Compare commits
1 Commits
main
...
renovate/k
Author | SHA1 | Date | |
---|---|---|---|
2808b53b35 |
@ -1,6 +1,6 @@
|
|||||||
# kubezero-argo
|
# kubezero-argo
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
KubeZero Argo - Events, Workflow, CD
|
KubeZero Argo - Events, Workflow, CD
|
||||||
|
|
||||||
@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://argoproj.github.io/argo-helm | argo-cd | 8.0.14 |
|
| https://argoproj.github.io/argo-helm | argo-cd | 8.0.9 |
|
||||||
| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
|
| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
|
||||||
| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.2 |
|
| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
|
||||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
@ -53,7 +53,7 @@ Kubernetes: `>= 1.30.0-0`
|
|||||||
| argo-cd.dex.enabled | bool | `false` | |
|
| argo-cd.dex.enabled | bool | `false` | |
|
||||||
| argo-cd.enabled | bool | `false` | |
|
| argo-cd.enabled | bool | `false` | |
|
||||||
| argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | |
|
| argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | |
|
||||||
| argo-cd.global.image.tag | string | `"v3.0.5"` | |
|
| argo-cd.global.image.tag | string | `"v3.0.3"` | |
|
||||||
| argo-cd.global.logging.format | string | `"json"` | |
|
| argo-cd.global.logging.format | string | `"json"` | |
|
||||||
| argo-cd.global.networkPolicy.create | bool | `true` | |
|
| argo-cd.global.networkPolicy.create | bool | `true` | |
|
||||||
| argo-cd.istio.enabled | bool | `false` | |
|
| argo-cd.istio.enabled | bool | `false` | |
|
||||||
@ -83,8 +83,8 @@ Kubernetes: `>= 1.30.0-0`
|
|||||||
| argo-events.configs.jetstream.streamConfig.maxMsgs | int | `1000000` | Maximum number of messages before expiring oldest message |
|
| argo-events.configs.jetstream.streamConfig.maxMsgs | int | `1000000` | Maximum number of messages before expiring oldest message |
|
||||||
| argo-events.configs.jetstream.streamConfig.replicas | int | `1` | Number of replicas, defaults to 3 and requires minimal 3 |
|
| argo-events.configs.jetstream.streamConfig.replicas | int | `1` | Number of replicas, defaults to 3 and requires minimal 3 |
|
||||||
| argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.14.1"` | |
|
| argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.14.1"` | |
|
||||||
| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.17.3"` | |
|
| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.17.2"` | |
|
||||||
| argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.11.4-scratch"` | |
|
| argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.11.1-scratch"` | |
|
||||||
| argo-events.configs.jetstream.versions[0].startCommand | string | `"/nats-server"` | |
|
| argo-events.configs.jetstream.versions[0].startCommand | string | `"/nats-server"` | |
|
||||||
| argo-events.configs.jetstream.versions[0].version | string | `"2.10.11"` | |
|
| argo-events.configs.jetstream.versions[0].version | string | `"2.10.11"` | |
|
||||||
| argo-events.enabled | bool | `false` | |
|
| argo-events.enabled | bool | `false` | |
|
||||||
|
@ -26,7 +26,6 @@ spec:
|
|||||||
prune: true
|
prune: true
|
||||||
syncOptions:
|
syncOptions:
|
||||||
- ApplyOutOfSyncOnly=true
|
- ApplyOutOfSyncOnly=true
|
||||||
- ServerSideApply=true
|
|
||||||
info:
|
info:
|
||||||
- name: "Source:"
|
- name: "Source:"
|
||||||
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.32/"
|
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.32/"
|
||||||
|
@ -27,7 +27,7 @@ argo-events:
|
|||||||
- version: 2.10.11
|
- version: 2.10.11
|
||||||
natsImage: nats:2.11.4-scratch
|
natsImage: nats:2.11.4-scratch
|
||||||
metricsExporterImage: natsio/prometheus-nats-exporter:0.17.3
|
metricsExporterImage: natsio/prometheus-nats-exporter:0.17.3
|
||||||
configReloaderImage: natsio/nats-server-config-reloader:0.18.0
|
configReloaderImage: natsio/nats-server-config-reloader:0.14.1
|
||||||
startCommand: /nats-server
|
startCommand: /nats-server
|
||||||
|
|
||||||
argo-cd:
|
argo-cd:
|
||||||
@ -38,7 +38,7 @@ argo-cd:
|
|||||||
format: json
|
format: json
|
||||||
image:
|
image:
|
||||||
repository: public.ecr.aws/zero-downtime/zdt-argocd
|
repository: public.ecr.aws/zero-downtime/zdt-argocd
|
||||||
tag: v3.0.5
|
tag: v3.0.3
|
||||||
networkPolicy:
|
networkPolicy:
|
||||||
create: true
|
create: true
|
||||||
|
|
||||||
@ -63,10 +63,6 @@ argo-cd:
|
|||||||
application.instanceLabelKey: Null
|
application.instanceLabelKey: Null
|
||||||
server.rbac.log.enforce.enable: Null
|
server.rbac.log.enforce.enable: Null
|
||||||
|
|
||||||
resource.compareoptions: |
|
|
||||||
# disables status field diffing in specified resource types
|
|
||||||
ignoreAggregatedRoles: true
|
|
||||||
|
|
||||||
resource.customizations: |
|
resource.customizations: |
|
||||||
argoproj.io/Application:
|
argoproj.io/Application:
|
||||||
health.lua: |
|
health.lua: |
|
||||||
|
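Review bot: Dropping `resource.compareoptions: |` / `ignoreAggregatedRoles: true` from the argo-cd `configs.cm` block (the three left-only lines in the middle of the last hunk) makes Argo CD diff the controller-populated `rules` of aggregated ClusterRoles, which typically shows up as Applications that never leave OutOfSync and, with `prune: true` and `ApplyOutOfSyncOnly=true` used elsewhere in this diff, as needless re-applies on every sync. If the goal was only to trim the ConfigMap, keep those two lines. Separately, the same file moves `argo-cd.global.image.tag` from `v3.0.5` to `v3.0.3` and `natsio/nats-server-config-reloader` from `0.18.0` to `0.14.1`; if the right column is the head branch, that is a downgrade of patched images and reads like a stale branch that needs a rebase rather than an intended change. The `configs.cm` mapping starts above the hunk.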
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-falco
|
name: kubezero-falco
|
||||||
description: Falco Container Security and Audit components
|
description: Falco Container Security and Audit components
|
||||||
type: application
|
type: application
|
||||||
version: 0.1.3
|
version: 0.1.4
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -16,7 +16,7 @@ dependencies:
|
|||||||
version: 0.2.1
|
version: 0.2.1
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
repository: https://cdn.zero-downtime.net/charts/
|
||||||
- name: falco
|
- name: falco
|
||||||
version: 5.0.0
|
version: 5.0.3
|
||||||
repository: https://falcosecurity.github.io/charts
|
repository: https://falcosecurity.github.io/charts
|
||||||
condition: k8saudit.enabled
|
condition: k8saudit.enabled
|
||||||
alias: k8saudit
|
alias: k8saudit
|
||||||
|
@ -3,10 +3,6 @@ nats:
|
|||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
config:
|
config:
|
||||||
cluster:
|
|
||||||
routeURLs:
|
|
||||||
useFQDN: true
|
|
||||||
|
|
||||||
jetstream:
|
jetstream:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
|
@ -13,14 +13,8 @@ maintainers:
|
|||||||
- name: Stefan Reimer
|
- name: Stefan Reimer
|
||||||
email: stefan@zero-downtime.net
|
email: stefan@zero-downtime.net
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
|
||||||
version: 0.2.1
|
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
|
||||||
- name: kyverno
|
- name: kyverno
|
||||||
version: 3.4.2
|
version: 3.4.2
|
||||||
repository: https://kyverno.github.io/kyverno/
|
repository: https://kyverno.github.io/kyverno/
|
||||||
condition: kyverno.enabled
|
condition: kyverno.enabled
|
||||||
- name: policies
|
|
||||||
version: 0.1.0
|
|
||||||
condition: policies.enabled
|
|
||||||
kubeVersion: ">= 1.30.0-0"
|
kubeVersion: ">= 1.30.0-0"
|
||||||
|
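Review bot: Removing the `policies` dependency (with its `condition: policies.enabled`) from the kyverno chart also removes the only place the `disallow-container-sock-mounts` and `add-aws-iam-pod-identity` ClusterPolicies were shipped, so clusters lose the admission rule that blocks hostPath mounts of the CRI sockets unless it is provided elsewhere; nothing else in this diff re-adds it. If that is deliberate, state it in the commit message and point at the replacement; if the right column is simply an older branch state, this needs a rebase rather than a merge. Dropping `kubezero-lib` as a dependency also means any template still in this chart that calls a `kubezero-lib.*` helper will fail to render — confirm none remain after the deletions in this compare.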
@ -18,8 +18,6 @@ Kubernetes: `>= 1.30.0-0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | policies | 0.1.0 |
|
|
||||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
|
|
||||||
| https://kyverno.github.io/kyverno/ | kyverno | 3.4.2 |
|
| https://kyverno.github.io/kyverno/ | kyverno | 3.4.2 |
|
||||||
|
|
||||||
# Kyverno
|
# Kyverno
|
||||||
@ -28,22 +26,4 @@ Kubernetes: `>= 1.30.0-0`
|
|||||||
|
|
||||||
| Key | Type | Default | Description |
|
| Key | Type | Default | Description |
|
||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| kyverno.admissionController.revisionHistoryLimit | int | `2` | |
|
|
||||||
| kyverno.backgroundController.revisionHistoryLimit | int | `2` | |
|
|
||||||
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].apiGroups[0] | string | `"postgresql.cnpg.io"` | |
|
|
||||||
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].resources[0] | string | `"backups"` | |
|
|
||||||
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[0] | string | `"delete"` | |
|
|
||||||
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[1] | string | `"list"` | |
|
|
||||||
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[2] | string | `"watch"` | |
|
|
||||||
| kyverno.cleanupController.revisionHistoryLimit | int | `2` | |
|
|
||||||
| kyverno.config.preserve | bool | `false` | |
|
|
||||||
| kyverno.config.webhookAnnotations."argocd.argoproj.io/installation-id" | string | `"KubeZero-ArgoCD"` | |
|
|
||||||
| kyverno.crds.migration.enabled | bool | `false` | |
|
|
||||||
| kyverno.enabled | bool | `false` | |
|
| kyverno.enabled | bool | `false` | |
|
||||||
| kyverno.features.logging.format | string | `"json"` | |
|
|
||||||
| kyverno.grafana.enabled | bool | `false` | |
|
|
||||||
| kyverno.policyReportsCleanup.enabled | bool | `false` | |
|
|
||||||
| kyverno.reportsController.enabled | bool | `false` | |
|
|
||||||
| kyverno.reportsController.revisionHistoryLimit | int | `2` | |
|
|
||||||
| kyverno.webhooksCleanup.autoDeleteWebhooks.enabled | bool | `true` | |
|
|
||||||
| kyverno.webhooksCleanup.enabled | bool | `true` | |
|
|
||||||
|
@ -1,18 +0,0 @@
|
|||||||
apiVersion: v2
|
|
||||||
name: policies
|
|
||||||
description: KubeZero collection of Kyverno policies
|
|
||||||
type: application
|
|
||||||
version: 0.1.0
|
|
||||||
home: https://kubezero.com
|
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
|
||||||
keywords:
|
|
||||||
- kubezero
|
|
||||||
- kyverno
|
|
||||||
maintainers:
|
|
||||||
- name: Stefan Reimer
|
|
||||||
email: stefan@zero-downtime.net
|
|
||||||
dependencies:
|
|
||||||
- name: kubezero-lib
|
|
||||||
version: 0.2.1
|
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
|
||||||
kubeVersion: ">= 1.30.0-0"
|
|
@ -1,18 +0,0 @@
|
|||||||
{{ template "chart.header" . }}
|
|
||||||
{{ template "chart.deprecationWarning" . }}
|
|
||||||
|
|
||||||
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
|
|
||||||
|
|
||||||
{{ template "chart.description" . }}
|
|
||||||
|
|
||||||
{{ template "chart.homepageLine" . }}
|
|
||||||
|
|
||||||
{{ template "chart.maintainersSection" . }}
|
|
||||||
|
|
||||||
{{ template "chart.sourcesSection" . }}
|
|
||||||
|
|
||||||
{{ template "chart.requirementsSection" . }}
|
|
||||||
|
|
||||||
# Kyverno
|
|
||||||
|
|
||||||
{{ template "chart.valuesSection" . }}
|
|
@ -1,70 +0,0 @@
|
|||||||
{{- if .Values.aws.enabled }}
|
|
||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: add-aws-iam-pod-identity
|
|
||||||
annotations:
|
|
||||||
policies.kyverno.io/title: AWS Pod Identity
|
|
||||||
policies.kyverno.io/category: aws
|
|
||||||
kyverno.io/kyverno-version: 1.14.0
|
|
||||||
kyverno.io/kubernetes-version: "1.31"
|
|
||||||
policies.kyverno.io/subject: Pod
|
|
||||||
policies.kyverno.io/description: >-
|
|
||||||
This provides the EKS Pod Identity Webhook functionality for KubeZero.
|
|
||||||
Pods having a service account annotated with \"kubezero.com/aws-iam-role-arn\"
|
|
||||||
will get the required environment variables as well as volumes injected
|
|
||||||
to make the SDKs automatically find and use the IAM role.
|
|
||||||
spec:
|
|
||||||
useServerSideApply: true
|
|
||||||
background: false
|
|
||||||
rules:
|
|
||||||
- name: add-aws-iam-oidc-mapping
|
|
||||||
context:
|
|
||||||
- name: saAnnotations
|
|
||||||
apiCall:
|
|
||||||
urlPath: "/api/v1/namespaces/{{`{{request.namespace}}`}}/serviceaccounts/{{`{{request.object.spec.serviceAccountName}}`}}"
|
|
||||||
jmesPath: "metadata.annotations || ''"
|
|
||||||
match:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
kinds:
|
|
||||||
- Pod
|
|
||||||
operations:
|
|
||||||
- CREATE
|
|
||||||
preconditions:
|
|
||||||
all:
|
|
||||||
- key: "{{`{{request.object.spec.serviceAccountName || '' }}`}}"
|
|
||||||
operator: NotEquals
|
|
||||||
value: ""
|
|
||||||
- key: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" || '' }}`}}"
|
|
||||||
operator: NotEquals
|
|
||||||
value: ""
|
|
||||||
mutate:
|
|
||||||
foreach:
|
|
||||||
- list: "request.object.spec.containers"
|
|
||||||
patchStrategicMerge:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- (name): "{{`{{ element.name }}`}}"
|
|
||||||
env:
|
|
||||||
- name: AWS_REGION
|
|
||||||
value: {{ .Values.aws.region }}
|
|
||||||
- name: AWS_ROLE_ARN
|
|
||||||
value: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" }}`}}"
|
|
||||||
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
|
||||||
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
|
|
||||||
- name: AWS_STS_REGIONAL_ENDPOINTS
|
|
||||||
value: regional
|
|
||||||
volumeMounts:
|
|
||||||
- name: aws-token
|
|
||||||
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
|
|
||||||
readOnly: true
|
|
||||||
volumes:
|
|
||||||
- name: aws-token
|
|
||||||
projected:
|
|
||||||
sources:
|
|
||||||
- serviceAccountToken:
|
|
||||||
path: token
|
|
||||||
expirationSeconds: 86400
|
|
||||||
audience: "sts.amazonaws.com"
|
|
||||||
{{- end }}
|
|
@ -1,62 +0,0 @@
|
|||||||
{{- if .Values.bestPractices.enabled }}
|
|
||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: disallow-container-sock-mounts
|
|
||||||
annotations:
|
|
||||||
policies.kyverno.io/title: Disallow CRI socket mounts in CEL expressions
|
|
||||||
policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
|
|
||||||
policies.kyverno.io/severity: medium
|
|
||||||
policies.kyverno.io/subject: Pod
|
|
||||||
policies.kyverno.io/minversion: 1.11.0
|
|
||||||
kyverno.io/kubernetes-version: "1.26-1.27"
|
|
||||||
policies.kyverno.io/description: >-
|
|
||||||
Container daemon socket bind mounts allows access to the container engine on the
|
|
||||||
node. This access can be used for privilege escalation and to manage containers
|
|
||||||
outside of Kubernetes, and hence should not be allowed. This policy validates that
|
|
||||||
the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition
|
|
||||||
to or replacement of this policy, preventing users from mounting the parent directories
|
|
||||||
(/var/run and /var) may be necessary to completely prevent socket bind mounts.
|
|
||||||
spec:
|
|
||||||
background: true
|
|
||||||
rules:
|
|
||||||
- name: validate-socket-mounts
|
|
||||||
match:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
kinds:
|
|
||||||
- Pod
|
|
||||||
operations:
|
|
||||||
- CREATE
|
|
||||||
- UPDATE
|
|
||||||
validate:
|
|
||||||
failureAction: Enforce
|
|
||||||
cel:
|
|
||||||
variables:
|
|
||||||
- name: hasVolumes
|
|
||||||
expression: "!has(object.spec.volumes)"
|
|
||||||
- name: volumes
|
|
||||||
expression: "object.spec.volumes"
|
|
||||||
- name: volumesWithHostPath
|
|
||||||
expression: "variables.volumes.filter(volume, has(volume.hostPath))"
|
|
||||||
expressions:
|
|
||||||
- expression: >-
|
|
||||||
variables.hasVolumes ||
|
|
||||||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/docker.sock'))
|
|
||||||
message: "Use of the Docker Unix socket is not allowed."
|
|
||||||
|
|
||||||
- expression: >-
|
|
||||||
variables.hasVolumes ||
|
|
||||||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/containerd/containerd.sock'))
|
|
||||||
message: "Use of the Containerd Unix socket is not allowed."
|
|
||||||
|
|
||||||
- expression: >-
|
|
||||||
variables.hasVolumes ||
|
|
||||||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/crio/crio.sock'))
|
|
||||||
message: "Use of the CRI-O Unix socket is not allowed."
|
|
||||||
|
|
||||||
- expression: >-
|
|
||||||
variables.hasVolumes ||
|
|
||||||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock'))
|
|
||||||
message: "Use of the Docker CRI socket is not allowed."
|
|
||||||
{{- end }}
|
|
@ -1,9 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
set -ex
|
|
||||||
|
|
||||||
. ../../scripts/lib-update.sh
|
|
||||||
|
|
||||||
login_ecr_public
|
|
||||||
update_helm
|
|
||||||
|
|
||||||
update_docs
|
|
@ -1,6 +0,0 @@
|
|||||||
bestPractices:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
aws:
|
|
||||||
enabled: false
|
|
||||||
region: us-west-2
|
|
@ -1,52 +0,0 @@
|
|||||||
{{- if and false .Values.kyverno.enabled }}
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: {{ template "kubezero-lib.fullname" . }}-admission-tls
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ include "kubezero-lib.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
secretName: {{ template "kubezero-lib.fullname" . }}-kyverno-svc.{{ .Release.Namespace }}.svc.kyverno-tls-pair
|
|
||||||
issuerRef:
|
|
||||||
name: kubezero-local-ca-issuer
|
|
||||||
kind: ClusterIssuer
|
|
||||||
duration: 8760h0m0s
|
|
||||||
privateKey:
|
|
||||||
encoding: PKCS8
|
|
||||||
usages:
|
|
||||||
- "client auth"
|
|
||||||
- "server auth"
|
|
||||||
commonName: {{ template "kubezero-lib.fullname" . }}-admission
|
|
||||||
dnsNames:
|
|
||||||
# <cluster-name>-<nodepool-component>-<index>
|
|
||||||
- 'kyverno-svc'
|
|
||||||
- 'kyverno-svc.{{ .Release.Namespace }}'
|
|
||||||
- 'kyverno-svc.{{ .Release.Namespace }}.svc'
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: {{ template "kubezero-lib.fullname" . }}-cleanup-tls
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ include "kubezero-lib.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
secretName: {{ template "kubezero-lib.fullname" . }}-kyverno-cleanup-controller.{{ .Release.Namespace }}.svc.kyverno-tls-pair
|
|
||||||
issuerRef:
|
|
||||||
name: kubezero-local-ca-issuer
|
|
||||||
kind: ClusterIssuer
|
|
||||||
duration: 8760h0m0s
|
|
||||||
privateKey:
|
|
||||||
encoding: PKCS8
|
|
||||||
usages:
|
|
||||||
- "client auth"
|
|
||||||
- "server auth"
|
|
||||||
commonName: {{ template "kubezero-lib.fullname" . }}-cleanup-controller
|
|
||||||
dnsNames:
|
|
||||||
# <cluster-name>-<nodepool-component>-<index>
|
|
||||||
- 'kyverno-cleanup-controller'
|
|
||||||
- 'kyverno-cleanup-controller.{{ .Release.Namespace }}'
|
|
||||||
- 'kyverno-cleanup-controller.{{ .Release.Namespace }}.svc'
|
|
||||||
{{- end }}
|
|
@ -1,57 +1,2 @@
|
|||||||
kyverno:
|
kyverno:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
# Disable hooks being triggered during each sync
|
|
||||||
policyReportsCleanup:
|
|
||||||
enabled: false
|
|
||||||
webhooksCleanup:
|
|
||||||
enabled: true
|
|
||||||
autoDeleteWebhooks:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
crds:
|
|
||||||
migration:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
# templating:
|
|
||||||
# enabled: true
|
|
||||||
|
|
||||||
config:
|
|
||||||
preserve: false
|
|
||||||
webhookAnnotations:
|
|
||||||
argocd.argoproj.io/installation-id: KubeZero-ArgoCD
|
|
||||||
# Unfortunately Argo needs different values for Mutating and Validating hooks so disabled for now
|
|
||||||
# argocd.argoproj.io/tracking-id: policy:/ServiceAccount:kyverno/kyverno-admission-controller
|
|
||||||
|
|
||||||
features:
|
|
||||||
logging:
|
|
||||||
format: json
|
|
||||||
|
|
||||||
# Enabled via kubezero global metrics flag
|
|
||||||
grafana:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
admissionController:
|
|
||||||
revisionHistoryLimit: 2
|
|
||||||
|
|
||||||
cleanupController:
|
|
||||||
revisionHistoryLimit: 2
|
|
||||||
rbac:
|
|
||||||
clusterRole:
|
|
||||||
extraResources:
|
|
||||||
# Allow to clean up postgreSQL backups
|
|
||||||
- apiGroups:
|
|
||||||
- postgresql.cnpg.io
|
|
||||||
resources:
|
|
||||||
- backups
|
|
||||||
verbs:
|
|
||||||
- delete
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
|
|
||||||
backgroundController:
|
|
||||||
revisionHistoryLimit: 2
|
|
||||||
|
|
||||||
reportsController:
|
|
||||||
revisionHistoryLimit: 2
|
|
||||||
enabled: false
|
|
||||||
|
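Review bot: Collapsing values.yaml to just `kyverno.enabled: false` silently reverts every setting pinned here to the upstream chart default, including `reportsController.enabled: false`, `policyReportsCleanup.enabled: false` and the `webhooksCleanup`/`config.preserve` choices that the removed comment `# Disable hooks being triggered during each sync` says were made for Argo CD syncs. It also drops the `argocd.argoproj.io/installation-id: KubeZero-ArgoCD` webhook annotation, presumably there so Argo CD's installation-ID tracking treats the Kyverno-managed webhook configurations as its own. If the intent is to move these into the parent chart's `policy-values` template, that template's hunk does not currently carry them. On the plus side the cleanup controller no longer gets `delete` on `postgresql.cnpg.io/backups`; confirm no cleanup policy relied on that grant.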
@ -10,8 +10,7 @@ metadata:
|
|||||||
labels:
|
labels:
|
||||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||||
annotations:
|
annotations:
|
||||||
argocd.argoproj.io/compare-options: IncludeMutationWebhook=true
|
argocd.argoproj.io/sync-options: Replace=true
|
||||||
# argocd.argoproj.io/sync-options: Replace=true
|
|
||||||
{{- with ( index .Values $name "annotations" ) }}
|
{{- with ( index .Values $name "annotations" ) }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -42,7 +41,6 @@ spec:
|
|||||||
syncOptions:
|
syncOptions:
|
||||||
- CreateNamespace=true
|
- CreateNamespace=true
|
||||||
- ApplyOutOfSyncOnly=true
|
- ApplyOutOfSyncOnly=true
|
||||||
- ServerSideApply=true
|
|
||||||
info:
|
info:
|
||||||
- name: "Source:"
|
- name: "Source:"
|
||||||
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}"
|
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}"
|
||||||
|
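Review bot: Enabling `argocd.argoproj.io/sync-options: Replace=true` unconditionally in this shared Application template turns every KubeZero addon sync into `kubectl replace`/`create` instead of a three-way apply, so fields set on existing objects by other controllers are overwritten on each sync and objects whose immutable fields changed may fail or be recreated; together with the `- ServerSideApply=true` option dropped in the second hunk, large CRDs such as Kyverno's are again subject to the client-side `last-applied-configuration` size limit, which is presumably why Replace was turned on. The template already merges per-addon annotations via `{{- with ( index .Values $name "annotations" ) }}`, so scope the option to the addon that needs it there — e.g. under the addon's values, `annotations:` / `argocd.argoproj.io/sync-options: Replace=true` (the `policy:` entry in the top-level values, if that is this chart's `$name`) — and keep the default path on server-side apply. Removing `compare-options: IncludeMutationWebhook=true` is consistent with leaving SSA, but resources mutated at admission (Kyverno's own mutations included) will then diff as OutOfSync. The Application template starts above the first hunk.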
@ -10,9 +10,9 @@ argo-cd:
|
|||||||
params:
|
params:
|
||||||
{{- if not $.Values.global.highAvailable }}
|
{{- if not $.Values.global.highAvailable }}
|
||||||
# Reduce load on API server on single node control plane
|
# Reduce load on API server on single node control plane
|
||||||
controller.status.processors: 4
|
controller.status.processors: 2
|
||||||
controller.operation.processors: 2
|
controller.operation.processors: 1
|
||||||
controller.kubectl.parallelism.limit: 2
|
controller.kubectl.parallelism.limit: 1
|
||||||
{{- else }}
|
{{- else }}
|
||||||
controller.status.processors: 8
|
controller.status.processors: 8
|
||||||
controller.operation.processors: 4
|
controller.operation.processors: 4
|
||||||
|
@ -1,36 +1,6 @@
|
|||||||
{{- define "policy-values" }}
|
{{- define "policy-values" }}
|
||||||
kyverno:
|
kyverno:
|
||||||
{{- if eq .Values.global.platform "aws" }}
|
test: true
|
||||||
global:
|
|
||||||
{{- include "kubezero-lib.control-plane" . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
grafana:
|
|
||||||
enabled: {{ .Values.metrics.enabled }}
|
|
||||||
|
|
||||||
admissionController:
|
|
||||||
serviceMonitor:
|
|
||||||
enabled: {{ .Values.metrics.enabled }}
|
|
||||||
|
|
||||||
cleanupController:
|
|
||||||
serviceMonitor:
|
|
||||||
enabled: {{ .Values.metrics.enabled }}
|
|
||||||
|
|
||||||
backgroundController:
|
|
||||||
serviceMonitor:
|
|
||||||
enabled: {{ .Values.metrics.enabled }}
|
|
||||||
|
|
||||||
reportsController:
|
|
||||||
serviceMonitor:
|
|
||||||
enabled: {{ .Values.metrics.enabled }}
|
|
||||||
|
|
||||||
policies:
|
|
||||||
{{- if eq .Values.global.platform "aws" }}
|
|
||||||
aws:
|
|
||||||
enabled: true
|
|
||||||
region: {{ .global.aws.region }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- define "policy-argo" }}
|
{{- define "policy-argo" }}
|
||||||
|
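Review bot: The new side of `policy-values` renders `kyverno: test: true`, a key neither the removed block nor the Kyverno chart's values define; Helm passes unknown values through silently, so this looks like a debugging leftover and should be dropped (leave `kyverno: {}` if the block is meant to be empty for now, not a bare `kyverno:` which renders as null). The hunk also removes the `kubezero-lib.control-plane` include under `global` on AWS, the `grafana`/`serviceMonitor` wiring keyed on `.Values.metrics.enabled`, and the `policies.aws` block that set `region: {{ .global.aws.region }}`; none of these reappear elsewhere in this compare, so Kyverno metrics are silently off and the AWS pod-identity policy is no longer configured. If this is an intermediate state, say so in the commit message. The `policy-argo` define that follows is cut off below the hunk.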
@ -30,6 +30,10 @@ addons:
|
|||||||
aws-eks-asg-rolling-update-handler:
|
aws-eks-asg-rolling-update-handler:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
|
policy:
|
||||||
|
enabled: false
|
||||||
|
targetRevision: 0.1.0
|
||||||
|
|
||||||
network:
|
network:
|
||||||
enabled: true
|
enabled: true
|
||||||
retain: true
|
retain: true
|
||||||
@ -37,11 +41,6 @@ network:
|
|||||||
cilium:
|
cilium:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
policy:
|
|
||||||
enabled: false
|
|
||||||
namespace: kyverno
|
|
||||||
targetRevision: 0.1.0
|
|
||||||
|
|
||||||
cert-manager:
|
cert-manager:
|
||||||
enabled: false
|
enabled: false
|
||||||
namespace: cert-manager
|
namespace: cert-manager
|
||||||
@ -123,7 +122,7 @@ logging:
|
|||||||
argo:
|
argo:
|
||||||
enabled: false
|
enabled: false
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
targetRevision: 0.4.1
|
targetRevision: 0.4.0
|
||||||
argo-cd:
|
argo-cd:
|
||||||
enabled: false
|
enabled: false
|
||||||
istio:
|
istio:
|
||||||
|
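Review bot: The `policy` addon entry that moves from the `network` section into `addons` loses its `namespace: kyverno` line (the removed block had `enabled`, `namespace` and `targetRevision`; the added one only `enabled` and `targetRevision`), so if the shared Application template derives the destination namespace from that key, Kyverno would now land wherever the template's default points. Either carry `namespace: kyverno` across or document where the namespace now comes from. The `argo.targetRevision` change from `0.4.1` to `0.4.0` in the last hunk is a downgrade; if the right column is the head branch, that again suggests a stale branch rather than an intended change. The `addons` and `network` mappings start above their respective hunks.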
@ -1,3 +1,4 @@
|
|||||||
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
|