }} 116 | {{- end -}} 117 | {{- else if .Values.imagePullSecrets }} 118 | imagePullSecrets: 119 | {{ toYaml .Values.imagePullSecrets }} 120 | {{- end -}} 121 | {{- end -}} -------------------------------------------------------------------------------- /minio/minio/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ template "minio.fullname" . }} 5 | labels: 6 | app: {{ template "minio.name" . }} 7 | chart: {{ template "minio.chart" . }} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | data: 11 | initialize: |- 12 | {{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }} 13 | -------------------------------------------------------------------------------- /minio/minio/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | {{- $servicePort := .Values.service.port -}} 4 | {{- $ingressPath := .Values.ingress.path -}} 5 | apiVersion: {{ template "minio.ingress.apiVersion" . }} 6 | kind: Ingress 7 | metadata: 8 | name: {{ $fullName }} 9 | labels: 10 | app: {{ template "minio.name" . }} 11 | chart: {{ template "minio.chart" . }} 12 | release: {{ .Release.Name }} 13 | heritage: {{ .Release.Service }} 14 | {{- with .Values.ingress.labels }} 15 | {{ toYaml . | indent 4 }} 16 | {{- end }} 17 | 18 | {{- with .Values.ingress.annotations }} 19 | annotations: 20 | {{ toYaml . | indent 4 }} 21 | {{- end }} 22 | spec: 23 | {{- if .Values.ingress.tls }} 24 | tls: 25 | {{- range .Values.ingress.tls }} 26 | - hosts: 27 | {{- range .hosts }} 28 | - {{ . 
| quote }} 29 | {{- end }} 30 | secretName: {{ .secretName }} 31 | {{- end }} 32 | {{- end }} 33 | rules: 34 | {{- range .Values.ingress.hosts }} 35 | - http: 36 | paths: 37 | - path: {{ $ingressPath }} 38 | backend: 39 | serviceName: {{ $fullName }} 40 | servicePort: {{ $servicePort }} 41 | {{- if . }} 42 | host: {{ . | quote }} 43 | {{- end }} 44 | {{- end }} 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /minio/minio/templates/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.networkPolicy.enabled }} 2 | kind: NetworkPolicy 3 | apiVersion: {{ template "minio.networkPolicy.apiVersion" . }} 4 | metadata: 5 | name: {{ template "minio.fullname" . }} 6 | labels: 7 | app: {{ template "minio.name" . }} 8 | chart: {{ template "minio.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | spec: 12 | podSelector: 13 | matchLabels: 14 | app: {{ template "minio.name" . }} 15 | release: {{ .Release.Name }} 16 | ingress: 17 | - ports: 18 | - port: {{ .Values.service.port }} 19 | {{- if not .Values.networkPolicy.allowExternal }} 20 | from: 21 | - podSelector: 22 | matchLabels: 23 | {{ template "minio.name" . }}-client: "true" 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /minio/minio/templates/poddisruptionbudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.podDisruptionBudget.enabled }} 2 | apiVersion: policy/v1beta1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: minio 6 | labels: 7 | app: {{ template "minio.name" . }} 8 | spec: 9 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 10 | selector: 11 | matchLabels: 12 | app: {{ template "minio.name" . 
}} 13 | {{- end }} -------------------------------------------------------------------------------- /minio/minio/templates/post-install-create-bucket-job.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.defaultBucket.enabled .Values.buckets }} 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: {{ template "minio.fullname" . }}-make-bucket-job 6 | labels: 7 | app: {{ template "minio.name" . }}-make-bucket-job 8 | chart: {{ template "minio.chart" . }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | annotations: 12 | "helm.sh/hook": post-install,post-upgrade 13 | "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation 14 | {{- with .Values.makeBucketJob.annotations }} 15 | {{ toYaml . | indent 4 }} 16 | {{- end }} 17 | spec: 18 | template: 19 | metadata: 20 | labels: 21 | app: {{ template "minio.name" . }}-job 22 | release: {{ .Release.Name }} 23 | {{- if .Values.podLabels }} 24 | {{ toYaml .Values.podLabels | indent 8 }} 25 | {{- end }} 26 | spec: 27 | restartPolicy: OnFailure 28 | {{- include "minio.imagePullSecrets" . | indent 6 }} 29 | {{- if .Values.nodeSelector }} 30 | nodeSelector: 31 | {{ toYaml .Values.nodeSelector | indent 8 }} 32 | {{- end }} 33 | {{- with .Values.affinity }} 34 | affinity: 35 | {{ toYaml . | indent 8 }} 36 | {{- end }} 37 | {{- with .Values.tolerations }} 38 | tolerations: 39 | {{ toYaml . | indent 8 }} 40 | {{- end }} 41 | volumes: 42 | - name: minio-configuration 43 | projected: 44 | sources: 45 | - configMap: 46 | name: {{ template "minio.fullname" . }} 47 | - secret: 48 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . 
}}{{ end }} 49 | {{- if .Values.tls.enabled }} 50 | - name: cert-secret-volume-mc 51 | secret: 52 | secretName: {{ .Values.tls.certSecret }} 53 | items: 54 | - key: {{ .Values.tls.publicCrt }} 55 | path: CAs/public.crt 56 | {{ end }} 57 | serviceAccountName: {{ include "minio.serviceAccountName" . | quote }} 58 | containers: 59 | - name: minio-mc 60 | image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" 61 | imagePullPolicy: {{ .Values.mcImage.pullPolicy }} 62 | command: ["/bin/sh", "/config/initialize"] 63 | env: 64 | - name: MINIO_ENDPOINT 65 | value: {{ template "minio.fullname" . }} 66 | - name: MINIO_PORT 67 | value: {{ .Values.service.port | quote }} 68 | volumeMounts: 69 | - name: minio-configuration 70 | mountPath: /config 71 | {{- if .Values.tls.enabled }} 72 | - name: cert-secret-volume-mc 73 | mountPath: {{ .Values.configPathmc }}certs 74 | {{ end }} 75 | resources: 76 | {{ toYaml .Values.resources | indent 10 }} 77 | {{- end }} 78 | -------------------------------------------------------------------------------- /minio/minio/templates/post-install-prometheus-metrics-job.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metrics.serviceMonitor.enabled }} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: {{ $fullName }}-update-prometheus-secret 7 | labels: 8 | app: {{ template "minio.name" . }}-update-prometheus-secret 9 | chart: {{ template "minio.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | annotations: 13 | "helm.sh/hook": post-install,post-upgrade 14 | "helm.sh/hook-weight": "-5" 15 | "helm.sh/hook-delete-policy": hook-succeeded 16 | {{ toYaml .Values.updatePrometheusJob.annotations | indent 4 }} 17 | spec: 18 | template: 19 | metadata: 20 | labels: 21 | app: {{ template "minio.name" . 
}}-update-prometheus-secret 22 | release: {{ .Release.Name }} 23 | {{- if .Values.podLabels }} 24 | {{ toYaml .Values.podLabels | indent 8 }} 25 | {{- end }} 26 | spec: 27 | {{- if .Values.serviceAccount.create }} 28 | serviceAccountName: {{ $fullName }}-update-prometheus-secret 29 | {{- end }} 30 | restartPolicy: OnFailure 31 | {{- include "minio.imagePullSecrets" . | indent 6 }} 32 | {{- if .Values.nodeSelector }} 33 | nodeSelector: 34 | {{ toYaml .Values.nodeSelector | indent 8 }} 35 | {{- end }} 36 | {{- with .Values.affinity }} 37 | affinity: 38 | {{ toYaml . | indent 8 }} 39 | {{- end }} 40 | {{- with .Values.tolerations }} 41 | tolerations: 42 | {{ toYaml . | indent 8 }} 43 | {{- end }} 44 | volumes: 45 | - name: workdir 46 | emptyDir: {} 47 | initContainers: 48 | - name: minio-mc 49 | image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}" 50 | imagePullPolicy: {{ .Values.mcImage.pullPolicy }} 51 | command: 52 | - /bin/sh 53 | - "-c" 54 | - mc admin prometheus generate target --json --no-color -q > /workdir/mc.json 55 | env: 56 | # mc admin prometheus generate does not actually connect to the remote server, so a TLS cert isn't required. NOTE(review): the value below renders accessKey and secretKey in clear text into the Job's pod spec (readable by anyone who can view the Job or its pods) instead of referencing the chart's Secret 57 | - name: MC_HOST_target 58 | value: http{{ if .Values.tls.enabled }}s{{ end }}://{{ .Values.accessKey }}:{{ .Values.secretKey }}@{{ $fullName }}:{{ .Values.service.port }} 59 | volumeMounts: 60 | - name: workdir 61 | mountPath: /workdir 62 | resources: 63 | {{ toYaml .Values.resources | indent 12 }} 64 | # extract bearerToken from mc admin output 65 | - name: jq 66 | image: "{{ .Values.helmKubectlJqImage.repository }}:{{ .Values.helmKubectlJqImage.tag }}" 67 | imagePullPolicy: {{ .Values.helmKubectlJqImage.pullPolicy }} 68 | command: 69 | - /bin/sh 70 | - "-c" 71 | - jq -e -c -j -r .bearerToken < /workdir/mc.json > /workdir/token 72 | volumeMounts: 73 | - name: workdir 74 | mountPath: /workdir 75 | resources: 76 | {{ toYaml .Values.resources | indent 12 }} 77 | - name: kubectl-create 78 | image: "{{ 
.Values.helmKubectlJqImage.repository }}:{{ .Values.helmKubectlJqImage.tag }}" 79 | imagePullPolicy: {{ .Values.helmKubectlJqImage.pullPolicy }} 80 | command: 81 | - /bin/sh 82 | - "-c" 83 | # The following script does: 84 | # - get the servicemonitor that need this secret and copy some metadata and create the ownerreference for the secret file 85 | # - create the secret 86 | # - merge both json 87 | - > 88 | kubectl -n {{ .Release.Namespace }} get servicemonitor {{ $fullName }} -o json | 89 | jq -c '{metadata: {name: "{{ $fullName }}-prometheus", namespace: .metadata.namespace, labels: {app: .metadata.labels.app, release: .metadata.labels.release}, ownerReferences: [{apiVersion: .apiVersion, kind: .kind, blockOwnerDeletion: true, controller: true, uid: .metadata.uid, name: .metadata.name}]}}' > /workdir/metadata.json && 90 | kubectl create secret generic {{ $fullName }}-prometheus --from-file=token=/workdir/token --dry-run -o json > /workdir/secret.json && 91 | cat /workdir/secret.json /workdir/metadata.json | jq -s add > /workdir/object.json 92 | volumeMounts: 93 | - name: workdir 94 | mountPath: /workdir 95 | resources: 96 | {{ toYaml .Values.resources | indent 12 }} 97 | containers: 98 | - name: kubectl-apply 99 | image: "{{ .Values.helmKubectlJqImage.repository }}:{{ .Values.helmKubectlJqImage.tag }}" 100 | imagePullPolicy: {{ .Values.helmKubectlJqImage.pullPolicy }} 101 | command: 102 | - kubectl 103 | - apply 104 | - "-f" 105 | - /workdir/object.json 106 | volumeMounts: 107 | - name: workdir 108 | mountPath: /workdir 109 | resources: 110 | {{ toYaml .Values.resources | indent 12 }} 111 | {{- end }} 112 | -------------------------------------------------------------------------------- /minio/minio/templates/post-install-prometheus-metrics-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | {{- $fullName := include "minio.fullname" . 
-}} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: Role 5 | metadata: 6 | name: {{ $fullName }}-update-prometheus-secret 7 | labels: 8 | app: {{ template "minio.name" . }}-update-prometheus-secret 9 | chart: {{ template "minio.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | rules: 13 | - apiGroups: 14 | - "" 15 | resources: 16 | - secrets 17 | verbs: 18 | - get 19 | - create 20 | - update 21 | - patch 22 | resourceNames: 23 | - {{ $fullName }}-prometheus 24 | - apiGroups: 25 | - "" 26 | resources: 27 | - secrets 28 | verbs: 29 | - create 30 | - apiGroups: 31 | - monitoring.coreos.com 32 | resources: 33 | - servicemonitors 34 | verbs: 35 | - get 36 | resourceNames: 37 | - {{ $fullName }} 38 | {{- end -}} -------------------------------------------------------------------------------- /minio/minio/templates/post-install-prometheus-metrics-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: {{ $fullName }}-update-prometheus-secret 7 | labels: 8 | app: {{ template "minio.name" . }}-update-prometheus-secret 9 | chart: {{ template "minio.chart" . 
}} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ $fullName }}-update-prometheus-secret 16 | subjects: 17 | - kind: ServiceAccount 18 | name: {{ $fullName }}-update-prometheus-secret 19 | namespace: {{ .Release.Namespace | quote }} 20 | {{- end -}} -------------------------------------------------------------------------------- /minio/minio/templates/post-install-prometheus-metrics-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | {{- $fullName := include "minio.fullname" . -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ $fullName }}-update-prometheus-secret 7 | labels: 8 | app: {{ template "minio.name" . }}-update-prometheus-secret 9 | chart: {{ template "minio.chart" . }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | {{- end -}} -------------------------------------------------------------------------------- /minio/minio/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "standalone" }} 2 | {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ template "minio.fullname" . }} 7 | labels: 8 | app: {{ template "minio.name" . }} 9 | chart: {{ template "minio.chart" . 
}} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | {{- if and .Values.nasgateway.enabled .Values.nasgateway.pv }} 14 | selector: 15 | matchLabels: 16 | pv: {{ .Values.nasgateway.pv | quote }} 17 | {{- end }} 18 | accessModes: 19 | - {{ .Values.persistence.accessMode | quote }} 20 | resources: 21 | requests: 22 | storage: {{ .Values.persistence.size | quote }} 23 | 24 | {{- if .Values.persistence.storageClass }} 25 | {{- if (eq "-" .Values.persistence.storageClass) }} 26 | storageClassName: "" 27 | {{- else }} 28 | storageClassName: "{{ .Values.persistence.storageClass }}" 29 | {{- end }} 30 | {{- end }} 31 | {{- if .Values.persistence.VolumeName }} 32 | volumeName: "{{ .Values.persistence.VolumeName }}" 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /minio/minio/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "minio.fullname" . }} 6 | labels: 7 | app: {{ template "minio.name" . }} 8 | chart: {{ template "minio.chart" . 
}} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | type: Opaque 12 | data: 13 | accesskey: {{ if .Values.accessKey }}{{ .Values.accessKey | b64enc | quote }}{{ else }}{{ randAlphaNum 20 | b64enc | quote }}{{ end }} 14 | secretkey: {{ if .Values.secretKey }}{{ .Values.secretKey | b64enc | quote }}{{ else }}{{ randAlphaNum 40 | b64enc | quote }}{{ end }} 15 | {{- if .Values.gcsgateway.enabled }} 16 | gcs_key.json: {{ .Values.gcsgateway.gcsKeyJson | b64enc }} 17 | {{- end }} 18 | {{- if .Values.s3gateway.enabled -}} 19 | {{- if .Values.s3gateway.accessKey }} 20 | awsAccessKeyId: {{ .Values.s3gateway.accessKey | b64enc | quote }} 21 | {{- end }} 22 | {{- if .Values.s3gateway.secretKey }} 23 | awsSecretAccessKey: {{ .Values.s3gateway.secretKey | b64enc | quote }} 24 | {{- end }} 25 | {{- end }} 26 | {{- if .Values.etcd.clientCert }} 27 | etcd_client_cert.pem: {{ .Values.etcd.clientCert | b64enc | quote }} 28 | {{- end }} 29 | {{- if .Values.etcd.clientCertKey }} 30 | etcd_client_cert_key.pem: {{ .Values.etcd.clientCertKey | b64enc | quote }} 31 | {{- end }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /minio/minio/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "minio.fullname" . }} 5 | labels: 6 | app: {{ template "minio.name" . }} 7 | chart: {{ template "minio.chart" . 
}} 8 | release: {{ .Release.Name }} 9 | heritage: {{ .Release.Service }} 10 | {{- if .Values.service.annotations }} 11 | annotations: 12 | {{ toYaml .Values.service.annotations | indent 4 }} 13 | {{- end }} 14 | spec: 15 | {{- if (or (eq .Values.service.type "ClusterIP" "") (empty .Values.service.type)) }} 16 | type: ClusterIP 17 | {{- if not (empty .Values.service.clusterIP) }} 18 | clusterIP: {{ .Values.service.clusterIP }} 19 | {{end}} 20 | {{- else if eq .Values.service.type "LoadBalancer" }} 21 | type: {{ .Values.service.type }} 22 | loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }} 23 | {{- else }} 24 | type: {{ .Values.service.type }} 25 | {{- end }} 26 | ports: 27 | {{- if .Values.tls.enabled }} 28 | - name: https 29 | {{ else }} 30 | - name: http 31 | {{- end }} 32 | port: {{ .Values.service.port }} 33 | protocol: TCP 34 | {{- if (and (eq .Values.service.type "NodePort") ( .Values.service.nodePort)) }} 35 | nodePort: {{ .Values.service.nodePort }} 36 | {{- else }} 37 | targetPort: 9000 38 | {{- end}} 39 | {{- if .Values.service.externalIPs }} 40 | externalIPs: 41 | {{- range $i , $ip := .Values.service.externalIPs }} 42 | - {{ $ip }} 43 | {{- end }} 44 | {{- end }} 45 | selector: 46 | app: {{ template "minio.name" . }} 47 | release: {{ .Release.Name }} 48 | -------------------------------------------------------------------------------- /minio/minio/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "minio.serviceAccountName" . 
| quote }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | {{- end -}} 8 | -------------------------------------------------------------------------------- /minio/minio/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metrics.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ template "minio.fullname" . }} 6 | {{- if .Values.metrics.serviceMonitor.namespace }} 7 | namespace: {{ .Values.metrics.serviceMonitor.namespace }} 8 | {{- end }} 9 | labels: 10 | app: {{ template "minio.name" . }} 11 | chart: {{ template "minio.chart" . }} 12 | release: {{ .Release.Name }} 13 | heritage: {{ .Release.Service }} 14 | {{- if .Values.metrics.serviceMonitor.additionalLabels }} 15 | {{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} 16 | {{- end }} 17 | spec: 18 | endpoints: 19 | {{- if .Values.tls.enabled }} 20 | - port: https 21 | {{ else }} 22 | - port: http 23 | {{- end }} 24 | path: /minio/prometheus/metrics 25 | {{- if .Values.metrics.serviceMonitor.interval }} 26 | interval: {{ .Values.metrics.serviceMonitor.interval }} 27 | {{- end }} 28 | {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} 29 | scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} 30 | {{- end }} 31 | bearerTokenSecret: 32 | name: {{ template "minio.fullname" . }}-prometheus 33 | key: token 34 | namespaceSelector: 35 | matchNames: 36 | - {{ .Release.Namespace | quote }} 37 | selector: 38 | matchLabels: 39 | app: {{ include "minio.name" . 
}} 40 | release: {{ .Release.Name }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /minio/minio/templates/statefulset.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.mode "distributed" }} 2 | {{ $zoneCount := .Values.zones | int }} 3 | {{ $nodeCount := .Values.replicas | int }} 4 | {{ $drivesPerNode := .Values.drivesPerNode | int }} 5 | {{ $scheme := "http" }} 6 | {{- if .Values.tls.enabled }} 7 | {{ $scheme = "https" }} 8 | {{ end }} 9 | {{ $mountPath := .Values.mountPath }} 10 | {{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} 11 | {{ $subPath := .Values.persistence.subPath }} 12 | {{ $penabled := .Values.persistence.enabled }} 13 | {{ $accessMode := .Values.persistence.accessMode }} 14 | {{ $storageClass := .Values.persistence.storageClass }} 15 | {{ $psize := .Values.persistence.size }} 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: {{ template "minio.fullname" . }}-svc 20 | labels: 21 | app: {{ template "minio.name" . }} 22 | chart: {{ template "minio.chart" . }} 23 | release: "{{ .Release.Name }}" 24 | heritage: "{{ .Release.Service }}" 25 | spec: 26 | publishNotReadyAddresses: true 27 | clusterIP: None 28 | ports: 29 | {{- if .Values.tls.enabled }} 30 | - name: https 31 | {{ else }} 32 | - name: http 33 | {{- end }} 34 | port: {{ .Values.service.port }} 35 | protocol: TCP 36 | selector: 37 | app: {{ template "minio.name" . }} 38 | release: {{ .Release.Name }} 39 | --- 40 | apiVersion: {{ template "minio.statefulset.apiVersion" . }} 41 | kind: StatefulSet 42 | metadata: 43 | name: {{ template "minio.fullname" . }} 44 | labels: 45 | app: {{ template "minio.name" . }} 46 | chart: {{ template "minio.chart" . 
}} 47 | release: {{ .Release.Name }} 48 | heritage: {{ .Release.Service }} 49 | spec: 50 | updateStrategy: 51 | type: {{ .Values.StatefulSetUpdate.updateStrategy }} 52 | podManagementPolicy: "Parallel" 53 | serviceName: {{ template "minio.fullname" . }}-svc 54 | replicas: {{ mul $zoneCount $nodeCount }} 55 | selector: 56 | matchLabels: 57 | app: {{ template "minio.name" . }} 58 | release: {{ .Release.Name }} 59 | template: 60 | metadata: 61 | name: {{ template "minio.fullname" . }} 62 | labels: 63 | app: {{ template "minio.name" . }} 64 | release: {{ .Release.Name }} 65 | {{- if .Values.podLabels }} 66 | {{ toYaml .Values.podLabels | indent 8 }} 67 | {{- end }} 68 | annotations: 69 | checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} 70 | checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 71 | {{- if .Values.podAnnotations }} 72 | {{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }} 73 | {{- end }} 74 | spec: 75 | {{- if .Values.priorityClassName }} 76 | priorityClassName: "{{ .Values.priorityClassName }}" 77 | {{- end }} 78 | serviceAccountName: {{ include "minio.serviceAccountName" . 
| quote }} 79 | {{- if and .Values.securityContext.enabled .Values.persistence.enabled }} 80 | securityContext: 81 | runAsUser: {{ .Values.securityContext.runAsUser }} 82 | runAsGroup: {{ .Values.securityContext.runAsGroup }} 83 | fsGroup: {{ .Values.securityContext.fsGroup }} 84 | {{- end }} 85 | containers: 86 | - name: {{ .Chart.Name }} 87 | image: {{ .Values.image.repository }}:{{ .Values.image.tag }} 88 | imagePullPolicy: {{ .Values.image.pullPolicy }} 89 | 90 | command: [ "/bin/sh", 91 | "-ce", 92 | "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} server {{- range $i := until $zoneCount }}{{ $factor := mul $i $nodeCount }}{{ $endIndex := add $factor $nodeCount }}{{ $beginIndex := mul $i $nodeCount }} {{ $scheme }}://{{ template `minio.fullname` $ }}-{{ `{` }}{{ $beginIndex }}...{{ sub $endIndex 1 }}{{ `}`}}.{{ template `minio.fullname` $ }}-svc.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}{{if (gt $drivesPerNode 1)}}{{ $bucketRoot }}-{{ `{` }}0...{{ sub $drivesPerNode 1 }}{{ `}` }}{{else}}{{ $bucketRoot }}{{end}}{{- end}}{{- template `minio.extraArgs` . 
}}" ] 93 | volumeMounts: 94 | {{- if $penabled }} 95 | {{- if (gt $drivesPerNode 1) }} 96 | {{- range $i := until $drivesPerNode }} 97 | - name: export-{{ $i }} 98 | mountPath: {{ $mountPath }}-{{ $i }} 99 | {{- if and $penabled $subPath }} 100 | subPath: {{ $subPath }} 101 | {{- end }} 102 | {{- end }} 103 | {{- else }} 104 | - name: export 105 | mountPath: {{ $mountPath }} 106 | {{- if and $penabled $subPath }} 107 | subPath: {{ $subPath }} 108 | {{- end }} 109 | {{- end }} 110 | {{- end }} 111 | {{- if .Values.tls.enabled }} 112 | - name: cert-secret-volume 113 | mountPath: {{ .Values.certsPath }} 114 | {{ end }} 115 | ports: 116 | {{- if .Values.tls.enabled }} 117 | - name: https 118 | {{ else }} 119 | - name: http 120 | {{- end }} 121 | containerPort: 9000 122 | env: 123 | - name: MINIO_ACCESS_KEY 124 | valueFrom: 125 | secretKeyRef: 126 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . }}{{ end }} 127 | key: accesskey 128 | - name: MINIO_SECRET_KEY 129 | valueFrom: 130 | secretKeyRef: 131 | name: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . 
}}{{ end }} 132 | key: secretkey 133 | {{- range $key, $val := .Values.environment }} 134 | - name: {{ $key }} 135 | value: {{ $val | quote }} 136 | {{- end}} 137 | livenessProbe: 138 | httpGet: 139 | path: /minio/health/live 140 | {{- if .Values.tls.enabled }} 141 | port: https 142 | {{ else }} 143 | port: http 144 | {{- end }} 145 | {{- if .Values.tls.enabled }} 146 | scheme: HTTPS 147 | {{ else }} 148 | scheme: HTTP 149 | {{- end }} 150 | initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} 151 | periodSeconds: {{ .Values.livenessProbe.periodSeconds }} 152 | timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} 153 | successThreshold: {{ .Values.livenessProbe.successThreshold }} 154 | failureThreshold: {{ .Values.livenessProbe.failureThreshold }} 155 | readinessProbe: 156 | httpGet: 157 | path: /minio/health/ready 158 | {{- if .Values.tls.enabled }} 159 | port: https 160 | {{ else }} 161 | port: http 162 | {{- end }} 163 | {{- if .Values.tls.enabled }} 164 | scheme: HTTPS 165 | {{ else }} 166 | scheme: HTTP 167 | {{- end }} 168 | initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} 169 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 170 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 171 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 172 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 173 | resources: 174 | {{ toYaml .Values.resources | indent 12 }} 175 | {{- with .Values.nodeSelector }} 176 | nodeSelector: 177 | {{ toYaml . | indent 8 }} 178 | {{- end }} 179 | {{- include "minio.imagePullSecrets" . | indent 6 }} 180 | {{- with .Values.affinity }} 181 | affinity: 182 | {{ toYaml . | indent 8 }} 183 | {{- end }} 184 | {{- with .Values.tolerations }} 185 | tolerations: 186 | {{ toYaml . 
| indent 8 }} 187 | {{- end }} 188 | volumes: 189 | - name: minio-user 190 | secret: 191 | secretName: {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "minio.fullname" . }}{{ end }} 192 | {{- if .Values.tls.enabled }} 193 | - name: cert-secret-volume 194 | secret: 195 | secretName: {{ .Values.tls.certSecret }} 196 | items: 197 | - key: {{ .Values.tls.publicCrt }} 198 | path: public.crt 199 | - key: {{ .Values.tls.privateKey }} 200 | path: private.key 201 | - key: {{ .Values.tls.publicCrt }} 202 | path: CAs/public.crt 203 | {{ end }} 204 | {{- if .Values.persistence.enabled }} 205 | volumeClaimTemplates: 206 | {{- if gt $drivesPerNode 1 }} 207 | {{- range $diskId := until $drivesPerNode}} 208 | - metadata: 209 | name: export-{{ $diskId }} 210 | spec: 211 | accessModes: [ {{ $accessMode | quote }} ] 212 | {{- if $storageClass }} 213 | storageClassName: {{ $storageClass }} 214 | {{- end }} 215 | resources: 216 | requests: 217 | storage: {{ $psize }} 218 | {{- end }} 219 | {{- else }} 220 | - metadata: 221 | name: export 222 | spec: 223 | accessModes: [ {{ $accessMode | quote }} ] 224 | {{- if $storageClass }} 225 | storageClassName: {{ $storageClass }} 226 | {{- end }} 227 | resources: 228 | requests: 229 | storage: {{ $psize }} 230 | {{- end }} 231 | {{- end }} 232 | {{- end }} 233 | -------------------------------------------------------------------------------- /minio/pv.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolume 2 | apiVersion: v1 3 | metadata: 4 | name: ci-minio-pv 5 | namespace: devops 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | capacity: 10 | storage: 50Gi 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: manual 13 | nfs: 14 | path: /data/devops/minio-data 15 | server: 192.168.1.200 16 | -------------------------------------------------------------------------------- /tools/GetImages.sh: 
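--------------------------------------------------------------------------------
#!/bin/bash

# Name the images are re-tagged to on each node.
S_REGISTRY="gcr.io/spinnaker-marketplace"
#T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
# Mirror the images are actually pulled from.
T_REGISTRY="docker.io/spinnakercd"
NODES="node01.zy.com node02.zy.com"

# Accepted shape of a tagfile entry (name:tag). Each entry is expanded into a
# command line that the remote shell parses, so anything else is rejected.
IMAGE_RE='^[A-Za-z0-9._/-]+:[A-Za-z0-9._-]+$'

## Pull every image listed in tagfile.txt on every node and re-tag it.
#
# The images are pulled from ${T_REGISTRY} by tag and re-tagged as
# ${S_REGISTRY}/...; nothing here checks that the mirrored image matches the
# upstream one (no digest pinning, no signature check), so the mirror is fully
# trusted by every node.
function GetImages(){
    echo -e "\033[43;34m =====GetImg===== \033[0m"

    if [ ! -r tagfile.txt ]; then
        echo "tagfile.txt not found or not readable" >&2
        return 1
    fi
    IMAGES=$(cat tagfile.txt)

    # A for-loop (not `while read`) on purpose: ssh would otherwise consume
    # the rest of the list from stdin.
    for image in ${IMAGES}
    do
        if [[ ! "${image}" =~ ${IMAGE_RE} ]]; then
            echo "skipping invalid image reference: ${image}" >&2
            continue
        fi
        for node in ${NODES}
        do
            echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
            ssh "${node}" "docker pull ${T_REGISTRY}/${image}"
            echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
            ssh "${node}" "docker tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
        done
    done
    for node in ${NODES}
    do
        echo -e "\033[43;34m =====${node}===镜像信息===== \033[0m"
        ssh "${node}" "docker images | grep 'spinnaker-marketplace' "
    done

}

GetImages
--------------------------------------------------------------------------------
/tools/fileprocess.py:
--------------------------------------------------------------------------------
import glob
import os
import re
import subprocess
import sys

import yaml


# Service names and versions read from the BOM end up in file paths, download
# URLs and (through the tag file) in remote `docker pull` commands. Only plain
# single-path-component tokens are accepted, which rules out "/", "..",
# whitespace and shell metacharacters.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def _require_safe(kind, value):
    """Return value unchanged if it is a safe token, else raise ValueError."""
    if not _SAFE_TOKEN.match(value):
        raise ValueError("refusing unsafe %s from BOM: %r" % (kind, value))
    return value


class SpinnakerToDo(object):
    """Prepare a local Halyard BOM directory from a Spinnaker BOM file.

    Command-line arguments (read in __init__):
        argv[1]  path of the BOM YAML file (rewritten in place at the end)
        argv[2]  path of the image tag file to generate
        argv[3]  directory that receives the per-service config files
    """

    def __init__(self):
        self.filePath = sys.argv[1]
        self.tagFile = sys.argv[2]
        self.bomDir = sys.argv[3]
        self.gitRepo = "https://raw.githubusercontent.com/spinnaker"
        #self.exceptServices = ["defaultArtifact","monitoring-third-party","monitoring-daemon"]
        self.exceptServices = ["defaultArtifact","monitoring-third-party"]

    def _load_bom(self):
        """Parse the BOM file.

        safe_load is used because the BOM is downloaded data: the default
        loader of older PyYAML releases can construct arbitrary Python
        objects from tagged input.
        """
        with open(self.filePath, 'r', encoding="utf-8") as bom:
            return yaml.safe_load(bom)

    def _wanted_services(self, serviceData):
        """Yield (name, version) for every service not in exceptServices.

        Raises ValueError if a name or version is not a safe token.
        """
        for s in serviceData.keys():
            if s in self.exceptServices:
                continue
            version = str(serviceData[s]['version'])
            yield _require_safe("service name", s), _require_safe("version", version)

    def _run(self, argv):
        """Run a command without a shell; report failure, return success.

        Failures are printed rather than raised, keeping the best-effort
        behaviour the os.system() calls had.
        """
        try:
            code = subprocess.run(argv).returncode
        except OSError as err:
            print("could not run %s: %s" % (argv[0], err))
            return False
        if code != 0:
            print("command failed (%d): %s" % (code, " ".join(argv)))
        return code == 0

    ## Read the BOM YAML file
    def GetYamlData(self):
        """Return the 'services' mapping of the BOM file."""
        print("======> get yaml data <======")
        data = self._load_bom()
        print(data['services'])
        serviceData = data['services']
        print(serviceData.keys())

        return serviceData

    ## Generate the image tag file
    def CreateTagFile(self):
        """Write one "service:version" line per wanted service to tagFile.

        Any previous tag file is replaced.
        """
        print("======> Get Tag <======")

        serviceData = self.GetYamlData()
        tags = []
        for s, version in self._wanted_services(serviceData):
            tag = s + ":" + version
            print(tag)
            tags.append(tag)

        with open(self.tagFile, 'w') as f:
            f.writelines(tag + "\n" for tag in tags)

    ## Generate the service config files (the user first uploads the packed
    ## BOM files of the current version to the updates directory)
    def CreateServiceConf(self):
        """Download each service's halconfig file into bomDir.

        The file is stored as bomDir/<service>/<file> and copied to
        bomDir/<service>/<version>/<file>. Files are fetched from GitHub by
        tag name only; there is no checksum or signature check on what is
        downloaded.
        """
        serviceData = self.GetYamlData()
        for s, serviceVersion in self._wanted_services(serviceData):
            tag = "version-" + serviceVersion.split("-")[0]
            print(s + ">>>>===GitHub Tag Version===>>>>" + tag)

            ## Create the service directory
            serviceDir = os.path.join(self.bomDir, s)
            versionDir = os.path.join(serviceDir, serviceVersion)
            os.makedirs(versionDir, exist_ok=True)

            ## deck is configured by settings.js, the monitoring daemon by
            ## spinnaker-monitoring.yml, every other service by <service>.yml
            if s == "deck":
                serviceFile = "settings.js"
            elif s == "monitoring-daemon":
                serviceFile = 'spinnaker-monitoring.yml'
            else:
                serviceFile = "%s.yml" % (s)

            if s == "monitoring-daemon":
                ## e.g. https://raw.githubusercontent.com/spinnaker/spinnaker-monitoring/version-0.18.1/spinnaker-monitoring-daemon/halconfig/spinnaker-monitoring.yml
                url = "%s/%s/%s/spinnaker-monitoring-daemon/halconfig/%s" % (
                    self.gitRepo, 'spinnaker-monitoring', tag, serviceFile)
            else:
                url = "%s/%s/%s/halconfig/%s" % (self.gitRepo, s, tag, serviceFile)

            ## Download into the service directory, then copy into the
            ## version directory. --fail keeps an HTTP error page from being
            ## saved as if it were the config file.
            downloaded = os.path.join(serviceDir, serviceFile)
            if self._run(["curl", "--fail", "--silent", "--show-error",
                          url, "-o", downloaded]):
                self._run(["cp", downloaded, os.path.join(versionDir, serviceFile)])

            ## rosco needs a few extra directories (images.yml, packer)
            if s == "rosco":
                self._run(["git", "clone", "--branch", tag,
                           "https://github.com/spinnaker/rosco.git"])
                halconfig = sorted(glob.glob("rosco/halconfig/*"))
                if halconfig:
                    self._run(["cp", "-r"] + halconfig + [serviceDir + "/"])
                    self._run(["cp", "-r"] + halconfig + [versionDir + "/"])

            ## List the results
            self._run(["ls", serviceDir])
            self._run(["ls", versionDir])

    ## Rewrite the versions in the BOM file as "local:<version>"
    def UpdateBomVersionFile(self):
        """Prefix every service version (except defaultArtifact) with "local:".

        A version that already carries the prefix is left alone, so running
        the step twice does not produce "local:local:...".
        """
        print("======> write yaml data <======")
        data = self._load_bom()
        for s in data['services'].keys():
            if s != "defaultArtifact":
                serviceVersion = str(data['services'][s]['version'])
                if not serviceVersion.startswith("local:"):
                    data['services'][s]['version'] = "local:" + serviceVersion

        data = yaml.dump(data)
        print(data)
        with open(self.filePath, 'w', encoding="utf-8") as f:
            f.write(data)

    def main(self):
        """Run the three steps in order: tag file, service configs, BOM rewrite."""
        self.CreateTagFile()
        self.CreateServiceConf()
        self.UpdateBomVersionFile()


if __name__ == '__main__':
    sp = SpinnakerToDo()
    sp.main()
--------------------------------------------------------------------------------
/tools/halyard.sh:
--------------------------------------------------------------------------------
#!/bin/bash

VERSION="SPIN_VERSION"
DECK_HOST="http://spinnaker.idevops.site"
GATE_HOST="http://spin-gate.idevops.site"
# Wait until the Halyard daemon answers.
until hal --ready; do sleep 10 ; done

# Set the Spinnaker version; "local:" makes Halyard read the BOM from disk.
hal config version edit --version local:${VERSION} --no-validate

## Set the time zone
hal config edit --timezone Asia/Shanghai

## Storage: S3-compatible storage served by MinIO.
# The key pair below is a placeholder to be replaced. Real keys written here
# are stored in the script and appear in the process arguments; Halyard reads
# the secret from standard input when --secret-access-key is given without a
# value. The endpoint is plain http://, so keys and data are sent unencrypted.
hal config storage s3 edit \
    --endpoint http://minio.idevops.site \
    --access-key-id AKIAIOSFODNN7EXAMPLE \
    --secret-access-key \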
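wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
    --bucket spinnaker \
    --path-style-access true --no-validate
hal config storage edit --type s3 --no-validate

# Docker registry provider
# Set the dockerRegistry provider as enabled
hal config provider docker-registry enable --no-validate
hal config provider docker-registry account add dockerhub \
    --address index.docker.io \
    --repositories library/alpine,library/ubuntu,library/centos,library/nginx \
    --no-validate


# Add an account to the kubernetes provider.
hal config provider kubernetes enable --no-validate
hal config provider kubernetes account add default \
    --docker-registries dockerhub \
    --context "$(kubectl config current-context)" \
    --service-account true \
    --omit-namespaces=kube-system,kube-public \
    --provider-version v2 \
    --no-validate

## Deployment options: distributed deployment into the "spinnaker" namespace.
hal config deploy edit \
    --account-name default \
    --type distributed \
    --location spinnaker \
    --no-validate

## Enable the main features
hal config features edit --pipeline-templates true --no-validate
hal config features edit --artifacts true --no-validate
hal config features edit --managed-pipeline-templates-v2-ui true --no-validate



## Set the public URLs of deck and gate.
# Both URLs are http:// and this script contains no `hal config security`
# authentication step, so as written the UI and API are served without TLS
# and without a login.
hal config security ui edit --override-base-url ${DECK_HOST} --no-validate
hal config security api edit --override-base-url ${GATE_HOST} --no-validate

## Deploy. --no-validate is passed to every command, this one included, so
## Halyard's configuration checks are skipped throughout.
hal deploy apply --no-validate
--------------------------------------------------------------------------------
/tools/halyard.yaml:
--------------------------------------------------------------------------------
# NOTE(review): the listing lost its indentation; the nesting below is
# reconstructed and should be confirmed against the original file.
server:
  port: 8064

grpc:
  enabled: false

halconfig:
  filesystem:
    path: ~/.hal/config

spinnaker:
  artifacts:
    debian: https://dl.bintray.com/spinnaker-releases/debians
    docker: gcr.io/spinnaker-marketplace
  config:
    input:
      gcs:
        enabled: false
      writerEnabled: false
      bucket: halconfig

# The shutdown endpoint is enabled and exposed over the web together with
# env, resolvedEnv and beans. Whoever can reach the daemon's port can use
# them, so that port should not be reachable beyond the host or container.
management:
  endpoint:
    shutdown:
      enabled: true

  # presumably nested under `management` (management.endpoints.web.exposure.include) -- confirm
  endpoints:
    web:
      exposure:
        include: shutdown, env, conditions, resolvedEnv, beans, health

backup:
  google:
    enabled: false

retrofit:
  logLevel: BASIC
--------------------------------------------------------------------------------
/tools/ingress.yaml:
--------------------------------------------------------------------------------
# Exposes deck (UI) and gate (API). There is no `tls:` section, so both hosts
# are served over plain HTTP by this Ingress.
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters
# need networking.k8s.io/v1.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: spinnaker-service
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: spinnaker.idevops.site
    http:
      paths:
      - path: /
        backend:
          serviceName: spin-deck
          servicePort: 9000
  - host: spin-gate.idevops.site
    http:
      paths:
      - path: /
        backend:
          serviceName: spin-gate
          servicePort: 8084
--------------------------------------------------------------------------------
/tools/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

VERSION="SPIN_VERSION"
S_REGISTRY="gcr.io/spinnaker-marketplace"
T_REGISTRY="registry.cn-beijing.aliyuncs.com/spinnaker-cd"
BOMS_DIR="/root/.hal/"
BOMS_FILR=".boms"
KUBE_DIR="/root/.kube/"
HALY_IMAGE="gcr.io/spinnaker-marketplace/halyard:1.32.0"
DECK_HOST="spinnaker.idevops.site"
GATE_HOST="spin-gate.idevops.site"
NODES="node01.zy.com node02.zy.com"

# UID the Halyard process runs as inside the container. 1000 is an
# assumption -- confirm it against the image and override HAL_UID if needed.
HAL_UID="${HAL_UID:-1000}"

# Accepted shape of a tagfile entry (name:tag). Each entry is expanded into a
# command line that the remote shell parses, so anything else is rejected.
IMAGE_RE='^[A-Za-z0-9._/-]+:[A-Za-z0-9._-]+$'

## Pull every image listed in tagfile.txt on every node and re-tag it.
#
# Images come from the mirror ${T_REGISTRY} by tag and are re-tagged as
# ${S_REGISTRY}/...; there is no digest or signature check, so the mirror is
# fully trusted by every node.
function GetImages(){
    echo -e "\033[43;34m =====GetImg===== \033[0m"

    if [ ! -r tagfile.txt ]; then
        echo "tagfile.txt not found or not readable" >&2
        return 1
    fi
    IMAGES=$(cat tagfile.txt)
    # A for-loop (not `while read`) on purpose: ssh would otherwise consume
    # the rest of the list from stdin.
    for image in ${IMAGES}
    do
        if [[ ! "${image}" =~ ${IMAGE_RE} ]]; then
            echo "skipping invalid image reference: ${image}" >&2
            continue
        fi
        for node in ${NODES}
        do
            echo -e "\033[32m ${node} ---> pull ---> ${image} \033[0m"
            ssh "${node}" "docker pull ${T_REGISTRY}/${image}"
            echo -e "\033[32m ${node} ---> tag ---> ${image} \033[0m"
            ssh "${node}" "docker tag ${T_REGISTRY}/${image} ${S_REGISTRY}/${image}"
        done
    done
    for node in ${NODES}
    do
        echo -e "\033[43;34m =====${node}===镜像信息===== \033[0m"
        ssh "${node}" "docker pull registry.cn-beijing.aliyuncs.com/spinnaker-cd/redis-cluster:v2 "
        ssh "${node}" "docker tag registry.cn-beijing.aliyuncs.com/spinnaker-cd/redis-cluster:v2 gcr.io/kubernetes-spinnaker/redis-cluster:v2"
        ssh "${node}" "docker images | grep 'spinnaker-marketplace' "
    done

}

## Remove the previous Halyard configuration.
function Clean(){
    echo -e "\033[43;34m =====Clean===== \033[0m"
    # ${BOMS_DIR:?} aborts instead of expanding to "/config" if the variable
    # is ever empty.
    rm -rf -- "${BOMS_DIR:?}/config" "${BOMS_DIR:?}/default"
}

## Start the Halyard container and run halyard.sh inside it.
function Install(){
    echo -e "\033[43;34m =====Install===== \033[0m"
    [ -d "${BOMS_DIR}" ] || mkdir -p "${BOMS_DIR}"
    mv "${BOMS_FILR}" "${BOMS_DIR}"
    ls -a "${BOMS_DIR}"

    # Only the container user needs these directories. A recursive 777 would
    # let every local user read and rewrite the kubeconfig credentials and
    # the Halyard configuration, so ownership goes to the container UID and
    # group/other access is removed.
    chown -R "${HAL_UID}" "${BOMS_DIR}" "${KUBE_DIR}"
    chmod -R u+rwX,go-rwx "${BOMS_DIR}" "${KUBE_DIR}"

    # The host kubeconfig directory is mounted into the container, so the
    # container holds whatever cluster access that kubeconfig grants.
    docker run -d \
        --name halyard \
        -v "${BOMS_DIR}":/home/spinnaker/.hal \
        -v "${KUBE_DIR}":/home/spinnaker/.kube \
        -it "${HALY_IMAGE}"

    sleep 5
    # Replace the daemon configuration, then restart so it takes effect.
    docker cp halyard.yaml halyard:/opt/halyard/config/halyard.yml
    docker stop halyard && docker start halyard
    sleep 3
    docker ps | grep halyard
    sleep 5
    chmod +x halyard.sh
    docker cp halyard.sh halyard:/home/spinnaker/halyard.sh
    # NOTE(review): "./home/..." is a relative path and resolves only if the
    # container's working directory is "/" -- confirm.
    docker exec -it halyard ./home/spinnaker/halyard.sh
    sleep 5
    kubectl get pod -n spinnaker
    sleep 5
    kubectl get pod -n spinnaker
}

## Create the Ingress for deck and gate.
function Ingress(){
    echo -e "\033[43;34m =====Ingress===== \033[0m"
    # The ingress.yaml listed with this script already has literal host
    # names, so these two substitutions match nothing in that file.
    sed -i "s/deck_domain/${DECK_HOST}/g" ingress.yaml
    sed -i "s/gate_domain/${GATE_HOST}/g" ingress.yaml
    cat ingress.yaml
    sleep 5
    kubectl create -f ingress.yaml -n spinnaker
}


case $1 in
    getimg)
        GetImages
        ;;
#   clean)
#       Clean
#       ;;
    install)
        Install
        ;;
    ingress)
        Ingress
        ;;
    allinstall)
        Clean
        GetImages
        Install
        sleep 10
        Ingress
        ;;

    *)
        echo -e " [getimg -> install -> ingress = allinstall] "
        ;;
esac
--------------------------------------------------------------------------------
/updates/bom-yaml-1.19.4.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeyangli/spinnaker-cd-install/0fe2bc78ff26b12ab026c7c596a7440b493fa47e/updates/bom-yaml-1.19.4.tar.gz
--------------------------------------------------------------------------------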