From 657311c5c2cf0a8c20ad96fe9f7e2dad846792df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20=22WanzenBug=22=20Wanzenb=C3=B6ck?= Date: Mon, 12 Jul 2021 10:45:58 +0200 Subject: [PATCH] Initial commit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the following charts * snapshot-controller * snapshot-validation-webhook 
Signed-off-by: Moritz "WanzenBug" Wanzenböck --- .pre-commit-config.yaml | 51 +++++ LICENSE | 201 ++++++++++++++++++ README.md | 14 ++ charts/snapshot-controller/.helmignore | 23 ++ charts/snapshot-controller/Chart.yaml | 19 ++ charts/snapshot-controller/LICENSE | 201 ++++++++++++++++++ charts/snapshot-controller/README.md | 94 ++++++++ .../snapshot-controller/templates/NOTES.txt | 10 + .../templates/_helpers.tpl | 57 +++++ .../templates/deployment.yaml | 70 ++++++ .../templates/serviceaccount.yaml | 74 +++++++ charts/snapshot-controller/values.yaml | 38 ++++ .../snapshot-validation-webhook/.helmignore | 23 ++ charts/snapshot-validation-webhook/Chart.yaml | 20 ++ charts/snapshot-validation-webhook/LICENSE | 201 ++++++++++++++++++ charts/snapshot-validation-webhook/README.md | 96 +++++++++ .../templates/NOTES.txt | 33 +++ .../templates/_helpers.tpl | 69 ++++++ .../templates/_validate.tpl | 0 .../templates/certificate.yaml | 16 ++ .../templates/deployment.yaml | 72 +++++++ .../templates/service.yaml | 16 ++ .../templates/serviceaccount.yaml | 8 + .../templates/tests/test-invalid-body.yaml | 18 ++ .../templates/tests/test-valid-body.yaml | 18 ++ .../templates/webhook.yaml | 43 ++++ .../tests/invalid-admission.json | 1 + .../tests/valid-admission.json | 1 + .../snapshot-validation-webhook/values.yaml | 41 ++++ 29 files changed, 1528 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 LICENSE create mode 100644 README.md create mode 100644 charts/snapshot-controller/.helmignore create mode 100644 charts/snapshot-controller/Chart.yaml create mode 100644 charts/snapshot-controller/LICENSE create mode 100644 charts/snapshot-controller/README.md create mode 100644 charts/snapshot-controller/templates/NOTES.txt create mode 100644 charts/snapshot-controller/templates/_helpers.tpl create mode 100644 charts/snapshot-controller/templates/deployment.yaml create mode 100644 charts/snapshot-controller/templates/serviceaccount.yaml create mode 100644 
charts/snapshot-controller/values.yaml create mode 100644 charts/snapshot-validation-webhook/.helmignore create mode 100644 charts/snapshot-validation-webhook/Chart.yaml create mode 100644 charts/snapshot-validation-webhook/LICENSE create mode 100644 charts/snapshot-validation-webhook/README.md create mode 100644 charts/snapshot-validation-webhook/templates/NOTES.txt create mode 100644 charts/snapshot-validation-webhook/templates/_helpers.tpl create mode 100644 charts/snapshot-validation-webhook/templates/_validate.tpl create mode 100644 charts/snapshot-validation-webhook/templates/certificate.yaml create mode 100644 charts/snapshot-validation-webhook/templates/deployment.yaml create mode 100644 charts/snapshot-validation-webhook/templates/service.yaml create mode 100644 charts/snapshot-validation-webhook/templates/serviceaccount.yaml create mode 100644 charts/snapshot-validation-webhook/templates/tests/test-invalid-body.yaml create mode 100644 charts/snapshot-validation-webhook/templates/tests/test-valid-body.yaml create mode 100644 charts/snapshot-validation-webhook/templates/webhook.yaml create mode 100644 charts/snapshot-validation-webhook/tests/invalid-admission.json create mode 100644 charts/snapshot-validation-webhook/tests/valid-admission.json create mode 100644 charts/snapshot-validation-webhook/values.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..a2e4d8e --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,51 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v2.4.0
+ hooks:
+ - id: trailing-whitespace
+ exclude: 'deploy/piraeus/'
+ - id: end-of-file-fixer
+ - id: check-yaml
+ exclude: 'charts/'
+ args:
+ - --multi
+ - id: check-added-large-files
+ - repo: https://github.com/Bahjat/pre-commit-golang
+ rev: master
+ hooks:
+ - id: gofumpt
+ - repo: https://github.com/dnephin/pre-commit-golang
+ rev: master
+ hooks:
+ - id: golangci-lint
+ args:
+ - --new-from-rev=HEAD
+ - id: go-unit-tests
+ - repo: local
+ hooks:
+ - id: generate-deep-copy
+ name: generated deep-copy code must be up-to-date
+ language: system
+ files: '^pkg/apis/.*\.go$'
+ pass_filenames: false
+ entry: make deep-copy
+ - id: generate-crds
+ name: generated crds must be up-to-date
+ language: system
+ files: '^pkg/apis/.*\.go$'
+ pass_filenames: false
+ entry: make crds
+ - id: generate-cn-values
+ name: generate helm values for CN users
+ language: system
+ files: '^charts/piraeus/values.*\.yaml'
+ pass_filenames: false
+ entry: make helm-values
+ - id: generate-piraeus-yaml
+ name: generate full yaml deployment from helm templates
+ language: system
+ files: '(^charts/piraeus/.*)|(^deploy/piraeus/.*)'
+ pass_filenames: false
+ entry: make deploy/piraeus
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/LICENSE
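Review bot: The two Go hook repositories (`Bahjat/pre-commit-golang` and `dnephin/pre-commit-golang`) are referenced with `rev: master`, so every contributor's pre-commit run fetches and executes whatever that branch points to at that moment, unlike the first repository which is pinned to the reproducible `rev: v2.4.0`. Pin both to a tag or a full commit SHA, e.g. `rev: <tag-or-commit-sha>` (placeholder), so the hook code that runs on developer machines is the code that was reviewed. The file also looks carried over from another repository: the local hooks key on `pkg/apis/`, `charts/piraeus/` and `deploy/piraeus/` and invoke `make` targets that are not part of this commit, and the Go hooks only act on `*.go` files, while the diffstat adds nothing but Helm charts under `charts/snapshot-*`; those hooks will never fire here and should be removed or replaced with chart-specific checks such as `helm lint`.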
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c74407b
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+# Piraeus Charts
+
+A collection of helpful charts for Piraeus and other projects.
+
+* [snapshot controller](./charts/snapshot-controller) deploys a snapshot controller for CSI snapshots.
+* [snapshot validation webhook](./charts/snapshot-validation-webhook) offers stricter validation of snapshot resources.
+
+### Contributing
+
+You are welcome to contribute on Piraeus. See [CONTRIBUTING in the main repo](https://github.com/piraeusdatastore/piraeus/blob/master/CONTRIBUTING.md) for how to get started.
+
+### License
+
+Piraeus Datastore is licensed under the Apache License, Version 2.0. See [LICENSE](./LICENSE).
diff --git a/charts/snapshot-controller/.helmignore b/charts/snapshot-controller/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/snapshot-controller/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/snapshot-controller/Chart.yaml b/charts/snapshot-controller/Chart.yaml
new file mode 100644
index 0000000..a6e5243
--- /dev/null
+++ b/charts/snapshot-controller/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+type: application
+name: snapshot-controller
+version: 1.0.0
+appVersion: "v4.1.1"
+icon: https://raw.githubusercontent.com/piraeusdatastore/piraeus/master/artwork/sandbox-artwork/icon/color.svg
+maintainers:
+ - name: The Piraeus Maintainers
+ url: https://github.com/piraeusdatastore/
+description: |
+ Deploys a Snapshot Controller in a cluster. Snapshot Controllers are often bundled with the Kubernetes distribution,
+ this chart is meant for cases where it is not.
+keywords:
+ - storage
+ - snapshot
+home: https://github.com/piraeusdatastore/helm-charts
+sources:
+ - https://github.com/piraeusdatastore/helm-charts
+ - https://github.com/kubernetes-csi/external-snapshotter/
diff --git a/charts/snapshot-controller/LICENSE b/charts/snapshot-controller/LICENSE
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/charts/snapshot-controller/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/charts/snapshot-controller/README.md b/charts/snapshot-controller/README.md
new file mode 100644
index 0000000..bebe83c
--- /dev/null
+++ b/charts/snapshot-controller/README.md
@@ -0,0 +1,94 @@
+# snapshot-validation-webhook
+
+Deploys the [snapshot-controller](https://github.com/kubernetes-csi/external-snapshotter) in a cluster.
+The controller is required for CSI snapshotting to work and is not specific to any CSI driver.
+
+While many Kubernetes distributions already package this controller, some do not. If your cluster does ***NOT***
+have the following CRDs, you likely also do not have a snapshot controller deployed:
+
+```
+kubectl get crd volumesnapshotclasses.snapshot.storage.k8s.io
+kubectl get crd volumesnapshots.snapshot.storage.k8s.io
+kubectl get crd volumesnapshotcontents.snapshot.storage.k8s.io
+```
+
+## Usage
+
+First, please ensure you have the [snapshot validation webhook](../snapshot-validation-webhook) installed.
+
+Then, install the latest version of the snapshot CRDs:
+
+```
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+```
+
+Now you can install this chart. See [below](#configuration) for available configuration options.
+
+```
+helm install piraeus/snapshot-controller
+```
+
+## Upgrade from older CRDs
+
+In an effort to tighten validation, the CSI project started enforcing stricter requirements on `VolumeSnapshot` and
+`VolumeSnapshotContent` resources when switching from `v1beta1` to `v1` CRDs. This webhook is part of enforcing
+these requirements. When upgrading you [have to ensure non of your resources violate the requirements for `v1`].
+
+The upgrade procedure can be summarized by the following steps:
+
+1. 
Remove the old snapshot controller, if any (since you are upgrading, you probably already have one deployed manually).
+2. Install the [validation webhook chart](../snapshot-validation-webhook).
+3. Install the snapshot controller using one of the [`3.x.x` releases]:
+
+ ```
+ helm install piraeus/snapshot-controller --set image.tag=v3.0.3
+ ```
+4. Ensure that none of the resources are labelled as invalid:
+
+ ```
+ kubectl get volumesnapshots --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+ kubectl get volumesnapshotcontents --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+ ```
+
+ If the above commands output any resource, they have to be removed
+
+5. Upgrade the CRDs
+
+ ```
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+ ```
+
+6. Upgrade the [snapshot controller](../snapshot-controller) to the latest version:
+
+ ```
+ helm upgrade piraeus/snapshot-controller --set image.tag=v4.1.1
+ ```
+
+## Configuration
+
+The following options are available:
+
+| Option | Usage | Default |
+|--------|-------|---------|
+| `replicaCount` | Number of replicas to deploy. | `1` |
+| `image.repository` | Repository to pull the image from. | `k8s.gcr.io/sig-storage/snapshot-controller` |
+| `image.pullPolicy` | Pull policy to use. Possible values: `IfNotPresent`, `Always`, `Never` | `IfNotPresent` |
+| `image.tag` | Override the tag to pull. If not given, defaults to charts `AppVersion`. 
| `""` |
+| `imagePullSecrets` | Image pull secrets to add to the deployment. | `[]` |
+| `podAnnotations` | Annotations to add to every pod in the deployment. | `{}` |
+| `podSecurityContext` | Security context to set on the webhook pod. | `{}` |
+| `securityContext` | Configure container security context. Defaults to dropping all capabilties and running as user 1000. | `{capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true, runAsNonRoot: true, runAsUser: 1000}`
+| `resources` | Resources to request and limit on the pod. | `{}` |
+| `nodeSelector` | Node selector to add to each webhook pod. | `{}` |
+| `tolerations` | Tolerations to add to each webhook pod. | `[]` |
+| `affinity` | Affinity to set on each webhook pod. | `{}` |
+| `rbac.create` | Create the necessary roles and bindings for the snapshot controller. | `true` |
+| `serviceAccount.create` | Create the service account resource | `true` |
+| `serviceAccount.name` | Sets the name of the service account. If left empty, will use the release name as default | `""` |
+
+[`3.x.x` releases]: https://github.com/kubernetes-csi/external-snapshotter/releases
+[have to ensure non of your resources violate the requirements for `v1`]: https://github.com/kubernetes-csi/external-snapshotter#validating-webhook
diff --git a/charts/snapshot-controller/templates/NOTES.txt b/charts/snapshot-controller/templates/NOTES.txt
new file mode 100644
index 0000000..663bdea
--- /dev/null
+++ b/charts/snapshot-controller/templates/NOTES.txt
@@ -0,0 +1,10 @@
+Volume Snapshot Controller installed.
+
+If you already have volume snapshots deployed using a CRDs before v1, you should
+verify that the existing snapshots are upgradable to v1 CRDs. The snapshot controller (>= v3.0.0)
+will label any invalid snapshots it can find. Use the following commands to find any invalid snapshot
+
+kubectl get volumesnapshots --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+kubectl get volumesnapshotcontents --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+
+If the above commands return any items, you need to remove them before upgrading to the newer v1 CRDs.
diff --git a/charts/snapshot-controller/templates/_helpers.tpl b/charts/snapshot-controller/templates/_helpers.tpl
new file mode 100644
index 0000000..e761195
--- /dev/null
+++ b/charts/snapshot-controller/templates/_helpers.tpl
@@ -0,0 +1,57 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "snapshot-controller.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "snapshot-controller.fullname" -}}
+{{- if contains .Chart.Name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "snapshot-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "snapshot-controller.labels" -}}
+helm.sh/chart: {{ include "snapshot-controller.chart" . }}
+{{ include "snapshot-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "snapshot-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "snapshot-controller.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "snapshot-controller.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "snapshot-controller.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/snapshot-controller/templates/deployment.yaml b/charts/snapshot-controller/templates/deployment.yaml
new file mode 100644
index 0000000..a3bed3b
--- /dev/null
+++ b/charts/snapshot-controller/templates/deployment.yaml
@@ -0,0 +1,70 @@
+{{- if and (not (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1")) (not (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta") ) }}
+ {{ fail (printf `
+Please install the snapshot CRDs before deploying this chart.
+
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/%s/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/%s/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/%s/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+` .Chart.AppVersion .Chart.AppVersion .Chart.AppVersion) }}
+{{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+ labels:
+ {{- include "snapshot-controller.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "snapshot-controller.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "snapshot-controller.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "snapshot-controller.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --leader-election
+ - --leader-election-namespace=$(NAMESPACE)
+ - --http-endpoint=:8080
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/snapshot-controller/templates/serviceaccount.yaml b/charts/snapshot-controller/templates/serviceaccount.yaml
new file mode 100644
index 0000000..5d50151
--- /dev/null
+++ b/charts/snapshot-controller/templates/serviceaccount.yaml
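Review bot: The CRD guard on the first line of the hunk tests for `snapshot.storage.k8s.io/v1beta`, but the group version an API server advertises is `snapshot.storage.k8s.io/v1beta1` (the webhook chart's NOTES.txt in this same commit spells it that way), so a cluster that has only the v1beta1 CRDs is refused with the "install the CRDs" message even though the README treats it as a supported starting point. Change that operand to `(not (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta1"))`. The container also exposes an `http` port on 8080 with no readiness or liveness probe; if the controller serves a health path on that endpoint, a probe against it would let a hung leader be restarted instead of holding the lease indefinitely, which I would confirm against the upstream binary before wiring up.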
@@ -0,0 +1,74 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "snapshot-controller.serviceAccountName" . }}
+ labels:
+ {{- include "snapshot-controller.labels" . | nindent 4 }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots/status"]
+ verbs: ["update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: snapshot-controller-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "snapshot-controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "snapshot-controller.fullname" . }}-runner
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}-leaderelection
+rules:
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}-leaderelection
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "snapshot-controller.serviceAccountName" . }}
+roleRef:
+ kind: Role
+ name: {{ include "snapshot-controller.fullname" . }}-leaderelection
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/snapshot-controller/values.yaml b/charts/snapshot-controller/values.yaml
new file mode 100644
index 0000000..aea0097
--- /dev/null
+++ b/charts/snapshot-controller/values.yaml
@@ -0,0 +1,38 @@
+replicaCount: 1
+
+image:
+ repository: k8s.gcr.io/sig-storage/snapshot-controller
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+rbac:
+ # Specifies whether RBAC resources should be created
+ create: true
+
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ name: ""
diff --git a/charts/snapshot-validation-webhook/.helmignore b/charts/snapshot-validation-webhook/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/snapshot-validation-webhook/.helmignore
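Review bot: The ClusterRoleBinding is named with the fixed string `snapshot-controller-role` while the ClusterRole it binds is release-scoped (`{{ include "snapshot-controller.fullname" . }}-runner`), so two releases of this chart on one cluster collide on that single cluster-scoped object and the second install either fails or rebinds the first release's role to a different ServiceAccount. Name it consistently with the role: `name: {{ include "snapshot-controller.fullname" . }}-runner`. The ClusterRole, both bindings and the Role also carry no labels, unlike the ServiceAccount above them; adding `{{- include "snapshot-controller.labels" . | nindent 4 }}` under each `metadata:` keeps them attributable to the release. Finally, with `rbac.create` true, `serviceAccount.create` false and no name set, the helper resolves to `default`, so these cluster-wide snapshot permissions land on the namespace's default ServiceAccount that every pod without an explicit account uses; a `fail` for that combination, or at least a README warning, would be worth adding.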
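Review bot: The `securityContext` default drops all capabilities and runs as non-root but omits `allowPrivilegeEscalation: false`, the field that actually stops a setuid binary in the image from regaining what the dropped capabilities took away; add `allowPrivilegeEscalation: false` beside `readOnlyRootFilesystem: true` and extend the README default in this commit to match. A `seccompProfile` of type `RuntimeDefault` would complete the restricted profile, but since older clusters reject that field I would leave it as a commented opt-in in the style of the `# fsGroup: 2000` example above it.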
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/snapshot-validation-webhook/Chart.yaml b/charts/snapshot-validation-webhook/Chart.yaml
new file mode 100644
index 0000000..34aeb59
--- /dev/null
+++ b/charts/snapshot-validation-webhook/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+type: application
+name: snapshot-validation-webhook
+version: 1.0.0
+appVersion: "v4.1.1"
+icon: https://raw.githubusercontent.com/piraeusdatastore/piraeus/master/artwork/sandbox-artwork/icon/color.svg
+maintainers:
+ - name: The Piraeus Maintainers
+ url: https://github.com/piraeusdatastore/
+description: |
+ Deploys the snapshot-validation-webhook and configures your cluster to validate every `VolumeSnapshot` and
+ `VolumeSnapshotContent` resource by sending it to the webhook.
+keywords:
+ - storage
+ - snapshot
+ - validation
+home: https://github.com/piraeusdatastore/helm-charts
+sources:
+ - https://github.com/piraeusdatastore/helm-charts
+ - https://github.com/kubernetes-csi/external-snapshotter/
diff --git a/charts/snapshot-validation-webhook/LICENSE b/charts/snapshot-validation-webhook/LICENSE
new file mode 100644
index 0000000..261eeb9
--- /dev/null
+++ b/charts/snapshot-validation-webhook/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/snapshot-validation-webhook/README.md b/charts/snapshot-validation-webhook/README.md new file mode 100644 index 0000000..96e97c2 --- /dev/null +++ b/charts/snapshot-validation-webhook/README.md 
@@ -0,0 +1,96 @@
+# snapshot-validation-webhook
+
+Deploys the [snapshot-validation-webhook](https://github.com/kubernetes-csi/external-snapshotter/#validating-webhook)
+and configures your cluster to validate every `VolumeSnapshot` and `VolumeSnapshotContent` resource by sending it to
+the webhook.
+
+This webhook should be deployed on all clusters that are using the [`snapshot-controller`](../snapshot-controller) chart,
+or are in the process of installing it.
+
+## Usage
+
+Webhooks in Kubernetes are required to run on HTTPS. To that end, this charts needs to be configured with either
+
+* A [cert-manager.io](https://cert-manager.io) issuer able to create a certificate for the webhook service.
+
+ To use this method, create an override file like:
+ ```
+ tls:
+ certManagerIssuerRef:
+ name: internal-issuer
+ kind: ClusterIssuer
+ ```
+
+ To apply the override, use `--values `.
+
+* A pre-existing [`kubernetes.io/tls`] secret and the certificate of the CA used to sign said tls secret.
+
+ To use this method, set `--set tls.certificateSecret=`.
+ The secret must be in the same namespace as the deployment and be valid for `..svc`.
+
+## Upgrade from older CRDs
+
+In an effort to tighten validation, the CSI project started enforcing stricter requirements on `VolumeSnapshot` and
+`VolumeSnapshotContent` resources when switching from `v1beta1` to `v1` CRDs. This webhook is part of enforcing
+these requirements. When upgrading you [have to ensure non of your resources violate the requirements for `v1`].
+
+The upgrade procedure can be summarized by the following steps:
+
+1. Remove the old snapshot controller, if any (since you are upgrading, you probably already have one deployed manually).
+2. Install this webhook chart.
+3. Install the [snapshot controller](../snapshot-controller) using one of the [`3.x.x` releases]:
+
+ ```
+ helm install piraeus/snapshot-controller --set image.tag=v3.0.3
+ ```
+4. Ensure that none of the resources are labelled as invalid:
+
+ ```
+ kubectl get volumesnapshots --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+ kubectl get volumesnapshotcontents --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+ ```
+
+ If the above commands output any resource, they have to be removed
+
+5. Upgrade the CRDs
+
+ ```
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v4.1.1/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+ ```
+
+6. Upgrade the [snapshot controller](../snapshot-controller) to the latest version:
+
+ ```
+ helm upgrade piraeus/snapshot-controller --set image.tag=v4.1.1
+ ```
+
+## Configuration
+
+The following options are available:
+
+| Option | Usage | Default |
+|--------|-------|---------|
+| `replicaCount` | Number of replicas to deploy. | `1` |
+| `image.repository` | Repository to pull the image from. | `k8s.gcr.io/sig-storage/snapshot-validation-webhook` |
+| `image.pullPolicy` | Pull policy to use. Possible values: `IfNotPresent`, `Always`, `Never` | `IfNotPresent` |
+| `image.tag` | Override the tag to pull. If not given, defaults to charts `AppVersion`. | `""` |
+| `webhook.timeoutSeconds` | Timeout to use when contacting webhook server. | `2` |
+| `webhook.failurePolicy` | Policy to apply when webhook is unavailable. Possible values: `Fail`, `Ignore`. | `Fail` |
+| `tls.certificateSecret` | Name of the static tls secret to use for serving the HTTPS endpoint. | `""` |
+| `tls.certManagerIssuerRef` | Issuer to use for provisioning the TLS certificate. If this is used, `tls.certificateSecret` can be left empty. | `{}` |
+| `imagePullSecrets` | Image pull secrets to add to the deployment. | `[]` |
+| `podAnnotations` | Annotations to add to every pod in the deployment. | `{}` |
+| `podSecurityContext` | Security context to set on the webhook pod. | `{}` |
+| `securityContext` | Configure container security context. Defaults to dropping all capabilties and running as user 1000. | `{capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true, runAsNonRoot: true, runAsUser: 1000}`
+| `resources` | Resources to request and limit on the pod. | `{}` |
+| `nodeSelector` | Node selector to add to each webhook pod. | `{}` |
+| `tolerations` | Tolerations to add to each webhook pod. | `[]` |
+| `affinity` | Affinity to set on each webhook pod. | `{}` |
+| `serviceAccount.create` | Create the service account resource | `true` |
+| `serviceAccount.name` | Sets the name of the service account. If left empty, will use the release name as default | `""` |
+
+[`kubernetes.io/tls`]: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
+[`3.x.x` releases]: https://github.com/kubernetes-csi/external-snapshotter/releases
+[have to ensure non of your resources violate the requirements for `v1`]: https://github.com/kubernetes-csi/external-snapshotter#validating-webhook
diff --git a/charts/snapshot-validation-webhook/templates/NOTES.txt b/charts/snapshot-validation-webhook/templates/NOTES.txt
new file mode 100644
index 0000000..6c84c21
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/NOTES.txt
@@ -0,0 +1,33 @@
+Validation for VolumeSnapshots installed.
+
+Please run `helm test {{ .Release.Name }}` to ensure it's properly working.
+
+{{- if .Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta1" }}
+
+Your cluster is using snapshot.storage.k8s.io/v1beta resources. Before upgrading to a >= v4.0.0 release of the CRDs
+you MUST ensure that all existing snapshot resources are valid.
+
+The snapshot controller (>= v3.0.0) will label any invalid resources, which you can then inspect and delete as necessary:
+
+kubectl get volumesnapshots --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+kubectl get volumesnapshotcontents --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+
+After you deleted every invalid resource, you can upgrade the CRDs:
+
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+
+{{- else if not (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1") }}
+
+If everything is working as it should, you can proceed by adding the snapshot.storage.k8s.io CRDs to your cluster:
+
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+
+{{- else }}
+
+You already seem to have the latest snapshot.storage.k8s.io CRDs deployed on your cluster, so you are good to go.
+
+{{ end }}
diff --git a/charts/snapshot-validation-webhook/templates/_helpers.tpl b/charts/snapshot-validation-webhook/templates/_helpers.tpl
new file mode 100644
index 0000000..3cec047
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/_helpers.tpl
@@ -0,0 +1,69 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "snapshot-validation-webhook.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "snapshot-validation-webhook.fullname" -}}
+{{- if contains .Chart.Name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "snapshot-validation-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "snapshot-validation-webhook.labels" -}}
+helm.sh/chart: {{ include "snapshot-validation-webhook.chart" . }}
+{{ include "snapshot-validation-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "snapshot-validation-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "snapshot-validation-webhook.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "snapshot-validation-webhook.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "snapshot-validation-webhook.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Certificate secret name
+*/}}
+{{- define "snapshot-validation-webhook.certifcateName" -}}
+{{- if .Values.tls.certificateSecret }}
+{{- .Values.tls.certificateSecret }}
+{{- else }}
+{{- include "snapshot-validation-webhook.fullname" . }}-tls
+{{- end }}
+{{- end }}
diff --git a/charts/snapshot-validation-webhook/templates/_validate.tpl b/charts/snapshot-validation-webhook/templates/_validate.tpl
new file mode 100644
index 0000000..e69de29
diff --git a/charts/snapshot-validation-webhook/templates/certificate.yaml b/charts/snapshot-validation-webhook/templates/certificate.yaml
new file mode 100644
index 0000000..8d23997
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/certificate.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.tls.certManagerIssuerRef }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ secretName: {{ include "snapshot-validation-webhook.certifcateName" . }}
+ dnsNames:
+ - {{ include "snapshot-validation-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+ issuerRef:
+ {{- toYaml .Values.tls.certManagerIssuerRef | nindent 4 }}
+ privateKey:
+ rotationPolicy: Always
+{{ end }}
diff --git a/charts/snapshot-validation-webhook/templates/deployment.yaml b/charts/snapshot-validation-webhook/templates/deployment.yaml
new file mode 100644
index 0000000..c4a582f
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/deployment.yaml
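Review bot: The helper introduced at the end of the hunk is named `snapshot-validation-webhook.certifcateName`, with the first `i` dropped from "certificate", and certificate.yaml and deployment.yaml in this commit both reference that spelling. It works today because every caller is internal, but a template name behaves like an API once other charts or overlays start including it, so fixing it later means a breaking rename; define it as `{{- define "snapshot-validation-webhook.certificateName" -}}` now and update the two call sites.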
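Review bot: Nothing checks that at least one of `tls.certificateSecret` or `tls.certManagerIssuerRef` is set; with both at their README defaults this Certificate is skipped, yet the Deployment in this commit still mounts the `<fullname>-tls` Secret, so the pod stays in ContainerCreating while, given the README's `Fail` default for `webhook.failurePolicy`, the registered webhook presumably rejects every VolumeSnapshot and VolumeSnapshotContent write in the cluster. The empty `_validate.tpl` created alongside looks like the intended home for that check; a guard such as `{{- if and (not .Values.tls.certificateSecret) (not .Values.tls.certManagerIssuerRef) }}{{ fail "set tls.certificateSecret or tls.certManagerIssuerRef" }}{{- end }}` there, or at the top of this file, turns the silent cluster-wide outage into an install-time error. The untrimmed `{{ if` / `{{ end }}` here also emit a blank document when the block is skipped, harmless but inconsistent with the `{{- if` form the other templates use.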
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "snapshot-validation-webhook.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --tls-private-key-file=/etc/snapshot-validation/tls.key
+ - --tls-cert-file=/etc/snapshot-validation/tls.crt
+ - --port=8443
+ ports:
+ - name: https
+ containerPort: 8443
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/snapshot-validation
+ name: tls-config
+ livenessProbe:
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: tls-config
+ secret:
+ secretName: {{ include "snapshot-validation-webhook.certifcateName" . }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }} 
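Review bot: The pod spec does not set `automountServiceAccountToken: false`, so every replica receives a projected API token under /var/run/secrets/kubernetes.io/serviceaccount even though this commit binds no Role or ClusterRole to the service account and the container, as configured here, only serves TLS admission requests from the API server. Adding `automountServiceAccountToken: false` next to the `serviceAccountName:` line removes a credential the process has no visible use for; if the upstream binary does need API access, re-enabling the token should go together with an explicit RBAC binding in the chart so the grant is reviewable. A comment on the `volumes:` entry such as `# tls.key/tls.crt from the serving-cert Secret; the webhook fails to start without them` would also document why the mount is mandatory.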
diff --git a/charts/snapshot-validation-webhook/templates/service.yaml b/charts/snapshot-validation-webhook/templates/service.yaml
new file mode 100644
index 0000000..05963d7
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 4 }}
+---
diff --git a/charts/snapshot-validation-webhook/templates/serviceaccount.yaml b/charts/snapshot-validation-webhook/templates/serviceaccount.yaml
new file mode 100644
index 0000000..d5a567d
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "snapshot-validation-webhook.serviceAccountName" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/snapshot-validation-webhook/templates/tests/test-invalid-body.yaml b/charts/snapshot-validation-webhook/templates/tests/test-invalid-body.yaml
new file mode 100644
index 0000000..aff33eb
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/tests/test-invalid-body.yaml 
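Review bot: service.yaml ends with a bare `---` after the selector block, which renders an empty trailing YAML document; it is harmless to Helm and kubectl but inconsistent with every other template in this commit, none of which emits a trailing separator, and it is the kind of thing strict manifest linters flag. Drop the final `---` line.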
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "snapshot-validation-webhook.fullname" . }}-test-invalid-body"
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: curl
+ image: curlimages/curl
+ args:
+ - sh
+ - -exc
+ - |
+ curl -kfsS -X POST -H 'Content-Type: application/json' -d '{{ .Files.Get "tests/invalid-admission.json" | trim }}' https://{{ include "snapshot-validation-webhook.fullname" . }}/volumesnapshot | grep -c '"allowed":false'
+ restartPolicy: Never
diff --git a/charts/snapshot-validation-webhook/templates/tests/test-valid-body.yaml b/charts/snapshot-validation-webhook/templates/tests/test-valid-body.yaml
new file mode 100644
index 0000000..fa95825
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/tests/test-valid-body.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "snapshot-validation-webhook.fullname" . }}-test-valid-body"
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: curl
+ image: curlimages/curl
+ args:
+ - sh
+ - -exc
+ - |
+ curl -kfsS -X POST -H 'Content-Type: application/json' -d '{{ .Files.Get "tests/valid-admission.json" | trim }}' https://{{ include "snapshot-validation-webhook.fullname" . }}/volumesnapshot | grep -c '"allowed":true'
+ restartPolicy: Never
diff --git a/charts/snapshot-validation-webhook/templates/webhook.yaml b/charts/snapshot-validation-webhook/templates/webhook.yaml
new file mode 100644
index 0000000..92897a0
--- /dev/null
+++ b/charts/snapshot-validation-webhook/templates/webhook.yaml 
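Review bot: The test container's `image: curlimages/curl` has no tag or digest, so every `helm test` run pulls whatever the floating `latest` tag currently points to — an unpinned dependency that makes the hook non-reproducible and lets an unreviewed upstream change run inside the cluster; pin it (`image: curlimages/curl:<version>` or `curlimages/curl@sha256:<digest>`, placeholders) and preferably expose it as a value so mirrored registries can be used. The same applies to test-valid-body.yaml in this commit. Separately, `curl -k` disables server certificate verification, which is acceptable for a smoke test of the admission verdict but means the hook says nothing about the certificate chain the API server will validate; a comment on the curl line such as `# -k: this only checks the allowed/denied verdict, the serving cert is not verified here` makes that limitation explicit. The test pod also inherits none of the hardening applied to the main deployment (no `securityContext`, no `resources`), which is worth aligning for clusters that enforce Pod Security Standards on test hooks.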
@@ -0,0 +1,43 @@
+{{- if and (not .Values.tls.certManagerIssuerRef) (not .Values.tls.certificateSecret) }}
+ {{ fail "Either set 'tls.certificateSecret' to the name of a kubernetes.io/tls secret or set 'tls.certManagerIssuerRef' to reference an existing cert-manager issuer." }}
+{{- end }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+ {{- if .Values.tls.certManagerIssuerRef }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "snapshot-validation-webhook.fullname" . }}
+ {{- end }}
+webhooks:
+ - name: {{ include "snapshot-validation-webhook.name" . }}.csi.kubernetes.io
+ rules:
+ - apiGroups:
+ - snapshot.storage.k8s.io
+ apiVersions:
+ - v1
+ - v1beta1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - volumesnapshots
+ - volumesnapshotcontents
+ scope: "*"
+ clientConfig:
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ path: "/volumesnapshot"
+ {{- if .Values.tls.certificateSecret }}
+ caBundle: {{ get (lookup "v1" "Secret" .Release.Namespace .Values.tls.certificateSecret).data "ca.crt" }}
+ {{- end }}
+ admissionReviewVersions:
+ - v1
+ - v1beta1
+ sideEffects: None
+ failurePolicy: {{ .Values.webhook.failurePolicy }}
+ timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
diff --git a/charts/snapshot-validation-webhook/tests/invalid-admission.json b/charts/snapshot-validation-webhook/tests/invalid-admission.json
new file mode 100644
index 0000000..5bde3fe
--- /dev/null
+++ b/charts/snapshot-validation-webhook/tests/invalid-admission.json 
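Review bot: The `caBundle:` line reads `ca.crt` from the referenced Secret without checking that the key exists: a `kubernetes.io/tls` Secret is only required to carry `tls.crt` and `tls.key`, and `lookup` returns an empty object when the Secret is absent or when rendering with `helm template`/`--dry-run`, so in those cases the value is empty (or `get` fails with an opaque type error — I have not verified which) and the API server cannot verify the webhook's serving certificate. With the default `failurePolicy: Fail` that blocks every VolumeSnapshot create and update in the cluster; with `Ignore` the validation is silently bypassed, so either outcome is worse than a clear install-time error. Wrap the value in `required`, e.g. `caBundle: {{ required "Secret named by tls.certificateSecret must carry the CA under a 'ca.crt' key" (get (lookup "v1" "Secret" .Release.Namespace .Values.tls.certificateSecret).data "ca.crt") }}`, or accept the CA bundle directly as a chart value so rendering does not depend on live cluster state.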
@@ -0,0 +1 @@
+{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"dryRun":true,"kind":{"group":"snapshot.storage.k8s.io","kind":"VolumeSnapshot","version":"v1beta1"},"name":"valid-snapshot","namespace":"test","object":{"apiVersion":"snapshot.storage.k8s.io/v1","kind":"VolumeSnapshot","metadata":{"name":"valid-snapshot","namespace":"test","uid":"30c34ffe-6d19-40a6-b1a4-3afe5936e673"},"spec":{"source":{"persistentVolumeClaimName":"some-claim","volumeSnapshotContentName":"some-snap"},"volumeSnapshotClassName":"snapshot-class"}},"oldObject":null,"operation":"CREATE","requestKind":{"group":"snapshot.storage.k8s.io","kind":"VolumeSnapshot","version":"v1beta1"},"requestResource":{"group":"snapshot.storage.k8s.io","resource":"volumesnapshots","version":"v1beta1"},"resource":{"group":"snapshot.storage.k8s.io","resource":"volumesnapshots","version":"v1beta1"},"uid":"705ab4f5-6393-11e8-b7cc-42010a800002"}}
diff --git a/charts/snapshot-validation-webhook/tests/valid-admission.json b/charts/snapshot-validation-webhook/tests/valid-admission.json
new file mode 100644
index 0000000..d7a49d3
--- /dev/null
+++ b/charts/snapshot-validation-webhook/tests/valid-admission.json 
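Review bot: The invalid fixture's object is still named `valid-snapshot` in both `metadata.name` and `request.name`, and it reuses the same object and request `uid` values as valid-admission.json, so the only difference between the two bodies is that this one sets both `persistentVolumeClaimName` and `volumeSnapshotContentName` under `spec.source`. Renaming it to `invalid-snapshot` and giving it distinct uids would make webhook log lines from the two `helm test` pods distinguishable, and a one-sentence note in the chart README stating that two sources in one VolumeSnapshot is what the webhook must reject would save the next maintainer from diffing the files. Since the fixture is spliced into a single-quoted shell string by test-invalid-body.yaml, any future edit that adds a `'` to the JSON will break the hook; that constraint is worth a comment next to the `.Files.Get` call.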
@@ -0,0 +1 @@
+{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"dryRun":true,"kind":{"group":"snapshot.storage.k8s.io","kind":"VolumeSnapshot","version":"v1beta1"},"name":"valid-snapshot","namespace":"test","object":{"apiVersion":"snapshot.storage.k8s.io/v1","kind":"VolumeSnapshot","metadata":{"name":"valid-snapshot","namespace":"test","uid":"30c34ffe-6d19-40a6-b1a4-3afe5936e673"},"spec":{"source":{"persistentVolumeClaimName":"some-claim"},"volumeSnapshotClassName":"snapshot-class"}},"oldObject":null,"operation":"CREATE","requestKind":{"group":"snapshot.storage.k8s.io","kind":"VolumeSnapshot","version":"v1beta1"},"requestResource":{"group":"snapshot.storage.k8s.io","resource":"volumesnapshots","version":"v1beta1"},"resource":{"group":"snapshot.storage.k8s.io","resource":"volumesnapshots","version":"v1beta1"},"uid":"705ab4f5-6393-11e8-b7cc-42010a800002"}}
diff --git a/charts/snapshot-validation-webhook/values.yaml b/charts/snapshot-validation-webhook/values.yaml
new file mode 100644
index 0000000..68e17c5
--- /dev/null
+++ b/charts/snapshot-validation-webhook/values.yaml
@@ -0,0 +1,41 @@
+replicaCount: 1
+
+image:
+ repository: k8s.gcr.io/sig-storage/snapshot-validation-webhook
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+webhook:
+ timeoutSeconds: 2
+ failurePolicy: Fail
+
+tls:
+ certificateSecret: ""
+ certManagerIssuerRef: {}
+
+imagePullSecrets: []
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+serviceAccount:
+ create: true
+ name: ""
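Review bot: `securityContext` drops all capabilities and runs as non-root but leaves out `allowPrivilegeEscalation: false` and a `seccompProfile`, both of which the restricted Pod Security Standard expects; add `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` under `securityContext` (the latter needs Kubernetes 1.19 or newer, so document that if older clusters are a target). The `tls` keys carry no commentary even though webhook.yaml depends on their exact shape: a comment such as `# certificateSecret: existing kubernetes.io/tls Secret in the release namespace; it must also hold the CA under 'ca.crt', which webhook.yaml injects as caBundle` and `# certManagerIssuerRef: issuerRef for a cert-manager Certificate; the CA is then injected via cert-manager.io/inject-ca-from` would put the requirement where users set the value. `failurePolicy: Fail` is the safer fail-closed default; a one-line comment noting that `Ignore` fails open and skips validation whenever the webhook is unreachable would help operators change it deliberately rather than to silence an outage.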