diff --git a/charts/phoenix/templates/_helpers.tpl b/charts/phoenix/templates/_helpers.tpl index 92d3b39..819da95 100644 --- a/charts/phoenix/templates/_helpers.tpl +++ b/charts/phoenix/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "phoenix.name" -}} +{{- define "amtd.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "phoenix.fullname" -}} +{{- define "amtd.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "phoenix.chart" -}} +{{- define "amtd.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "phoenix.labels" -}} -helm.sh/chart: {{ include "phoenix.chart" . }} -{{ include "phoenix.selectorLabels" . }} +{{- define "amtd.labels" -}} +helm.sh/chart: {{ include "amtd.chart" . }} +{{ include "amtd.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} 
@@ -45,18 +45,18 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "phoenix.selectorLabels" -}} -app.kubernetes.io/name: {{ include "phoenix.name" . }} +{{- define "amtd.selectorLabels" -}} +app.kubernetes.io/name: {{ include "amtd.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "phoenix.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "phoenix.fullname" .) .Values.serviceAccount.name }} +{{- define "amtd.serviceAccountName" -}} +{{- if .Values.amtd.serviceAccount.create }} +{{- default (include "amtd.fullname" .) .Values.amtd.serviceAccount.name }} {{- else }} -{{- default "default" .Values.serviceAccount.name }} +{{- default "default" .Values.amtd.serviceAccount.name }} {{- end }} {{- end }} diff --git a/charts/phoenix/templates/deployment.yaml b/charts/phoenix/templates/deployment.yaml index 35551d9..5f785a2 100644 --- a/charts/phoenix/templates/deployment.yaml +++ b/charts/phoenix/templates/deployment.yaml 
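Review bot: With `amtd.serviceAccount.create: false` and an empty `name`, `amtd.serviceAccountName` resolves to `default`, and the rbac.yaml hunks in this commit use that helper as the subject of the leader-election RoleBinding and of the manager and proxy ClusterRoleBindings. The operator's roles would then be granted to the namespace's `default` service account, which is the account used by any pod that sets no `serviceAccountName`. Consider failing the render instead of falling back, e.g. `{{- required "amtd.serviceAccount.name is required when serviceAccount.create is false" .Values.amtd.serviceAccount.name }}`. The ServiceAccount object in rbac.yaml is also named through this helper and no `{{- if .Values.amtd.serviceAccount.create }}` guard is visible in its hunk, so `create: false` may still render a ServiceAccount; the top of that file is outside the diff and needs checking.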
@@ -2,50 +2,58 @@ apiVersion: apps/v1 kind: Deployment metadata: + name: {{ include "amtd.fullname" . }}-controller-manager + namespace: {{ .Release.Namespace }} labels: + {{- include "amtd.labels" . | nindent 4 }} control-plane: controller-manager - name: operator-controller-manager - namespace: {{ .Release.Namespace }} spec: - replicas: 1 + replicas: {{ .Values.amtd.replicaCount }} selector: matchLabels: + app.kubernetes.io/name: {{ include "amtd.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} control-plane: controller-manager template: metadata: - annotations: - kubectl.kubernetes.io/default-container: manager labels: + {{- include "amtd.labels" . | nindent 8 }} control-plane: controller-manager + annotations: + kubectl.kubernetes.io/default-container: manager spec: + serviceAccountName: {{ include "amtd.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.amtd.terminationGracePeriodSeconds }} + securityContext: + runAsNonRoot: true containers: - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect + - name: manager + image: "{{ .Values.amtd.image.repository }}:{{ .Values.amtd.image.tag }}" + imagePullPolicy: {{ .Values.amtd.image.pullPolicy | quote }} command: - /manager - image: {{ .Values.amtd.image.repository }}:{{ .Values.amtd.image.tag }} + args: + - --health-probe-bind-address={{ .Values.amtd.healthProbeBindAddress }} + - --metrics-bind-address={{ .Values.amtd.metricsBindAddress }} + - --leader-elect livenessProbe: httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager + path: {{ .Values.amtd.livenessProbe.path }} + port: {{ .Values.amtd.livenessProbe.port }} + initialDelaySeconds: {{ .Values.amtd.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.amtd.livenessProbe.periodSeconds }} readinessProbe: httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 + path: {{ 
.Values.amtd.readinessProbe.path }} + port: {{ .Values.amtd.readinessProbe.port }} + initialDelaySeconds: {{ .Values.amtd.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.amtd.readinessProbe.periodSeconds }} resources: {{- toYaml .Values.amtd.resources | nindent 12 }} + {{- with .Values.amtd.securityContext }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.amtd.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -58,8 +66,11 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - securityContext: - runAsNonRoot: true - serviceAccountName: operator-controller-manager - terminationGracePeriodSeconds: 10 ---- \ No newline at end of file + {{- with .Values.amtd.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.amtd.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/phoenix/templates/rbac.yaml b/charts/phoenix/templates/rbac.yaml index 87d4964..db12fc6 100644 --- a/charts/phoenix/templates/rbac.yaml +++ b/charts/phoenix/templates/rbac.yaml @@ -9,7 +9,8 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: serviceaccount app.kubernetes.io/part-of: operator - name: operator-controller-manager + {{- include "amtd.labels" . | nindent 4 }} + name: {{ include "amtd.serviceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -22,7 +23,8 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: role app.kubernetes.io/part-of: operator - name: operator-leader-election-role + {{- include "amtd.labels" . | nindent 4 }} + name: {{ include "amtd.fullname" . }}-leader-election-role namespace: {{ .Release.Namespace }} rules: - apiGroups: 
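Review bot: The container `securityContext` is now rendered only inside `{{- with .Values.amtd.securityContext }}`, so `allowPrivilegeEscalation: false` and the `drop: ALL` capability set are no longer guaranteed by the template. A values file that nulls or replaces `amtd.securityContext` yields a manager container with no container-level hardening, leaving only the pod-level `runAsNonRoot: true`. Keeping the baseline keys in the template and letting values add to them would preserve the previous guarantee; at minimum add a template comment such as `{{- /* Hardening baseline comes from amtd.securityContext in values.yaml; a null override removes it. */}}`. The same hunk makes `--health-probe-bind-address` and the probe `port` values independently configurable, so changing one without the other fails the probes.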
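Review bot: Adding `{{- include "amtd.labels" . | nindent 4 }}` below the existing kustomize labels puts duplicate keys into the same `labels:` map. `amtd.labels` already emits `app.kubernetes.io/name` (through `amtd.selectorLabels`) and, per the context shown in the _helpers.tpl hunks, `app.kubernetes.io/managed-by`, while both are still hard-coded just above as `serviceaccount` and `kustomize`. Duplicate mapping keys are invalid YAML, and a parser will either reject the manifest or silently keep one of the values, so the rendered labels may not be the ones selectors or tooling expect. Remove the hard-coded `app.kubernetes.io/managed-by: kustomize` and `app.kubernetes.io/name: …` lines wherever the include is added; the same applies to the Role, ClusterRole, RoleBinding and ClusterRoleBinding hunks later in rbac.yaml. Only three context lines above each include are visible, so other leftover labels in those maps may also overlap.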
@@ -60,7 +62,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: operator-manager-role + name: {{ include "amtd.fullname" . }}-manager-role rules: - apiGroups: - amtd.r6security.com @@ -137,7 +139,8 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrole app.kubernetes.io/part-of: operator - name: operator-metrics-reader + {{- include "amtd.labels" . | nindent 4 }} + name: {{ include "amtd.fullname" . }}-metrics-reader rules: - nonResourceURLs: - /metrics @@ -154,7 +157,8 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrole app.kubernetes.io/part-of: operator - name: operator-proxy-role + {{- include "amtd.labels" . | nindent 4 }} + name: {{ include "amtd.fullname" . }}-proxy-role rules: - apiGroups: - authentication.k8s.io @@ -179,15 +183,16 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: rolebinding app.kubernetes.io/part-of: operator - name: operator-leader-election-rolebinding + {{- include "amtd.labels" . | nindent 4 }} + name: {{ include "amtd.fullname" . }}-leader-election-rolebinding namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: operator-leader-election-role + name: {{ include "amtd.fullname" . }}-leader-election-role subjects: - kind: ServiceAccount - name: operator-controller-manager + name: {{ include "amtd.serviceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -200,14 +205,15 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrolebinding app.kubernetes.io/part-of: operator - name: operator-manager-rolebinding + {{- include "amtd.labels" . | nindent 4 }} + name: {{ include "amtd.fullname" . }}-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: operator-manager-role + name: {{ include "amtd.fullname" . }}-manager-role subjects: - kind: ServiceAccount - name: operator-controller-manager + name: {{ include "amtd.serviceAccountName" . }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -220,13 +226,13 @@ metadata: app.kubernetes.io/managed-by: kustomize app.kubernetes.io/name: clusterrolebinding app.kubernetes.io/part-of: operator - name: operator-proxy-rolebinding + {{- include "amtd.labels" . | nindent 4 }} + name: {{ include "amtd.fullname" . }}-proxy-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: operator-proxy-role + name: {{ include "amtd.fullname" . }}-proxy-role subjects: - kind: ServiceAccount - name: operator-controller-manager + name: {{ include "amtd.serviceAccountName" . }} namespace: {{ .Release.Namespace }} ---- \ No newline at end of file diff --git a/charts/phoenix/values.yaml b/charts/phoenix/values.yaml index d850ae6..e4cfb73 100644 --- a/charts/phoenix/values.yaml +++ b/charts/phoenix/values.yaml 
@@ -1,8 +1,36 @@ +nameOverride: "" +fullnameOverride: "" + amtd: + replicaCount: 1 image: repository: ghcr.io/r6security/phoenix/amtd-operator + tag: v0.2.2 pullPolicy: IfNotPresent - tag: "v0.2.2" + + serviceAccount: + create: true + automount: true + annotations: {} + name: "" + + terminationGracePeriodSeconds: 10 + + healthProbeBindAddress: ":8081" + metricsBindAddress: "127.0.0.1:8080" + + livenessProbe: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + + readinessProbe: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: limits: cpu: 500m @@ -10,21 +38,14 @@ amtd: requests: cpu: 10m memory: 64Mi + nodeSelector: {} tolerations: [] - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux \ No newline at end of file + affinity: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + topologySpreadConstraints: [] + imagePullSecrets: []
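Review bot: `amtd.serviceAccount.automount` and `amtd.serviceAccount.annotations` are introduced here, but no template changed in this commit reads them, so setting `automount: false` would appear to have no effect on token mounting. If the knob is meant to work, wire it into the ServiceAccount in rbac.yaml with `automountServiceAccountToken: {{ .Values.amtd.serviceAccount.automount }}` and render `annotations` under its metadata with a `with` block; otherwise drop both keys. It would also help to comment `metricsBindAddress` with something like `# Loopback by default; binding to a routable address exposes /metrics to the pod network.`, since no authenticating proxy container is visible in the deployment.yaml hunk.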
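Review bot: The default `affinity` changes from a required node affinity on `kubernetes.io/os: linux` and four listed architectures to `{}`, so with default values the manager pod is no longer kept off nodes the image may not run on. If that is intended, state it in the commit message; otherwise keep at least the OS constraint as a default, e.g. `nodeSelector: {kubernetes.io/os: linux}`. The new `securityContext` default in this hunk is what the deployment template now relies on for `allowPrivilegeEscalation: false` and the capability drop, which deserves a `#` comment saying so.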