r.appscode.com
|
-| proxies.dockerHub | company/bin:tag | ""
|
-| proxies.dockerLibrary | alpine, nginx etc. | ""
|
-| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
-| proxies.quay | quay.io/company/bin:tag | quay.io
|
-| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
-| replicaCount | | 1
|
-| image.repository | | "dbgate/dbgate"
|
-| image.pullPolicy | | Always
|
-| image.tag | Overrides the image tag whose default is the chart appVersion. | "5.3.1-alpine"
|
-| imagePullSecrets | | []
|
-| nameOverride | | ""
|
-| fullnameOverride | | ""
|
-| serviceAccount.create | Specifies whether a service account should be created | true
|
-| serviceAccount.annotations | Annotations to add to the service account | {}
|
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
-| podAnnotations | | {}
|
-| podSecurityContext | | {}
|
-| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| service.type | | ClusterIP
|
-| service.port | | 80
|
-| resources | | {}
|
-| nodeSelector | | {}
|
-| tolerations | | []
|
-| affinity | | {}
|
-| namespace.create | | false
|
-| gateway.className | | "ace"
|
-| gateway.port | | 8082
|
-| gateway.tlsSecretRef.name | | service-presets-cert
|
-| gateway.tlsSecretRef.namespace | | ace
|
-| gateway.referenceGrant.create | | true
|
-| keda.proxyService.namespace | | "keda"
|
-| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
-| keda.proxyService.port | | 8080
|
-| targetPendingRequests | | 200
|
-| autoscaling.http.minReplicas | | 0
|
-| autoscaling.http.maxReplicas | | 1
|
-| app.kind | MicrosoftSQLServer: mssql@dbgate-plugin-mssql MySQL: mysql@dbgate-plugin-mysql MariaDB: mariadb@dbgate-plugin-mysql Postgres: postgres@dbgate-plugin-postgres MongoDB: mongo@dbgate-plugin-mongo Redis: redis@dbgate-plugin-redis | ""
|
-| app.service.name | | ""
|
-| app.service.namespace | | ""
|
-| app.authSecret.name | | ""
|
-| app.tls.enabled | | false
|
-| bind.name | | ""
|
-| bind.namespace | | ""
|
-| authzproxy.enabled | | false
|
-| authzproxy.repository | KubeDB operator container image | appscode/kube-authz-proxy
|
-| authzproxy.tag | KubeDB operator container image tag | "v0.0.1"
|
-| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| authzproxy.resources | Compute Resources required by this container | {}
|
-| authzproxy.params.listen | | 8000
|
-| authzproxy.params.metricsAddr | | 8080
|
-| authzproxy.params.platformURL | | ""
|
-| authzproxy.params.platformCABundle | | ""
|
+| Parameter | Description | Default |
+|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| proxies.appscode | r.appscode.com | r.appscode.com
|
+| proxies.dockerHub | company/bin:tag | ""
|
+| proxies.dockerLibrary | alpine, nginx etc. | ""
|
+| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
+| proxies.quay | quay.io/company/bin:tag | quay.io
|
+| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
+| replicaCount | | 1
|
+| image.repository | | "dbgate/dbgate"
|
+| image.pullPolicy | | Always
|
+| image.tag | Overrides the image tag whose default is the chart appVersion. | "5.3.1-alpine"
|
+| imagePullSecrets | | []
|
+| nameOverride | | ""
|
+| fullnameOverride | | ""
|
+| serviceAccount.create | Specifies whether a service account should be created | true
|
+| serviceAccount.annotations | Annotations to add to the service account | {}
|
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
+| podAnnotations | | {}
|
+| podSecurityContext | | {}
|
+| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
|
+| service.type | | ClusterIP
|
+| service.port | | 80
|
+| resources | | {}
|
+| nodeSelector | | {}
|
+| tolerations | | []
|
+| affinity | | {}
|
+| namespace.create | | false
|
+| gateway.className | | "ace"
|
+| gateway.port | | 8082
|
+| gateway.tlsSecretRef.name | | service-presets-cert
|
+| gateway.tlsSecretRef.namespace | | ace
|
+| gateway.referenceGrant.create | | true
|
+| keda.proxyService.namespace | | "keda"
|
+| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
+| keda.proxyService.port | | 8080
|
+| targetPendingRequests | | 200
|
+| autoscaling.http.minReplicas | | 0
|
+| autoscaling.http.maxReplicas | | 1
|
+| app.kind | MicrosoftSQLServer: mssql@dbgate-plugin-mssql MySQL: mysql@dbgate-plugin-mysql MariaDB: mariadb@dbgate-plugin-mysql Postgres: postgres@dbgate-plugin-postgres MongoDB: mongo@dbgate-plugin-mongo Redis: redis@dbgate-plugin-redis | ""
|
+| app.service.name | | ""
|
+| app.service.namespace | | ""
|
+| app.authSecret.name | | ""
|
+| app.tls.enabled | | false
|
+| bind.name | | ""
|
+| bind.namespace | | ""
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/dbgate/templates/deployment.yaml b/charts/dbgate/templates/deployment.yaml
index 24708b71..62b62035 100644
--- a/charts/dbgate/templates/deployment.yaml
+++ b/charts/dbgate/templates/deployment.yaml
@@ -37,46 +37,6 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- {{- if .Values.authzproxy.enabled }}
- - name: authz-proxy
- securityContext:
- {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
- image: '{{ include "image.ghcr" (merge (dict "_repo" $.Values.authzproxy.repository) $) }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}'
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
- - run
- - --listen={{ .Values.authzproxy.params.listen }}
- - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
- - --secret-name={{ .Values.app.authSecret.name }}
- - --secret-namespace={{ .Release.Namespace }}
- - --target-url=http://localhost:3000
- - --platform-url={{ .Values.authzproxy.params.platformURL }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- - --platform-ca-file=/var/platform-auth/ca.crt
- {{- end }}
- ports:
- - name: proxy
- containerPort: {{ .Values.authzproxy.params.listen }}
- protocol: TCP
- - name: metrics
- containerPort: {{ .Values.authzproxy.params.metricsAddr }}
- protocol: TCP
- # livenessProbe:
- # httpGet:
- # path: /
- # port: http
- # readinessProbe:
- # httpGet:
- # path: /
- # port: http
- resources:
- {{- toYaml .Values.authzproxy.resources | nindent 12 }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- volumeMounts:
- - mountPath: /var/platform-auth
- name: platform-auth
- {{- end }}
- {{ end }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
@@ -98,16 +58,8 @@ spec:
secretKeyRef:
name: {{ .Values.app.authSecret.name }}
key: username
- {{- if .Values.authzproxy.enabled }}
- - name: PASSWORD_PRIMARY
- valueFrom:
- secretKeyRef:
- name: {{ .Values.app.authSecret.name }}
- key: password
- {{- else }}
- name: PASSWORD_MODE_PRIMARY
value: askPassword
- {{- end }}
{{- if .Values.app.tls.enabled }}
- name: USE_SSL_PRIMARY
value: "1"
@@ -126,13 +78,6 @@ spec:
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- volumes:
- - name: platform-auth
- secret:
- defaultMode: 420
- secretName: {{ include "dbgate.fullname" . }}-platform-auth
- {{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
diff --git a/charts/dbgate/templates/platform-auth.yaml b/charts/dbgate/templates/platform-auth.yaml
deleted file mode 100644
index 2dae2cfe..00000000
--- a/charts/dbgate/templates/platform-auth.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{ $data := dict }}
-
-{{- with .Values.authzproxy.params.platformCABundle }}
-{{ $_ := set $data "ca.crt" . }}
-{{- end }}
-
-{{- if $data }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "dbgate.fullname" . }}-platform-auth
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "dbgate.labels" . | nindent 4 }}
-type: Opaque
-stringData: {{ $data | toJson }}
-{{- end }}
diff --git a/charts/dbgate/templates/service.yaml b/charts/dbgate/templates/service.yaml
index 6e82612c..9f91eef2 100644
--- a/charts/dbgate/templates/service.yaml
+++ b/charts/dbgate/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
- targetPort: {{ ternary "proxy" "http" .Values.authzproxy.enabled }}
+ targetPort: http
protocol: TCP
name: http
selector:
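Review bot: The new `targetPort: http` line sends Service traffic straight to the dbgate container, with no comment or upgrade note saying that the authz-proxy hop is gone, so a release that previously set `authzproxy.enabled=true` changes its exposure on upgrade without any signal in the manifest. Whether a leftover `authzproxy` override is rejected or just ignored is not visible here; if it is ignored, the operator gets no warning. I would add a comment above the line, e.g. `# authz-proxy sidecar removed: traffic reaches the app port directly, authentication must be enforced upstream or by dbgate itself`, and mention the removal in the chart's upgrade notes. The Service `spec` starts above this hunk and the selector continues below it.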
diff --git a/charts/dbgate/values.openapiv3_schema.yaml b/charts/dbgate/values.openapiv3_schema.yaml
index efafcbda..dd878e5b 100644
--- a/charts/dbgate/values.openapiv3_schema.yaml
+++ b/charts/dbgate/values.openapiv3_schema.yaml
@@ -952,254 +952,6 @@ properties:
- service
- tls
type: object
- authzproxy:
- properties:
- enabled:
- type: boolean
- params:
- properties:
- listen:
- type: integer
- metricsAddr:
- type: integer
- platformCABundle:
- type: string
- platformURL:
- type: string
- required:
- - listen
- - metricsAddr
- - platformCABundle
- - platformURL
- type: object
- repository:
- type: string
- resources:
- description: ResourceRequirements describes the compute resource requirements.
- properties:
- claims:
- description: "Claims lists the names of resources, defined in spec.resourceClaims,\
- \ that are used by this container. \n This is an alpha field and requires\
- \ enabling the DynamicResourceAllocation feature gate. \n This field\
- \ is immutable. It can only be set for containers."
- items:
- description: ResourceClaim references one entry in PodSpec.ResourceClaims.
- properties:
- name:
- description: Name must match the name of one entry in pod.spec.resourceClaims
- of the Pod where this field is used. It makes that resource available
- inside a container.
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount of compute resources
- allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount of compute resources
- required. If Requests is omitted for a container, it defaults to Limits
- if that is explicitly specified, otherwise to an implementation-defined
- value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- type: object
- securityContext:
- description: SecurityContext holds security configuration that will be applied
- to a container. Some fields are present in both SecurityContext and PodSecurityContext. When
- both are set, the values in SecurityContext take precedence.
- properties:
- allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls whether a process can
- gain more privileges than its parent process. This bool directly controls
- if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN
- Note that this field cannot be set when spec.os.name is windows.'
- type: boolean
- appArmorProfile:
- description: appArmorProfile is the AppArmor options to use by this container.
- If set, this profile overrides the pod's appArmorProfile. Note that
- this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile loaded on the node
- that should be used. The profile must be preconfigured on the node
- to work. Must match the loaded name of the profile. Must be set
- if and only if type is "Localhost".
- type: string
- type:
- description: 'type indicates which kind of AppArmor profile will be
- applied. Valid options are: Localhost - a profile pre-loaded on
- the node. RuntimeDefault - the container runtime''s default profile.
- Unconfined - no AppArmor enforcement.'
- type: string
- required:
- - type
- type: object
- capabilities:
- description: The capabilities to add/drop when running containers. Defaults
- to the default set of capabilities granted by the container runtime.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- add:
- description: Added capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- description: Removed capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- description: Run container in privileged mode. Processes in privileged
- containers are essentially equivalent to root on the host. Defaults
- to false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- procMount:
- description: procMount denotes the type of proc mount to use for the containers.
- The default is DefaultProcMount which uses the container runtime defaults
- for readonly paths and masked paths. This requires the ProcMountType
- feature flag to be enabled. Note that this field cannot be set when
- spec.os.name is windows.
- type: string
- readOnlyRootFilesystem:
- description: Whether this container has a read-only root filesystem. Default
- is false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- runAsGroup:
- description: The GID to run the entrypoint of the container process. Uses
- runtime default if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is windows.
- format: int64
- type: integer
- runAsNonRoot:
- description: Indicates that the container must run as a non-root user.
- If true, the Kubelet will validate the image at runtime to ensure that
- it does not run as UID 0 (root) and fail to start the container if it
- does. If unset or false, no such validation will be performed. May also
- be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence.
- type: boolean
- runAsUser:
- description: The UID to run the entrypoint of the container process. Defaults
- to user specified in image metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence. Note that this
- field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- seLinuxOptions:
- description: The SELinux context to be applied to the container. If unspecified,
- the container runtime will allocate a random SELinux context for each
- container. May also be set in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified in SecurityContext takes
- precedence. Note that this field cannot be set when spec.os.name is
- windows.
- properties:
- level:
- description: Level is SELinux level label that applies to the container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the container.
- type: string
- user:
- description: User is a SELinux user label that applies to the container.
- type: string
- type: object
- seccompProfile:
- description: The seccomp options to use by this container. If seccomp
- options are provided at both the pod & container level, the container
- options override the pod options. Note that this field cannot be set
- when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile defined in a file
- on the node should be used. The profile must be preconfigured on
- the node to work. Must be a descending path, relative to the kubelet's
- configured seccomp profile location. Must be set if type is "Localhost".
- Must NOT be set for any other type.
- type: string
- type:
- description: "type indicates which kind of seccomp profile will be\
- \ applied. Valid options are: \n Localhost - a profile defined in\
- \ a file on the node should be used. RuntimeDefault - the container\
- \ runtime default profile should be used. Unconfined - no profile\
- \ should be applied."
- type: string
- required:
- - type
- type: object
- windowsOptions:
- description: The Windows specific settings applied to all containers.
- If unspecified, the options from the PodSecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is linux.
- properties:
- gmsaCredentialSpec:
- description: GMSACredentialSpec is where the GMSA admission webhook
- (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents
- of the GMSA credential spec named by the GMSACredentialSpecName
- field.
- type: string
- gmsaCredentialSpecName:
- description: GMSACredentialSpecName is the name of the GMSA credential
- spec to use.
- type: string
- hostProcess:
- description: HostProcess determines if a container should be run as
- a 'Host Process' container. All of a Pod's containers must have
- the same effective HostProcess value (it is not allowed to have
- a mix of HostProcess containers and non-HostProcess containers).
- In addition, if HostProcess is true then HostNetwork must also be
- set to true.
- type: boolean
- runAsUserName:
- description: The UserName in Windows to run the entrypoint of the
- container process. Defaults to the user specified in image metadata
- if unspecified. May also be set in PodSecurityContext. If set in
- both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
- type: string
- type: object
- type: object
- tag:
- type: string
- required:
- - enabled
- - params
- - repository
- - resources
- - securityContext
- - tag
- type: object
autoscaling:
properties:
http:
@@ -1778,7 +1530,6 @@ properties:
required:
- affinity
- app
-- authzproxy
- autoscaling
- bind
- fullnameOverride
diff --git a/charts/dbgate/values.yaml b/charts/dbgate/values.yaml
index 832e7bee..cc9a7d9e 100644
--- a/charts/dbgate/values.yaml
+++ b/charts/dbgate/values.yaml
@@ -138,30 +138,3 @@ app:
bind:
name: ""
namespace: ""
-
-authzproxy:
- enabled: false
- # KubeDB operator container image
- repository: appscode/kube-authz-proxy
- # KubeDB operator container image tag
- tag: "v0.0.1"
- # Security options this container should run with
- securityContext: # +doc-gen:break
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- readOnlyRootFilesystem: false
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- # Compute Resources required by this container
- resources: {}
- # requests:
- # cpu: 100m
- # memory: 128Mi
- params:
- listen: 8000
- metricsAddr: 8080
- platformURL: ""
- platformCABundle: ""
diff --git a/charts/kafka-ui/README.md b/charts/kafka-ui/README.md
index aaa863f9..7f5744e5 100644
--- a/charts/kafka-ui/README.md
+++ b/charts/kafka-ui/README.md
@@ -45,76 +45,67 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the `kafka-ui` chart and their default values.
-| Parameter | Description | Default |
-|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| replicaCount | | 1
|
-| image.registry | | docker.io
|
-| image.repository | | provectuslabs/kafka-ui
|
-| image.pullPolicy | | IfNotPresent
|
-| image.tag | Overrides the image tag whose default is the chart appVersion. | ""
|
-| imagePullSecrets | | []
|
-| nameOverride | | ""
|
-| fullnameOverride | | ""
|
-| serviceAccount.create | Specifies whether a service account should be created | true
|
-| serviceAccount.annotations | Annotations to add to the service account | {}
|
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
-| existingConfigMap | | ""
|
-| yamlApplicationConfig | | {}
|
-| yamlApplicationConfigConfigMap | kafka: clusters: - name: yaml bootstrapServers: kafka-service:9092 spring: security: oauth2: auth: type: disabled management: health: ldap: enabled: false | {}
|
-| existingSecret | keyName: config.yml name: configMapName | ""
|
-| envs.secret | | {}
|
-| envs.config | | {}
|
-| networkPolicy.enabled | | false
|
-| networkPolicy.egressRules.customRules | # Additional custom egress rules # e.g: # customRules: # - to: # - namespaceSelector: # matchLabels: # label: example | []
|
-| networkPolicy.ingressRules.customRules | # Additional custom ingress rules # e.g: # customRules: # - from: # - namespaceSelector: # matchLabels: # label: example | []
|
-| podAnnotations | | {}
|
-| podLabels | | {}
|
-| annotations | # Annotations to be added to kafka-ui Deployment # | {}
|
-| probes.useHttpsScheme | | false
|
-| podSecurityContext | | {}
|
-| securityContext | | {}
|
-| service.type | | ClusterIP
|
-| service.port | | 80
|
-| resources | | {}
|
-| autoscaling.enabled | | false
|
-| autoscaling.minReplicas | | 1
|
-| autoscaling.maxReplicas | | 100
|
-| autoscaling.targetCPUUtilizationPercentage | | 80
|
-| nodeSelector | | {}
|
-| tolerations | | []
|
-| affinity | | {}
|
-| env | | {}
|
-| initContainers | | {}
|
-| volumeMounts | | {}
|
-| volumes | | {}
|
-| namespace.create | | false
|
-| gateway.className | | "ace"
|
-| gateway.port | | 8082
|
-| gateway.tlsSecretRef.name | | service-presets-cert
|
-| gateway.tlsSecretRef.namespace | | ace
|
-| gateway.referenceGrant.create | | true
|
-| keda.proxyService.namespace | | "keda"
|
-| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
-| keda.proxyService.port | | 8080
|
-| targetPendingRequests | | 200
|
-| autoscaling.enabled | | false
|
-| autoscaling.minReplicas | | 1
|
-| autoscaling.maxReplicas | | 100
|
-| autoscaling.targetCPUUtilizationPercentage | | 80
|
-| app.service.name | | ""
|
-| app.service.namespace | | ""
|
-| app.authSecret.name | | ""
|
-| bind.name | | ""
|
-| bind.namespace | | ""
|
-| authzproxy.enabled | | false
|
-| authzproxy.repository | KubeDB operator container image | appscode/kube-authz-proxy
|
-| authzproxy.tag | KubeDB operator container image tag | "v0.0.1"
|
-| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| authzproxy.resources | Compute Resources required by this container | {}
|
-| authzproxy.params.listen | | 8000
|
-| authzproxy.params.metricsAddr | | 8080
|
-| authzproxy.params.platformURL | | ""
|
-| authzproxy.params.platformCABundle | | ""
|
+| Parameter | Description | Default |
+|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
+| replicaCount | | 1
|
+| image.registry | | docker.io
|
+| image.repository | | provectuslabs/kafka-ui
|
+| image.pullPolicy | | IfNotPresent
|
+| image.tag | Overrides the image tag whose default is the chart appVersion. | ""
|
+| imagePullSecrets | | []
|
+| nameOverride | | ""
|
+| fullnameOverride | | ""
|
+| serviceAccount.create | Specifies whether a service account should be created | true
|
+| serviceAccount.annotations | Annotations to add to the service account | {}
|
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
+| existingConfigMap | | ""
|
+| yamlApplicationConfig | | {}
|
+| yamlApplicationConfigConfigMap | kafka: clusters: - name: yaml bootstrapServers: kafka-service:9092 spring: security: oauth2: auth: type: disabled management: health: ldap: enabled: false | {}
|
+| existingSecret | keyName: config.yml name: configMapName | ""
|
+| envs.secret | | {}
|
+| envs.config | | {}
|
+| networkPolicy.enabled | | false
|
+| networkPolicy.egressRules.customRules | # Additional custom egress rules # e.g: # customRules: # - to: # - namespaceSelector: # matchLabels: # label: example | []
|
+| networkPolicy.ingressRules.customRules | # Additional custom ingress rules # e.g: # customRules: # - from: # - namespaceSelector: # matchLabels: # label: example | []
|
+| podAnnotations | | {}
|
+| podLabels | | {}
|
+| annotations | # Annotations to be added to kafka-ui Deployment # | {}
|
+| probes.useHttpsScheme | | false
|
+| podSecurityContext | | {}
|
+| securityContext | | {}
|
+| service.type | | ClusterIP
|
+| service.port | | 80
|
+| resources | | {}
|
+| autoscaling.enabled | | false
|
+| autoscaling.minReplicas | | 1
|
+| autoscaling.maxReplicas | | 100
|
+| autoscaling.targetCPUUtilizationPercentage | | 80
|
+| nodeSelector | | {}
|
+| tolerations | | []
|
+| affinity | | {}
|
+| env | | {}
|
+| initContainers | | {}
|
+| volumeMounts | | {}
|
+| volumes | | {}
|
+| namespace.create | | false
|
+| gateway.className | | "ace"
|
+| gateway.port | | 8082
|
+| gateway.tlsSecretRef.name | | service-presets-cert
|
+| gateway.tlsSecretRef.namespace | | ace
|
+| gateway.referenceGrant.create | | true
|
+| keda.proxyService.namespace | | "keda"
|
+| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
+| keda.proxyService.port | | 8080
|
+| targetPendingRequests | | 200
|
+| autoscaling.enabled | | false
|
+| autoscaling.minReplicas | | 1
|
+| autoscaling.maxReplicas | | 100
|
+| autoscaling.targetCPUUtilizationPercentage | | 80
|
+| app.service.name | | ""
|
+| app.service.namespace | | ""
|
+| app.authSecret.name | | ""
|
+| bind.name | | ""
|
+| bind.namespace | | ""
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/kafka-ui/values.yaml b/charts/kafka-ui/values.yaml
index dd16ba54..0e1312f5 100644
--- a/charts/kafka-ui/values.yaml
+++ b/charts/kafka-ui/values.yaml
@@ -168,30 +168,3 @@ app:
bind:
name: ""
namespace: ""
-
-authzproxy:
- enabled: false
- # KubeDB operator container image
- repository: appscode/kube-authz-proxy
- # KubeDB operator container image tag
- tag: "v0.0.1"
- # Security options this container should run with
- securityContext: # +doc-gen:break
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- # Compute Resources required by this container
- resources: {}
- # requests:
- # cpu: 100m
- # memory: 128Mi
- params:
- listen: 8000
- metricsAddr: 8080
- platformURL: ""
- platformCABundle: ""
diff --git a/charts/mongo-ui/README.md b/charts/mongo-ui/README.md
index 654e9967..8989ec35 100644
--- a/charts/mongo-ui/README.md
+++ b/charts/mongo-ui/README.md
@@ -45,62 +45,53 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the `mongo-ui` chart and their default values.
-| Parameter | Description | Default |
-|------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| proxies.appscode | r.appscode.com | r.appscode.com
|
-| proxies.dockerHub | company/bin:tag | ""
|
-| proxies.dockerLibrary | alpine, nginx etc. | ""
|
-| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
-| proxies.quay | quay.io/company/bin:tag | quay.io
|
-| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
-| replicaCount | | 1
|
-| image.repository | | "ugleiton/mongo-gui"
|
-| image.pullPolicy | | Always
|
-| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest"
|
-| imagePullSecrets | | []
|
-| nameOverride | | ""
|
-| fullnameOverride | | ""
|
-| serviceAccount.create | Specifies whether a service account should be created | true
|
-| serviceAccount.annotations | Annotations to add to the service account | {}
|
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
-| podAnnotations | | {}
|
-| podSecurityContext | | {}
|
-| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| service.type | | ClusterIP
|
-| service.port | | 80
|
-| resources | | {}
|
-| nodeSelector | | {}
|
-| tolerations | | []
|
-| affinity | | {}
|
-| namespace.create | | false
|
-| gateway.className | | "ace"
|
-| gateway.port | | 10000
|
-| gateway.tlsSecretRef.name | | service-presets-cert
|
-| gateway.tlsSecretRef.namespace | | ace
|
-| gateway.referenceGrant.create | | true
|
-| keda.proxyService.namespace | | "keda"
|
-| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
-| keda.proxyService.port | | 8080
|
-| targetPendingRequests | | 200
|
-| autoscaling.http.minReplicas | | 0
|
-| autoscaling.http.maxReplicas | | 1
|
-| app.service.name | | ""
|
-| app.service.namespace | | ""
|
-| app.authSecret.name | | ""
|
-| app.url | | "mongodb://root:***@*.*.svc:27017?retryWrites=true&w=majority"
|
-| tls.enabled | | false
|
-| tls.secretName | | "" # mongo client cert
|
-| bind.name | | ""
|
-| bind.namespace | | ""
|
-| authzproxy.enabled | | false
|
-| authzproxy.repository | KubeDB operator container image | appscode/kube-authz-proxy
|
-| authzproxy.tag | KubeDB operator container image tag | "v0.0.1"
|
-| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| authzproxy.resources | Compute Resources required by this container | {}
|
-| authzproxy.params.listen | | 8000
|
-| authzproxy.params.metricsAddr | | 8080
|
-| authzproxy.params.platformURL | | ""
|
-| authzproxy.params.platformCABundle | | ""
|
+| Parameter | Description | Default |
+|--------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| proxies.appscode | r.appscode.com | r.appscode.com
|
+| proxies.dockerHub | company/bin:tag | ""
|
+| proxies.dockerLibrary | alpine, nginx etc. | ""
|
+| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
+| proxies.quay | quay.io/company/bin:tag | quay.io
|
+| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
+| replicaCount | | 1
|
+| image.repository | | "ugleiton/mongo-gui"
|
+| image.pullPolicy | | Always
|
+| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest"
|
+| imagePullSecrets | | []
|
+| nameOverride | | ""
|
+| fullnameOverride | | ""
|
+| serviceAccount.create | Specifies whether a service account should be created | true
|
+| serviceAccount.annotations | Annotations to add to the service account | {}
|
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
+| podAnnotations | | {}
|
+| podSecurityContext | | {}
|
+| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
|
+| service.type | | ClusterIP
|
+| service.port | | 80
|
+| resources | | {}
|
+| nodeSelector | | {}
|
+| tolerations | | []
|
+| affinity | | {}
|
+| namespace.create | | false
|
+| gateway.className | | "ace"
|
+| gateway.port | | 10000
|
+| gateway.tlsSecretRef.name | | service-presets-cert
|
+| gateway.tlsSecretRef.namespace | | ace
|
+| gateway.referenceGrant.create | | true
|
+| keda.proxyService.namespace | | "keda"
|
+| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
+| keda.proxyService.port | | 8080
|
+| targetPendingRequests | | 200
|
+| autoscaling.http.minReplicas | | 0
|
+| autoscaling.http.maxReplicas | | 1
|
+| app.service.name | | ""
|
+| app.service.namespace | | ""
|
+| app.authSecret.name | | ""
|
+| app.url | | "mongodb://root:***@*.*.svc:27017?retryWrites=true&w=majority"
|
+| app.tls.enabled | | false
|
+| app.tls.secretName | | "" # mongo client cert
|
+| bind.name | | ""
|
+| bind.namespace | | ""
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/mongo-ui/templates/deployment.yaml b/charts/mongo-ui/templates/deployment.yaml
index 5c7aa834..16696b20 100644
--- a/charts/mongo-ui/templates/deployment.yaml
+++ b/charts/mongo-ui/templates/deployment.yaml
@@ -29,46 +29,6 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- {{- if .Values.authzproxy.enabled }}
- - name: authz-proxy
- securityContext:
- {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
- image: '{{ include "image.ghcr" (merge (dict "_repo" $.Values.authzproxy.repository) $) }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}'
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
- - run
- - --listen={{ .Values.authzproxy.params.listen }}
- - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
- - --secret-name={{ .Values.app.authSecret.name }}
- - --secret-namespace={{ .Release.Namespace }}
- - --target-url=http://localhost:4321
- - --platform-url={{ .Values.authzproxy.params.platformURL }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- - --platform-ca-file=/var/platform-auth/ca.crt
- {{- end }}
- ports:
- - name: proxy
- containerPort: {{ .Values.authzproxy.params.listen }}
- protocol: TCP
- - name: metrics
- containerPort: {{ .Values.authzproxy.params.metricsAddr }}
- protocol: TCP
- # livenessProbe:
- # httpGet:
- # path: /
- # port: http
- # readinessProbe:
- # httpGet:
- # path: /
- # port: http
- resources:
- {{- toYaml .Values.authzproxy.resources | nindent 12 }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- volumeMounts:
- - mountPath: /var/platform-auth
- name: platform-auth
- {{- end }}
- {{ end }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
@@ -77,18 +37,6 @@ spec:
env:
- name: MONGO_URL
value: {{ .Values.app.url }}
- {{- if not .Values.authzproxy.enabled }}
- - name: MONGOGUI_USERNAME
- valueFrom:
- secretKeyRef:
- name: {{ .Values.app.authSecret.name }}
- key: username
- - name: MONGOGUI_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ .Values.app.authSecret.name }}
- key: password
- {{- end }}
ports:
- name: http
containerPort: 4321
@@ -103,16 +51,16 @@ spec:
# port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
- {{- if .Values.tls.enabled }}
+ {{- if .Values.app.tls.enabled }}
volumeMounts:
- name: tls
mountPath: /tmp
{{- end }}
- {{- if .Values.tls.enabled }}
+ {{- if .Values.app.tls.enabled }}
volumes:
- name: tls
secret:
- secretName: {{ .Values.tls.secretName }}
+ secretName: {{ .Values.app.tls.secretName }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
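Review bot: Moving the two `if` guards and `secretName` from `.Values.tls.*` to `.Values.app.tls.*` means a values file that still sets the old top-level `tls.enabled: true` now renders without the `tls` volume and mount. The client certificate would then disappear silently on upgrade, unless schema validation rejects the stale key, which is not visible in this hunk. A guard at the top of the template would turn that into an install-time error: `{{- if hasKey .Values "tls" }}{{ fail "tls.* has moved to app.tls.*" }}{{- end }}`. The enclosing pod spec starts and ends outside the hunk.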
diff --git a/charts/mongo-ui/templates/platform-auth.yaml b/charts/mongo-ui/templates/platform-auth.yaml
deleted file mode 100644
index 84aff99a..00000000
--- a/charts/mongo-ui/templates/platform-auth.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{ $data := dict }}
-
-{{- with .Values.authzproxy.params.platformCABundle }}
-{{ $_ := set $data "ca.crt" . }}
-{{- end }}
-
-{{- if $data }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "mongo-ui.fullname" . }}-platform-auth
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "mongo-ui.labels" . | nindent 4 }}
-type: Opaque
-stringData: {{ $data | toJson }}
-{{- end }}
diff --git a/charts/mongo-ui/templates/service.yaml b/charts/mongo-ui/templates/service.yaml
index a026805d..2f189dbc 100644
--- a/charts/mongo-ui/templates/service.yaml
+++ b/charts/mongo-ui/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
- targetPort: {{ ternary "proxy" "http" .Values.authzproxy.enabled }}
+ targetPort: http
protocol: TCP
name: http
selector:
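Review bot: With `targetPort: http` fixed, the Service always forwards straight to the application container, and nothing visible in the chart authenticates requests that reach this port. The same commit removes the authz-proxy sidecar and the `MONGOGUI_USERNAME`/`MONGOGUI_PASSWORD` env vars from deployment.yaml. If access control is now expected to come from the gateway route, that assumption should be written next to the port, e.g. `# no in-pod auth: requests must arrive through the gateway; do not expose this Service directly`. `service.type` is still templated from values, so a NodePort or LoadBalancer override would presumably publish the UI without that layer; confirm against the gateway templates. The same one-line change is made in charts/pgadmin/templates/service.yaml, and the Service spec continues outside the hunk.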
diff --git a/charts/mongo-ui/values.openapiv3_schema.yaml b/charts/mongo-ui/values.openapiv3_schema.yaml
index 2dfe603f..c389f181 100644
--- a/charts/mongo-ui/values.openapiv3_schema.yaml
+++ b/charts/mongo-ui/values.openapiv3_schema.yaml
@@ -941,8 +941,11 @@ properties:
properties:
enabled:
type: boolean
+ secretName:
+ type: string
required:
- enabled
+ - secretName
type: object
url:
type: string
@@ -952,254 +955,6 @@ properties:
- tls
- url
type: object
- authzproxy:
- properties:
- enabled:
- type: boolean
- params:
- properties:
- listen:
- type: integer
- metricsAddr:
- type: integer
- platformCABundle:
- type: string
- platformURL:
- type: string
- required:
- - listen
- - metricsAddr
- - platformCABundle
- - platformURL
- type: object
- repository:
- type: string
- resources:
- description: ResourceRequirements describes the compute resource requirements.
- properties:
- claims:
- description: "Claims lists the names of resources, defined in spec.resourceClaims,\
- \ that are used by this container. \n This is an alpha field and requires\
- \ enabling the DynamicResourceAllocation feature gate. \n This field\
- \ is immutable. It can only be set for containers."
- items:
- description: ResourceClaim references one entry in PodSpec.ResourceClaims.
- properties:
- name:
- description: Name must match the name of one entry in pod.spec.resourceClaims
- of the Pod where this field is used. It makes that resource available
- inside a container.
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount of compute resources
- allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount of compute resources
- required. If Requests is omitted for a container, it defaults to Limits
- if that is explicitly specified, otherwise to an implementation-defined
- value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- type: object
- securityContext:
- description: SecurityContext holds security configuration that will be applied
- to a container. Some fields are present in both SecurityContext and PodSecurityContext. When
- both are set, the values in SecurityContext take precedence.
- properties:
- allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls whether a process can
- gain more privileges than its parent process. This bool directly controls
- if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN
- Note that this field cannot be set when spec.os.name is windows.'
- type: boolean
- appArmorProfile:
- description: appArmorProfile is the AppArmor options to use by this container.
- If set, this profile overrides the pod's appArmorProfile. Note that
- this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile loaded on the node
- that should be used. The profile must be preconfigured on the node
- to work. Must match the loaded name of the profile. Must be set
- if and only if type is "Localhost".
- type: string
- type:
- description: 'type indicates which kind of AppArmor profile will be
- applied. Valid options are: Localhost - a profile pre-loaded on
- the node. RuntimeDefault - the container runtime''s default profile.
- Unconfined - no AppArmor enforcement.'
- type: string
- required:
- - type
- type: object
- capabilities:
- description: The capabilities to add/drop when running containers. Defaults
- to the default set of capabilities granted by the container runtime.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- add:
- description: Added capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- description: Removed capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- description: Run container in privileged mode. Processes in privileged
- containers are essentially equivalent to root on the host. Defaults
- to false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- procMount:
- description: procMount denotes the type of proc mount to use for the containers.
- The default is DefaultProcMount which uses the container runtime defaults
- for readonly paths and masked paths. This requires the ProcMountType
- feature flag to be enabled. Note that this field cannot be set when
- spec.os.name is windows.
- type: string
- readOnlyRootFilesystem:
- description: Whether this container has a read-only root filesystem. Default
- is false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- runAsGroup:
- description: The GID to run the entrypoint of the container process. Uses
- runtime default if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is windows.
- format: int64
- type: integer
- runAsNonRoot:
- description: Indicates that the container must run as a non-root user.
- If true, the Kubelet will validate the image at runtime to ensure that
- it does not run as UID 0 (root) and fail to start the container if it
- does. If unset or false, no such validation will be performed. May also
- be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence.
- type: boolean
- runAsUser:
- description: The UID to run the entrypoint of the container process. Defaults
- to user specified in image metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence. Note that this
- field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- seLinuxOptions:
- description: The SELinux context to be applied to the container. If unspecified,
- the container runtime will allocate a random SELinux context for each
- container. May also be set in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified in SecurityContext takes
- precedence. Note that this field cannot be set when spec.os.name is
- windows.
- properties:
- level:
- description: Level is SELinux level label that applies to the container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the container.
- type: string
- user:
- description: User is a SELinux user label that applies to the container.
- type: string
- type: object
- seccompProfile:
- description: The seccomp options to use by this container. If seccomp
- options are provided at both the pod & container level, the container
- options override the pod options. Note that this field cannot be set
- when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile defined in a file
- on the node should be used. The profile must be preconfigured on
- the node to work. Must be a descending path, relative to the kubelet's
- configured seccomp profile location. Must be set if type is "Localhost".
- Must NOT be set for any other type.
- type: string
- type:
- description: "type indicates which kind of seccomp profile will be\
- \ applied. Valid options are: \n Localhost - a profile defined in\
- \ a file on the node should be used. RuntimeDefault - the container\
- \ runtime default profile should be used. Unconfined - no profile\
- \ should be applied."
- type: string
- required:
- - type
- type: object
- windowsOptions:
- description: The Windows specific settings applied to all containers.
- If unspecified, the options from the PodSecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is linux.
- properties:
- gmsaCredentialSpec:
- description: GMSACredentialSpec is where the GMSA admission webhook
- (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents
- of the GMSA credential spec named by the GMSACredentialSpecName
- field.
- type: string
- gmsaCredentialSpecName:
- description: GMSACredentialSpecName is the name of the GMSA credential
- spec to use.
- type: string
- hostProcess:
- description: HostProcess determines if a container should be run as
- a 'Host Process' container. All of a Pod's containers must have
- the same effective HostProcess value (it is not allowed to have
- a mix of HostProcess containers and non-HostProcess containers).
- In addition, if HostProcess is true then HostNetwork must also be
- set to true.
- type: boolean
- runAsUserName:
- description: The UserName in Windows to run the entrypoint of the
- container process. Defaults to the user specified in image metadata
- if unspecified. May also be set in PodSecurityContext. If set in
- both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
- type: string
- type: object
- type: object
- tag:
- type: string
- required:
- - enabled
- - params
- - repository
- - resources
- - securityContext
- - tag
- type: object
autoscaling:
properties:
http:
@@ -1739,16 +1494,6 @@ properties:
type: object
targetPendingRequests:
type: integer
- tls:
- properties:
- enabled:
- type: boolean
- secretName:
- type: string
- required:
- - enabled
- - secretName
- type: object
tolerations:
items:
description: The pod this Toleration is attached to tolerates any taint that
@@ -1788,7 +1533,6 @@ properties:
required:
- affinity
- app
-- authzproxy
- autoscaling
- bind
- fullnameOverride
@@ -1807,6 +1551,5 @@ required:
- service
- serviceAccount
- targetPendingRequests
-- tls
- tolerations
type: object
diff --git a/charts/mongo-ui/values.yaml b/charts/mongo-ui/values.yaml
index 07af025e..701ba6c0 100644
--- a/charts/mongo-ui/values.yaml
+++ b/charts/mongo-ui/values.yaml
@@ -127,36 +127,9 @@ app:
authSecret:
name: ""
url: "mongodb://root:***@*.*.svc:27017?retryWrites=true&w=majority"
-tls:
- enabled: false
- secretName: "" # mongo client cert
+ tls:
+ enabled: false
+ secretName: "" # mongo client cert
bind:
name: ""
namespace: ""
-
-authzproxy:
- enabled: false
- # KubeDB operator container image
- repository: appscode/kube-authz-proxy
- # KubeDB operator container image tag
- tag: "v0.0.1"
- # Security options this container should run with
- securityContext: # +doc-gen:break
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- # Compute Resources required by this container
- resources: {}
- # requests:
- # cpu: 100m
- # memory: 128Mi
- params:
- listen: 8000
- metricsAddr: 8080
- platformURL: ""
- platformCABundle: ""
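Review bot: The relocated `app.tls` block documents `secretName` only with `# mongo client cert`, which does not tell the user that the value must be set. deployment.yaml renders `secretName:` from it whenever `enabled` is true, so the default `""` yields a volume with an empty secret name. I would state the contract on the key: `# Secret holding the MongoDB client certificate; required when enabled is true (mounted at /tmp)`. The file names the container expects inside that secret are not visible in this diff and would be worth stating there as well. The `app:` mapping starts above the hunk.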
diff --git a/charts/pgadmin/README.md b/charts/pgadmin/README.md
index 1572a989..f4f12074 100644
--- a/charts/pgadmin/README.md
+++ b/charts/pgadmin/README.md
@@ -45,59 +45,50 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the `pgadmin` chart and their default values.
-| Parameter | Description | Default |
-|------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| proxies.appscode | r.appscode.com | r.appscode.com
|
-| proxies.dockerHub | company/bin:tag | ""
|
-| proxies.dockerLibrary | alpine, nginx etc. | ""
|
-| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
-| proxies.quay | quay.io/company/bin:tag | quay.io
|
-| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
-| replicaCount | | 1
|
-| image.repository | | "dpage/pgadmin4"
|
-| image.pullPolicy | | Always
|
-| image.tag | Overrides the image tag whose default is the chart appVersion. | ""
|
-| imagePullSecrets | | []
|
-| nameOverride | | ""
|
-| fullnameOverride | | ""
|
-| serviceAccount.create | Specifies whether a service account should be created | true
|
-| serviceAccount.annotations | Annotations to add to the service account | {}
|
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
-| podAnnotations | | {}
|
-| podSecurityContext | | {}
|
-| securityContext | | {"allowPrivilegeEscalation":false,"runAsGroup":5050,"runAsNonRoot":true,"runAsUser":5050,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| service.type | | ClusterIP
|
-| service.port | | 80
|
-| resources | | {}
|
-| nodeSelector | | {}
|
-| tolerations | | []
|
-| affinity | | {}
|
-| namespace.create | | false
|
-| gateway.className | | "ace"
|
-| gateway.port | | 8082
|
-| gateway.tlsSecretRef.name | | service-presets-cert
|
-| gateway.tlsSecretRef.namespace | | ace
|
-| gateway.referenceGrant.create | | true
|
-| keda.proxyService.namespace | | "keda"
|
-| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
-| keda.proxyService.port | | 8080
|
-| targetPendingRequests | | 200
|
-| autoscaling.http.minReplicas | | 0
|
-| autoscaling.http.maxReplicas | | 1
|
-| app.service.name | | ""
|
-| app.service.namespace | | ""
|
-| app.authSecret.name | | ""
|
-| bind.name | | ""
|
-| bind.namespace | | ""
|
-| authzproxy.enabled | | false
|
-| authzproxy.repository | KubeDB operator container image | appscode/kube-authz-proxy
|
-| authzproxy.tag | KubeDB operator container image tag | "v0.0.1"
|
-| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| authzproxy.resources | Compute Resources required by this container | {}
|
-| authzproxy.params.listen | | 8000
|
-| authzproxy.params.metricsAddr | | 8080
|
-| authzproxy.params.platformURL | | ""
|
-| authzproxy.params.platformCABundle | | ""
|
+| Parameter | Description | Default |
+|--------------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|
+| proxies.appscode | r.appscode.com | r.appscode.com
|
+| proxies.dockerHub | company/bin:tag | ""
|
+| proxies.dockerLibrary | alpine, nginx etc. | ""
|
+| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
+| proxies.quay | quay.io/company/bin:tag | quay.io
|
+| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
+| replicaCount | | 1
|
+| image.repository | | "dpage/pgadmin4"
|
+| image.pullPolicy | | Always
|
+| image.tag | Overrides the image tag whose default is the chart appVersion. | ""
|
+| imagePullSecrets | | []
|
+| nameOverride | | ""
|
+| fullnameOverride | | ""
|
+| serviceAccount.create | Specifies whether a service account should be created | true
|
+| serviceAccount.annotations | Annotations to add to the service account | {}
|
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
+| podAnnotations | | {}
|
+| podSecurityContext | | {}
|
+| securityContext | | {"allowPrivilegeEscalation":false,"runAsGroup":5050,"runAsNonRoot":true,"runAsUser":5050,"seccompProfile":{"type":"RuntimeDefault"}}
|
+| service.type | | ClusterIP
|
+| service.port | | 80
|
+| resources | | {}
|
+| nodeSelector | | {}
|
+| tolerations | | []
|
+| affinity | | {}
|
+| namespace.create | | false
|
+| gateway.className | | "ace"
|
+| gateway.port | | 8082
|
+| gateway.tlsSecretRef.name | | service-presets-cert
|
+| gateway.tlsSecretRef.namespace | | ace
|
+| gateway.referenceGrant.create | | true
|
+| keda.proxyService.namespace | | "keda"
|
+| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
+| keda.proxyService.port | | 8080
|
+| targetPendingRequests | | 200
|
+| autoscaling.http.minReplicas | | 0
|
+| autoscaling.http.maxReplicas | | 1
|
+| app.service.name | | ""
|
+| app.service.namespace | | ""
|
+| app.authSecret.name | | ""
|
+| bind.name | | ""
|
+| bind.namespace | | ""
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/pgadmin/templates/deployment.yaml b/charts/pgadmin/templates/deployment.yaml
index 7a381d69..d4249e27 100644
--- a/charts/pgadmin/templates/deployment.yaml
+++ b/charts/pgadmin/templates/deployment.yaml
@@ -29,46 +29,6 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- {{- if .Values.authzproxy.enabled }}
- - name: authz-proxy
- securityContext:
- {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
- image: '{{ include "image.ghcr" (merge (dict "_repo" $.Values.authzproxy.repository) $) }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}'
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
- - run
- - --listen={{ .Values.authzproxy.params.listen }}
- - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
- - --secret-name={{ .Values.app.authSecret.name }}
- - --secret-namespace={{ .Release.Namespace }}
- - --target-url=http://localhost:80
- - --platform-url={{ .Values.authzproxy.params.platformURL }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- - --platform-ca-file=/var/platform-auth/ca.crt
- {{- end }}
- ports:
- - name: proxy
- containerPort: {{ .Values.authzproxy.params.listen }}
- protocol: TCP
- - name: metrics
- containerPort: {{ .Values.authzproxy.params.metricsAddr }}
- protocol: TCP
- # livenessProbe:
- # httpGet:
- # path: /
- # port: http
- # readinessProbe:
- # httpGet:
- # path: /
- # port: http
- resources:
- {{- toYaml .Values.authzproxy.resources | nindent 12 }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- volumeMounts:
- - mountPath: /var/platform-auth
- name: platform-auth
- {{- end }}
- {{ end }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
@@ -132,12 +92,6 @@ spec:
emptyDir: {}
- name: logdir
emptyDir: {}
- {{- if .Values.authzproxy.params.platformCABundle }}
- - name: platform-auth
- secret:
- defaultMode: 420
- secretName: {{ include "pgadmin.fullname" . }}-platform-auth
- {{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
diff --git a/charts/pgadmin/templates/platform-auth.yaml b/charts/pgadmin/templates/platform-auth.yaml
deleted file mode 100644
index 96981860..00000000
--- a/charts/pgadmin/templates/platform-auth.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{ $data := dict }}
-
-{{- with .Values.authzproxy.params.platformCABundle }}
-{{ $_ := set $data "ca.crt" . }}
-{{- end }}
-
-{{- if $data }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "pgadmin.fullname" . }}-platform-auth
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "pgadmin.labels" . | nindent 4 }}
-type: Opaque
-stringData: {{ $data | toJson }}
-{{- end }}
diff --git a/charts/pgadmin/templates/service.yaml b/charts/pgadmin/templates/service.yaml
index 67f0f24a..cfe0ae2c 100644
--- a/charts/pgadmin/templates/service.yaml
+++ b/charts/pgadmin/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
- targetPort: {{ ternary "proxy" "http" .Values.authzproxy.enabled }}
+ targetPort: http
protocol: TCP
name: http
selector:
diff --git a/charts/pgadmin/values.openapiv3_schema.yaml b/charts/pgadmin/values.openapiv3_schema.yaml
index 92ed5155..4391a445 100644
--- a/charts/pgadmin/values.openapiv3_schema.yaml
+++ b/charts/pgadmin/values.openapiv3_schema.yaml
@@ -937,265 +937,9 @@ properties:
- name
- namespace
type: object
- tls:
- properties:
- enabled:
- type: boolean
- required:
- - enabled
- type: object
required:
- authSecret
- service
- - tls
- type: object
- authzproxy:
- properties:
- enabled:
- type: boolean
- params:
- properties:
- listen:
- type: integer
- metricsAddr:
- type: integer
- platformCABundle:
- type: string
- platformURL:
- type: string
- required:
- - listen
- - metricsAddr
- - platformCABundle
- - platformURL
- type: object
- repository:
- type: string
- resources:
- description: ResourceRequirements describes the compute resource requirements.
- properties:
- claims:
- description: "Claims lists the names of resources, defined in spec.resourceClaims,\
- \ that are used by this container. \n This is an alpha field and requires\
- \ enabling the DynamicResourceAllocation feature gate. \n This field\
- \ is immutable. It can only be set for containers."
- items:
- description: ResourceClaim references one entry in PodSpec.ResourceClaims.
- properties:
- name:
- description: Name must match the name of one entry in pod.spec.resourceClaims
- of the Pod where this field is used. It makes that resource available
- inside a container.
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount of compute resources
- allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount of compute resources
- required. If Requests is omitted for a container, it defaults to Limits
- if that is explicitly specified, otherwise to an implementation-defined
- value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- type: object
- securityContext:
- description: SecurityContext holds security configuration that will be applied
- to a container. Some fields are present in both SecurityContext and PodSecurityContext. When
- both are set, the values in SecurityContext take precedence.
- properties:
- allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls whether a process can
- gain more privileges than its parent process. This bool directly controls
- if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN
- Note that this field cannot be set when spec.os.name is windows.'
- type: boolean
- appArmorProfile:
- description: appArmorProfile is the AppArmor options to use by this container.
- If set, this profile overrides the pod's appArmorProfile. Note that
- this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile loaded on the node
- that should be used. The profile must be preconfigured on the node
- to work. Must match the loaded name of the profile. Must be set
- if and only if type is "Localhost".
- type: string
- type:
- description: 'type indicates which kind of AppArmor profile will be
- applied. Valid options are: Localhost - a profile pre-loaded on
- the node. RuntimeDefault - the container runtime''s default profile.
- Unconfined - no AppArmor enforcement.'
- type: string
- required:
- - type
- type: object
- capabilities:
- description: The capabilities to add/drop when running containers. Defaults
- to the default set of capabilities granted by the container runtime.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- add:
- description: Added capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- description: Removed capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- description: Run container in privileged mode. Processes in privileged
- containers are essentially equivalent to root on the host. Defaults
- to false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- procMount:
- description: procMount denotes the type of proc mount to use for the containers.
- The default is DefaultProcMount which uses the container runtime defaults
- for readonly paths and masked paths. This requires the ProcMountType
- feature flag to be enabled. Note that this field cannot be set when
- spec.os.name is windows.
- type: string
- readOnlyRootFilesystem:
- description: Whether this container has a read-only root filesystem. Default
- is false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- runAsGroup:
- description: The GID to run the entrypoint of the container process. Uses
- runtime default if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is windows.
- format: int64
- type: integer
- runAsNonRoot:
- description: Indicates that the container must run as a non-root user.
- If true, the Kubelet will validate the image at runtime to ensure that
- it does not run as UID 0 (root) and fail to start the container if it
- does. If unset or false, no such validation will be performed. May also
- be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence.
- type: boolean
- runAsUser:
- description: The UID to run the entrypoint of the container process. Defaults
- to user specified in image metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence. Note that this
- field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- seLinuxOptions:
- description: The SELinux context to be applied to the container. If unspecified,
- the container runtime will allocate a random SELinux context for each
- container. May also be set in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified in SecurityContext takes
- precedence. Note that this field cannot be set when spec.os.name is
- windows.
- properties:
- level:
- description: Level is SELinux level label that applies to the container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the container.
- type: string
- user:
- description: User is a SELinux user label that applies to the container.
- type: string
- type: object
- seccompProfile:
- description: The seccomp options to use by this container. If seccomp
- options are provided at both the pod & container level, the container
- options override the pod options. Note that this field cannot be set
- when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile defined in a file
- on the node should be used. The profile must be preconfigured on
- the node to work. Must be a descending path, relative to the kubelet's
- configured seccomp profile location. Must be set if type is "Localhost".
- Must NOT be set for any other type.
- type: string
- type:
- description: "type indicates which kind of seccomp profile will be\
- \ applied. Valid options are: \n Localhost - a profile defined in\
- \ a file on the node should be used. RuntimeDefault - the container\
- \ runtime default profile should be used. Unconfined - no profile\
- \ should be applied."
- type: string
- required:
- - type
- type: object
- windowsOptions:
- description: The Windows specific settings applied to all containers.
- If unspecified, the options from the PodSecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is linux.
- properties:
- gmsaCredentialSpec:
- description: GMSACredentialSpec is where the GMSA admission webhook
- (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents
- of the GMSA credential spec named by the GMSACredentialSpecName
- field.
- type: string
- gmsaCredentialSpecName:
- description: GMSACredentialSpecName is the name of the GMSA credential
- spec to use.
- type: string
- hostProcess:
- description: HostProcess determines if a container should be run as
- a 'Host Process' container. All of a Pod's containers must have
- the same effective HostProcess value (it is not allowed to have
- a mix of HostProcess containers and non-HostProcess containers).
- In addition, if HostProcess is true then HostNetwork must also be
- set to true.
- type: boolean
- runAsUserName:
- description: The UserName in Windows to run the entrypoint of the
- container process. Defaults to the user specified in image metadata
- if unspecified. May also be set in PodSecurityContext. If set in
- both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
- type: string
- type: object
- type: object
- tag:
- type: string
- required:
- - enabled
- - params
- - repository
- - resources
- - securityContext
- - tag
type: object
autoscaling:
properties:
@@ -1775,7 +1519,6 @@ properties:
required:
- affinity
- app
-- authzproxy
- autoscaling
- bind
- fullnameOverride
diff --git a/charts/pgadmin/values.yaml b/charts/pgadmin/values.yaml
index 5adb357c..8c1ec40d 100644
--- a/charts/pgadmin/values.yaml
+++ b/charts/pgadmin/values.yaml
@@ -130,30 +130,3 @@ app:
bind:
name: ""
namespace: ""
-
-authzproxy:
- enabled: false
- # KubeDB operator container image
- repository: appscode/kube-authz-proxy
- # KubeDB operator container image tag
- tag: "v0.0.1"
- # Security options this container should run with
- securityContext: # +doc-gen:break
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- # Compute Resources required by this container
- resources: {}
- # requests:
- # cpu: 100m
- # memory: 128Mi
- params:
- listen: 8000
- metricsAddr: 8080
- platformURL: ""
- platformCABundle: ""
diff --git a/charts/phpmyadmin/README.md b/charts/phpmyadmin/README.md
index 0cba007d..e3215b23 100644
--- a/charts/phpmyadmin/README.md
+++ b/charts/phpmyadmin/README.md
@@ -45,60 +45,51 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the `phpmyadmin` chart and their default values.
-| Parameter | Description | Default |
-|------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| proxies.appscode | r.appscode.com | r.appscode.com
|
-| proxies.dockerHub | company/bin:tag | ""
|
-| proxies.dockerLibrary | alpine, nginx etc. | ""
|
-| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
-| proxies.quay | quay.io/company/bin:tag | quay.io
|
-| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
-| replicaCount | | 1
|
-| image.repository | | "appscode-images/phpmyadmin"
|
-| image.pullPolicy | | Always
|
-| image.tag | Overrides the image tag whose default is the chart appVersion. | ""
|
-| imagePullSecrets | | []
|
-| nameOverride | | ""
|
-| fullnameOverride | | ""
|
-| serviceAccount.create | Specifies whether a service account should be created | true
|
-| serviceAccount.annotations | Annotations to add to the service account | {}
|
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
-| podAnnotations | | {}
|
-| podSecurityContext | | {}
|
-| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| service.type | | ClusterIP
|
-| service.port | | 80
|
-| resources | | {}
|
-| nodeSelector | | {}
|
-| tolerations | | []
|
-| affinity | | {}
|
-| namespace.create | | false
|
-| gateway.className | | "ace"
|
-| gateway.port | | 8082
|
-| gateway.tlsSecretRef.name | | service-presets-cert
|
-| gateway.tlsSecretRef.namespace | | ace
|
-| gateway.referenceGrant.create | | true
|
-| keda.proxyService.namespace | | "keda"
|
-| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
-| keda.proxyService.port | | 8080
|
-| targetPendingRequests | | 200
|
-| autoscaling.http.minReplicas | | 0
|
-| autoscaling.http.maxReplicas | | 1
|
-| app.service.name | | ""
|
-| app.service.namespace | | ""
|
-| app.authSecret.name | | ""
|
-| app.tls.enabled | | false
|
-| bind.name | | ""
|
-| bind.namespace | | ""
|
-| authzproxy.enabled | | false
|
-| authzproxy.repository | KubeDB operator container image | appscode/kube-authz-proxy
|
-| authzproxy.tag | KubeDB operator container image tag | "v0.0.1"
|
-| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}
|
-| authzproxy.resources | Compute Resources required by this container | {}
|
-| authzproxy.params.listen | | 8000
|
-| authzproxy.params.metricsAddr | | 8080
|
-| authzproxy.params.platformURL | | ""
|
-| authzproxy.params.platformCABundle | | ""
|
+| Parameter | Description | Default |
+|--------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| proxies.appscode | r.appscode.com | r.appscode.com
|
+| proxies.dockerHub | company/bin:tag | ""
|
+| proxies.dockerLibrary | alpine, nginx etc. | ""
|
+| proxies.ghcr | ghcr.io/company/bin:tag | ghcr.io
|
+| proxies.quay | quay.io/company/bin:tag | quay.io
|
+| proxies.kubernetes | registry.k8s.io/bin:tag | registry.k8s.io
|
+| replicaCount | | 1
|
+| image.repository | | "appscode-images/phpmyadmin"
|
+| image.pullPolicy | | Always
|
+| image.tag | Overrides the image tag whose default is the chart appVersion. | ""
|
+| imagePullSecrets | | []
|
+| nameOverride | | ""
|
+| fullnameOverride | | ""
|
+| serviceAccount.create | Specifies whether a service account should be created | true
|
+| serviceAccount.annotations | Annotations to add to the service account | {}
|
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | ""
|
+| podAnnotations | | {}
|
+| podSecurityContext | | {}
|
+| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}
|
+| service.type | | ClusterIP
|
+| service.port | | 80
|
+| resources | | {}
|
+| nodeSelector | | {}
|
+| tolerations | | []
|
+| affinity | | {}
|
+| namespace.create | | false
|
+| gateway.className | | "ace"
|
+| gateway.port | | 8082
|
+| gateway.tlsSecretRef.name | | service-presets-cert
|
+| gateway.tlsSecretRef.namespace | | ace
|
+| gateway.referenceGrant.create | | true
|
+| keda.proxyService.namespace | | "keda"
|
+| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy"
|
+| keda.proxyService.port | | 8080
|
+| targetPendingRequests | | 200
|
+| autoscaling.http.minReplicas | | 0
|
+| autoscaling.http.maxReplicas | | 1
|
+| app.service.name | | ""
|
+| app.service.namespace | | ""
|
+| app.authSecret.name | | ""
|
+| app.tls.enabled | | false
|
+| bind.name | | ""
|
+| bind.namespace | | ""
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/phpmyadmin/templates/deployment.yaml b/charts/phpmyadmin/templates/deployment.yaml
index 4de1d92e..8c230b8e 100644
--- a/charts/phpmyadmin/templates/deployment.yaml
+++ b/charts/phpmyadmin/templates/deployment.yaml
@@ -29,46 +29,6 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- {{- if .Values.authzproxy.enabled }}
- - name: authz-proxy
- securityContext:
- {{- toYaml .Values.authzproxy.securityContext | nindent 12 }}
- image: '{{ include "image.ghcr" (merge (dict "_repo" $.Values.authzproxy.repository) $) }}:{{ .Values.authzproxy.tag | default .Chart.AppVersion }}'
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
- - run
- - --listen={{ .Values.authzproxy.params.listen }}
- - --metrics-addr={{ .Values.authzproxy.params.metricsAddr }}
- - --secret-name={{ .Values.app.authSecret.name }}
- - --secret-namespace={{ .Release.Namespace }}
- - --target-url=http://localhost:80
- - --platform-url={{ .Values.authzproxy.params.platformURL }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- - --platform-ca-file=/var/platform-auth/ca.crt
- {{- end }}
- ports:
- - name: proxy
- containerPort: {{ .Values.authzproxy.params.listen }}
- protocol: TCP
- - name: metrics
- containerPort: {{ .Values.authzproxy.params.metricsAddr }}
- protocol: TCP
- # livenessProbe:
- # httpGet:
- # path: /
- # port: http
- # readinessProbe:
- # httpGet:
- # path: /
- # port: http
- resources:
- {{- toYaml .Values.authzproxy.resources | nindent 12 }}
- {{- if .Values.authzproxy.params.platformCABundle }}
- volumeMounts:
- - mountPath: /var/platform-auth
- name: platform-auth
- {{- end }}
- {{ end }}
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
@@ -110,12 +70,6 @@ spec:
# https://docs.phpmyadmin.net/en/latest/config.html#cfg_SaveDir
- name: data
emptyDir: {}
- {{- if .Values.authzproxy.params.platformCABundle }}
- - name: platform-auth
- secret:
- defaultMode: 420
- secretName: {{ include "phpmyadmin.fullname" . }}-platform-auth
- {{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
diff --git a/charts/phpmyadmin/templates/platform-auth.yaml b/charts/phpmyadmin/templates/platform-auth.yaml
deleted file mode 100644
index e6b403da..00000000
--- a/charts/phpmyadmin/templates/platform-auth.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{ $data := dict }}
-
-{{- with .Values.authzproxy.params.platformCABundle }}
-{{ $_ := set $data "ca.crt" . }}
-{{- end }}
-
-{{- if $data }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "phpmyadmin.fullname" . }}-platform-auth
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "phpmyadmin.labels" . | nindent 4 }}
-type: Opaque
-stringData: {{ $data | toJson }}
-{{- end }}
diff --git a/charts/phpmyadmin/templates/service.yaml b/charts/phpmyadmin/templates/service.yaml
index 08c78dec..f70c2851 100644
--- a/charts/phpmyadmin/templates/service.yaml
+++ b/charts/phpmyadmin/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
- targetPort: {{ ternary "proxy" "http" .Values.authzproxy.enabled }}
+ targetPort: http
protocol: TCP
name: http
selector:
diff --git a/charts/phpmyadmin/values.openapiv3_schema.yaml b/charts/phpmyadmin/values.openapiv3_schema.yaml
index 92ed5155..48198a89 100644
--- a/charts/phpmyadmin/values.openapiv3_schema.yaml
+++ b/charts/phpmyadmin/values.openapiv3_schema.yaml
@@ -949,254 +949,6 @@ properties:
- service
- tls
type: object
- authzproxy:
- properties:
- enabled:
- type: boolean
- params:
- properties:
- listen:
- type: integer
- metricsAddr:
- type: integer
- platformCABundle:
- type: string
- platformURL:
- type: string
- required:
- - listen
- - metricsAddr
- - platformCABundle
- - platformURL
- type: object
- repository:
- type: string
- resources:
- description: ResourceRequirements describes the compute resource requirements.
- properties:
- claims:
- description: "Claims lists the names of resources, defined in spec.resourceClaims,\
- \ that are used by this container. \n This is an alpha field and requires\
- \ enabling the DynamicResourceAllocation feature gate. \n This field\
- \ is immutable. It can only be set for containers."
- items:
- description: ResourceClaim references one entry in PodSpec.ResourceClaims.
- properties:
- name:
- description: Name must match the name of one entry in pod.spec.resourceClaims
- of the Pod where this field is used. It makes that resource available
- inside a container.
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount of compute resources
- allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount of compute resources
- required. If Requests is omitted for a container, it defaults to Limits
- if that is explicitly specified, otherwise to an implementation-defined
- value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
- type: object
- type: object
- securityContext:
- description: SecurityContext holds security configuration that will be applied
- to a container. Some fields are present in both SecurityContext and PodSecurityContext. When
- both are set, the values in SecurityContext take precedence.
- properties:
- allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls whether a process can
- gain more privileges than its parent process. This bool directly controls
- if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN
- Note that this field cannot be set when spec.os.name is windows.'
- type: boolean
- appArmorProfile:
- description: appArmorProfile is the AppArmor options to use by this container.
- If set, this profile overrides the pod's appArmorProfile. Note that
- this field cannot be set when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile loaded on the node
- that should be used. The profile must be preconfigured on the node
- to work. Must match the loaded name of the profile. Must be set
- if and only if type is "Localhost".
- type: string
- type:
- description: 'type indicates which kind of AppArmor profile will be
- applied. Valid options are: Localhost - a profile pre-loaded on
- the node. RuntimeDefault - the container runtime''s default profile.
- Unconfined - no AppArmor enforcement.'
- type: string
- required:
- - type
- type: object
- capabilities:
- description: The capabilities to add/drop when running containers. Defaults
- to the default set of capabilities granted by the container runtime.
- Note that this field cannot be set when spec.os.name is windows.
- properties:
- add:
- description: Added capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- description: Removed capabilities
- items:
- description: Capability represent POSIX capabilities type
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- description: Run container in privileged mode. Processes in privileged
- containers are essentially equivalent to root on the host. Defaults
- to false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- procMount:
- description: procMount denotes the type of proc mount to use for the containers.
- The default is DefaultProcMount which uses the container runtime defaults
- for readonly paths and masked paths. This requires the ProcMountType
- feature flag to be enabled. Note that this field cannot be set when
- spec.os.name is windows.
- type: string
- readOnlyRootFilesystem:
- description: Whether this container has a read-only root filesystem. Default
- is false. Note that this field cannot be set when spec.os.name is windows.
- type: boolean
- runAsGroup:
- description: The GID to run the entrypoint of the container process. Uses
- runtime default if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is windows.
- format: int64
- type: integer
- runAsNonRoot:
- description: Indicates that the container must run as a non-root user.
- If true, the Kubelet will validate the image at runtime to ensure that
- it does not run as UID 0 (root) and fail to start the container if it
- does. If unset or false, no such validation will be performed. May also
- be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence.
- type: boolean
- runAsUser:
- description: The UID to run the entrypoint of the container process. Defaults
- to user specified in image metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes precedence. Note that this
- field cannot be set when spec.os.name is windows.
- format: int64
- type: integer
- seLinuxOptions:
- description: The SELinux context to be applied to the container. If unspecified,
- the container runtime will allocate a random SELinux context for each
- container. May also be set in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified in SecurityContext takes
- precedence. Note that this field cannot be set when spec.os.name is
- windows.
- properties:
- level:
- description: Level is SELinux level label that applies to the container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the container.
- type: string
- user:
- description: User is a SELinux user label that applies to the container.
- type: string
- type: object
- seccompProfile:
- description: The seccomp options to use by this container. If seccomp
- options are provided at both the pod & container level, the container
- options override the pod options. Note that this field cannot be set
- when spec.os.name is windows.
- properties:
- localhostProfile:
- description: localhostProfile indicates a profile defined in a file
- on the node should be used. The profile must be preconfigured on
- the node to work. Must be a descending path, relative to the kubelet's
- configured seccomp profile location. Must be set if type is "Localhost".
- Must NOT be set for any other type.
- type: string
- type:
- description: "type indicates which kind of seccomp profile will be\
- \ applied. Valid options are: \n Localhost - a profile defined in\
- \ a file on the node should be used. RuntimeDefault - the container\
- \ runtime default profile should be used. Unconfined - no profile\
- \ should be applied."
- type: string
- required:
- - type
- type: object
- windowsOptions:
- description: The Windows specific settings applied to all containers.
- If unspecified, the options from the PodSecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that this field cannot be
- set when spec.os.name is linux.
- properties:
- gmsaCredentialSpec:
- description: GMSACredentialSpec is where the GMSA admission webhook
- (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents
- of the GMSA credential spec named by the GMSACredentialSpecName
- field.
- type: string
- gmsaCredentialSpecName:
- description: GMSACredentialSpecName is the name of the GMSA credential
- spec to use.
- type: string
- hostProcess:
- description: HostProcess determines if a container should be run as
- a 'Host Process' container. All of a Pod's containers must have
- the same effective HostProcess value (it is not allowed to have
- a mix of HostProcess containers and non-HostProcess containers).
- In addition, if HostProcess is true then HostNetwork must also be
- set to true.
- type: boolean
- runAsUserName:
- description: The UserName in Windows to run the entrypoint of the
- container process. Defaults to the user specified in image metadata
- if unspecified. May also be set in PodSecurityContext. If set in
- both SecurityContext and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
- type: string
- type: object
- type: object
- tag:
- type: string
- required:
- - enabled
- - params
- - repository
- - resources
- - securityContext
- - tag
- type: object
autoscaling:
properties:
http:
@@ -1775,7 +1527,6 @@ properties:
required:
- affinity
- app
-- authzproxy
- autoscaling
- bind
- fullnameOverride
diff --git a/charts/phpmyadmin/values.yaml b/charts/phpmyadmin/values.yaml
index 59566bcf..97668952 100644
--- a/charts/phpmyadmin/values.yaml
+++ b/charts/phpmyadmin/values.yaml
@@ -131,30 +131,3 @@ app:
bind:
name: ""
namespace: ""
-
-authzproxy:
- enabled: false
- # KubeDB operator container image
- repository: appscode/kube-authz-proxy
- # KubeDB operator container image tag
- tag: "v0.0.1"
- # Security options this container should run with
- securityContext: # +doc-gen:break
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
- # Compute Resources required by this container
- resources: {}
- # requests:
- # cpu: 100m
- # memory: 128Mi
- params:
- listen: 8000
- metricsAddr: 8080
- platformURL: ""
- platformCABundle: ""