diff --git a/charts/stable/datapower-operator/.helmignore b/charts/stable/datapower-operator/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/charts/stable/datapower-operator/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/stable/datapower-operator/Chart.yaml b/charts/stable/datapower-operator/Chart.yaml
new file mode 100644
index 0000000..000bba2
--- /dev/null
+++ b/charts/stable/datapower-operator/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v2
+name: datapower-operator
+description: A chart to deploy the DataPowerService Operator
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+kubeVersion: '>=1.16.0'
+keywords:
+- amd64
+- Security
+- Integration
+- Commercial
+- Limited
+- RHOCP
+- ROKS
+- IKS
diff --git a/charts/stable/datapower-operator/LICENSE b/charts/stable/datapower-operator/LICENSE
new file mode 100644
index 0000000..7a4a3ea
--- /dev/null
+++ b/charts/stable/datapower-operator/LICENSE
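Review bot: `appVersion: 1.0.0` in the Chart.yaml hunk pins a release, but the README added in this same commit documents the chart's default image tag as `latest` with `pullPolicy: Always`, so an install with default values resolves to whatever the registry currently serves rather than the version the chart claims. values.yaml is not in this chunk, so the default is inferred from the README table only; if the default tag really is `latest`, consider defaulting it to the appVersion (`tag: "1.0.0"`) or documenting that deployments should pin the tag or digest so what runs is reproducible and auditable.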
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/charts/stable/datapower-operator/README.md b/charts/stable/datapower-operator/README.md new file mode 100644 index 0000000..ce194fd --- /dev/null +++ b/charts/stable/datapower-operator/README.md 
@@ -0,0 +1,231 @@
+# DataPowerService Operator Chart
+
+## Introduction
+
+The DataPowerService Operator manages StatefulSets of DataPower Pods following configuration defined in DataPowerService Custom Resources.
+
+## Chart Details
+
+This chart deploys a DataPowerService Operator Deployment into a namespace. The DataPowerService CRD will be deployed from this chart if and only if a version of it does not already exist in the cluster.
+
+## Prerequisites
+
+- Helm v3
+- Kubernetes/OpenShift cluster
+
+### PodDisruptionBudget
+
+The DataPower Operator is recommended to have a single instance active at all time. The following PodDisruptionBudget can be created to enforce this.
+
+```yaml
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: datapower-operator-pdb
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ name: datapower-operator
+```
+
+### PodSecurityPolicy Requirements
+
+Custom PodSecurityPolicy definition:
+
+```yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: ibm-datapower-operator-restricted-psp
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ hostNetwork: false
+ hostPorts: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+```
+
+### SecurityContextConstraints Requirements
+
+Custom SecurityContextConstraints definition:
+
+```yaml
+kind: SecurityContextConstraints
+apiVersion: v1
+metadata:
+ name: ibm-datapower-operator-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+groups:
+- system:authenticated
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: MustRunAs
+users: []
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+```
+
+### Multiple Failure Zones
+
+This chart is configured to spread DataPower Operator pods evenly across multiple Kubernetes zones. To take advantage of this functionality, follow the [prerequisites](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#prerequisites) for Pod Topology Spread Constraints.
+
+With EvenPodsSpread enabled in the cluster, no more than one Operator pod will be deployed per zone. If replicaCount is higher than the number of available zones, the remaining replicas will not be scheduled.
+
+## Resources Required
+
+The DataPower Operator requires a minimum of
+
+```yaml
+resources:
+ requests:
+ cpu: "500m"
+ memory: "512Mi"
+```
+
+## Installing the Chart
+
+To install this chart, issue the following command:
+
+```
+helm install .
+```
+
+See configuration section below for information regarding tuning your operator installation.
+
+## Uninstalling the Chart
+
+To uninstall this chart, issue the following command:
+
+```
+helm uninstall
+```
+
+Due to [limitations](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) in Helm, the `DataPowerService` Custom Resource Definition (CRD) is not deleted when the operator is uninstalled via Helm. To clean up the CRD, issue the following command:
+
+```
+kubectl delete crd/datapowerservices.datapower.ibm.com
+```
+
+**Warning:** Deleting the CRD will cause all Custom Resource (CR) instances to also be deleted.
+
+## Configuration
+### Chart values
+
+|Value|Description|Default|
+|-|-|-|
+|`operator.replicas`|Number of Operator pods to deploy|`1`|
+|`operator.image.repository`|Repository containing Operator image|`docker.io/ibmcom/datapower-operator`|
+|`operator.image.tag`|Name of Operator image|`latest`|
+|`operator.image.pullPolicy`|Image pull policy for Operator|`Always`|
+|`operator.image.imagePullSecrets`|List of pull secret names|`[]`|
+|`operator.installMode`|InstallMode of the operator|`OwnNamespace`|
+|`operator.watchNamespaces`|Namespaces the Operator should watch|`[]`|
+|`operator.logLevel`|Set logLevel for Operator pod|`info`|
+
+#### `operator.replicas`
+
+This Operator supports deploying with multiple replicas across multiple zones. When more than one Operator pod is present, a leader will be determined. Only the leader manages DataPower StatefulSets.
+
+#### `operator.image.imagePullSecrets`
+
+Optional list of pull secrets if operator image is pulled from a registry which requires authentication. Example syntax:
+
+```yaml
+operator:
+ image:
+ imagePullSecrets:
+ - name: my-pull-secret
+```
+
+#### `operator.installMode`
+
+This can be one of four options:
+- OwnNamespace
+- SingleNamespace
+- MultiNamespace
+- AllNamespaces
+
+**OwnNamespace**
+
+OwnNamespace makes the Operator listen in the namespace it is installed in and nowhere else. With this option, `operator.watchNamespaces` is ignored.
+
+**SingleNamespace**
+
+SingleNamespace makes the Operator listen to an arbitrary namespace, defined in `operator.watchNamespaces`. With this option, the first namespace in the `operator.watchNamespaces` list is used, the rest are ignored.
+
+**MultiNamespace**
+
+MultiNamespace makes the Operator listen to any number of arbitrary namespaces, defined in `operator.watchNamespaces`. With this option, all namespaces defined in `operator.watchNamespaces` are used.
+
+**AllNamespaces**
+
+AllNamespaces makes the Operator listen to all namespaces. With this option, `operator.watchNamespaces` is ignored.
+
+#### `operator.watchNamespaces`
+
+This is a list of namespaces the Operator should watch. Usage of this list is dependent on the `operator.installMode`.
+
+#### `operator.logLevel`
+
+Log level can be set to one of:
+- error
+- info
+- debug
+- integer > 0
+
+This value will adjust the verbosity of the logs produced by the Operator. Default value is `info`. Operator logs currently only support `error`, `info`, and `debug` logs, setting an integer higher than 1 will increase the verbosity of library code while higher than 4 will set the verbosity level of `client-go` for Kubernetes API logging.
+
+### Operator Components
+
+|Resource Type|Name Format|Created By|
+|-|-|-|
+|Cluster Role|`--datapower-operator`|Chart|
+|Cluster Role Binding|`--datapower-operator`|Chart|
+|Deployment|`-datapower-operator`|Chart|
+|Role|`--datapower-operator`|Chart|
+|Role Binding|`--datapower-operator`|Chart|
+|Service Account|`--datapower-operator`|Chart|
+|MutatingWebhookConfigurations|`.datapowerservices.defaulter.datapower.ibm.com`|Operator|
+|ValidatingWebhookConfigurations|`.datapowerservices.validator.datapower.ibm.com`|Operator|
+|Secret (webhook TLS)|`datapower-operator`|Operator|
+
+
+## Limitations
+
+This chart is able to be installed in development, nonproduction, and production environments.
diff --git a/charts/stable/datapower-operator/RELEASENOTES.md b/charts/stable/datapower-operator/RELEASENOTES.md
new file mode 100644
index 0000000..6e84b1e
--- /dev/null
+++ b/charts/stable/datapower-operator/RELEASENOTES.md
@@ -0,0 +1,11 @@
+## What's new
+
+## Breaking Changes
+
+## Fixes
+
+## Prerequisites
+
+## Documentation
+
+## Version History
diff --git a/charts/stable/datapower-operator/crds/datapower.ibm.com_datapowerservices_crd.yaml b/charts/stable/datapower-operator/crds/datapower.ibm.com_datapowerservices_crd.yaml
new file mode 100644
index 0000000..55aa6b5
--- /dev/null
+++ b/charts/stable/datapower-operator/crds/datapower.ibm.com_datapowerservices_crd.yaml 
@@ -0,0 +1,1636 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: "2020-05-31T16:37:32Z" + labels: + app.kubernetes.io/instance: datapower-operator + app.kubernetes.io/managed-by: datapower-operator + app.kubernetes.io/name: datapowerservices.datapower.ibm.com + name: datapowerservices.datapower.ibm.com +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + description: DataPowerService readiness status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + description: DataPowerService readiness summary + name: Summary + type: string + - JSONPath: .status.versions.reconciled + description: DataPowerService reconciled version + name: Version + type: string + - JSONPath: .status.conditions[?(@.type=="ReconcileError")].message + description: DataPowerService reconcile error + name: Error + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: datapower.ibm.com + names: + categories: + - all + - apic + kind: DataPowerService + listKind: DataPowerServiceList + plural: datapowerservices + shortNames: + - dp + singular: datapowerservice + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: DataPowerService is the Schema for the datapowerservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DataPowerServiceSpec defines the desired state of DataPowerService + properties: + affinity: + description: Affinity section to allow users to override the default + affinity settings + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the affinity expressions specified by this field, + but it may choose a node that violates one or more of the + expressions. The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node that meets + all of the scheduling requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to the sum + if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches all + objects with implicit weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no objects (i.e. is also + a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. 
If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The + terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. 
+ type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the affinity expressions specified by this field, + but it may choose a node that violates one or more of the + expressions. The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node that meets + all of the scheduling requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to the sum + if the node has pods which matches the corresponding podAffinityTerm; + the node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey matches + that of any node on which any of the selected pods + is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may not + try to eventually evict the pod from its node. When there + are multiple elements, the lists of nodes corresponding to + each podAffinityTerm are intersected, i.e. all terms must + be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) that + this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a set of resources, in + this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces the + labelSelector applies to (matches against); null or + empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of any + node on which any of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the anti-affinity expressions specified by this + field, but it may choose a node that violates one or more + of the expressions. The node that is most preferred is the + one with the greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource request, + requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field + and adding "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey matches + that of any node on which any of the selected pods + is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms must + be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) that + this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a set of resources, in + this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces the + labelSelector applies to (matches against); null or + empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of any + node on which any of the selected pods is running. Empty + topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: Annotations field allows custom annotations to be added + to the service + type: object + datapowerMonitor: + description: DataPower Monitor configuration + properties: + env: + description: Environment variables + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previous defined environment variables in the + container and any service environment variables. If a variable + cannot be resolved, the reference in the input string will + be unchanged. The $(VAR_NAME) syntax can be escaped with + a double $$, ie: $$(VAR_NAME). Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, metadata.labels, metadata.annotations, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs.' 
+ properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + description: Image specifier for DataPower Monitor + type: string + lifecycleDebounceMs: + description: Set the pod lifecycle debounce in milliseconds + format: int32 + type: integer + livenessProbePort: + description: LivenessProbe port + format: int32 + type: integer + monitorGatewayPeering: + description: Enables the peering status monitoring functionality + in the DataPower Monitor + type: boolean + peeringRecoveryCheckIntervalMs: + description: Set the pod peering recovery interval in milliseconds + format: int32 + type: integer + resources: + description: Monitor resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + xmlMgmtPort: + description: Should match the port xml-mgmt is configured to listen + on, if not provided 5550 will be used + format: int32 + type: integer + type: object + debug: + description: User exposed debug toggle. Use this to obtain debug information + from init scripts. + type: boolean + domains: + description: List of DataPowerDomains to associate with Service + items: + description: DataPowerDomainSpec defines the desired state of DataPowerDomain + properties: + certs: + description: Secrets containing crypto info + items: + properties: + certType: + description: Type of certs, usrcerts or sharedcerts + enum: + - sharedcerts + - usrcerts + minLength: 1 + type: string + secret: + description: Secret containing certs + minLength: 1 + type: string + subPath: + description: SubPath cert is placed into + type: string + required: + - certType + - secret + type: object + type: array + dpApp: + description: Name of the configmap to be used for Domain config + properties: + config: + description: ConfigMaps storing DataPower configuration files + items: + description: ConfigMap containing DataPower configuration + files + minLength: 1 + type: string + minItems: 1 + type: array + local: + description: ConfigMaps storing DataPower local files + items: + description: ConfigMap containing DataPower configuration + files + minLength: 1 + type: string + type: array + required: + - config + type: object + name: + description: Name of the domain + minLength: 1 + type: string + required: + - name + type: object + type: array + env: + description: Environment variables + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. 
+ type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using + the previous defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + The $(VAR_NAME) syntax can be escaped with a double $$, ie: + $$(VAR_NAME). Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: 'Selects a field of the pod: supports metadata.name, + metadata.namespace, metadata.labels, metadata.annotations, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' + properties: + apiVersion: + description: Version of the schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: 'Selects a resource of the container: only resources + limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' 
+ properties: + containerName: + description: 'Container name: required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + extraExe: + description: List of ConfigMap names to mount containing extra executables + items: + type: string + type: array + image: + description: Custom DataPower image + minLength: 1 + type: string + imagePullSecrets: + description: Image pull secrets + items: + type: string + type: array + initCmds: + description: Commands to run during user-specified initialization stage + items: + type: string + type: array + labels: + additionalProperties: + type: string + description: Labels field allows custom labels to be added to the service + type: object + license: + description: DataPower License + properties: + accept: + description: 'The license agreement must be accepted during installation + of this product. 
To view the license for a given DataPower image, + you can view the license by running the container: docker run + --rm --show-license' + type: boolean + use: + description: The license use. Will inform which DataPower image + is pulled during install. + enum: + - production + - nonproduction + - developers + - developers-limited + type: string + required: + - accept + - use + type: object + livenessProbe: + description: Custom LivenessProbe + properties: + exec: + description: One and only one of the following should be specified. + Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the + container, the working directory for the command is root + ('/') in the container's filesystem. The command is simply + exec'd, it is not run inside a shell, so traditional shell + instructions ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered + failed after having succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod IP. + You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows + repeated headers. + items: + description: HTTPHeader describes a custom header to be used + in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults + to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started + before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default + to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered + successful after having failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. + TCP hooks not yet supported TODO: implement a realistic TCP lifecycle + hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to + the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + odTracing: + description: OpenTracingSpec defines desired state of agent and collector + containers + properties: + agent: + description: Defines probes for agent container + properties: + livenessProbe: + description: Trimmed down livenessProbe + properties: + failureThreshold: + description: Failure threshold + format: int32 + type: integer + initialDelaySeconds: + description: Initial Delay in seconds + format: int32 + type: integer + periodSeconds: + description: Period in seconds + format: int32 + type: integer + timeoutSeconds: + description: Timeout in seconds + format: int32 + type: integer + type: object + readinessProbe: + description: Trimmed down readinessProbe + properties: + failureThreshold: + description: Failure threshold + format: int32 + type: integer + initialDelaySeconds: + description: Initial Delay in seconds + format: int32 + type: integer + periodSeconds: + description: Period in seconds + format: int32 + type: integer + timeoutSeconds: + description: Timeout in seconds + format: int32 + type: integer + type: object + type: object + collector: + description: Defines probes for collector container + properties: + livenessProbe: + description: Trimmed down livenessProbe + properties: + failureThreshold: + description: Failure threshold + format: int32 + type: integer + initialDelaySeconds: + description: Initial Delay in seconds + format: int32 + type: integer + periodSeconds: + description: Period in seconds + format: int32 + type: integer + timeoutSeconds: + description: Timeout in seconds + format: int32 + type: integer + type: object + readinessProbe: + description: Trimmed down readinessProbe + properties: + failureThreshold: + description: Failure threshold + format: int32 + type: integer + initialDelaySeconds: + description: Initial Delay in seconds + format: int32 + type: integer + 
periodSeconds: + description: Period in seconds + format: int32 + type: integer + timeoutSeconds: + description: Timeout in seconds + format: int32 + type: integer + type: object + type: object + enabled: + description: Whether OpenTracing is enabled or disabled + type: boolean + imageAgent: + description: Image for agent container + minLength: 1 + type: string + imageCollector: + description: Image for collector container + minLength: 1 + type: string + imagePullPolicy: + description: Controls what conditions to pull image + type: string + odTracingDataHostname: + description: Data Hostname + minLength: 1 + type: string + odTracingRegistrationHostname: + description: Registration Hostname + minLength: 1 + type: string + required: + - enabled + - imageAgent + - imageCollector + - imagePullPolicy + - odTracingDataHostname + - odTracingRegistrationHostname + type: object + podManagementPolicy: + description: Pod management policy for the DataPower StatefulSet + enum: + - Parallel + - OrderedReady + type: string + readinessProbe: + description: Custom ReadinessProbe + properties: + exec: + description: One and only one of the following should be specified. + Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute inside the + container, the working directory for the command is root + ('/') in the container's filesystem. The command is simply + exec'd, it is not run inside a shell, so traditional shell + instructions ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered + failed after having succeeded. Defaults to 3. Minimum value is + 1. + format: int32 + type: integer + httpGet: + description: HTTPGet specifies the http request to perform. 
+ properties: + host: + description: Host name to connect to, defaults to the pod IP. + You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows + repeated headers. + items: + description: HTTPHeader describes a custom header to be used + in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults + to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has started + before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default + to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered + successful after having failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. + TCP hooks not yet supported TODO: implement a realistic TCP lifecycle + hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults to + the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + replicas: + description: Desired number of DataPower Pods in the StatefulSet + format: int32 + minimum: 0 + type: integer + resources: + description: Resource limits and requests specifications for DataPowerService + statefulset + properties: + limits: + description: Limits describes the maximum amount of compute resources + allowed. + properties: + memory: + description: Memory, in bytes. (8Gi = 8GiB = 8 * 1024 * 1024 + * 1024) + type: string + type: object + requests: + description: Requests describes the minimum amount of compute resources + required. + properties: + cpu: + description: CPU, in cores. Minimum value is 4. + minimum: 4 + type: integer + memory: + description: Memory, in bytes. 
(8Gi = 8GiB = 8 * 1024 * 1024 + * 1024) + type: string + type: object + type: object + serviceAccountName: + description: ServiceAccountName + type: string + storage: + description: Storage + items: + description: DataPowerStorage defines a single volume of persistent + or ephemeral type + properties: + class: + description: Class specifies the storage class to create PVC with + type: string + deleteClaim: + description: DeleteClaim defines if the volume claim should be + deleted; valid for persistent type only + type: boolean + path: + description: Path is the path where the volume claim should mount + inside the container + minLength: 1 + type: string + selector: + description: Selector sets the label query for volumes to consider + for binding; valid for persistent type only + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + size: + anyOf: + - type: integer + - type: string + description: 'Size is the amount of storage that should be requested + Expected format is #Gi' + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: Type is the type of storage, options are ephemeral + and persistent + enum: + - ephemeral + - persistent + type: string + volumeMode: + description: VolumeMode switches between block and filesystem + storage; valid for persistent type only + type: string + required: + - path + - type + type: object + type: array + users: + description: List of DataPower Users + items: + description: DataPowerUsersSpec defines the desired state of DataPowerUsers + properties: + accessLevel: + description: User access level + enum: + - group-defined + - privileged + type: string + group: + description: User group + type: string + name: + description: Name of the user + minLength: 1 + type: string + passwordSecret: + description: Secret for user's credentials + minLength: 1 + type: string + required: + - accessLevel + - name + - passwordSecret + type: object + type: array + version: + description: DataPower Firmware Version + minLength: 1 + type: string + required: + - license + - replicas + - users + - version + type: object + status: + description: DataPowerServiceStatus defines the observed state of DataPowerService + properties: + conditions: + description: Conditions represent the latest available observations + of the DataPowerService's state + items: + description: "Condition represents an observation of an object's state. 
+ Conditions are an extension mechanism intended to be used when the + details of an observation are not a priori known or would not apply + to all instances of a given Kind. \n Conditions should be added + to explicitly convey properties that users and components care about + rather than requiring those properties to be inferred from other + observations. Once defined, the meaning of a Condition can not be + changed arbitrarily - it becomes part of the API, and has the same + backwards- and forwards-compatibility concerns of any other part + of the API." + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + description: ConditionReason is intended to be a one-word, CamelCase + representation of the category of cause of the current status. + It is intended to be used in concise output, such as one-line + kubectl get output, and in summarizing occurrences of causes. + type: string + status: + type: string + type: + description: "ConditionType is the type of the condition and is + typically a CamelCased word or short phrase. \n Condition types + should indicate state in the \"abnormal-true\" polarity. For + example, if the condition indicates when a policy is invalid, + the \"is valid\" case is probably the norm, so the condition + should be called \"Invalid\"." 
+ type: string + required: + - status + - type + type: object + type: array + customImages: + description: True when a custom DataPower image is being used + type: boolean + nodes: + description: List of pods (by name) in the statefulset + items: + type: string + type: array + phase: + description: Phase of the DataPowerService instance + enum: + - Pending + - Running + - Failed + type: string + versions: + description: Reconciled and available versions + properties: + available: + description: Available versions for the DataPower operand + properties: + channels: + description: Available DataPower firmware channels + items: + description: Defines a DataPower Channel + properties: + name: + description: Name of the channel + type: string + required: + - name + type: object + type: array + versions: + description: Available DataPower firmware versions + items: + description: Defines a DataPower Version + properties: + name: + description: Name of the version + type: string + required: + - name + type: object + type: array + required: + - channels + - versions + type: object + reconciled: + description: Reconciled version of the DataPower operand + type: string + required: + - available + - reconciled + type: object + required: + - conditions + - customImages + - phase + - versions + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/stable/datapower-operator/templates/NOTES.txt b/charts/stable/datapower-operator/templates/NOTES.txt new file mode 100644 index 0000000..1479ff8 --- /dev/null +++ b/charts/stable/datapower-operator/templates/NOTES.txt 
@@ -0,0 +1,9 @@ +The DataPower Operator has been deployed! + +To verify your install, look for: +- Operator pod: kubectl get pod | grep '{{ template "datapower-operator.fullname" . }}' +- MutatingWebhookConfigurations: kubectl get mutatingwebhookconfigurations | grep '{{ .Release.Namespace }}.datapowerservices.defaulter.datapower.ibm.com' +- ValidatingWebhookConfigurations: kubectl get validatingwebhookconfigurations | grep '{{ .Release.Namespace }}.datapowerservices.validator.datapower.ibm.com' +- Cluster Role: kubectl get clusterrole | grep '{{ template "datapower-operator.namespacedname" . }}' +- Cluster Role Binding: kubectl get clusterrolebinding | grep '{{ template "datapower-operator.namespacedname" . }}' +- Service Account: kubectl get serviceaccount | grep '{{ template "datapower-operator.namespacedname" . }}' diff --git a/charts/stable/datapower-operator/templates/_helpers.tpl b/charts/stable/datapower-operator/templates/_helpers.tpl new file mode 100644 index 0000000..6437c87 --- /dev/null +++ b/charts/stable/datapower-operator/templates/_helpers.tpl 
@@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "datapower-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "datapower-operator.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a namespaced name for a release. +The order of naming is release-namespace-chartname +*/}} +{{- define "datapower-operator.namespacedname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name .Release.Namespace $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "datapower-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "datapower-operator.labels" -}} +helm.sh/chart: {{ include "datapower-operator.chart" . }} +{{ include "datapower-operator.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "datapower-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "datapower-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "datapower-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "datapower-operator.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +datapower-operator.getMulti +This template builds a CSV of namespaces from the list watchNamespaces. +Resulting CSV has a trailing ',' that must be removed. +*/}} +{{- define "datapower-operator.getMulti" -}} +{{- range .Values.operator.watchNamespaces -}}{{ . }},{{- end -}} +{{- end -}} + +{{/* +datapower-operator.getWatchNamespace +Handle building the WATCH_NAMESPACE environment variable. +WATCH_NAMESPACE is informed by a scope type and a list of namespaces. +*/}} +{{- define "datapower-operator.getWatchNamespace" -}} +{{- if eq .Values.operator.installMode "OwnNamespace" -}} +valueFrom: + fieldRef: + fieldPath: metadata.namespace +{{- else if eq .Values.operator.installMode "SingleNamespace" -}} +value: "{{ index .Values.operator.watchNamespaces 0 }}" +{{- else if eq .Values.operator.installMode "MultiNamespace" -}} +value: "{{ include "datapower-operator.getMulti" . | trimSuffix "," }}" +{{- else if eq .Values.operator.installMode "AllNamespaces" -}} +value: "" +{{- end -}} +{{- end -}} + diff --git a/charts/stable/datapower-operator/templates/cluster_role.yaml b/charts/stable/datapower-operator/templates/cluster_role.yaml new file mode 100644 index 0000000..bc6d2f0 --- /dev/null 
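Review bot: getWatchNamespace at the end of the hunk has no else branch, so an installMode value outside the four handled strings renders nothing, and the `- name: WATCH_NAMESPACE` entry in operator.yaml is then emitted without a value, which the operator presumably cannot distinguish from the AllNamespaces case (`value: ""`). A typo in values therefore silently widens the watch scope to the whole cluster instead of failing the render; add `{{- else -}}` / `{{- fail (printf "unsupported operator.installMode %q" .Values.operator.installMode) -}}` before the final `{{- end -}}`. The MultiNamespace branch collapses the same way when watchNamespaces is empty, since getMulti then yields an empty string after trimSuffix, so a `fail` guard on an empty list there keeps the narrower scope from degrading. The SingleNamespace branch would instead error on `index` of an empty list, which is the safer outcome and should be kept.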
+++ b/charts/stable/datapower-operator/templates/cluster_role.yaml 
@@ -0,0 +1,150 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: {{ template "datapower-operator.namespacedname" . }} + labels: + app.kubernetes.io/instance: {{ template "datapower-operator.namespacedname" . }} + app.kubernetes.io/name: datapower-operator + app.kubernetes.io/managed-by: datapower-operator +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - get + - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - watch + - patch + - list +- apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - apps + resourceNames: + - datapower-operator + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get +- apiGroups: + - datapower.ibm.com + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - 
monitoringcontroller.cloud.ibm.com + resources: + - monitoringdashboards + verbs: + - create + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get \ No newline at end of file diff --git a/charts/stable/datapower-operator/templates/cluster_role_binding.yaml b/charts/stable/datapower-operator/templates/cluster_role_binding.yaml new file mode 100644 index 0000000..a5d6efe --- /dev/null +++ b/charts/stable/datapower-operator/templates/cluster_role_binding.yaml @@ -0,0 +1,16 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "datapower-operator.namespacedname" . }} + labels: + app.kubernetes.io/instance: {{ template "datapower-operator.namespacedname" . }} + app.kubernetes.io/name: datapower-operator + app.kubernetes.io/managed-by: datapower-operator +subjects: +- kind: ServiceAccount + name: {{ template "datapower-operator.namespacedname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "datapower-operator.namespacedname" . }} + apiGroup: rbac.authorization.k8s.io diff --git a/charts/stable/datapower-operator/templates/operator.yaml b/charts/stable/datapower-operator/templates/operator.yaml new file mode 100644 index 0000000..17aee8b --- /dev/null +++ b/charts/stable/datapower-operator/templates/operator.yaml 
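Review bot: The ClusterRole's first rule grants `'*'` on mutatingwebhookconfigurations and validatingwebhookconfigurations, and the core-group rule grants create/delete/get/list/patch/update/watch on secrets, both cluster-wide because cluster_role_binding.yaml (same line) binds it through a ClusterRoleBinding regardless of operator.installMode. An operator installed with the default OwnNamespace mode thus holds read and write access to every namespace's Secrets and can alter any admission webhook in the cluster, a well-known escalation path should the operator pod be compromised. Replace the wildcard with an explicit list such as `verbs: [create, delete, get, list, patch, update, watch]` (narrowed further if delete or patch are unused), and for OwnNamespace/SingleNamespace consider rendering a namespaced Role/RoleBinding for the pods/secrets/configmaps rule instead of the ClusterRole. The rules list also repeats pods/get and replicasets,deployments/get already covered by earlier rules; dropping the duplicates makes the granted surface easier to audit.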
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: datapower-operator + labels: + app.kubernetes.io/instance: {{ template "datapower-operator.namespacedname" . }} + app.kubernetes.io/name: datapower-operator + app.kubernetes.io/managed-by: datapower-operator +spec: + replicas: {{ .Values.operator.replicas }} + selector: + matchLabels: + app.kubernetes.io/instance: {{ template "datapower-operator.namespacedname" . }} + app.kubernetes.io/name: datapower-operator + app.kubernetes.io/managed-by: datapower-operator + template: + metadata: + labels: + app.kubernetes.io/instance: {{ template "datapower-operator.namespacedname" . }} + app.kubernetes.io/name: datapower-operator + app.kubernetes.io/managed-by: datapower-operator + annotations: + productID: datapower-operator + productName: "IBM DataPower Operator" + productVersion: 1.0.0 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: "beta.kubernetes.io/arch" + operator: In + values: ["amd64"] + topologySpreadConstraints: + - maxSkew: 0 + topologyKey: zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: {{ template "datapower-operator.namespacedname" . }} + app.kubernetes.io/name: datapower-operator + app.kubernetes.io/managed-by: datapower-operator + hostNetwork: false + hostPID: false + hostIPC: false + serviceAccountName: {{ template "datapower-operator.namespacedname" . 
}} + {{- if .Values.operator.image.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.operator.image.imagePullSecrets }} + - name: {{ .name }} + {{- end }} + {{- end }} + containers: + - name: datapower-operator + # Replace this with the built image name + image: {{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }} + command: + - datapower-operator + args: + - "--zap-encoder=json" + - "--zap-level={{ .Values.operator.logLevel }}" + - "--zap-time-encoding=iso8601" + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + env: + - name: WATCH_NAMESPACE +{{ include "datapower-operator.getWatchNamespace" . | indent 14 }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OPERATOR_NAME + value: "datapower-operator" + - name: NAMESPACED_NAME + value: {{ template "datapower-operator.namespacedname" . }} + - name: IBM_ENTITLED_REGISTRY + value: "cp.icr.io/cp/datapower" + - name: IBM_DOCKER_HUB + value: "docker.io/ibmcom" + resources: + requests: + cpu: "500m" + memory: "512Mi" + limits: + cpu: 2 + memory: "2Gi" + securityContext: + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/charts/stable/datapower-operator/templates/service_account.yaml b/charts/stable/datapower-operator/templates/service_account.yaml new file mode 100644 index 0000000..c09a779 --- /dev/null +++ b/charts/stable/datapower-operator/templates/service_account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "datapower-operator.namespacedname" . }} + labels: + app.kubernetes.io/instance: {{ template "datapower-operator.namespacedname" . }} + app.kubernetes.io/name: datapower-operator + app.kubernetes.io/managed-by: datapower-operator 
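Review bot: The topologySpreadConstraints entry in the pod template sets `maxSkew: 0`, which API-server validation rejects (maxSkew must be greater than zero), so the Deployment as rendered will not be admitted; and with `whenUnsatisfiable: DoNotSchedule` plus the non-standard `topologyKey: zone`, only nodes carrying a `zone` label would be eligible even after that fix. Use `maxSkew: 1` and `topologyKey: topology.kubernetes.io/zone`, and `kubernetes.io/arch` in place of the deprecated `beta.kubernetes.io/arch` in the nodeAffinity term. On hardening, the container sets `readOnlyRootFilesystem: false`; unless the operator writes to its root filesystem, set it to `true`, or leave a comment stating why it cannot be. The `# Replace this with the built image name` comment above `image:` reads as leftover scaffolding and should go, since the value is already templated from values.yaml.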
diff --git a/charts/stable/datapower-operator/values.yaml b/charts/stable/datapower-operator/values.yaml
new file mode 100644
index 0000000..e5551e3
--- /dev/null
+++ b/charts/stable/datapower-operator/values.yaml
@@ -0,0 +1,14 @@
+# Default values for datapower-operator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+operator:
+ replicas: 1
+ image:
+ repository: docker.io/ibmcom/datapower-operator
+ tag: latest
+ pullPolicy: Always
+ imagePullSecrets: []
+ installMode: OwnNamespace
+ watchNamespaces: []
+ logLevel: info
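Review bot: The defaults `tag: latest` with `pullPolicy: Always` mean every pod start may pull a different operator build than the one that was reviewed, and the running image cannot be traced back to a release; pin `tag` to a specific version (or a digest) and make `pullPolicy: IfNotPresent` the default. `installMode` and `watchNamespaces` carry no documentation even though _helpers.tpl branches on four specific installMode strings and reads watchNamespaces only for SingleNamespace and MultiNamespace. Add `# One of OwnNamespace, SingleNamespace, MultiNamespace, AllNamespaces` above installMode and `# Must be non-empty for SingleNamespace and MultiNamespace` above watchNamespaces, so the empty default is not combined with a list-based mode by accident.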